Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Identifying Architectural Components
Identify memory types and mechanisms.
Nonpaged vs. Paged; Memory Descriptor Lists; Physical Memory vs. Logical Memory; Address translation; Heap memory.
Identify I/O mechanisms.
Plug and play; IRQL levels; I/O Request Packet IRP; I/O manager; device stacks; filter drivers; timers
Identify subsystems.
Object Manager; cache manager; process manager; memory manager; security reference monitor
Identify processor functions and architecture.
Interrupts; processor affinity; system service calls; 64-bit vs. 32-bit
Identify process and threads.
Process environment block (PEB), thread environment block (TEB); thread scheduling, states and priority
Designing Solutions
Optimize a system for its drivers.
Driver signing; identifying filter drivers; timers and deferred procedure calls (DPCs); system worker threads; Driver Verifier
Design applications.
Application Verifier; gflags; kernel mode vs. user mode threads; structured exception handling (SEH); memory mapped files; authentication mechanisms; synchronization primitives
Deploy compatible applications.
Application Verifier; Application Compatibility Toolkit (ACT); Global Flags Editor (GFlags)
Identify optimal I/O models for applications.
Synchronous vs. asynchronous I/O; I/O completion ports; multithreaded applications
Monitoring Windows
Monitor I/O latency.
Perfmon; disk I/O; application performance; device I/O
Monitor I/O throughput.
Filter drivers; cache manager; xperf; kernrate
Monitor memory usage.
Nonpaged vs paged pool; user memory vs. kernel memory; debugging memory leaks; memory corruption; heap corruption
Monitor CPU utilization.
Thread time; kernel vs. user time; thread states; Perfmon; WinDbg; Xperf; Kernrate
Monitor handled and unhandled exceptions.
Adplus; Dr Watson; Windows Error Reporting; default post-mortem debuggers; exception handling
Analyzing User Mode
Analyze heap leaks.
UMDH (User-mode dump heap); user mode stack tracing; WinDbg; Application Verifier; Gflags; Perfmon
Analyze heap corruption.
Page heap; WinDbg; Application Verifier; Gflags
Handle leaks.
Procmon (Process Monitor); Perfmon; WinDbg; htrace; Process Explorer; Handle.exe
Resolve image load issues.
Tlist; loader snaps; dll dependencies; application manifests; 64-bit applications vs. 32-bit applications; tasklist
Analyze services and host processes.
sc.exe; services; service dependencies; service isolation; services startup types; service registry entries
Analyze cross-process application calls.
RPC; LPC; shared memory; named pipes; process startup; winsock
Analyze the modification of executables at runtime.
WinDbg; Image corruption; Detours; hot patches
Analyze GUI performance issues.
Spy++; message queues; Application Verifier; TraceTools; ATL Trace; Task Manager
Analyzing Kernel Mode
Find and identify objects in object manager namespaces and identify the objects’ attributes.
Winobj.exe; symbolic links; object namespace; security descriptors; global namespace; device objects; file objects; object manager; semaphores
Analyze Plug and Play (PnP) device failure.
Removal failures; global device list; WinDbg; device adds and removes; power handling
Analyze pool corruption.
Driver Verifier; WinDbg; pool tags; Poolmon; guard pages
Analyze pool leaks.
WinDbg; poolmon; Driver Verifier; crash dump analysis; paged and nonpaged pool; cache trimming
Isolate the root cause of S state failure.
System power states and transitions; power IRP handling
Analyze kernel mode CPU utilization.
Kernrate.exe; WinDbg; deadlocks; Performance monitoring; event tracing
Debugging Windows
Debug memory.
Heap; pool; virtual memory vs. physical memory; stack; analyzing crash dumps and user dumps
Identify a pending I/O.
WinDbg; deadlocks; I/O manager; IRP processing
Identify a blocking thread.
Thread state; locks; synchronization objects
Identify a runaway thread.
Thread priorities; processor affinity; Perfmon; kernrate
Debug kernel crash dumps.
WinDbg; DPCs; Assembler; forcing kernel crash dumps; trap processing; register usage; call stack composition (prolog/epilog); processes vs. threads
Debug user crash dumps.
Dump types; forcing user crash dumps; gflags; system resource utilization (CPU, disk, network; memory)
Set up the debugger.
WinDbg; physical connection (USB, rs-232, 1394); boot.ini; bcdedit; remoting; NMI; debugging system processes