[SUGGESTION] Stop 0x1A - Working Set List and Entries

x BlueRobot

Code:
BugCheck 1A, {41284, 5be07001, 10edf, fffff70001080000}

Probably caused by : dxgmms1.sys ( dxgmms1!VIDMM_GLOBAL::CloseLocalAllocation+a7 )

The fourth parameter contains the address of the Working Set List. This can be verified by running the !wsle extension on that address and then applying the same extension to the address of the current process. I'm assuming the third parameter may be a WSLE index.

Code:
0: kd> !wsle fffff70001080000

Working Set @ fffff70001080000
    FirstFree    2dd88  FirstDynamic        0
    LastEntry    367f7  NextSlot            0  LastInitialized        5
    NonDirect        0  HashTable           0  HashTableSize          0

Now, apply the same debugger extension to the current process address which is firefox.exe.

Code:
0: kd> !wsle fffffa800787ab30

Working Set @ fffff70001080000
    FirstFree    2dd88  FirstDynamic        0
    LastEntry    367f7  NextSlot            0  LastInitialized        5
    NonDirect        0  HashTable           0  HashTableSize          0

If we apply the dd command to the address of the Working Set List, then we can see the entries specified above:

Code:
0: kd> dd fffff70001080000
fffff700`01080000  0002dd88 00000005 000367f7 00000005
fffff700`01080010  01080488 fffff700 00000000 00000000
fffff700`01080020  0003696e 00020023 00000394 000036ba
fffff700`01080030  00000000 0000fffd 0000fffd 000051c3
fffff700`01080040  00000023 00000000 00000000 00000000
fffff700`01080050  40001000 fffff704 41004fe4 fffff706
fffff700`01080060  00000800 00000004 01000000 fffff700
fffff700`01080070  00000003 00000000 0000000b 00000000

All Working Set List Entries are stored within an array; each page is represented by an _MMWSLE data structure.

Code:
0: kd> dt nt!_MMWSLE -b
   +0x000 u1               : <unnamed-tag>
      +0x000 VirtualAddress   : Ptr64 
      +0x000 Long             : Uint8B
      +0x000 e1               : _MMWSLENTRY
         +0x000 Valid            : Pos 0, 1 Bit
         +0x000 Spare            : Pos 1, 1 Bit
         +0x000 Hashed           : Pos 2, 1 Bit
         +0x000 Direct           : Pos 3, 1 Bit
         +0x000 Protection       : Pos 4, 5 Bits
         +0x000 Age              : Pos 9, 3 Bits
         +0x000 VirtualPageNumber : Pos 12, 52 Bits
      +0x000 e2               : _MMWSLE_FREE_ENTRY
         +0x000 MustBeZero       : Pos 0, 1 Bit
         +0x000 PreviousFree     : Pos 1, 31 Bits
         +0x000 NextFree         : Pos 32, 32 Bits

We can view the x64 kernel address space with the custom debugger extension !cmkd.kvas:

Code:
0: kd> !kvas
### Start            End                                  Length Type    
000 ffff080000000000 fffff67fffffffff     ee8000000000 ( 238 TB) SystemSpace
001 fffff68000000000 fffff6ffffffffff       8000000000 ( 512 GB) PageTables
002 fffff70000000000 fffff77fffffffff       8000000000 ( 512 GB) HyperSpace
003 fffff78000000000 fffff78000000fff             1000 (   4 KB) SharedSystemPage
004 fffff78000001000 fffff7ffffffffff       7ffffff000 ( 511 GB) CacheWorkingSet
005 fffff80000000000 fffff87fffffffff       8000000000 ( 512 GB) LoaderMappings
006 fffff88000000000 fffff89fffffffff       2000000000 ( 128 GB) SystemPTEs
007 fffff8a000000000 fffff8bfffffffff       2000000000 ( 128 GB) PagedPool
008 fffff90000000000 fffff97fffffffff       8000000000 ( 512 GB) SessionSpace
009 fffff98000000000 fffffa7fffffffff      10000000000 (   1 TB) DynamicKernelVa
010 fffffa8000000000 fffffa8003ffffff          4000000 (  64 MB) PfnDatabase
011 fffffa8004000000 fffffa80b93fffff         b5400000 (   2 GB) NonPagedPool
012 ffffffffffc00000 ffffffffffffffff           400000 (   4 MB) HalReserved

The Working Set List address maps into HyperSpace, where all the Working Set List Entries are stored. Every process context will share the same Working Set List address.

Code:
0: kd> dt nt!_EPROCESS Vm.VmWorkingSetList->Wsle fffffa80`0787ab30
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE

To my understanding and from reading an OSR thread, the address 0xfffff700`01080488 is a 64-bit pointer to the _MMWSLE structure.

Code:
0: kd> dt nt!_EPROCESS Vm.VmWorkingSetList->Wsle
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : Ptr64 _MMWSLE

Code:
0: kd> !for_each_process "dt nt!_EPROCESS Vm.vmworkingsetlist->Wsle @#Process;dt nt!_EPROCESS imageFilename @#Process"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "System"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "smss.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "csrss.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "wininit.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "csrss.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "winlogon.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "services.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "lsass.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "lsm.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "nvvsvc.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "MsMpEng.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "wlanext.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "conhost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "nvxdsync.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "nvvsvc.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "spoolsv.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "armsvc.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "officeclicktor"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "HiPatchService"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "MsDepSvc.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "sqlservr.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "taskhost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "dwm.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "explorer.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "msseces.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "RAVCpl64.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "NvNetworkServi"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "WLTRAY.EXE"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "NvBackend.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "nvstreamsvc.ex"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "TSVNCache.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "sqlwriter.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "nvtray.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "vmnat.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "WLIDSVC.EXE"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "vmnetdhcp.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "WLIDSVCM.EXE"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "nvstreamsvc.ex"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "conhost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "nvstreamsvc.ex"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "conhost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "wmpnetwk.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "mirc.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "svchost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "wuauclt.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "Skype.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "ssh-agent.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "conhost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "ssh-agent.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "taskhost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "GoogleCrashHan"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "GoogleCrashHan"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "mysqld.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "XBoxStat.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "SearchIndexer."
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "DisplayFusion."
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "Skype.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "Battle.net.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "uTorrent.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "firefox.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "PowerISO.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "PowerISO.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "PowerISO.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "PowerISO.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "AcroRd32.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "Unity.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "adb.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "adb.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "explorer.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "prevhost.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "jp2launcher.ex"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "audiodg.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "Project64.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "SndVol.exe"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "plugin-contain"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "FlashPlayerPlu"
   +0x398 Vm                        : 
      +0x068 VmWorkingSetList          : 
         +0x010 Wsle                      : 0xfffff700`01080488 _MMWSLE
   +0x2e0 ImageFileName : [15]  "FlashPlayerPlu"

If you evaluate the pointers, then it becomes more clear:

Code:
0: kd> .printf "(mmwsl *)%y\n(mmwsle *)%y\n" ,fffff700`01080000,@@masm(poi(0xfffff700`01080488+10))
(mmwsl *)fffff700`01080000
(mmwsle *)fffff6fb`7dc00049

Code:
0: kd> dt nt!_mmwsle u1.e1. (fffff6fb`7dc00049)
   +0x000 u1     : 
      +0x000 e1     : 
         +0x000 Valid  : 0y0
         +0x000 Spare  : 0y0
         +0x000 Hashed : 0y0
         +0x000 Direct : 0y1
         +0x000 Protection : 0y10001 (0x11)
         +0x000 Age    : 0y000
         +0x000 VirtualPageNumber : 0y0000000000000000000000000000000000000001010000110010 (0x1432)

The u1 and e1 come from the offsets within the data structure _MMWSLE:

Code:
0: kd> dt nt!_MMWSLE -b
   +0x000 u1               : <unnamed-tag>
      +0x000 VirtualAddress   : Ptr64 
      +0x000 Long             : Uint8B
      +0x000 e1               : _MMWSLENTRY
         +0x000 Valid            : Pos 0, 1 Bit
         +0x000 Spare            : Pos 1, 1 Bit
         +0x000 Hashed           : Pos 2, 1 Bit
         +0x000 Direct           : Pos 3, 1 Bit
         +0x000 Protection       : Pos 4, 5 Bits
         +0x000 Age              : Pos 9, 3 Bits
         +0x000 VirtualPageNumber : Pos 12, 52 Bits
      +0x000 e2               : _MMWSLE_FREE_ENTRY
         +0x000 MustBeZero       : Pos 0, 1 Bit
         +0x000 PreviousFree     : Pos 1, 31 Bits
         +0x000 NextFree         : Pos 32, 32 Bits

You may need to change the process context for different values, but I haven't tried this yet. To be honest, there is hardly any information about the Working Set data structures and how to use them in a debugging context. The !wsle extension isn't well documented either.

Reference:

OSR's windbg List: !wlse extension
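
Added example, not part of the original post: a small offline Python helper that reads the `dd` rows shown above, pulls out FirstFree, LastEntry and the Wsle pointer, checks that the pointer lies in the HyperSpace range from the !kvas listing, and decodes a 64-bit _MMWSLE value through both union views. The function names are hypothetical, and the raw value `0x1432118` is reconstructed from the bitfields printed in the post, not read from the dump.

```python
import re

# First two rows of the `dd fffff70001080000` output, copied from the post.
DD_OUTPUT = """\
fffff700`01080000  0002dd88 00000005 000367f7 00000005
fffff700`01080010  01080488 fffff700 00000000 00000000
"""

# HyperSpace bounds taken from the !kvas listing in the post.
HYPERSPACE = (0xFFFFF70000000000, 0xFFFFF77FFFFFFFFF)

# Raw _MMWSLE value rebuilt from the fields shown by `dt nt!_mmwsle u1.e1.`
# (Direct=1, Protection=0x11, VirtualPageNumber=0x1432); constructed here.
SAMPLE_WSLE = 0x1432118


def parse_dd(text):
    """Turn WinDbg `dd` rows into a {address: dword} map."""
    mem = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]{8})`([0-9a-f]{8})\s+(.*)", line.strip(), re.I)
        if not m:
            continue  # skip prompts and blank lines
        base = int(m.group(1) + m.group(2), 16)
        for i, word in enumerate(m.group(3).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem


def read_qword(mem, addr):
    """dd prints little-endian dwords: low half first, then high half."""
    return mem[addr] | (mem[addr + 4] << 32)


def bits(value, pos, width):
    """Extract `width` bits starting at bit `pos`."""
    return (value >> pos) & ((1 << width) - 1)


def decode_mmwsle(raw):
    """Decode one entry using the bit positions from `dt nt!_MMWSLE -b`."""
    return {
        "e1": {  # _MMWSLENTRY: an in-use slot
            "Valid": bits(raw, 0, 1),
            "Spare": bits(raw, 1, 1),
            "Hashed": bits(raw, 2, 1),
            "Direct": bits(raw, 3, 1),
            "Protection": bits(raw, 4, 5),
            "Age": bits(raw, 9, 3),
            "VirtualPageNumber": bits(raw, 12, 52),
        },
        "e2": {  # _MMWSLE_FREE_ENTRY: a slot on the free list
            "MustBeZero": bits(raw, 0, 1),
            "PreviousFree": bits(raw, 1, 31),
            "NextFree": bits(raw, 32, 32),
        },
    }


def wsl_summary(mem, wsl_addr):
    """Read the header fields the post highlights, plus the Wsle pointer."""
    wsle = read_qword(mem, wsl_addr + 0x10)  # +0x010 Wsle : Ptr64 _MMWSLE
    return {
        "FirstFree": mem[wsl_addr],      # first dword of the dump
        "LastEntry": mem[wsl_addr + 8],  # third dword of the dump
        "Wsle": wsle,
        "WsleInHyperSpace": HYPERSPACE[0] <= wsle <= HYPERSPACE[1],
    }


if __name__ == "__main__":
    summary = wsl_summary(parse_dd(DD_OUTPUT), 0xFFFFF70001080000)
    print({k: hex(v) if isinstance(v, int) else v for k, v in summary.items()})
    print(decode_mmwsle(SAMPLE_WSLE))
```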
 
