Phân tích cấu trúc các bộ nhớ sử dụng Ứng dụng trên Windows Server 2008 R2

VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process’s committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering, refresh and snapshot comparison capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

Before reporting a bug, please make sure that you can reproduce the bug on the latest version of VMMap posted at Sysinternals. To report a bug, email

VMMap works on Windows XP and higher, including x64 64-bit versions of Windows.

Memory Types

VMMap categorizes memory into one of several types:


The memory represents an executable file such as a .exe or .dll and has been loaded into a process by the image loader. It does not include images mapped as data files, which would be included in the Mapped File memory type. Image mappings can include shareable memory like code. When data regions, like initialized data, is modified, additional private memory is created in the process. The Details column shows the file’s path.


Private memory is memory allocated by VirtualAlloc and not suballocated either by the Heap Manager or the .NET run time. It cannot be shared with other processes, is charged against the system commit limit, and typically contains application data.


Shareable memory is memory that can be shared with other processes, is backed by the paging file (if present), is charged against the system commit limit and typically contains data shared between DLLs in different processes or inter-process communication messages. The Windows APIs refer to this type of memory as pagefile-backed sections.

Mapped File

The memory is shareable and represents a file on disk. The Details column shows the file’s path. Mapped files typically contain application data.


Heaps represent private memory managed by the user-mode heap manager and, like the Private memory type, is charged against the system commit limit and contains application data. Application memory allocations using the C runtime malloc library, HeapAlloc and LocalAlloc, use Heap memory.

Managed Heap

Managed heap represents private memory that’s allocated and used by the .NET garbage collector and, like the Private memory type, is charged against the system commit limit and contains application data.


Stacks are private memory used to store function parameters, local function variables and function invocation records for individual threads. Stacks are charged agains the commit limit and typically grow on demand.


System memory is private kernel-mode physical memory associated with the process. The vast majority of System memory consists of the process page tables.


Free memory regions are spaces in the process address space that are not allocated.

Note: The VirtualProtect API can change the protections of any page to something different than that implied by the original allocation’s memory type. That means that there can potentially be pages of memory private to the process in a shareable memory region, for instance, because the region was created as a pagefile-backed section, but then the application changed the protection on some pages to copy-on-write and modified them. The protection shown for a region isn’t necessarily the protection it had since it’s creation.

The VMMap Window

When you run VMMap, it will present a process selection dialog. After you select a process it analyzes the process and presents the graphs:

  • Commit Summary Graph This graph shows the committed (memory that represents data or code) memory usage of the process by type. The graph’s scale is the total committed virtual memory usage of the process.

  • Private Summary Graph This graph shows the committed private virtual memory. This memory is backed by the paging file and charged against the system commit limit. It corresponds to the PrivateBytes performance counter.

  • Working Set Summary Graph This graph shows the working set usage of the process by memory type. Working set represents the amount of commited virtual memory that’s in physical memory and owned by the process. The graph’s scale is the total committed virtual memory.

The color key for the regions in the graphs is presented in the Summary View. Below the graphs VMMap shows two windows:

  • Summary View This shows a summary of the virtual and physical usage of the process by type.

  • Details View This shows the memory regions of the process address space.

For each region, VMMap displays the memory type, memory protection, and virtual and physical memory usage. Selecting a type in the Summary View filters the Details View to just show regions of the selected type. Select Total to show all memory types in the Details View. In order to reduce noise in the output, VMMap does not show entries that have a value of 0.

Both windows include the following columns of information:


Total size of the allocated type or region. For the Summary View and regions in the Details View that do not have reserved areas, this is equal to the maximum amount of physical memory required to store the region’s data.


The amount of the allocation backed by system virtual memory (RAM and paging files) and charged against the system commit limit.


The amount of the allocation that, if modified, is private to the process (copy-on-write pages that have not been modified are included). This represents the charge to the system commit limit (sum of RAM plus the paging files) of the region.

Total WS

The amount of physical memory assigned to the type or region.

Private WS

The amount of physical memory assigned to the type or region that cannot be shared with other processes.

Shareable WS

The amount of physical memory assigned to the type or region that can be shared with other processes.

Shared WS

The amount of Shareable WS that is currently shared with other processes.

Locked WS

The amount of the working set that is locked into physical memory. This corresponds to memory locked via the VirtualAlloc API as well as Address Windowing Extensions (AWE) memory views. Note that working set figures returned by some other diagnostic tools does not include AWE memory.

The largest block of the particular size.

Note: Because of limitations in the APIs provided by the operating system, on 64-bit Windows XP or 64-bit Windows Server 2003, Vmmap does not show the regions corresponding to 32-bit thread stacks when analyzing 32-bit processes.


In some cases, the purpose of a memory region can be revealed by the string data stored within it. To view printable strings (ASCII or UNICODE strings of three or more characters in length), select a region and then the Strings menu item from the Edit menu.


You can have VMMap automatically take snapshots and capture a trace of several memory-related operations by opening the process selection dialog, switching to the Launch and Trace a New Program page, and entering the executable’s path and command-line options. VMMap will generate snapshots at the interval configured in the Trace Snapshot Interval menu of the Options menu.

In addition, it will use Detours DLL injection library to instrument the heap and virtual allocation functions executed by the process. You can view the history of all recorded operations by opening the Trace history dialog using the Trace button on the main window. To view operations related to a particular heap region, select the heap block in the details pane and then click the Heap Allocations button. The Calltree button will show the call stacks of all places in the process from which the recorded memory allocations were made. Just like for manual snapshots, you can open the Timeline window to see the history of the process’s execution, select particular snapshots for viewing, or select two snapshots to see the differences.

Command Line Options

VMMap supports the following command-line options:

usage: vmmap [-64] [-p <pid or process name> [outputfile]] [-o inputfile]


Use the 64-bit version to analyze a 32-bit process instead of the 32-bit version.


Process ID or process name. If you specify a name, VMMap will match it against the first process that has a name that begins with the specified text.

output file

If you specify an output file, VMMap will scan the target process and then terminate. If you don’t include an extension, VMMap will add .mmp and save in its native format. Add a .csv extension to save as CSV format; any other extension will save as .txt.


Has VMMap open the specified .mmp file on startup.

Tham khảo:

Download: Download VMMap

About thangletoan

Hallo Aloha

Posted on 03/08/2012, in Bảo mật, Công nghệ, Công nghệ và Giáo dục, Chính sách CNTT, Live@edu, Microsoft, Test Hardware and tagged , . Bookmark the permalink. Để lại bình luận.

Gửi phản hồi

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập: Logo

Bạn đang bình luận bằng tài khoản Log Out / Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Log Out / Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Log Out / Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Log Out / Thay đổi )

Connecting to %s

%d bloggers like this: