Parsing Windows 2000/XP physical memory management

Physical memory is a relatively scarce resource, and using it well is key to the performance of an operating system. Windows 2000/XP internally uses a structure called the page frame number (PFN) database to describe the status of physical memory. This article describes how Windows organizes and manages physical memory, starting from that structure.

In Windows, physical memory is divided into pages of PAGE_SIZE bytes (0x1000 bytes on x86, that is, 4 KB), and each page has an entry in the PFN database that describes its status and usage. The PFN database is simply an array of structures, one per physical page. The base address of the array is held in the kernel variable MmPfnDatabase, and the number of entries in MmNumberOfPhysicalPages; the index of an entry is the page frame number (PFN). MmNumberOfPhysicalPages is generally slightly lower than the number of physical pages the machine actually has, because during initialization the system reserves some pages for the operating system's own use. Note that the PFN database describes physical memory in the narrow sense only; it does not cover the memory of other mapped physical devices.

The WinDbg !pfn command shows the status and usage of any page, as shown below:

kd> dd MmPfnDatabase L1
80547438  80c00000
kd> !pfn 143
    PFN 00000143 at address 80C01E48
    flink       00000500  blink / share count 00000001  pteaddress E1085174
    reference count 0001   Cached   color 0
    restore pte 00B5AC24  containing page 0096D8  Active     P

In "Inside Windows 2000" the fields of a PFN entry are explained in detail; here is a brief description:

Flink and Blink link pages that are in the same state into a linked list. The kernel variables MmZeroedPageListHead, MmFreePageListHead, MmStandbyPageListHead, MmModifiedPageListHead, MmModifiedNoWritePageListHead and MmBadPageListHead are the heads of these lists, and their names make the state of each list obvious. The PFN database distinguishes eight page states in total: the six list states above plus Active and Transition. The state is stored in the low 3 bits of the type field (offset 0xd, one byte) of the PFN entry.

PteAddress is the address of the PTE that points to this page. From my analysis there are three main cases:

A. PteAddress is 0 or 0xffffffff. The page is a Zeroed page or a Free page, which of the two can be told from the PFN state.
B. PteAddress is 0xc*******. The page is private to a process or to the system and is in that process's or the system's working set.
C. PteAddress is 0xe*******. The PTE is a prototype PTE, that is, this page is shared. For details see my article on exploring Windows 2000/XP prototype PTEs.

The Restore PTE field is called the original PTE in "Inside Windows 2000". It records the backing-store location of the page, that is, where the page's data lives in a pagefile or in a mapped file on disk. In case C above it generally points to a subsection of the mapped file, so internally it is called a subsection PTE and is defined by the structure _MMPTE_SUBSECTION. In the other case it may be a PTE pointing into a pagefile, defined by the structure _MMPTE_SOFTWARE. I made an error on this point the last time I wrote about it. The bit layout of _MMPTE_SUBSECTION is as follows:

Valid:                 pos 0,  1 bit
SubsectionAddressLow:  pos 1,  4 bits
Protection:            pos 5,  5 bits
Prototype:             pos 10, 1 bit
SubsectionAddressHigh: pos 11, 20 bits
WhichPool:             pos 31, 1 bit

The highest bit, WhichPool, indicates which pool the subsection lives in (NonPagedPool or PagedPool). Valid is 0, which means this is not a PTE the x86 MMU can use directly; it is interpreted by MiDispatchFault. The algorithm that converts a subsection PTE into a subsection address is given in the code below.
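To make the two field descriptions above concrete, here is an added user-mode example (it is not the article's code and not taken from Windows) that decodes the _MMPTE_SUBSECTION bit layout, reconstructs the subsection address from it, classifies a PteAddress into the cases A/B/C, and, going one step beyond the article, encodes a subsection address back into a subsection PTE so that the alignment and range limits of the format become visible. MmSubsectionBase and MmNonPagedPoolEnd are passed in as parameters because they vary per build and boot; the values used in main() are the XP build 2600 constants and the !pfn 143 output quoted in this article, used here purely as constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the article's code: decoder for the x86 subsection PTE
 * layout (Valid, SubsectionAddressLow, Protection, Prototype,
 * SubsectionAddressHigh, WhichPool) plus the PteAddress classification. */

struct subsection_pte {
    uint32_t valid;       /* bit 0     : always 0 in a subsection PTE         */
    uint32_t addr_low;    /* bits 1-4  : SubsectionAddressLow                 */
    uint32_t protection;  /* bits 5-9  : Protection                           */
    uint32_t prototype;   /* bit 10    : Prototype, set for a subsection PTE  */
    uint32_t addr_high;   /* bits 11-30: SubsectionAddressHigh                */
    uint32_t which_pool;  /* bit 31    : WhichPool                            */
};

struct subsection_pte decode_subsection_pte(uint32_t pte)
{
    struct subsection_pte f;
    f.valid      =  pte        & 0x1;
    f.addr_low   = (pte >> 1)  & 0xf;
    f.protection = (pte >> 5)  & 0x1f;
    f.prototype  = (pte >> 10) & 0x1;
    f.addr_high  = (pte >> 11) & 0xfffff;
    f.which_pool = (pte >> 31) & 0x1;
    return f;
}

/* Subsections are 8-byte aligned, so the 24 stored address bits are the pool
 * offset with its three low zero bits dropped: the low nibble lands at bits
 * 3..6 and the high 20 bits at bits 7..26. This is exactly what the masks
 * (0x1e << 2) and 0x7ffff80 in MiGetSubsectionAndProtoFromPte compute. */
uint32_t subsection_offset(uint32_t pte)
{
    struct subsection_pte f = decode_subsection_pte(pte);
    return (f.addr_low << 3) | (f.addr_high << 7);
}

/* WhichPool set: MmSubsectionBase + offset; clear: MmNonPagedPoolEnd - offset
 * (the same branch the article's disassembly takes on Pte < 0). */
uint32_t subsection_address(uint32_t pte, uint32_t mm_subsection_base,
                            uint32_t mm_nonpaged_pool_end)
{
    uint32_t off = subsection_offset(pte);
    return (pte & 0x80000000u) ? mm_subsection_base + off
                               : mm_nonpaged_pool_end - off;
}

/* Inverse direction (not shown in the article): encode a subsection address
 * into a subsection PTE. Returns 0 when the address cannot be represented:
 * not 8-byte aligned, or more than 27 bits away from the pool anchor. */
uint32_t encode_subsection_pte(uint32_t subsection, uint32_t mm_subsection_base,
                               uint32_t mm_nonpaged_pool_end, int in_paged_pool,
                               uint32_t protection)
{
    uint32_t off = in_paged_pool ? subsection - mm_subsection_base
                                 : mm_nonpaged_pool_end - subsection;
    if ((subsection & 0x7) || off >= (1u << 27))
        return 0;
    return (in_paged_pool ? 0x80000000u : 0)
         | (((off >> 7) & 0xfffff) << 11)
         | (1u << 10)                        /* Prototype             */
         | ((protection & 0x1f) << 5)
         | (((off >> 3) & 0xf) << 1);        /* Valid (bit 0) stays 0 */
}

/* PteAddress classification from the article: A unused, B private, C shared. */
enum pte_kind { PTE_UNUSED = 0, PTE_PRIVATE = 1, PTE_PROTOTYPE = 2, PTE_OTHER = 3 };

enum pte_kind classify_pte_address(uint32_t pte_address)
{
    if (pte_address == 0 || pte_address == 0xffffffffu)
        return PTE_UNUSED;      /* A: Zeroed or Free, decided by the PFN state   */
    if ((pte_address & 0xf0000000u) == 0xc0000000u)
        return PTE_PRIVATE;     /* B: 0xc*******, process or system working set */
    if ((pte_address & 0xf0000000u) == 0xe0000000u)
        return PTE_PROTOTYPE;   /* C: 0xe*******, prototype PTE, shared page    */
    return PTE_OTHER;
}

int main(void)
{
    /* Constructed sample: PteAddress and Restore PTE from the !pfn 143 output
     * in the article, decoded with the article's XP build 2600 constants. */
    uint32_t base = 0x80d21000u, npp_end = 0xffbe0000u;
    uint32_t pte_address = 0xe1085174u, restore_pte = 0x00b5ac24u;
    struct subsection_pte f = decode_subsection_pte(restore_pte);

    printf("PteAddress %08x: kind %d (2 = prototype PTE, shared page)\n",
           pte_address, (int)classify_pte_address(pte_address));
    printf("RestorePte %08x: valid=%u prototype=%u protection=%u whichpool=%u\n",
           restore_pte, f.valid, f.prototype, f.protection, f.which_pool);
    printf("subsection offset %08x -> address %08x\n",
           subsection_offset(restore_pte),
           subsection_address(restore_pte, base, npp_end));
    return 0;
}
```

Running it on the quoted sample shows that the restore PTE 00B5AC24 has Valid = 0 and Prototype = 1, as the text says a subsection PTE must, and that the 8-byte alignment of subsections is what allows 27 bits of pool offset to be packed into 24 PTE bits; encode_subsection_pte() rejects any address that is not so aligned.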

This describes how a subsection PTE locates the position of the page given by a PFN within the corresponding mapped file. "Inside Windows 2000" uses a block diagram to explain the links between the parts of the memory manager, but the individual data structures (PFN, segment, and so on) are not described in enough detail, and the conversion algorithms between them are not mentioned. The following is a diagram I re-created based on Windows XP Professional build 2600:

[Figure: diagram of the memory manager data structures (PFN, segment, and so on), re-created from Windows XP Professional build 2600]

WinDbg provides the !memusage command, which analyzes subsection PTEs to obtain the memory usage of each mapped file in the system. The code below only lists in detail which mapped file each page belongs to; !memusage adds detailed statistics on top of that. Even so, with this code and my previous articles, the complex relationships among the structures in the figure above can basically be understood.

#include <ntddk.h>   /* kernel-mode code: DbgPrint, MmIsAddressValid, memset */

/* For testing purposes I define the constants below. This does not mean that
 * MmSubsectionBase and MmNonPagedPoolEnd are fixed in Windows 2000 and
 * Windows XP: they are initialized by ntoskrnl during the system boot phase
 * and depend on the amount of physical memory, etc. */
#define WIN2000_2195
#ifdef WINXP_2600
#define MmSubsectionBase   0x80d21000
#define MmNonPagedPoolEnd  0xffbe0000
#endif
#ifdef WIN2000_2195
#define MmSubsectionBase   0x0
#define MmNonPagedPoolEnd  0xffb7f000
#endif

#define MmPfnDatabase            0xffb7f000   // please redefine it on your machine.
#define MmNumberOfPhysicalPages  0x3f7d       // please redefine it on your machine.

/* Portion of nt!MiGetSubsectionAndProtoFromPte:
 * get the subsection from the restore PTE (original PTE) of a PFN database entry.
 * Disassembled by webcrazy. Thanks to wuzq for the hint! */
unsigned int MiGetSubsectionAndProtoFromPte(int Pte)
{
    unsigned int SubAddr;
    if (Pte < 0) {   /* WhichPool (bit 31) set: subsection is relative to MmSubsectionBase */
        SubAddr = MmSubsectionBase + (((Pte & 0x1e) << 2) | ((Pte >> 4) & 0x7ffff80));
    } else {         /* WhichPool clear: subsection lies below MmNonPagedPoolEnd */
        SubAddr = MmNonPagedPoolEnd - (((Pte & 0x1e) << 2) | ((Pte >> 4) & 0xfffff80));
    }
    return SubAddr;
}

/* I also release MemUsage() to dump control areas. Only the control areas of
 * mapped files are dumped. Compare the WinDbg !memusage command. */
void MemUsage()
{
    unsigned int *PfnDatabase = (unsigned int *)MmPfnDatabase;
    unsigned int NumberPhys = MmNumberOfPhysicalPages;
    unsigned int RestorePte, Pfn = 0, PPte, Subsection;
    unsigned char Flag = 0;
    static unsigned int FlagNum[8];
    static char *FlagDesc[8] =
        { "Zeroed", "Free", "Standby", "Modified", "ModNoWrt", "Bad", "Active", "Trans" };

    memset(FlagNum, 0, sizeof(FlagNum));

    /* First pass: count the pages in each of the eight states. The state is the
     * low 3 bits of the byte at offset 0xd of each 0x18-byte PFN entry. */
    for (; Pfn < NumberPhys; Pfn++) {
        Flag = *((char *)PfnDatabase + 0xd);
        Flag &= 0x07;
        FlagNum[Flag]++;
        PfnDatabase += 0x18 / 0x04;   /* next entry: 0x18 bytes, stepped as unsigned int */
    }

    DbgPrint("\nMemUsage:\n");
    for (Flag = 0; Flag < 8; Flag++)
        DbgPrint("%10s: %04d (%08dK)\n", FlagDesc[Flag], FlagNum[Flag], FlagNum[Flag] * 4);

    /* Second pass: for pages whose PteAddress is a prototype PTE (0xe*******),
     * turn the restore PTE into its subsection and print the control area,
     * which is the first dword of the subsection. */
    PfnDatabase = (unsigned int *)MmPfnDatabase;
    for (Pfn = 0; Pfn < NumberPhys; Pfn++) {
        PPte = *(unsigned int *)(PfnDatabase + 0x1);        /* PteAddress, offset 0x4  */
        RestorePte = *(unsigned int *)(PfnDatabase + 0x4);  /* OriginalPte, offset 0x10 */
        Flag = *((char *)PfnDatabase + 0xd);
        Flag &= 0x07;

        if (PPte >= 0xe0000000 && PPte < 0xf0000000) {
            Subsection = MiGetSubsectionAndProtoFromPte(RestorePte);
            DbgPrint("PFN: %04x, PPTE: %08x, RestorePte: %08x, Subsection: %08x, CA: %08x, Flag: %10s\n",
                     Pfn, PPte, RestorePte, Subsection,
                     MmIsAddressValid((void *)Subsection) ? *(unsigned int *)Subsection : 0x11111111,
                     FlagDesc[Flag]);
        }
        PfnDatabase += 0x18 / 0x04;
    }
}

This article only gives a basic account of how physical memory is organized and managed in Windows 2000/XP. The case where the restore PTE points into a pagefile is not covered above; there is a lot more to it, and I will describe it separately based on what I learn. I need to thank wuzq for giving me the ideas; my understanding of this may still be superficial, so thanks to him again.
