The QueryWorkingSet function retrieves information about the pages currently added to the working set of the specified process.
BOOL QueryWorkingSet(
HANDLE hProcess, // handle to the process
PVOID pv, // buffer that receives the information
DWORD cb // size of the buffer
);
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
The return buffer consists of a variable number of DWORD values. The first DWORD contains the number of valid DWORD values that follow it in the buffer. Each remaining DWORD represents one page in the process working set, and is composed of an address combined with various flag values.
To decode these DWORD values, it is necessary to split the high 20 bits from the low 12 bits. The high 20 bits (obtained by using a bitwise AND operator with 0xFFFFF000) contain the address of a page of memory loaded into the specified process. The bottom 12 bits are flag values that can be interpreted as follows.
| Value | Meaning |
|---|---|
| 0x001 | The page is read-only (if bit 0x004 is not set). |
| 0x002 | The page is executable (code). |
| 0x004 | The page is read/write (if bit 0x001 is not set). |
| 0x005 | The page is copy-on-write (bits 0x001 and 0x004 are both set). |
| 0x100 | The page can be shared across processes. |
For example, consider the following DWORD values:
0x00000003
0x00400103
0x00480101
0x00500004
Breaking apart the bits, these DWORD values can be interpreted as follows:
| 0x00000003 | There are three DWORD values to follow. |
| 0x00400103 | The page at address 0x00400000 has read-only, executable, and shared access. |
| 0x00480101 | The page at address 0x00480000 has read-only and shared access. |
| 0x00500004 | The page at address 0x00500000 has read/write access. |
Windows NT Alpha: Split the high 19 bits from the low 13 bits, because pages are 8 KB in size, whereas pages are 4 KB in size on an x86 computer.
Process Status Helper Overview, PSAPI Functions, EnumProcesses