MI_VISIBLE_STATE

The MI_VISIBLE_STATE structure is known only as the type of the Vs member of the MI_SYSTEM_INFORMATION, which is in turn the type of the internal kernel variable MiState in Windows 10.

As a collection of what earlier versions had as separately named internal variables, the MI_VISIBLE_STATE is highly susceptible to changing between builds.

Version Size (x86) Size (x64)
10.0 to 1511 0x0840 0x0640
1607 0x0880 0x0840
1703 0x0880 0x0900
1709 0x08C0 0x0900
1803 0x0A80 0x0C40

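These sizes and the names and types in the table below are from type information in the public symbol files for the kernel. Because the offsets shift from build to build, debugger scripts and memory-forensics tools that read these members should resolve them from the symbol file that matches the kernel build under examination rather than hard-code them.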

Offset (x86) Offset (x64) Definition Versions
0x00 0x00
MI_SPECIAL_POOL SpecialPool;
10.0 and higher
0x48 (10.0 to 1607);
0x40
0x50 (10.0 to 1607);
0x40
LIST_ENTRY SessionWsList;
10.0 and higher
0x50 (10.0 to 1607);
0x48
0x60 (10.0 to 1607);
0x50
RTL_BITMAP *SessionIdBitmap;
10.0 and higher
0x54 (10.0 to 1607);
0x4C
0x68 (10.0 to 1607);
0x58
MM_PAGED_POOL_INFO PagedPoolInfo;
10.0 and higher
0x70 (10.0 to 1607);
0x68
0xA0 (10.0 to 1607);
0x90
ULONG_PTR MaximumNonPagedPoolInPages;
10.0 and higher
0x74 (10.0 to 1607);
0x6C
0xA8 (10.0 to 1607);
0x98
ULONG_PTR SizeOfPagedPoolInPages;
10.0 and higher
0x78 (10.0 to 1607);
0x70
0xB0 (10.0 to 1607);
0xA0
MI_SYSTEM_PTE_TYPE SystemPteInfo;
10.0 and higher
0xAC (10.0 to 1511);
0xB0 (1607);
0xA8 (1703 to 1709);
0xA4
0x0110 (10.0 to 1511);
0x0118 (1607);
0x0108 (1703 to 1709);
0x0100
ULONG_PTR volatile NonPagedPoolCommit;
10.0 and higher
0xAC (1607 to 1709);
0xA8
0x0110 (1607 to 1709);
0x0108
ULONG_PTR volatile SmallNonPagedPtesCommit;
1607 and higher
0xB0 (10.0 to 1511);
0xB4 (1607);
0xB0 (1703 to 1709);
0xAC
0x0118 (10.0 to 1511);
0x0120 (1607);
0x0118 (1703 to 1709);
0x0110
ULONG_PTR volatile BootCommit;
10.0 and higher
0xB4 (10.0 to 1511);
0xB8 (1607);
0xB4 (1703 to 1709);
0xB0
0x0120 (10.0 to 1511);
0x0128 (1607);
0x0120 (1703 to 1709);
0x0118
ULONG_PTR volatile MdlPagesAllocated;
10.0 and higher
0xB8 (10.0 to 1511);
0xBC (1607);
0xB8 (1703 to 1709);
0xB4
0x0128 (10.0 to 1511);
0x0130 (1607);
0x0128 (1703 to 1709);
0x0120
ULONG_PTR volatile SystemPageTableCommit;
10.0 and higher
0xBC (10.0 to 1511);
0xC0 (1607);
0xBC (1703 to 1709);
0xB8
0x0130 (10.0 to 1511);
0x0138 (1607);
0x0130 (1703 to 1709);
0x0128
ULONG_PTR volatile SpecialPagesInUse;
10.0 and higher
0xC0 (10.0 to 1511);
0xC4 (1607)
0x0138 (10.0 to 1511);
0x0140 (1607)
ULONG_PTR volatile WsOverheadPages;
10.0 to 1607
0xC4 (10.0 to 1511);
0xC8 (1607)
0x0140 (10.0 to 1511);
0x0148 (1607)
ULONG_PTR volatile VadBitmapPages;
10.0 to 1607
0xC8 (10.0 to 1511);
0xCC (1607);
0xC0 (1703 to 1709);
0xBC
0x0148 (10.0 to 1511);
0x0150 (1607);
0x0138 (1703 to 1709);
0x0130
ULONG_PTR volatile ProcessCommit;
10.0 and higher
0xCC (10.0 to 1511);
0xD0 (1607)
0x0150 (10.0 to 1511);
0x0158 (1607)
ULONG_PTR volatile SharedCommit;
10.0 to 1607
0xD0 (10.0 to 1511);
0xD4 (1607);
0xC4 (1703 to 1709);
0xC0
0x0158 (10.0 to 1511);
0x0160 (1607);
0x0140 (1703 to 1709);
0x0138
LONG volatile DriverCommit;
10.0 and higher
0xC8 (1703 to 1709);
0xC4
0x0148 (1607 to 1709);
0x0140
ULONG_PTR PfnDatabaseCommit;
1607 and higher
0x0100 0x0180
MMSUPPORT SystemWs [3];
10.0 to 1511
MMSUPPORT_FULL SystemWs [3];
1607 to 1709
MMSUPPORT_FULL SystemWs [6];
1803 and higher
0x02C0 (1607 to 1709);
0x0480
0x04C0 (1607 to 1709);
0x0800
MMSUPPORT_SHARED SystemCacheShared;
1607 and higher
  0x0540 (1607 to 1709);
0x0880
MMSUPPORT_AGGREGATION AggregateSystemWs [1];
1607 and higher
  0x0560 (1607)
MMWSL_SHARED SystemCacheSharedWorkingSetList;
1607 only
0x0280 (10.0 to 1511);
0x02E4 (1607 to 1709);
0x04AC
0x0468 (10.0 to 1511);
0x05C0 (1607);
0x0560 (1703 to 1709);
0x08A0
ULONG MapCacheFailures;
10.0 and higher
0x0284 (10.0) 0x046C (10.0)
ULONG LastUnloadedDriver;
10.0 only
0x0288 (10.0) 0x0470 (10.0)
UNLOADED_DRIVERS *UnloadedDrivers;
10.0 only
0x028C (10.0);
0x0284 (1511);
0x02E8 (1607 to 1709);
0x04B0
0x0478 (10.0);
0x0470 (1511);
0x05C8 (1607);
0x0568 (1703 to 1709);
0x08A8
ULONG_PTR PagefileHashPages;
10.0 and higher
0x0290 (10.0);
0x0288 (1511);
0x02EC (1607 to 1709);
0x04B4
0x0480 (10.0);
0x0478 (1511);
0x05D0 (1607);
0x0570 (1703 to 1709);
0x08B0
SYSPTES_HEADER PteHeader;
10.0 and higher
0x031C (10.0);
0x0314 (1511);
0x0378 (1607 to 1709);
0x0540
0x0598 (10.0);
0x0590 (1511);
0x06E8 (1607);
0x0688 (1703 to 1709);
0x09C8
MI_SPECIAL_POOL *SessionSpecialPool;
10.0 and higher
0x0320 (10.0);
0x0318 (1511);
0x037C (1607 to 1709);
0x0544
0x05A0 (10.0);
0x0598 (1511);
0x06F0 (1607);
0x0690 (1703 to 1709);
0x09D0
ULONG_PTR SystemVaTypeCount [MiVaMaximumType];
10.0 and higher
0x035C (10.0);
0x0354 (1511);
0x03B8 (1607 to 1703);
0x03C0 (1709);
0x0584
0x0700 (1703);
0x0710 (1709);
0x0A50
UCHAR SystemVaType [0x0400];
10.0 and higher (x86)
UCHAR SystemVaType [0x0100];
1703 and higher (x64)
0x075C (10.0);
0x0754 (1511);
0x07B8 (1607 to 1703);
0x07C0 (1709);
0x0984
 
ULONG SystemVaTypeCountFailures [MiVaMaximumType];
10.0 and higher
0x0798 (10.0);
0x0790 (1511);
0x07F4 (1607 to 1703);
0x0804 (1709);
0x09C4
 
ULONG SystemVaTypeCountLimit [MiVaMaximumType];
10.0 and higher
0x07D4 (10.0);
0x07CC (1511);
0x0830 (1607 to 1703);
0x0848 (1709);
0x0A04
 
ULONG SystemVaTypeCountPeak [MiVaMaximumType];
10.0 and higher
0x0810 (10.0);
0x0808 (1511);
0x086C (1607 to 1703);
0x088C (1709);
0x0A44
 
ULONG SystemAvailableVa;
10.0 and higher
  0x0760 (1607);
0x0800 (1703);
0x0810 (1709);
0x0B50
MI_SYSTEM_VA_ASSIGNMENT SystemVaRegions [AssignedRegionMaximum];
1607 and higher

The SystemVaTypeCount member was originally the internal variable MiSystemVaTypeCount, dating from Windows Vista. The several similar arrays of counters in the 32-bit builds likewise correspond to internal variables that date from Windows Vista SP1. All are indexed by the MI_SYSTEM_VA_TYPE enumeration. Note that the number of elements (MiVaMaximumType in the definitions above) varies with the build.

The MI_SYSTEM_VA_TYPE enumeration also figures in the SystemVaType member. This too, in the 32-bit builds, dates from Windows Vista as an internal variable. Each of its elements holds a value from the enumeration. Given a virtual address in system space, this array provides for ready reckoning of the address’s type. The index for the lookup is in 2MB units from the start of system space, 2MB being the amount of virtual address space that’s mapped through one page directory entry (given the use of PAE). The array’s 0x0400 elements thus cover 2GB, allowing system space to start as low as 0x80000000.

The SystemAvailableVa member also dates from Windows Vista. It tracks how many bytes of system address space are not yet assigned, but only for 32-bit Windows. In 64-bit Windows, perhaps just for the convenience that comes from having much more address space to work with, different types of addresses in system address space are assigned to different regions whose bases and sizes are hard-coded. This predictability was scrapped for the 1607 release of Windows 10, apparently in a continuing programme of strengthening kernel-mode Address Space Layout Randomisation. A new classification of address-space regions is modelled by the MI_ASSIGNED_REGION_TYPES enumeration, which indexes the new SystemVaRegions array. Again, the number of elements varies with the build. The values give the dynamically assigned base addresses and sizes of these regions of system space. Because the regions are no longer at fixed addresses, finding an address’s MI_SYSTEM_VA_TYPE is no longer a matter of comparing against hard-coded ranges. The 1703 release eases this by introducing the SystemVaType member to 64-bit Windows. The index for the lookup is in units of 512GB from the start of system space at 0xFFFF8000`00000000, 512GB being the amount of virtual address space that’s mapped through one PML4 entry, so that the array’s 0x0100 elements cover the whole 128TB of system space.