- May 7, 2013
- 10,391
Code:
[COLOR=#ff0000]BugCheck 1A[/COLOR], {[COLOR=#0000cd]41284[/COLOR], 5be07001, 10edf, [COLOR=#008000]fffff70001080000[/COLOR]}
Probably caused by : dxgmms1.sys ( dxgmms1!VIDMM_GLOBAL::CloseLocalAllocation+a7 )
The fourth parameter contains the address of the Working Set List, this can be verified with the !wsle extension, and then applying the same extension to the address of the current process. I'm assuming the third paramter may be a WSLE index.
Code:
0: kd> [COLOR=#008000]!wsle fffff70001080000[/COLOR]
Working Set @ [COLOR=#ff0000]fffff70001080000[/COLOR]
FirstFree 2dd88 FirstDynamic 0
LastEntry 367f7 NextSlot 0 LastInitialized 5
NonDirect 0 HashTable 0 HashTableSize 0
Now, apply the same debugger extension to the current process address which is firefox.exe.
Code:
0: kd> [COLOR=#008000]!wsle fffffa800787ab30[/COLOR]
Working Set @ [COLOR=#ff0000]fffff70001080000[/COLOR]
FirstFree 2dd88 FirstDynamic 0
LastEntry 367f7 NextSlot 0 LastInitialized 5
NonDirect 0 HashTable 0 HashTableSize 0
If we apply the dd command to the address of the Working Set List, then we can see the entries specified above:
Code:
0: kd> [COLOR=#008000]dd fffff70001080000[/COLOR]
fffff700`01080000 [COLOR=#ff8c00]0002dd88 [/COLOR]00000005 [COLOR=#0000cd]000367f7[/COLOR] 00000005
fffff700`01080010 01080488 fffff700 00000000 00000000
fffff700`01080020 0003696e 00020023 00000394 000036ba
fffff700`01080030 00000000 0000fffd 0000fffd 000051c3
fffff700`01080040 00000023 00000000 00000000 00000000
fffff700`01080050 40001000 fffff704 41004fe4 fffff706
fffff700`01080060 00000800 00000004 01000000 fffff700
fffff700`01080070 00000003 00000000 0000000b 00000000
All Working Set List Entries are stored within an array, each page is represented with a _MMWSLE data structure.
Code:
0: kd> [COLOR=#008000]dt nt!_MMWSLE -b[/COLOR]
+0x000 u1 : <unnamed-tag>
+0x000 VirtualAddress : Ptr64
+0x000 Long : Uint8B
+0x000 e1 : [COLOR=#ff0000]_MMWSLENTRY[/COLOR]
+0x000 Valid : Pos 0, 1 Bit
+0x000 Spare : Pos 1, 1 Bit
+0x000 Hashed : Pos 2, 1 Bit
+0x000 Direct : Pos 3, 1 Bit
+0x000 Protection : Pos 4, 5 Bits
+0x000 Age : Pos 9, 3 Bits
+0x000 VirtualPageNumber : Pos 12, 52 Bits
+0x000 e2 : [COLOR=#ff0000]_MMWSLE_FREE_ENTRY[/COLOR]
+0x000 MustBeZero : Pos 0, 1 Bit
+0x000 PreviousFree : Pos 1, 31 Bits
+0x000 NextFree : Pos 32, 32 Bits
We can view the x64 Kernel Address Space within the custom debugger extension !cmkd.kvas:
Code:
0: kd> [COLOR=#008000]!kvas[/COLOR]
### Start End Length Type
000 ffff080000000000 fffff67fffffffff ee8000000000 ( 238 TB) SystemSpace
001 fffff68000000000 fffff6ffffffffff 8000000000 ( 512 GB) PageTables
002 [COLOR=#ff0000]fffff70000000000[/COLOR] fffff77fffffffff 8000000000 ( 512 GB) HyperSpace
003 fffff78000000000 fffff78000000fff 1000 ( 4 KB) SharedSystemPage
004 fffff78000001000 fffff7ffffffffff 7ffffff000 ( 511 GB) CacheWorkingSet
005 fffff80000000000 fffff87fffffffff 8000000000 ( 512 GB) LoaderMappings
006 fffff88000000000 fffff89fffffffff 2000000000 ( 128 GB) SystemPTEs
007 fffff8a000000000 fffff8bfffffffff 2000000000 ( 128 GB) PagedPool
008 fffff90000000000 fffff97fffffffff 8000000000 ( 512 GB) SessionSpace
009 fffff98000000000 fffffa7fffffffff 10000000000 ( 1 TB) DynamicKernelVa
010 fffffa8000000000 fffffa8003ffffff 4000000 ( 64 MB) PfnDatabase
011 fffffa8004000000 fffffa80b93fffff b5400000 ( 2 GB) NonPagedPool
012 ffffffffffc00000 ffffffffffffffff 400000 ( 4 MB) HalReserved
The Working Set List address maps to the HyperSpace, whereby all the Working Set List Entries are stored. Every process context will share the same Working Set List address.
Code:
0: kd> [COLOR=#008000]dt nt!_EPROCESS Vm.VmWorkingSetList->Wsle fffffa80`0787ab30[/COLOR]
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
To my understanding and from reading an OSR thread, the address 0xfffff700`01080488 is a 64-bit pointer to the _MMWSLE structure.
Code:
0: kd> [COLOR=#008000]dt nt!_EPROCESS Vm.VmWorkingSetList->Wsle[/COLOR]
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : [COLOR=#ff0000]Ptr64[/COLOR] _MMWSLE
Code:
0: kd> [COLOR=#008000]!for_each_process "dt nt!_EPROCESS Vm.vmworkingsetlist->Wsle @#Process;dt nt!_EPROCESS imageFilename @#Process"[/COLOR]
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "System"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "smss.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "csrss.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "wininit.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "csrss.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "winlogon.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "services.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "lsass.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "lsm.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "nvvsvc.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "MsMpEng.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "wlanext.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "conhost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "nvxdsync.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "nvvsvc.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "spoolsv.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "armsvc.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "officeclicktor"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "HiPatchService"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "MsDepSvc.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "sqlservr.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "taskhost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "dwm.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "explorer.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "msseces.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "RAVCpl64.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "NvNetworkServi"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "WLTRAY.EXE"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "NvBackend.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "nvstreamsvc.ex"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "TSVNCache.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "sqlwriter.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "nvtray.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "vmnat.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "WLIDSVC.EXE"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "vmnetdhcp.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "WLIDSVCM.EXE"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "nvstreamsvc.ex"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "conhost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "nvstreamsvc.ex"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "conhost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "wmpnetwk.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "mirc.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "svchost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "wuauclt.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "Skype.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "ssh-agent.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "conhost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "ssh-agent.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "taskhost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "GoogleCrashHan"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "GoogleCrashHan"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "mysqld.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "XBoxStat.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "SearchIndexer."
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "DisplayFusion."
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "Skype.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "Battle.net.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "uTorrent.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "firefox.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "PowerISO.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "PowerISO.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "PowerISO.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "PowerISO.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "AcroRd32.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "Unity.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "adb.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "adb.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "explorer.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "prevhost.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "jp2launcher.ex"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "audiodg.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "Project64.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "SndVol.exe"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "plugin-contain"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "FlashPlayerPlu"
+0x398 Vm :
+0x068 VmWorkingSetList :
+0x010 Wsle : 0xfffff700`01080488 _MMWSLE
+0x2e0 ImageFileName : [15] "FlashPlayerPlu"
If you evaluate the pointers, then it becomes more clear:
Code:
0: kd> [COLOR=#008000].printf "(mmwsl *)%y\n(mmwsle *)%y\n" ,fffff700`01080000,@@masm(poi(0xfffff700`01080488+10))[/COLOR]
(mmwsl *)fffff700`01080000
(mmwsle *)[COLOR=#ff0000]fffff6fb`7dc00049[/COLOR]
Code:
0: kd> [COLOR=#008000]dt nt!_mmwsle u1.e1. (fffff6fb`7dc00049)[/COLOR]
+0x000 u1 :
+0x000 e1 :
+0x000 Valid : 0y0
+0x000 Spare : 0y0
+0x000 Hashed : 0y0
+0x000 Direct : 0y1
+0x000 Protection : 0y10001 (0x11)
+0x000 Age : 0y000
+0x000 VirtualPageNumber : 0y0000000000000000000000000000000000000001010000110010 (0x1432)
The u1 and e1 come the offsets within the data strucutre _MMWSLE:
Code:
0: kd> [COLOR=#008000]dt nt!_MMWSLE -b[/COLOR]
+0x000 [COLOR=#ff0000]u1[/COLOR] : <unnamed-tag>
+0x000 VirtualAddress : Ptr64
+0x000 Long : Uint8B
+0x000 [COLOR=#ff0000]e1 [/COLOR] : _MMWSLENTRY
+0x000 Valid : Pos 0, 1 Bit
+0x000 Spare : Pos 1, 1 Bit
+0x000 Hashed : Pos 2, 1 Bit
+0x000 Direct : Pos 3, 1 Bit
+0x000 Protection : Pos 4, 5 Bits
+0x000 Age : Pos 9, 3 Bits
+0x000 VirtualPageNumber : Pos 12, 52 Bits
+0x000 e2 : _MMWSLE_FREE_ENTRY
+0x000 MustBeZero : Pos 0, 1 Bit
+0x000 PreviousFree : Pos 1, 31 Bits
+0x000 NextFree : Pos 32, 32 Bits
You may need to change the process context for different values, but I haven't tried this yet. To be honest, there is hardly any information about the Working Set data structures and how to use them in a debugging context. The !wsle extension isn't well documented either.
Reference:
OSR's windbg List: !wlse extension