Windows Critical Problem Management Workshop Day 1


‘Windows Critical Problem Management Workshop’ is a 2-day course. The objective is to learn how to effectively identify and troubleshoot critical problems with Windows. The learning material is the ‘Windows Internals’ book.


On day 1, the trainer mainly introduced the Windows architecture and some useful troubleshooting tools. Here are my notes.

The starting point is to understand the Windows architecture and keep it in mind when analyzing Windows problems.

User Mode: processes (applications and services).
Kernel Mode: the system and drivers.


Process, Thread, Handle, DLL relationship


Virtual Memory: simplifies programming by letting every application see the same address range; the memory manager maps each virtual address to a physical address.

32-bit addressing limits (User Mode: 2G, 0x0000 0000 – 0x7FFF FFFF; Kernel Mode: 2G, 0x8000 0000 – 0xFFFF FFFF) and boot options: move 1G from kernel to user space with /3GB and /USERVA; address up to 64G of physical memory with /PAE.

64-bit native memory layout: 8TB for the kernel, 8TB for each process.

Windows Debugging Tools (WinDBG): http://msdn.microsoft.com/en-us/windows/hardware/gg463009 

Symbol path: SRV*C:\symbols*http://msdl.microsoft.com/download/symbols

Sysinternals suite: http://technet.microsoft.com/en-us/sysinternals/bb842062

PAL (Performance Analysis of Logs): http://pal.codeplex.com/ 

Problem classes and tools:


Kernel Memory Pools: Non-paged Pool / Paged Pool. 32-bit: fixed pool sizes; 64-bit: dynamic pool sizes.


PTEs (Page Table Entries) provide:
– the mapping between virtual addresses and physical addresses
– the location of kernel stacks
– the location of I/O stacks
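To make the 32-bit address layout and the PTE mapping above concrete, here is an added PowerShell example (my own illustration, not material from the workshop or the book). It goes a little beyond the notes: it splits a 32-bit non-PAE x86 virtual address into its page-directory index, page-table index and page offset, reports which side of the user/kernel boundary it falls on under the default 2G/2G split and under /3GB, and then walks a constructed toy page directory and page table to a physical address. The table contents, the page frame number and the addresses are all made-up sample data.

```powershell
# Added example, not from the workshop notes: decompose a 32-bit (non-PAE) x86
# virtual address and walk a constructed page directory/page table to a physical
# address. The tables are toy data built here; nothing is read from a live system.
# Note: PowerShell parses 0x80000000 as a negative Int32, so addresses at or above
# 2G need the L suffix (0x80005ABCL) or a multiplier expression such as 2GB + 0x5ABC.

function Split-VirtualAddress {
    param([long]$VirtualAddress, [switch]$ThreeGB)

    $kernelBase = if ($ThreeGB) { 3GB } else { 2GB }   # /3GB moves the boundary up by 1G

    [pscustomobject]@{
        VirtualAddress = '0x{0:X8}' -f $VirtualAddress
        Mode           = if ($VirtualAddress -ge $kernelBase) { 'Kernel' } else { 'User' }
        PdeIndex       = [int](($VirtualAddress -shr 22) -band 0x3FF)  # top 10 bits
        PteIndex       = [int](($VirtualAddress -shr 12) -band 0x3FF)  # next 10 bits
        PageOffset     = [int]($VirtualAddress -band 0xFFF)            # low 12 bits (4K page)
    }
}

# Toy page directory (constructed): PDE 0x200 covers 0x80000000-0x803FFFFF and points
# at one page table in which only PTE 0x005 is valid, mapping to physical frame 0x12345.
$script:PageDirectory = @{
    0x200 = @{ 0x005 = @{ Valid = $true; Pfn = 0x12345 } }
}

function Resolve-PhysicalAddress {
    param([long]$VirtualAddress)

    $parts = Split-VirtualAddress -VirtualAddress $VirtualAddress
    $pageTable = $script:PageDirectory[$parts.PdeIndex]
    if (-not $pageTable) {
        return '0x{0:X8}: not mapped (PDE 0x{1:X3} not present)' -f $VirtualAddress, $parts.PdeIndex
    }
    $pte = $pageTable[$parts.PteIndex]
    if (-not $pte -or -not $pte.Valid) {
        return '0x{0:X8}: not mapped (PTE 0x{1:X3} invalid, access would page-fault)' -f $VirtualAddress, $parts.PteIndex
    }
    # Physical address = page frame number shifted to a 4K boundary plus the page offset
    $physical = ([long]$pte.Pfn -shl 12) + $parts.PageOffset
    return '0x{0:X8} -> physical 0x{1:X8}' -f $VirtualAddress, $physical
}

Split-VirtualAddress -VirtualAddress 0x80005ABCL            # Kernel under the default split
Split-VirtualAddress -VirtualAddress 0x80005ABCL -ThreeGB   # User under /3GB
Resolve-PhysicalAddress -VirtualAddress 0x80005ABCL          # 0x80005ABC -> physical 0x12345ABC
Resolve-PhysicalAddress -VirtualAddress 0x80006ABCL          # PTE 0x006 not present
```

The 10/10/12-bit split is the classic non-PAE x86 layout; with /PAE the kernel uses a three-level table with 64-bit entries, which is what lets it address more than 4G of physical memory.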

Memory leaks: use perfmon and poolmon to identify kernel-mode leaks.
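As an added example of the perfmon side of that advice (my own script, not something from the workshop), the function below samples the two pool counters that perfmon exposes under the Memory object and reports how fast each pool is growing. The sample count, interval and the 1 MB/minute warning threshold are assumptions to tune per system; the counter paths are the standard ones.

```powershell
# Added example, not from the workshop notes: sample the kernel pool counters that
# perfmon exposes and flag steady growth, the usual first sign of a kernel-mode leak.
# The counter paths are the standard \Memory object counters; the growth threshold
# and the sampling schedule are assumptions you would tune per system.

function Get-PoolGrowth {
    param(
        [int]$Samples = 12,             # how many samples to take
        [int]$IntervalSeconds = 5,      # seconds between samples
        [double]$WarnMBPerMinute = 1.0  # assumed threshold: flag growth faster than this
    )
    if ($Samples -lt 2) { throw 'At least two samples are needed to measure growth.' }

    $paths = @('\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes')

    # One PerformanceCounterSampleSet per interval, each holding both counters
    $sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $minutes = ($Samples - 1) * $IntervalSeconds / 60

    foreach ($path in $paths) {
        # Pull this counter's cooked value out of every sample set, in order
        $values = @(foreach ($set in $sets) {
            ($set.CounterSamples | Where-Object { $_.Path -like "*$path" }).CookedValue
        })
        $first = $values[0]
        $last  = $values[-1]
        $mbPerMin = ($last - $first) / 1MB / $minutes

        [pscustomobject]@{
            Counter        = $path
            StartMB        = [math]::Round($first / 1MB, 1)
            EndMB          = [math]::Round($last / 1MB, 1)
            GrowthMBPerMin = [math]::Round($mbPerMin, 2)
            Suspicious     = ($mbPerMin -gt $WarnMBPerMinute)
        }
    }
}

Get-PoolGrowth | Format-Table -AutoSize
```

A pool that keeps growing while the workload is steady is the trigger for the poolmon step: run poolmon sorted by bytes (`poolmon -b`) and watch which tag's allocations climb, then search the driver directory for that tag (`findstr /m /s /l <tag> %SystemRoot%\System32\drivers\*.sys`) to find the driver that owns it.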

Useful blogs:
Mark Russinovich’s blog
Ned Pyle’s blog
