PAE NTOSKRNL selection?

NTDEV
1

I discovered an oddity with the automatic NTOSKRNL selection on my
systems related to PAE (Physical Address Extensions) that I wanted to
understand.

I have multiple systems, all with the same hardware and 1 GB of RAM.
The only difference is that half have a Celeron M and half have a
Pentium M CPU. I’ve noticed that NTKRNLPA (PAE) is loaded on the
Celeron M and NTOSKRNL (non-PAE) is loaded on the Pentium M.

My first reaction was that since they only have 1 GB of RAM, why are any
of them loading the PAE version? I think that can be explained by a
sentence that I found in Windows Internals that said that PAE is
preferred for DEP (Data Execution Prevention) support, though I don’t
see how those relate to each other. What can DEP with PAE do that DEP
without PAE can’t?

My second reaction is how is PAE support determined? From my reading of
it in Windows Internals, the support for it has been around since the
Pentium Pro, so I’d think that all current Intel CPUs would have it (but
seemingly not). I’m doubly-surprised that the lower-end Celeron M has
it but the Pentium M does not. And what is “it” – how would I
determine if a given CPU has “it” or not? I didn’t see anything in CPUZ
or MSINFO32, so which tool might show “it”?

And lastly, beside the DEP thing, what is lost by forcing the Celeron to
use NTOSKRNL with /NOPAE in BOOT.INI? (I also tried forcing /PAE on the
Pentium M, but that didn’t work (it still auto-selected the non-PAE
kernel), so that begs the question, what is the /PAE flag useful for?)

This all comes about because I’m using a special kernel to track down an
issue with Microsoft (thus using /KERNEL=) and I only want to use one
BOOT.INI for all systems, but I couldn’t figure out a way to BOTH select
a special /KERNEL and also select the appropriate PAE-ness. And I
didn’t want to replace the default NTOSKRNL/NTKRNLPA files since I want
easy back-out.

Thanks in advance for clearing up my confusion / wondering!

2

I can’t help with most of this but I can get you started.

First of all, PAE is required to support the XD(“execute disable” - intel)/NX(“non-executable” - AMD) bit, which is used to flag virtual memory pages as non-executable, and which is the basis of DEP. According to the intel manual vol 3b page 3-47: “Bit 63 is the execute-disable bit if the execute-disable bit feature is supported in the processor. If the feature is not supported, bit 63 is reserved. The functionality of the execute disable bit is described in Section 4.11, ?Page-Level Protection?. It requires both PAE and enhanced paging data structures. Note that the execute disable bit can provide page protection in 32-bit PAE mode and IA-32e mode” So that’s sort of interesting to me because it means even if Windows maybe tells you that it’s in DEP opt-in mode, if it’s not booting from the PAE kernel, it’s not using hardware DEP (XD/NX) only possibly “software DEP” (which has absolutely nothing to do with making pages non-executable, only protecting against SEH overwrites, which makes it much less useful than hardware DEP).

Also, as to how you can determine whether a given processor supports PAE, I think the most reliable way is to use the x86 CPUID instruction. I found this site which has some code which might help you with that.
http://osdev.berlios.de/cpuid.html
Also, when I was looking through the intel manual I noticed CPUID can tell you if XD is supported as well

That said, I think I saw somewhere that said the Pentium M does support PAE, and thus I can’t really tell you how windows choses its kernel.

Jack

3

Jack’s right: You need to enable PAE to use NX/XD/DEP (all terms for the same thing).

Whether an Intel CPU supports the XD bit is processor specific. From some quick checking, it appears that Banias-generation Pentium M CPUs don’t support XD, but Dothan-generation Pentium M CPUs do.

If you simply want to know if a given computer supports NX/XD/DEP, you can do this from Windows as described here: http://support.microsoft.com/kb/912923 – I don’t know of a way to check this programatically… but that doesn’t mean there isn’t one.

Hope that’s somewhat helpful,

Peter
OSR

4

> From my reading of it in Windows Internals,

What you should read on the topic is not “Windows Internals” but Intel Developer’s Manual, particularly, Volume 3. At this point you will know page table layouts in PAE and non-PAE modes, as well as that taking advantage of hardware support for DEP requires running CPU in PAE mode; you will know how to dynamically discover what set features a given CPU model supports; and many other exciting things. At this point you can proceed to “Windows Internals” and MSFT docs, and look at the whole thing from the OS’s perspective - otherwise, you have rather slim chance of understanding what “Windows Internals” and MSFT docs say…

Anton Bassov

5

wrote in message news:xxxxx@ntdev…
> If you simply want to know if a given computer supports NX/XD/DEP, you can
> do this from Windows as described here:
> http://support.microsoft.com/kb/912923 – I don’t know of a way to check
> this programatically… but that doesn’t mean there isn’t one.
>

This requires reading the model specific registers (RDMSR instruction) which
must be executed in kernel mode. First you need a CPUID instruction to see
if RDMSR is supported.

//Daniel

6

Thanks to all for the detail on PAE; I’m less confused now about why I’m
getting different behavior.

There was a nice line in the Wikipedia article on PAE that explained the
surprising difference that I saw on my Pentium M:
“PAE is provided by Intel Pentium Pro and above CPUs (including all
later Pentium-series processors except the 400 MHz bus versions of the
Pentium M)…”

How odd that they’d skip a feature that’s in every CPU in the last 10 years
on just that one series.

7

“Taed Wynnell” wrote in message news:xxxxx@ntdev…
> Thanks to all for the detail on PAE; I’m less confused now about why I’m
> getting different behavior.
>
> There was a nice line in the Wikipedia article on PAE that explained the
> surprising difference that I saw on my Pentium M:
> “PAE is provided by Intel Pentium Pro and above CPUs (including all
> later Pentium-series processors except the 400 MHz bus versions of the
> Pentium M)…”
>
> How odd that they’d skip a feature that’s in every CPU in the last 10
> years
> on just that one series.

Some features may be disabled in BIOS -
look at the BIOS settings or check with the BIOS vendor.

– pa

8

I would be very surprised to find out that any BIOS SETUP does allow to disable or enable PAE.

Actually how Microsoft chooses to select the PAE kernel or not is not completely documented at all.
Although definitely there are cases when PAE is enabled, there are other that is enabled for no apparent reason.
You can find that it enters PAE in some OS versions and not in others, on the same machine with same configuration and same BOOT configuration.
It may enter PAE mode just for the reason of having 1GB RAM or more, no matter what you set in BOOT.INI.
Even more funny, you can amaze why it keeps PAE enabled/disabled even when you set PAE Forcedisable/ForceEnable under VISTA boot config.

It would be nice to know the true story about when PAE is selected by the MS operating systems and why.

Inaki.

-----Mensaje original-----
De: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] En nombre de Pavel A.
Enviado el: viernes, 27 de marzo de 2009 20:32
Para: Windows System Software Devs Interest List
Asunto: Re:[ntdev] PAE NTOSKRNL selection?

“Taed Wynnell” wrote in message news:xxxxx@ntdev…
> Thanks to all for the detail on PAE; I’m less confused now about why I’m
> getting different behavior.
>
> There was a nice line in the Wikipedia article on PAE that explained the
> surprising difference that I saw on my Pentium M:
> “PAE is provided by Intel Pentium Pro and above CPUs (including all
> later Pentium-series processors except the 400 MHz bus versions of the
> Pentium M)…”
>
> How odd that they’d skip a feature that’s in every CPU in the last 10
> years
> on just that one series.

Some features may be disabled in BIOS -
look at the BIOS settings or check with the BIOS vendor.

– pa


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

9

  • If there’s sufficient physical memory for it to be necessary, or

  • If hardware-based NX (DEP) support is available. The NX page-table bit requires the extended PTE format introduced with PAE.

  • S

-----Original Message-----
From: I?aki Castillo Arteta
Sent: Monday, March 30, 2009 07:50
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] PAE NTOSKRNL selection?

I would be very surprised to find out that any BIOS SETUP does allow to disable or enable PAE.

Actually how Microsoft chooses to select the PAE kernel or not is not completely documented at all.
Although definitely there are cases when PAE is enabled, there are other that is enabled for no apparent reason.
You can find that it enters PAE in some OS versions and not in others, on the same machine with same configuration and same BOOT configuration.
It may enter PAE mode just for the reason of having 1GB RAM or more, no matter what you set in BOOT.INI.
Even more funny, you can amaze why it keeps PAE enabled/disabled even when you set PAE Forcedisable/ForceEnable under VISTA boot config.

It would be nice to know the true story about when PAE is selected by the MS operating systems and why.

Inaki.

-----Mensaje original-----
De: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] En nombre de Pavel A.
Enviado el: viernes, 27 de marzo de 2009 20:32
Para: Windows System Software Devs Interest List
Asunto: Re:[ntdev] PAE NTOSKRNL selection?

“Taed Wynnell” wrote in message news:xxxxx@ntdev…
> Thanks to all for the detail on PAE; I’m less confused now about why I’m
> getting different behavior.
>
> There was a nice line in the Wikipedia article on PAE that explained the
> surprising difference that I saw on my Pentium M:
> “PAE is provided by Intel Pentium Pro and above CPUs (including all
> later Pentium-series processors except the 400 MHz bus versions of the
> Pentium M)…”
>
> How odd that they’d skip a feature that’s in every CPU in the last 10
> years
> on just that one series.

Some features may be disabled in BIOS -
look at the BIOS settings or check with the BIOS vendor.

– pa


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

10

> If hardware-based NX (DEP) support is available. The NX

page-table bit requires the extended PTE format introduced with PAE.

This is the most common reason for PAE getting auto-enabled.
To force Vista to use non-PAE kernel you need to do this:

bcdedit /set nx alwaysoff
bcdedit /set pae forcedisable


Pavel Lebedinsky/Windows Kernel Test
This posting is provided “AS IS” with no warranties, and confers no rights.