To find the information in the Registry, all you have to do is look in the HKLM\SYSTEM\CurrentControlSet\Control key, and examine the SystemStartOptions value. Below is the value from a Windows XP system that I have configured with /3GB.
As you can see, the ‘/’ character is removed from the string in the Registry, but the options themselves are determined easily enough. With this in mind, here’s a quick tip for Systems Administrators who might need to find this information for multiple systems – use a simple script or batch file to query this value in the registry on all your machines and write the output to a text file. Remember that you will need to be able to access the registry remotely for this to work!
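One way to script the multi-machine check described above, as an added example that is not from the original post. It assumes a hypothetical computers.txt with one host name per line, a hypothetical output file name, and that the options in SystemStartOptions are separated by whitespace.

```powershell
# Added example, not from the original post. Hypothetical names: computers.txt
# (one host name per line) and the output file. Needs remote registry access.
param(
    [string]$ComputerList = '.\computers.txt',
    [string]$OutFile      = '.\SystemStartOptions.txt'
)

$results = foreach ($computer in Get-Content -Path $ComputerList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }

    $hklm = $null
    $key  = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control')
        if ($null -eq $key) { throw 'Control key could not be opened' }

        $options = [string]$key.GetValue('SystemStartOptions', '')

        # The '/' is stripped in the registry, so look for the bare token.
        # Assumption: options are separated by whitespace.
        $tokens = $options -split '\s+' | Where-Object { $_ }
        $has3GB = $tokens -contains '3GB'

        "{0}`t3GB={1}`t{2}" -f $computer, $has3GB, $options
    }
    catch {
        # Unreachable hosts are recorded rather than silently skipped.
        "{0}`tERROR`t{1}" -f $computer, $_.Exception.Message
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
}

$results | Set-Content -Path $OutFile
```

Each output line holds the host name, a 3GB=True/False flag and the raw value, so hosts that could not be queried stand out as ERROR rows instead of being mistaken for systems without /3GB.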
Let’s now take a look at the second method of finding out if /3GB is enabled – by using PSTAT.EXE. PSTAT.EXE is part of the Resource Kit Utilities for Windows 2000 and can be downloaded from the Microsoft web site. Run PSTAT.EXE and redirect the output to a text file:
When you examine the output file, search for HAL.DLL (the Hardware Abstraction Layer DLL). Below is the output from my Windows XP SP3 system:
The key piece of information here is the Address at which the module is loaded. In our post on the x86 Virtual Address Space we noted that the System Space (Kernel Mode) memory range on a 32-bit system ranged from 0x80000000 to 0xFFFFFFFF on a system without /3GB and 0xC0000000 to 0xFFFFFFFF on a system with /3GB enabled.
[Diagram: Memory Address ranges without /3GB | Memory Address ranges with /3GB]
As you can see from the diagram above, the Kernel and Executive, HAL and Boot Drivers load between Addresses 0x80000000 and 0xBFFFFFFF on a system that does not have /3GB configured. So, looking at the address where HAL.DLL is loaded, we can see that the module is loaded at Address 0xE0B82000. Since this address is outside of the range where the module would load if the system were not configured with /3GB, we can deduce that /3GB is configured on this system.
Finally, let’s look at determining whether or not /3GB is in use by examining a memory dump file. I generated a manual dump on my XP Machine with and without /3GB enabled. Let’s first take a look at the dump with /3GB enabled. Believe it or not, you really don’t have to do any work to determine if /3GB is enabled beyond loading up your memory dump file into the debugger! Below is the output from the debugger when I opened the dump file:
The important piece of information here is the Kernel base. As you can see, the address is 0xE0BA3000 (the text in red above). Remember that if /3GB is not configured, the Kernel loads between 0x80000000 and 0xBFFFFFFF – since we are loading at 0xE0BA3000, we can deduce that /3GB is configured. Before we wrap up, let’s take a look at a dump from the same machine when /3GB is not configured.
As we can see in this output, the Kernel Base is at 0x804D7000 – inside the range for the Kernel on a system without /3GB.
So there you have it – three different ways to find out whether or not a system is configured with the /3GB switch using different tools. That brings us to the end of this Two Minute Drill. Until next time …