Author: loverboy
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 16 March 2013 at 9:27pm
Just made a livekd -m -o d:\kernel.dmp
This is (part of) what I see in windbg64
0: kd> !vm
*** Virtual Memory Usage ***
Physical Memory: 4187937 ( 16751748 Kb)
Page File: \??\C:\pagefile.sys
Current: 16751748 Kb Free Space: 16671896 Kb
Minimum: 16751748 Kb Maximum: 50255244 Kb
Unimplemented error for MiSystemVaTypeCount
Available Pages: 2981559 ( 11926236 Kb)
ResAvail Pages: 3469232 ( 13876928 Kb)
Locked IO Pages: 0 ( 0 Kb)
Free System PTEs: 33559100 ( 134236400 Kb)
Modified Pages: 482366 ( 1929464 Kb)
Modified PF Pages: 481582 ( 1926328 Kb)
NonPagedPool Usage: 52561155 ( 210244620 Kb)
NonPagedPoolNx Usage: 486639 ( 1946556 Kb)
NonPagedPool Max: 3123220 ( 12492880 Kb)
********** Excessive NonPaged Pool Usage *****
PagedPool 0 Usage: 152158 ( 608632 Kb)
PagedPool 1 Usage: 10768 ( 43072 Kb)
PagedPool 2 Usage: 4100 ( 16400 Kb)
PagedPool 3 Usage: 4097 ( 16388 Kb)
PagedPool 4 Usage: 4083 ( 16332 Kb)
PagedPool Usage: 175206 ( 700824 Kb)
PagedPool Maximum: 33554432 ( 134217728 Kb)
Session Commit: 11907 ( 47628 Kb)
Shared Commit: 225391 ( 901564 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 7973 ( 31892 Kb)
PagedPool Commit: 175268 ( 701072 Kb)
Driver Commit: 7849 ( 31396 Kb)
Committed pages: 1512068 ( 6048272 Kb)
Commit limit: 8375410 ( 33501640 Kb)
<SNIP>
0: kd> !poolused 2
Sorting by NonPaged Pool Consumed
Pool Used:
NonPaged Paged
Tag Allocs Used Allocs Used
MirD 2 1904836608 0 0 UNKNOWN pooltag 'MirD', please update pooltag.txt
File 25765 8565392 0 0 File objects
Ntfx 22153 7202672 0 0 General Allocation , Binary: ntfs.sys
NVRM 18274 6073440 0 0 UNKNOWN pooltag 'NVRM', please update pooltag.txt
MmCa 21363 5426016 0 0 Mm control areas for mapped files , Binary: nt!mm
73.. 717 5072144 0 0 UNKNOWN pooltag ' 73', please update pooltag.txt
FMsl 22092 4241664 0 0 STREAM_LIST_CTRL structure , Binary: fltmgr.sys
<SNIP>
RngS 0 0 1 128 UNKNOWN pooltag 'RngS', please update pooltag.txt
CM27 0 0 11 21808 Internal Configuration manager allocations , Binary: nt!cm
CM17 0 0 10 163840 Internal Configuration manager allocations , Binary: nt!cm
SePa 0 0 1 32 Process audit image names and captured polity structures , Binary: nt!se
TOTAL 210020 1989587984 322859 701114128
If I search for MirD in folder C:\Windows\System32\drivers I find it in gm.dls
There is also a readme file that says
-------------------------------------------------------------------------
GMREADME.TXT
Copyright (c) 1998-2000 Microsoft Corporation. All Rights Reserved.
------------
The GM.DLS file contains the Roland SoundCanvas Sound Set which is
protected under the following copyright:
Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation U.S.
The Roland SoundCanvas Sound Set is licensed under Microsoft's
End User License Agreement for use with Microsoft operating
system products only. All other uses require a separate written
license from Roland.
-------------------------------------------------------------------------
So windbg gives another different result (210244620 Kb) with respect to what RAMMap and Process Explorer/Hacker give...
Any idea?
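
A consistency check over the figures quoted in the post above, as an added example that is not part of the original post: it parses the `!vm` counters and the `!poolused 2` rows, flags any counter larger than physical memory, and converts the per-tag byte total to Kb so it can be set beside the `!vm` values. The function names are hypothetical; the sample lines are copied from the output in the post.

```python
import re

# Lines copied from the !vm and !poolused 2 output quoted in the post.
VM_OUTPUT = """\
Physical Memory: 4187937 ( 16751748 Kb)
NonPagedPool Usage: 52561155 ( 210244620 Kb)
NonPagedPoolNx Usage: 486639 ( 1946556 Kb)
NonPagedPool Max: 3123220 ( 12492880 Kb)
PagedPool Usage: 175206 ( 700824 Kb)
"""
POOLUSED_OUTPUT = """\
MirD 2 1904836608 0 0 UNKNOWN pooltag 'MirD', please update pooltag.txt
File 25765 8565392 0 0 File objects
Ntfx 22153 7202672 0 0 General Allocation , Binary: ntfs.sys
TOTAL 210020 1989587984 322859 701114128
"""

VM_RE = re.compile(r"^(.+?):\s+(\d+)\s+\(\s*(\d+)\s+Kb\)$")
POOL_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_vm(text):
    """Return {counter: (pages, kb)} for each 'name: pages ( kb Kb)' line."""
    out = {}
    for line in text.splitlines():
        m = VM_RE.match(line.strip())
        if m:
            out[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out

def implausible(vm):
    """Counters whose Kb value is larger than the reported physical memory."""
    phys_kb = vm["Physical Memory"][1]
    return sorted(name for name, (_, kb) in vm.items() if kb > phys_kb)

def parse_poolused(text):
    """Return {tag: (nonpaged_bytes, paged_bytes)}, TOTAL row included."""
    rows = {}
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            rows[m.group(1)] = (int(m.group(3)), int(m.group(5)))
    return rows

def top_nonpaged(rows, n=1):
    """The n tags holding the most nonpaged bytes, largest first."""
    tags = [(t, b[0]) for t, b in rows.items() if t != "TOTAL"]
    return sorted(tags, key=lambda item: -item[1])[:n]

def total_nonpaged_kb(rows):
    """Nonpaged bytes from the TOTAL row, in whole Kb."""
    return rows["TOTAL"][0] // 1024
```

On the quoted numbers, only `NonPagedPool Usage` exceeds physical memory, and the `!poolused` total comes to 1942957 Kb, which sits beside the 1946556 Kb reported for `NonPagedPoolNx Usage`.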