Microsoft KB Archive/129599

{|
 * width="100%"|

How To Examine the Use of Process Memory Under Win32s

 * }

Q129599

-

The information in this article applies to:


 * Microsoft Win32s versions 1.2, 1.3, 1.30a, 1.3c

-

SUMMARY
Under Windows, tools such as HeapWalk and PWalk can be used to examine memory use of 16-bit code. However, these tools cannot be used to look at memory use of 32-bit code. This article discusses how to look at process memory use under Win32s.

MORE INFORMATION
If you run the debug version of Win32s and kernel debugger WDEB386, you can break into the debugger at any point by pressing CTRL+C and using debug information from the Win32s VxD. Use the command .w32s to get the list of information types available.

  #.w32s W32S debug routines:

A - General Info B - Print Free LS ranges C - Print RRD & Section lists D - Print Modules list E - Toggle SwapOut trace F - Toggle PageFault trace G - Count present alias pages H - List RRD Commit List I - Toggle Virtual Alloc/Free trace J - Toggle Mapped Section trace K - List Locked Pages [ESC] Exit W32S Debug Routines Option C gives you information about the sparse memory usage.

The memory for .EXE and .DLL files is allocated in the sparse memory. Here's an example printout using option C:

RRD List: Index     Start      Size       Owner      #Commits   CommSize   #PresPg 00000000  87AA0000   0000E000   00000000   - VIEW -   - VIEW -   - VIEW - 00000001  87A90000   00001000   00001F37   00000001   00001000   00000001 00000002  87A50000   00040000   00000000   00000000   00000000   00000000 00000003  87A40000   00002000   00000000   - VIEW -   - VIEW -   - VIEW - 00000004  87A30000   00009000   00000000   - VIEW -   - VIEW -   - VIEW - 00000005  87A20000   00002000   00000000   - VIEW -   - VIEW -   - VIEW - 00000006  87A10000   00002000   00000000   - VIEW -   - VIEW -   - VIEW - 00000007  87910000   00100000   00001F37   00000001   00001000   00000001 00000008  878F0000   00020000   00001F37   00000001   00020000   00000002 00000009  878C0000   00021000   00001F37   00000001   00021000   00000001 0000000A  878B0000   00005000   00000000   00000001   00005000   00000005 0000000B  87860000   00043000   00000000   00000001   00043000   00000031 0000000C  87830000   0002D000   00000000   00000001   0002D000   0000000C 0000000D  87810000   00011000   00000000   00000001   00011000   0000000E 0000000E  80869000   00001000   00001F37   00000001   00001000   00000000 0000000F  87800000   00002000   00001F37   00000001   00002000   00000001 00000010  80635000   00001000   00001F37   00000001   00001000   00000000

========                        ========   ========

Total                00229000                         000CD000   00000056

Sections List: SecIndex  hFile      SecSize    #Ref       #Views     CommSize   #PresPg 00000001  00000004   00002000   00000000   00000001   00002000   00000001 00000002   00000005   00002000   00000000   00000001   00002000   00000001 00000003   00000006   00009000   00000000   00000001   00009000   00000003 00000004   00000007   00002000   00000000   00000001   00002000   00000001 00000005   00000008   0000E000   00000000   00000001   0000E000   00000001

========                        ========   ========

Total                0001D000                         0001D000   00000007

G. Total                                              000EA000   0000005D The Size column contains the reserved size and the CommSize column contains the committed size. The addresses are zero-based (ring 0), not based on 0xffff0000 (ring 3). Therefore, you must add 0x10000 to the addresses you see in the list in order to get the ring 3 addresses.

Option D gives you the list of modules and where they reside in memory. These addresses are zero-based addresses as well, as is any information that you get from the VxD.

Another way to get information indicating where things are placed in memory is to set the verbose loader flag (0x20) in the Win32sDebug variable in the [386Enh] section of the SYSTEM.INI file.

NOTE: Do not add the 0x, just write Win32sDebug=20. The loader then will print in the debug terminal information about each loaded module. For example:

Open file D:\WIN32APP\FREECELL\FREECELL.EXE in mode 0xa0 LELDR: allocating 0x11000 LELDR: Module D:\WIN32APP\FREECELL\FREECELL.EXE [1] loaded at 0x87820000 LELDR: obj 1 loaded @ 0x87821000, 0x   5c00 bytes   .text,flags=0x60000020 LELDR: obj 2 loaded @ 0x87827000, 0x      0 bytes    .bss,flags=0xc0000080 LELDR: obj 3 loaded @ 0x87828000, 0x    200 bytes  .rdata,flags=0x40000040 LELDR: obj 4 loaded @ 0x87829000, 0x    a00 bytes   .data,flags=0xc0000040 LELDR: obj 5 loaded @ 0x8782a000, 0x   2400 bytes   .rsrc,flags=0x40000040 LELDR: obj 6 loaded @ 0x8782d000, 0x    200 bytes    .CRT,flags=0xc0000040 LELDR: obj 7 loaded @ 0x8782e000, 0x    a00 bytes  .idata,flags=0x40000040 LELDR: obj 8 loaded @ 0x8782f000, 0x   1e00 bytes  .reloc,flags=0x42000040 File D:\WIN32APP\FREECELL\FREECELL.EXE is closed The addresses here are ring 3 addresses.