SYSTEM_POOLTAG_INFORMATION

The SYSTEM_POOLTAG_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemPoolTagInformation (0x16).

Documentation Status

The SYSTEM_POOLTAG_INFORMATION structure is not documented.

Layout

The SYSTEM_POOLTAG_INFORMATION is 0x20 or 0x30 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)  Offset (x64)  Definition
0x00          0x00          ULONG Count;
0x04          0x08          SYSTEM_POOLTAG TagInfo [ANYSIZE_ARRAY];

The SYSTEM_POOLTAG is 0x1C or 0x28 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)  Offset (x64)  Definition
0x00          0x00          union { UCHAR Tag [4]; ULONG TagUlong; };
0x04          0x04          ULONG PagedAllocs;
0x08          0x08          ULONG PagedFrees;
0x0C          0x10          ULONG_PTR PagedUsed;
0x10          0x18          ULONG NonPagedAllocs;
0x14          0x1C          ULONG NonPagedFrees;
0x18          0x20          ULONG_PTR NonPagedUsed;
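
As an added example (not code from the original page or from Microsoft), the following C walks a buffer in the 64-bit layout tabulated above, checks the declared Count against the buffer length before reading any entry, and reports which tag holds the most non-paged bytes. The names POOLTAG64, TAGINFO_OFFSET, top_nonpaged_index and sample are assumptions made for this illustration, and the sample buffer is constructed rather than captured from a real call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* 64-bit layout from the tables above; uint32_t stands in for ULONG and
   uint64_t for ULONG_PTR so the offsets hold on any host compiler. */
typedef struct {
    union { uint8_t Tag[4]; uint32_t TagUlong; };
    uint32_t PagedAllocs, PagedFrees;
    uint64_t PagedUsed;
    uint32_t NonPagedAllocs, NonPagedFrees;
    uint64_t NonPagedUsed;
} POOLTAG64;                      /* hypothetical name for the x64 SYSTEM_POOLTAG */
#define TAGINFO_OFFSET 0x08u      /* offset of TagInfo in the x64 structure */
_Static_assert(sizeof(POOLTAG64) == 0x28, "SYSTEM_POOLTAG is 0x28 bytes on x64");
_Static_assert(offsetof(POOLTAG64, PagedUsed) == 0x10, "PagedUsed at 0x10");
_Static_assert(offsetof(POOLTAG64, NonPagedUsed) == 0x20, "NonPagedUsed at 0x20");

/* Constructed sample buffer: Count = 3, then three made-up entries. */
static const struct { uint32_t Count; POOLTAG64 TagInfo[3]; } sample = { 3, {
    { .Tag = {'T','s','t','A'}, .PagedAllocs = 9, .PagedFrees = 2, .PagedUsed = 0x700 },
    { .Tag = {'T','s','t','B'}, .NonPagedAllocs = 40, .NonPagedFrees = 1, .NonPagedUsed = 0x9C000 },
    { .Tag = {'T','s','t','C'}, .NonPagedAllocs = 5, .NonPagedFrees = 5, .NonPagedUsed = 0 },
} };

/* Index of the entry with the most non-paged bytes in use, or -1 if the
   buffer is empty or shorter than its Count field claims. */
long top_nonpaged_index(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t count;
    long best = -1; uint64_t best_used = 0;
    if (len < TAGINFO_OFFSET) return -1;
    memcpy(&count, p, sizeof count);
    if (count > (len - TAGINFO_OFFSET) / sizeof(POOLTAG64)) return -1;
    for (uint32_t i = 0; i < count; i++) {
        POOLTAG64 e;              /* copy out: the caller's buffer may be unaligned */
        memcpy(&e, p + TAGINFO_OFFSET + (size_t)i * sizeof e, sizeof e);
        if (best < 0 || e.NonPagedUsed > best_used) { best = (long)i; best_used = e.NonPagedUsed; }
    }
    return best;
}

int main(void)
{
    long i = top_nonpaged_index(&sample, sizeof sample);
    if (i >= 0) printf("top non-paged tag: %.4s\n", (const char *)sample.TagInfo[i].Tag);
    return i < 0;
}
```

The 32-bit layout needs its own structure with a 32-bit ULONG_PTR and TagInfo at offset 0x04; the same length check applies with an entry size of 0x1C.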