Memory Management
Chapter 5
Memory Manager Components
The memory manager is part of the Windows executive and therefore exists in the file
Ntoskrnl.exe. It's the largest component in the executive, hinting at its importance and complexity. No parts of the memory manager exist in the HAL.The memory manager consists of the following components:
A set of executive system services for allocating, deallocating, and managing virtual memory, most of which are exposed through the Windows API or kernel-mode device driver interfaces
A translation-not-valid and access fault trap handler for resolving hardware-detected memory-management exceptions and making virtual pages resident on behalf of a process
Six key top-level routines, each running in one of six different kernel-mode threads in the System process:
The balance set manager (
KeBalanceSetManager, priority 17) β This calls an inner routine, the working set manager (MmWorkingSetManager), once per second as well as when free memory falls below a certain threshold. The working set manager drives the overall memory-management policies, such as working set trimming, aging, and modified page writing.The process/stack swapper (
KeSwapProcessOrStack, priority 23) β This performs both process and kernel thread stack inswapping and outswapping. The balance set manager and the thread-scheduling code in the kernel awaken this thread when an inswap or outswap operation needs to take place.The modified page writer (
MiModifiedPageWriter, priority 18) β This writes dirty pages on the modified list back to the appropriate paging files. This thread is awakened when the size of the modified list needs to be reduced.The mapped page writer (
MiMappedPageWriter, priority 18) β This writes dirty pages in mapped files to disk or remote storage. It is awakened when the size of the modified list needs to be reduced or if pages for mapped files have been on the modified list for more than 5 minutes. This second modified page writer thread is necessary because it can generate page faults that result in requests for free pages. If there were no free pages and only one modified page writer thread, the system could deadlock waiting for free pages.The segment dereference thread (
MiDereferenceSegmentThread, priority 19) β This is responsible for cache reduction as well as for page file growth and shrinkage. For example, if there is no virtual address space for paged pool growth, this thread trims the page cache so that the paged pool used to anchor it can be freed for reuse.The zero page thread (
MiZeroPageThread, priority 0) β This zeroes out pages on the free list so that a cache of zero pages is available to satisfy future demand-zero page faults. In some cases, memory zeroing is done by a faster function calledMiZeroInParallel.
Large And Small Pages
Memory management is done in distinct chunks called pages. This is because the hardware memory management unit translates virtual to physical addresses at the granularity of a page. Hence, a page is the smallest unit of protection at the hardware level.
The processors on which Windows runs support two page sizes: small and large. The actual sizes vary based on the processor architecture, and they are listed below:
The primary advantage of large pages is speed of address translation for references to data within the large page. This advantage exists because the first reference to any byte within a large page will cause the hardware's translation look-aside buffer (TLB), to have in its cache the information necessary to translate references to any other byte within the large page.
If small pages are used, more TLB entries are needed for the same range of virtual addresses, thus increasing the recycling of entries as new virtual addresses require translation. This, in turn, means having to go back to the page table structures when references are made to virtual addresses outside the scope of a small page whose translation has been cached. The TLB is a very small cache; thus, large pages make better use of this limited resource.
To take advantage of large pages on systems with more than 2 GB of RAM, Windows maps with large pages the core operating system images (Ntoskrnl.exe and Hal.dll) as well as core operating system data (such as the initial part of non-paged pool and the data structures that describe the state of each physical memory page). Windows also automatically maps I/O space requests (calls by device drivers to
MmMapIoSpace) with large pages if the request is of a satisfactorily large page length and alignment.In addition, Windows allows applications to map their images, private memory, and page fileβbacked sections with large pages (see the
MEM_LARGE_PAGESflag on theVirtualAlloc,VirtualAllocEx, andVirtualAllocExNumafunctions). You can also specify other device drivers to be mapped with large pages by adding a multistring registry valueLargePageDriversto the keyHKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Managementand specifying the names of the drivers as separately null-terminated strings.Attempts to allocate large pages may fail after the operating system has been running for an extended period because the physical memory for each large page must occupy a significant number of physically contiguous small pages. This extent of physical pages must furthermore begin on a large page boundary. Free physical memory does become fragmented as the system runs. This is not a problem for allocations using small pages but can cause large page allocations to fail.
The memory is also always non-pageable because the page file system does not support large pages. Because the memory is non-pageable, the caller is required to have the
SeLockMemoryPrivilegeto be able to allocate using large pages. Also, the allocated memory is not considered part of the process working set nor are large page allocations subject to job-wide limits on virtual memory usage.On Windows 10 version 1607 x64 and Server 2016 systems, large pages may also be mapped with huge pages, which are 1 GB in size. This is done automatically if the allocation size requested is larger than 1 GB, but it does not have to be a multiple of 1 GB. For example, an allocation of 1040 MB would result in using one huge page (1024 MB) plus 8 "normal" large pages (16 MB divided by 2 MB).
There is an unfortunate side effect of large pages. Each page (whether huge, large, or small) must be mapped with a single protection that applies to the entire page. This is because hardware memory protection is on a per-page basis. If a large page contains, for example, both read-only code and read/write data, the page must be marked as read/write, meaning that the code will be writable. As a result, device drivers or other kernel-mode code could, either maliciously or due to a bug, modify what is supposed to be read-only operating system or driver code without causing a memory access violation.
If small pages are used to map the operating system's kernel-mode code, the read-only portions of Ntoskrnl.exe and Hal.dll can be mapped as read-only pages. Using small pages does reduce efficiency of address translation, but if a device driver (or other kernel-mode code) attempts to modify a read-only part of the operating system, the system will crash immediately with the exception information pointing at the offending instruction in the driver. If the write were allowed to occur, the system would likely crash later (in a harder-to-diagnose way) when some other component tried to use the corrupted data.
Internal Synchronization
Like all other components of the Windows executive, the memory manager is fully reentrant and supports simultaneous execution on multiprocessor systems. That is, it allows two threads to acquire resources in such a way that they don't corrupt each other's data.
To accomplish the goal of being fully reentrant, the memory manager uses several different internal synchronization mechanisms, such as spinlocks and interlocked instructions, to control access to its own internal data structures.
Some of the system-wide resources to which the memory manager must synchronize access include:
Dynamically allocated portions of the system virtual address space
System working sets
Kernel memory pools
The list of loaded drivers
The list of paging files
Physical memory lists
Image base randomization address space layout randomization (ASLR) structures
Each individual entry in the page frame number (PFN) database
Per-process memory-management data structures that require synchronization include the following:
Working set lock β This is held while changes are made to the working set list.
Address space lock β This is held whenever the address space is being changed.
Both these locks are implemented using pushlocks.
Memory Manager Services
The memory manager provides a set of system services to allocate and free virtual memory, share memory between processes, map files into memory, flush virtual pages to disk, retrieve information about a range of virtual pages, change the protection of virtual pages, and lock the virtual pages into memory.
Like other Windows executive services, memory-management services allow their caller to supply a process handle indicating the particular process whose virtual memory is to be manipulated. The caller can thus manipulate either its own memory or (with proper permissions) the memory of another process.
The Windows API has four groups of functions for managing memory in applications:
Virtual API β This is the lowest-level API for general memory allocations and deallocations. It always works on page granularity. It is also the most powerful, supporting the full capabilities of the memory manager. Functions include
VirtualAlloc,VirtualFree,VirtualProtect,VirtualLock, and others.Heap API β This provides functions for small allocations (typically less than a page). It uses the Virtual API internally, but adds management on top of it. Heap manager functions include
HeapAlloc,HeapFree,HeapCreate,HeapReAllocand others. The heap manager is discussed in the section "Heap manager" later in this chapter.Local/Global APIs β These are leftovers from 16-bit Windows and are now implemented using the Heap API.
Memory-mapped files β These functions allow mapping files as memory and/or sharing memory between cooperating processes. Memory-mapped file functions include
CreateFileMapping,OpenFileMapping,MapViewOfFile, and others.
The memory manager also provides several services to other kernel-mode components inside the executive as well as to device drivers. These include allocating and deallocating physical memory and locking pages in physical memory for direct memory access (DMA) transfers. These functions begin with the prefix
Mm.In addition, although not strictly part of the memory manager, some executive support routines that begin with
Exare used to allocate and deallocate from the system heaps (paged and non-paged pool) as well as to manipulate look-aside lists.
Page States And Memory Allocation
Pages in a process virtual address space are either free, reserved, committed, or shareable.
Committed and shareable pages are pages that, when accessed, ultimately translate to valid pages in physical memory. Committed pages are also referred to as private pages. This is because committed pages cannot be shared with other processes, whereas shareable pages can be (but might be in use by only one process).
Private pages are allocated through the Windows
VirtualAlloc,VirtualAllocEx, andVirtualAllocExNumafunctions, which lead eventually to the executive in the functionNtAllocateVirtualMemoryinside the memory manager. These functions are capable of committing memory as well as reserving memory.Reserving memory means setting aside a range of contiguous virtual addresses for possible future use (such as an array) while consuming negligible system resources, and then committing portions of the reserved space as needed as the application runs. Or, if the size requirements are known in advance, a process can reserve and commit in the same function call. In either case, the resulting committed pages can then be accessed by any thread in the process.
Attempting to access free or reserved memory results in an access violation exception because the page isn't mapped to any storage that can resolve the reference.
If committed (private) pages have never been accessed before, they are created at the time of first access as zero-initialized pages (or demand zero). Private committed pages may later be automatically written to the paging file by the operating system if required by demand for physical memory. Private refers to the fact that these pages are normally inaccessible to any other process.
Shared pages are usually mapped to a view of a section. This in turn is part or all of a file, but may instead represent a portion of page file space. All shared pages can potentially be shared with other processes. Sections are exposed in the Windows API as file-mapping objects.
When a shared page is first accessed by any process, it will be read in from the associated mapped file unless the section is associated with the paging file, in which case it is created as a zero-initialized page. Later, if it is still resident in physical memory, the second and subsequent processes accessing it can simply use the same page contents that are already in memory. Shared pages might also have been prefetched by the system.
Pages are written to disk through a mechanism called modified page writing. This occurs as pages are moved from a process's working set to a system-wide list called the modified page list. From there, they are written to disk or remote storage. Mapped file pages can also be written back to their original files on disk with an explicit call to
FlushViewOfFileor by the mapped page writer as memory demands dictate.You can decommit private pages and/or release address space with the
VirtualFreeorVirtualFreeExfunction. The difference between decommittal and release is similar to the difference between reservation and committal. Decommitted memory is still reserved, but released memory has been freed; it is neither committed nor reserved.Reserving memory is a relatively inexpensive operation because it consumes very little actual memory. All that needs to be updated or constructed is the relatively small internal data structures that represent the state of the process address space.
One extremely common use for reserving a large space and committing portions of it as needed is the user-mode stack for each thread. When a thread is created, a stack is created by reserving a contiguous portion of the process address space. (The default size is 1 MB but you can override this size with the
CreateThreadandCreateRemoteThread(Ex)function calls or change it on an executable image basis by using the/STACKlinker flag.) By default, the initial page in the stack is committed and the next page is marked as a guard page (which isn't committed) that traps references beyond the end of the committed portion of the stack and expands it.
Commit Charge And Commit Limit
The memory manager keeps track of private committed memory usage on a global basis, termed commitment or commit charge.
There is a system-wide limit, called the system commit limit or simply the commit limit, on the amount of committed virtual memory that can exist at any one time. This limit corresponds to the current total size of all paging files plus the amount of RAM that is usable by the operating system.
The memory manager can increase the commit limit automatically by expanding one or more of the paging files if they are not already at their configured maximum size.
Locking Memory
In general, it's better to let the memory manager decide which pages remain in physical memory. However, there might be special circumstances when it might be necessary for an application or device driver to lock pages in physical memory.
Pages can be locked in memory in two ways:
Windows applications can call the
VirtualLockfunction to lock pages in their process working set. Pages locked using this mechanism remain in memory until explicitly unlocked or until the process that locked them terminates. The number of pages a process can lock can't exceed its minimum working set size minus eight pages. If a process needs to lock more pages, it can increase its working set minimum with theSetProcessWorkingSetSizeExfunction.Device drivers can call the
MmProbeAndLockPages,MmLockPagableCodeSection,MmLockPagableDataSection, orMmLockPagableSectionByHandlekernel-mode functions. Pages locked using this mechanism remain in memory until explicitly unlocked. The last three of these APIs enforce no quota on the number of pages that can be locked in memory because the resident available page charge is obtained when the driver first loads. This ensures that it can never cause a system crash due to overlocking. For the first API, quota charges must be obtained or the API will return a failure status.
Allocation Granularity
Windows aligns each region of reserved process address space to begin on an integral boundary defined by the value of the system allocation granularity, which can be retrieved from the Windows
GetSystemInfoorGetNativeSystemInfofunctions.This value is 64 KB, a granularity that is used by the memory manager to efficiently allocate metadata (for example, VADs, bitmaps, and so on) to support various process operations.
Finally, when a region of address space is reserved, Windows ensures that the size and base of the region is a multiple of the system page size, whatever that might be.
Shared Memory And Mapped Files
Windows provides a mechanism to share memory among processes and the operating system. Shared memory can be defined as memory that is visible to more than one process or that is present in more than one process virtual address space.
For example, if two processes use the same DLL, it would make sense to load the referenced code pages for that DLL into physical memory only once and share those pages between all processes that map the DLL.
Each process would still maintain its private memory areas to store private data but the DLL code and unmodified data pages could be shared without harm.
The underlying primitives in the memory manager used to implement shared memory are called section objects, which are exposed as file-mapping objects in the Windows API. This fundamental primitive in the memory manager is used to map virtual addresses whether in main memory, in the page file, or in some other file that an application wants to access as if it were in memory. A section can be opened by one process or by many. In other words, section objects don't necessarily equate to shared memory.
A section object can be connected to an open file on disk (called a mapped file) or to committed memory (to provide shared memory). Sections mapped to committed memory are called page-file-backed sections because the pages are written to the paging file (as opposed to a mapped file) if demands on physical memory require it. (Because Windows can run with no paging file, page-file-backed sections might in fact be "backed" only by physical memory.) As with any other empty page that is made visible to user mode (such as private committed pages), shared committed pages are always zero-filled when they are first accessed to ensure that no sensitive data is ever leaked.
To create a section object, call the Windows
CreateFileMapping,CreateFileMappingFromApp, orCreateFileMappingNuma(Ex)function, specifying a previously opened file handle to map it to (orINVALID_HANDLE_VALUEfor a page-file-backed section) and optionally a name and security descriptor. If the section has a name, other processes can open it withOpenFileMappingor theCreateFileMapping*functions.Or you can grant access to section objects through either handle inheritance (by specifying that the handle be inheritable when opening or creating the handle) or handle duplication (by using
DuplicateHandle). Device drivers can also manipulate section objects with theZwOpenSection,ZwMapViewOfSection, andZwUnmapViewOfSectionfunctions.A section object can refer to files that are much larger than can fit in the address space of a process. (If the paging file backs a section object, sufficient space must exist in the paging file and/or RAM to contain it.) To access a very large section object, a process can map only the portion of the section object that it requires (called a view of the section) by calling the
MapViewOfFile(Ex),MapViewOfFileFromApp, orMapViewOfFileExNumafunction and then specifying the range to map. Mapping views permits processes to conserve address space because only the views of the section object needed at the time must be mapped into memory.
Protecting Memory
Windows provides memory protection so that no user process can inadvertently or deliberately corrupt the address space of another process or the operating system. Windows provides this protection in four primary ways:
All system-wide data structures and memory pools used by kernel-mode system components can be accessed only while in kernel mode. User-mode threads can't access these pages. If they attempt to do so, the hardware generates a fault, which the memory manager reports to the thread as an access violation.
Each process has a separate, private address space, protected from access by any thread belonging to another process. Even shared memory is not really an exception to this because each process accesses the shared regions using addresses that are part of its own virtual address space. The only exception is if another process has virtual memory read or write access to the process object (or holds
SeDebugPrivilege) and thus can use theReadProcessMemoryorWriteProcessMemoryfunction. Each time a thread references an address, the virtual memory hardware, in concert with the memory manager, intervenes and translates the virtual address into a physical one. By controlling how virtual addresses are translated, Windows can ensure that threads running in one process don't inappropriately access a page belonging to another process.Hardware-controlled memory protection β In addition to the implicit protection offered by virtual-to-physical address translation, all processors supported by Windows provide some form of hardware-controlled memory protection such as read/write, read-only, and so on. (The exact details of such protection vary according to the processor.) For example, code pages in the address space of a process are marked read-only and are thus protected from modification by user threads.
Shared memory section objects have standard Windows access control lists (ACLs) that are checked when processes attempt to open them, thus limiting access of shared memory to those processes with the proper rights. Access control also comes into play when a thread creates a section to contain a mapped file. To create the section, the thread must have at least read access to the underlying file object or the operation will fail. Once a thread has successfully opened a handle to a section, its actions are still subject to the memory manager and the hardware-based page protections described earlier. A thread can change the page-level protection on virtual pages in a section if the change doesn't violate the permissions in the ACL for that section object. For example, the memory manager allows a thread to change the pages of a read-only section to have copy-on-write access but not to have read/write access. The copy-on-write access is permitted because it has no effect on other processes sharing the data.
Data Execution Prevention
Data Execution Prevention (DEP), or no-execute (NX) page protection, causes an attempt to transfer control to an instruction in a page marked as "no execute" to generate an access fault.
If an attempt is made in kernel mode to execute code in a page marked as "no execute," the system will crash with the bug check code
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY(0xFC). If this occurs in user mode, aSTATUS_ACCESS_VIOLATION(0xC0000005) exception is delivered to the thread attempting the illegal reference. If a process allocates memory that needs to be executable, it must explicitly mark such pages by specifying thePAGE_EXECUTE,PAGE_EXECUTE_READ,PAGE_EXECUTE_READWRITE, orPAGE_EXECUTE_WRITECOPYflags on the page-granularity memory-allocation functions.On 32-bit x86 systems that support DEP, bit 63 in the page table entry (PTE) is used to mark a page as non-executable. Therefore, the DEP feature is available only when the processor is running in Physical Address Extension (PAE) mode, without which page table entries are only 32 bits wide. Thus, support for hardware DEP on 32-bit systems requires loading the PAE kernel (
%SystemRoot%\System32\Ntkrnlpa.exe), which currently is the only supported kernel on x86 systems.On ARM systems, DEP is set to AlwaysOn. On 64-bit versions of Windows, execution protection is always applied to all 64-bit processes and device drivers and can be disabled only by setting the
nxBCD option to AlwaysOff. Execution protection for 32-bit programs depends on system configuration settings.On 64-bit Windows, execution protection is applied to thread stacks (both user and kernel mode), user-mode pages not specifically marked as executable, the kernel paged pool, and the kernel session pool. The application of execution protection for 32-bit processes depends on the value of the BCD
nxoption.
Additionally, to provide compatibility with older versions of the Active Template Library (ATL) framework (version 7.1 or earlier), the Windows kernel provides an ATL thunk emulation environment. This environment detects ATL thunk code sequences that have caused the DEP exception and emulates the expected operation. Note that ATL thunk emulation is permanently disabled if the AlwaysOn value is set.
Finally, if the system is in OptIn or OptOut mode and executing a 32-bit process, the
SetProcessDEPPolicyfunction allows a process to dynamically disable DEP or to permanently enable it. When it is enabled through this API, DEP cannot be disabled programmatically for the lifetime of the process. This function can also be used to dynamically disable ATL thunk emulation if the image wasn't compiled with the/NXCOMPATflag. On 64-bit processes or systems booted with AlwaysOff or AlwaysOn, the function always returns a failure.
Copy-on-write
Copy-on-write page protection is an optimization the memory manager uses to conserve physical memory. When a process maps a copy-on-write view of a section object that contains read/write pages, the memory manager delays the copying of pages until the page is written to instead of making a process private copy at the time the view is mapped.
If a thread in either process writes to a page, a memory-management fault is generated. The memory manager sees that the write is to a copy-on-write page, so instead of reporting the fault as an access violation, it does the following:
It allocates a new read/write page in physical memory.
It copies the contents of the original page to the new page.
It updates the corresponding page-mapping information in this process to point to the new location.
It dismisses the exception, causing the instruction that generated the fault to be re-executed. This time, the write operation succeeds.
Each new process that writes to that same shared page will also get its own private copy. Copy-on-write is one example of an evaluation technique called lazy evaluation that the memory manager uses as often as possible. Lazy-evaluation algorithms avoid performing an expensive operation until absolutely required. If the operation is never required, no time is wasted on it.
Address Windowing Extensions
An 32-bit application that needs to make more than 2 GB (or 3 GB) of data easily available in a single process could do so via file mapping, remapping a part of its address space into various portions of a large file. However, significant paging would be involved upon each remap.
For higher performance (and more fine-grained control), Windows provides a set of functions called Address Windowing Extensions (AWE). These functions allow a process to allocate more physical memory than can be represented in its virtual address space. It then can access the physical memory by mapping a portion of its virtual address space into selected portions of the physical memory at various times.
You allocate and use memory via the AWE functions in three steps:
You allocate the physical memory to be used. The application uses the Windows functions
AllocateUserPhysicalPagesorAllocateUserPhysicalPagesNuma. (These require theSeLockMemoryPrivilege.)You create one or more regions of virtual address space to act as windows to map views of the physical memory. The application uses the Win32
VirtualAlloc,VirtualAllocEx, orVirtualAllocExNumafunction with theMEM_PHYSICALflag.Steps 1 and 2 are, generally speaking, initialization steps. To actually use the memory, the application uses
MapUserPhysicalPagesorMapUserPhysicalPagesScatterto map a portion of the physical region allocated in step 1 into one of the virtual regions, or windows, allocated in step 2.
In the figure, the application has created a 256 MB window in its address space and has allocated 4 GB of physical memory. It can then use
MapUserPhysicalPagesorMapUserPhysicalPagesScatterto access any portion of the physical memory by mapping the desired portion of memory into the 256 MB window. The size of the application's virtual address space window determines the amount of physical memory the application can access with any given mapping. To access another portion of the allocated RAM, the application can simply remap the area.AWE is useful for security reasons too, because AWE memory is never paged out, the data in AWE memory can never have a copy in the paging file that someone could examine by rebooting into an alternate operating system. (
VirtualLockprovides the same guarantee for pages in general.)Finally, there are some restrictions on memory allocated and mapped by the AWE functions:
Pages can't be shared between processes.
The same physical page can't be mapped to more than one virtual address.
Page protection is limited to read/write, read-only, and no access.
Kernel Mode Heaps
At system initialization, the memory manager creates two dynamically sized memory pools, or heaps, that most kernel-mode components use to allocate system memory:
Non-paged pool β This consists of ranges of system virtual addresses that are guaranteed to reside in physical memory at all times. Thus, they can be accessed at any time without incurring a page fault; meaning they can be accessed from any IRQL. One of the reasons a non-paged pool is required is because page faults can't be satisfied at DPC/dispatch level or above. Therefore, any code and data that might execute or be accessed at or above DPC/dispatch level must be in non-pageable memory.
Paged pool β This is a region of virtual memory in system space that can be paged into and out of the system. Device drivers that don't need to access the memory from DPC/dispatch level or above can use paged pool. It is accessible from any process context.
Both memory pools are in the system part of the address space and are mapped in the virtual address space of every process. The executive provides routines to allocate and deallocate from these pools. For information on these routines, see the functions that start with
ExAllocatePool,ExAllocatePoolWithTag, andExFreePoolin the Windows Development Kit (WDK) documentation.Systems start with four paged pools, which are combined to make the overall system paged pool, and two non-paged pools. More are created; as many as 64 depending on the number of NUMA nodes on the system. Having more than one paged pool reduces the frequency of system code blocking on simultaneous calls to pool routines.
Additionally, the different pools created are mapped across different virtual address ranges that correspond to different NUMA nodes on the system. The different data structures, such as the large page look-aside lists, to describe pool allocations are also mapped across different NUMA nodes.
In addition to the paged and non-paged pools, there are a few other pools with special attributes or uses. For example, there is a pool region in session space that is used for data that is common to all processes in the session. Allocations from another pool, called special pool, are surrounded by pages marked as "no access" to help isolate problems in code that accesses memory before or after the region of pool it allocated.
Pool Sizes
A non-paged pool starts at an initial size based on the amount of physical memory on the system and then grows as needed. For a non-paged pool, the initial size is 3 percent of system RAM. If this is less than 40 MB, the system will instead use 40 MB as long as 10 percent of RAM results in more than 40 MB. Otherwise, 10 percent of RAM is chosen as a minimum.
Four of these computed sizes are stored in kernel variables in Windows 8.x and Server 2012/R2. Three of these are exposed as performance counters and one is computed only as a performance counter value.
Windows 10 and Server 2016 moved the global variables into fields in a global memory management structure (
MI_SYSTEM_INFORMATION) namedMiState. Within this lies a variable namedVs(of type_MI_VISIBLE_STATE) where this information resides. The global variableMiVisibleStatealso points to thatVsmember
Look-aside Lists
Windows provides a fast memory-allocation mechanism called look-aside lists. The basic difference between pools and look-aside lists is that while general pool allocations can vary in size, a look-aside list contains only fixed-sized blocks. Although the general pools are more flexible in terms of what they can supply, look-aside lists are faster because they don't use any spinlocks.
Executive components and device drivers can create look-aside lists that match the size of frequently allocated data structures by using the
ExInitializeNPagedLookasideList(for non-paged allocations) andExInitializePagedLookasideList(for paged allocation) functions, as documented in the WDK.To minimize the overhead of multiprocessor synchronization, several executive subsystems such as the I/O manager, cache manager, and object manager create separate look-aside lists for each processor for their frequently accessed data structures. The executive also creates a general per-processor paged and non-paged look-aside list for small allocations (256 bytes or less).
If a look-aside list is empty (as it is when it's first created), the system must allocate from the paged or non-paged pool. But if it contains a freed block, the allocation can be satisfied very quickly. (The list grows as blocks are returned to it.)
The pool-allocation routines automatically tune the number of freed buffers that look-aside lists store according to how often a device driver or executive subsystem allocates from the list. The more frequent the allocations, the more blocks are stored on a list. Look-aside lists are automatically reduced in size if they aren't being allocated from. (This check happens once per second when the balance set manager system thread wakes up and calls the
ExAdjustLookasideDepthfunction.)
Heap Manager
Most applications allocate smaller blocks than the 64-KB minimum allocation granularity possible using page-granularity functions such as
VirtualAlloc. Allocating such a large area for relatively small allocations is not optimal from a memory usage and performance standpoint.To address this, Windows provides a component called the heap manager, which manages allocations inside larger memory areas reserved using the page-granularity memory-allocation functions.
The allocation granularity in the heap manager is relatively small: 8 bytes on 32-bit systems, and 16 bytes on 64-bit systems. The heap manager has been designed to optimize memory usage and performance in the case of these smaller allocations.
The heap manager exists in two places:
Ntdll.dllandNtoskrnl.exe. The subsystem APIs (such as the Windows heap APIs) call the functions in Ntdll.dll, and various executive components and device drivers call the functions inNtoskrnl.exe. Its native interfaces (prefixed withRtl) are available only for use in internal Windows components or kernel-mode device drivers.The documented Windows API interfaces to the heap (prefixed with
Heap) are forwarders to the native functions in Ntdll.dll. In addition, legacy APIs (prefixed with eitherLocalorGlobal) are provided to support older Windows applications. These also internally call the heap manager, using some of its specialized interfaces to support legacy behavior.The most common Windows heap functions are:
HeapCreateorHeapDestroyβ These create or delete, respectively, a heap. The initial reserved and committed size can be specified at creation.HeapAllocβ This allocates a heap block. It is forwarded toRtlAllocateHeapin Ntdll.dll.HeapFreeβ This frees a block previously allocated withHeapAlloc.HeapReAllocβ This changes the size of an existing allocation, growing or shrinking an existing block. It is forwarded toRtlReAllocateHeapin Ntdll.dll.HeapLockandHeapUnlockβ These control mutual exclusion to heap operations.HeapWalkβ This enumerates the entries and regions in a heap.
Process Heaps
Each process has at least one heap: the default process heap. The default heap is created at process startup and is never deleted during the process's lifetime. It defaults to 1 MB in size, but you can make it bigger by specifying a starting size in the image file by using the
/HEAPlinker flag.This size is just the initial reserve, however. It will expand automatically as needed. The default heap can be explicitly used by a program or implicitly used by some Windows internal functions. An application can query the default process heap by making a call to the Windows
GetProcessHeapfunction.Processes can also create additional private heaps with the
HeapCreatefunction. When a process no longer needs a private heap, it can recover the virtual address space by callingHeapDestroy. An array with all heaps is maintained in each process, and a thread can query them with the WindowsGetProcessHeapsfunction.A Universal Windows Platform (UWP) app process includes at least three heaps:
The default process heap just described.
A shared heap used to pass large arguments to the process' session Csrss.exe instance. This is created by the
CsrClientConnectToServerNtdll.dll function, which executes early in the process initialization done by Ntdll.dll. The heap handle is available in the global variableCsrPortHeap(in Ntdll.dll).A heap created by the Microsoft C runtime library. Its handle is stored in the global variable
_crtheap(in the msvcrt module). This heap is the one used internally by the C/C++ memory-allocation functions such asmalloc,free,realloc, operatornew/delete, and so on.
A heap can manage allocations either in large memory regions reserved from the memory manager via
VirtualAllocor from memory-mapped file objects mapped in the process address space. The latter approach is rarely used in practice (and is not exposed by the Windows API), but it's suitable for scenarios where the content of the blocks needs to be shared between two processes or between a kernel-mode and a user-mode component. The Win32 GUI subsystem driver (Win32k.sys) uses such a heap for sharing GDI and USER objects with user mode.If a heap is built on top of a memory-mapped file region, certain constraints apply with respect to the component that can call heap functions:
The internal heap structures use pointers, and therefore do not allow remapping to different addresses in other processes.
The synchronization across multiple processes or between a kernel component and a user process is not supported by the heap functions.
In the case of a shared heap between user mode and kernel mode, the user-mode mapping should be read-only to prevent user-mode code from corrupting the heap's internal structures, which would result in a system crash. The kernel-mode driver is also responsible for not putting any sensitive data in a shared heap to avoid leaking it to user mode.
Heap Types
Until Windows 10 and Server 2016, there was just one heap type, which we'll call the NT heap. The NT heap is augmented by an optional front-end layer, which if used, consists of the low-fragmentation heap (LFH). Windows 10 introduced a new heap type called segment heap. The two heap types include common elements but are structured and implemented differently.
By default, the segment heap is used by all UWP apps and some system processes, while the NT heap is used by all other processes.
The NT Heap
The NT heap in user mode is structured in two layers: a front-end layer and the heap back end (sometimes called the heap core).
The back end handles the basic functionality and includes the management of blocks inside segments, the management of the segments, policies for extending the heap, committing and decommitting memory, and management of large blocks.
For user-mode heaps only, a front-end heap layer can exist on top of the core functionality.
Heap Synchronization
The heap manager supports concurrent access from multiple threads by default. However, if a process is single threaded or uses an external mechanism for synchronization, it can tell the heap manager to avoid the overhead of synchronization by specifying the
HEAP_NO_SERIALIZEflag either at heap creation or on a per-allocation basis. If heap synchronization is enabled, there is one lock per heap that protects all internal heap structures.A process can also lock the entire heap and prevent other threads from performing heap operations for operations that would require consistent states across multiple heap calls. For instance, enumerating the heap blocks in a heap with the Windows function
HeapWalkrequires locking the heap if multiple threads can perform heap operations simultaneously. Locking and unlocking a heap can be done with theHeapLockandHeapUnlockfunctions, respectively.
The Low-Fragmentation Heap
The LFH avoids fragmentation by managing allocated blocks in predetermined different block-size ranges called buckets. When a process allocates memory from the heap, the LFH chooses the bucket that maps to the smallest block large enough to hold the required size. (The smallest block is 8 bytes.)
If the allocation is larger than
16,384bytes, the LFH simply forwards it to the underlying heap back end. The above table summarizes the different buckets, their granularity, and the range of sizes they map to.The LFH addresses these issues by using the core heap manager and look-aside lists. The Windows heap manager implements an automatic tuning algorithm that can enable the LFH by default under certain conditions, such as lock contention or the presence of popular size allocations that have shown better performance with the LFH enabled.
For large heaps, a significant percentage of allocations is frequently grouped in a relatively small number of buckets of certain sizes. The allocation strategy used by LFH is to optimize the usage for these patterns by efficiently handling same-size blocks.
To address scalability, the LFH expands the frequently accessed internal structures to a number of slots that is two times larger than the current number of processors on the machine. The assignment of threads to these slots is done by an LFH component called the affinity manager.
Initially, the LFH starts using the first slot for heap allocations; however, if a contention is detected when accessing some internal data, the LFH switches the current thread to use a different slot. Further contentions will spread threads on more slots. These slots are controlled for each size bucket to improve locality and minimize the overall memory consumption.
Even if the LFH is enabled as a front-end heap, the less frequent allocation sizes may continue to use the core heap functions to allocate memory, while the most popular allocation classes will be performed from the LFH. Once the LFH is enabled for a specific heap, it cannot be disabled. The
HeapSetInformationAPI with theHeapCompatibilityInformationclass that was able to remove the LFH layer in Windows 7 and earlier versions of Windows is now ignored.
The Segment Heap
The actual layer that manages an allocation depends on the allocation size as follows:
For small sizes (less than or equal to 16,368 bytes), the LFH allocator is used, but only if the size is determined to be a common one. This is a similar logic to the LFH front layer of the NT heap. If the LFH has not kicked in yet, the variable size (VS) allocator will be used instead.
For sizes less than or equal to 128 KB (and not serviced by the LFH), the VS allocator is used. Both VS and LFH allocators use the back end to create the required heap sub-segments as necessary.
Allocations larger than 128 KB and less than or equal to 508 KB are serviced directly by the heap back end.
Allocations larger than 508 KB are serviced by calling the memory manager directly (
VirtualAlloc) since these are so large that using the default 64 KB allocation granularity (and rounding to the nearest page size) is deemed good enough.
Here is a quick comparison of the two heap implementations:
In some scenarios, the segment heap may be somewhat slower than the NT heap. However, it's likely that future Windows versions would make it on par with the NT heap.
The segment heap has a lower memory footprint for its metadata, making it better suited for low-memory devices such as phones.
The segment heap's metadata is separated from the actual data, while the NT heap's metadata is interspersed with the data itself. This makes the segment heap more secure, as it's more difficult to get to the metadata of an allocation given just a block address.
The segment heap can be used only for a growable heap. It cannot be used with a user-supplied memory mapped file. If such a segment heap creation is attempted, an NT heap is created instead.
Both heaps support LFH-type allocations, but their internal implementation is completely different. The segment heap has a more efficient implementation in terms of memory consumption and performance.
UWP apps use segment heaps by default. This is mainly because of their lower memory footprint, which is suitable for low-memory devices. It's also used with certain system processes based on executable name: csrss.exe, lsass.exe, runtimebroker.exe, services.exe, smss.exe, and svchost.exe.
To enable or disable the segment heap for a specific executable, you can set an Image File Execution Options value named
FrontEndHeapDebugOptions(DWORD):Bit 2 (4) to disable segment heap
Bit 3 (8) to enable segment heap
You can also globally enable or disable the segment heap by adding a value named
Enabled(DWORD) to theHKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heapregistry key. A zero value disables the segment heap and a non-zero value enables it.
Heap Security Features
The metadata used by the heaps for internal management is packed with a high degree of randomization to make it difficult for an attempted exploit to patch the internal structures to prevent crashes or conceal the attack attempt. These blocks are also subject to an integrity-check mechanism on the header to detect simple corruptions such as buffer overruns.
Finally, the heap uses a small degree of randomization of the base address or handle. By using the
HeapSetInformationAPI with theHeapEnableTerminationOnCorruptionclass, processes can opt in for an automatic termination in case of detected inconsistencies to avoid executing unknown code.As an effect of block metadata randomization, using the debugger to simply dump a block header as an area of memory is not that useful. For example, the size of the block and whether it is busy are not easy to spot from a regular dump. The same applies to LFH blocks. They have a different type of metadata stored in the header, also partially randomized.
To dump these details, the
!heap βicommand in the debugger does all the work to retrieve the metadata fields from a block, also flagging checksum or free-list inconsistencies if they exist. The command works for both LFH and regular heap blocks. To set the proper context, the same!heap βicommand with the heap handle as an argument must be executed first.
Segment Heap-Specific Security Features
The segment heap implementation uses many security mechanisms to make it harder to corrupt memory or to allow code injection by an attacker. Here are a few of them:
Fail fast on linked list node corruption β The segment heap uses linked lists to track segments and sub-segments. As with the NT heap, checks are added in the list node insertion and removal to prevent arbitrary memory writes due to corrupted list nodes. If a corrupted node is detected, the process is terminated via a call to
RtlFailFast.Fail fast on red-black (RB) tree node corruption β The segment heap uses RB trees to track free back-end and VS allocations. Node insertion and deletion functions validate the nodes involved or, if corrupted, invoke the fail-fast mechanism.
Function pointer decoding β Some aspects of the segment heap allow for callbacks (in
VsContextandLfhContextstructures, part of the_SEGMENT_HEAPstructure). An attacker can override these callbacks to point to his or her own code. However, the function pointers are encoded by using a XOR function with an internal random heap key and the context address, both of which cannot be guessed in advance.Guard pages β When LFH and VS sub-segments and large blocks are allocated, a guard page is added at the end. This helps to detect overflows and corruption of adjacent data.
Heap Debugging Features
The heap manager includes several features to help detect bugs by using the following heap settings:
Enable tail checking β The end of each block carries a signature that is checked when the block is released. If a buffer overrun destroys the signature entirely or partially, the heap will report this error.
Enable free checking β A free block is filled with a pattern that is checked at various points when the heap manager needs to access the block, such as at removal from the free list to satisfy an allocate request. If the process continues to write to the block after freeing it, the heap manager will detect changes in the pattern and the error will be reported.
Parameter checking β This function consists of extensive checking of the parameters passed to the heap functions.
Heap validation β The entire heap is validated at each heap call.
Heap tagging and stack traces support β This function supports the specification of tags for allocation and/or captures user-mode stack traces for the heap calls to help narrow the possible causes of a heap error.
Enabling heap-debugging options affects all heaps in the process. Also, if any of the heap-debugging options are enabled, the LFH will be disabled automatically and the core heap will be used (with the required debugging options enabled). The LFH is also not used for heaps that are not expandable (because of the extra overhead added to the existing heap structures) or for heaps that do not allow serialization.
Pageheap
Because the tail and free checking options described in the preceding sections might discover corruptions that occurred well before the problem was detected, an additional heap debugging capability, called pageheap, is provided. Pageheap directs all or part of the heap calls to a different heap manager.
You can enable pageheap using the Gflags tool (part of the Debugging Tools for Windows). When enabled, the heap manager places allocations at the end of pages and reserves the page that immediately follows. Because reserved pages are not accessible, any buffer overruns that occur will cause an access violation, making it easier to detect the offending code.
Optionally, pageheap allows for the placement of blocks at the beginning of the pages, with the preceding page reserved, to detect buffer underrun problems (a rare occurrence). Pageheap also can protect freed pages against any access to detect references to heap blocks after they have been freed.
Note that using the pageheap can cause you to run out of address space (in 32-bit processes) because of the significant overhead added for small allocations. Also, performance can suffer due to the increase of references to demand zero pages, loss of locality, and additional overhead caused by frequent calls to validate heap structures. A process can reduce the impact by specifying that the pageheap be used only for blocks of certain sizes, address ranges, and/or originating DLLs.
Fault-tolerant Heap
Microsoft has identified the corruption of heap metadata as one of the most common causes of application failures. Windows includes a feature called the fault-tolerant heap (FTH) to mitigate these problems and to provide better problem-solving resources to application developers.
The FTH is implemented in two primary components:
The detection component (FTH server)
The mitigation component (FTH client)
The detection component is a DLL called Fthsvc.dll that is loaded by the Windows Security Center service (Wscsvc.dll), which in turn runs in one of the shared service processes under the local service account. It is notified of application crashes by the Windows Error Reporting (WER) service.
Suppose an application crashes in Ntdll.dll with an error status indicating either an access violation or a heap-corruption exception. If it is not already on the FTH service's list of watched applications, the service creates a "ticket" for the application to hold the FTH data. If the application subsequently crashes more than four times in an hour, the FTH service configures the application to use the FTH client in the future.
The FTH client is an application-compatibility shim. This mechanism has been used since Windows XP to allow applications that depend on a particular behavior of older Windows systems to run on later systems. In this case, the shim mechanism intercepts the calls to the heap routines and redirects them to its own code. The FTH code implements numerous mitigations that attempt to allow the application to survive despite various heap-related errors.
For example, to protect against small buffer overrun errors, the FTH adds 8 bytes of padding and an FTH reserved area to each allocation. To address a common scenario in which a block of heap is accessed after it is freed,
HeapFreecalls are implemented only after a delay. "Freed" blocks are put on a list, and freed only when the total size of the blocks on the list exceeds 4 MB. Attempts to free regions that are not actually part of the heap, or not part of the heap identified by the heap handle argument toHeapFree, are simply ignored. In addition, no blocks are actually freed once exit orRtlExitUserProcesshas been called.The FTH server continues to monitor the failure rate of the application after the mitigations have been installed. If the failure rate does not improve, the mitigations are removed. The FTH does not normally operate on services, and it is disabled on Windows server systems for performance reasons. A system administrator can manually apply the shim to an application or service executable by using the Application Compatibility Toolkit.
Last updated