Reading Notebook: 15-July-09

Resuming reading notebook with the new book set to read

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Use Windows API term instead of Win32 API for both 32-bit and 64-bit code (p. 2)

Categories of Windows API (p. 2) - A good book I can recommend for the Graphics category, which also covers GDI internals: Windows Graphics Programming: Win32 GDI and DirectDraw. For understanding Component services: Essential COM

.NET space (p. 3) - Another good book to recommend is Essential .NET, Volume I: The Common Language Runtime. From a typical combined .NET/unmanaged stack trace we can reconstruct component relationships and see, for example, that mscorwks.dll (the CLR DLL) calls kernel32.dll (a Windows API DLL). For some examples from crash dumps see patterns: Managed Code Exception or JIT Code.

UAC virtualization state and limited user account state (p. 5)

PID as part of internal CID (p. 5) - Examples of CID (PID.TID, highlighted in the original) in a user dump:

0:000> ~*kc

.  0  Id: 1350.1354 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Call Site
USER32!GetWindowLongPtrW
USER32!GetMessageW
notepad
notepad
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart

1: kd> !thread fffffa8001cc7bb0
THREAD fffffa8001cc7bb0  Cid 13e4.01dc  Teb: 000000007efdb000 Win32Thread: fffff900c210ed50 WAIT: (WrLpcReply) UserMode Non-Alertable

The possibility of an empty process (p. 5) - One example is the so-called “orphaned” process that has finished its execution but some code still keeps a reference to it:

2: kd> !process 0364
Searching for Process with Cid == 364
Cid Handle table at e20ae000 with 6199 Entries in use
PROCESS 88eeac20  SessionId: 0  Cid: 0364    Peb: 7ffde000  ParentCid: 0724
    DirBase: cff97920  ObjectTable: 00000000  HandleCount:   0.
    Image: cmd.exe
    VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 4. Locked 0.
    DeviceMap e1006e10
    Token                             e2b28928
    ElapsedTime                       05:06:04.542
    UserTime                          00:00:00.000
    KernelTime                        415 Days 11:06:24.640
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (7, 50, 345) (28KB, 200KB, 1380KB)
    PeakWorkingSetSize                661
    VirtualSize                       11 Mb
    PeakVirtualSize                   15 Mb
    PageFaultCount                    707
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      0

No active threads

Parent process (p. 5) - See ParentCid in the example of !process output above.

tlist /t (pp. 5 - 6)

End process tree in Task Manager (p. 6) - Could be useful to decimate certain runaway populations of processes. See Process Factory pattern for an example.

Ctrl-Shift-Esc to start Task Manager (p. 7) - Good to know, I always used Ctrl-Alt-Delete

Application tab: top-level visible windows from desktops in the interactive window station. Not Responding status means not in a state of waiting for user input (pp. 7 - 8) - i.e. not in a message loop. I modelled this by running notepad.exe and attaching WinDbg to it:

0:000> k
Child-SP          RetAddr           Call Site
00000000`0028fcb8 00000000`7734d5be USER32!ZwUserGetMessage+0xa
00000000`0028fcc0 00000000`ffd06f4a USER32!GetMessageW+0x34
00000000`0028fcf0 00000000`ffd0d00b notepad!WinMain+0x176
00000000`0028fd70 00000000`7741be3d notepad!IsTextUTF8+0x24f
00000000`0028fe30 00000000`77556a51 kernel32!BaseThreadInitThunk+0xd
00000000`0028fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Although the process is frozen it is still listed as Running in Task Manager. Then I put a breakpoint on the GetMessageW return address and resumed the execution:

0:000> bp notepad!WinMain+0x176

0:000> g
Breakpoint 1 hit
notepad!WinMain+0x176:
00000000`ffd06f4a 85c0            test    eax,eax

The main GUI thread is no longer in the message loop and the process is now listed as Not Responding.

0:000> k
Child-SP          RetAddr           Call Site
00000000`0028fcf0 00000000`ffd0d00b notepad!WinMain+0x176
00000000`0028fd70 00000000`7741be3d notepad!IsTextUTF8+0x24f
00000000`0028fe30 00000000`77556a51 kernel32!BaseThreadInitThunk+0xd
00000000`0028fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
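
The two notes above (CID as hex PID.TID, and Not Responding meaning the GUI thread is not pumping messages) can be tied together from user mode. The following is my added PowerShell example, not from the book or the dumps: it converts the hex Cid values the debugger prints into the decimal PID/TID that Task Manager and Get-Process display, and then asks .NET's Process.Responding (which sends a message to the main window with a timeout) the same question Task Manager asks. The function names are mine.

```powershell
# Added example: map debugger Cid notation to Task Manager numbers and check responsiveness.
function Convert-DebuggerCid {
    # Accepts a Cid as WinDbg prints it, e.g. "13e4.01dc" (hex PID . hex TID).
    param([Parameter(Mandatory)][string]$Cid)
    $parts = $Cid.Split('.')
    if ($parts.Count -ne 2) { throw "Cid must look like 'pid.tid' in hex, got: $Cid" }
    [pscustomobject]@{
        Cid = $Cid
        Pid = [Convert]::ToInt32($parts[0], 16)   # decimal PID as shown by Task Manager
        Tid = [Convert]::ToInt32($parts[1], 16)   # decimal TID as shown by Get-Process Threads
    }
}

function Get-ProcessResponsiveness {
    # Reports whether the main window still answers messages (the Task Manager "Not Responding" test).
    param([Parameter(Mandatory)][int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    # Process.Responding uses SendMessageTimeout against MainWindowHandle; a process with
    # no main window (console app, service) has nothing to test and always reports $true.
    [pscustomobject]@{
        Name       = $p.ProcessName
        Pid        = $p.Id
        HasWindow  = ($p.MainWindowHandle -ne [IntPtr]::Zero)
        Responding = $p.Responding
        Threads    = $p.Threads.Count
    }
}

# The Cids seen in the dumps above; they only resolve to live processes on the machine
# where the dumps were taken, so here they are just converted to decimal.
'1350.1354', '13e4.01dc' | ForEach-Object { Convert-DebuggerCid $_ }

# Live check of every process owning a top-level window, as the Applications tab does.
# A notepad.exe frozen in WinDbg (as in the experiment above) shows Responding = False.
Get-Process |
    Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } |
    ForEach-Object { Get-ProcessResponsiveness -ProcessId $_.Id } |
    Format-Table -AutoSize
```

Note that Task Manager's Running/Not Responding column reflects only the window test, so a process stopped under a debugger before a message is dispatched still shows Running, exactly as observed above.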

Using symbol servers for Process Explorer (p. 10) - Quick download links and symbol server information (for Citrix as well) can be found at WinDbg.org

Displaying hosted COM objects and rundll32 targets (p. 10)

- Dmitry Vostokov @ SoftwareGeneralist.com -
