Guided path: Memory deep dive
Step 2 of 6
VAD tree
How Windows tracks ranges of virtual memory for a process.
Related labs
Hands-on exercises for this area — in the browser or on a Windows machine.
View all labsOfficial Microsoft docs
Closest official references related to this topic on Microsoft Learn.
Why it matters
VADs explain how allocations, stacks, images, and memory-mapped files are represented internally.
Mental model
A VAD tree is Windows' map of 'which region belongs to what purpose' inside a process address space.
Go one level deeper
Extra detail for readers who want more precision before opening a child topic.
- VAD nodes describe range type: private, mapped file, image, stack, etc.
- Prototype PTEs allow shared image pages across many processes.
How it works
- 1Each node describes a virtual range and its protection/type metadata.
- 2The Memory Manager consults this structure during allocation and page fault handling.
- 3Memory tools and forensic workflows often reconstruct process memory behavior from VADs.
Key terms
- VAD
- Virtual Address Descriptor; a node describing a region of process virtual memory.
Loaded image vs heap allocation
A DLL image and a heap allocation are both memory ranges, but they have different metadata and semantics in the VAD tree.
Common misconception
A VAD is not a page table. It is a higher-level description of memory regions.
You should read next
Ranked from your current topic, related links, branch depth, and any active guided path.
expert
Pool & heap
Kernel pool tags and user-mode heaps as different allocation worlds.
Next step in your guided path
beginner
Processes & threads
How Windows represents work, isolates applications, and schedules execution.
Related topic
beginner
Memory management
Virtual address spaces, paging, working sets, and how Windows tracks memory.
Part of a guided learning path