MSDN Documentation

Windows Kernel Internals

Paging in the Windows Kernel

Paging is a fundamental memory management technique used by the Windows kernel to manage the system's physical and virtual memory. It allows the operating system to load processes and their data into memory efficiently, enabling multitasking and the execution of programs larger than the available physical RAM.

Core Concepts

  • Virtual Address Space: Each process is given its own private, contiguous virtual address space. This space is much larger than the physical RAM available on the system.
  • Physical Memory (RAM): The actual hardware memory installed in the computer.
  • Pages: Both virtual and physical memory are divided into fixed-size blocks called pages. A typical page size is 4 KB, but this can vary.
  • Page Table Entries (PTEs): The Memory Manager uses page tables to translate virtual addresses to physical addresses. Each PTE maps a virtual page to a physical page frame.
  • Page Fault: When a process tries to access a virtual page that is not currently present in physical memory, a page fault occurs.

The Paging Process

The paging process involves several key steps managed by the Windows Memory Manager:

1. Page Fault Handling

When a page fault occurs, the CPU interrupts the current process. The operating system's page fault handler takes over:

  1. The handler checks if the virtual address is valid for the process. If not, an access violation (crash) occurs.
  2. If valid, the handler determines the location of the required page. This could be:
    • In the system's paging file (a dedicated disk file for swapping memory).
    • In the original executable file or mapped file.
    • In a shared memory region.
  3. The Memory Manager allocates a free physical page frame.
  4. The contents of the required page are read from its source (paging file, executable, etc.) into the allocated physical page frame.
  5. The corresponding PTE is updated to point to the physical page frame, marking the page as present in memory.
  6. The instruction that caused the page fault is restarted.

2. Paging Out (Swapping)

When physical memory becomes scarce, the Memory Manager must make space by moving less-used pages out of RAM. This process is known as paging out or swapping:

  • The Memory Manager selects a page to be replaced, often using an algorithm like Least Recently Used (LRU).
  • If the page has been modified (is "dirty"), its contents are written to the paging file.
  • The PTE for that page is updated to indicate that it is no longer in physical memory and where it can be found (e.g., in the paging file). The page frame is then considered free.

Paging File Management

The paging file (pagefile.sys by default) acts as an extension of physical RAM. Its management is crucial for system stability and performance.

  • The size of the paging file can be configured by the user, allowing for dynamic adjustment based on workload.
  • The system maintains a list of pages that reside in the paging file, facilitating quick retrieval when needed.

Performance Considerations

Excessive paging (frequent reading from and writing to the paging file) can significantly degrade system performance, leading to what is commonly known as "thrashing." Optimizing memory usage and managing the paging file size appropriately are key to maintaining good performance.

Note: Understanding paging is essential for advanced system administration, performance tuning, and debugging of memory-related issues in Windows applications and drivers.

Key Structures and Objects

  • Virtual Memory Manager (VMM): The kernel component responsible for managing virtual memory.
  • Pagefile: The disk file used to store pages not currently in RAM.
  • Working Set: The set of physical page frames currently assigned to a process.

Example Scenario

Imagine a large application that requires more memory than is physically available. When the application accesses a part of its code or data that is not yet in RAM, a page fault occurs. The kernel reads the necessary page from the hard drive (or SSD) into an available physical memory frame, updates the page table, and resumes the application's execution. If memory becomes full, less frequently used pages might be written back to the paging file to make room for newly requested data.


// Simplified representation of a page table entry (PTE)
typedef struct _MMPTE {
    union {
        _MMPTE_VALID_PTE        Valid;
        _MMPTE_TRANSITION_PTE   Transition;
        _MMPTE_PROTOTYPE_PTE    Prototype;
        _MMPTE_SOFTWARE_PTE     Software;
    } u;
} MMPTE;

// Bits within a PTE might indicate:
// - Present bit: Is the page in physical memory?
// - Dirty bit: Has the page been modified since being loaded?
// - Accessed bit: Has the page been accessed recently?
// - Page frame number: If present, the physical address of the page frame.
// - Page file information: If not present, its location in the paging file.