This interesting little question came up on one of our internal email lists. Sometimes when debugging you want to know whether a particular process is linked using the /LARGEADDRESSAWARE flag and therefore capable of using usermode addresses above the 2Gb boundary. Here is my solution:
!address -summary will show you the effective user mode address space for the process:
0:022> !address –summary
Tot: 7fff0000 (2097088 KB) Busy: 278fd000 (648180 KB) <<< 2Gb for non-large-address-aware EXE or large address aware EXE on x86 system without /3Gb in boot.ini
Tot: bd7f0000 (3104704 KB) Busy: 23dee000 (587704 KB) <<< 3Gb for large-address-aware EXE on x86 system with /3Gb in boot.ini
Tot: ffff0000 (4194240 KB) Busy: 268b2000 (631496 KB) <<< 4Gb for large-address-aware EXE running with WoW64 on x64 system
However, since the first case is ambiguous, to actually see if the EXE is linked with /LARGEADDRESSAWARE or not do this:
0:000> !dlls -c inetinfo <<< inetinfo is the module name of the EXE in this case]
Dump dll containing 0x01000000:
Base 0x01000000 EntryPoint 0x0100326e Size 0x00006000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
0:000> .shell -i – -ci “!dlls -f 0x00081eb0” FIND “characteristics”
The characteristics field in the header is the key: 0x12f & 0x20 == 0x20. This is the value of IMAGE_FILE_LARGE_ADDRESS_AWARE – see winnt.h in the Platform SDK for this and related definitions.
So this EXE is large address aware.
Note the above usage of the .shell command (which is used to shell to another EXE, in this case “FIND”) is something I use all the time to filter the output of debugger commands. Very handy.