Reading Windows® Internals, Sixth Edition, Part 2 in full

To view the same information by using the kernel debugger, you can use the !vm command as shown here:

    kd> !vm
    1: kd> !vm
    *** Virtual Memory Usage ***
    Physical Memory:        851757 (   3407028 Kb)
    Page File: \??\C:\pagefile.sys
      Current:   3407028 Kb  Free Space:   3407024 Kb
      Minimum:   3407028 Kb  Maximum:      4193280 Kb
    Available Pages:        699186 (   2796744 Kb)
    ResAvail Pages:         757454 (   3029816 Kb)
    Locked IO Pages:             0 (         0 Kb)
    Free System PTEs:       370673 (   1482692 Kb)
    Modified Pages:           9799 (     39196 Kb)
    Modified PF Pages:        9798 (     39192 Kb)
    NonPagedPool Usage:          0 (         0 Kb)
    NonPagedPoolNx Usage:     8735 (     34940 Kb)
    NonPagedPool Max:       522368 (   2089472 Kb)
    PagedPool 0 Usage:       17573 (     70292 Kb)
    PagedPool 1 Usage:        2417 (      9668 Kb)
    PagedPool 2 Usage:           0 (         0 Kb)
    PagedPool 3 Usage:           0 (         0 Kb)
    PagedPool 4 Usage:          28 (       112 Kb)
    PagedPool Usage:         20018 (     80072 Kb)
    PagedPool Maximum:      523264 (   2093056 Kb)
    ...

On this 4-GB, 32-bit system, nonpaged and paged pool were far from their maximums.

You can also examine the values of the kernel variables listed in Table 10-5. The following were taken from a 32-bit system:

    lkd> ? poi(MmMaximumNonPagedPoolInBytes)
    Evaluate expression: 2139619328 = 7f880000
    lkd> ? poi(MmSizeOfPagedPoolInBytes)
    Evaluate expression: 2143289344 = 7fc00000

From this example, you can see that the maximum size of both nonpaged and paged pool is approximately 2 GB, typical values on 32-bit systems with large amounts of RAM. On the system used for this example, current nonpaged pool usage was 35 MB and paged pool usage was 80 MB, so both pools were far from full.
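The headroom check described above can be scripted against saved !vm output, which is useful when watching for a driver that is slowly exhausting a pool. The following is an added example, not code from the book; the function names and the 80 percent warning threshold are assumptions, as is treating nonpaged usage as the NonPagedPool and NonPagedPoolNx counters added together (on this system that gives the 35 MB cited in the text).

```python
import re

# Pool-related lines copied from the !vm output shown above.
VM_OUTPUT = """\
NonPagedPool Usage:          0 (         0 Kb)
NonPagedPoolNx Usage:     8735 (     34940 Kb)
NonPagedPool Max:       522368 (   2089472 Kb)
PagedPool 0 Usage:       17573 (     70292 Kb)
PagedPool 1 Usage:        2417 (      9668 Kb)
PagedPool 2 Usage:           0 (         0 Kb)
PagedPool 3 Usage:           0 (         0 Kb)
PagedPool 4 Usage:          28 (       112 Kb)
PagedPool Usage:         20018 (     80072 Kb)
PagedPool Maximum:      523264 (   2093056 Kb)
"""

# Matches lines of the form "Name:   <pages> ( <kilobytes> Kb)".
LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z][\w ]*?):\s+(?P<pages>\d+)\s+\(\s*(?P<kb>\d+)\s*Kb\)",
    re.M,
)

def parse_vm(text):
    """Return {counter name: (pages, kilobytes)} for each counter line."""
    return {m["name"]: (int(m["pages"]), int(m["kb"])) for m in LINE.finditer(text)}

def pool_report(text, warn_pct=80.0):
    """Compute pool usage as a percentage of each pool's maximum."""
    c = parse_vm(text)
    # Assumption: total nonpaged usage = executable pool + no-execute (Nx) pool.
    nonpaged_kb = c["NonPagedPool Usage"][1] + c.get("NonPagedPoolNx Usage", (0, 0))[1]
    paged_kb = c["PagedPool Usage"][1]
    # Cross-check: the per-pool paged counters should add up to the total.
    per_pool = sum(p for n, (p, _) in c.items()
                   if re.fullmatch(r"PagedPool \d+ Usage", n))
    report = {
        "nonpaged_pct": 100.0 * nonpaged_kb / c["NonPagedPool Max"][1],
        "paged_pct": 100.0 * paged_kb / c["PagedPool Maximum"][1],
        "paged_sum_ok": per_pool == c["PagedPool Usage"][0],
    }
    # Pools at or above the threshold deserve a closer look with Poolmon.
    report["warn"] = [k for k in ("nonpaged_pct", "paged_pct") if report[k] >= warn_pct]
    return report

if __name__ == "__main__":
    print(pool_report(VM_OUTPUT))
```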

Monitoring Pool Usage

The Memory performance counter object has separate counters for the size of nonpaged pool and paged pool (both virtual and physical). In addition, the Poolmon utility (in the WDK) allows you to monitor the detailed usage of nonpaged and paged pool. When you run Poolmon, you should see a display like the one shown in Figure 10-6.

Figure 10-6. Poolmon output

The highlighted lines you might see represent changes to the display. (You can disable the highlighting feature by typing a slash (/) while running Poolmon. Type / again to reenable highlighting.) Type ? while Poolmon is running to bring up its help screen. You can configure which pools you want to monitor (paged, nonpaged, or both) and the sort order. For example, by pressing the P key until only nonpaged allocations are shown, and then the D key to sort by the Diff (differences) column, you can find out what kind of structures are most numerous in nonpaged pool. Also, the command-line options are shown, which allow you to monitor specific tags (or every tag but one tag). For example, the command poolmon -iCM will monitor only CM tags (allocations from the configuration manager, which manages the registry). The columns have the meanings shown in Table 10-6.

Table 10-6. Poolmon Columns

| Column | Explanation |
|---|---|
| Tag | Four-byte tag given to the pool allocation |
| Type | Pool type (paged or nonpaged pool) |
| Allocs | Count of all allocations (The number in parentheses shows the difference in the Allocs column since the last update.) |
| Frees | Count of all Frees (The number in parentheses shows the difference in the Frees column since the last update.) |
| Diff | Count of Allocs minus Frees |
| Bytes | Total bytes consumed by this tag (The number in parentheses shows the difference in the Bytes column since the last update.) |
| Per Alloc | Size in bytes of a single instance of this tag |

For a description of the meaning of the pool tags used by Windows, see the file \Program Files\Debugging Tools for Windows\Triage\Pooltag.txt. (This file is installed as part of the Debugging Tools for Windows, described in Chapter 1 in Part 1.) Because third-party device driver pool tags are not listed in this file, you can use the -c switch on the 32-bit version of Poolmon that comes with the WDK to generate a local pool tag file (Localtag.txt). This file will contain pool tags used by drivers found on your system, including third-party drivers. (Note that if a device driver binary has been deleted after it was loaded, its pool tags will not be recognized.)

Alternatively, you can search the device drivers on your system for a pool tag by using the Strings.exe tool from Sysinternals. For example, the command

    strings %SYSTEMROOT%\system32\drivers\*.sys | findstr /i "abcd"
