How to use Memory Pool Monitor (Poolmon.exe) to troubleshoot kernel mode memory leaks
This article describes how to use the Memory Pool Monitor utility, Poolmon.exe, as a troubleshooting tool to monitor memory tags.
Poolmon displays data that the operating system collects about memory allocations from the system paged and nonpaged kernel pools and about the memory pools used for Terminal Services sessions. The data is grouped by pool allocation tag. This information can be used by Microsoft Technical Support to find kernel mode memory leaks.
A memory leak is caused by an application or by a process that allocates memory for use but that does not free the memory when the application or process finishes. Therefore, available memory is completely used over time. Frequently, this condition causes the system to stop functioning correctly.
In this case, the following events may be logged in the System log:
Event ID: 2020
Description: The server was unable to allocate from the system paged pool because the pool was empty.
Event ID: 2019
Description: The server was unable to allocate from the system nonpaged pool because the pool was empty.
In httperror log, there will be Connections_Refused errors which makes the websites stop to accept new connections. This usually indicates the kernel NonPagedPool memory has dropped below 20MB and http.sys has stopped receiving new connections.
How to find pool tags that are used by third-party drivers
This article describes how to find the source of a pool tag that is used by a third-party driver. This may be useful because when you troubleshoot an issue, you may encounter a pool tag that cannot be tied to a Microsoft component, and finding the source of these tags can be complicated and is often impossible without the use of a kernel-mode debugger.
Who's Using the Pool?