How Control Flow Guard Drastically Caused Windows 8. Address Space and Behavior Changes Alex Ionescus Blog. Windows 8. 1 radically changes the address space layout of the system by finally removing the 4. I described in one of the earliest blog posts on this website and which Wikipedia even links to. This is a little known detail about the operating system, and an odd thing for Microsoft not to emphasize on with more aplomb, especially given that 8. Windows 8. Now, you may think that 1. TB to 2. 56 TB is a meaningless change since no applications currently use even a fraction of that space, but the main benefit of this change are not the ability to allocate additional memory, but rather the increased entropy space available for Address Space Load Randomization ASLR, especially given that Windows 8 introduced High Entropy ASLR HEASLR, Top down Randomization and Anonymous Memory Randomization. Additionally, another key change was done in Windows 8. As Pavel Lebedinsky, one of the lead SDETs on the Memory Manager and an extremely helpful individual indicated on one of the blog posts from Mark Russinovich 1. Reserved memory does contribute to commit charge, because the memory manager charges commit for pagetable space necessary to map the entire reserved range. On 6. 4 bit this can be a significant number reserving 1 TB of memory will consume approximately 2 GB of commit. This means that attempting to reserve the full 8 TB of memory on Windows 7 results in 1. GB of commit, which is beyonds most peoples commit limit, especially at the time. In Windows 8. 1, this would result in 1. GB of commit being used, which only a beefy server would tolerate. While such large memory reservations are unusual, they do have usefulness in certain scenarios related to security and low level testing. This Windows behavior prevented such reservations from reliably working, but in Windows 8. Indeed, you can easily test this by using the Test. Limit tool from the Windows Internals Book, and run it with the r option and preferably with a large enough block size. Heres a screenshot of hitting the 1. TB reservation And heres the resulting view in VMMap, which does not show the expected page table commit charge, but rather a much smaller size 2. MB. So why did Microsoft change this behavior in Windows 8. Well, Windows 1. 0, as well as Windows 8. Update 3 November Update make this clear. Free-Windows-8.1-ISO-DVD-64-bit-Official.jpg' alt='Win8.1 64 Bit' title='Win8.1 64 Bit' />As I previously tweeted, these OS versions enable Control Flow Guard CFG, a feature that laid dormant in the first versions of Windows 8. In order to function, CFG requires the use of optimized bitmaps in order to determine the validity of indirect calls, and on 6. Windows, this bitmap requires 2 TB of space. Not only would this cut the Windows 8 address space by 2. GB of per process commit Heres a screenshot of Process Hacker showing how all CFG enabled processes now use 2 TB of virtual address space The final effect of this change from 8 TB to 1. TB is that the kernel address space layout has significantly changed. And sadly, the address extension in Win. DBG is broken and continues to show the Windows 8 address space layout which I expanded on during my Blackhat 2. Windows Internals book is stuck on Windows 7 and doesnt even cover Windows 8 or higher. Therefore, I publish below what I believe to be the only public source of information on the Windows 8. One of the benefits of this new layout is that it now becomes extremely easy by using the first 5 or 6 nibbles of an address to determine where its coming from. For example, 0x. FFFFD is a kernel stack, 0x. FFFFC is paged pool, 0x. FFFFF8 is a loaded image driver or kernel, and 0x. FFFFE is nonpaged pool. Start. End. Size. Description. FFFF0. FFFF0. 7FFFFFFFFFF8. TBMemory Hole. FFFF0. FFFFAFFFFFFFFFFF1. TBUnused Space. FFFFB0. FFFFBFFFFFFFFFFF1. TBSystem Cache. FFFFC0. FFFFCFFFFFFFFFFF1. TBPaged Pool. FFFFD0. FFFFDFFFFFFFFFFF1. TBSystem PTEs. FFFFE0. FFFFEFFFFFFFFFFF1. TBNonpaged Pool. FFFFF0. Win8.1 64 Bit' title='Win8.1 64 Bit' />Memory type Limit on X86 Limit in 64bit Windows Usermode virtual address space for each 32bit process. GB. Up to 3 GB with IMAGEFILELARGEADDRESSAWARE and 4GT. Radeon Software Crimson ReLive Edition Graphics Driver Installer for Windows 8. Bit Compatible Operating Systems Windows 8. FFFFF6. 7FFFFFFFFF6. TBUnused Space. FFFFF6. FFFFF6. FFFFFFFFFF5. GBPTE Space. FFFFF7. FFFFF7. 7FFFFFFFFF5. GBHyper. Space. FFFFF7. FFFFF7. 800. 00. FFF4. KShared User Data. Best Software To Overclock Radeon 7850 Vs Gtx here. Logic Express 9 Serial Number Idm here. FFFFF7. 800. 00. FFFFF7. BFFFFFFF3. GBSystem PTE WS FFFFF7. C0. 00. 00. 00. FFFFF7. FFFFFFFF1. GBWS Hash Table. FFFFF7. 810. 00. FFFFF7. FFFFFFF6. GBPaged Pool WSFFFFF7. FFFFF7. 993. FFFFFFF3. GBWS Hash Table. FFFFF7. FFFFF7. A97. FFFFFFF6. GBSystem Cache WSFFFFF7. A98. 00. 00. 00. FFFFF7. B17. FFFFFFF3. GBWS Hash Table. FFFFF7. B18. 00. 00. FFFFF7. FFFFFFFFFF3. GBUnused Space. FFFFF8. FFFFF8. FFFFFFFFFF1. TBSystem View PTEs. FFFFF9. 000. 00. FFFFF9. FFFFFFFFF5. GBSession Space. FFFFF9. FFFFFA7. 0FFFFFFFF1. TBDynamic VA Space. FFFFFA8. 00. 00. FFFFFAFFFFFFFFFF5. GBPFN Database. FFFFFFFFFFC0. FFFFFFFFFFFFFFFF4. MBHAL Heap. Table describing the various 6. Windows 8. 1. This entry was posted on Thursday, January 2. Random Tidbits. You can follow any responses to this entry through the RSS 2. You can leave a response, or trackback from your own site.