This is a note to myself, mainly. If the PROTECTED_POOL flag is set on a pool tag, freeing it will require the use of the same tag as when allocating it. For all other purposes the tag will be ignored when freeing.
Microsoft states for the Tag parameter in ExAllocatePoolWithTag:
Specifies the pool tag for the allocated memory. Specify the pool tag as a character literal of up to four characters delimited by single quotation marks (for example, ‘Tag1’). The string is usually specified in reverse order (for example, ‘1gaT’). The ASCII value of each character in the tag must be between 0 and 127. Every allocation code path should use a unique pool tag to ensure that debuggers and verifiers identify a distinct allocated block.
Presumably most tags used by system components themselves will have that flag set, but to be honest I haven’t checked the pooltag.txt lately 😉
// Oliver
Pingback: Matching pool tags in Windows drivers « c0llateral Blog