« Software Generalist Worldview
Computational Collectives »

Reading Notebook: 05-October-09

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

.local file (p. 226) - found this explanation: http://msdn.microsoft.com/en-us/library/aa375142(VS.85).aspx

bound import table, forwarder entries (pp. 226 - 227)

TLS initializers as possible causes of DLL load failures (p. 228)

Hyper-V architectural stack (p. 229) - running processes inside W2K8 Hyper-V host running additional instance of W2K8:

         063c vmwp.exe         13755 (     55020 Kb)
         0750 vmconnect.exe    13445 (     53780 Kb)
         0aa4 mmc.exe          13184 (     52736 Kb)
         0714 vmms.exe         12228 (     48912 Kb)
         011c svchost.exe       7930 (     31720 Kb)
         09c0 explorer.exe      4603 (     18412 Kb)
         0340 svchost.exe       4525 (     18100 Kb)
         0ba4 WmiPrvSE.exe      2485 (      9940 Kb)
         04b0 svchost.exe       2321 (      9284 Kb)
         03e4 svchost.exe       2222 (      8888 Kb)
         0158 SLsvc.exe         2220 (      8880 Kb)
         01ec svchost.exe       1858 (      7432 Kb)
         0238 svchost.exe       1753 (      7012 Kb)
         05a8 spoolsv.exe       1698 (      6792 Kb)
         029c lsass.exe         1630 (      6520 Kb)
         0530 taskeng.exe       1275 (      5100 Kb)
         0768 svchost.exe       1120 (      4480 Kb)
         06cc WmiPrvSE.exe      1018 (      4072 Kb)
         03cc msdtc.exe         1007 (      4028 Kb)
         0384 svchost.exe        979 (      3916 Kb)
         0944 taskeng.exe        953 (      3812 Kb)
         0104 svchost.exe        910 (      3640 Kb)
         02a8 lsm.exe            877 (      3508 Kb)
         0708 svchost.exe        820 (      3280 Kb)
         0290 services.exe       802 (      3208 Kb)
         0348 svchost.exe        696 (      2784 Kb)
         0628 svchost.exe        680 (      2720 Kb)
         0004 System             673 (      2692 Kb)
         0214 csrss.exe          579 (      2316 Kb)
         0240 csrss.exe          531 (      2124 Kb)
         0274 winlogon.exe       520 (      2080 Kb)
         0980 dwm.exe            482 (      1928 Kb)
         0248 wininit.exe        472 (      1888 Kb)
         0634 svchost.exe        347 (      1388 Kb)
         068c svchost.exe        306 (      1224 Kb)
         01d0 smss.exe           117 (       468 Kb)
         0b7c wlrmdr.exe           0 (         0 Kb)

optimization enlightments (p. 229)

VM Infrastructure driver vid.sys and hypervisor API winhv.sys (p. 232)

Vdev virtual devices (p. 234) - here is the list of loaded modules in the virtualization worker process vmwp.exe:

0: kd> lm1m
odbcint
kernel32
USER32
ntdll
PSAPI
vmwp
dssenh
vmbusvdev
rdp4vs
vmicshutdown
vmicvss
vmickvpexchange
synthnic
vmictimesync
vmicheartbeat
azroles
cryptnet
ODBC32
fastprox
wbemsvc
msxml3
SensApi
wbemprox
vsconfig
framedynos
wbemcomn
vmprox
vmwpctrl
vid_7fefb420000
vmbuspipe
COMCTL32_7fefbb80000
napinsp
winrnr
rasadhlp
WINTRUST
XmlLite
comctl32
NLAapi
wshtcpip
NTMARTA
GPAPI
rsaenh
schannel
mswsock
wship6
kerberos
bcrypt
ncrypt
dhcpcsvc6
dhcpcsvc
tspkg
wevtapi
slc
credssp
IPHLPAPI
CRYPT32
MPR
NTDSAPI
MSASN1
SAMLIB
DNSAPI
cryptdll
NETAPI32
WINNSI
AUTHZ
Secur32
USERENV
GDI32
MSCTF
SETUPAPI
ole32
SHLWAPI
msvcrt
ADVAPI32
CLBCatQ
USP10
RPCRT4
IMM32
LPK
imagehlp
WS2_32
OLEAUT32
COMDLG32
NSI
SHELL32
WLDAP32

0: kd> lmv m vmicheartbeat
start             end                 module name
000007fe`fa540000 000007fe`fa57c000   vmicheartbeat   (deferred)           Â
    Image path: C:\Windows\System32\vmicheartbeat.dll
    Image name: vmicheartbeat.dll
    Timestamp:        Wed Jun 11 15:27:36 2008 (484FE0D8)
    CheckSum:         00033B40
    ImageSize:        0003C000
    File version:     6.0.6001.18016
    Product version:  6.0.6001.18016
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     vmicheartbeat
    OriginalFilename: vmicheartbeat.dll
    ProductVersion:   6.0.6001.18016
    FileVersion:      6.0.6001.18016 (vistasp1_gdr_vm_rtm.080611-0040)
    FileDescription:  Virtual Machine Integration Service Heartbeat Vdev
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

emulated and synthetic (enlightened I/O) devices (pp. 234 - 237):

0: kd> lmv m synthnic
start             end                 module name
000007fe`fa340000 000007fe`fa38a000   synthnic   (deferred)           Â
    Image path: C:\Windows\System32\synthnic.dll
    Image name: synthnic.dll
    Timestamp:        Wed Jun 11 15:27:30 2008 (484FE0D2)
    CheckSum:         0003D7AA
    ImageSize:        0004A000
    File version:     6.0.6001.18016
    Product version:  6.0.6001.18016
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     SynthNic.dll
    OriginalFilename: SynthNic.dll
    ProductVersion:   6.0.6001.18016
    FileVersion:      6.0.6001.18016 (vistasp1_gdr_vm_rtm.080611-0040)
    FileDescription:  Microsoft Synthetic Network Card
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

VSC vs. VSP, VSC driver re-routes requests to VMBus (PnP enum for synthetic devices) (pp. 236 - 237)

Virtualized processors, virtual APIC, dynamic processor addition (pp. 237 - 238)

GVA, guest virtual address space -> GPA, guest physical address space -> SPA, system physical address space (pp. 238 - 239) - need to add this to my debugging dictionary: http://www.dumpanalysis.org/blog/index.php/category/dictionary-of-debugging/

SPT. shadow page tables, for direct GVA -> SPA

- Dmitry Vostokov @ SoftwareGeneralist.com -

           

Announcements

Coming Soon:

Management Bits: An Anthology from Reductionist Manager

Crash Dump Analysis: Practical Foundations (Windows Edition, Systematic Software Fault Analysis Series)

Debugging Notebook: Essential Concepts, WinDbg Commands and Tools

Crash Dump Analysis for System Administrators and Support Engineers

New Magazines:

Debugged! MZ/PE: MagaZine for/from Practicing Engineers


New Books:

Memory Dump Analysis Anthology: Color Supplement for Volumes 1-3

Memory Dump Analysis Anthology, Volume 3

First Fault Software Problem Solving: A Guide for Engineers, Managers and Users

x64 Windows Debugging: Practical Foundations

Also available:

Windows Debugging: Practical Foundations

DLL List Landscape: The Art from Computer Memory Space

Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov

WinDbg: A Reference Poster and Learning Cards

Memory Dump Analysis Anthology, Volume 2

Memory Dump Analysis Anthology, Volume 1

New Children's Book:

Baby Turing

This entry was posted on Wednesday, October 7th, 2009 at 5:44 pm and is filed under Notes on Windows Internals, Reading Notebook. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply