We’ve talked a lot about the /3GB switch and its effect on system resources in previous posts. Today we are going to discuss how to determine whether or not /3GB is enabled on a 32-bit system without looking at the boot.ini file or using MSCONFIG.EXE. Finding out this information is not as difficult as you would think – there are actually multiple ways to find this information. We are going to find this information in three different ways – by looking in the registry, by using PSTAT.EXE and by looking at a Memory Dump File. So, without further delay, let’s look at the simplest of the three methods – finding the information in the registry.
To find the information in the Registry, all you have to do is look in the HKLM\SYSTEM\CurrentControlSet\Control key, and examine the SystemStartOptions value. Below is the value from a Windows XP system that I have configured with /3GB.
As you can see, the ‘/’ character is removed from the string in the Registry, but the options themselves are determined easily enough. With this in mind, here’s a quick tip for Systems Administrators who might need to find this information for multiple systems – use a simple script or batch file to query this value in the registry on all your machines and write the output to a text file. Remember that you will need to be able to access the registry remotely for this to work!
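The multi-machine survey suggested above could look like the following. This is an added example, not code from the original post: the host names, report path and function names are hypothetical, and it assumes the Remote Registry service is reachable from the machine running it.

```python
# Added example: survey SystemStartOptions across machines and write a report.
try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None

CONTROL_KEY = r"SYSTEM\CurrentControlSet\Control"

def has_3gb(start_options):
    """True if 3GB appears as a whole token (the registry copy has no '/')."""
    return "3GB" in start_options.upper().replace("/", " ").split()

def read_start_options(host):
    """Read SystemStartOptions from a remote machine's registry."""
    if winreg is None:
        raise OSError("winreg is only available on Windows")
    hive = winreg.ConnectRegistry("\\\\" + host, winreg.HKEY_LOCAL_MACHINE)
    try:
        with winreg.OpenKey(hive, CONTROL_KEY) as key:
            value, _value_type = winreg.QueryValueEx(key, "SystemStartOptions")
            return value
    finally:
        winreg.CloseKey(hive)

def survey(hosts, read=read_start_options):
    """One report line per host; unreachable hosts are recorded, not skipped."""
    lines = []
    for host in hosts:
        try:
            options = read(host)
        except OSError as exc:  # no access, host down, value missing
            lines.append(f"{host}\tUNREACHABLE\t{exc}")
            continue
        state = "3GB" if has_3gb(options) else "no-3GB"
        lines.append(f"{host}\t{state}\t{options.strip()}")
    return lines

def write_report(hosts, path, read=read_start_options):
    """Write the survey to a text file, one tab-separated line per host."""
    with open(path, "w", encoding="utf-8") as out:
        out.write("\n".join(survey(hosts, read)) + "\n")

if __name__ == "__main__":
    # Hypothetical host names; replace with your own inventory.
    write_report(["WKSTN01", "WKSTN02"], "3gb_report.txt")
```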
Let’s now take a look at the second method of finding out if /3GB is enabled – by using PSTAT.EXE. PSTAT.EXE is part of the Resource Kit Utilities for Windows 2000 and can be downloaded from the Microsoft web site. Run PSTAT.EXE and redirect the output to a text file:
When you examine the output file, search for HAL.DLL (the Hardware Abstraction Layer DLL). Below is the output from my Windows XP SP3 system:
ModuleName    Load Addr
------------------------
hal.dll       E0B82000
The key piece of information here is the Address at which the module is loaded. In our post on the x86 Virtual Address Space we noted that the System Space (Kernel Mode) memory range on a 32-bit system ranged from 0x80000000 to 0xFFFFFFFF on a system without /3GB and 0xC0000000 to 0xFFFFFFFF on a system with /3GB enabled.
[Diagram: Memory Address ranges without /3GB | Memory Address ranges with /3GB]
As you can see from the diagram above, the Kernel and Executive, HAL and Boot Drivers load between Addresses 0x80000000 and 0xBFFFFFFF on a system that does not have /3GB configured. So, looking at the address where HAL.DLL is loaded, we can see that the module is loaded at Address 0xE0B82000. Since this address is outside of the range where the module would load if the system was not configured with /3GB we can deduce that /3GB is configured on this system.
Finally, let’s look at determining whether or not /3GB is in use by examining a memory dump file. I generated a manual dump on my XP Machine with and without /3GB enabled. Let’s first take a look at the dump with /3GB enabled. Believe it or not, you really don’t have to do any work to determine if /3GB is enabled beyond loading up your memory dump file into the debugger! Below is the output from the debugger when I opened the dump file:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\3GBMEMORY.DMP]
Kernel Complete Dump File: Full address space is available
Symbol search path is: SRV*C:\SYMBOLS*http://msdl.microsoft.com/downloads/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0xe0ba3000 PsLoadedModuleList = 0xe0c29720
Debug session time: Thu May 15 09:33:21.044 2008 (GMT-5)
System Uptime: 1 days 2:14:13.500
The important piece of information here is the Kernel base. As you can see, the address is 0xE0BA3000. Remember that if /3GB is not configured, the Kernel loads between 0x80000000 and 0xBFFFFFFF – since we are loading at 0xE0BA3000, we can deduce that /3GB is configured. Before we wrap up, let’s take a look at a dump from the same machine when /3GB is not configured.
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\NO3GBMEMORY.DMP]
Kernel Complete Dump File: Full address space is available
Symbol search path is: SRV*C:\SYMBOLS*http://msdl.microsoft.com/downloads/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu May 15 12:58:35.741 2008 (GMT-5)
System Uptime: 0 days 1:54:45.750
As we can see in this output, the Kernel Base is at 0x804D7000 – inside the range for the Kernel on a system without /3GB.
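The address check used for both the PSTAT output and the debugger banner can be automated. The following is an added example, not code from the original post: the function names are hypothetical, the sample strings reuse the addresses quoted in this post, and the rule applied is the one stated here (kernel image at or above 0xC0000000 means /3GB).

```python
import re

DEFAULT_SYSTEM_BASE = 0x80000000  # start of system space without /3GB
SYSTEM_BASE_3GB = 0xC0000000      # start of system space with /3GB

# "Kernel base = 0x..." line of the debugger banner.
KERNEL_BASE_RE = re.compile(r"Kernel base = 0x([0-9a-fA-F]{8})")
# hal.dll row of the PSTAT module list: module name, then load address in hex.
PSTAT_HAL_RE = re.compile(r"^\s*hal\.dll\s+([0-9a-fA-F]{8})\b", re.I | re.M)

def classify(address):
    """Apply the post's rule to a kernel-image load address."""
    if address >= SYSTEM_BASE_3GB:
        return "3GB"
    if address >= DEFAULT_SYSTEM_BASE:
        return "no-3GB"
    return "not-system-space"  # a user-mode address means the wrong input

def _verdict(pattern, text):
    match = pattern.search(text)
    if match is None:
        return None  # marker line not present in this text
    address = int(match.group(1), 16)
    return address, classify(address)

def from_debugger_banner(text):
    """(address, verdict) from the banner printed when a dump is opened."""
    return _verdict(KERNEL_BASE_RE, text)

def from_pstat(text):
    """(address, verdict) from the hal.dll row of redirected PSTAT output."""
    return _verdict(PSTAT_HAL_RE, text)

# Samples built from the values quoted in this post, trimmed to the relevant lines.
PSTAT_SAMPLE = "ModuleName Load Addr\n------------------------\nhal.dll E0B82000\n"
BANNER_3GB = "Kernel base = 0xe0ba3000 PsLoadedModuleList = 0xe0c29720"
BANNER_NO_3GB = "Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720"

if __name__ == "__main__":
    for label, result in [("pstat", from_pstat(PSTAT_SAMPLE)),
                          ("dump /3GB", from_debugger_banner(BANNER_3GB)),
                          ("dump no /3GB", from_debugger_banner(BANNER_NO_3GB))]:
        address, verdict = result
        print(f"{label}: 0x{address:08X} -> {verdict}")
```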
So there you have it – three different ways to find out whether or not a system is configured with the /3GB switch using different tools. That brings us to the end of this Two Minute Drill. Until next time …