MMPFNLIST

For each physical page that’s in general use, the kernel keeps one MMPFN structure. For each physical page that’s not in active use (or at least in transition to or from active use), the MMPFN goes into one or another list. The MMPFNLIST structure (formally _MMPFNLIST) is the list head.

Before Windows 10, the list heads are internal variables in the kernel’s data. In Windows 10 and higher, with physical memory in separate partitions, the list heads are the PageLists and Vp members of an MI_PARTITION structure.

The MMPFNLIST structure is 0x14 or 0x28 bytes in 32-bit and 64-bit Windows 10, respectively, since its one change for Windows 7. In earlier versions it is 0x10 or 0x20 bytes.

ULONG_PTR Total;

MMLISTS ListName;

PFN_NUMBER Flink;

PFN_NUMBER Blink;

ULONG_PTR Lock;

The Total is of pages in the list. The ListName has long been only a rough classification of the list’s purpose. In early versions, the kernel has six lists among its internal variables, each with a unique ListName. Only in version 3.10 does each list have its own ListName. Version 5.0 added a second list that shares StandbyPageList for its ListName. Ever since, the ListName is arguably more a list type.

The kernel keeps all MMPFN structures in an array that is indexed by the Page Frame Number (PFN) of the corresponding pages of physical memory. For each page that’s in a list, the MMPFN has its Flink and Blink members set to the PFN of the next and previous page, respectively, or to a terminating value if the page is at the tail or head. The terminator varies with the version:

This interpretation applies also to the Flink and Blink in the MMPFNLIST. They are respectively the PFN of the first and last pages in the list, else they hold the terminating value.