MiUnmapViewOfSection?

Patrick · Aug 17, 2013

Hi friends,

Recently in a PAGE_FAULT_IN_NONPAGED_AREA (50) dump I was perusing, I saw the following in the stack:

Code:

0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`06fbe688 fffff800`02d5752b : 00000000`00000050 fffffa00`0659b0c8 00000000`00000000 fffff880`06fbe7f0 : nt!KeBugCheckEx
fffff880`06fbe690 fffff800`02cd8d2e : 00000000`00000000 fffffa00`0659b0c8 fffff680`00339000 00000000`00353402 : nt! ?? ::FNODOBFM::`string'+0x43781
fffff880`06fbe7f0 fffff800`02de1a5c : 00000000`671ff000 fffffa80`0659b050 fffff880`06fbea30 fffff800`02dc68a6 : nt!KiPageFault+0x16e (TrapFrame @ fffff880`06fbe7f0)
fffff880`06fbe980 fffff800`02d510c5 : fffffa80`04499680 00000003`00000000 00000000`0061b402 fffffa00`0659b0c8 : nt!MiEmptyPageAccessLog+0xdc
fffff880`06fbe9f0 fffff800`02ff51c1 : fffffa80`07ff0450 00000000`00000000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x3aa06
fffff880`06fbeb10 fffff800`02ff55c3 : 0000007f`00000000 00000000`67120000 fffffa80`00000001 fffffa80`0659b010 : nt!MiUnmapViewOfSection+0x1b1
fffff880`06fbebd0 fffff800`02cd9e93 : 00000000`00000000 00000000`671221b4 fffffa80`04499680 00000000`0ecfc900 : nt!NtUnmapViewOfSection+0x5f
fffff880`06fbec20 00000000`76f615ba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06fbec20)
00000000`11c4e4e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f615ba

We can see that there are some virtual memory routines being called, but what the heck is MiUnmapViewOfSection?

I know that NtUnmapViewOfSection is called if the parameters might be from either a user-mode source or a kernel-mode source. And I know that ZwUnmapViewOfSection is called to inform the routine that the parameters come from a trusted, kernel-mode source. That way the parameters don't need validation before being used.

What's the Mi prefix???

niemiro · Aug 18, 2013

You can find the full list of these prefixes in Windows Internals. In edition 5, it's page 72-73 (I don't have a copy of edition 6 on me, but it's presumably similar)

Anyway, if you look at the list, you'll see Lsa (Local Security Authority); Mm (Memory manager); Nt (Nt system services).

But no Mi. Why? You'll need to read the previous paragraph:

"...either the first letter of the prefix followed by an i "for internal", or the full prefix followed by a p (for private)."

So, Mi should be an internal Memory Manager function.

Richard

Patrick · Aug 19, 2013

Oops, never saw your reply!

Thank you very much Richard, much appreciated! :hug:

Search

Search

MiUnmapViewOfSection?

Patrick

Sysnative Staff

niemiro

Senior Administrator, Windows Update Expert

Patrick

Sysnative Staff