Originally, I wanted to write about Sysinternals and its use for analyzing Windows OS architecture. While writing I realized that I have covered Windows memory management. Hence, we will cover it in current blog.
Windows Memory Management:
To under this, we will check some fundamental concepts of memory.
Virtual Memory: Today’s operating systems works in such a way that, process running on Computer feels like it is the only process running on system. Process will get 2^x bytes of virtual memory, where x is physical bits available to the processor. For our series, we are considering 64 bit Intel processors, hence the target Virtual Address space is roughly 2^64 bytes. However, normal workstations do not have this amount of physical memory (i.e. RAM), due to hardware limitations. This is where Memory Mapping (Address Translation) and Paging comes is picture.
This can imply that OS makes sure that Process runs correctly, independent of state of underlying hardware. When the size of all running processes is greater than available physical memory, OS will allocate load processes sequentially on physical memory, wait for process execution and allocate new process and this goes on.
Paging: Now to address the gap between Virtual and Physical memory, OS (Memory manager) deploys something called Paging. It is chopping off large memory into certain sized chunks called Pages. Page is the smallest level of granularity available at hardware level. Based on the sizes, Windows supports small and large pages. They are listed below:
|Architecture||Small Page Size||Large Page Size||Small pages per Large Page|
There are two types of paging techniques which can be employed by OS:
- Disc Paging: In this computer physical memory (RAM) is extended with Page file, which is stored on HDD/SSD and processor view it as non-volatile RAM. When there is no enough RAM to allocate new process, Memory manager will move data from RAM to this file (pagefile.sys). Downside of this scheme is accessing data from pagefile.sys degrades system performance. Hence this technique is only used when physical memory is really limited. With systems with RAM ≥ 4GB, use of pagefile.sys is limited to caching pre-fetched data.
- Demand Paging: In this scheme, process is segmented process into smaller tasks. Only the threads related to these tasks are loaded to the memory instead of entire process.
Address Translation: Mapping virtual address to physical address is known as Address translation mechanism. This is done by Memory manager with the help of translation tables known as Page tables. Operating system maintains Page tables, containing virtual address pages and their cross- reference to physical memory address. The CPU incorporates a hardware logic to sequentially generate the same virtual addresses and gives it to its own Memory Management Unit (MMU), which refers to the Page Table and locates the physical address where the instruction is stored.
Virtual memory manager manages the memory requests made by all processes. The VMM allocates consecutive address in the virtual memory in units called Page, to each process which must run. Initially each Page is initialized with the storage locations of the process files on hard disc which are subsequently replaced by the physical memory addresses once the process files are loaded to memory. This allows an operating system to provide an address space to all processes in the virtual memory, irrespective of the size of physical memory available.
The mapping of a Virtual Page to Physical memory occurs in units called Page frame which are of the same size of the Page and formed by consecutive bytes in physical memory. However, while Pages are continuous in Virtual memory, the corresponding Page frames are randomly distributed in Physical memory. A Page frame is an array of memory bytes and is essentially a higher unit of memory size, appropriate for allocating to processes. The collection of all page frames of a process comprises its Working Set.
Thus the operating system maintains a Page Table for each process, containing the process pages in virtual memory mapped either to its page frame in physical memory or initialized to the page location on hard disc. Page Tables of all running processes are created on the physical memory at system start.
Translation Lookaside Buffer (TLB): TLB is the cache used by modern CPUs to improve performance of Virtual to Physical address translation. MMU caches last few translations in this. When CPU’s Memory Management Unit (MMU) needs read page from Page Table, it will first check TLB by default. If it is found, then it’s called TLB Hit. If not, then MMU scans Page Table (process known as page walk) to find the page, copies found page to TLB and then reads it. This is called TLB Miss. If page not found in Page table, then Page Fault occurs and Virtual to Physical mapping entry get created in Page Table.
Memory Pools: Memory manager creates two type of memory pools that system uses to allocate memory.
Non-paged pool: It consists of virtual memory addresses that guaranteed to reside in physical memory as long as the corresponding kernel objects are allocated.
Paged Pool: The paged pool consists of virtual memory that can be paged in and out of the system.
Both memory pools are in the region of the address space that is reserved for the system and mapped into the virtual address space of each process. To improve performance, systems with a single processor have three paged pools, and multiprocessor systems have five paged pools.
Segmentation: It is memory addressing technique in which programs would be loaded into physical memory in segments at fixed location. The Segments started from the lowest address in Code (Text) segment, followed by Data segment, then the Heap segment and the finally the Stack segment at the top address, with a Free memory segment located between Heap and Stack both of which can grow into the Free segment.
The virtual address space of a process is defined in a Segment Table held in associative memory within CPU by a Segment Table Base Register (STBR). The Segment Table contains a fixed set of Segment Numbers as virtual addresses with corresponding physical address specified by Segment Base, Limit and Segment Protection Information.
Note: While writing this blog, I realized that Windows Memory management is vast (and complex) and I cannot cover it in this humble blogpost. So, I have decided to conclude the blogpost now. Instead I have left some links in reference section for further reading. In next blog, we will explore Sysinternals and its use for process analysis.
- x64 Address Translation: https://dzone.com/articles/exercise-virtual-physical
- File Mapping: https://docs.microsoft.com/en-us/windows/desktop/memory/file-mapping
- Windows 10 Virtual and Physical Memory : https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/physical-and-virtual-memory-in-windows-10/e36fb5bc-9ac8-49af-951c-e7d39b979938
- Virtual to Physical Address Translation: 1 2 3 4