Geoff Chappell - Software Analyst
The MI_MEMORY_EVENT_TYPES enumeration (formally _MI_MEMORY_EVENT_TYPES) looks to have been introduced for Windows 10 to help with supporting memory partitions. What had been internal variables for the kernel’s management of physical memory now had to be reproduced for each partition. They were reworked as members of structures that are nested in the MI_PARTITION. In the particular case of the many separate variables in which the kernel kept pointers to KEVENT objects to signal on the occurrence of corresponding events in memory management, the variables were collected into an array named MemoryEvents in the MI_PARTITION_CORE. The MI_MEMORY_EVENT_TYPES indexes this array.
Value (x86) | Name | Versions | Object Name |
---|---|---|---|
0 (10.0 to 1607) | LowAvailablePagesEvent | 10.0 to 1607 | \KernelObjects\LowMemoryCondition |
1 (10.0 to 1607) | HighAvailablePagesEvent | 10.0 to 1607 | \KernelObjects\HighMemoryCondition |
2 (10.0 to 1607); 0 | LowPagedPoolEvent | 10.0 and higher | \KernelObjects\LowPagedPoolCondition |
3 (10.0 to 1607); 1 | HighPagedPoolEvent | 10.0 and higher | \KernelObjects\HighPagedPoolCondition |
4 (10.0 to 1607); 2 | LowNonPagedPoolEvent | 10.0 and higher | \KernelObjects\LowNonPagedPoolCondition |
5 (10.0 to 1607); 3 | HighNonPagedPoolEvent | 10.0 and higher | \KernelObjects\HighNonPagedPoolCondition |
4 | LowAvailablePagesEvent | 1703 and higher | \KernelObjects\LowMemoryCondition |
5 | HighAvailablePagesEvent | 1703 and higher | \KernelObjects\HighMemoryCondition |
6 | LowCommitEvent | 10.0 and higher | \KernelObjects\LowCommitCondition |
7 | HighCommitEvent | 10.0 and higher | \KernelObjects\HighCommitCondition |
8 | MaximumCommitEvent | 10.0 and higher | \KernelObjects\MaximumCommitCondition |
9 | BadMemoryDetectedEvent | 10.0 and higher | \KernelObjects\MemoryErrors |
10 | PhysicalMemoryChangeEvent | 10.0 and higher | \KernelObjects\PhysicalMemoryChange |
11 | TotalNumberOfMemoryEvents | 10.0 and higher | |
The KEVENT structure for each of these events is not merely a kernel object such as might be referenced by any kernel-mode software that learns the address. Instead, these events are Object Manager objects which can be opened by name (subject to security), including by user-mode software. It’s almost as if much of the point to the memory events is that they are accessible to user-mode software such as may alert the user (or system administrator) at notable moments in the use of memory. Yet Microsoft documents the events only as Standard Event Objects for drivers to use—and even then does not document the last two. There must be other documentation to find—or more to write about these events!
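The "opened by name (subject to security)" point can be checked from an ordinary user-mode session. The script below is an added example, not code from this page or from Microsoft: it calls the native `NtOpenEvent` for each object name in the table and reports the NTSTATUS. The helper names `MemoryEventProbe` and `TryOpen` are hypothetical, and requesting only `SYNCHRONIZE` access is an assumption about what a waiter would ask for.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class MemoryEventProbe {   // hypothetical helper, not a Windows API
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory, ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService;
    }
    [DllImport("ntdll.dll")]
    static extern int NtOpenEvent(out IntPtr handle, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")]
    static extern int NtClose(IntPtr handle);
    const uint SYNCHRONIZE = 0x00100000;       // assumed access: the right needed to wait
    const uint OBJ_CASE_INSENSITIVE = 0x40;

    // Returns the NTSTATUS of NtOpenEvent; 0 means the caller's token passed the object's ACL.
    public static int TryOpen(string ntPath) {
        IntPtr text = Marshal.StringToHGlobalUni(ntPath);
        IntPtr name = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        try {
            UNICODE_STRING us = new UNICODE_STRING();
            us.Length = (ushort)(ntPath.Length * 2);        // byte count, no terminator
            us.MaximumLength = (ushort)(us.Length + 2);
            us.Buffer = text;
            Marshal.StructureToPtr(us, name, false);
            OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
            oa.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
            oa.ObjectName = name;                           // absolute path, no root directory
            oa.Attributes = OBJ_CASE_INSENSITIVE;
            IntPtr handle;
            int status = NtOpenEvent(out handle, SYNCHRONIZE, ref oa);
            if (status >= 0) NtClose(handle);               // probe only: never wait, set or reset
            return status;
        } finally { Marshal.FreeHGlobal(name); Marshal.FreeHGlobal(text); }
    }
}
'@
# Object names exactly as listed in the table above.
$names = 'LowMemoryCondition', 'HighMemoryCondition', 'LowPagedPoolCondition',
         'HighPagedPoolCondition', 'LowNonPagedPoolCondition', 'HighNonPagedPoolCondition',
         'LowCommitCondition', 'HighCommitCondition', 'MaximumCommitCondition',
         'MemoryErrors', 'PhysicalMemoryChange'
foreach ($n in $names) {
    $status = [MemoryEventProbe]::TryOpen("\KernelObjects\$n")
    '{0,-26} NTSTATUS 0x{1:X8}' -f $n, $status
}
```

A status of 0xC0000022 (STATUS_ACCESS_DENIED) for a given name means the object's security descriptor does not grant the requested access to the current token, so running the script as a standard user and again elevated shows how far each event is exposed.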