Channel 9

Defrag Tools: #41 - WPT - Command Line

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 20 May 2013 14:24:52 GMT

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue walking you through the Windows Performance Toolkit (WPT).

Resources:
Defrag Tools: #23 - Windows 8 SDK
Defrag Tools: #29 - WinDbg - ETW Logging
Windows Performance Analysis Developer Center
Windows Performance Toolkit
Channel 9 Videos
NTDebugging Blog Article
PFE Blog Series

Timeline:
[00:00] - UI vs. Command Line
[02:15] - wpr.exe -profiles
[02:48] - wpr.exe -profiledetails
[05:30] - wpr.exe -start
[06:06] - wpr.exe -stop result.etl
[09:25] - xperf.exe -help
[09:30] - xperf.exe -providers kg
[12:18] - xperf.exe -providers kf
[16:47] - xperf.exe -on
[18:17] - xperf.exe -stop -d result.etl
[21:42] - xperf.exe ... -BufferSize
[25:55] - xperf.exe ... -MinBuffers -MaxBuffers
[27:08] - xperf.exe ... -MaxFile
[27:44] - xperf.exe ... -FileMode Circular
[30:42] - xperf.exe -merge
[32:28] - Andrew's Scripts on SkyDrive [link]
[33:15] - xperf.exe -help stackwalk
[35:10] - xperf.exe ... -stackwalk

Examples:
wpr.exe -start GeneralProfile
pause
wpr.exe -stop result.etl

xperf.exe -on Base -stackwalk Profile -BufferSize 1024 -MinBuffers 256 -MaxBuffes 256 -MaxFile 256 -FileMode Circular
pause
xperf.exe -stop -d result.etl

Defrag Tools: #40 - WPT - WPR & WPA

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 13 May 2013 15:20:42 GMT

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue walking you through the Windows Performance Toolkit (WPT).

Timeline:
[00:40] - Windows Performance Recorder (UI)
[06:00] - Windows Performance Analyzer
[06:40] - Providers vs. Visualization
[08:00] - (CPU Usage) Sampled vs. Precise
[12:30] - Analysis Pane
[14:11] - * I was thinking of MDI (Multiple Document Interface]
[14:35] - Blue Bar
[15:27] - Gold/Yellow Bar - How to Aggregate
[19:18] - Symbols & SymCache
[28:40] - Column Customization
[31:50] - More next week... and many more weeks to come!

Defrag Tools: #39 - Windows Performance Toolkit

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 06 May 2013 18:00:45 GMT

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen starting walking you through the Windows Performance Toolkit (WPT).

Timeline:
[00:00] - What is the Windows Performance Toolkit (WPT)?
[06:23] - Articles
[10:33] - Architecture of Event Tracing for Windows (ETW)
[18:30] - Windows Performance Recorder
[21:50] - Default, Resource and Scenario Profiles
[29:07] - More next week... and many more weeks to come!

Defrag: Keyboard Fail, Search Auto-Suggest, Wider CMD Window

Larry Larsen, Chad Beeder — Fri, 26 Apr 2013 22:55:18 GMT

Microsoft tech troubleshooter extraordinaire Chad Beeder (filling in for Gov who will be back next week) and I help walk you through troubleshooting solutions to your tech support problems. If you have a problem you want to send us, you can use the Problem Step Recorder in Windows 7 (see this for details on how) and send us the zip file to DefragShow@microsoft.com. We will also be checking comments for problems, but the email address will let us contact you if needed.

[00:24] - DPC Watchdog update from previous show. [link]
[05:55] - Keyboard missing some keypresses.
[07:52] - Looking at browser history.
[10:28] - Outlook showing friends birthdays but not own.
[11:32] - MSTSC behavior not consistent.
[12:45] - Sending us a Proc Dump. [link]
[15:00] - Search no longer showing auto-suggest.
[17:12] - Task bar on wrong screen after detaching.
[19:12] - How to restart Task Bar without rebooting.
[20:33] - Windows Store app fails on update.
[21:47] - Screen doesn't paint in IE sometimes until scroll.
[22:53] - How to make CMD window wider.
[24:49] - Suggesting on re-enabling PIN logon.
[25:50] - How to MKLink to share so web can save files to it.
[29:05] - Pick of the Week: Auto-hiding Task Bar based on tablet orientation. [link]

Defrag Tools: #32 - Desktops

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 18 Mar 2013 22:20:50 GMT

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen walk you through Sysinternals Desktops. Desktops allows you to organize your applications on up to four virtual desktops. We go under the covers and show how Desktops fits in to the Session, Window Station and Desktop object/security model.

** I didn't do a great job explaining Sessions/Window Stations/Desktops -- If you want to know about those concepts in detail, I suggest you watch Sysinternals Primer: Gems instead.

Resources:
Sysinternals Desktops
Sysinternals WinObj
Sysinternals LogonSessions
Aaron Margosis' TSSessions
Sysinternals Administrator's Reference - [Amazon]
Sysinternals Primer: Gems [TechEd EMEA 2012 @13:45]
Malware Hunting with the Sysinternals Tools [TechEd USA 2012 @ 44:30]

Timeline:
[01:05] - Sysinternals Desktops
[04:50] - Sessions, Window Stations and Desktops
[05:13] - Sysinternals WinObj
[05:43] - Sessions
[06:40] - Window Stations
[09:00] - Enumeration (Standard User)
[10:11] - Desktops
[11:38] - Local Security Authority (LSA) - Sessions via Logons *
[12:16] - Enumeration (Elevated User)
[15:20] - psexec -sid cmd.exe
[16:38] - Enumeration (NT Authority\SYSTEM)
[17:15] - Sessions via Logons (NT Authority\SYSTEM)
[18:26] - Media Center Extender example

* You can enumerate sessions directly via the Remote Desktop Services API.

Exercises:

Use Sysinternals LogonSessions to view the logon sessions.
Use Aaron Margosis' TSSessions to view the Sessions/Window Stations/Desktops (and much more).

Session: 0
WinStation: WinSta0
    Desktop: Default
    Desktop: Disconnect
    Desktop: Winlogon
WinStation: Service-0x0-3e4$
  WinStation: Service-0x0-3e5$
  WinStation: Service-0x0-3e7$
  WinStation: msswindowstation
     Desktop: mssrestricteddesk
Session: 1
WinStation: WinSta0
    Desktop: Default
    Desktop: Disconnect
    Desktop: Winlogon
...

Defrag Tools: #31 - ZoomIt

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 11 Mar 2013 20:27:38 GMT

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen walk you through Sysinternals ZoomIt. ZoomIt is a screen zoom and annotation tool for technical presentations that include application demonstrations. ZoomIt runs unobtrusively in the tray and activates with customizable hotkeys to zoom in on an area of the screen, move around while zoomed, and draw on the zoomed image.

Resources:
Sysinternals ZoomIt
Sysinternals Administrator's Reference - [Amazon]

Timeline:
[00:00] - Overview
[01:42] - Windows Magnifier (Win-+)
[03:35] - Ctrl-1 - Static Zoom
[05:30] - Ctrl-2 - Draw
[06:38] - Ctrl-4 - Live Zoom
[08:12] - File Save *
[10:05] - Ctrl-3 - Break Timer

* Zoomed to 480x300 on a 1920x1200 screen, the file sizes are:

Zoomed - 1920x1200
Actual - 480x300

Defrag Tools: #30 - MCTS Windows Internals

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 04 Mar 2013 23:00:00 GMT

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen review MCP exam 70-660 - MCTS Windows Internals.

Resources:
MCTS Windows Internals
Windows Internals Books
Kernrate
Poolmon
UMDH

Timeline:
[01:42] - Summary of the exam
[03:00] - Windows Internals books
[05:50] - Identifying Architectural Components
[14:17] - Designing Solutions
[21:34] - Monitoring Windows
[29:25] - Analyzing User Mode
[41:39] - Analyzing Kernel Mode
[45:17] - Debugging Windows
[48:32] - Good Luck!

Defrag Tools: #29 - WinDbg - ETW Logging

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 25 Feb 2013 22:30:47 GMT

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment goes over the Event Tracing for Windows (ETW) buffers in a kernel mode dump or live session. The ETW buffers can be extracted from the dump and viewed using the Windows Performance Toolkit (WPT). The buffers give you insight in to what has beem happening recently on the computer.

We use these commands:

!wmitrace.strdump
!wmitrace.logsave 0xNN c:\example.etl
!wmitrace.eventlogdump 0xNN
!wmitrace.help

Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution. This episode shows how install the Windows Performance Toolkit.

Timeline:
[00:00] - Event Tracing for Windows (ETW)
[02:18] - Windows Performance Toolkit (WPT)
[03:48] - !wmitrace.strdump
[04:53] - !wmitrace.logsave 0xNN c:\example.etl
[05:50] - Windows Performance Analyzer (WPA) & xPerfView
[07:57] - _NT_SYMCACHE_PATH
[10:24] - !wmitrace.eventlogdump 0xNN
[12:16] - Used for logging and performance by many teams
[15:35] - Private PDBs are needed to decode some entries
[20:00] - Windows Performance Recorder (wprui.exe)
[20:35] - Disable Paging Executive
[23:40] - WPR adds the NT Kernel Logger
[24:19] - 10min run-through of the data collected with the General, CPU and Disk providers

Defrag Tools: #28 - WinDbg - Scheduling

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 18 Feb 2013 16:17:53 GMT

This installment goes over the Windows Scheduler. We look at Running, Ready and Waiting threads, and talks about the effect of Power Management on scheduling.

We use these commands:

!running
!running -t
!ready
!dpcs
!thread 17
!thread -1 17 (current thread)

Resources:
Microsoft Data Center Tour

Timeline:
[00:00] - Episode #27's demo issue
[02:47] - Kernel Hangs
[05:18] - !running
[05:48] - Idle Threads & Processor Power Management
[10:10] - !running -t
[13:53] - !ready
[14:15] - Thread State Diagram
[16:45] - Saturated example
[20:48] - Thread Priority Diagram
[22:22] - Balance Set Manager
[25:30] - Waiting Threads
[26:52] - Summary

Defrag Tools: #27 - WinDbg - Configure Kernel Debugging

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 11 Feb 2013 17:02:42 GMT

This installment goes over the cables and configuration steps required to set up kernel mode debugging.

We use these BCDEdit commands:

bcdedit
bcdedit /dbgsettings
bcdedit /dbgsettings 1394 channel:42
bcdedit /dbgsettings net hostip:192.168.0.10 port:50000 key:a.b.c.d
bcdedit /debug on
bcdedit /debug off

In the debug session, we use these commands:

.crash
.dump /f
lm
!lmi
.reload /f
!drvobj
!drvobj 2
bl
bc *
be
bd
bp
bm
x
g

Resources:
NT Debugging Blog - How to Setup a Debug Crash Cart to Prevent Your Server from Flat Lining
NT Debugging Blog - Remoting Your Debug Crash Cart With KDNET [10th May 2013]
USBView
USB3 Debugging Cable
- Note, you must use a USB3 A-A cable designed for debugging, otherwise it will fry your box!

Timeline:
[00:45] - Kernel Debugging Cables
[02:14] - USB 2.0
[04:13] - USB 3.0 - New in Windows 8/Windows RT
[05:30] - 1394 (Firewire)
[10:39] - Break
[11:38] - Driver Objects
[16:00] - Network - New in Windows 8/Windows RT
[17:30] - Breakpoint commands
[26:00] - Network - BCDEdit
[33:37] - SecureBoot and BitLocker

Defrag Tools: #26 - WinDbg - Semaphores, Mutexes and Timers

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 04 Feb 2013 18:11:10 GMT

This installment goes over the commands used to diagnose Semaphores, Mutexes and (Waitable) Timers in a user mode application. For timers, we delve deep in to the kernel to gather more information about them. We use these commands:

!handle
!handle
!object
!object
!timer
!timer
ub @rip
dt nt!_KTHREAD

Resources:
Synchronization Functions
Semaphore Objects
Mutex Objects
Waitable Timer Objects
Sysinternals LiveKD
Sysinternals WinObj
Windows 7 and Windows Server 2008 R2 Kernel Changes (Timer Coalescing)

Timeline:
[02:47] - Demo Apps [SkyDrive]
[03:08] - Semaphores
[09:32] - Mutexes
[15:32] - Waitable Timers
[15:58] - Clock Resolution
[17:05] - Timer Coalescing
[19:45] - Timer demo application
[25:05] - LiveKD makes a kernel dump
[26:37] - Object Manager - !object
[29:40] - DPC Timers - !timer
[35:22] - !timer
[35:52] - Waiting Threads - !thread 17
[37:08] - Wait Start TickCount
[38:55] - Kernel Wait Routines
[41:12] - Dump Type of Kernel Thread - dt nt!_KTHREAD
[42:00] - Running, Ready and Waiting states
[44:54] - Wakable Timers
[47:22] - powercfg.exe /waketimers
[49:18] - 'Century' DPC Timer Routine
[50:43] - Post in the forums and email us at defragtools@microsoft.com!

Defrag Tools: #25 - WinDbg - Events

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 28 Jan 2013 17:57:16 GMT

This installment goes over the commands used to diagnose an Event hang in a user mode application. We talk about single and multiple event hangs, automatic and manual events, waitable object handles and common design patterns that you will encounter. We use these commands:

~*k
~*kv
~
~~[TID]s
dp
!handle
!handle
.dumpdebug
!uniqstack
!findstack

Resources:
Synchronization Functions
Sysinternals WinObj

Timeline:
[00:00] - Event objects
[03:56] - Waitable objects and Design Patterns
[08:00] - Handles
[10:52] - x64/x86/ARM calling conventions and 32/64bit addressing
[14:10] - WaitForSingleObject with a single Auto-Reset Event
[14:55] - !handle
[16:02] - .dumpdebug -- MiniDumpWithHandleData
[16:36] - !handle
[19:48] - Sysinternals WinObj
[24:14] - WaitForMultipleObjects with multiple Thread Handles
[30:00] - Work and Quit Event Design Pattern
[33:45] - WaitForMultipleObjects with multiple Event Handles
[38:52] - Windows Explorer example
[44:50] - Process Explorer also shows Handles (Ctrl-H)

Defrag Tools: #24 - WinDbg - Critical Sections

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 21 Jan 2013 18:24:14 GMT

This installment goes over the commands used to diagnose a Critical Section hang in a user mode application. We start with an overview of the four synchronization primitives and then delve deep in to temporary hangs, orphaned Critical Sections and deadlocks. We use these commands:

~*k
~*kv
~
~~[TID]s
!cs
!cs
!locks

Resources:
Critical Section Objects

Timeline:
[01:00] - Hang types - CPU Looping, Temporary Hangs and Permanent Hangs
[02:00] - Synchronization Objects - Event, Semaphore, Mutex, Critical Section
[06:54] - Critical Sections
[11:45] - Debugging a Hang
[28:08] - Debugging an Orphan
[32:40] - Debugging a Deadlock

Defrag Tools: #23 - Windows 8 SDK

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 14 Jan 2013 16:57:44 GMT

In this episode of Defrag Tools, Andrew Richards and Larry Larsen upgrade the software we downloaded in Episode #1 to the Windows 8 (x86 &x64) and Windows RT (ARM) versions.

Resources:
Windows Software Development Kit (SDK) for Windows 8
Sysinternals
USB3 Debugging Cable
- Note, you must use a USB3 A-A cable designed for debugging, otherwise it will fry your box!

Timeline:
[00:00] - Table tablets and 4K screens at CES 2013
[02:30] - Time to upgrade our tools to the Windows 8\Windows RT versions!
[03:20] - www.sysinternals.com
[05:34] - Win7SP1 and Win8RTM folders
[06:16] - Bing: "Windows 8 SDK"
[06:53] - Bing: "Debugging Tools for Windows"
[07:25] - New web installer does installation or download.
[10:02] - MSI files are in the ..\Windows Kits\8.0\StandaloneSDK\Installers
[13:00] - Sync your 'My' folder with SkyDrive so it is always available!
[13:30] - Install the Debugging Tools for Windows to gather the files for xcopy deployment
[15:33] - Visual Studio 2012 builds PDBs with Inline Frame information
[17:23] - Visual Studio 2012 builds PDBs with Local Variable information
[18:55] - Windows 8 supports Network and USB3 kernel debugging
[21:10] - Visual Studio 2012 now supports both the VS and DbgEng debugger engines
[21:40] - Keep posting questions and sending email to defragtools@microsoft.com!

CES 2013:
Microsoft PixelSense
The Hobbit - Production Diary #4 - Film shot at 5K 48fps 3D

Defrag Tools: #22 - WinDbg - Memory Kernel Mode

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 07 Jan 2013 20:31:31 GMT

This installment goes over the commands used to show the memory used in a kernel mode debug session. We cover these commands:

!vm
!vm 1
!memusage 8
!poolused 2
!poolused 4
!poolfind
!pool
!pool 2
!pte

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals LiveKD
Sysinternals RAMMap

Timeline:
[00:45] - Sysinternals LiveKD debug of the machine
[01:47] - Virtual Memory summary (!vm 1)
[05:10] - Sysinternals LiveKD live kernel dump (livekd.exe -m -o kernel.dmp)
[09:30] - Sysinternals RAMMap
[11:10] - Memory List summary (!memusage 8)
[16:15] - Pool Usage by Non-Paged Pool (!poolused 2)
[20:16] - Pool Tags (c:\debuggers\triage\pooltag.txt)
[28:06] - Pool Usage by Paged Pool (!poolused 4)
[29:27] - Pool issues lead to Bugchecks
[34:00] - Find Pool by Address (!pool )
[36:05] - Find Pool by Tag (!poolfind )
[40:30] - Page Table Entry (PTE) and Page Frame Number (PFN) (!pte )
[42:45] - Sometimes it is a physical hardware failure

Defrag Tools: #21 - WinDbg - Memory User Mode

Larry Larsen, Andrew Richards, Chad Beeder — Tue, 01 Jan 2013 08:46:14 GMT

This installment goes over the commands used to show the memory used in a user mode debug session. We cover these commands:

!address -summary
!address
!vprot
!mapped_file

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals VMMap
Performance and Memory Consumption Under WOW64
MEMORY_BASIC_INFORMATION structure
Memory Protection Constants

Timeline:
[00:50] - Live Debug of Notepad
[01:10] - VMMap of Notepad
[02:08] - Virtual Address Space summary (!address -summary)
[04:30] - 'Large Address Space Aware' increases the VA space from 2GB to 4GB
[08:11] - Memory Mapped Files
[10:11] - Memory Type, State and Protection (inc. Guard Pages)
[21:22] - Allocation Base vs. Base Address (!address )
[26:52] - Virtual Protection shows the Alloc. Base Protection (!vprot )
[29:14] - Mapped Files (!mapped_file )

Defrag Tools: #20 - WinDbg - Basic Commands

Larry Larsen, Andrew Richards, Chad Beeder — Tue, 25 Dec 2012 04:19:23 GMT

This installment goes over the commands used to show the state of debug session. It also shows some of the basic commands used to view process and thread information of a user mode process. We cover these commands:

version
vertarget
|
||
.sympath
.srcpath
.exepath
.extpath
.chain
!analyze -v
.bugcheck
!error
~
~NNs
~~[TID]s
~*k
~*r
!process 0 17
!threads
!findstack
!uniqstack
!peb
!teb
k=
dps
dpu
dpa
dpp
.reload /f
.reload /user
!gle
!tls

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
System Error Codes

Timeline:
[01:01] - Live Debug of Notepad
[02:14] - Overview of the debug session (version)
[03:10] - OS Version/Architecture and System/Debug/User/Kernel times (vertarget)
[09:03] - Process and System Status (| {pipe}, || {double pipe})
[10:16] - Symbol Path (.sympath)
[10:52] - Source Path (.srcpath)
[11:00] - Executable Path (.exepath, lmvm - Memory Mapped Image File)
[11:40] - Extension Path (.extpath)
[12:20] - Loaded Extensions (.chain)
[13:43] - !analyze is for both User and Kernel crashes (!analyze -v)
[14:56] - Bugcheck code and arguments (.bugcheck)
[15:26] - Error Code Lookup (!error)
[16:04] - Threads in a User Process (~ {tilde})
[17:33] - Change Current Thread Context (~NNs)
[20:13] - Show all the call stacks or registers (~*k, ~*r)
[21:04] - Change Current Thread Context by TID (~~[TID]s)
[24:18] - Show all the call stacks in all the processes in a kernel session (!process 0 17)
[25:29] - Configuration summary of all thread (!threads)
[26:54] - Find call stack (!findstack)
[27:35] - Unique call stacks (!uniqstack)
[28:30] - Process Environment Block (!peb)
[30:50] - Thread Environment Block (!teb)
[32:02] - Buffer Overflow of a stack variable
[33:11] - Call Stack Recreation (k= {x64})
[34:40] - Display Pointers as a Symbol, Unicode, ANSI or Pointer (dps, dpu, dpa, dpp)
[37:40] - Force the loading of symbols (.reload /f)
[38:43] - Force the loading of user symbols in the kernel when you change thread context (.reload /user)
Note: /u is for unload, not load user symbols - that's why Chad is the kernel guy!
[39:18] - SetLastError/GetLastError value in the TEB (!gle)
[40:14] - Thread Local Storage values in the TEB (!tls)

Defrag Tools: #19 - WinDbg - OCA

Larry Larsen, Andrew Richards, Chad Beeder — Tue, 18 Dec 2012 02:54:20 GMT

In this week's episode of Defrag Tools, Graham McIntyre, Senior Developer from the Windows Reliability team, gives us an overview of Online Crash Analysis (OCA). Graham describes OCA and how dump collection has been enhanced in Windows 8.

Resources:
Debugging Tools for Windows
Bugcheck 0x133 - DPC_WATCHDOG_VIOLATION
Bugcheck 0x144 - BUGCODE_USB3_DRIVER

Timeline:
[00:00] Intro
[01:00] "Send to Microsoft" does go somewhere!
[02:00] What happens at a Bugcheck
[08:00] OCA 'Buckets'
[11:17] "Request for Additional Data"
[12:09] OCA 'Solutions'
[13:00] Data Mining
[15:25] Trending issues
[17:46] Firmware and DMA bugs caught by PFN tracking
[19:32] Reliability History and Problem Reports
[22:15] Event Viewer - 'Windows Error Reporting' source
[23:38] 'Automatic' dump type
[26:15] OEM/ISV/IHV Relationships
[28:02] Bugcheck 0x133 - DPC_WATCHDOG_VIOLATION [NT Debugging Blog]
[30:30] !findxmldata
[31:06] Bugcheck 0x144 - BUGCODE_USB3_DRIVER

Defrag Tools: #18 - WinDbg - Driver Verifier - Part 3

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 10 Dec 2012 20:33:55 GMT

In this followup to last week's episode of Defrag Tools, Michael Fourre, senior test engineer from the Driver Verifier team, gives us an overview of all the available verifier settings, and explains when you might need to use them.

Resources:

Debugging Tools for Windows

About Driver Verifier

Timeline:

[00:00] Intro
[00:58] Volatile mode (also known as "No Reboot Feature")
[02:09] Using Verifier on production systems
[03:19] Different ways to configure Verifier (command line vs. GUI)
[05:55] /query vs. /querysettings
[07:38] "Deadlock Detection." How does it work?
[11:07] Standard Flags overview
[13:28] Additional Flags overview
[15:43] /log switch

Defrag Tools: #17 - WinDbg - Driver Verifier - Part 2

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 03 Dec 2012 19:13:52 GMT

In this episode of Defrag Tools, Michael Fourre, senior test engineer from the Driver Verifier team, pays a visit to Larry Larsen and Chad Beeder in the Channel 9 studios to give us some deeper insight into this valuable tool for catching device driver bugs!

Resources:

Debugging Tools for Windows

About Driver Verifier

Timeline:
[00:00] Intro - Michael Fourre
[01:45] New Windows 8 feature: DDI compliance checking
[02:33] Verifier.exe: command line vs. GUI
[03:10] Looking at a Windows 8 verifier crash
[04:37] New Windows 8 verifier feature - VerifierExt.sys driver
[05:39] !ruleinfo tells you what the driver did wrong
[08:00] Best practices with Driver Verifier when you suspect a faulty driver
[09:03] Performance impact of enabling Driver Verifier
[10:37] Using !verifier in the debugger to view verifier settings and statistics
[11:50] Viewing IRQL transition log with !verifier 0x8
[13:13] What are IRQLs (Interrupt Request Levels)
[15:41] Does Driver Verifier make drivers behave differently?
[19:00] Other useful flags to use with !verifier
[22:10] Viewing kernel pool allocate/free log with !verifier 0x80
[22:45] Viewing IRP allocate/complete log with !verifier 0x100
[23:19] Disable verifier on the fly: !verifier -disable

Defrag Tools: #16 - WinDbg - Driver Verifier

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 26 Nov 2012 17:27:00 GMT

Not all Blue Screens of Death are easy to debug! Sometimes, you need to enable extra checking to help catch a buggy device driver. In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss using Driver Verifier in conjunction with WinDbg to track down a driver which is corrupting kernel mode pool memory.

Debugger commands used:

!analyze -v
.trap
ub
dp
dps
dc
kv

Resources:

Debugging Tools for Windows

Windows Internals book tools (including NotMyFault)

Forcing a System Crash from the Keyboard

How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system

Driver Verifier Options

Timeline:

[00:09] - What is Driver Verifier?
[01:54] - Using NotMyFault to cause a buffer overflow
[06:04] - Looking at a buffer overflow dump in WinDbg
[08:10] - What is the .trap command? (see: x64 Register Usage)
[12:45] - First dump was inconclusive. Looking at a second buffer overflow dump.
[15:47] - Memory is corrupted, but how to find out who is corrupting it? Driver Verifier!
[16:55] - Launching and configuring Driver Verifier
[20:20] - Verifier enabled, let's crash the system!
[21:25] - What is special pool?
[22:27] - Looking at the memory dump (captured with Verifier enabled)
[25:13] - Forcing a memory dump of a hung system via keyboard
[28:00] - Forcing a memory dump of a hung system via NMI switch
[31:52] - Advanced/custom Driver Verifier settings

Defrag Tools: #15 - WinDbg - Bugchecks (BSOD)

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 19 Nov 2012 08:58:11 GMT

In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss analyzing kernel mode bugchecks (colloquially known as Blue Screens of Death) using WinDbg from the Debugging Tools For Windows.

We use these commands:

!analyze -v
.hh
.trap
!pte
!process
!thread
.formats
.process
.thread
k
~
.reload

Resources:

Debugging Tools for Windows

How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2

Windows Internals book tools (including NotMyFault)

Timeline:

[00:50] - What is a bugcheck (blue screen)?
[03:23] - Different types of memory dump files (complete, kernel-only, mini)
[05:16] - Windows Error Reporting
[07:17] - Configuring your system for a memory dump
[07:54] - Enabling "Complete memory dump" option on Windows 7 and Server 2008 R2; see KB 969028
[10:45] - Looking at a 32-bit memory dump created by NotMyFault
[12:04] - Symbol path
[13:21] - Step 1 is always: !analyze -v
[15:40] - Looking up bug check descriptions - Windows Debugger Help (.hh)
[19:45] - Looking at the trap frame (.trap)
[20:18] - Why did a memory access fail? (Using !pte command to look at virtual memory mappings)
[22:15] - What is a trap frame? (64-bit systems do not store all registers in trap frames; see blog post here)
[26:50] - Showing all running processes with !process 0 0
[28:48] - View more details on a specific process with !process
[31:43] - Converting between numerical formats with .formats
[32:55] - Switching the debugger into a process or thread context: use .process or .thread
[35:10] - Switching between CPUs (~ command)
[38:13] - Next week: Driver Verifier

Defrag Tools: #14 - WinDbg - SOS

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 12 Nov 2012 18:24:02 GMT

In this episode of Defrag Tools, Andrew Richards and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment shows how you can view the user mode call stack and stack variables in a native, managed (.NET) or Silverlight process. We use these commands:

dv
dt
!sos.dumpstack
!sos.dumpstackobjects / !sos.dso
!sos.dumpobj / !sos.do
!sos.printexception / !sos.pe
.frame
.f+
.f-
.load
.unload
.loadby
.chain
lm / lmm / lmvm
.extmatch
.prefer_dml 1
.lines
.ecxr
.cls

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals ProcDump
Silverlight Developer Runtime

Timeline:
[01:05] - Native vs. Managed variables
[02:35] - Display Variables (dv) and Display Type (dt)
[03:38] - Debugger Extensions (.chain, .load, .unload)
[05:43] - Extension Match (.extmatch)
[07:08] - ProcDump v5.1 captures a .NET 2 and .NET 4 exception
[08:46] - .NET engines versus .NET releases
[10:34] - Loading "Son of Strike" for .NET 2 engine applications (.loadby sos.dll mscorwks)
[13:44] - Loading "Son of Strike" for .NET 4 engine applications (.loadby sos.dll clr)
[15:24] - Dump Call Stack (!sos.dumpstack)
[16:32] - Dump Stack Objects (!sos.dumpstackobjects / !sos.dso)
[17:30] - Dump Object (!sos.dumpobject / !sos.do)
[17:51] - Enable DML (.prefer_dml 1)
[20:14] - Toggling Line display (.lines)
[20:52] - Current Frame Context (.frame, .f+, .f-); Note, registers do not change
[22:58] - ProcDump v5.1 misses Silverlight exceptions
[24:50] - Silverlight Developer Runtime (dbgshim.dll & sos.dll)
[26:10] - ProcDump v5.1 captures a Silverlight exception
[28:10] - Loading "Son of Strike" for Silverlight applications (.loadby sos.dll coreclr)
[30:47] - Missed: Exceptions can also be displayed with !sos.printexception / !sos.pe
[31:29] - Episode review and next week... Kernel debugging

Defrag Tools: Live - //build/ 2012

Larry Larsen, Mark Russinovich, Andrew Richards, Chad Beeder — Tue, 06 Nov 2012 17:50:16 GMT

Mark Russinovich joins Larry Larsen and Andrew Richards for a live version of Defrag Tools where they take questions about troubleshooting Windows 8, the changes to the Sysinternals Tools, Driver support, VHD support, Security, and much more.

Defrag Tools: #13 - WinDbg

Larry Larsen, Andrew Richards, Chad Beeder — Mon, 22 Oct 2012 18:34:59 GMT

In this episode of Defrag Tools, Andrew Richards and Larry Larsen start walking you through the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This first WinDbg installment configures the system to open dumps files via an adjusted Context Menu. It shows how to set WinDbg as the (AeDebug) postmortem debugger, and how to use ProcDump v5.1 to do the same but capture the process as a dump file. It then starts to explain some basic concepts of debugging: call stacks (k), registers (r) and exception context records (.ecxr).

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals ProcDump

Timeline:
[00:00] - Windows 8 General Availability (GA)
[02:45] - WinDbg -IA - Register File Associations
[05:45] - Custom Context Menu
[10:15] - WinDbg -I - Register Postmortem Debugger
[11:07] - Custom AeDebug: -c ".jdinfo %p"
[15:00] - ProcDump v5.1: -i
[18:00] - Internals of Windows Error Reporting
[21:48] - Registers (r)
[29:50] - Exception Context Record (.ecxr)
[32:01] - Examples - NT Debugging Blog
[34:02] - MSJ Magazine - Under The Hood
[35:20] - Intel Developer's Manual
[38:40] - Next week, Call Stacks, Locals and .NET/Silverlight extensions

MSJ (MSDN) Magazine:

Assembly Language
http://www.microsoft.com/msj/0298/hood0298.aspx
http://www.microsoft.com/msj/0797/hood0797.aspx

NT Debugging Blog: http://blogs.msdn.com/b/ntdebugging/

Debugging Techniques
http://blogs.msdn.com/b/ntdebugging/archive/2007/06/13/hung-window-no-source-no-problem-part-1.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2007/06/15/hung-window-no-source-no-problem-part-2.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2007/06/15/this-button-doesn-t-do-anything.aspx

Fundamentals
http://blogs.msdn.com/b/ntdebugging/archive/tags/fundamentals+exercise/

Puzzles
http://blogs.msdn.com/b/ntdebugging/archive/tags/puzzler/

Custom Context Menu (WinDbg -IA):

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.dmp]
@="WinDbg.DumpFile.1"
 
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1]
@="WinDbg Post-Mortem Dump File"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\DefaultIcon]
@="\"C:\\debuggers\\windbg.exe\",-3002"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell]
@="Open"
 
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open]
@="Open x&64"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open\command]
@="\"C:\\debuggers\\windbg.exe\" -z \"%1\" -c \".prefer_dml 1\""
 
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open_x86]
@="Open x&86"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open_x86\command]
@="\"C:\\debuggers_x86\\windbg.exe\" -z \"%1\" -c \".prefer_dml 1\""

Custom AeDebug (WinDbg -I):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="\"C:\\debuggers\\windbg.exe\" -p %ld -e %ld -c \".jdinfo %p\""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="\"C:\\debuggers_x86\\windbg.exe\" -p %ld -e %ld -c \".jdinfo %p\""