Reposted: Analysis of the Windows 2000/XP Process Working Set

xiaoxiao2021-03-06  94

In "Resolving Windows 2000/XP Physical Memory Management" I described the page frame (PFN) database in detail: in terms of how physical memory is organized and managed, it keeps one entry per physical page that tracks that page's state and related information. The PFN database by itself, however, does not coordinate how physical memory is shared. Windows is a multi-tasking operating system and physical memory is a comparatively scarce resource, so to stop a single process (or the system) from exhausting it, the concept of a working set was introduced. The working set is a fairly important term in memory management. Windows 2000/XP usually distinguishes two kinds, process working sets and the system working set, which track the physical memory in use by each process and by the system respectively; with the introduction of Terminal Services, a further session working set tracks the physical memory used by each session. This article starts from the internal organization of the process working set and briefly explains how working sets are organized and managed in Windows 2000/XP. EPROCESS is the structure that describes a process, so starting from EPROCESS we should be able to find how the process working set is represented. In fact, the MMSUPPORT sub-structure inside EPROCESS holds the key state linking the process to the memory subsystem, and the process working set naturally lives there.
In early kernel versions this content was not gathered into an MMSUPPORT structure, and the definition of MMSUPPORT differs between versions; the definition below is from Windows XP Build 2600 SP0 (all structures in this article may apply only to this version):

    typedef struct _MMSUPPORT {
        LARGE_INTEGER   LastTrimTime;
        MMSUPPORT_FLAGS Flags;
        ULONG           PageFaultCount;
        ULONG           PeakWorkingSetSize;
        ULONG           WorkingSetSize;
        ULONG           MinimumWorkingSetSize;
        ULONG           MaximumWorkingSetSize;
        PMMWSL          VmWorkingSetList;
        LIST_ENTRY      WorkingSetExpansionLinks;
        ULONG           Claim;
        ULONG           NextEstimationSlot;
        ULONG           NextAgingSlot;
        ULONG           EstimatedAvailable;
        ULONG           GrowthSinceLastEstimate;
    } MMSUPPORT, *PMMSUPPORT;

In MMSUPPORT, PeakWorkingSetSize, WorkingSetSize, MinimumWorkingSetSize and MaximumWorkingSetSize give the peak size of this process's working set, its current size, and the maximum and minimum sizes the working set is allowed to have. Perfmon.msc and Task Manager (Taskmgr.exe) can track these values for each process. The Win32 APIs GetProcessWorkingSetSize(Ex) and SetProcessWorkingSetSize(Ex) read or set MinimumWorkingSetSize and MaximumWorkingSetSize, given a process handle opened with the corresponding PROCESS_QUERY_INFORMATION or PROCESS_SET_QUOTA access right.

When a process is created its working set is initially empty; CreateProcess and the routines beneath it are responsible for initializing the process working set during process creation. They allocate a physical page and then call MiInitializeWorkingSetList to initialize the working set list; the latter takes the EPROCESS as its parameter and initializes the MMSUPPORT structure mentioned above. Here we must mention a very important member, VmWorkingSetList (structure MMWSL), defined as follows:

    0x000 Quota                       : Uint4B
    0x004 FirstFree                   : Uint4B
    0x008 FirstDynamic                : Uint4B
    0x00c LastEntry                   : Uint4B
    0x010 NextSlot                    : Uint4B
    0x014 Wsle                        : Ptr32 _MMWSLE
    0x018 LastInitializedWsle         : Uint4B
    0x01c NonDirectCount              : Uint4B
    0x020 HashTable                   : Ptr32 _MMWSLE_HASH
    0x024 HashTableSize               : Uint4B
    0x028 NumberOfCommittedPageTables : Uint4B
    0x02c HashTableStart              : Ptr32 Void
    0x030 HighestPermittedHashAddress : Ptr32 Void
    0x034 NumberOfImageWaiters        : Uint4B
    0x038 VadBitMapHint               : Uint4B
    0x03c UsedPageTableEntries        : [768] Uint2B
    0x63c CommittedPageTables         : [24] Uint4B

For efficiency, Windows 2000/XP maps this structure at a fixed virtual address, designated by the kernel variable MmWorkingSetList; in fact MiInitializeWorkingSetList refers to the VmWorkingSetList member of MMSUPPORT directly through it. MmWorkingSetList lies in the kernel area (0xc0503000 in Windows XP Build 2600 Professional). The kernel area is normally shared by all processes, but clearly the working set list that MmWorkingSetList designates is mapped differently in each process and therefore has different contents in each; this is the same arrangement as the process page directory and page tables, which I examined in detail in "A Brief Talk on the Windows NT/2000 Paging Mechanism". The process working set records how the process is using physical memory; in other words, the pages in the working set are resident in physical memory (not paged out to pagefile.sys), so accessing them does not cause a page fault.
VirtualLock can be used to bring a page into the process working set. Conversely, how does the system know whether a given page (identified by its virtual address) is present in the process working set? Glancing over the MMWSL definition given above, one can see that Windows 2000/XP uses a hash table to organize these pages. A hash table's fast retrieval is exactly what the frequently accessed working set needs; another example of the same technique is the system's object namespace, see "Analysis of Windows NT/2000 Kernel Objects".

Just as WinDbg has the !object command, it also provides !wsle for dumping a process working set. For example:

    kd> !wsle 7
    Working Set @ c0503000
        FirstFree:   469  FirstDynamic:       7
        LastEntry    46c  NextSlot:           4  LastInitialized   658
        NonDirect    145  HashTable:   c06f4000  HashTableSize     400

    Reading the WSLE data .....

    Virtual Address   Age  Locked  ReferenceCount
    c0300203           0     1       1
    c0301203           0     1       1
    c0502203           0     1       1
    c0504203           0     1       1
    c06f4203           0     1       1
    c06f5203           0     1       1
    c0505203           0     1       1
    c05029             0     1       1
    77c47029           0     0       1
    ...

The !wsle command simply dumps the MMWSLE array that the Wsle member of VmWorkingSetList points to (each element is 32 bits); the Virtual Address column in the !wsle output is the 32-bit value of each WSLE. The following WinDbg commands show this:

    kd> dd MmWorkingSetList l 1    // address of the current process's MMWSL structure, as described earlier in this article

    805467d0  c0503000
    kd> dd c0503000 l 10           // MMWSL contents (layout as defined above)
    c0503000  000003b9 000003ba 00000007 000003b9
    c0503010  00000004 c050369c 00000658 0000014c
                       ^ Wsle: pointer to the MMWSLE array
    c0503020  c06f4000 00000400 0000001a c06f4000
              ^ HashTable (MMWSLE_HASH address)
                       ^ HashTableSize (Uint4B)   (these two values are used below)
    c0503030  c0800000 00000000 0000005c 004d023a
    kd> dd c050369c                // the Virtual Address column printed by !wsle above
                                   // (the working set changes frequently; a slight difference means the system has changed it)
    c050369c  c0300203 c0301203 c0502203 c0503203
    c05036ac  c0504203 c06f4203 c06f5203 c0505203

Each Virtual Address here, for instance c0300203 as shown above, looks like this because the working set tracks memory in page units, so only the upper 20 bits of the 32-bit value are the page address and the low 12 bits are used for other purposes. In Windows XP this 32-bit value is defined as MMWSLENTRY, specifically:

    Valid              : Pos 0, 1 Bit
    LockedInWs         : Pos 1, 1 Bit
    LockedInMemory     : Pos 2, 1 Bit
    Protection         : Pos 3, 5 Bits
    SameProtectAsProto : Pos 8, 1 Bit
    Direct             : Pos 9, 1 Bit
    Age                : Pos 10, 2 Bits
    VirtualPageNumber  : Pos 12, 20 Bits

The !wsle command derives some of the WSLE properties it prints, such as Age and Locked, from these low 12 bits. ReferenceCount lives in the PFN entry; see "Resolving Windows 2000/XP Physical Memory Management". The structure as a whole is now clear, but as mentioned above the working set is accessed very frequently, and finding out whether the page at a given virtual address is in the working set relies on another important member, HashTable. Since lookups go through the HashTable, here is the hash function (anyone interested in how it was obtained can look at how MiInsertWsle is implemented):

    ((PVA >> 0xa) & 0x3fffc) % (HashTableSize - 1)

Here PVA is the page's virtual address and HashTableSize is the size of the current process's working set hash table.
For a given page, how do we quickly find its index into the WSLE array? With a hash table, of course: through the hash table.

That is still abstract, so let us go through a concrete example. From the !wsle output we know that virtual address 77c47000 (the 77c47029 line) is the tenth MMWSLE (that is, index 9), and that this process's working set hash table size is 0x400 (this value can change when MiGrowWsleHash grows the table as needed), so ((77C47029 >> 0xa) & 0x3fffc) % (0x400 - 1) evaluates to 0x9a, which places the page in bucket 0x9a of the hash table (counting from 0); that bucket is located from the HashTable address c06f4000 obtained above. What is the size of each bucket? Each bucket of this hash table is defined as follows (_MMWSLE_HASH):

    0x000 Key   : Uint4B
    0x004 Index : Uint4B

so each bucket is 8 bytes, and we can use the following kd command:

    kd> dd c06f4000+9a*8 l 2
    c06f44d0  77c47000 00000009

The Key value is 77c47000, i.e. the virtual address, and the Index value is 9, which confirms the !wsle output above. This concludes the discussion of how the working set is organized. It should be pointed out that there is much more to working sets in Windows XP than discussed here: the working set hash table is growable (via MiGrowWsleHash), entries are inserted into, changed in and deleted from the hash table, and the working set is trimmed (via MiTrimWorkingSet). Trimming in particular relates to the reasonable use of physical memory mentioned at the beginning of the article, preventing one process (or the system) from consuming too much: a process's use of physical memory is bounded by the working set's maximum and minimum values and by the quota specified in Quota, and when a process exceeds this range or physical memory runs short, working set trimming is applied. Andrew Tanenbaum's "Modern Operating Systems" introduces a variety of working set trimming algorithms; on uniprocessors Windows 2000/XP uses something closer to LRU (a clock algorithm, like many Unix implementations), which is what the Age value in the output above reflects.
Due to limited conditions I could only experiment on a uniprocessor. For completeness, a brief word on multiprocessors: Windows 2000 uses a FIFO (first in, first out) algorithm, but in some Microsoft material I have seen, Windows XP/.NET Server 2003 seem to use LRU on multiprocessors as well; it seems the Windows kernel is becoming more and more complete. This article only covers the process working set; the system working set and the session working set are broadly similar, and in fact I began writing this only after analysing all three. These concepts and structures were discovered gradually during my own study, and I have never seen any discussion of them at this structural level, so if anything is wrong, please forgive me. Thank you!
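As an added example (not code from the original article), the following C program decodes an MMWSLENTRY value with the bit layout given above and computes the hash bucket for the page from the worked example, so the !wsle and dd output quoted above can be checked by hand. The sample values (entry 77c47029 at index 9, HashTableSize 0x400, HashTable at c06f4000) are taken from the article; the function names are my own. One caveat worth checking: with the mask exactly as printed above, ((0x77c47029 >> 0xa) & 0x3fffc) % 0x3ff evaluates to 0x198, not 0x9a; the bucket 0x9a that the dd output confirms is reproduced only when all bits of the shifted address survive, so wsle_hash below drops the mask (marked as an assumption) and wsle_hash_as_printed keeps it for comparison.

```c
/* Added example, not from the original article: decode a WSLE entry and
 * locate its hash bucket using the XP build 2600 layouts quoted in the text.
 * Sample values are constructed from the article's !wsle / dd output. */
#include <stdint.h>
#include <stdio.h>

/* MMWSLENTRY bit fields as listed in the article. */
typedef struct wsle_entry {
    uint32_t valid;                 /* bit 0 */
    uint32_t locked_in_ws;          /* bit 1  : the "Locked" column of !wsle */
    uint32_t locked_in_memory;      /* bit 2 */
    uint32_t protection;            /* bits 3..7 */
    uint32_t same_protect_as_proto; /* bit 8 */
    uint32_t direct;                /* bit 9 */
    uint32_t age;                   /* bits 10..11 : the "Age" column of !wsle */
    uint32_t virtual_page_number;   /* bits 12..31 */
} wsle_entry;

wsle_entry wsle_decode(uint32_t raw)
{
    wsle_entry e;
    e.valid                 = raw & 1u;
    e.locked_in_ws          = (raw >> 1) & 1u;
    e.locked_in_memory      = (raw >> 2) & 1u;
    e.protection            = (raw >> 3) & 0x1fu;
    e.same_protect_as_proto = (raw >> 8) & 1u;
    e.direct                = (raw >> 9) & 1u;
    e.age                   = (raw >> 10) & 3u;
    e.virtual_page_number   = raw >> 12;
    return e;
}

/* Page-aligned virtual address: the Key stored in the _MMWSLE_HASH bucket. */
uint32_t wsle_page_address(uint32_t raw)
{
    return raw & 0xfffff000u;
}

/* Hash exactly as printed in the article:
 * ((PVA >> 0xa) & 0x3fffc) % (HashTableSize - 1). */
uint32_t wsle_hash_as_printed(uint32_t pva, uint32_t hash_table_size)
{
    return ((pva >> 10) & 0x3fffcu) % (hash_table_size - 1);
}

/* Assumption: the same hash without the 18-bit mask. This is the reading
 * that reproduces the article's bucket 0x9a for 77c47000; the as-printed
 * mask gives 0x198 for the same input. */
uint32_t wsle_hash(uint32_t pva, uint32_t hash_table_size)
{
    return (pva >> 10) % (hash_table_size - 1);
}

/* _MMWSLE_HASH is { Key; Index } = 8 bytes, so bucket n is at HashTable + n*8. */
uint32_t wsle_bucket_address(uint32_t hash_table, uint32_t bucket)
{
    return hash_table + bucket * 8u;
}

int main(void)
{
    /* Constructed from the article's sample: entry 77c47029 at WSLE index 9,
     * HashTableSize 0x400, HashTable at c06f4000. */
    const uint32_t raw = 0x77c47029u, table = 0xc06f4000u, size = 0x400u;
    wsle_entry e = wsle_decode(raw);
    uint32_t pva = wsle_page_address(raw);
    uint32_t bucket = wsle_hash(pva, size);

    printf("VA %08x valid=%u locked=%u age=%u protection=%u\n",
           (unsigned)pva, (unsigned)e.valid, (unsigned)e.locked_in_ws,
           (unsigned)e.age, (unsigned)e.protection);
    printf("bucket 0x%x at %08x (as-printed formula gives 0x%x)\n",
           (unsigned)bucket, (unsigned)wsle_bucket_address(table, bucket),
           (unsigned)wsle_hash_as_printed(pva, size));
    return 0;
}
```

Compile with any C99 compiler and run; the bucket address it prints, c06f44d0, is the address that the dd command above reads, and the decoded Locked and Age bits match the !wsle columns for both a kernel entry (c0300203: Locked 1) and the user entry (77c47029: Locked 0).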

Please credit the original source when reposting: https://www.9cbs.com/read-122024.html
