Entries:
Comments:
Posts:

Loading User Information from Channel 9

Something went wrong getting user information from Channel 9

Latest Achievement:

Loading User Information from MSDN

Something went wrong getting user information from MSDN

Visual Studio Achievements

Latest Achievement:

Loading Visual Studio Achievements

Something went wrong getting the Visual Studio Achievements

Defrag Tools: #22 - WinDbg - Memory Kernel Mode

Download

Right click “Save as…”

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment goes over the commands used to show the memory used in a kernel mode debug session. We cover these commands:

  • !vm
  • !vm 1
  • !memusage 8
  • !poolused 2
  • !poolused 4
  • !poolfind <tag>
  • !pool <addr>
  • !pool <addr> 2
  • !pte

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals LiveKD
Sysinternals RAMMap

Timeline:
[00:45] - Sysinternals LiveKD debug of the machine
[01:47] - Virtual Memory summary (!vm 1)
[05:10] - Sysinternals LiveKD live kernel dump (livekd.exe -m -o kernel.dmp)
[09:30] - Sysinternals RAMMap
[11:10] - Memory List summary (!memusage 8)
[16:15] - Pool Usage by Non-Paged Pool (!poolused 2)
[20:16] - Pool Tags (c:\debuggers\triage\pooltag.txt)
[28:06] - Pool Usage by Paged Pool (!poolused 4)
[29:27] - Pool issues lead to Bugchecks
[34:00] - Find Pool by Address (!pool <addr>)
[36:05] - Find Pool by Tag (!poolfind <tag>)
[40:30] - Page Table Entry (PTE) and Page Frame Number (PFN) (!pte <addr>)
[42:45] - Sometimes it is a physical hardware failure

Tags:

Follow the Discussion

  • The video seems to bug out at 31:57.  Is anyone else having this issue or is it just me?

  • Golnazgolnazal HEY HEY HEY

    @JohnLudlow: what's happening with your video exactly? 

  • d_blkdcrearer d_blk

    Happy New Year!!! 

    Dudes I love this series its totally awesome... I feel you guy's are providing a great learning outlet especially for a beginner like myself. However at times the show gets hi jacked and it never gets back on course. I felt the past two episodes could have been a bit more linear and detailed.

    keep up the good work dudes.

  • Andrew Richardswindev Andrew Richards

    @dcrearer:  Send us an email at defragtools@microsoft.com to explain what you exactly mean. We'd really like to hear your feedback in detail.

    Since we are making up the content (live) as we go to air, we may get off track from time-to-time. When we do, call us on it and we will revisit the episode.

  • igarvinigarvin

    Great series, very beneficial for the forensic troubleshooting connoisseur.

    Btw, concerning the 'bad' pages mentioned in !memusage, this value is typically not an accurate representation of actual bad pages. Pavel Lebedinsky, SDET at Microsoft, commented on this at the blog below:

    http://analyze-v.com/?p=558#comments

Remove this comment

Remove this thread

close

Comments Closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.