How To Examine the Use of Process Memory Under Win32s

ID: Q129599

The information in this article applies to:

Microsoft Win32s versions 1.2, 1.3, 1.30a, 1.3c

SUMMARY

Under Windows, tools such as HeapWalk and PWalk can be used to examine memory use of 16-bit code. However, these tools cannot be used to look at memory use of 32-bit code. This article discusses how to look at process memory use under Win32s.

MORE INFORMATION

If you run the debug version of Win32s and kernel debugger WDEB386, you can break into the debugger at any point by pressing CTRL+C and using debug information from the Win32s VxD. Use the command .w32s to get the list of information types available.


   #.w32s
   W32S debug routines:

   A - General Info
   B - Print Free LS ranges
   C - Print RRD &amp; Section lists
   D - Print Modules list
   E - Toggle SwapOut trace
   F - Toggle PageFault trace
   G - Count present alias pages
   H - List RRD Commit List
   I - Toggle Virtual Alloc/Free trace
   J - Toggle Mapped Section trace
   K - List Locked Pages
   [ESC] Exit W32S Debug Routines

Option C gives you information about the sparse memory usage.

The memory for .EXE and .DLL files is allocated in the sparse memory. Here's an example printout using option C:


RRD List:
Index      Start      Size       Owner      #Commits   CommSize   #PresPg
00000000   87AA0000   0000E000   00000000   - VIEW -   - VIEW -   - VIEW -
00000001   87A90000   00001000   00001F37   00000001   00001000   00000001
00000002   87A50000   00040000   00000000   00000000   00000000   00000000
00000003   87A40000   00002000   00000000   - VIEW -   - VIEW -   - VIEW -
00000004   87A30000   00009000   00000000   - VIEW -   - VIEW -   - VIEW -
00000005   87A20000   00002000   00000000   - VIEW -   - VIEW -   - VIEW -
00000006   87A10000   00002000   00000000   - VIEW -   - VIEW -   - VIEW -
00000007   87910000   00100000   00001F37   00000001   00001000   00000001
00000008   878F0000   00020000   00001F37   00000001   00020000   00000002
00000009   878C0000   00021000   00001F37   00000001   00021000   00000001
0000000A   878B0000   00005000   00000000   00000001   00005000   00000005
0000000B   87860000   00043000   00000000   00000001   00043000   00000031
0000000C   87830000   0002D000   00000000   00000001   0002D000   0000000C
0000000D   87810000   00011000   00000000   00000001   00011000   0000000E
0000000E   80869000   00001000   00001F37   00000001   00001000   00000000
0000000F   87800000   00002000   00001F37   00000001   00002000   00000001
00000010   80635000   00001000   00001F37   00000001   00001000   00000000

                      ========                         ========   ========

Total                 00229000                         000CD000   00000056

Sections List:
SecIndex   hFile      SecSize    #Ref       #Views     CommSize   #PresPg
00000001   00000004   00002000   00000000   00000001   00002000   00000001
00000002   00000005   00002000   00000000   00000001   00002000   00000001
00000003   00000006   00009000   00000000   00000001   00009000   00000003
00000004   00000007   00002000   00000000   00000001   00002000   00000001
00000005   00000008   0000E000   00000000   00000001   0000E000   00000001

                      ========                         ========   ========

Total                 0001D000                         0001D000   00000007

G. Total                                               000EA000   0000005D

The Size column contains the reserved size and the CommSize column contains the committed size. The addresses are zero-based (ring 0), not based on 0xffff0000 (ring 3). Therefore, you must add 0x10000 to the addresses you see in the list in order to get the ring 3 addresses.

Option D gives you the list of modules and where they reside in memory. These addresses are zero-based addresses as well, as is any information that you get from the VxD.

Another way to get information indicating where things are placed in memory is to set the verbose loader flag (0x20) in the Win32sDebug variable in the [386Enh] section of the SYSTEM.INI file.

NOTE: Do not add the 0x, just write Win32sDebug=20. The loader then will print in the debug terminal information about each loaded module. For example:


Open file D:\WIN32APP\FREECELL\FREECELL.EXE in mode 0xa0
LELDR: allocating 0x11000
LELDR: Module D:\WIN32APP\FREECELL\FREECELL.EXE [1] loaded at 0x87820000
LELDR: obj  1 loaded @ 0x87821000, 0x   5c00 bytes   .text,flags=0x60000020
LELDR: obj  2 loaded @ 0x87827000, 0x      0 bytes    .bss,flags=0xc0000080
LELDR: obj  3 loaded @ 0x87828000, 0x    200 bytes  .rdata,flags=0x40000040
LELDR: obj  4 loaded @ 0x87829000, 0x    a00 bytes   .data,flags=0xc0000040
LELDR: obj  5 loaded @ 0x8782a000, 0x   2400 bytes   .rsrc,flags=0x40000040
LELDR: obj  6 loaded @ 0x8782d000, 0x    200 bytes    .CRT,flags=0xc0000040
LELDR: obj  7 loaded @ 0x8782e000, 0x    a00 bytes  .idata,flags=0x40000040
LELDR: obj  8 loaded @ 0x8782f000, 0x   1e00 bytes  .reloc,flags=0x42000040
File D:\WIN32APP\FREECELL\FREECELL.EXE is closed

The addresses here are ring 3 addresses.

REFERENCES

Please see the "Win32s Programmer's Reference" included in the Win32 SDK for more information about the debugging features. This information is not included in the version of the Win32s documentation distributed with Visual C++.

Additional query words: 1.20

Keywords : kbWin32s
Version : WINDOWS:1.2,1.3,1.30a,1.3c
Platform : WINDOWS
Issue type :