Reading Notebook: 20-July-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Simplified system architecture (p. 36) - I personally prefer space partitioning to mode partitioning, or indicating both: http://www.dumpanalysis.org/blog/index.php/2009/07/17/on-space-and-mode/, and showing user space at the bottom to highlight lower virtual addresses. Here is one example, a UML component diagram for the SystemDump tool: http://www.dumpanalysis.org/blog/index.php/2006/09/12/new-systemdump-tool/. More examples are in the forthcoming book Windows Device Drivers: Practical Foundations.
Support processes (p. 36) - the winlogon.exe process also uses subsystem DLLs:
0:000> ~*kc
. 0 Id: 23c.240 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Call Site
ntdll!ZwWaitForSingleObject
kernel32!WaitForSingleObjectEx
winlogon!StateMachineRun
winlogon!WinMain
winlogon!ConvertSidToStringSidW
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
1 Id: 23c.3c4 Suspend: 1 Teb: 000007ff`fffd4000 Unfrozen
Call Site
ntdll!ZwWaitForMultipleObjects
ntdll!TppWaiterpThread
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
2 Id: 23c.1190 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Call Site
ntdll!NtRemoveIoCompletion
kernel32!GetQueuedCompletionStatus
RPCRT4!COMMON_ProcessCalls
RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents
RPCRT4!ProcessIOEventsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
The session manager smss.exe indeed doesn't:
0:000> ~*kc
. 0 Id: 1a0.1a4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Call Site
ntdll!ZwWaitForMultipleObjects
smss!wmain
smss!NtProcessStartupW_AfterSecurityCookieInitialized
ntdll!RtlUserThreadStart
1 Id: 1a0.1d4 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
smss!SmpApiLoop
smss!SmpCreateInitialSession
ntdll!RtlUserThreadStart
2 Id: 1a0.1e0 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
smss!SmpApiLoop
ntdll!RtlUserThreadStart
3 Id: 1a0.204 Suspend: 1 Teb: 000007ff`fffd8000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
smss!SmpApiLoop
smss!SmpCreateInitialSession
ntdll!RtlUserThreadStart
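The two listings above make the point by inspection; the following added example (my own code, not from the notes or the book) parses `~*kc` output into threads and frames and then answers the same question mechanically: which modules appear on any stack, and whether any of them is a Windows subsystem DLL. The sample inputs are the winlogon.exe and smss.exe listings quoted above, abridged to two threads each; the set of names treated as "subsystem DLLs" is an assumption made for the check.

```python
import re

# Constructed sample input: the winlogon.exe `~*kc` listing quoted in the notes above,
# abridged to threads 0 and 2 (thread 1 omitted to keep the example short).
WINLOGON_KC = """\
0:000> ~*kc
.  0  Id: 23c.240 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Call Site
ntdll!ZwWaitForSingleObject
kernel32!WaitForSingleObjectEx
winlogon!StateMachineRun
winlogon!WinMain
winlogon!ConvertSidToStringSidW
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
   2  Id: 23c.1190 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Call Site
ntdll!NtRemoveIoCompletion
kernel32!GetQueuedCompletionStatus
RPCRT4!COMMON_ProcessCalls
RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents
RPCRT4!ProcessIOEventsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
"""

# Constructed sample input: the smss.exe listing from the notes, abridged to threads 0 and 1.
SMSS_KC = """\
0:000> ~*kc
.  0  Id: 1a0.1a4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Call Site
ntdll!ZwWaitForMultipleObjects
smss!wmain
smss!NtProcessStartupW_AfterSecurityCookieInitialized
ntdll!RtlUserThreadStart
   1  Id: 1a0.1d4 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
smss!SmpApiLoop
smss!SmpCreateInitialSession
ntdll!RtlUserThreadStart
"""

# Echoed debugger prompt, e.g. "0:000> ~*kc".
PROMPT = re.compile(r"^\d+:\d+>")
# Thread header: optional '.'/'#' marker, index, "Id: pid.tid", suspend count, TEB, freeze state.
THREAD_HDR = re.compile(
    r"^[.#]?\s*(?P<index>\d+)\s+Id:\s*(?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)"
    r"\s+Suspend:\s*(?P<suspend>\d+)\s+Teb:\s*(?P<teb>[0-9a-fA-F`]+)\s+(?P<state>\w+)")
# Stack frame as printed by kc: module!symbol (the symbol may contain '::' or '+offset').
FRAME = re.compile(r"^(?P<module>[^!\s]+)!(?P<symbol>\S+)$")


def parse_kc(text):
    """Parse `~*kc` output into a list of threads, each with its frames innermost-first."""
    threads, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the echoed prompt line and the "Call Site" column header.
        if not line or PROMPT.match(line) or line == "Call Site":
            continue
        m = THREAD_HDR.match(line)
        if m:
            current = {"index": int(m["index"]), "pid": int(m["pid"], 16),
                       "tid": int(m["tid"], 16), "suspend": int(m["suspend"]),
                       "teb": m["teb"], "state": m["state"], "frames": []}
            threads.append(current)
            continue
        f = FRAME.match(line)
        if f and current is not None:
            current["frames"].append((f["module"], f["symbol"]))
    return threads


def modules_used(threads):
    """Distinct module names that appear on any thread's stack (lower-cased)."""
    return {mod.lower() for t in threads for mod, _ in t["frames"]}


def uses_subsystem_dll(threads, subsystem_dlls=("kernel32", "user32", "gdi32", "advapi32")):
    """True if any frame lives in a Windows subsystem DLL (the DLL list is an assumption)."""
    return bool(modules_used(threads) & {d.lower() for d in subsystem_dlls})


def wait_sites(threads):
    """Map thread index -> innermost frame, i.e. the call each thread is currently blocked in."""
    return {t["index"]: "!".join(t["frames"][0]) for t in threads if t["frames"]}


if __name__ == "__main__":
    for name, text in (("winlogon.exe", WINLOGON_KC), ("smss.exe", SMSS_KC)):
        threads = parse_kc(text)
        print(name, "threads:", len(threads), "subsystem DLLs on stack:", uses_subsystem_dll(threads))
        print("  modules:", sorted(modules_used(threads)))
        print("  waiting in:", wait_sites(threads))
```

Run on the two samples, winlogon.exe reports kernel32 (and RPCRT4) on its stacks while smss.exe shows only ntdll and its own image, which is exactly the distinction the notes draw. The same parser works on a full `~*kc` dump pasted from a live session or a crash dump; only the list of DLLs treated as "subsystem" needs adjusting for what you consider relevant.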
SUA: Subsystem for Unix-based Applications (p. 36)
HAL isolation of platform specifics (i.e. motherboard diffs) (p. 37)
Hyperthreading: scheduling algorithms favour idle physical processor vs. idle logical (p. 40)
NUMA: scheduling and memory allocations prefer the same node (p. 40)
Support for 64 processors on x64 (p. 40)
PAE kernel for most x86 systems due to NX/XD no-execute memory support (p. 41)
Uniprocessor backward compatibility field - could be interesting troubleshooting advice
Checking system version (pp. 41 - 42) - there is another method. Attach WinDbg noninvasively to any process and run the version command:
0:000> version
Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) MP (2 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
kernel32.dll version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
Machine Name:
Debug session time: Mon Jul 20 17:57:34.819 2009 (GMT+1)
System Uptime: 5 days 9:27:00.143
Process Uptime: 0 days 2:42:42.846
Kernel time: 0 days 0:00:00.000
User time: 0 days 0:00:00.000
Live user mode: <Local>
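When the `version` banner is collected from many sessions it is handy to pull the fields out of it rather than read them by eye. The following added example (my own code, not from the notes or WinDbg) parses the output quoted above into a dictionary and adds one check: whether the build number in the banner agrees with the build in the reported kernel32.dll version. In the sample above they differ (6002 versus 6.0.6001.18000); the notes do not discuss that difference, so the function only reports it. Field names in the result are my own choice.

```python
import re

# Constructed sample input: the `version` output quoted above (Machine Name is blank there too).
VERSION_OUTPUT = """\
Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) MP (2 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
kernel32.dll version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
Machine Name:
Debug session time: Mon Jul 20 17:57:34.819 2009 (GMT+1)
System Uptime: 5 days 9:27:00.143
Process Uptime: 0 days 2:42:42.846
Kernel time: 0 days 0:00:00.000
User time: 0 days 0:00:00.000
Live user mode: <Local>
"""

# First banner line: "<name> Version <build> [(Service Pack n)] MP|UP [(n procs)] Free|Checked <arch>".
BANNER = re.compile(
    r"^(?P<name>.+?) Version (?P<build>\d+)"
    r"(?: \((?P<sp>Service Pack \d+)\))?"
    r" (?P<mp>MP|UP)(?: \((?P<procs>\d+) procs?\))?"
    r" (?P<flavor>Free|Checked) (?P<arch>\w+)")
PRODUCT = re.compile(r"^Product: (?P<product>[^,]+), suite: (?P<suite>.*)$")
KERNEL32 = re.compile(r"^kernel32\.dll version: (?P<ver>\d+(?:\.\d+)+)(?: \((?P<tag>[^)]*)\))?")
UPTIME = re.compile(
    r"^(?P<which>System|Process) Uptime: (?P<d>\d+) days (?P<h>\d+):(?P<m>\d+):(?P<s>\d+(?:\.\d+)?)")


def parse_version(text):
    """Turn WinDbg `version` output into a dict of typed fields."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            info.update(
                os_name=m["name"], build=int(m["build"]), service_pack=m["sp"],
                multiprocessor=m["mp"] == "MP",
                processors=int(m["procs"]) if m["procs"] else 1,
                checked_build=m["flavor"] == "Checked", arch=m["arch"])
            continue
        m = PRODUCT.match(line)
        if m:
            info["product"] = m["product"]
            info["suite"] = m["suite"].split()
            continue
        m = KERNEL32.match(line)
        if m:
            parts = [int(p) for p in m["ver"].split(".")]
            info["kernel32_version"] = m["ver"]
            info["kernel32_build"] = parts[2] if len(parts) > 2 else None  # major.minor.build.rev
            info["kernel32_tag"] = m["tag"]
            continue
        m = UPTIME.match(line)
        if m:
            secs = int(m["d"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            info[m["which"].lower() + "_uptime_s"] = secs
            continue
        if ":" in line:
            # Generic "Key: value" fallback (Machine Name, Debug session time, Live user mode, ...).
            key, _, val = line.partition(":")
            info.setdefault(key.strip().lower().replace(" ", "_"), val.strip())
    return info


def build_matches_kernel32(info):
    """True when the OS build in the banner equals the build field of the reported kernel32.dll."""
    return info.get("build") is not None and info.get("build") == info.get("kernel32_build")


if __name__ == "__main__":
    v = parse_version(VERSION_OUTPUT)
    print(f"{v['os_name']} build {v['build']} ({v['service_pack']}) {v['arch']}, "
          f"{v['processors']} procs, kernel32 {v['kernel32_version']}")
    print("banner build matches kernel32 build:", build_matches_kernel32(v))
```

Because the page's own version command describes the target for both live sessions and dumps, the parser is useful for tagging a folder of saved `version` outputs with build, service pack, architecture and uptime; any line it does not recognise is kept under a generic key rather than dropped.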
- Dmitry Vostokov @ SoftwareGeneralist.com -