The MI_VISIBLE_STATE structure is known only as the type of the Vs member of the MI_SYSTEM_INFORMATION, which is in turn the type of the internal kernel variable MiState in Windows 10.
As a collection of what earlier versions had as separately named internal variables, the MI_VISIBLE_STATE is highly susceptible to changing between builds.
Version | Size (x86) | Size (x64) |
---|---|---|
10.0 to 1511 | 0x0840 | 0x0640 |
1607 | 0x0880 | 0x0840 |
1703 | 0x0880 | 0x0900 |
1709 | 0x08C0 | 0x0900 |
1803 to 1809 | 0x0A80 | 0x0C40 |
1903 | 0x0CC0 | 0x0C80 |
2004 | 0x0CC0 | 0x0CC0 |
These sizes and the names and types in the table below are from type information in the public symbol files for the kernel.
Offset (x86) | Offset (x64) | Definition | Versions |
---|---|---|---|
0x00 (10.0 to 1809) | 0x00 (10.0 to 1809) |
MI_SPECIAL_POOL SpecialPool; |
10.0 to 1809 |
0x48 (10.0 to 1607); 0x40 (1703 to 1809); 0x00 |
0x50 (10.0 to 1607); 0x40 (1703 to 1809); 0x00 |
LIST_ENTRY SessionWsList; |
10.0 and higher |
0x50 (10.0 to 1607); 0x48 (1703 to 1809); 0x08 |
0x60 (10.0 to 1607); 0x50 (1703 to 1809); 0x10 |
RTL_BITMAP *SessionIdBitmap; |
10.0 and higher |
0x54 (10.0 to 1607); 0x4C (1703 to 1809); 0x0C |
0x68 (10.0 to 1607); 0x58 (1703 to 1809); 0x18 |
MM_PAGED_POOL_INFO PagedPoolInfo; |
10.0 and higher |
0x70 (10.0 to 1607); 0x68 (1703 to 1809); 0x18 |
0xA0 (10.0 to 1607); 0x90 (1703 to 1809); 0x30 |
ULONG_PTR MaximumNonPagedPoolInPages; |
10.0 and higher |
0x74 (10.0 to 1607); 0x6C (1703 to 1809); 0x1C |
0xA8 (10.0 to 1607); 0x98 (1703 to 1809); 0x38 |
ULONG_PTR SizeOfPagedPoolInPages; |
10.0 and higher |
0x78 (10.0 to 1607); 0x70 (1703 to 1809); 0x20 |
0xB0 (10.0 to 1607); 0xA0 (1703 to 1809); 0x40 |
MI_SYSTEM_PTE_TYPE SystemPteInfo; |
10.0 and higher |
0xAC (10.0 to 1511); 0xB0 (1607); 0xA8 (1703 to 1709); 0xA4 (1803 to 1809); 0x54 |
0x0110 (10.0 to 1511); 0x0118 (1607); 0x0108 (1703 to 1709); 0x0100 (1803 to 1809); 0xA0 |
ULONG_PTR volatile NonPagedPoolCommit; |
10.0 and higher |
0xAC (1607 to 1709); 0xA8 (1803 to 1809); 0x58 |
0x0110 (1607 to 1709); 0x0108 (1803 to 1809); 0xA8 |
ULONG_PTR volatile SmallNonPagedPtesCommit; |
1607 and higher |
0xB0 (10.0 to 1511); 0xB4 (1607); 0xB0 (1703 to 1709); 0xAC (1803 to 1809); 0x5C |
0x0118 (10.0 to 1511); 0x0120 (1607); 0x0118 (1703 to 1709); 0x0110 (1803 to 1809); 0xB0 |
ULONG_PTR volatile BootCommit; |
10.0 and higher |
0xB4 (10.0 to 1511); 0xB8 (1607); 0xB4 (1703 to 1709); 0xB0 (1803 to 1809); 0x60 |
0x0120 (10.0 to 1511); 0x0128 (1607); 0x0120 (1703 to 1709); 0x0118 (1803 to 1809); 0xB8 |
ULONG_PTR volatile MdlPagesAllocated; |
10.0 and higher |
0xB8 (10.0 to 1511); 0xBC (1607); 0xB8 (1703 to 1709); 0xB4 (1803 to 1809); 0x64 |
0x0128 (10.0 to 1511); 0x0130 (1607); 0x0128 (1703 to 1709); 0x0120 (1803 to 1809); 0xC0 |
ULONG_PTR volatile SystemPageTableCommit; |
10.0 and higher |
0xBC (10.0 to 1511); 0xC0 (1607); 0xBC (1703 to 1709); 0xB8 (1803 to 1809) |
0x0130 (10.0 to 1511); 0x0138 (1607); 0x0130 (1703 to 1709); 0x0128 (1803 to 1809) |
ULONG_PTR volatile SpecialPagesInUse; |
10.0 to 1809 |
0xC0 (10.0 to 1511); 0xC4 (1607) |
0x0138 (10.0 to 1511); 0x0140 (1607) |
ULONG_PTR volatile WsOverheadPages; |
10.0 to 1607 |
0xC4 (10.0 to 1511); 0xC8 (1607) |
0x0140 (10.0 to 1511); 0x0148 (1607) |
ULONG_PTR volatile VadBitmapPages; |
10.0 to 1607 |
0xC8 (10.0 to 1511); 0xCC (1607); 0xC0 (1703 to 1709); 0xBC (1803 to 1809); 0x68 |
0x0148 (10.0 to 1511); 0x0150 (1607); 0x0138 (1703 to 1709); 0x0130 (1803 to 1809); 0xC8 |
ULONG_PTR volatile ProcessCommit; |
10.0 and higher |
0xCC (10.0 to 1511); 0xD0 (1607) |
0x0150 (10.0 to 1511); 0x0158 (1607) |
ULONG_PTR volatile SharedCommit; |
10.0 to 1607 |
0xD0 (10.0 to 1511); 0xD4 (1607); 0xC4 (1703 to 1709); 0xC0 (1803 to 1809); 0x6C |
0x0158 (10.0 to 1511); 0x0160 (1607); 0x0140 (1703 to 1709); 0x0138 (1803 to 1809); 0xD0 |
LONG volatile DriverCommit; |
10.0 and higher |
0x70 | 0xD4 |
UCHAR PagingLevels; |
1903 and higher |
0xC8 (1703 to 1709); 0xC4 (1803 to 1809); 0x74 |
0x0148 (1607 to 1709); 0x0140 (1803 to 1809); 0xD8 |
ULONG_PTR PfnDatabaseCommit; |
1607 and higher |
0x0100 (10.0 to 1809); 0x80 |
0x0180 (10.0 to 1809); 0x0100 |
MMSUPPORT SystemWs [3]; |
10.0 to 1511 |
MMSUPPORT_FULL SystemWs [3]; |
1607 to 1709 | ||
MMSUPPORT_FULL SystemWs [6]; |
1803 and higher | ||
0x02C0 (1607 to 1709); 0x0480 (1803 to 1809); 0x0680 |
0x04C0 (1607 to 1709); 0x0800 (1803 to 1809); 0x0880 |
MMSUPPORT_SHARED SystemCacheShared; |
1607 and higher |
0x0540 (1607 to 1709); 0x0880 (1803 to 1809); 0x0900 |
MMSUPPORT_AGGREGATION AggregateSystemWs [1]; |
1607 and higher | |
0x0560 (1607) |
MMWSL_SHARED SystemCacheSharedWorkingSetList; |
1607 only | |
0x0280 (10.0 to 1511); 0x02E4 (1607 to 1709); 0x04AC (1803 to 1809); 0x0700 |
0x0468 (10.0 to 1511); 0x05C0 (1607); 0x0560 (1703 to 1709); 0x08A0 (1803 to 1809); 0x0920 |
ULONG MapCacheFailures; |
10.0 and higher |
0x0284 (10.0) | 0x046C (10.0) |
ULONG LastUnloadedDriver; |
10.0 only |
0x0288 (10.0) | 0x0470 (10.0) |
UNLOADED_DRIVERS *UnloadedDrivers; |
10.0 only |
0x028C (10.0); 0x0284 (1511); 0x02E8 (1607 to 1709); 0x04B0 (1803 to 1809); 0x0704 |
0x0478 (10.0); 0x0470 (1511); 0x05C8 (1607); 0x0568 (1703 to 1709); 0x08A8 (1803 to 1809); 0x0928 |
ULONG_PTR PagefileHashPages; |
10.0 and higher |
0x0290 (10.0); 0x0288 (1511); 0x02EC (1607 to 1709); 0x04B4 (1803 to 1809); 0x0708 |
0x0480 (10.0); 0x0478 (1511); 0x05D0 (1607); 0x0570 (1703 to 1709); 0x08B0 (1803 to 1809); 0x0930 |
SYSPTES_HEADER PteHeader; |
10.0 and higher |
0x031C (10.0); 0x0314 (1511); 0x0378 (1607 to 1709); 0x0540 (1803 to 1809) |
0x0598 (10.0); 0x0590 (1511); 0x06E8 (1607); 0x0688 (1703 to 1709); 0x09C8 (1803 to 1809) |
MI_SPECIAL_POOL *SessionSpecialPool; |
10.0 to 1809 |
0x0320 (10.0); 0x0318 (1511); 0x037C (1607 to 1709); 0x0544 (1803 to 1809); 0x0794 |
0x05A0 (10.0); 0x0598 (1511); 0x06F0 (1607); 0x0690 (1703 to 1709); 0x09D0 (1803 to 1809); 0x0A48 |
ULONG_PTR SystemVaTypeCount [MiVaMaximumType]; |
10.0 and higher |
0x035C (10.0); 0x0354 (1511); 0x03B8 (1607 to 1703); 0x03C0 (1709); 0x0584 (1803 to 1809); 0x07D0 (1903); 0x07D4 |
0x0700 (1703); 0x0710 (1709); 0x0A50 (1803 to 1809); 0x0AC0 (1903); 0x0AC8 |
UCHAR SystemVaType [0x0400]; |
10.0 and higher (x86) |
UCHAR SystemVaType [0x0100]; |
1703 and higher (x64) | ||
0x075C (10.0); 0x0754 (1511); 0x07B8 (1607 to 1703); 0x07C0 (1709); 0x0984 (1803 to 1809); 0x0BD0 (1903); 0x0BD4 |
ULONG SystemVaTypeCountFailures [MiVaMaximumType]; |
10.0 and higher | |
0x0798 (10.0); 0x0790 (1511); 0x07F4 (1607 to 1703); 0x0804 (1709); 0x09C4 (1803 to 1809); 0x0C0C (1903); 0x0C14 |
ULONG SystemVaTypeCountLimit [MiVaMaximumType]; |
10.0 and higher | |
0x07D4 (10.0); 0x07CC (1511); 0x0830 (1607 to 1703); 0x0848 (1709); 0x0A04 (1803 to 1809); 0x0C48 (1903); 0x0C54 |
ULONG SystemVaTypeCountPeak [MiVaMaximumType]; |
10.0 and higher | |
0x0810 (10.0); 0x0808 (1511); 0x086C (1607 to 1703); 0x088C (1709); 0x0A44 (1803 to 1809); 0x0C84 (1903); 0x0C94 |
ULONG SystemAvailableVa; |
10.0 and higher | |
0x0760 (1607); 0x0800 (1703); 0x0810 (1709); 0x0B50 (1803 to 1809); 0x0BC0 (1903); 0x0BC8 |
MI_SYSTEM_VA_ASSIGNMENT SystemVaRegions [AssignedRegionMaximum]; |
1607 and higher |
The SystemVaTypeCount member is originally the internal variable MiSystemVaTypeCount, dating from Windows Vista. The several similar arrays of counters in the 32-bit builds likewise correspond to internal variables that date from Windows Vista SP1. All are indexed by the MI_SYSTEM_VA_TYPE enumeration. Note that the number of elements varies with the build.
The MI_SYSTEM_VA_TYPE enumeration also figures in the SystemVaType member. This too, in the 32-bit builds, dates from Windows Vista as an internal variable. Its elements are values from the enumeration. Given a virtual address in system space, this SystemVaType array thus provides for ready reckoning of the address’s type. The index for the lookup is in 2MB units from the start of system space, 2MB being the amount of virtual address space that’s mapped through one page directory entry (given the use of PAE). That there are 0x0400 elements allows system space to start as low as 0x80000000.
The SystemAvailableVa member also originates as an internal variable in Windows Vista. It tracks how many bytes of system address space are not yet assigned, but only for 32-bit Windows. In 64-bit Windows, perhaps just for the convenience that comes from having much more address space to work with, different types of addresses in system address space are assigned to different regions whose bases and sizes are hard-coded. This predictability was scrapped for the 1607 release of Windows 10, apparently in a continuing programme of strengthening kernel-mode Address Space Layout Randomisation (ASLR). A new classification of address-space regions is modelled by the MI_ASSIGNED_REGION_TYPES enumeration, which indexes the new SystemVaRegions array. Again, the number of elements varies with the build. The values give the dynamically assigned base addresses and sizes of these regions of system space. The variability complicates the lookup of an address’s MI_SYSTEM_VA_TYPE. The 1703 release eases this by introducing the SystemVaType member to 64-bit Windows. The index for the lookup is in units of 512GB from the start of system space at 0xFFFF8000`00000000, 512GB being the amount of virtual address space that’s mapped through one PML4 entry.