I'm confused. I'm reading the description of the "Complete Memory Dump" and it says that unmapped physical pages are not included, but it doesn't say anything about physical pages allocated for user-mode processes.
Are those included or not?
A complete memory dump includes all pages in memory, including those for user-mode processes. That can be useful, although of course the resulting dump is quite large.
Thanks. I wonder why then, at times, I do not see the user-mode portion of the call stack even if it's a complete memory dump?
PE headers required for stack walk might be paged out. Or the stack itself might be paged out.
That's a good point @Scott_Noone_OSR, thanks. Just from curiosity though, why would "PE headers" be involved in the stack walk?
The debugger uses the Unwind Data in the PE header for stack walking:
x64 exception handling | Microsoft Learn
For amusement you can dump the content in the debugger with .fnent:
0: kd> .fnent nt!MiZeroPage
Debugger function entry 00000184`47032760 for:
(fffff801`36e8d060) nt!MiZeroPage | (fffff801`36e8d8f0) nt!MiZeroEngineMemory
Exact matches:
nt!MiZeroPage (void)
BeginAddress = 00000000`00275060
EndAddress = 00000000`002758e4
UnwindInfoAddress = 00000000`000645e8
Unwind info at fffff801`36c7c5e8, 28 bytes
version 2, flags 3, prolog 2c, codes d
handler routine: nt!_GSHandlerCheck_SEH (fffff801`37029a40), data 1
00: offs a, unwind op 6, op info 0 UWOP_EPILOG Length: a. Flags: 0
01: offs 31, unwind op 6, op info 3 UWOP_EPILOG Offset from end: 331 (FFFFF80136E8D5B3)
02: offs 1a, unwind op 4, op info 6 UWOP_SAVE_NONVOL FrameOffset: 238 reg: rsi.
04: offs 1a, unwind op 4, op info 3 UWOP_SAVE_NONVOL FrameOffset: 230 reg: rbx.
06: offs 1a, unwind op 1, op info 0 UWOP_ALLOC_LARGE FrameOffset: 1f0.
08: offs 13, unwind op 0, op info f UWOP_PUSH_NONVOL reg: r15.
09: offs 11, unwind op 0, op info e UWOP_PUSH_NONVOL reg: r14.
0a: offs f, unwind op 0, op info d UWOP_PUSH_NONVOL reg: r13.
0b: offs d, unwind op 0, op info c UWOP_PUSH_NONVOL reg: r12.
0c: offs b, unwind op 0, op info 7 UWOP_PUSH_NONVOL reg: rdi.