Before talking about Windows 9x/NT memory configuration, I want to talk about the history of Intel-compatible CPUs first. The first model of 16-bit Intel CPUs is the 8086. It supports 640KB of conventional memory plus 384KB of upper memory. The 8086 CPU is very simple, and programs can do anything they want. They can access not only the memory allocated to them, but also the memory of other programs. In fact, they can access the entire 1MB of memory with ease. They can also communicate with any device they want to.
The second generation of 16-bit Intel CPUs consists of the 80286 CPUs. Each of them supports up to 16MB of memory. They calculate faster, but they are still not secure. A revolution came with the third generation of Intel CPUs: the 80386 CPUs. 80386 CPUs can run programs in "protected mode", so people call the traditional 8086 mode "real mode". Under protected mode, the access rights of applications are limited. The operating system can forbid user applications from accessing the core memory of the OS. Under protected mode, the CPU also supports virtual memory. Applications access virtual memory addresses, and the OS interprets the addresses. The OS manages virtual memory pages so that disk space can be used to extend physical memory. To stay efficient, the OS usually swaps virtual memory pages according to the activity of applications.
An 80386 CPU supports up to 4096MB of memory. This is closely related to the topic we are going to talk about today. Let's look at Windows 95 first. Windows 95 lets applications access the whole 4GB memory space. Above the first 2GB of the address space, data is shared. Shared data includes Windows system code, Windows DLLs and memory-mapped files. Of course, memory within the first 2GB can also be shared; MFC42.DLL and custom DLLs are usually there. User applications are at lower memory addresses. Usually, the code segment of a user application is at a lower address than its data segment.
This layout lets applications easily share their code and data. Code segments of applications and DLLs are protected, but the top 1GB of the address space, which contains Windows 95 system data, is not protected. This is a drawback of the Windows 9x/Me series. "An errant program could wipe out important system tables located in this region", said David J. Kruglinski, the author of Programming Visual C++.
As for Windows NT, here is what David J. Kruglinski said:
A process in Windows NT can access only the bottom 2 GB of its address space, and the lowest and highest 64 KB of that is inaccessible. The EXE, the application's DLLs and Windows DLLs, and memory-mapped files all reside in this space between 0x00010000 and 0x7FFEFFFF. The Windows NT kernel, executive, and device drivers all reside in the upper 2 GB, where they are completely protected from any tampering by an errant program. Memory-mapped files are safer, too. One process cannot access another's memory-mapped file without knowing the file's name and explicitly mapping a view.
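A range check built on the Windows NT boundaries in the quotation above, as an added example that is not from the book or the original page. It goes one step beyond the text by validating a whole buffer rather than a single address, because that is where the boundary is easy to get wrong; the function names and the sample inputs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds of the user-accessible range, as quoted above for 32-bit Windows NT. */
#define NT_USER_LOWEST  0x00010000u
#define NT_USER_HIGHEST 0x7FFEFFFFu

typedef enum { LOW_GUARD, USER_SPACE, HIGH_GUARD, KERNEL_SPACE } nt_region;

/* Classify one 32-bit virtual address (hypothetical helper). */
nt_region nt_classify(uint32_t addr) {
    if (addr < NT_USER_LOWEST)   return LOW_GUARD;    /* lowest 64 KB */
    if (addr <= NT_USER_HIGHEST) return USER_SPACE;
    if (addr < 0x80000000u)      return HIGH_GUARD;   /* highest 64 KB of the lower 2 GB */
    return KERNEL_SPACE;                              /* upper 2 GB */
}

/* Flawed check: base + len wraps modulo 2^32, so a huge len can make the
   computed end look like a user address. Kept only for comparison. */
bool nt_user_range_naive(uint32_t base, uint32_t len) {
    return base >= NT_USER_LOWEST && base + len - 1u <= NT_USER_HIGHEST;
}

/* Sound check: true only if every byte of [base, base + len) is in user space.
   It compares len against the room left above base, so nothing can wrap. */
bool nt_user_range_ok(uint32_t base, uint32_t len) {
    if (len == 0) return true;                        /* empty range touches no byte */
    if (nt_classify(base) != USER_SPACE) return false;
    return len - 1u <= NT_USER_HIGHEST - base;
}

int main(void) {
    /* Constructed inputs: a buffer near the top of user space with a huge length. */
    uint32_t base = 0x7FFEFFF0u, len = 0xFFFFFFF0u;
    printf("naive=%d ok=%d\n", nt_user_range_naive(base, len), nt_user_range_ok(base, len));
    printf("exact fit=%d\n", nt_user_range_ok(NT_USER_LOWEST, 0x7FFE0000u));
    return 0;
}
```

The naive version accepts the constructed range even though it runs through the upper 2 GB, while the sound version rejects it.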