In tip 7101 » How can I monitor my system for kernel mode memory leaks, we used Poolmon.exe
to determine the pool tag of a leaking process.
To determine the driver name from a pool tag:
1. Open a CMD prompt.
2. Change to the drivers folder by typing cd /d %SystemRoot%\System32\Drivers
3. Type the following command:
findstr /m /l <pool tag> *.sys
4. If you receive multiple files, add an h to the <pool tag>. findstr /m /l hTCPt *.sys returns TCPIP.SYS.