I'm trying to use the sysinternals pslist64 (latest version v1.4) to diagnose memory issues.
In a Windows 10 system, pslist64 -m
provides this data (subset of the first 25 lines of output):
Name Pid VM WS Priv Priv Pk Faults NonP Page
Idle 0 8 8 60 60 9 0 0
System 4 302132 197472 776 912 2563343 0 0
Registry 148 163316 56004 8980 195936 176551 24 323
smss 580 2151718540 1036 1072 1136 1340 3 12
csrss 916 2151774964 5396 1988 2216 7733 29 297
wininit 1020 2151746364 6288 1408 1948 2554 11 74
csrss 104 2151824756 5884 4328 4996 1859083 39 323
services 920 2151769324 16628 9040 15344 218823 15 213
lsass 1040 2151808560 31496 14932 16264 61249 37 224
svchost 1156 2151833136 36628 16904 19976 122177 29 702
fontdrvhost 1188 2151763536 6820 5468 5468 3148 8 63
WUDFHost 1236 2151821936 10444 8452 8704 4454 16 182
svchost 1296 2151784348 22436 14960 15416 97254 20 217
svchost 1344 2151763788 13616 6732 7120 7113 12 127
winlogon 1404 2151782260 14732 6164 7208 25359 12 144
fontdrvhost 1468 2151877724 18512 10668 11944 27406 12 274
svchost 1572 2151781208 11796 6100 6720 8654 12 103
svchost 1592 2151809396 14924 8544 8968 23063 21 148
svchost 1624 2151760240 10868 5264 5484 5696 13 83
svchost 1632 2151756972 10628 9572 10108 10702 35 67
svchost 1648 2151759324 10492 5260 5668 4079 14 83
svchost 1668 2151762416 13756 5092 5320 5076 10 88
svchost 1676 2151772828 15172 6676 6904 6220 24 108
svchost 1892 2151761008 10732 5960 6948 6881 11 89
svchost 1900 2151768044 13112 6292 7156 7409 16 106
The VM value seems strange. The values are displayed in KB, per the -h help. Many of the values seem to be of the form 2^31 + X where X is a value that could be considered a "reasonable value" of a few GB. If I add up the VM column numbers as shown, for all the instances of svchost and other processes. the total is over 380 TB.
My hypothesis is that memory values are represented as 32 bit, and there is a high bit "tag" of 0x80000000 on some values, which is not accounted for in the pslist -m
display of the VM column which formats as an unsigned int. Can anyone provide further details or interpretations? I did not find any more information on Microsoft PSLIST docs or the sysinternals blog.
Edit - I confirmed the same behavior on other Windows 10 systems. I also tested on an older Windows Server 2008r2, and it does not exhibit the display issue with VM values:
Name Pid VM WS Priv Priv Pk Faults NonP Page
Idle 0 0 24 0 0 1 0 0
System 4 3340 304 124 9508 186576 0 0
smss 240 3984 316 452 548 678 1 10
csrss 432 55392 1680 3216 3944 916722 16 162
wininit 504 45364 520 1476 1784 1358 9 88
csrss 524 146700 13528 25196 25384 7364214 22 314
services 572 44032 5576 6296 9416 599010 13 69
lsass 580 57124 9768 8568 10308 166219 29 112
lsm 588 31284 2828 3348 3596 226338 10 55
winlogon 688 27304 392 1776 2008 1899 7 45
svchost 744 47692 4604 4836 5184 1256663 13 89
svchost 820 37980 5188 5436 5656 2221819 16 92
svchost 972 1337980 39400 645160 645164 3386113 155 1455
svchost 376 546332 48508 54132 901184 190381045 159 372
svchost 12 107232 12088 12564 14108 422579 39 172
svchost 644 73208 6572 6668 6792 4528076 19 131
svchost 760 162264 11360 16848 18304 1859017 38 161
svchost 1092 55856 7020 12540 13548 5757388 32 89
Edit 2 - I checked on a Windows 11 system. It does not have the same results as either of the preceding examples. The values are closer to Windows 10, but the VM values for svchost are all 4194303.
0 Answers