Reading Notebook: 25-November-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
FailureActionsOnNonCrashFailures (p. 310)
WaitToKillApp(Service)Timeout (p. 311)
Shutdown ordering and preshutdown notification (pp. 312 - 313)
Shared services vulnerability to a crashing bug (p. 313) - Because an exception in one thread doesn’t affect another thread if there is no dependency (see MTCrash application, http://www.dumpanalysis.org/blog/index.php/2008/12/31/mtcrash/), if we preserve the crashed process, for example, using the Crash2Hang tool (http://www.dumpanalysis.org/blog/index.php/2008/12/29/crash2hang/), we might temporarily preserve the functionality of the remaining services (if there is no dependency)
CNG-KeyIso service (p. 313)
Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID:

SubProcessTag (p. 316) - Here is an example from svchost.exe PID 1016 from the screenshot above:
lkd> !process 0n1016 1f
Searching for Process with Cid == 3f8
Cid Handle table at fffff88008156000 with 1063 Entries in use
PROCESS fffffa8004adec10
   SessionId: 0 Cid: 03f8   Peb: 7fffffdd000 ParentCid: 0280
   DirBase: add75000 ObjectTable: fffff88007f3c4d0 HandleCount: 436.
   Image: svchost.exe
   VadRoot fffffa80048b9220 Vads 153 Clone 0 Private 1630. Modified 1512. Locked 6.
   DeviceMap fffff8800802ef40
   Token                            fffff880080aa060
   ElapsedTime                      5 Days 01:31:56.632
   UserTime                         00:00:05.257
   KernelTime                       00:00:04.555
   QuotaPoolUsage[PagedPool]        132496
   QuotaPoolUsage[NonPagedPool]     21488
   Working Set Sizes (now,min,max) (3650, 50, 345) (14600KB, 200KB, 1380KB)
   PeakWorkingSetSize               3725
   VirtualSize                      78 Mb
   PeakVirtualSize                  84 Mb
   PageFaultCount                   38144
   MemoryPriority                   BACKGROUND
   BasePriority                     8
   CommitCharge                     3976
[...]
       THREAD fffffa8004b55060 Cid 03f8.046c Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
           fffffa8004b54a80 NotificationEvent
           fffffa8004b52a50 SynchronizationEvent
           fffffa8004b55e00 NotificationEvent
           fffffa8004b55118 NotificationTimer
       Not impersonating
       DeviceMap                fffff8800802ef40
       Owning Process           fffffa8004adec10      Image:        svchost.exe
       Attached Process         N/A           Image:        N/A
       Wait Start TickCount     28044441      Ticks: 4968 (0:00:01:17.501)
       Context Switch Count     3784
       UserTime                 00:00:00.000
       KernelTime               00:00:00.000
       Win32 Start Address dhcpcsvc6!Dhcpv6Main (0x000007fefd726884)
       Stack Init fffffa6003c47db0 Current fffffa6003c47230
       Base fffffa6003c48000 Limit fffffa6003c42000 Call 0
       Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
       Child-SP         RetAddr          Call Site
       fffffa60`03c47270 fffff800`018a46fa nt!KiSwapContext+0x7f
       fffffa60`03c473b0 fffff800`018a9feb nt!KiSwapThread+0x13a
       fffffa60`03c47420 fffff800`01b03a8e nt!KeWaitForMultipleObjects+0x2eb
       fffffa60`03c474a0 fffff800`01b040d3 nt!ObpWaitForMultipleObjects+0x26e
       fffffa60`03c47960 fffff800`018a1ef3 nt!NtWaitForMultipleObjects+0xe2
       fffffa60`03c47bb0 00000000`776e72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`03c47c20)
       00000000`0272f5e8 00000000`7758bc03 ntdll!ZwWaitForMultipleObjects+0xa
       00000000`0272f5f0 000007fe`fd726117 kernel32!WaitForMultipleObjectsEx+0x10b
       00000000`0272f700 000007fe`fd726944 dhcpcsvc6!ProcessDhcpv6RequestForever+0x143
       00000000`0272f7c0 00000000`7758be3d dhcpcsvc6!Dhcpv6Main+0xc0
       00000000`0272f800 00000000`776c6a51 kernel32!BaseThreadInitThunk+0xd
       00000000`0272f830 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
[...]
lkd> dt _TEB 000007fffff9e000 SubProcessTag
ntdll!_TEB
  +0x1720 SubProcessTag : 0x00000000`00000011
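An added example (not from the book or the original post): a Python helper that parses saved `!process <pid> 1f` output, emits the `dt _TEB <teb> SubProcessTag` command for every thread with a user-mode TEB, and decodes the tag from the `dt` output. The second thread in the sample and all function names are constructed for illustration.

```python
import re

THREAD_RE = re.compile(
    r"THREAD\s+([0-9a-f]+)\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)\s+Teb:\s+([0-9a-f]+)", re.I)
START_RE = re.compile(r"Win32 Start Address\s+(\S+)")
TAG_RE = re.compile(r"SubProcessTag\s*:\s*0x([0-9a-f`]+)", re.I)

# Constructed sample: trimmed `!process 0n1016 1f` output; the second thread is invented.
SAMPLE = """\
THREAD fffffa8004b55060 Cid 03f8.046c Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
Win32 Start Address dhcpcsvc6!Dhcpv6Main (0x000007fefd726884)
THREAD fffffa8004b60060 Cid 03f8.0470 Teb: 000007fffff9c000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
Win32 Start Address ntdll!TppWorkerThread (0x00000000776b8a40)
"""
DT_SAMPLE = "ntdll!_TEB\n   +0x1720 SubProcessTag : 0x00000000`00000011\n"

def normalise(text):
    # Blog and forum pastes often turn "0x" into "0×" (U+00D7); undo that first.
    return text.replace("0\u00d7", "0x")

def parse_threads(text):
    """Return one dict per THREAD block: ETHREAD, PID/TID (ints), TEB, start symbol."""
    threads = []
    for line in normalise(text).splitlines():
        m = THREAD_RE.search(line)
        if m:
            threads.append({"ethread": m.group(1), "pid": int(m.group(2), 16),
                            "tid": int(m.group(3), 16), "teb": m.group(4), "start": None})
            continue
        s = START_RE.search(line)
        if s and threads and threads[-1]["start"] is None:
            threads[-1]["start"] = s.group(1)
    return threads

def dt_commands(threads):
    """One `dt _TEB <teb> SubProcessTag` per thread that has a user-mode TEB."""
    return [f"dt _TEB {t['teb']} SubProcessTag" for t in threads if int(t["teb"], 16)]

def parse_tag(dt_output):
    """Extract the tag from dt output; WinDbg splits 64-bit values with a backtick."""
    m = TAG_RE.search(normalise(dt_output))
    return int(m.group(1).replace("`", ""), 16) if m else None

if __name__ == "__main__":
    for cmd in dt_commands(parse_threads(SAMPLE)): print(cmd)
    print(parse_tag(DT_SAMPLE))
```

Grouping the parsed threads by their tag value shows which threads in a shared svchost.exe belong to the same service.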
Advanced .NET Debugging by M. Hewardt:
Debugging Tools for Windows (pp. 3 - 4) - Here are quick links for download: http://windbg.org
No major CLR changes for .NET 3.x (p. 5)
DbgClr (p. 6)
MSBUILD XML example (pp. 6 - 7)
.load vs. .loadby (pp. 8 - 11) - Some additional load scenarios for legacy SOS and its server version can be found in comments to Managed Code Exception pattern: http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/
SOSEX (pp. 10 - 11) - Added to my blog roll and links on http://DumpAnalysis.org
CLR Profiler (pp. 11 - 13) - Looks similar to functionality of unmanaged UMDH tool (user mode heap stack trace database)
- Dmitry Vostokov @ SoftwareGeneralist.com -
March 16th, 2010 at 9:29 pm
“Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID”
Which OS is that?
March 18th, 2010 at 12:01 pm
Windows Server 2008