Reading Notebook: 18-August-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Using Process Explorer diff. highlighting to see handle leaks (p. 151)
Similarity of handle tables to virtual-2-physical mapping tables on x86 (pp. 151 - 152) - Seems the theoretical handle limit value for x86 is 512 * 512 * 511 = 133,955,584 (if I didn’t miss anything)
Testlimit tool (pp. 152 - 153) - I try it for my book Software Defect Construction: Simulation and Modeling of Software Bugs (ISBN: 978-1906717759) and also for later crash dump analysis volumes
!devhandles WinDbg command, searching for open files (p. 155) - it looks like it is done through device prefix to a file name; I’ve done simple text search for a file name if known through all handle tables: http://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/
!obtrace monitors more than !htrace (p. 156)
nt!_OBJECT_TYPE.Key is pool tag, needed to enable object reference tracing (p. 157)
- Dmitry Vostokov @ SoftwareGeneralist.com -
August 18th, 2009 at 3:47 pm
Keep in mind that handles must be multiples of 4, since the bottom 2 bits are sometimes used to contain Win32 flags associated with the underlying object (such as for file objects and completion ports).
Also, your calculation is slightly incorrect:
- First, the mid-level table has enough to store a “full page’s worth of pointers”, quoting from the book. PAGE_SIZE / 4 (for x86) is 1024 entries, not 512.
- Secondly, in order to maintain compatibility with Windows 2000, the amount of high-level tables is artificially constricted to the minimum required to describe Windows 2000’s limit (256^3 ~ 16 million) based on the amount of handles described by mid and low level tables on the system. In this case, for x86, that number would be 32.
You can use the following definitions for a more “abstract” understanding:
#define LOW_LEVEL_ENTRIES (PAGE_SIZE / sizeof(HANDLE_TABLE_ENTRY))          /* one page of entries: 4096 / 8 = 512 on x86 */
#define MID_LEVEL_ENTRIES (PAGE_SIZE / sizeof(PHANDLE_TABLE_ENTRY))         /* one page of pointers: 4096 / 4 = 1024 on x86 */
#define HIGH_LEVEL_ENTRIES (16777216 / (LOW_LEVEL_ENTRIES * MID_LEVEL_ENTRIES)) /* Windows 2000 limit (256^3) / handles per mid-level table = 32 on x86 */
Regarding point #2, the book is unclear about this fact, and I will make sure that it is updated for the next edition — nowhere is it explained why the limit is still 16 million even though theoretically, x86 could have much larger handle values.
–
Best regards,
Alex Ionescu
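The arithmetic behind both the note in the post (the 512 * 512 * 511 estimate) and the three definitions in the comment above, worked through as an added example. This is my own illustration, not code from the book or from either commenter: it models the three-level table as a low level of HANDLE_TABLE_ENTRY slots, a middle level of pointers to low-level tables, and a high level sized to the Windows 2000 limit, then decomposes a handle value into the three indices, treating the two low bits as flag bits rather than index bits. The structure sizes are assumptions for illustration (8-byte entries and 4-byte pointers on x86, 16-byte entries and 8-byte pointers on x64, 4096-byte pages on both), and the decode routine shows the arithmetic the layout implies, not the kernel's own lookup, which also handles one- and two-level tables.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the book or the comment thread. The sizes passed in
 * below are assumptions for illustration: sizeof(HANDLE_TABLE_ENTRY) taken as
 * 8 on x86 and 16 on x64, pointers as 4 and 8 bytes, PAGE_SIZE as 4096. */

#define WIN2000_HANDLE_LIMIT 16777216ULL  /* 256^3: the limit the high level is sized to */

typedef struct {
    const char *name;
    uint64_t page_size;
    uint64_t entry_size;    /* sizeof(HANDLE_TABLE_ENTRY) */
    uint64_t pointer_size;  /* sizeof(PHANDLE_TABLE_ENTRY) */
} arch_params;

typedef struct {
    uint64_t low_entries;   /* LOW_LEVEL_ENTRIES: entries per low-level table */
    uint64_t mid_entries;   /* MID_LEVEL_ENTRIES: pointers per mid-level table */
    uint64_t high_entries;  /* HIGH_LEVEL_ENTRIES: pointers in the top table */
} table_layout;

/* Same arithmetic as the three #defines in the comment, with sizes as parameters. */
table_layout handle_table_layout(arch_params a)
{
    table_layout l;
    l.low_entries  = a.page_size / a.entry_size;
    l.mid_entries  = a.page_size / a.pointer_size;
    l.high_entries = WIN2000_HANDLE_LIMIT / (l.low_entries * l.mid_entries);
    return l;
}

/* Total number of handle slots the three levels can address. */
uint64_t max_handles(table_layout l)
{
    return l.low_entries * l.mid_entries * l.high_entries;
}

typedef struct {
    uint64_t high, mid, low;  /* index into each level of the table */
    unsigned tag_bits;        /* the two low bits; not part of the index */
} handle_path;

/* Decompose a handle value into per-level indices. Illustrative only: this is
 * the arithmetic the layout implies, not the kernel's lookup routine. Returns 0
 * when the index lies outside what the layout can address. */
int decode_handle(table_layout l, uint64_t handle_value, handle_path *out)
{
    uint64_t index = handle_value >> 2;  /* handles are multiples of 4 */
    if (index >= max_handles(l))
        return 0;
    out->tag_bits = (unsigned)(handle_value & 3);
    out->low  = index % l.low_entries;
    out->mid  = (index / l.low_entries) % l.mid_entries;
    out->high = index / (l.low_entries * l.mid_entries);
    return 1;
}

int main(void)
{
    arch_params archs[] = {
        { "x86", 4096, 8, 4 },   /* assumed sizes, see comment at top */
        { "x64", 4096, 16, 8 },
    };
    for (size_t i = 0; i < sizeof archs / sizeof archs[0]; i++) {
        table_layout l = handle_table_layout(archs[i]);
        printf("%s: low=%llu mid=%llu high=%llu -> %llu handles\n", archs[i].name,
               (unsigned long long)l.low_entries, (unsigned long long)l.mid_entries,
               (unsigned long long)l.high_entries, (unsigned long long)max_handles(l));
    }
    table_layout x86 = handle_table_layout(archs[0]);
    handle_path p;
    if (decode_handle(x86, 0x200804, &p))
        printf("handle 0x200804 on x86: high=%llu mid=%llu low=%llu tag=%u\n",
               (unsigned long long)p.high, (unsigned long long)p.mid,
               (unsigned long long)p.low, p.tag_bits);
    return 0;
}
```

With the assumed sizes, both architectures come out at exactly 16,777,216 handle slots: x86 as 512 * 1024 * 32 and x64 as 256 * 512 * 128, which is the point of the comment about the high level being constrained rather than filling a page. The decode step also shows why the limit on the handle value is four times the slot count: the index is the handle value shifted right by two, so a handle whose index reaches the slot count (0x4000000 on this layout) is rejected.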
August 19th, 2009 at 11:58 pm
Thanks for clarification!
Dmitry