Geoff Chappell - Software Analyst
The MI_PARTITION_SEGMENTS structure (formally _MI_PARTITION_SEGMENTS) is here thought to exist only as a subdivision of the MI_PARTITION, specifically as the latter’s Segments member.
As a collection of what had mostly been internal variables, the MI_PARTITION_PAGE_LISTS is highly susceptible to changing between builds. The following changes of size give some rough indication of the variability so far:
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 10.0 | 0xA8 | 0x0110 |
| 1511 to 1607 | 0x0100 | 0x0180 |
| 1703 | 0x0100 | 0x0240 |
| 1709 | 0x0180 | 0x0300 |
| 1803 to 2004 | 0x0200 | 0x0340 |
The sizes in the preceding table and the offsets, names and types in the next are from type information in public symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 | 0x00 |
LONG volatile SegmentListLock; |
1703 and higher | previously at 0xC0 and 0x0140 |
| 0x04 | 0x04 |
ULONG DeleteOnCloseCount; |
1703 and higher | previously at 0x74 and 0xBC |
| 0x08 | 0x08 |
LONGLONG volatile FsControlAreaCount; |
1703 and higher | |
| 0x10 | 0x10 |
LONGLONG volatile PfControlAreaCount; |
1703 and higher | |
| 0x18 | 0x18 |
LONGLONG volatile CloneHeaderCount; |
1803 and higher | |
| 0x00 (10.0 to 1607); 0x18 (1703 to 1709); 0x20 |
0x00 (10.0 to 1607); 0x18 (1703 to 1709); 0x20 |
KEVENT DeleteSubsectionCleanup; |
10.0 and higher | |
| 0x10 (10.0 to 1607); 0x28 (1703 to 1709); 0x30 |
0x18 (10.0 to 1607); 0x30 (1703 to 1709); 0x38 |
KEVENT UnusedSegmentCleanup; |
10.0 and higher | |
| 0x20 (10.0 to 1607); 0x38 (1703 to 1709); 0x40 |
0x30 (10.0 to 1607); 0x48 (1703 to 1709); 0x50 |
ULONG_PTR SubsectionDeletePtes; |
10.0 and higher | |
| 0x3C (1709); 0x44 |
0x50 (1709); 0x58 |
MMPAGE_FILE_EXPANSION AttemptForCantExtend; |
1709 and higher | |
| 0x24 (10.0 to 1607); 0x3C (1703); 0x70 (1709); 0x78 |
0x38 (10.0 to 1607); 0x50 (1703); 0xA8 (1709); 0xB0 |
MMDEREFERENCE_SEGMENT_HEADER DereferenceSegmentHeader; |
10.0 and higher | |
| 0x40 (10.0 to 1607); 0x58 (1703); 0x9C (1709); 0xA4 |
0x68 (10.0 to 1607); 0x80 (1703); 0xF8 (1709); 0x0100 |
LIST_ENTRY DeleteOnCloseList; |
10.0 and higher | |
| 0x48 (10.0 to 1607); 0x60 (1703); 0xA8 (1709); 0xB0 |
0x78 (10.0 to 1607); 0x90 (1703); 0x0108 (1709); 0x0110 |
KTIMER DeleteOnCloseTimer; |
10.0 and higher | |
| 0x70 (10.0 to 1607); 0x88 (1703); 0xD0 (1709); 0xD8 |
0xB8 (10.0 to 1607); 0xD0 (1703); 0x0148 (1709); 0x0150 |
BOOLEAN DeleteOnCloseTimerActive; |
10.0 and higher | |
| 0x74 (10.0 to 1607) | 0xBC |
ULONG DeleteOnCloseCount; |
10.0 to 1607 | next at 0x04 |
| 0xD1 (1709); 0xD9 |
0x0149 (1709); 0x0151 |
BOOLEAN SegmentDereferenceThreadExists; |
1709 and higher | |
| 0xDC | 0x0158 |
PVOID SegmentDereferenceActiveControlArea; |
1809 and higher | |
| 0xD4 (1709); 0xDC (1803); 0xE0 |
0x0150 (1709); 0x0158 (1803); 0x0160 |
ULONG_PTR UnusedSegmentPagedPool; |
1709 and higher | |
| 0x78 (10.0 to 1607); 0x8C (1703); 0xD8 (1709); 0xE0 (1803); 0xE4 |
0xC0 (10.0 to 1607); 0xD8 (1703); 0x0158 (1709); 0x0160 (1803); 0x0168 |
LIST_ENTRY UnusedSegmentList; |
10.0 and higher | |
| 0x80 (10.0 to 1607); 0x94 (1703); 0xE0 (1709); 0xE8 (1803); 0xEC |
0xD0 (10.0 to 1607); 0xE8 (1703); 0x0168 (1709); 0x0170 (1803); 0x0178 |
LIST_ENTRY UnusedSubsectionList; |
10.0 and higher | |
| 0x88 (10.0 to 1607); 0x9C (1703); 0xE8 (1709); 0xF0 (1803); 0xF4 |
0xE0 (10.0 to 1607); 0xF8 (1703); 0x0178 (1709); 0x0180 (1803); 0x0188 |
LIST_ENTRY DeleteSubsectionList; |
10.0 and higher | |
| 0x90 (10.0 to 1607); 0xA4 (1703); 0xF0 (1709); 0xF8 (1803); 0xFC |
0xF0 (10.0 to 1607); 0x0108 (1703); 0x0188 (1709); 0x0190 (1803); 0x0198 |
KEVENT ControlAreaDeleteEvent; |
10.0 and higher | |
| 0xA0 (10.0 to 1607); 0xB4 (1703); 0x0100 (1709); 0x0108 (1803); 0x010C |
0x0108 (10.0 to 1607); 0x0120 (1703); 0x01A0 (1709); 0x01A8 (1803); 0x01B0 |
SINGLE_LIST_ENTRY ControlAreaDeleteList; |
10.0 and higher | last member in 10.0 |
| 0xC0 (1511 to 1607) | 0x0140 (1511 to 1607) |
LONG volatile SegmentListLock; |
1511 to 1607 | next at 0x00; last member in 1511 |
| 0xC8 (1607) | 0x0148 (1607) |
LONGLONG volatile ControlAreaCount; |
1607 only | last member in 1607 |
| 0xB8 (1703); 0x0108 (1709); 0x0110 |
0x0128 (1703); 0x01A8 (1709); 0x01B0 (1803); 0x01B8 |
MI_PTE_CHAIN_HEAD FreeSystemCache; |
1703 and higher | |
| 0xD0 (1703); 0x0120 (1709); 0x0128 |
0x0140 (1703); 0x01C0 (1709); 0x01C8 (1803); 0x01D0 |
KEVENT CloneDereferenceEvent; |
1703 and higher | |
| 0xE0 (1703); 0x0130 (1709); 0x0138 |
0x0160 (1703); 0x01E0 (1709 to 1803); 0x01F0 |
SLIST_HEADER CloneProtosSListHead; |
1703 and higher | |
| 0xE8 (1703); 0x0138 (1709); 0x0140 |
0x0170 (1703); 0x01F0 (1709 to 1803); 0x0200 |
EX_PUSH_LOCK SystemCacheInitLock; |
1703 and higher | last member in 1703 (x86) |
| 0x013C (1709); 0x0144 |
0x01F8 (1709 to 1803); 0x0208 |
ULONG PagefileExtensionWaiters; |
1709 and higher | |
| 0x0140 (1709); 0x0148 |
0x01FC (1709 to 1803); 0x020C |
ULONG PagefileExtensionRequests; |
1709 and higher | |
| 0x0144 (1709); 0x014C |
0x0200 (1709 to 1803); 0x0210 |
KEVENT PagefileExtensionWaitEvent; |
1709 and higher | last member in 1709 (x86) |
| 0x015C | 0x0178 (1703); 0x0218 (1709 to 1803); 0x0228 |
MI_CROSS_PARTITION_CHARGES SharedCharges; |
1803 and higher (x86); 1703 and higher (x64) |
|
| 0x01CC | 0x01F8 (1703); 0x02B8 (1709); 0x02F8 (1803); 0x0308 |
KEVENT *SharedChargesDrainEvent; |
1803 and higher (x86); 1703 and higher (x64) |
|
| 0x0200 (1703); 0x02C0 |
KEVENT *PagefileControlAreasDrainEvent; |
1703 to 1709 | last member in 1703 (x64); last member in 1709 (x64) |
|
| 0x01D0 | 0x0300 (1803); 0x0310 |
KEVENT *ControlAreasDrainEvent; |
1803 and higher | |
| 0x01D4 | 0x0308 (1803); 0x0318 |
KEVENT *CloneHeaderDrainEvent; |
1803 and higher | |
| 0x01D8 | 0x0310 (1803); 0x0320 |
EX_RUNDOWN_REF_CACHE_AWARE *ProbeRundownReference; |
1803 and higher | last member in 1803; last member in 1809; last member in 1903; last member in 2004 |