that the kernel memory is always available, regardless of which process is
currently running. The upper 2 GB are, of course, protected from any
user-mode access.
One side effect of this design is that applications only have a 31-bit address
space—the most significant bit is always clear in every address. This provides
a tiny reversing hint: A 32-bit number whose first hexadecimal digit is 8 or
above is not a valid user-mode pointer.
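The bit-31 hint above, applied to a raw dump, as an added example that is not code from the book. It assumes the default 2 GB/2 GB split and little-endian x86 data; the names classify_dword, triage_dump and LOW_GUARD are hypothetical, and the 64 KB lower bound is an assumption this text does not state.

```c
#include <stdint.h>
#include <stdio.h>

/* Default 32-bit split from the text: upper 2 GB (bit 31 set) is kernel. */
#define KERNEL_BASE 0x80000000u
#define LOW_GUARD   0x00010000u  /* assumption: below 64 KB = plain integer */

typedef enum { VAL_SMALL_INT, VAL_USER_CANDIDATE, VAL_NOT_USER_PTR } val_class;

val_class classify_dword(uint32_t v)
{
    if (v & KERNEL_BASE)          /* first hex digit is 8..F */
        return VAL_NOT_USER_PTR;
    if (v < LOW_GUARD)
        return VAL_SMALL_INT;
    return VAL_USER_CANDIDATE;    /* in range only; may still be unmapped */
}

/* Read a little-endian dword without assuming buffer alignment. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Tally classes over a dump; counts[] is indexed by val_class. */
size_t triage_dump(const uint8_t *buf, size_t len, size_t counts[3])
{
    size_t n = len / 4;           /* trailing bytes are ignored */
    counts[0] = counts[1] = counts[2] = 0;
    for (size_t i = 0; i < n; i++)
        counts[classify_dword(read_le32(buf + 4 * i))]++;
    return n;
}

/* Constructed sample: six dwords as a stack snapshot might hold them. */
static const uint8_t sample_dump[] = {
    0x00, 0x10, 0x40, 0x00,  0x05, 0x00, 0x00, 0x00, /* 0x00401000, 5 */
    0xF0, 0xFF, 0x12, 0x00,  0x00, 0x00, 0x00, 0x80, /* 0x0012FFF0, 0x80000000 */
    0xFF, 0xFF, 0xFF, 0xFF,  0x34, 0x12, 0xDD, 0x77, /* 0xFFFFFFFF, 0x77DD1234 */
};

int main(void)
{
    size_t c[3], n = triage_dump(sample_dump, sizeof sample_dump, c);
    printf("%zu dwords: %zu small, %zu user-range, %zu not user pointers\n", n, c[0], c[1], c[2]);
    return 0;
}
```

A value in the user range is only a pointer candidate; the test rules values out, it does not confirm that an address is mapped.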
The Kernel Memory Space
So what goes on inside those 2 GB reserved for the kernel? Those 2 GB are
divided between the various kernel components. Primarily, the kernel space
contains all of the system’s kernel code, including the kernel itself and any
other kernel components in the system such as device drivers and the like.
Most of the 2 GB are divided among several significant system components.
The division is generally static, but there are several registry keys that can
somewhat affect the size of some of these areas. Figure 3.1 shows a typical
layout of the Windows kernel address space. Keep in mind that most of the
components have a dynamic size that can be determined at runtime based on
the available physical memory and on several user-configurable registry keys.
Paged and Nonpaged Pools: The paged pool and nonpaged pool are
essentially kernel-mode heaps that are used by all the kernel components.
Because they are stored in kernel memory, the pools are inherently
available in all address spaces, but are only accessible from kernel-mode
code. The paged pool is a (fairly large) heap that is made up of
conventional paged memory. The paged pool is the default allocation
heap for most kernel components. The nonpaged pool is a heap that is
made up of nonpageable memory. Nonpageable memory means that the
data can never be flushed to the hard drive and is always kept in physical
memory. This is beneficial because significant areas of the system are
not allowed to use pageable memory.
System Cache: The system cache space is where the Windows cache manager
maps all currently cached files. Caching is implemented in Windows
by mapping files into memory and allowing the memory manager
to manage the amount of physical memory allocated to each mapped
file. When a program opens a file, a section object (see below) is created
for it, and it is mapped into the system cache area. When the program
later accesses the file using the ReadFile or WriteFile APIs, the file
system internally accesses the mapped copy of the file using cache manager
APIs such as CcCopyRead and CcCopyWrite.
Windows Fundamentals 75