Does Windows zero out the memory pool after a driver frees it?

jshen28

8/19/24, 6:45 AM

I am researching the possibility of overcommitting memory on a host where many Windows servers are running. The virtual machines are QEMU/KVM backed and managed by Libvirt. My current observation is that as soon as the Windows Server boots, the QEMU process will occupy the same amount of RSS memory as defined in -m option. On the other hand, a Linux guest does not behave the same way, as it will gradually consume more memory as the virtual machine runs.

One solution to over commit memory is to enable KSM. But the drawback of this solution is it does request some time to do the page iterating and merging. So it still may be allow booting many Windows servers within a short period of time.

Then I am looking at memory balloon. I try to inflate the balloon and then immediately deflates it in the hope that on the host, the RSS will not increase. But obviously it is not the case. I observe that as soon as the balloon deflates, the host RSS memory increases.

I am wondering if the Windows memory management system automatically zeros out memory after ExFreePool or other calls.

563

1 + 5

windows

memory

Luuk

8/19/24, 8:59 AM

Can you share more details about your question after reading: [ExFreePool function](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-exfreepool), which claims "This routine releases memory allocated by ExAllocatePool, ExAllocatePoolWithTag, ExAllocatePoolWithQuota, or ExAllocatePoolWithQuotaTag. The memory block must not be accessed after it is freed."

Luuk

8/19/24, 9:13 AM

"**The memory block must not be accessed after it is freed.**" so, NO Windows will not do that ...

BaronSamedi1958

8/19/24, 6:48 PM

You misunderstood his question. Touching freed memory ptr would trigger a kernel exception obviously.

Nonny Moose

8/19/24, 7:54 PM

Worth noting that Windows does have to zero out the memory before giving it to a userspace process (if it should choose to allocate the memory to a user process, which is not guaranteed to happen).

RiGiD5

8/19/24, 9:30 PM

ExAllocatePool APIs are strictly kernel-mode. Windows is just a subsystem within NT kernel architecture. Kernel APIs and Win32 APIs are from the different planets.

Score:12

Server

BaronSamedi1958

8/19/24, 9:05 AM

I am wondering if windows memory management system automatically zeros out memory after ExFreePool or other calls. Thank you very much in advance for the help.

It does not. It’s super-easy to check actually. Write a simple driver issuing series of ExAllocatePoolXxx calls with random requested pool sizes, fill allocated memory with a known pattern, say GUID and each time incremented global counter. Free memory after RtlFillMemory call. Start checking what you’re getting from ExAllocatePoolXxx by dumping the very beginning of the pool region, and at some point you’ll see your own signatures in what you’re allocating.

+ 1

jshen28

8/20/24, 7:10 AM

thank you very much. l'll try this approach and see the result.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Does Windows zero out the memory pool after a driver frees it?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.