How does this feature in RAMMap work?

The feature of file summary/file details looks really useful.
But its implementation does not rely on a driver, and after some basic debugging, RAMMap just uses the 0x42 and 0x4f classes when it calls NtQuerySystemInformation. But both of these classes do not look like the answer.

Any help would be appreciated.

5771067@qq.com wrote:

The feature of file summary/file details looks really useful.
But its implementation does not rely on a driver, and after some basic debugging, RAMMap just uses the 0x42 and 0x4f classes when it calls NtQuerySystemInformation. But both of these classes do not look like the answer.

Any help would be appreciated.

I’m not sure what you’re asking. 0x42 and 0x4f are both undocumented,
but you’re not much of a hacker if you couldn’t find out anything about
them. 0x42 is SystemBigPoolInformation, and 0x4f is
SystemSuperfetchInformation. The big pool structure is available on the
web. The SuperFetch information isn’t, as far as I can tell.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks, Tim.

Actually, I know what both of these “classes” mean, but they look irrelevant to “summary/file details”.

PS: the feature of summary/file details can retrieve the file cache in the system memory standby list.

5771067@qq.com wrote:

Actually, I know what both of these “classes” mean, but they look irrelevant to “summary/file details”.

PS: the feature of summary/file details can retrieve the file cache in the system memory standby list.

And that’s exactly what Superfetch is.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

But after I looked up the information that Superfetch is able to provide, it does not provide any information related to file paths, so this is really confusing.

Or does all the information come from the “fileinfo” device?