Join Log in
Score:0
avatar Server

How can I interpet the virtual memory values in PSLIST -m?

in flag
tim11g

I'm trying to use the sysinternals pslist64 (latest version v1.4) to diagnose memory issues. In a Windows 10 system, pslist64 -m provides this data (subset of the first 25 lines of output):

Name                Pid      VM      WS    Priv Priv Pk   Faults   NonP Page
Idle                  0       8       8      60      60        9      0    0
System                4  302132  197472     776     912  2563343      0    0
Registry            148  163316   56004    8980  195936   176551     24  323
smss                580 2151718540    1036    1072    1136     1340      3   12
csrss               916 2151774964    5396    1988    2216     7733     29  297
wininit            1020 2151746364    6288    1408    1948     2554     11   74
csrss               104 2151824756    5884    4328    4996  1859083     39  323
services            920 2151769324   16628    9040   15344   218823     15  213
lsass              1040 2151808560   31496   14932   16264    61249     37  224
svchost            1156 2151833136   36628   16904   19976   122177     29  702
fontdrvhost        1188 2151763536    6820    5468    5468     3148      8   63
WUDFHost           1236 2151821936   10444    8452    8704     4454     16  182
svchost            1296 2151784348   22436   14960   15416    97254     20  217
svchost            1344 2151763788   13616    6732    7120     7113     12  127
winlogon           1404 2151782260   14732    6164    7208    25359     12  144
fontdrvhost        1468 2151877724   18512   10668   11944    27406     12  274
svchost            1572 2151781208   11796    6100    6720     8654     12  103
svchost            1592 2151809396   14924    8544    8968    23063     21  148
svchost            1624 2151760240   10868    5264    5484     5696     13   83
svchost            1632 2151756972   10628    9572   10108    10702     35   67
svchost            1648 2151759324   10492    5260    5668     4079     14   83
svchost            1668 2151762416   13756    5092    5320     5076     10   88
svchost            1676 2151772828   15172    6676    6904     6220     24  108
svchost            1892 2151761008   10732    5960    6948     6881     11   89
svchost            1900 2151768044   13112    6292    7156     7409     16  106

The VM value seems strange. The values are displayed in KB, per the -h help. Many of the values seem to be of the form 2^31 + X where X is a value that could be considered a "reasonable value" of a few GB. If I add up the VM column numbers as shown, for all the instances of svchost and other processes. the total is over 380 TB.

My hypothesis is that memory values are represented as 32 bit, and there is a high bit "tag" of 0x80000000 on some values, which is not accounted for in the pslist -m display of the VM column which formats as an unsigned int. Can anyone provide further details or interpretations? I did not find any more information on Microsoft PSLIST docs or the sysinternals blog.

Edit - I confirmed the same behavior on other Windows 10 systems. I also tested on an older Windows Server 2008r2, and it does not exhibit the display issue with VM values:

Name                Pid      VM      WS    Priv Priv Pk   Faults   NonP Page
Idle                  0       0      24       0       0        1      0    0
System                4    3340     304     124    9508   186576      0    0
smss                240    3984     316     452     548      678      1   10
csrss               432   55392    1680    3216    3944   916722     16  162
wininit             504   45364     520    1476    1784     1358      9   88
csrss               524  146700   13528   25196   25384  7364214     22  314
services            572   44032    5576    6296    9416   599010     13   69
lsass               580   57124    9768    8568   10308   166219     29  112
lsm                 588   31284    2828    3348    3596   226338     10   55
winlogon            688   27304     392    1776    2008     1899      7   45
svchost             744   47692    4604    4836    5184  1256663     13   89
svchost             820   37980    5188    5436    5656  2221819     16   92
svchost             972 1337980   39400  645160  645164  3386113    155 1455
svchost             376  546332   48508   54132  901184 190381045    159  372
svchost              12  107232   12088   12564   14108   422579     39  172
svchost             644   73208    6572    6668    6792  4528076     19  131
svchost             760  162264   11360   16848   18304  1859017     38  161
svchost            1092   55856    7020   12540   13548  5757388     32   89

Edit 2 - I checked on a Windows 11 system. It does not have the same results as either of the preceding examples. The values are closer to Windows 10, but the VM values for svchost are all 4194303.

49
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.