Why !vtop works and not !PTE

  • Question

  • Hello,
    WinDbg on a 64 bit Windows 7, was attached to a 64 bit user mode app.
    Why did the !vtop command work, but the !PTE command on the same
    virtual address (of a variable in the user mode app) returned a "not valid" as
    below? The user mode app is waiting for input. Many thanks for any help.

    lkd> !process 0 0 umode64v2.exe
    PROCESS fffffa8006ea0220
    SessionId: 1 Cid: 03f8 Peb: 7fffffd3000 ParentCid: 04a4
    DirBase: 1678b000 ObjectTable: fffff8a0013db010 HandleCount: 6.
    Image: UMode64v2.exe
    lkd> .process /p /r fffffa8006ea0220
    Implicit process is now fffffa80`06ea0220
    Loading User Symbols
    .....
    lkd> .context
    User-mode page directory base is 1678b000

    lkd> dd 13f459000
    00000001`3f459000 deadbeef fffffffe 00000001 ffffffff

    lkd> !vtop 1678b000 13f459000
    Amd64VtoP: Virt 00000001`3f459000, pagedir 1678b000
    Amd64VtoP: PML4E 1678b000
    Amd64VtoP: PDPE 18d39020
    Amd64VtoP: PDE 1907afd0
    Amd64VtoP: PTE 17efb2c8
    Amd64VtoP: Mapped phys 7001000
    Virtual address 13f459000 translates to physical address 7001000.

    lkd> !dd 7001000
    # 7001000 deadbeef fffffffe 00000001 ffffffff

    lkd> !pte 13f459000
    VA 000000013f459000
    PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00020 PDE at FFFFF6FB40004FD0 PTE at FFFFF680009FA2C8
    contains 1A7000000CE88867 contains 02E0000012E08867 contains 0310000012B08867 contains 0000000000000000
    pfn ce88 ---DA--UWEV pfn 12e08 ---DA--UWEV pfn 12b08 ---DA--UWEV not valid

    Saturday, January 15, 2011 9:36 PM

Answers

  • Try this:

    kd> .cache noforcedecodeptes  // this is the default ?

    Max cache size is       : 1048576 bytes (0x400 KB)
    Total memory in cache   : 120 bytes (0x1 KB)
    Number of regions cached: 1
    3 full reads broken into 6 partial reads
        counts: 4 cached/2 uncached, 66.67% cached
        bytes : 41 cached/48 uncached, 46.07% cached
    kd> !process 0 0 calc.exe
    PROCESS ffbc8980  SessionId: 0  Cid: 075c    Peb: 7ffdf000  ParentCid: 0620
        DirBase: 06700260  ObjectTable: e15c1888  HandleCount:  37.
        Image: calc.exe
    kd> .process ffbc8980
    Implicit process is now ffbc8980
    WARNING: .cache forcedecodeuser is not enabled   // error in help and here??? 
    kd> .cache forcedecodeptes
    Max cache size is       : 1048576 bytes (0x400 KB)
    Total memory in cache   : 0 bytes (0 KB)
    Number of regions cached: 0
    0 full reads broken into 0 partial reads
        counts: 0 cached/0 uncached, 0.00% cached
        bytes : 0 cached/0 uncached, 0.00% cached
    ** Transition PTEs are implicitly decoded
    ** Virtual addresses are translated to physical addresses before access
    ** Prototype PTEs are implicitly decoded


    kd> !vtop  6700260 10000
    X86VtoP: Virt 00010000, pagedir 6700260
    X86VtoP: PAE PDPE 6700260 - 000000000264e001
    X86VtoP: PAE PDE 264e000 - 00000000008f0067
    X86VtoP: PAE PTE 8f0080 - 00000000007f1886
    X86VtoP: PAE Mapped phys 7f1000
    Virtual address 10000 translates to physical address 7f1000.

    kd> !pte 10000
                        VA 00010000
    PDE at C0600000            PTE at C0000080
    contains 00000000008F0067  contains 00000000007F1886
    pfn 8f0       ---DA--UWEV   not valid
                                Transition: 7f1
                                Protect: 4 - ReadWrite

    But why?? Don't know explicitly. And why not valid??? With other address ok:

    kd> !vtop  6700260 1000000
    X86VtoP: Virt 01000000, pagedir 6700260
    X86VtoP: PAE PDPE 6700260 - 000000000264e001
    X86VtoP: PAE PDE 264e040 - 0000000000a22067
    X86VtoP: PAE PTE a22000 - 0000000007bc7005
    X86VtoP: PAE Mapped phys 7bc7000
    Virtual address 1000000 translates to physical address 7bc7000.
    kd> !pte  1000000
                        VA 01000000
    PDE at C0600040            PTE at C0008000
    contains 0000000000A22067  contains 0000000007BC7005
    pfn a22       ---DA--UWEV   pfn 7bc7      -------UREV

    WinVista32 virtualmachine

    .cache forcedecodeuser as in help gets nonsense:

    kd> !pte 10000
                        VA 00010000
    PDE at C0600000            PTE at C0000080
    contains 0000000001900067  contains FFFFFFFF00000480
    pfn 1900      ---DA--UWEV   not valid
                                Proto: VAD
                                Protect: 4 - ReadWrite

    no warranty

     

    • Marked as answer by itsawildworld Tuesday, January 18, 2011 4:20 PM
    Sunday, January 16, 2011 11:44 AM

All replies

  • Thank you for the help. With it, I was able to find out that .process /P or .cache forcedecodeptes enabled !pte to work. Although I am not sure I trust the !pte command, since without /P or forcedecodeptes, sometimes it returned erroneous data. It didn't say "not valid", just gave the wrong answer. Thanks again.

    Tuesday, January 18, 2011 4:19 PM
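
The address arithmetic behind the two commands in the question, as an added example that is not part of the original posts: it recomputes the table indices for VA 13f459000, the self-map virtual addresses that `!pte` printed, and checks whether the PFNs `!pte` displayed chain to the physical table pages `!vtop` visited. The self-map base constants are assumed to be the fixed Windows 7 x64 values (they agree with the addresses in the `!pte` output); all function names are hypothetical.

```python
# Added example: values below are copied from the question's WinDbg output.
PXE_BASE = 0xFFFFF6FB7DBED000  # assumed fixed x64 self-map bases (Windows 7)
PPE_BASE = 0xFFFFF6FB7DA00000
PDE_BASE = 0xFFFFF6FB40000000
PTE_BASE = 0xFFFFF68000000000
PFN_MASK = (1 << 40) - 1       # PFN occupies bits 12..51 of an entry

VA = 0x13F459000
# Physical entry addresses printed by !vtop (PML4E, PDPE, PDE, PTE)
VTOP_PHYS = [0x1678B000, 0x18D39020, 0x1907AFD0, 0x17EFB2C8]
# (self-map VA, contents) printed by !pte for PXE, PPE, PDE, PTE
PTE_CMD = [(0xFFFFF6FB7DBED000, 0x1A7000000CE88867),
           (0xFFFFF6FB7DA00020, 0x02E0000012E08867),
           (0xFFFFF6FB40004FD0, 0x0310000012B08867),
           (0xFFFFF680009FA2C8, 0x0000000000000000)]

def indices(va):
    """Return the PML4, PDPT, PD and PT indices (9 bits each) of a VA."""
    return [(va >> s) & 0x1FF for s in (39, 30, 21, 12)]

def selfmap_addrs(va):
    """Virtual addresses at which !pte reads each level's entry."""
    va &= (1 << 48) - 1
    levels = ((PXE_BASE, 39), (PPE_BASE, 30), (PDE_BASE, 21), (PTE_BASE, 12))
    return [base + ((va >> s) << 3) for base, s in levels]

def chain_mismatches(vtop_phys, pte_cmd):
    """Levels where the PFN shown by !pte does not point at the table page
    that !vtop read for the next level down."""
    bad = []
    for i, name in enumerate(["PXE", "PPE", "PDE"]):
        next_page = ((pte_cmd[i][1] >> 12) & PFN_MASK) << 12
        if next_page != vtop_phys[i + 1] & ~0xFFF:
            bad.append(name)
    return bad

if __name__ == "__main__":
    idx = indices(VA)
    print("indices:      ", [hex(i) for i in idx])
    print("entry offsets:", [hex(i * 8) for i in idx])
    print("self-map VAs: ", [hex(a) for a in selfmap_addrs(VA)])
    print("levels disagreeing with !vtop:",
          chain_mismatches(VTOP_PHYS, PTE_CMD))
```

Both commands used the same indices, but every upper-level entry `!pte` displayed points at a different table page than the one `!vtop` walked from DirBase 1678b000, so the two outputs describe different sets of page tables.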