MMPFN Union 3

The MMPFN (Memory Manager Page Frame Number) structure is the key to pretty much everything that the Memory Manager knows about a page of physical memory that is in general use. Since an array of these structures for all physical memory needs to be kept in physical memory, the MMPFN is its own substantial overhead. Presumably to keep this down, ever more gets packed in to the MMPFN ever more intricately.

However untidy the construction of the MMPFN, it has several fields that are recognisably the same through all versions despite moving around and being repackaged. All versions have an integral reference count. Early versions have it as variously 16-bit or 32-bit, but as a direct member of the MMPFN. Public symbol files starting with Windows 2000 SP3 show a u3 member that combines the 16-bit ReferenceCount with 16 bits of flags, and it is here thought that this or something very like it had already been defined for version 4.0. As a type, u3 is an unnamed union. It shifts once within the MMPFN:

The u3 union is almost certainly not original. The only known use that the earliest versions make of this space is for two 16-bit counts. Both versions 3.10 and 3.50 have at offset 0x0C something very like the 16-bit ReferenceCount as known from public symbol files but they have at offset 0x0E a second 16-bit count whose name may be lost to history. Version 3.51 dropped this second count in favour of widening ReferenceCount to 32 bits.

In none of these early versions is the kernel known to treat this space as having any bit flags. What they have instead are 12 bits of flags at offset 0x14 in combination with a Page Frame Number (PFN) in something like the style of a Page Table Entry (PTE). This whole dword is here thought to be the original MMPFNENTRY. Version 4.0 moved the 12 bit flags to offset 0x0C and redefined the 20-bit PteFrame as the whole integer. Concurrently, the 32-bit ReferenceCount was narrowed to 16 bits, but now at offset 0x0E. Though this might have been done as done as separate words for offsets 0x0C and 0x0E with no union in sight, keeping the bit flags in a 32-bit MMPFNENTRY is consistent with the u3 definition from the earliest public symbol files and the simpler explanation is that this definition dates from version 4.0.

MMPFNENTRY e1;

struct {
    /*  see below: Structure with Entry 1  */
};

struct {
    /*  see below: Entry 2 Structure  */
} e2;

struct {
    USHORT ReferenceCount;
    UCHAR ByteFlags;
    UCHAR InterlockedByteFlags;
} e3;

struct {
    ULONG EntireField;
} e4;

Originally, the e1 and e2 branches each lay out the whole four bytes: e1 as bit fields, leaving the reference count as a 16-bit DontUse field; e2 as 16-bit integers, collecting the flags as ShortFlags to be followed by the ReferenceCount. Version 5.2 from Windows Server 2003 SP1 switched the flags and reference count, and changed many details of the construction.

Structure with Entry 1

When the version 5.2 from Windows Server 2003 SP1 brought the 16-bit ReferenceCount to the front of u3, the MMPFNENTRY of ULONG bit fields lost its high 16 bits that were labelled as DontUse, and was narrowed to USHORT bit fields. Version 6.0 rearranged further into two sets of UCHAR bit fields, which the 1607 release of Windows 10 formalises as separate structures MMPFNENTRY1 and MMPFNENTRY3.

USHORT ReferenceCount;

MMPFNENTRY e1;

MMPFNENTRY1 e1;

MMPFNENTRY3 e3;

Entry 2 Structure

The e2 member is in essence a pair of 16-bit integers: the 16 bits of flags that e1 defines as bit fields; and a 16-bit reference count. The order changes and different versions put either or both of the 16-bit integers in union with another that is volatile. Starting with the 1607 release of Windows 10, the flags are all lost, leaving the e2 member holding just the 16-bit ReferenceCount.

USHORT ShortFlags;

USHORT ReferenceCount;

union {
    USHORT ReferenceCount;
    SHORT volatile VolatileReferenceCount;
};

USHORT ReferenceCount;

USHORT ReferenceCount;

USHORT ShortFlags;

union {
    USHORT ShortFlags;
    USHORT volatile VolatileShortFlags;
};