** I didn't do a great job explaining Sessions/Window Stations/Desktops -- If you want to know about those concepts in detail, I suggest you watch Sysinternals Primer: Gems instead.

Resources:
Sysinternals Desktops
Sysinternals WinObj
Sysinternals LogonSessions
Aaron Margosis' TSSessions
Sysinternals Administrator's Reference - [Amazon]
Sysinternals Primer: Gems [TechEd EMEA 2012 @13:45]
Malware Hunting with the Sysinternals Tools [TechEd USA 2012 @ 44:30]

Timeline:
[01:05] - Sysinternals Desktops
[04:50] - Sessions, Window Stations and Desktops
[05:13] - Sysinternals WinObj
[05:43] - Sessions
[06:40] - Window Stations
[09:00] - Enumeration (Standard User)
[10:11] - Desktops
[11:38] - Local Security Authority (LSA) - Sessions via Logons *
[12:16] - Enumeration (Elevated User)
[15:20] - psexec -sid cmd.exe
[16:38] - Enumeration (NT Authority\SYSTEM)
[17:15] - Sessions via Logons (NT Authority\SYSTEM)
[18:26] - Media Center Extender example

* You can enumerate sessions directly via the Remote Desktop Services API.

Exercises:

Use Sysinternals LogonSessions to view the logon sessions.
Use Aaron Margosis' TSSessions to view the Sessions/Window Stations/Desktops (and much more).

Session: 0
  WinStation: WinSta0
    Desktop: Default
    Desktop: Disconnect
    Desktop: Winlogon
  WinStation: Service-0x0-3e4$
  WinStation: Service-0x0-3e5$
  WinStation: Service-0x0-3e7$
  WinStation: msswindowstation
     Desktop: mssrestricteddesk
Session: 1
  WinStation: WinSta0
    Desktop: Default
    Desktop: Disconnect
    Desktop: Winlogon
...

Resources:
Sysinternals ZoomIt
Sysinternals Administrator's Reference - [Amazon]

Timeline:
[00:00] - Overview
[01:42] - Windows Magnifier (Win-+)
[03:35] - Ctrl-1 - Static Zoom
[05:30] - Ctrl-2 - Draw
[06:38] - Ctrl-4 - Live Zoom
[08:12] - File Save *
[10:05] - Ctrl-3 - Break Timer

* Zoomed to 480x300 on a 1920x1200 screen, the file sizes are:

• Zoomed - 1920x1200
• Actual - 480x300

Resources:
Windows Software Development Kit (SDK) for Windows 8
Sysinternals
USB3 Debugging Cable
- Note, you must use a USB3 A-A cable designed for debugging, otherwise it will fry your box!

Timeline:
[00:00] - Table tablets and 4K screens at CES 2013
[02:30] - Time to upgrade our tools to the Windows 8\Windows RT versions!
[03:20] - www.sysinternals.com
[05:34] - Win7SP1 and Win8RTM folders
[06:16] - Bing: "Windows 8 SDK"
[06:53] - Bing: "Debugging Tools for Windows"
[07:25] - New web installer does installation or download.
[10:02] - MSI files are in the ..\Windows Kits\8.0\StandaloneSDK\Installers
[13:00] - Sync your 'My' folder with SkyDrive so it is always available!
[13:30] - Install the Debugging Tools for Windows to gather the files for xcopy deployment
[15:33] - Visual Studio 2012 builds PDBs with Inline Frame information
[17:23] - Visual Studio 2012 builds PDBs with Local Variable information
[18:55] - Windows 8 supports Network and USB3 kernel debugging
[21:10] - Visual Studio 2012 now supports both the VS and DbgEng debugger engines
[21:40] - Keep posting questions and sending email to defragtools@microsoft.com!

CES 2013:
Microsoft PixelSense
The Hobbit - Production Diary #4 - Film shot at 5K 48fps 3D

This installment goes over the commands used to show the memory used in a kernel mode debug session. We cover these commands:

• !vm
• !vm 1
• !memusage 8
• !poolused 2
• !poolused 4
• !poolfind <tag>
• !pool <addr>
• !pool <addr> 2
• !pte

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals LiveKD
Sysinternals RAMMap

Timeline:
[00:45] - Sysinternals LiveKD debug of the machine
[01:47] - Virtual Memory summary (!vm 1)
[05:10] - Sysinternals LiveKD live kernel dump (livekd.exe -m -o kernel.dmp)
[09:30] - Sysinternals RAMMap
[11:10] - Memory List summary (!memusage 8)
[16:15] - Pool Usage by Non-Paged Pool (!poolused 2)
[20:16] - Pool Tags (c:\debuggers\triage\pooltag.txt)
[28:06] - Pool Usage by Paged Pool (!poolused 4)
[29:27] - Pool issues lead to Bugchecks
[34:00] - Find Pool by Address (!pool <addr>)
[36:05] - Find Pool by Tag (!poolfind <tag>)
[40:30] - Page Table Entry (PTE) and Page Frame Number (PFN) (!pte <addr>)
[42:45] - Sometimes it is a physical hardware failure

This installment shows how you can view the user mode call stack and stack variables in a native, managed (.NET) or Silverlight process. We use these commands:

• dv
• dt
• !sos.dumpstack
• !sos.dumpstackobjects / !sos.dso
• !sos.dumpobj / !sos.do
• !sos.printexception / !sos.pe
• .frame
• .f+
• .f-
• .load
• .unload
• .loadby
• .chain
• lm / lmm / lmvm
• .extmatch
• .prefer_dml 1
• .lines
• .ecxr
• .cls

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals ProcDump
Silverlight Developer Runtime

Timeline:
[01:05] - Native vs. Managed variables
[02:35] - Display Variables (dv) and Display Type (dt)
[03:38] - Debugger Extensions (.chain, .load, .unload)
[05:43] - Extension Match (.extmatch)
[07:08] - ProcDump v5.1 captures a .NET 2 and .NET 4 exception
[08:46] - .NET engines versus .NET releases
[10:34] - Loading "Son of Strike" for .NET 2 engine applications (.loadby sos.dll mscorwks)
[13:44] - Loading "Son of Strike" for .NET 4 engine applications (.loadby sos.dll clr)
[15:24] - Dump Call Stack (!sos.dumpstack)
[16:32] - Dump Stack Objects (!sos.dumpstackobjects / !sos.dso)
[17:30] - Dump Object (!sos.dumpobject / !sos.do)
[17:51] - Enable DML (.prefer_dml 1)
[20:14] - Toggling Line display (.lines)
[20:52] - Current Frame Context (.frame, .f+, .f-); Note, registers do not change
[22:58] - ProcDump v5.1 misses Silverlight exceptions
[24:50] - Silverlight Developer Runtime (dbgshim.dll & sos.dll)
[26:10] - ProcDump v5.1 captures a Silverlight exception
[28:10] - Loading "Son of Strike" for Silverlight applications (.loadby sos.dll coreclr)
[30:47] - Missed: Exceptions can also be displayed with !sos.printexception / !sos.pe
[31:29] - Episode review and next week... Kernel debugging

This first WinDbg installment configures the system to open dumps files via an adjusted Context Menu. It shows how to set WinDbg as the (AeDebug) postmortem debugger, and how to use ProcDump v5.1 to do the same but capture the process as a dump file. It then starts to explain some basic concepts of debugging: call stacks (k), registers (r) and exception context records (.ecxr).

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals ProcDump

Timeline:
[00:00] - Windows 8 General Availability (GA)
[02:45] - WinDbg -IA - Register File Associations
[05:45] - Custom Context Menu
[10:15] - WinDbg -I - Register Postmortem Debugger
[11:07] - Custom AeDebug: -c ".jdinfo %p"
[15:00] - ProcDump v5.1: -i <folder>
[18:00] - Internals of Windows Error Reporting
[21:48] - Registers (r)
[29:50] - Exception Context Record (.ecxr)
[32:01] - Examples - NT Debugging Blog
[34:02] - MSJ Magazine - Under The Hood
[35:20] - Intel Developer's Manual
[38:40] - Next week, Call Stacks, Locals and .NET/Silverlight extensions

MSJ (MSDN) Magazine:

Assembly Language
http://www.microsoft.com/msj/0298/hood0298.aspx
http://www.microsoft.com/msj/0797/hood0797.aspx

NT Debugging Blog:  http://blogs.msdn.com/b/ntdebugging/

Debugging Techniques
http://blogs.msdn.com/b/ntdebugging/archive/2007/06/13/hung-window-no-source-no-problem-part-1.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2007/06/15/hung-window-no-source-no-problem-part-2.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2007/06/15/this-button-doesn-t-do-anything.aspx

Fundamentals
http://blogs.msdn.com/b/ntdebugging/archive/tags/fundamentals+exercise/

Puzzles
http://blogs.msdn.com/b/ntdebugging/archive/tags/puzzler/

Custom Context Menu (WinDbg -IA):

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.dmp]
@="WinDbg.DumpFile.1"
 
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1]
@="WinDbg Post-Mortem Dump File"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\DefaultIcon]
@="\"C:\\debuggers\\windbg.exe\",-3002"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell]
@="Open"
 
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open]
@="Open x&64"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open\command]
@="\"C:\\debuggers\\windbg.exe\" -z \"%1\" -c \".prefer_dml 1\""
 
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open_x86]
@="Open x&86"
[HKEY_CLASSES_ROOT\WinDbg.DumpFile.1\shell\Open_x86\command]
@="\"C:\\debuggers_x86\\windbg.exe\" -z \"%1\" -c \".prefer_dml 1\""

Custom AeDebug (WinDbg -I):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="\"C:\\debuggers\\windbg.exe\" -p %ld -e %ld -c \".jdinfo %p\""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="\"C:\\debuggers_x86\\windbg.exe\" -p %ld -e %ld -c \".jdinfo %p\""

Part 1 covers what the tool captures and the outage durations that can be expected.
Part 2 goes through the wide variety of triggering options; in particular 1st and 2nd chance exceptions.
Part 3 (this week) goes through Windows 8 Modern Application support and Process Monitor logging support.

Resources:
Sysinternals ProcDump

Timeline:
[00:00] - Overview of Windows 8 Modern Applications
[01:09] - ProcDump v5.0 vs. PLMDebug
[01:38] - Registry - Package and Application Names (AppUserModeId)
[02:00] - Activation and Monitoring (-x <folder> <appusermodeid>) 
[04:42] - User created ProcDump
[05:21] - Registry changes - DebugInformation
[05:40] - PLM created ProcDump
[06:53] - Process Monitor - Debug Output Profile events
[09:50] - PLM behaviour for Attach vs. Launch
[11:17] - And that's it for ProcDump!

Part 1 covers what the tool captures and the outage durations that can be expected.
Part 2 (this week) goes through the wide variety of triggering options; in particular 1st and 2nd chance exceptions.
Part 3 goes through Windows 8 Modern Application support and Process Monitor logging support.

Resources: 
Sysinternals ProcDump

Timeline:
[00:27] - WinDbg -IA - Register File Associations
[00:58] - WinDbg -I - Postmortem Debugger (AeDebug) **
[04:48] - Triggers
[05:13] - Breakpoints (-b)
[06:03] - CPU (-c) and Uniprocessor scale (-u) [Compound Case of the Outlook Hangs]
[11:06] - Count (-n)
[11:42] - Examples (-? -e)
[12:02] - Performance Counters (-p <counter> <value>) *
[13:20] - Hung window (-h)
[13:36] - Wait (-w <process>) and Execute (-x <folder> <process>)
[14:28] - Crashes (e.g. procdump -e -x c:\dumps notepad) ***
[16:45] - Memory Commit (-m <Mb>)
[18:25] - Timed (-n <count> -s <seconds>)
[21:30] - Process Name vs PID
[22:24] - Exceptions; C++ (msc) vs CLR vs OS
[23:35] - Crashes & Recovery - aka 2nd Chance Exceptions (-e)
[28:40] - 1st Chance Exceptions (-e 1)
[31:07] - Exception Filtering (-f <filter>)
[33:30] - Exception Names
[34:50] - System Error Codes and !error
[36:30] - Ignore transistion to .NET 4 managed debugging (-g)
[38:07] - Next time... Windows 8 Modern Applications and Process Monitor Logging

* The Performance Counter (-p) trigger does use the seconds (-s) parameter.
** ProcDump v5.1 (not yet released) adds procdump.exe -i <folder> support to set ProcDump as the postmortem debugger for both x64 and x86 applications (includes a JIT context).
*** If you are using ProcDump v5.0 as the postmortem debugger (doesn't include a JIT context), use these AeDebug settings:
Auto = "1"
Debugger = "C:\my\sysinternals\procdump.exe %ld -ma c:\dumps"

Part 1 (this week) covers what the tool captures and the outage durations that can be expected.
Part 2 goes through the wide variety of triggering options; in particular 1st and 2nd chance exceptions.
Part 3 goes through Windows 8 Modern Application support and Process Monitor logging support.

Resources:
Sysinternals ProcDump
Sysinternals VMMap

Timeline:
[01:15] - Download latest version - www.sysinternals.com
[02:23] - ProcDump v5 features
[03:52] - Task Manager, Process Explorer vs. ProcDump
[05:32] - Dump architecture (x86 vs. x64) needs to match the target
[08:02] - Mini, Full (-ma), MiniPlus (-mp) and Custom (-d) dumps
[13:45] - WinDbg - rely on Mapped Memory Image File
[16:54] - ProcDump Custom Dump Support (-d <dll>) - [MSDN Magazine]
[18:34] - Detach at Shutdown, Logoff, Console Close, Ctrl-C, Ctrl-Break
[19:15] - Process Reflection (-r)
[21:44] - Episode review and required permissions
[23:03] - Next episode, triggering...

Write a comment before 24th Sept. for a chance to win a signed copy of Trojan Horse!

Blog:
Mark's Blog (TechNet) - http://blogs.technet.com/b/markrussinovich/
Mark's Web Site - http://www.russinovich.com/
Sysinternals Web Site - http://www.sysinternals.com

Videos:
All of Mark's videos on Channel 9 and talks at conferences. Of note:
* Case of the Unexplained...
* Mysteries of Memory Management Revealed - Part 1, Part 2
* Malware Hunting with the Sysinternals Tools
* RSA Conference 2012 -- Zero Day: A Non-Fiction View
* Inside Windows 7
* Inside Windows 7 Redux
* Windows 7 and Windows Server 2008 R2 Kernel Changes
* Windows Vista and Windows Server 2008 Kernel Changes

Books:
Sysinternals Administrator's Reference - [Amazon]
Windows Internals books:
* 4th Edition - Windows XP and Windows Server 2003 - [Amazon]
* 5th Edition - Windows Vista and Windows Server 2008 - [Amazon]
* 6th Edition - Windows 7 and Windows Server 2008 R2 - [Amazon: Part 1, Part 2]
Cybersecurity novels:
* Zero Day - A Novel - [Amazon]
* Trojan Horse - A Novel - [Amazon]
* Operation Desolation - A Short Story - [Amazon]

Timeline:
[00:00] - How did Sysinternals start?
[02:20] - Tools that never got released and tool retirement
[03:55] - The most complex tool - Process Explorer
[04:51] - Favorite tool - ZoomIt
[07:01] - Windows Internals books
[10:54] - What's the best way to learn how to troubleshoot?
[12:47] - Do traditional techniques work when analyzing viruses?
[13:49] - Cybersecurity awareness
[14:40] - Cybersecurity novels
[16:28] - Cybersecurity advice for corporations and individuals
[20:25] - White Listing
[22:53] - User Account Control (UAC)
[29:55] - Winternals vs Sysinternals vs Windows Internals
[31:08] - New Windows 8 features/support in the Sysinternals tools:
* Process Explorer v15.1
* Process Monitor v3.0
* ProcDump v5.0
* RAMMap v1.2
* DebugView v4.78
* AccessChk v5.1
[33:57] - Windows Internals 7th edition (for Windows 8)? Windows Azure Internals?
[36:47] - New tools - PsPing, RAMMap, VMMap
[40:33] - Win a signed copy of Trojan Horse!

Resources:
Sysinternals VMMap
'Mysteries of Memory Management Revealed' talk [Part 1, Part 2]
Sysinternals Administrator's Reference - [Amazon]

Timeline:
[01:32] - Bar Graphs
[02:58] - Committed, Reserved or Free
[03:35] - Shared Memory and Copy on Write
[05:35] - Memory Types
[09:06] - CPU Addressing Limit (~44bits)
[10:17] - Manual Refresh (F5) and Difference (Ctrl-D)
[11:49] - 'Image' entries
[14:55] - Menus
[17:33] - Timeline... First look
[18:30] - Symbols
[19:30] - Tracing an application from launch
[21:19] - Timeline... Second look
[22:58] - Tracing an application from launch (2nd attempt)
[24:15] - Application Symbol and Source Paths
[25:50] - Source code from a Stack
[27:07] - Summary

Resources:
Sysinternals RAMMap

Timeline:
[01:00] - 'Mysteries of Memory Management Revealed' talk [Part 1, Part 2]
[01:40] - The brick wall analogy
[05:35] - Page Faults
[06:32] - 'Use Counts' tab
[07:40] - Memory Lists - state transition explanation
[13:37] - 'Use Counts' tab... continued
[16:33] - Paged and Nonpaged Pool
[19:00] - Driver Locked
[21:40] - 'Processes' tab... inc. Zombie Processes
[24:00] - 'Priority Summary' tab... inc. Memory Pressure
[26:56] - 'Physical Pages' tab
[28:00] - 'Physical Ranges' tab
[28:38] - 'File Summary' tab
[29:36] - 'File Details' tab
[30:20] - 'Empty' menu... inc. Performance Analysis
[31:33] - Sysinternals Administrator's Reference [Amazon]
[32:05] - Next time...VMMap

Resources:
Sysinternals Autoruns

Timeline:
[01:05] - A look back in time...
[03:20] - SysEdit on Windows 95
[04:32] - Bar Napkin (Janet Harris)
[06:19] - MSConfig on Windows 98
[07:25] - MSConfig on Windows 7
[13:03] - Sysinternals Autoruns
[33:19] - Reboot required

Raymond Chen's Blog:
The Old New Thing

Part 1 (last week) covers the tool itself.
Part 2 (this week) goes though a wide variety of examples showing how different techniques are required for different investigations.

Resources:
Sysinternals Process Monitor

Timeline:
[00:00] - Last week...
[01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog
[08:30] - Using Summary reports to see the current filter's resource usage
[15:09] - Capturing a ProcMon log of system boot
[19:25] - Analyzing the boot log
[27:32] - The Startup/Shutdown chapter of the Windows Internals book [4th edition, 5th edition, 6th edition Part 2]. Note, it's Chapter 13, not Chapter 4, as mentioned on the show. Chapter 13 is in Part 2 of the 6th edition.
[28:17] - Next time...Autoruns

More Examples:
Case of the Unexplained... by Mark Russinovich
Sysinternals Gems by Aaron Margosis

Part 1 (this week) covers the tool itself.
Part 2 (next week) goes though a wide variety of examples showing how different techniques are required for different investigations.

Resources:
Sysinternals Process Monitor

Timeline:
[01:03] - Episode Overview
[01:55] - www.sysinternals.com
[03:30] - Launching & EULA
[04:00] - Events traced
[06:28] - Sysinternals Administrator's Reference - [Amazon]
[07:00] - File Menu - Open, Save, Backing Files/Pagefile, Capture Events and Configuration
[10:34] - Edit Menu - Copy, Find, Highlight, Bookmarks, Auto Scroll and Clear Display
[14:52] - Events Menu - Jump To, Search Online, (Quick) Filtering, Filemon/Regmon heritage, Highlight &Filter dialogs
[22:48] - Filter Menu - Advanced Output, Load/Save/Organize Filters, Drop Filtered Events
[25:02] - Tools Menu - Next episode...
[25:28] - Options Menu - Symbols, History Depth, Profiling and Network Addresses
[28:47] - Command Line - Refer to the book, help file and the dialog
[29:08] - Columns - in particular, the Relative Time and Duration columns
[31:48] - Next episode, examples...

Resources:
Sysinternals Process Explorer

Timeline:
[00:15] - www.sysinternals.com
[01:18] - Launching & EULA
[02:45] - Task Manager vs. Process Explorer
[03:30] - CPU Usage
[05:00] - OS Support - Windows XP/2003 SP3 and above - x86, x64 and IA64
[05:25] - Multiple Architecture binary - procexp.exe (32bit) creates procexp64.exe (64bit) on x64 system
[06:53] - "Show Details for all users" to access all processes
[07:24] - Interrupts not shown in Task Manager (it's in Idle)
[07:56] - Performance Graphs - Menu, Tray and System Information
[09:00] - System Commit (Limit) - Physical Memory + Pagefile
[10:22] - Historical data via tooltips on graphs
[11:24] - Always run Process Explorer - "procexp.exe /t /e" with run it elevated and will immediately minimize it to the notification tray (note, these switches are order sensitive)
[13:12] - Data obtained via the Process Explorer device driver
[14:20] - Process Tree
[16:06] - Autostart Location and the Explore button (Jump to)
[17:30] - Find Window target tool
[18:07] - Security - Integrity Levels (and UAC Virtualization), ASLR and Verified Signer
[21:50] - Columns - Process, I/O, GPU, Handle (View), DLL (View) and .NET
[26:18] - Sysinternals Administrator's Reference - [Amazon]
[26:42] - File Menu
[26:55] - Options Menu - in particular: Replace Task Manager, Minimize to Tray and Configure Symbols
[36:40] - View Menu - in particular: Lower Pane, DLL View and Handle View (includes Find)
[39:12] - Process Menu
[39:43] - Find, Users and Help Menus
[40:00] - Properties dialog
[41:05] - Tooltip of service processes

Examples:
Case of the Unexplained... by Mark Russinovich
Sysinternals Gems by Aaron Margosis

In this episode we'll be showing you how to get started by creating a thumb drive that you can use to fix PC's and troubleshoot problems.

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
www.sysinternals.com

Timeline:
[00:00] - What is Defrag Tools?
[02:50] - The USB Stick light saber
[03:59] - Download, unblock and extract the Sysinternals Suite
[08:07] - Add c:\my\sysinternals to the PATH
[09:23] - Download and install the Microsoft Windows SDK for Windows 7 and .NET Framework 4
[13:30] - What is a Symbol?
[15:10] - Symbols script for environment variables
[18:57] - Symbol Logging (DbgHelp)
[20:45] - Gather the 'Redist' MSI files of Application Verifier, Debugging Tools for Windows, and Windows Performance Toolkit from the SDK
[22:29] - Debugging Tool for Windows
- Install both the x64 and x86 versions of the Debugging Tool for Windows (to "c:\debuggers" and "c:\debuggers_x86" respectively)
- Copy the "c:\debuggers" and "c:\debuggers_x86" folders in to the "C:\My\Debugging Tool for Windows" folder for 'xcopy' use on any computer (no installation necessary)
[25:09] - Windows Performance Toolkit
- Install the x64 or x86 version of the Windows Performance Toolkit using the default options
- Copy "C:\Program Files\Microsoft Windows Performance Toolkit" to "C:\My\Windows Performance Toolkit" folder for 'xcopy' use on any computer (no installation necessary)
[25:43] - DbgHelp.dll v6.12
[26:55] - Next episode... Process Explorer

Scripts:
Symbols.cmd

md c:\My
md c:\My\Src
md c:\My\Sym
md c:\My\SymCache
setx /M _NT_SOURCE_PATH SRV*C:\My\Src
setx /M _NT_SYMBOL_PATH SRV*C:\My\Sym*http://msdl.microsoft.com/download/symbols
setx /M _NT_SYMCACHE_PATH C:\My\SymCache

DbgHelp_Logging.cmd

rem msdn.microsoft.com/en-us/library/windows/desktop/ms680687.aspx
md c:\My
md c:\My\DbgHelp
setx DBGHELP_DBGOUT 1 
setx DBGHELP_LOG C:\My\DbgHelp\DbgHelpLog.txt

Make sure to watch Mark's TechEd 2012 North America Windows Azure session to get much more thorough treatment of the new (and future) Windows Azure features/services Mark mentioned in this conversation.

Tune in. Enjoy.

• Mark's TechEd North America Sessions
• Mark's TechEd Europe Sessions

For the first time, we now have a definitive guide to all of these tools: Windows Sysinternals Administrator's Reference.

Mark Russinovich, Technical Fellow working on the managed cloud OS kernel—you know this as the Windows Azure Fabric Controller—is the primary author of these powerful tools - all written in C and C++ (so, Mark's an expert native and managed dev). Aaron Margosis, meanwhile, is a Microsoft Consultant and Sysinternals user with expert-level knowledge and experience using Sysinternals tools. They are an important part of his job. Aaron yearned for a book that encapsulates detailed information about all of the Sysinternals tools. Mark agreed and asked Aaron to coauthor it with him—be careful what you ask for! 

Here, we talk about the book, Mark demos a really cool new Sysinternals tool for GPU analysis that's not in the book, Charles randomizes the conversation, and we head all over the place (taking advantage of having Mark's undivided attention!) and even geek out a little on security. If you use Sysinternals tools, then this conversation is for you! Truly incredible work. It's hard to believe that for Mark this stuff is just a hobby.

Tune in.