Hey everyone, I thought I’d add some information about the internal mechanisms of Windows. In this example I’m going to write about the process working set and the basic management of the working set.
The process working set is the number of pages referenced by a process. The working set is the number of virtual pages which are currently in physical memory.
By default, the minimum working set is 50 pages and the maximum limit is 345 pages for a single process, although these limits can be ignored if the system has enough free memory.
We can examine the current working set for a process by using the !process extension with either the Process ID or the process’ address.
We see the current working set, and the working set maximum and minimum sizes. We can also see the page fault count for the current process and its pool usage.
On a page fault, the Working Set Manager must determine whether current pages are to be replaced (trimmed) and sent to disk, or whether additional pages can simply be added to the working set of the process. The Working Set Manager arranges the processes into an order: processes with the largest working sets whose pages haven’t been accessed in a while are nominated first for trimming, and then smaller processes are considered for trimming.
The Working Set Manager examines processes with working sets above their minimum of 50 pages, and then checks the PTE status bits for each page. If the Accessed bit is clear, the page hasn’t been accessed recently and is considered to be aged. While scanning for pages to trim, the Working Set Manager may come across a page which does have the Accessed bit set; it clears the bit, and if on the next scan the page still hasn’t been accessed, the page is considered aged.
The scans continue for as long as required.
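The aging scan described above, as a small C model (an added example, not Windows source code and not part of the original post). The `SimPte` structure, the constructed 80-page sample process, and the rule that trimming stops once the process is back at the 50-page minimum are assumptions of the model.

```c
#include <stdio.h>
#include <stddef.h>

#define WS_MINIMUM 50   /* default minimum working set quoted above, in pages */
#define NPAGES     80   /* constructed sample process: 80 resident pages */

/* Simplified stand-in for a PTE: only the two status bits this model needs. */
typedef struct { unsigned valid : 1, accessed : 1; } SimPte;
size_t trimmed_per_scan[4];   /* filled in by run_scenario() */

/* One trimming pass over a process (a model, not the Windows implementation).
 * Accessed bit set: clear it, the page survives this pass.
 * Accessed bit already clear: aged, trim it. Assumption: stop at the minimum. */
size_t ws_scan(SimPte *pte, size_t n, size_t *ws_size)
{
    size_t trimmed = 0;
    for (size_t i = 0; i < n && *ws_size > WS_MINIMUM; i++) {
        if (!pte[i].valid) continue;                        /* already trimmed */
        if (pte[i].accessed) { pte[i].accessed = 0; continue; }
        pte[i].valid = 0; (*ws_size)--; trimmed++;          /* aged page leaves the set */
    }
    return trimmed;
}

/* The CPU sets the Accessed bit when a resident page is referenced. */
void touch(SimPte *pte, size_t first, size_t last)
{
    for (size_t i = first; i <= last; i++) if (pte[i].valid) pte[i].accessed = 1;
}

/* Four scans over the sample process; returns the final working set size. */
size_t run_scenario(void)
{
    SimPte pte[NPAGES];
    size_t ws = NPAGES;
    for (size_t i = 0; i < NPAGES; i++) { pte[i].valid = 1; pte[i].accessed = 1; }
    trimmed_per_scan[0] = ws_scan(pte, NPAGES, &ws);  /* every bit set: only cleared */
    touch(pte, 0, 59);                                /* pages 60-79 stay idle */
    trimmed_per_scan[1] = ws_scan(pte, NPAGES, &ws);  /* idle pages are aged, trimmed */
    trimmed_per_scan[2] = ws_scan(pte, NPAGES, &ws);  /* untouched since scan 2: trimmed */
    trimmed_per_scan[3] = ws_scan(pte, NPAGES, &ws);  /* at the minimum: not examined */
    return ws;
}

int main(void)
{
    printf("final working set: %zu pages\n", run_scenario());
    for (int i = 0; i < 4; i++)
        printf("scan %d trimmed %zu pages\n", i + 1, trimmed_per_scan[i]);
    return 0;
}
```

The first scan trims nothing because every page starts with its Accessed bit set; a page is only removed after it has stayed untouched across two consecutive scans.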
The Working Set of a process can also be found in Process Explorer.