Geoff Chappell - Software Analyst
The MMSUPPORT_SHARED structure (formally _MMSUPPORT_SHARED) is the second and lesser part of an MMSUPPORT_FULL, which is in turn the continuation of the ancient MMSUPPORT structure after its separation into parts for the 1607 release of Windows 10.
As an internal structure with little, if any, visibility outside the kernel, the MMSUPPORT_SHARED varies between builds:
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 1607 to 1709 | 0x24 | 0x48 |
| 1803 to 1809 | 0x2C | 0x50 |
| 1903 to 2004 | 0x80 | 0x80 |
These sizes, and the names, offsets and types in the tables that follow, are from Microsoft’s symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 | 0x00 |
LONG volatile WorkingSetLock; |
1607 and higher | previously at 0x00 in MMSUPPORT |
| 0x04 | 0x04 |
LONG GoodCitizenWaiting; |
1703 and higher (x64) | |
| 1803 and higher (x86) | previously at 0x20 | |||
| 0x04 (1607 to 1709); 0x08 |
0x08 |
ULONG_PTR ReleasedCommitDebt; |
1607 and higher | previously at 0x74 and 0xE0 in MMSUPPORT |
| 0x08 (1607 to 1709); 0x0C |
0x10 |
ULONG_PTR ResetPagesRepurposedCount; |
1607 and higher | |
| 0x0C (1607 to 1709); 0x10 |
0x18 |
PVOID WsSwapSupport; |
1607 and higher | previously at 0x78 and 0xE8 in MMSUPPORT |
| 0x10 (1607 to 1709); 0x14 |
0x20 |
PVOID CommitReleaseContext; |
1607 and higher | |
| 0x18 (1803 to 1809) | 0x28 (1803 to 1809) |
LONG volatile WorkingSetCoreLock; |
1803 to 1809 | next at 0x40 |
| 0x14 (1607 to 1709); 0x1C (1803 to 1809); 0x18 |
0x28 (1607 to 1709); 0x30 (1803 to 1809); 0x28 |
PVOID AccessLog; |
1607 and higher | previously at 0x08 and 0x10 in MMSUPPORT |
| 0x18 (1607 to 1709); 0x20 (1803 to 1809); 0x1C |
0x30 (1607 to 1709); 0x38 (1803 to 1809); 0x30 |
ULONG_PTR ChargedWslePages; |
1607 only | previously at 0x48 and 0x90 in MMSUPPORT |
ULONG_PTR volatile ChargedWslePages; |
1703 and higher | |||
| 0x1C (1607 to 1709); 0x24 (1803 to 1809); 0x20 |
0x38 (1607 to 1709); 0x40 (1803 to 1809); 0x38 |
ULONG_PTR ActualWslePages; |
1607 and higher | previously at 0x4C and 0x98 in MMSUPPORT |
| 0x40 | 0x40 |
ULONG_PTR WorkingSetCoreLock; |
1903 and higher | previously at 0x18 and 0x28 |
| 0x20 (1607 to 1709); 0x28 (1803 to 1809); 0x44 |
0x40 (1607 to 1709); 0x48 |
ULONG_PTR WorkingSetSizeOverhead; |
1607 only | previously at 0x50 and 0xA0 in MMSUPPORT |
LONG GoodCitizenWaiting; |
1703 to 1709 (x86) | next at 0x04 | ||
ULONGLONG Reserved0; |
1703 to 1709 (x64) | |||
PVOID ShadowMapping; |
1803 and higher |
Not annotated in the definitions above is that WorkingSetCoreLock has 0x40-byte alignment at its new position for the 1903 release.