The !ptov extension displays the entire physical-to-virtual map for a given process.
Specifies the directory base for the process. To determine the directory base, use the !process command, and look at the value displayed for DirBase.
Windows XP and later
1: kd> .process Implicit process is now 852b4040 1: kd> !process 852b4040 1 PROCESS 852b4040 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00185000 ObjectTable: 83203000 HandleCount: 663. Image: System ...
In this case, the directory base is 0x00185000. Pass this address to !ptov:
1: kd> !ptov 185000 X86PtoV: pagedir 185000, PAE enabled. 15e11000 10000 549e6000 20000 ... 60a000 210000 40b000 211000 ... 54ad3000 25f000 548d3000 260000 ... d71000 77510000 ...
The numbers in the left column are the physical addresses of each memory page that has a mapping for this process. The numbers in the right column are the virtual addresses to which they are mapped.
The total display is very long.
Here is a 64-bit example.
3: kd> .process Implicit process is now fffffa80`0361eb30 3: kd> !process fffffa80`0361eb30 1 PROCESS fffffa800361eb30 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00187000 ObjectTable: fffff8a000002870 HandleCount: 919. Image: System ... 3: kd> !ptov 187000 Amd64PtoV: pagedir 187000 00000001`034fb000 1d0000 a757c000 1d1000 00000001`0103d000 1d2000 c041e000 1d3000 ... 2ed6f000 fffff680`00001000 00000001`13939000 fffff680`00003000 ceefb000 fffff680`00008000 ...
The directory base is the physical address of the first table that is used in virtual address translation. This table has different names depending on the bitness of the target operating system and whether Physical Address Extension (PAE) is enabled for the target operating system.
For 64-bit Windows, the directory base is the physical address of the Page Map Level 4 (PML4) table. For 32-bit Windows with PAE enabled, the directory base is the physical address of the Page Directory Pointers (PDP) table. For 32-bit Windows with PAE disabled, the directory bas is the physical address of the Page Directory (PD) table.
For related topics, see !vtop and Converting Virtual Addresses to Physical Addresses. For information about virtual address translation, see Microsoft Windows Internals, by Mark Russinovich and David Solomon. (These resources may not be available in some languages and countries.)
Build date: 1/27/2014