Geoff Chappell - Software Analyst
The MMWSL_INSTANCE is the first part of an MMWSL_FULL, which is in turn the continuation of the ancient MMWSL structure after its separation into parts for the 1607 release of Windows 10.
As an internal structure with little, if any, visibility outside the kernel, the MMWSL_INSTANCE varies greatly between versions and even between builds.
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 1607 | 0xD4 | 0x01A0 |
| 1703 to 2004 | 0x18 | 0x28 |
These sizes, and the names, offsets and types in the tables that follow, are from Microsoft’s symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 | 0x00 |
ULONG_PTR NextSlot; |
1607 only | previously at 0x0C and 0x18 in MMWSL |
MMPTE *NextPteToTrim; |
1703 and higher | |||
| 0x04 | 0x08 |
ULONG_PTR NextAgingSlot; |
1607 only | previously at 0x14 and 0x28 in MMWSL |
MMPTE *NextPteToAge; |
1703 and higher | |||
| 0x08 | 0x10 |
ULONG_PTR NextAccessClearingSlot; |
1607 only | previously at 0x18 and 0x30 in MMWSL |
MMPTE *NextPteToAccessClear; |
1703 and higher | |||
| 0x0C | 0x18 |
ULONG LastAccessClearingRemainder; |
1607 and higher | previously at 0x1C and 0x38 in MMWSL |
| 0x10 | 0x1C |
ULONG LastAgingRemainder; |
1607 and higher | previously at 0x20 and 0x3C in MMWSL |
| 0x14 (1607) | 0x20 (1607) |
ULONG_PTR ActiveWsleCounts [0x10]; |
1607 only | previously at 0x3C and 0x70 in MMWSL |
| 0x54 (1607) | 0xA0 (1607) |
MI_ACTIVE_WSLE_LISTHEAD ActiveWsles [0x10]; |
1607 only | previously at 0x7C and 0xF0 in MMWSL |
| 0x14 | 0x20 |
ULONG_PTR LockedEntries; |
1703 and higher |
The MI_ACTIVE_WSLE_LISTHEAD has just Flink and Blink members that are each a ULONG_PTR.