Process directory table base doesn’t match CR3

You might occasionally have seen this error when opening a crash dump file:

WARNING: Process directory table base <address> doesn't match CR3 <address>

What does it mean and why does it happen?

The answer to what it means lies in virtual memory. The page directory table is the term used for the base of the virtual memory tables that describe the address space of a process. When you dereference any virtual address on a processor, the processor retrieves the base of the virtual memory tables from the CR3 register on the processor. From there, the processor can walk the tables and translate the virtual address to the underlying physical address and retrieve the requested memory.

In Windows, each process has its own address space where the lower half of the virtual address space is the application code and data and the upper half of the address space is the operating system code and data, the drivers, the executive pools (sounds posh), etc. In order to switch between process address spaces, all that Windows has to do is switch the CR3 register from the base of process A’s tables to the base of process B’s tables. From there on the processor will decode all virtual addresses relative to the new process’ tables.

Thus, Windows keeps track of the base of each process’ tables inside the per-process data structure. This can be seen as the DirBase in the !process output:

[!process output showing the DirBase field]

Note that the address here is the physical address of the page directory table base. This is the exact value that will be put into the CR3 register on the processor when using this process’ address space.

Now that we have that out of the way, we can get back to the error message:

WARNING: Process directory table base <address> doesn't match CR3 <address>

What happens here is that the debugger looks at the current thread on the processor and then retrieves the containing process. From there it retrieves the DirBase value and compares it against the CR3 register. If the two don’t match, then you receive this error message when opening the dump. This can indicate that the dump file is corrupted somehow, but generally is a result of two things:

1) A crash occurring inside the process switching code. Switching the current thread and switching the CR3 register are not a single atomic operation, thus there are transient states where the current thread references a different process than the CR3 register. Sounds scary, but the O/S is OK during this state since the O/S address space is the same across all processes.

2) You generate a crash dump with any of the “live dump” utilities, such as Windd (http://pangowings.msuiche.net/) or LiveKD (http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx). These tools provide an “in flight” snapshot of the system and thus can collect inconsistent information.

This warning is important to note if you’re trying to look at per-process state, as you may otherwise be looking at process memory through the wrong set of page tables. You’ll need to make sure that you manually switch into whatever process you want to look at, even if it’s the current process at the time of the dump.
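As an added illustration (not code from the original post), the following Python models the four-level x64 page walk from CR3 and the DirBase-versus-CR3 comparison the debugger makes; every table address, frame and virtual address is constructed. It shows why the transient state in case 1 is harmless for the OS half (both processes share the kernel-half tables) while a user-half read through the wrong CR3 lands in another process’ page.

```python
PRESENT = 1
ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 51:12 of an entry: next table or final page frame

def entry(phys, present=True):
    # Build a page-table entry pointing at a 4 KiB-aligned physical frame.
    return (phys & ADDR_MASK) | (PRESENT if present else 0)

def translate(cr3, va, mem):
    """Walk PML4 -> PDPT -> PD -> PT from CR3; None if a level is not present."""
    table = cr3 & ADDR_MASK
    for shift in (39, 30, 21, 12):          # nine index bits per level
        e = mem.get(table, {}).get((va >> shift) & 0x1FF, 0)
        if not e & PRESENT:
            return None
        table = e & ADDR_MASK
    return table | (va & 0xFFF)             # final frame plus 4 KiB page offset

def build_memory():
    """Constructed physical memory as {table base: {index: entry}} for two processes.
    Both PML4s share the kernel-half chain, as Windows maps the OS half identically."""
    mem = {}
    mem[0x10000] = {0: entry(0x11000)}      # shared kernel PDPT
    mem[0x11000] = {0: entry(0x12000)}      # shared kernel PD
    mem[0x12000] = {0: entry(0xA0000)}      # shared kernel PT -> frame 0xA0000
    mem[0x20000] = {0: entry(0x21000), 0x1F0: entry(0x10000)}   # process A PML4 (DirBase)
    mem[0x21000] = {0: entry(0x22000)}
    mem[0x22000] = {2: entry(0x23000)}
    mem[0x23000] = {0: entry(0xB0000)}      # A's user page -> frame 0xB0000
    mem[0x30000] = {0: entry(0x31000), 0x1F0: entry(0x10000)}   # process B PML4 (DirBase)
    mem[0x31000] = {0: entry(0x32000)}
    mem[0x32000] = {2: entry(0x33000)}
    mem[0x33000] = {0: entry(0xC0000)}      # B's user page -> frame 0xC0000
    return mem

DIRBASE_A, DIRBASE_B = 0x20000, 0x30000
KERNEL_VA = 0xFFFF_F800_0000_0123         # PML4 index 0x1F0: upper (OS) half
USER_VA = 0x0000_0000_0040_0123           # PML4 index 0: lower (application) half

def dirbase_check(process_dirbase, cr3):
    """The dump-open check, simplified: compare frame bits, ignore CR3 flag bits."""
    if (process_dirbase & ADDR_MASK) != (cr3 & ADDR_MASK):
        return ("WARNING: Process directory table base %#x doesn't match CR3 %#x"
                % (process_dirbase, cr3))
    return None

if __name__ == "__main__":  # case 1's transient state: thread still in A, CR3 already B
    mem = build_memory()
    print(dirbase_check(DIRBASE_A, DIRBASE_B))
    for va in (KERNEL_VA, USER_VA):
        print("%#x -> via A: %#x, via B: %#x" % (va, translate(DIRBASE_A, va, mem), translate(DIRBASE_B, va, mem)))
```

Running it prints the warning, then the kernel address resolving to the same frame under either DirBase and the user address resolving to a different frame under each.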
