Windows Internals

Guided path: Memory deep dive

Step 5 of 6

Continue to Cache Manager
expert

Pool & heap

Kernel pool tags and user-mode heaps as different allocation worlds.

What you should already know

This topic is marked expert. Skim these first if any of them feel unfamiliar.

Memory managementVAD tree

Related labs

Hands-on exercises for this area — in the browser or on a Windows machine.

Memory metrics lab

Compare private bytes, working set, and commit with realistic scenarios.

Open lab
View all labs

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Memory pools

learn.microsoft.com

Microsoft Learn

Enable pool tagging

learn.microsoft.com

Why it matters

Memory leaks and performance issues often come from confusing user-mode heap behavior with kernel pool behavior.

Mental model

Windows uses different allocators for different trust and lifetime domains.

Windows building blocks

Names and paths you can look for in Task Manager, Explorer, or documentation.

  • RegistryPoolTag

    Enable pool tagging for driver leak analysis

Go one level deeper

Extra detail for readers who want more precision before opening a child topic.

  • NonPaged pool must stay resident; Paged pool can be paged out like user memory.
  • Driver Verifier can track pool usage and catch double-frees in development.

How it works

  1. 1User-mode heaps serve application allocations.
  2. 2Kernel pools serve privileged components and drivers.
  3. 3Pool tags and diagnostics help trace where kernel allocations come from.

Key terms

Pool tag
A short identifier attached to kernel allocations for debugging and analysis.
Heap
A dynamic allocation arena typically used by user-mode applications.

Investigating kernel memory growth

Pool tags let you connect rising kernel usage back to the component responsible for those allocations.

Common misconception

User-mode heaps and kernel pool are not interchangeable concepts; they answer different allocation needs.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

expert

Cache Manager

How Windows speeds file access by coordinating cached file data with memory.

Next step in your guided path

intermediate

VAD tree

How Windows tracks ranges of virtual memory for a process.

Related topic

intermediate

ETW tracing

Real-time sessions, controllers, and consumers for higher-volume tracing.

Related topic

Related topics

ETW tracing

Real-time sessions, controllers, and consumers for higher-volume tracing.

VAD tree

How Windows tracks ranges of virtual memory for a process.

Previous

Working set & trimming

Which pages stay resident for a process and how Windows reclaims memory under pressure.

Next

Cache Manager

How Windows speeds file access by coordinating cached file data with memory.