Geoff Chappell - Software Analyst
The MMSUPPORT_INSTANCE structure (formally _MMSUPPORT_INSTANCE) is the first and main part of an MMSUPPORT_FULL, which is in turn the continuation of the ancient MMSUPPORT structure after its separation into parts for the 1607 release of Windows 10.
As an internal structure with little, if any, visibility outside the kernel, the MMSUPPORT_INSTANCE varies between builds:
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 1607 | 0x64 | 0xC0 |
| 1703 to 1709 | 0x68 | 0xC8 |
| 1803 to 2004 | 0x64 | 0xC0 |
These sizes, and the names, offsets and types in the tables that follow, are from Microsoft’s symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 | 0x00 |
USHORT NextPageColor; |
1607 to 1709 | previously at 0x60 and 0xC0 in MMSUPPORT |
ULONG NextPageColor; |
1803 and higher | |||
| 0x02 (1607 to 1709) | 0x02 (1607 to 1709) |
USHORT LastTrimStamp; |
1607 to 1709 | previously at 0x62 and 0xC2 in MMSUPPORT;
next at 0x5C and 0xAC |
| 0x04 | 0x04 |
ULONG PageFaultCount; |
1607 and higher | previously at 0x64 and 0xC4 in MMSUPPORT |
| 0x08 | 0x08 |
ULONG_PTR TrimmedPageCount; |
1607 and higher | previously at 0x68 and 0xC8 in MMSUPPORT |
| 0x0C | 0x10 |
MMWSL_INSTANCE *VmWorkingSetList; |
1607 and higher | previously at 0x5C and 0xB8 in MMSUPPORT |
| 0x10 | 0x18 |
LIST_ENTRY WorkingSetExpansionLinks; |
1607 and higher | previously at 0x0C and 0x18 in MMSUPPORT |
| 0x18 | 0x28 |
ULONG AgeDistribution [7]; |
1607 only | previously at 0x14 and 0x28 in MMSUPPORT |
ULONG AgeDistribution [8]; |
1703 and higher | |||
| 0x34 (1607); 0x38 |
0x60 (1607); 0x68 |
KGATE *ExitOutswapGate; |
1607 and higher | previously at 0x04 and 0x08 in MMSUPPORT |
| 0x38 (1607); 0x3C |
0x68 (1607); 0x70 |
ULONG_PTR MinimumWorkingSetSize; |
1607 and higher | previously at 0x30 and 0x60 in MMSUPPORT |
| 0x3C (1607); 0x40 |
0x70 (1607); 0x78 |
ULONG_PTR WorkingSetLeafSize; |
1607 and higher | previously at 0x34 and 0x68 in MMSUPPORT |
| 0x40 (1607); 0x44 |
0x78 (1607); 0x80 |
ULONG_PTR WorkingSetLeafPrivateSize; |
1607 and higher | previously at 0x38 and 0x70 in MMSUPPORT |
| 0x44 (1607); 0x48 |
0x80 (1607); 0x88 |
ULONG_PTR WorkingSetSize; |
1607 and higher | previously at 0x3C and 0x78 in MMSUPPORT |
| 0x48 (1607); 0x4C |
0x88 (1607); 0x90 |
ULONG_PTR WorkingSetPrivateSize; |
1607 and higher | previously at 0x40 and 0x80 in MMSUPPORT |
| 0x4C (1607); 0x50 |
0x90 (1607); 0x98 |
ULONG_PTR MaximumWorkingSetSize; |
1607 and higher | previously at 0x44 and 0x88 in MMSUPPORT |
| 0x50 (1607); 0x54 |
0x98 (1607); 0xA0 |
ULONG_PTR PeakWorkingSetSize; |
1607 and higher | previously at 0x54 and 0xA8 in MMSUPPORT |
| 0x54 (1607); 0x58 |
0xA0 (1607); 0xA8 |
ULONG HardFaultCount; |
1607 and higher | previously at 0x58 and 0xB0 in MMSUPPORT |
| 0x5C | 0xAC |
USHORT LastTrimStamp; |
1803 and higher | previously at 0x02 |
| 0x5E |
USHORT Unused0; |
1803 and higher | ||
| 0xA4 (1607); 0xAC (1703 to 1709); 0xAE |
USHORT PartitionId; |
1607 and higher | previously at 0xB4 in MMSUPPORT | |
| 0xA6 (1607); 0xAE (1703 to 1709) |
USHORT Pad0; |
1607 to 1709 | previously at 0xB6 in MMSUPPORT | |
| 0xB0 |
ULONGLONG SelfmapLock; |
1803 and higher | ||
| 0x58 (1607); 0x5C (1703 to 1709) |
0xA8 (1607); 0xB0 (1703 to 1709) |
union {
PVOID InstancedWorkingSet;
} u1;
|
1607 to 1709 | |
| 0x5C (1607); 0x60 (1703 to 1709) |
0xB0 (1607); 0xB8 |
ULONG_PTR Reserved0; |
1607 to 1709 | |
| 0x60 (1607); 0x64 (1703 to 1709); 0x60 |
0xB8 (1607); 0xC0 (1703 to 1709); 0xB8 |
MMSUPPORT_FLAGS Flags; |
1607 and higher | previously at 0x70 and 0xD8 in MMSUPPORT |