findstr /m /l "TagName" C:\Windows\System32\drivers\*.sys Replace TagName with the 4-character tag (e.g., Ntfs ). This searches all driver binaries for that string. Often, the tag is embedded near the driver’s allocation routines. Microsoft provides pooltag.txt – a mapping file. On a WDK-installed system, find it at: C:\WinDDK\7600.16385.1\tools\other\pooltag.txt
Navigate to where poolmon.exe lives, or add that folder to your PATH environment variable. Then type: poolmon.exe download windows 7
For Windows 7 users, especially those dealing with mysterious system slowdowns, "low memory" warnings despite having ample RAM, or driver-induced crashes (BSODs), PoolMon is an indispensable scalpel. While Windows 7 is no longer under mainstream Microsoft support, millions of legacy systems, industrial machines, and personal computers still run it. Understanding how to obtain and use PoolMon on this OS remains a critical skill. findstr /m /l "TagName" C:\Windows\System32\drivers\*
Download the Sysinternals Suite (easiest) or the WDK 7.1.0 (most official). Run poolmon -b -d regularly. And when you see that one tag ballooning to gigabytes of non-paged pool, you’ll know exactly which driver to blame. Disclaimer: Windows 7 reached end of life on January 14, 2020. Microsoft no longer provides security updates. Use PoolMon and diagnostic tools only on systems that are isolated from the internet or as part of a controlled migration plan. Microsoft provides pooltag
