Archive for November, 2009

Reading Notebook: 25-November-09

Wednesday, November 25th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

FailureActionsOnNonCrashFailures (p. 310)

WaitToKillApp(Service)Timeout (p. 311)

Shutdown ordering and preshutdown notification (pp. 312 - 313)

Shared services vulnerability to a crashing bug (p. 313) - Because an exception in one thread doesn’t affect another thread if there is no dependency (see the MTCrash application, http://www.dumpanalysis.org/blog/index.php/2008/12/31/mtcrash/), if we preserve the crashed process, for example using the Crash2Hang tool (http://www.dumpanalysis.org/blog/index.php/2008/12/29/crash2hang/), we might temporarily preserve the functionality of the remaining services (if there is no dependency)

CNG-KeyIso service (p. 313)

Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID:

SubProcessTag (p. 316) - Here is an example from svchost.exe PID 1016 from the screenshot above:

lkd> !process 0n1016 1f
Searching for Process with Cid == 3f8
Cid Handle table at fffff88008156000 with 1063 Entries in use
PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 436.
    Image: svchost.exe
    VadRoot fffffa80048b9220 Vads 153 Clone 0 Private 1630. Modified 1512. Locked 6.
    DeviceMap fffff8800802ef40
    Token                             fffff880080aa060
    ElapsedTime                       5 Days 01:31:56.632
    UserTime                          00:00:05.257
    KernelTime                        00:00:04.555
    QuotaPoolUsage[PagedPool]         132496
    QuotaPoolUsage[NonPagedPool]      21488
    Working Set Sizes (now,min,max)  (3650, 50, 345) (14600KB, 200KB, 1380KB)
    PeakWorkingSetSize                3725
    VirtualSize                       78 Mb
    PeakVirtualSize                   84 Mb
    PageFaultCount                    38144
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      3976

[...]

        THREAD fffffa8004b55060  Cid 03f8.046c  Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
            fffffa8004b54a80  NotificationEvent
            fffffa8004b52a50  SynchronizationEvent
            fffffa8004b55e00  NotificationEvent
            fffffa8004b55118  NotificationTimer
        Not impersonating
        DeviceMap                 fffff8800802ef40
        Owning Process            fffffa8004adec10       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      28044441       Ticks: 4968 (0:00:01:17.501)
        Context Switch Count      3784
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address dhcpcsvc6!Dhcpv6Main (0x000007fefd726884)
        Stack Init fffffa6003c47db0 Current fffffa6003c47230
        Base fffffa6003c48000 Limit fffffa6003c42000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffffa60`03c47270 fffff800`018a46fa nt!KiSwapContext+0x7f
        fffffa60`03c473b0 fffff800`018a9feb nt!KiSwapThread+0x13a
        fffffa60`03c47420 fffff800`01b03a8e nt!KeWaitForMultipleObjects+0x2eb
        fffffa60`03c474a0 fffff800`01b040d3 nt!ObpWaitForMultipleObjects+0x26e
        fffffa60`03c47960 fffff800`018a1ef3 nt!NtWaitForMultipleObjects+0xe2
        fffffa60`03c47bb0 00000000`776e72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`03c47c20)
        00000000`0272f5e8 00000000`7758bc03 ntdll!ZwWaitForMultipleObjects+0xa
        00000000`0272f5f0 000007fe`fd726117 kernel32!WaitForMultipleObjectsEx+0x10b
        00000000`0272f700 000007fe`fd726944 dhcpcsvc6!ProcessDhcpv6RequestForever+0x143
        00000000`0272f7c0 00000000`7758be3d dhcpcsvc6!Dhcpv6Main+0xc0
        00000000`0272f800 00000000`776c6a51 kernel32!BaseThreadInitThunk+0xd
        00000000`0272f830 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

[...]

lkd> dt _TEB 000007fffff9e000 SubProcessTag
ntdll!_TEB
   +0x1720 SubProcessTag : 0x00000000`00000011

Advanced .NET Debugging by M. Hewardt:

Debugging Tools for Windows (pp. 3 - 4) - Here are quick links for download: http://windbg.org

No major CLR changes for .NET 3.x (p. 5)

DbgClr (p. 6)

MSBUILD XML example (pp. 6 - 7)

.load vs. .loadby (pp. 8 - 11) - Some additional load scenarios for legacy SOS and its server version can be found in the comments to the Managed Code Exception pattern: http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/

SOSEX (pp. 10 - 11) - Added to my blog roll and links on http://DumpAnalysis.org

CLR Profiler (pp. 11 - 13) - Looks similar to the functionality of the unmanaged UMDH tool (user-mode heap stack trace database)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 20-November-09

Saturday, November 21st, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SCM executable: services.exe (p. 300) - !process 0 0 shows the start order of processes:

lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8003bf1040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 568.
    Image: System

PROCESS fffffa8004710040
    SessionId: none  Cid: 019c    Peb: 7fffffdb000  ParentCid: 0004
    DirBase: bc8ef000  ObjectTable: fffff880000eb7e0  HandleCount:  33.
    Image: smss.exe

PROCESS fffffa80047cfa40
    SessionId: 0  Cid: 01e0    Peb: 7fffffd6000  ParentCid: 01d4
    DirBase: b4353000  ObjectTable: fffff88007de31b0  HandleCount: 468.
    Image: csrss.exe

PROCESS fffffa80047e7040
    SessionId: 0  Cid: 0214    Peb: 7fffffdf000  ParentCid: 019c
    DirBase: b31ba000  ObjectTable: fffff88007e66cb0  HandleCount: 789.
    Image: psxss.exe

PROCESS fffffa80047f5870
    SessionId: 0  Cid: 0238    Peb: 7fffffdf000  ParentCid: 01d4
    DirBase: b2919000  ObjectTable: fffff88007df7ed0  HandleCount: 101.
    Image: wininit.exe

PROCESS fffffa800481b5e0
    SessionId: 0  Cid: 0280    Peb: 7fffffdf000  ParentCid: 0238
    DirBase: b1b3d000  ObjectTable: fffff88007eac280  HandleCount: 271.
    Image: services.exe

PROCESS fffffa8004820360
    SessionId: 0  Cid: 028c    Peb: 7fffffdd000  ParentCid: 0238
    DirBase: b15eb000  ObjectTable: fffff88007ecbae0  HandleCount: 728.
    Image: lsass.exe

PROCESS fffffa80048252d0
    SessionId: 0  Cid: 0294    Peb: 7fffffde000  ParentCid: 0238
    DirBase: b14f1000  ObjectTable: fffff88007ecf4d0  HandleCount: 178.
    Image: lsm.exe

PROCESS fffffa800429f2b0
    SessionId: 0  Cid: 0338    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: af2a2000  ObjectTable: fffff880082807d0  HandleCount: 306.
    Image: svchost.exe

PROCESS fffffa8004a82270
    SessionId: 0  Cid: 0374    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: aef26000  ObjectTable: fffff88008036e60  HandleCount: 311.
    Image: svchost.exe

PROCESS fffffa8004a97c10
    SessionId: 0  Cid: 0398    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: aebb0000  ObjectTable: fffff88008009950  HandleCount: 379.
    Image: svchost.exe

PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 395.
    Image: svchost.exe

PROCESS fffffa8004ae8950
    SessionId: 0  Cid: 00f8    Peb: 7fffffd9000  ParentCid: 0280
    DirBase: ada7a000  ObjectTable: fffff880080d4690  HandleCount: 172.
    Image: svchost.exe

PROCESS fffffa8004af2750
    SessionId: 0  Cid: 012c    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ad83f000  ObjectTable: fffff880080d7b10  HandleCount: 897.
    Image: svchost.exe

PROCESS fffffa8004af7040
    SessionId: 0  Cid: 0140    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: ad5c6000  ObjectTable: fffff880080e3580  HandleCount:  99.
    Image: SLsvc.exe

PROCESS fffffa8004b0f500
    SessionId: 0  Cid: 0278    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: ac4ce000  ObjectTable: fffff8800812d330  HandleCount: 301.
    Image: svchost.exe

PROCESS fffffa8004b20770
    SessionId: 0  Cid: 0194    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: abfd3000  ObjectTable: fffff8800814fd30  HandleCount: 354.
    Image: svchost.exe

PROCESS fffffa8004b315c0
    SessionId: 0  Cid: 0410    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: abc98000  ObjectTable: fffff88008083420  HandleCount:  76.
    Image: svchost.exe

PROCESS fffffa8004b4a040
    SessionId: 0  Cid: 0448    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ab164000  ObjectTable: fffff880081a42e0  HandleCount: 479.
    Image: svchost.exe

PROCESS fffffa8004b9c740
    SessionId: 0  Cid: 050c    Peb: 7fffffdf000  ParentCid: 03f8
    DirBase: a9c86000  ObjectTable: fffff880081e8750  HandleCount: 141.
    Image: audiodg.exe

PROCESS fffffa8004ba0880
    SessionId: 0  Cid: 0524    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: a96a9000  ObjectTable: fffff88008217c10  HandleCount: 269.
    Image: svchost.exe

PROCESS fffffa8004c15c10
    SessionId: 0  Cid: 0588    Peb: 7fffffda000  ParentCid: 0280
    DirBase: a8906000  ObjectTable: fffff8800825a810  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004b1c7a0
    SessionId: 0  Cid: 0604    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a7598000  ObjectTable: fffff8800827de90  HandleCount: 373.
    Image: spoolsv.exe

PROCESS fffffa8004ca4040
    SessionId: 0  Cid: 067c    Peb: 7efdf000  ParentCid: 0280
    DirBase: a6a24000  ObjectTable: fffff8800833af00  HandleCount:  71.
    Image: mdm.exe

PROCESS fffffa8004cbd040
    SessionId: 0  Cid: 06e8    Peb: 7fffffdf000  ParentCid: 012c
    DirBase: a6363000  ObjectTable: fffff880083735f0  HandleCount: 310.
    Image: taskeng.exe

PROCESS fffffa8004cda8f0
    SessionId: 0  Cid: 0720    Peb: 7fffffd3000  ParentCid: 0280
    DirBase: a5dfb000  ObjectTable: fffff8800801ae20  HandleCount:  57.
    Image: svchost.exe

PROCESS fffffa8004cfbc10
    SessionId: 0  Cid: 0768    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a5400000  ObjectTable: fffff880083c46d0  HandleCount:  54.
    Image: svchost.exe

PROCESS fffffa8004cfb7e0
    SessionId: 0  Cid: 0774    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a5185000  ObjectTable: fffff880017f9bf0  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004cfdc10
    SessionId: 0  Cid: 0780    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: a51ca000  ObjectTable: fffff880083b0270  HandleCount:  75.
    Image: svchost.exe

PROCESS fffffa8004d18c10
    SessionId: 0  Cid: 07b4    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a4acf000  ObjectTable: fffff880083de5c0  HandleCount: 147.
    Image: svchost.exe

PROCESS fffffa8004d2e4a0
    SessionId: 0  Cid: 07d4    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a4554000  ObjectTable: fffff88008404b40  HandleCount:  43.
    Image: svchost.exe

PROCESS fffffa8005273830
    SessionId: 0  Cid: 0740    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: 8ac6a000  ObjectTable: fffff88008ff53f0  HandleCount: 228.
    Image: svchost.exe

PROCESS fffffa80052e4b10
    SessionId: 0  Cid: 0a50    Peb: 7fffffda000  ParentCid: 0280
    DirBase: 87170000  ObjectTable: fffff8800912ced0  HandleCount: 234.
    Image: svchost.exe

PROCESS fffffa80054c7770
    SessionId: 0  Cid: 09a4    Peb: 7fffffd8000  ParentCid: 0280
    DirBase: 129ab5000  ObjectTable: fffff8800973aa40  HandleCount: 163.
    Image: msdtc.exe

PROCESS fffffa8005206860
    SessionId: 2  Cid: 0b10    Peb: 7fffffd9000  ParentCid: 0310
    DirBase: 72584000  ObjectTable: fffff88007ea0ac0  HandleCount: 518.
    Image: csrss.exe

PROCESS fffffa8004dfa880
    SessionId: 2  Cid: 062c    Peb: 7fffffd3000  ParentCid: 0310
    DirBase: 70609000  ObjectTable: fffff8800971e5c0  HandleCount: 115.
    Image: winlogon.exe

PROCESS fffffa8003c1bc10
    SessionId: 2  Cid: 08d4    Peb: 7fffffde000  ParentCid: 012c
    DirBase: 6c096000  ObjectTable: fffff880082729b0  HandleCount: 311.
    Image: taskeng.exe

PROCESS fffffa80055b32c0
    SessionId: 2  Cid: 0990    Peb: 7fffffdb000  ParentCid: 0194
    DirBase: 6e1db000  ObjectTable: fffff880092f70d0  HandleCount:  76.
    Image: dwm.exe

PROCESS fffffa800521ac10
    SessionId: 2  Cid: 0458    Peb: 7fffffd6000  ParentCid: 0840
    DirBase: 6f1d2000  ObjectTable: fffff8800a00f580  HandleCount: 644.
    Image: explorer.exe

SvcctrlStartEvent_A3752DX and LSA_RPC_SERVER_ACTIVE (pp. 300 - 301) - this is how to check them:

lkd> !object \BaseNamedObjects
Object: fffff88007df3ab0  Type: (fffffa8003bacb00) Directory
    ObjectHeader: fffff88007df3a80 (old version)
    HandleCount: 32  PointerCount: 143
    Directory Object: fffff88000005d50  Name: BaseNamedObjects

    Hash Address          Type          Name
    ---- -------          ----          ----
[...]
       fffffa800482fa30 Event         SvcctrlStartEvent_A3752DX
[...]
       fffffa80048b33e0 Event         LSA_RPC_SERVER_ACTIVE
[...]
       fffffa8004858ed0 Event         SC_AutoStartComplete
[...]

lkd> dt -r _KEVENT fffffa80048b33e0
ntdll!_KEVENT
   +0x000 Header           : _DISPATCHER_HEADER
      +0x000 Type             : 0 ''
      +0x001 Abandoned        : 0 ''
      +0x001 Absolute         : 0 ''
      +0x001 NpxIrql          : 0 ''
      +0x001 Signalling       : 0 ''
      +0x002 Size             : 0x6 ''
      +0x002 Hand             : 0x6 ''
      +0x003 Inserted         : 0 ''
      +0x003 DebugActive      : 0 ''
      +0x003 DpcActive        : 0 ''
      +0x000 Lock             : 393216
   +0x004 SignalState      : 1
   +0x008 WaitListHead     : _LIST_ENTRY [ 0xfffffa80`048b33e8 - 0xfffffa80`048b33e8 ]

WM_DEVICECHANGE (p. 303)

Service startup (pp. 303 - 307) - I use this command to see what functions SvcCtrlMain potentially calls (we can then inspect the called functions for their potential calls too):

lkd> .process /r /p fffffa800481b5e0
Implicit process is now fffffa80`0481b5e0

lkd> uf /c SvcCtrlMain
services!SvcctrlMain (00000000`ffe68d18)
  services!SvcctrlMain+0x2f (00000000`ffe68d47):
    call to kernel32!SetUnhandledExceptionFilter (00000000`77592c40)
  services!SvcctrlMain+0x3a (00000000`ffe68d52):
    call to kernel32!SetErrorMode (00000000`7758c740)
  services!SvcctrlMain+0x48 (00000000`ffe68d60):
    call to ntdll!RtlSetProcessIsCritical (00000000`77745f10)
  services!SvcctrlMain+0x58 (00000000`ffe68d70):
    call to kernel32!HeapSetInformation (00000000`7758f020)
  services!SvcctrlMain+0x7a (00000000`ffe68d92):
    call to services!ScStartTracingSession (00000000`ffe70920)
  services!SvcctrlMain+0x7f (00000000`ffe68d97):
    call to services!ScWriteLogHeader (00000000`ffe71178)
  services!SvcctrlMain+0x94 (00000000`ffe68dac):
    call to ntdll!NtOpenProcessToken (00000000`776e7c70)
  services!SvcctrlMain+0xb0 (00000000`ffe68dc8):
    call to services!ScRemoveProcessPrivileges (00000000`ffe6ff54)
  services!SvcctrlMain+0xf2 (00000000`ffe68e0a):
    call to ADVAPI32!RegOpenKeyExW (000007fe`fdd5ace8)
  services!SvcctrlMain+0x12c (00000000`ffe68e44):
    call to ADVAPI32!RegQueryValueExW (000007fe`fdd5a688)
  services!SvcctrlMain+0x152 (00000000`ffe68e57):
    call to ADVAPI32!RegCloseKey (000007fe`fdd5a7f0)
  services!SvcctrlMain+0x158 (00000000`ffe68e5d):
    call to services!ScInitTcpKeepAlive (00000000`ffe7000c)
  services!SvcctrlMain+0x164 (00000000`ffe68e69):
    call to kernel32!GetModuleHandleW (00000000`7759d860)
  services!SvcctrlMain+0x197 (00000000`ffe68e82):
    call to kernel32!GetProcAddress (00000000`7759d8a0)
  services!SvcctrlMain+0x1ea (00000000`ffe68eaa):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x201 (00000000`ffe68ec1):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x243 (00000000`ffe68ee4):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x282 (00000000`ffe68f04):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x299 (00000000`ffe68f1b):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x2db (00000000`ffe68f3e):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x308 (00000000`ffe68f4c):
    call to services!ScCreateWellKnownSids (00000000`ffe70130)
  services!SvcctrlMain+0x339 (00000000`ffe68f5e):
    call to services!ScCreateAutoStartEvent (00000000`ffe6fe48)
  services!SvcctrlMain+0x384 (00000000`ffe68f8a):
    call to services!ScRegOpenKeyExW (00000000`ffe626b0)
  services!SvcctrlMain+0x397 (00000000`ffe68fa1):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x426 (00000000`ffe68fbf):
    call to services!ScGetStartEvent (00000000`ffe6fc94)
  services!SvcctrlMain+0x452 (00000000`ffe68fcc):
    call to services!ScCreateScManagerObject (00000000`ffe70f40)
  services!SvcctrlMain+0x485 (00000000`ffe68fe0):
    call to ntdll!RtlGetNtProductType (00000000`776cee90)
  services!SvcctrlMain+0x4b3 (00000000`ffe68fef):
    call to services!ScCheckLastKnownGood (00000000`ffe6f8a4)
  services!SvcctrlMain+0x4df (00000000`ffe68ffc):
    call to services!ScGetComputerName (00000000`ffe6fbd8)
  services!SvcctrlMain+0x564 (00000000`ffe69062):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x571 (00000000`ffe6906f):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x57e (00000000`ffe6907c):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x584 (00000000`ffe69082):
    call to services!ScGenerateServiceDB (00000000`ffe70ca8)
  services!SvcctrlMain+0x5b7 (00000000`ffe69096):
    call to services!ScGetAccountDomainInfo (00000000`ffe6f36c)
  services!SvcctrlMain+0x617 (00000000`ffe690aa):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x61d (00000000`ffe690b0):
    call to services!ScInitTransactNamedPipe (00000000`ffe6e43c)
  services!SvcctrlMain+0x62c (00000000`ffe690bf):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x670 (00000000`ffe690e4):
    call to ADVAPI32!RegOpenKeyW (000007fe`fdd52550)
  services!SvcctrlMain+0x82b (00000000`ffe690f2):
    call to services!ScInitBSM (00000000`ffe6e58c)
  services!SvcctrlMain+0x83a (00000000`ffe69101):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x857 (00000000`ffe6911e):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x85d (00000000`ffe69124):
    call to kernel32!GetCurrentProcessId (00000000`7758cf10)
  services!SvcctrlMain+0x865 (00000000`ffe6912c):
    call to USER32!RegisterServicesProcess (00000000`774a1010)
  services!SvcctrlMain+0x89f (00000000`ffe69148):
    call to services!ScLockDatabase (00000000`ffe66244)
  services!SvcctrlMain+0x8da (00000000`ffe69155):
    call to services!ScEnableRpcInterface (00000000`ffe6e8c4)
  services!SvcctrlMain+0x923 (00000000`ffe6917f):
    call to services!WPP_SF_ (00000000`ffe62608)
  services!SvcctrlMain+0x931 (00000000`ffe6918d):
    call to kernel32!SetConsoleCtrlHandler (00000000`7758e660)
  services!SvcctrlMain+0x974 (00000000`ffe691a2):
    call to kernel32!SetProcessShutdownParameters (00000000`775e4e90)
  services!SvcctrlMain+0x9cd (00000000`ffe691cd):
    call to services!WPP_SF_ (00000000`ffe62608)
  services!SvcctrlMain+0x9d9 (00000000`ffe691d9):
    call to services!ScesrvInitializeServer (00000000`ffe6ebe0)
  services!SvcctrlMain+0xa14 (00000000`ffe691e6):
    call to services!SvcStartRPCProxys (00000000`ffe6f510)
  services!SvcctrlMain+0xa19 (00000000`ffe691eb):
    call to services!InitNCEvents (00000000`ffe6f0d0)
  services!SvcctrlMain+0xa22 (00000000`ffe691f4):
    call to services!ScUpdateServiceSidCache (00000000`ffe6ecac)
  services!SvcctrlMain+0xa27 (00000000`ffe691f9):
    call to services!ScCheckAutostartEventsEnabled (00000000`ffe6eafc)
  services!SvcctrlMain+0xa34 (00000000`ffe69206):
    call to kernel32!SetEvent (00000000`77586840)
  services!SvcctrlMain+0xa70 (00000000`ffe69214):
    call to services!ScAutoStartServices (00000000`ffe6c820)
[…]

HKLM\S\CCS\C\W\NoInteractiveServices (p. 305)

HKLM\S\CCS\C\ServicesPipeTimeout (p. 306)

Delayed auto-start services (p. 307)

BootVerificationProgram (p. 309)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Mod N Reading System

Tuesday, November 17th, 2009

ModerN Reading System

Gradually I perfected my cooperative multireading technique by combining modular arithmetic with software data structures and algorithms like sets, circular buffers, priority queues and round-robin scheduling. It sounds complicated but in reality the technique is very simple and well suited to everyone who wants to learn everything at once and doesn’t like the traditional book-after-book method. All books we want to read are organized in sets (here I give my own arrangement as an example):

  • Commuting sets
  • Home reading set
  • Background office reading sets
  • Lunch reading set

Every set is organized as a circular buffer (mod N). Some buffers are optimized to avoid a heavy load while commuting. For example, my commuting set is split into two buffers: one is at home and the other is in the office. When I leave for the office I take 2 books from the top of the example queue I currently have at home:

When I arrive at the office I put them at the bottom of the corresponding office book set. When I leave for home I take 2 books from the top of the office queue, and when I arrive home I put them at the bottom of the queue depicted above. Thus I manage to read 4 different books every day during commuting. Sometimes I don’t have a place to sit on the train or am just standing waiting for its arrival. For such cases I have a separate queue of 16 Routledge books (The Basics series). They are small and I read only one of them every day. In total this amounts to 5 different books a day and I read 4 - 12 pages from each. For each commuting direction I have 3 books (2 + 1).

Next I have a semi-fixed set of books for lunch reading, usually 5 or 6 of them. I read 6 - 12 pages from each. These books are organized as a priority queue where books with more pages have higher priority. If 2 or 3 books are on the same topic they are put into a circular buffer to read one per day. In addition, I put a few magazines I’m subscribed to in a cyclic buffer too.

In addition to this, I read only one book at a time at home from cover to cover (usually in Russian). At home I mostly write books (instead of reading).

In the office I have different sets for background reading (instead of the cigarette breaks I had before I quit smoking). This set of sets is organized as a priority queue, with every subset having a circular structure as well if it has more than one book. One long-term set with higher priority is The CRC Encyclopedia of Mathematics. Other books I read in the office include software engineering titles, and for them I publish notes on this blog.

It can be boring sometimes to read the same 1,000-page books for long periods of time, so I also introduce an element of randomness by injecting some recently purchased book or a book from the pool of old unread books.

It is very scalable even if you have only a few hours to read per day. Most important, it also gives a certain satisfying feeling of having started reading all the books you accumulated, and provides cross-book idea fertilization and better knowledge acquisition by repetition.

Now I apply the same reading system to my renewed study of foreign languages. Currently it is German where I have 10 basic language level books arranged in a circular buffer.

Another thing to keep in mind is that you need to have a goal: why you read all these books.
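The commuting part of the system above, simulated as an added example (my code for this note, not from the post): two circular buffers (home and office), 2 books carried each way per day, plus the separate queue of small books read one per day. Book names are placeholders; the simulation shows how many days pass before a given book comes around again.

```python
"""Simulation of the commuting rotation: home and office queues exchange
2 books per trip, and one small book from a separate cycle is read each
day.  Book names (H1.., O1.., B1..) are placeholders, not real titles."""
from collections import deque


def simulate(home, office, basics, days, per_trip=2):
    """Run `days` days of commuting.

    Returns (log, home, office, basics): `log` maps day -> books read that
    day in reading order (morning trip, small book, evening trip); the
    other three are the queue contents after the last day.
    """
    home, office, basics = deque(home), deque(office), deque(basics)
    log = {}
    for day in range(1, days + 1):
        # Morning: take per_trip books from the top of the home queue, read
        # them on the way in, and put them at the bottom of the office queue.
        morning = [home.popleft() for _ in range(min(per_trip, len(home)))]
        office.extend(morning)
        # Standing/waiting case: one book from the small-book cycle, which
        # simply rotates by one position every day (mod len(basics)).
        small = basics[0]
        basics.rotate(-1)
        # Evening: the same exchange in the other direction.
        evening = [office.popleft() for _ in range(min(per_trip, len(office)))]
        home.extend(evening)
        log[day] = morning + [small] + evening
    return log, list(home), list(office), list(basics)


def revisit_period(log, book):
    """Days elapsed between consecutive readings of `book`.

    With N books in the two commuting buffers and 2*per_trip read per day,
    the steady-state period is N / (2*per_trip) days; for the small-book
    cycle it is simply its length.
    """
    days = [d for d, books in log.items() if book in books]
    return [b - a for a, b in zip(days, days[1:])]


if __name__ == "__main__":
    home = ["H1", "H2", "H3", "H4"]
    office = ["O1", "O2", "O3", "O4"]
    basics = [f"B{i}" for i in range(1, 17)]   # 16 small books, one per day
    log, *_ = simulate(home, office, basics, days=17)
    for day in (1, 2, 3):
        print(f"day {day}: {log[day]}")
    print("H1 comes back every", revisit_period(log, "H1"), "days")
    print("B1 comes back every", revisit_period(log, "B1"), "days")
```

With 4 books in each commuting buffer every book is read again after exactly 2 days, while a Basics book returns after 16.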

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 16-November-09

Monday, November 16th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

ChangeServiceConfig2 (p. 292) - http://msdn.microsoft.com/en-us/library/ms681988(VS.85).aspx

sc qprivs <service name> (p. 293) - example for Terminal Service:

C:\Users\Administrator>sc qprivs TermService
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: TermService
        PRIVILEGES       : SeAssignPrimaryTokenPrivilege
                         : SeAuditPrivilege
                         : SeChangeNotifyPrivilege
                         : SeCreateGlobalPrivilege
                         : SeImpersonatePrivilege
                         : SeIncreaseQuotaPrivilege

Union of privileges for svchost.exe (p. 294)
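The sc qprivs output above lists what one service requires; the p. 294 point is that a shared svchost.exe process must hold the union of what all its services require, so each service is exposed to privileges it never asked for. The script below (an added example, not the book's or the tool's code) parses concatenated sc qprivs output and computes that union per host process; the services ExampleSvcA/ExampleSvcB and the service-to-host mapping are constructed for illustration, only the TermService block matches the real output shown above.

```python
"""Compute, per host process, the union of privileges its services require,
from concatenated `sc qprivs <service>` output.  Sample text is constructed;
only the TermService block matches real output."""
import re
from collections import defaultdict

# Constructed sample of what `sc qprivs` prints for three services.
SC_QPRIVS_OUTPUT = """\
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: TermService
        PRIVILEGES       : SeAssignPrimaryTokenPrivilege
                         : SeAuditPrivilege
                         : SeChangeNotifyPrivilege
                         : SeCreateGlobalPrivilege
                         : SeImpersonatePrivilege
                         : SeIncreaseQuotaPrivilege

[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: ExampleSvcA
        PRIVILEGES       : SeChangeNotifyPrivilege
                         : SeDebugPrivilege

[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: ExampleSvcB
        PRIVILEGES       : SeChangeNotifyPrivilege
"""

# Constructed service -> host process mapping (what `tasklist /svc` shows);
# ExampleSvcA and ExampleSvcB share one svchost.exe instance.
HOST_OF = {
    "TermService": "svchost.exe (PID 1016)",
    "ExampleSvcA": "svchost.exe (PID 1200)",
    "ExampleSvcB": "svchost.exe (PID 1200)",
}

# Privileges worth reviewing when they land in a shared host: any code running
# in that process, from any hosted service, can exercise them.
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
               "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
               "SeBackupPrivilege"}


def parse_qprivs(text):
    """Return {service_name: set_of_privileges} from sc qprivs output."""
    privs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            privs[current] = set()
            continue
        # Both the first "PRIVILEGES : Se..." line and the continuation
        # lines that start with a bare ":" carry one privilege each.
        m = re.match(r"\s*(?:PRIVILEGES\s*)?:\s*(Se\w+Privilege)\s*$", line)
        if m and current is not None:
            privs[current].add(m.group(1))
    return privs


def union_by_host(privs, host_of):
    """Union of required privileges per host process, plus contributing services."""
    result = defaultdict(lambda: {"privileges": set(), "services": []})
    for svc, p in privs.items():
        host = host_of.get(svc, f"<unknown host for {svc}>")
        result[host]["privileges"] |= p
        result[host]["services"].append(svc)
    return dict(result)


def review(privs, host_of):
    """(host, privilege, services that did not request it) for each high-impact
    privilege a shared host ends up holding."""
    findings = []
    for host, info in union_by_host(privs, host_of).items():
        for priv in sorted(info["privileges"] & HIGH_IMPACT):
            bystanders = sorted(s for s in info["services"] if priv not in privs[s])
            findings.append((host, priv, bystanders))
    return findings


if __name__ == "__main__":
    parsed = parse_qprivs(SC_QPRIVS_OUTPUT)
    for host, info in union_by_host(parsed, HOST_OF).items():
        print(host, "->", sorted(info["privileges"]))
    for host, priv, bystanders in review(parsed, HOST_OF):
        print(f"{host}: holds {priv}, also exposed to {bystanders}")
```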

Service SID (restricted and unrestricted) (p. 295)

process - window station - desktop - windows (p. 297) - an entity relationship diagram is on slide 14 (Intro: Windows) in my past Selected Citrix Tools presentation: http://www.dumpanalysis.org/CitrixTools/Selected%20Citrix%20Troubleshooting%20Tools.htm

Hung non-interactive services waiting for user input (p. 298) - this partially inspired the Message Box crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/02/19/crash-dump-analysis-patterns-part-51/

SERVICE_INTERACTIVE_PROCESS Type modifier only for local system accounts (p. 298)

Shatter attacks by window messages (p. 299)

Interactive Services Detection (UI0Detect) service (p. 299)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 09-November-09

Monday, November 9th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SApp - SCP - SCM (p. 282)

HKLM\S\CCS\Ss\<>\ErrorControl = 3, SERVICE_ERROR_CRITICAL (p. 284) - can be used to force a BSOD if service startup fails, for postmortem memory dump analysis of the failure

HKLM\S\CCS\Ss\<>\PreshutdownTimeout (p. 286)

HKLM\S\CCS\Ss\<>\RequiredPrivileges (p. 286)

Service threads (p. 287) - some typical thread stack traces can be seen in this case study, which also shows that the service main thread calls control handler functions: http://www.dumpanalysis.org/blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/

Service accounts (p. 288) - an attached WinDbg will not download symbols from the MS symbol server unless run as Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -