Windows working set structure

The working set is a very important concept in memory management. Windows divides working sets into process working sets and the kernel working set, used to track the physical memory usage of each process and of the kernel, respectively. Operations on working set pages in the Windows kernel fall into two categories: the page trimming algorithm of the working set manager (system level) and the page replacement algorithm of the process. The former periodically scans the system's memory usage and trims the pages of some processes; for example, it selects a process with a low priority and applies the Least Recently Used (LRU) algorithm to choose the pages to remove. The latter operates inside a process: once the pages requested by the process exceed a certain peak value, the working set size no longer increases, and existing pages are replaced according to a certain policy.
This article analyzes working set page replacement in Windows memory management, using Windows 2003 as the experiment platform together with the kernel source code and the debugging tool WinDbg. It analyzes the peak value of the process working set and the page replacement algorithm, writes an application that verifies the peak value and the replacement algorithm, modifies the replacement algorithm appropriately, and observes the effect of the new algorithm in the application.
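The two paths described above (process-level replacement at the cap, system-level LRU trimming of a low-priority process) can be seen side by side in a small user-space model. This is an added example, not code from the Windows kernel or from the original article; the names `ws_t`, `ws_touch`, `ws_trim`, the cap `WS_MAX` and the round-robin replacement cursor are all assumptions, since the text only says "a certain policy".

```c
#include <stdio.h>
#define WS_MAX 4  /* assumed per-process working set cap, in pages */
/* Simplified model; hypothetical names, not the kernel's MMSUPPORT/MMWSL. */
typedef struct {
    int priority;               /* lower value = lower priority */
    int size;                   /* pages currently in the working set */
    int next_slot;              /* cursor for the assumed round-robin replacement */
    unsigned page[WS_MAX];      /* virtual page numbers held */
    unsigned last_use[WS_MAX];  /* tick of last access, used by LRU trimming */
} ws_t;
static unsigned tick;           /* logical clock shared by all processes */

/* Process-level path: touch a page. Returns the replaced page, or -1 if none. */
long ws_touch(ws_t *ws, unsigned vpn) {
    long evicted = -1;
    int i;
    for (i = 0; i < ws->size; i++)
        if (ws->page[i] == vpn) { ws->last_use[i] = ++tick; return -1; }
    if (ws->size < WS_MAX) i = ws->size++;  /* below the cap: the set grows */
    else {                                  /* at the cap: replace, do not grow */
        i = ws->next_slot;
        ws->next_slot = (i + 1) % WS_MAX;
        evicted = ws->page[i];
    }
    ws->page[i] = vpn;
    ws->last_use[i] = ++tick;
    return evicted;
}

/* System-level path: trim the LRU page of the lowest-priority process. */
long ws_trim(ws_t *procs, int n) {
    ws_t *v = NULL;
    int i, lru = 0;
    for (i = 0; i < n; i++)
        if (procs[i].size > 0 && (!v || procs[i].priority < v->priority))
            v = &procs[i];
    if (!v) return -1;                      /* nothing left to trim */
    for (i = 1; i < v->size; i++)
        if (v->last_use[i] < v->last_use[lru]) lru = i;
    long vpn = v->page[lru];
    v->page[lru] = v->page[--v->size];      /* compact the list */
    v->last_use[lru] = v->last_use[v->size];
    return vpn;
}

int main(void) {  /* constructed demo: six touches against a cap of four */
    ws_t p = { .priority = 1 };
    for (unsigned v = 10; v < 16; v++) printf("%u replaces %ld\n", v, ws_touch(&p, v));
    return 0;
}
```

The trimmer uses access recency, while the assumed in-process cursor does not, so a page that was just touched can still be replaced once the cap is reached.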
Data Structure Related to Working Set
EPROCESS is the structure that describes a process, and the structures related to the working set can be reached from it. The main ones are MMSUPPORT, MMWSL, MMWSLE, MMWSLENTRY, MMPTE, and PMMWSLE_HASH. Their relationships are shown in Figure 1. Understanding how the working set structures relate to one another is a great help in kernel debugging, algorithm modification, and adding kernel system calls.