SYSTEM_POOLTAG_INFORMATION

The SYSTEM_POOLTAG_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemPoolTagInformation (0x16).

Documentation Status

The SYSTEM_POOLTAG_INFORMATION structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_POOLTAG_INFORMATION is 0x20 or 0x30 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86) Offset (x64) Definition
0x00 0x00 
ULONG Count;
0x04 0x08 
SYSTEM_POOLTAG TagInfo [ANYSIZE_ARRAY];

The SYSTEM_POOLTAG is 0x1C or 0x28 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86) Offset (x64) Definition
0x00 0x00 
union {
    UCHAR Tag [4];
    ULONG TagUlong;
};
0x04 0x04 
ULONG PagedAllocs;
0x08 0x08 
ULONG PagedFrees;
0x0C 0x10 
ULONG_PTR PagedUsed;
0x10 0x18 
ULONG NonPagedAllocs;
0x14 0x1C 
ULONG NonPagedFrees;
0x18 0x20 
ULONG_PTR NonPagedUsed;

This page was created on 9th July 2016 but was not published until 25th October 2016. It was last modified on 27th June 2019.

Copyright © 2016-2019. Geoff Chappell. All rights reserved. Conditions apply.