内存电脑提示虚拟内存不足

电脑提示虚拟内存不足时间:2021-01-19 阅读:()

Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-1-WinDbgWinDbgWinDbgWinDbg内核调试常用命令(2)(2)(2)(2)接上一章继续介绍内核调试下的常用命令,这一章主要涉及内存相关、对象相关、驱动设备相关以及蓝屏Dump相关命令.
介绍每个命令的主要作用,以及常用方式,不会涉及详细的命令参数,目的是能快速上手熟悉内核调试下的常用操作,而不是替代帮助文件.
内存相关内存相关内存相关内存相关内存操作应该是调试最常用的,比如查看内存、修改内存等.
本节介绍内核模式下常用的内存操作命令,大部分是内核模式下特有的命令,诸如db/eb/dt/s等基本内存命令则不会介绍.
!
address!
address!
address!
address!
address命令显示内存信息,如内存范围、内存权限等.
这条命令在用户模式下也能用,而且显示的信息比较丰富.
!
address命令不带参数时,显示所有内存信息.
Usage表示内存用途,如内核映像、非分页内存、内核栈、会话空间等.
通过Usage就能大概了解某段内存的kd>!
address80800000-0026b000UsageKernelSpaceUsageImageImageNamentoskrnl.
exe80a6b000-0001f000UsageKernelSpaceUsageImageImageNamehalacpi.
dll.
.
.
.
.
.
f51d9000-00005000UsageKernelSpaceUsageKernelStackKernelStack81827020:340.
7ac.
.
.
.
.
.
f894f000-00002000UsageKernelSpaceUsageImageImageNameswenum.
sysf8951000-00256000UsageKernelSpaceUsageNonPagedSystemf8ba8000-07038000UsageKernelSpaceUsageNonPagedPoolExpansionWindows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-2-使用情况,也为进一步分析内存指明了方向.
!
addressxxxxxxxx显示指定地址的内存信息.
!
vm!
vm!
vm!
vm!
vm命令显示虚拟内存信息,查看当前虚拟内存状况、检查虚拟内存耗尽时都非常有用.

!
vm4显示基本内存信息、进程虚拟内存、会话空间内存信息.
kd>xwin32k!
NtUserCreateWindowExbf8a8779win32k!
NtUserCreateWindowEx=kd>!
addressbf8a8779bf800000-001cf000UsageKernelSpaceUsageImageImageName\SystemRoot\System32\win32k.
syskd>!
vm4***VirtualMemoryUsage***PhysicalMemory:130938(523752Kb)PageFile:\\C:\pagefile.
sysCurrent:786432KbFreeSpace:780020KbMinimum:786432KbMaximum:1572864KbAvailablePages:105581(422324Kb)ResAvailPages:98280(393120Kb)LockedIOPages:80(320Kb)FreeSystemPTEs:54462(217848Kb)FreeNPPTEs:28726(114904Kb)FreeSpecialNP:0(0Kb)ModifiedPages:148(592Kb)ModifiedPFPages:148(592Kb)NonPagedPoolUsage:1878(7512Kb)NonPagedPoolMax:32055(128220Kb)PagedPool0Usage:1416(5664Kb)PagedPool1Usage:365(1460Kb)PagedPool2Usage:376(1504Kb)PagedPoolUsage:2157(8628Kb)PagedPoolMaximum:64512(258048Kb)SharedCommit:940(3760Kb)SpecialPool:0(0Kb)SharedProcess:1644(6576Kb)PagedPoolCommit:2161(8644Kb)DriverCommit:1295(5180Kb)Committedpages:20930(83720Kb)Commitlimit:321906(1287624Kb)TotalPrivate:13733(54932Kb)0340SVCHOST.
EXE3395(13580Kb)Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-3-其中基本内存信息部分,包括物理内存大小、页文件大小、分页内存大小、非分页内存大小等,按页面数和KB数显示.
如果驱动分配非分页内存失败,则可以检查当前的非分页内存使用情况,看当前值是不是接近最大值,所以导致分配失败.
在进程虚拟内存部分,按进程占用内存量从大到小往下排列,很容易看出最大内存占用的进程.
最后一部分是会话空间内存信息,显示每个会话的内存情况.
创建窗口、设置消息钩子等都会占用这块内存,如果创建窗口失败,则可以检查一下这块内存使用量是不是达到了最大值.
!
memusage!
memusage!
memusage!
memusage!
memusage命令显示物理内存信息.
主要是通过统计PFN数据库信息,得到物理内存的情况.
PFN(PageFrameNumber)表示页面帧编号,PFN数据库用来描述每个物理内存页的状态.
!
memusage8显示不同类型页面的大小.
019cWINLOGON.
EXE1686(6744Kb)0678Explorer.
EXE1684(6736Kb)01d4LSASS.
EXE1672(6688Kb)0308SVCHOST.
EXE870(3480Kb)03b8SPOOLSV.
EXE814(3256Kb)07b4WMIPRVSE.
EXE463(1852Kb)03f8MSDTC.
EXE396(1584Kb)0184CSRSS.
EXE385(1540Kb)0578SVCHOST.
EXE358(1432Kb)01c8SERVICES.
EXE354(1416Kb)06dcvmusrvc.
exe264(1056Kb)0320SVCHOST.
EXE263(1052Kb)02d0SVCHOST.
EXE263(1052Kb)0450VMSRVC.
EXE228(912Kb)0290SVCHOST.
EXE210(840Kb)0470SVCHOST.
EXE135(540Kb)06f0ctfmon.
exe126(504Kb)04e0SVCHOST.
EXE67(268Kb)0518VPCMAP.
EXE58(232Kb)014cSMSS.
EXE35(140Kb)0004System7(28Kb)TerminalServerMemoryUsageBySession:SessionPagedPoolMaximumis4096KSessionViewSpaceMaximumis49152KSessionID0@f8953000:PagedPoolUsage:0KCommitUsage:344Klkd>!
memusage8loadingPFNdatabaseloading(100%complete)Compilingmemoryusagedata(99%Complete).
Zeroed:1(4kb)Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-4-!
memusage命令显示更加详细的信息,包括页面对应的磁盘文件等.
Free:25(100kb)Standby:167451(669804kb)Modified:9709(38836kb)ModifiedNoWrite:32(128kb)Active/Valid:344756(1379024kb)Transition:2088(8352kb)Bad:0(0kb)Unknown:0(0kb)TOTAL:524062(2096248kb)lkd>!
memusageloadingPFNdatabaseloading(100%complete)Compilingmemoryusagedata(99%Complete).
Zeroed:0(0kb)Free:69(276kb)Standby:134832(539328kb)Modified:7863(31452kb)ModifiedNoWrite:15(60kb)Active/Valid:379194(1516776kb)Transition:2089(8356kb)Bad:0(0kb)Unknown:0(0kb)TOTAL:524062(2096248kb)BuildingkernelmapFinishedbuildingkernelmapScanningPFNdatabase-(100%complete)UsageSummary(inKb):ControlValidStandbyDirtySharedLockedPageTablesnameffffedcb567948724007240AWE845ca22845608829040000mapped_file(002.
part)869aebd0788372038800mapped_file(GdiPlus.
dll)85160d30318041011880000mapped_file(004.
part)84d5a32042504961840000mapped_file(003.
part)851fdd483260145280000mapped_file(001.
part)85cd26f01132153800000mapped_file($LogFile)86e5ca28010800000mapped_file(cimwin32.
dll)864669580240000mapped_file(vqqsdl.
dll)8475cae804920000mapped_file(msvcr90.
dll).
.
.
.
.
.
2400-----0-----driver(vmnetuserif.
sys)2400-----0-----driver(vstor2.
sys)4000-----0-----driver(cdfs.
sys)16800-----0-----driver(udfs.
sys)Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-5-!
pte!
pte!
pte!
pte!
pte命令显示指定地址对应的页表项(PTE)和页目录项(PDE).
显示地址是否有效,或者转换物理地址时经常用到.
分别显示了一个用户态地址对应的PTE和一个内核态地址对应的PTE,从输出来看,两个地址都有效(V),一个是用户态(U),一个是内核态(K).
!
pfn!
pfn!
pfn!
pfn!
pfn命令显示物理内存页的详细信息,指定页面帧编号为参数.
1600-----0-----driver(PROCEXP113.
SYS)1600-----0-----driver(VlkdKnl.
sys)800-----0-----driver(kldbgdrv.
sys)194736013120-----167956(PagedPool)597201276-----0204(KernelStacks)5456800-----04(NonPagedPool)Summary1632484544292378641052962563224444Totalkd>!
process00notepad.
exePROCESS81ddb3e0SessionId:0Cid:016cPeb:7ffd7000ParentCid:0678DirBase:1fc63000ObjectTable:e1a30860HandleCount:43.
Image:notepad.
exekd>.
process/i81ddb3e0Youneedtocontinueexecution(press'g')forthecontexttobeswitched.
Whenthedebuggerbreaksinagain,youwillbeinthenewprocesscontext.
kd>gBreakinstructionexception-code80000003(firstchance)nt!
RtlpBreakWithStatusInstruction:8081d97eint3kd>!
pte1000000VA01000000PDEatC0300010PTEatC0004000contains069FC067contains15B62025pfn69fc---DA--UWEVpfn15b62----A--UREVkd>xwin32k!
NtUserCreateWindowExbf8a8779win32k!
NtUserCreateWindowEx=kd>!
ptebf8a8779VAbf8a8779PDEatC0300BF8PTEatC02FE2A0contains1C59D063contains1E211021pfn1c59d---DA--KWEVpfn1e211----A--KREVkd>xwin32k!
NtUserCreateWindowExWindows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-6-!
db!
db!
db!
db和!
eb!
eb!
eb!
eb!
db/!
eb命令用来显示、修改物理内存,类似的还有!
dd/!
dc/!
dq/!
ed等.
bf8a8779win32k!
NtUserCreateWindowEx=kd>!
ptebf8a8779VAbf8a8779PDEatC0300BF8PTEatC02FE2A0contains1C59D063contains1E211021pfn1c59d---DA--KWEVpfn1e211----A--KREVkd>!
pfn1e211PFN0001E211ataddress812D3198flink0000015Eblink/sharecount00000001pteaddressE13CE2E0referencecount0001Cachedcolor0restorepte8BC6A460containingpage01E71FActivePSharedkd>!
process00notepad.
exePROCESS81eb91d8SessionId:0Cid:0174Peb:7ffdf000ParentCid:0674DirBase:00075000ObjectTable:e1650888HandleCount:41.
Image:notepad.
exekd>.
process/i81eb91d8Youneedtocontinueexecution(press'g')forthecontexttobeswitched.
Whenthedebuggerbreaksinagain,youwillbeinthenewprocesscontext.
kd>gBreakinstructionexception-code80000003(firstchance)nt!
RtlpBreakWithStatusInstruction:8081d97eint3kd>db1000000l100010000004d5a900003000000-04000000ffff0000MZ.
01000010b800000000000000-4000000000000000010000200000000000000000-0000000000000000010000300000000000000000-00000000e8000000010000400e1fba0e00b409cd-21b8014ccd215468L.
!
Th0100005069732070726f6772-616d2063616e6e6fisprogramcanno01000060742062652072756e-20696e20444f5320tberuninDOS010000706d6f64652e0d0d0a-2400000000000000mode.
01000080ec855bbda8e435ee-a8e435eea8e435ee.
.
[.
.
.
5.
.
.
5.
.
.
5.
010000906beb3aeea9e435ee-6beb55eea9e435eek.
:.
.
.
5.
k.
U.
.
.
5.
010000a06beb68eebbe435ee-a8e434ee62e435eek.
h.
.
.
5.
.
.
4.
b.
5.
010000b06beb6aeebfe435ee-6beb6beea9e435eek.
j.
.
.
5.
k.
k.
.
.
5.
010000c06beb6feea9e435ee-52696368a8e435eek.
o.
.
.
5.
Rich.
.
5.
010000d00000000000000000-0000000000000000010000e00000000000000000-504500004c010300.
.
.
.
.
.
.
.
PE.
.
L.
.
.
010000f09a5b434200000000-00000000e0000f01.
[CB.
Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-7-!
pool!
pool!
pool!
pool!
pool命令显示内核内存池信息.
!
poolxxxxxxxx显示指定内存的信息.
kd>!
pte1000000VA01000000PDEatC0300010PTEatC0004000contains00DFC067contains19D34025pfndfc---DA--UWEVpfn19d34----A--UREVkd>!
db19d34000#19d340004d5a900003000000-04000000ffff0000MZ.
#19d34010b800000000000000-4000000000000000#19d340200000000000000000-0000000000000000#19d340300000000000000000-00000000e8000000#19d340400e1fba0e00b409cd-21b8014ccd215468L.
!
Th#19d3405069732070726f6772-616d2063616e6e6fisprogramcanno#19d34060742062652072756e-20696e20444f5320tberuninDOS#19d340706d6f64652e0d0d0a-2400000000000000mode.
kd>!
db19d34080#19d34080ec855bbda8e435ee-a8e435eea8e435ee.
.
[.
.
.
5.
.
.
5.
.
.
5.
#19d340906beb3aeea9e435ee-6beb55eea9e435eek.
:.
.
.
5.
k.
U.
.
.
5.
#19d340a06beb68eebbe435ee-a8e434ee62e435eek.
h.
.
.
5.
.
.
4.
b.
5.
#19d340b06beb6aeebfe435ee-6beb6beea9e435eek.
j.
.
.
5.
k.
k.
.
.
5.
#19d340c06beb6feea9e435ee-52696368a8e435eek.
o.
.
.
5.
Rich.
.
5.
#19d340d00000000000000000-0000000000000000#19d340e00000000000000000-504500004c010300.
.
.
.
.
.
.
.
PE.
.
L.
.
.
#19d340f09a5b434200000000-00000000e0000f01.
[CB.
kd>!
process00notepad.
exePROCESS81eb91d8SessionId:0Cid:0174Peb:7ffdf000ParentCid:0674DirBase:00075000ObjectTable:e1650888HandleCount:41.
Image:notepad.
exekd>!
pool81eb91d8Poolpage81eb91d8regionisNonpagedpool81eb9000size:a8previoussize:0(Allocated)Mdl81eb90a8size:18previoussize:a8(Free).
.
.
.
81eb90c0size:40previoussize:18(Allocated)FatE81eb9100size:a8previoussize:40(Allocated)File(Protected)81eb91a8size:10previoussize:a8(Free)Irp*81eb91b8size:298previoussize:10(Allocated)*Proc(Protected)PooltagProc:Processobjects,Binary:nt!
ps81eb9450size:40previoussize:298(Allocated)FatE.
.
.
.
.
.
kd>sizeof(nt!
_EPROCESS)Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-8-!
poolused!
poolused!
poolused!
poolused!
poolused命令按照内存池Tag显示内存池信息.
!
poolused命令显示所有Tag的内存池信息,按Tag名排列.
unsignedint0x278kd>sizeof(nt!
_OBJECT_HEADER)unsignedint0x20kd>sizeof(nt!
_POOL_HEADER)unsignedint8kd>dtnt!
_POOL_HEADER81eb91b8+0x000PreviousSize:0y000000010(0x2)+0x000PoolIndex:0y0000000(0)+0x002BlockSize:0y001010011(0x53)+0x002PoolType:0y0000101(0x5)+0x000Ulong1:0xa530002+0x004PoolTag:0xe36f7250+0x004AllocatorBackTraceIndex:0x7250+0x006PoolTagHash:0xe36fkd>dtnt!
_OBJECT_HEADER81eb91c0+0x000PointerCount:14+0x004HandleCount:1+0x004NextToFree:0x00000001+0x008Type:0x81f9b040_OBJECT_TYPE+0x00cNameInfoOffset:0''+0x00dHandleInfoOffset:0''+0x00eQuotaInfoOffset:0''+0x00fFlags:0x20''+0x010ObjectCreateInfo:0x81e12438_OBJECT_CREATE_INFORMATION+0x010QuotaBlockCharged:0x81e12438+0x014SecurityDescriptor:0xe1868463+0x018Body:_QUADkd>53*8Evaluateexpression:664=00000298lkd>!
poolusedSortingbyTagPoolUsed:NonPagedPagedTagAllocsUsedAllocsUsedOPM00264UNKNOWNpooltag'OPM',pleaseupdatepooltag.
txt010X12400UNKNOWNpooltag'010X',pleaseupdatepooltag.
txt100X48800UNKNOWNpooltag'100X',pleaseupdatepooltag.
txt110X14800UNKNOWNpooltag'110X',pleaseupdatepooltag.
txt13946021493761289760UNKNOWNpooltag'1394',pleaseupdatepooltag.
txt.
.
.
.
.
.
Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-9-!
poolused2命令显示非分页内存信息,按内存大小排列.
!
poolused4命令显示分页内存信息,按内存大小排列.
!
poolused2和!
poolused4两条命令检查内存池当前使用情况非常方便,很容易定位内存使用量大的模块.
所Proc714657600Processobjects,Binary:nt!
ps.
.
.
.
.
.
vdbg144800UNKNOWNpooltag'vdbg',pleaseupdatepooltag.
txtvirt2301180051280VirtualMachineManager(VPC/VS),Binary:vmm.
syswhea121709600UNKNOWNpooltag'whea',pleaseupdatepooltag.
txtTOTAL97080379773369481192370752lkd>!
poolused2SortingbyNonPagedPoolConsumedPoolUsed:NonPagedPagedTagAllocsUsedAllocsUsedEtwB146667238416802816EtwBuffer,Binary:nt!
etwCont309264860800ContiguousphysicalmemoryallocationsfordevicedriversPool5225322400Pooltables,etc.
HTab505195558400UNKNOWNpooltag'HTab',pleaseupdatepooltag.
txtWdm718154293600WDMDevi598123417600DeviceobjectsNV3389103916800nVidiavideodriverFile528189768800Fileobjects.
.
.
.
.
.
Txls00132TXF_CANCEL_LSN,Binary:ntfs.
sysPcSt00364608WDMaudiostuffTOTAL98637381283369526591889040lkd>!
poolused4SortingbyPagedPoolConsumedPoolUsed:NonPagedPagedTagAllocsUsedAllocsUsedMmSt00392928541680Mmsectionobjectprototypeptes,Binary:nt!
mmCM2500394218165760InternalConfigurationmanagerallocations,Binary:nt!
cmMmRe0065110185528UNKNOWNpooltag'MmRe',pleaseupdatepooltag.
txtCM3500223301376InternalConfigurationmanagerallocations,Binary:nt!
cmNtFB00852839560BitmpSup.
c,Binary:ntfs.
sysClfI00212648560CLFS_MARSHALBUFFER_TAG,Binary:clfs.
sys.
.
.
.
.
.
FlmC328800UNKNOWNpooltag'FlmC',pleaseupdatepooltag.
txtAlIn2462601600ALPCInternalallocation,Binary:nt!
alpcTOTAL9821343330551209452991533248Windows调试工具入门(http://www.
DbgTech.
net)WinDbg内核调试常用命令(2)-10-有的Tag都会自动在triage\pooltag.
txt文件中查找对应的模块,如果没有显示模块,也可以在所有驱动文件中查找字符串,从而找到消耗内存的驱动.
!
poolfind!
poolfind!
poolfind!
poolfind!
poolfind命令显示所有指定Tag的内存信息.
!
poolfindxxxx0命令显示在非分页池中所有Tag为xxxx的内存信息.
!
poolfindxxxx1命令显示在分页池中所有Tag为xxxx的内存信息.
对象相关对象相关对象相关对象相关在Windows内核中,所有资源都是以对象形式存在的,如进程对象、文件对象等.
大部分内核函数都会和对象管理器打交道,系统大部分时间也在操作不同的对象.
句柄是对象的上层抽象,不同的句柄可以表示同一个对象,不同的进程可以有值相同的句柄.
由句柄可以得到对象,由对象可以生成句柄.