Windows 2000 pfn


















I think we are dealing with a very simple device driver issue right now just looking at the dump, so please do the following: 1. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver. Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.

Otherwise, since it is at or above the beginning of the MMPFN array, it is interpreted as an address in the array and the command dumps the MMPFN that begins at or contains this address.

This is a heavily overloaded structure which Microsoft has evidently determined should not grow. Over the nearly 20 years of Windows versions that the! What the! The location is especially important for interpreting what shows for flink and blink. For pages whose location is Active or Trans, the four or eight bytes that hold the u1.Flink and u2.Blink members are available for other use, hence their definitions as members of unions. However, the output does not get this share count from the u2.ShareCount member. What shows for flink and blink is only ever obtained from u1. In recent versions, one in bit Windows or both in bit is only a bit field so that what shows for flink and blink is only a portion of what other use is made of the same space.

This is problematic in 64-bit Windows since flink may show just the first 36 bits of a 64-bit pointer. To see the whole pointer, you must resort to some alternative such as dumping the MMPFN in detail by feeding its address to the dt command. Eight single-bit MMPFN members are described in the flagcodes and flagtext placeholders, all but one in both. Additional lines of output are possible between these two representations of 1-bit flags.

Both are outside the present scope of this note. Partition member. Even more information, in this case about large and even huge pages, according to whether PteFrame has any of several special values, will not in practice be seen outside Microsoft—at least not by those of us who have only the public symbol files—since it requires type information for an internal variable named nt!

This also applies, by the way, to LockedDown in what is otherwise the plain-text representation of single-bit flags. When given a non-zero Flags parameter, the! Zero for the PageFrame parameter has a conventional meaning of surveying the MmPfnDatabase from start to end in the straightforward order. Anything other than zero for the PageFrame is a page frame number from which to start the survey, which is then filtered in various ways depending on the starting page and on the Flags. This note presently simplifies by ignoring that the Partition parameter can constrain the survey just to pages that belong to the given partition.

For the straightforward survey of the whole database, give zero for the PageFrame.

Figure: State diagram for page frames.

When the memory manager needs a zero-initialized page to service a demand-zero page fault (a reference to a page that is defined to be all zeros or to a user-mode committed private page that has never been accessed), it first attempts to get one from the zero page list.

If the list is empty, it gets one from the free page list and zeroes the page. If the free list is empty, it goes to the standby list and zeroes that page. One reason zero-initialized pages are required is to meet C2 security requirements. C2 specifies that user-mode processes must be given initialized page frames to prevent them from reading a previous process's memory contents. Therefore, the memory manager gives user-mode processes zeroed page frames unless the page is being read in from a mapped file.

If that's the case, the memory manager prefers to use nonzeroed page frames, initializing them with the data off the disk. The zero page list is populated from the free list by a system thread called the zero page thread (thread 0 in the System process). The zero page thread waits on an event object to signal it to go to work.

When the free list has eight or more pages, this event is signaled. However, the zero page thread will run only if no other threads are running, because the zero page thread runs at priority 0 and the lowest priority that a user thread can be set to is 1. In Windows Server and later, when memory needs to be zeroed as a result of a physical page allocation by a driver that calls MmAllocatePagesForMdl or a Windows application that calls AllocateUserPhysicalPages, or when an application allocates large pages, the memory manager zeroes the memory using a higher-performing function called MiZeroInParallel, which maps larger regions than the zero page thread, which only zeroes a page at a time.

In addition, on multiprocessor systems, it creates additional system threads to perform the zeroing in parallel and in a NUMA-optimized fashion on NUMA platforms. When the memory manager doesn't require a zero-initialized page, it goes first to the free list. If that's empty, it goes to the zeroed list. If the zeroed list is empty, it goes to the standby list. Before the memory manager can use a page frame from the standby list, it must first backtrack and remove the reference from the invalid PTE or prototype PTE that still points to the page frame.

Because entries in the PFN database contain pointers back to the previous user's page table (or to a prototype PTE for shared pages), the memory manager can quickly find the PTE and make the appropriate change.
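The list-selection order described above, as a small C model added here (it is not Windows source and not code from the original page); the structure, list names and function names are hypothetical simplifications. It shows that a demand-zero request is zeroed unless the frame came from the zeroed list, and that a standby frame's old PTE is invalidated before reuse.

```c
#include <string.h>

#define NPAGES 4
#define PAGE_SIZE 16                        /* toy size for the model */
enum list_id { ZEROED, FREE_L, STANDBY, ACTIVE };

struct pfn_entry {                          /* simplified stand-in for a PFN database entry */
    enum list_id list;
    int *pte;                               /* back-pointer to the PTE that still names the frame */
    unsigned char data[PAGE_SIZE];
};
static struct pfn_entry pfn_db[NPAGES];

static int take_from(enum list_id l) {      /* first frame on list l, or -1 if it is empty */
    for (int i = 0; i < NPAGES; i++)
        if (pfn_db[i].list == l) return i;
    return -1;
}

/* need_zero=1: demand-zero fault. need_zero=0: frame will be filled from a mapped file. */
int alloc_frame(int need_zero) {
    static const enum list_id zero_order[] = { ZEROED, FREE_L, STANDBY };
    static const enum list_id any_order[]  = { FREE_L, ZEROED, STANDBY };
    const enum list_id *order = need_zero ? zero_order : any_order;
    for (int k = 0; k < 3; k++) {
        int f = take_from(order[k]);
        if (f < 0) continue;
        if (order[k] == STANDBY && pfn_db[f].pte) {
            *pfn_db[f].pte = 0;             /* invalidate the previous owner's PTE first */
            pfn_db[f].pte = NULL;
        }
        if (need_zero && order[k] != ZEROED)
            memset(pfn_db[f].data, 0, PAGE_SIZE);  /* never expose stale contents */
        pfn_db[f].list = ACTIVE;
        return f;
    }
    return -1;                              /* all three lists empty */
}

/* Constructed scenario: frame 0 free, frame 1 on standby, both holding old data. */
void setup(int *old_pte) {
    memset(pfn_db, 0, sizeof pfn_db);
    for (int i = 0; i < NPAGES; i++) pfn_db[i].list = ACTIVE;
    pfn_db[0].list = FREE_L;  memset(pfn_db[0].data, 'S', PAGE_SIZE);
    pfn_db[1].list = STANDBY; memset(pfn_db[1].data, 'T', PAGE_SIZE);
    pfn_db[1].pte = old_pte;
}

int main(void) { int pte = 1; setup(&pte); return alloc_frame(1) == 0 ? 0 : 1; }
```

With `need_zero` set to 0 the free frame is returned with its old bytes intact, which models the mapped-file case where the frame is overwritten with data from disk before it is made visible.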

When a process has to give up a page out of its working set (either because it referenced a new page and its working set was full or the memory manager trimmed its working set), the page goes to the standby list if the page was clean (not modified) or to the modified list if the page was modified while it was resident. When a process exits, all the private pages go to the free list.

Also, when the last reference to a page file backed section is closed, these pages also go to the free list. A soft fault refers to a page fault satisfied from one of the transition lists. Hard faults refer to a disk-read. The following example is a portion of output you'll see if you start Notepad with Pfmon and then exit. Be sure to notice the summary of page fault activity at the end.

When the modified list gets too big, or if the size of the zeroed and standby lists falls below a minimum threshold (as indicated by the kernel variable MmMinimumFreePages, which is computed at system boot time), one of two system threads is awakened to write pages back to disk and move the pages to the standby list.

One system thread writes out modified pages (MiModifiedPageWriter) to the paging file, and a second one writes modified pages to mapped files (MiMappedPageWriter). Two threads are required to avoid creating a deadlock, which would occur if the writing of mapped file pages caused a page fault that in turn required a free page when no free pages were available (thus requiring the modified page writer to create more free pages).

Both threads run at priority 17 and, after initialization, wait for separate event objects to trigger their operation. The modified page writer event is triggered for one of two reasons: When the number of modified pages exceeds the maximum value computed at system initialization (MmModifiedPageMaximum) currently pages for all systems. The modified page writer waits for an additional event (MiMappedPagesTooOldEvent) that is set after a predetermined number of seconds (MmModifiedPageLifeInSeconds) to indicate that mapped pages (not modified pages) should be written to disk.

By default, this value is 300 seconds (5 minutes). The reason for this additional event is to reduce data loss in the case of a system crash or power failure by eventually writing out modified mapped pages even if the modified list hasn't reached its threshold of pages.

It accomplishes this by examining the original PTE field of the PFN database elements for pages on the modified page list to locate pages in contiguous locations on the disk. Pages that are in the process of being written can be referenced by another thread.

When this happens, the reference count and the share count in the PFN entry that represents the physical page are incremented to indicate that another process is using the page. Although PFN database entries are of fixed length, they can be in several different states, depending on the state of the page.

Thus, individual fields have different meanings depending on the state. The states of a PFN entry are shown in the figure "States of PFN database entries." The following fields appear in more than one PFN type:

Reference count: The number of references to this page. The reference count is decremented when the share count becomes 0 or when pages are unlocked from memory.

When the modified list gets too big, or if the size of the zeroed and standby lists falls below a minimum threshold (as indicated by the kernel variable MmMinimumFreePages, which is computed at system boot time), a system thread called the modified page writer is awakened to write pages back to disk and move the pages to the standby list.

The modified page writer is responsible for limiting the size of the modified page list by writing pages back to disk when the list becomes too big. It consists of two system threads: one to write out modified pages (MiModifiedPageWriter) to the paging file and a second one to write modified pages to mapped files (MiMappedPageWriter). Two threads are required to avoid creating a deadlock, which would occur if the writing of mapped file pages caused a page fault that in turn required a free page when no free pages were available (thus requiring the modified page writer to create more free pages).

Both threads run at priority 17 and, after initialization, wait on separate event objects to trigger their operation. The modified page writer event is triggered for one of two reasons:

When the number of modified pages exceeds the maximum value computed at system initialization (MmModifiedPageMaximum). Table shows the number of pages that trigger the waking of the modified page writer to reduce the size of the modified list and how many pages it leaves on the list. As with other memory management variables, this value is computed at system boot time and depends on the amount of physical memory.

The modified page writer waits on an additional event (MiMappedPagesTooOldEvent) that is set after a predetermined number of seconds (MmModifiedPageLifeInSeconds) to indicate that mapped pages (not modified pages) should be written to disk. By default, this value is 300 seconds (5 minutes). The reason for this additional event is to reduce data loss in the case of a system crash or power failure by eventually writing out modified mapped pages even if the modified list hasn't reached the thresholds listed in Table. It accomplishes this by examining the original PTE field of the PFN database elements for pages on the modified page list to locate pages in contiguous locations on the disk.


Reference count: The number of references to this page. The reference count is decremented when the share count becomes 0 or when pages are unlocked from memory. When the share count becomes 0, the page is no longer owned by a working set. Then, depending on the reference count, the PFN database entry that describes the page is updated to add the page to the free, standby, or modified list.

Saving the contents of the PTE allows it to be restored when the physical page is no longer resident.

Flag: Meaning

Modified state: Indicates whether the page was modified. If the page is modified, its contents must be saved to disk before removing it from memory.

For example, this page is sharable.

Parity error: Indicates that the physical page contains parity or error correction control errors.

Read in progress: Indicates that an in-page operation is in progress for the page.

Write in progress: Indicates that a page write operation is in progress.

Start of nonpaged pool: For nonpaged pool pages, indicates that this is the first PFN for a given nonpaged pool allocation.

End of nonpaged pool: For nonpaged pool pages, indicates that this is the last PFN for a given nonpaged pool allocation.

In this case, the first field in the PFN contains the error code.


