NT Memory Primer Basic Concepts - The Size of a Process Each program is called a process, and each process has a working set which is code and data in physical memory. The working set is dynamic: it grows (and shrinks) as the user loads (and closes) modules and data files. Also, the NT Virtual Memory Manager can grow (and shrink) a process' working set, if memory is needed (or becomes available) by the system. The VMM does this both to give more memory to active applications, and to keep available memory as high as possible (so you can open more applications and data files as needed). So each process usually has some code and data in virtual memory as well as physical memory. As you can see from this screen shot, each process also uses a part of NT system memory called kernel memory, which is highly protected OS code and can't be addressed directly by user mode processes (ie, regular applications). Kernel memory objects are things like the GDI (graphical device interface), which draws windows among other things, and the printing subsystem. That is, anything handled by the operating system. Kernel mode resources are divided into two "pools": Paged Pool and NonPaged Pool. All that means is that some code can be paged to disk if necessary (Paged Pool), but some must stay in physical memory no matter what (NonPaged Pool). Note that these numbers are not perfectly exact because they're counted in "pages" of 4K each. If a process is using 2K of a 4K page, it will register as 4K. However, according to the Microsoft Resource Kit, the numbers on the Task Manager/Performance tab, which are totals, are accurate. Also note that one of the few aspects of NT Memory handling that the user can modify is whether or not kernel pools can get paged to the paging file. By modifying the following registry entry, you can ensure that all kernel code stays in physical memory: HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\DisablePagingExecutive=1 If you have a lot of memory, and you'd like to see your paging file used as little as possible, disabling the Paging Executive might help. On the other hand, the NT memory management scheme involves keeping as much available memory free as possible (see The NT File Cache below), so if you're using a lot of physical memory for inactive kernel mode processes, it may result in your active applications' working sets being trimmed down a lot more than you're comfortable with. In other words, disabling the Paging Executive might worsen matters in terms of performance.

How Much Memory Is In Use Now? This one's easy: open Task Manager again, and look in the status bar over to the right: Mem Usage. This is the total amount of physical RAM and virtual RAM being used currently. The easiest way to grasp NT memory handling is to start at the Task Manager/Performances tab. The first interesting thing to notice is that your current Memory Usage is shown three times in this dialog: in the graph (MEM USAGE), in the status bar (Mem Usage ratio), and in the field "Commit Charge" (as the Commit Charge Total). Keep in mind that "Memory Usage" here, on the Performances tab, refers to both Physical and Virtual memory combined. On the Processes tab, the Memory Use figure is the process' working set, which is the amount reserved in physical memory only. Hence, the figures won't add up if you try. What Else Is Here? Still on the Performances tab of Task Manager, you have the Commit Charge Limit, which is the Total Available Memory (your physical RAM plus your virtual memory). Now over on the right, you see the Physical Memory counters and the Kernel Memory counters. Physical Memory is your RAM, and Kernel Memory the protected OS code referred to in the previous section. Notice that your Total Physical Memory (RAM) minus your Memory Usage does not equal Available Memory. That usually infuriates people because it seems your Available Memory should be much higher. The monkey in the wrench is the third item under Physical Memory: File Cache. NT reserves some of your available physical memory for the File Cache, which works in tandem with the Virtual Memory Manager to cache code that isn't "active". After some time of being inactive, it will "lazy write" some code back to disk. This is discussed further below. So you should come close to your physical memory by totaling the working sets of your processes, the file cache, and the available memory. The NT File Cache The NT File Cache takes a good-sized chunk of your physical memory, that which isn't being used by your applications' working sets, and puts "less active code" in that file cache. The idea is to keep as much as possible in memory while keeping your available bytes figure pretty high so you can open more stuff if you need to. When you open more programs, the file cache can then swap out the pages of least-requested code and data in the File Cache to the paging file, and possibly trim some more memory from current active working sets (if they've become less active, which is usually the case when you open new programs), and keep your available bytes high even though you've opened more programs. While the user can't specify whether or not NT should use a file cache, and if so, exactly how big it should be, there is one file cache setting in the registry which determines if NT should use a large or small file cache. The small file cache is the default for Workstations, while the large file cache is the default for Servers. If you'd like to try operating using a "large" file cache, modify the following registry entry to read: HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache=1 For further reading, see the Knowledge Base article How Windows NT Provides 4 Gigabytes of Memory.