!vtop
The !vtop extension converts a virtual address to the corresponding physical address, and displays other page table and page directory information.
Syntax
!vtop PFN VirtualAddress
!vtop 0 VirtualAddress
Parameters
DirBase
Specifies the directory base for the process. Each process has its own virtual address space. Use the !process extension to determine the directory base for a process.
PFN
Specifies the page frame number (PFN) of the directory base for the process.
0
Causes !vtop to use the current process context for address translation.
VirtualAddress
Specifies the virtual address whose page is desired.
DLL
Kdexts.dll
Additional Information
For other methods of achieving these results, see Converting Virtual Addresses to Physical Addresses. Also see !ptov. For information about page tables and page directories, see Microsoft Windows Internals, by Mark Russinovich and David Solomon.
Remarks
To use this command, first use the !process extension to determine the directory base of the process. The page frame number (PFN) of this directory base can be found by removing the three trailing hexadecimal zeros (in other words, by right-shifting the number 12 bits).
Here is an example:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
....
PROCESS ff779190 SessionId: 0 Cid: 04fc Peb: 7ffdf000 ParentCid: 0394
DirBase: 098fd000 ObjectTable: e1646b30 TableSize: 8.
Image: MyApp.exe
Since the directory base is 0x098FD000, its PFN is 0x098FD.
kd> !vtop 98fd 12f980
Pdi 0 Pti 12f
0012f980 09de9000 pfn(09de9)
Notice how the trailing three zeros are optional. The !vtop extension displays the page directory index (PDI), the page table index (PTI), the virtual address that you had originally input, the physical address of the beginning of the physical page, and the page frame number (PFN) of the page table entry (PTE).
If you want to convert the virtual address 0x0012F980 to a physical address, you simply have to take the last three hexadecimal digits (0x980) and add them to the physical address of the beginning of the page (0x09DE9000). This gives the physical address 0x09DE9980.
If you forget to remove the three zeros, and pass the full directory base to !vtop instead of the PFN, the results will usually be correct. This is because when !vtop receives a number too large to be a PFN, it right-shifts it twelve bits and uses that number instead:
kd> !vtop 98fd 12f980
Pdi 0 Pti 12f
0012f980 09de9000 pfn(09de9)
kd> !vtop 98fd000 12f980
Pdi 0 Pti 12f
0012f980 09de9000 pfn(09de9)
However, it is better to always use the PFN, because some directory base values will not be converted in this manner.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for