Software Generalist

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

FailureActionsOnNonCrashFailures (p. 310)

WaitToKillApp(Service)Timeout (p. 311)

Shutdown ordering and preshutdown notification (pp. 312 - 313)

Shared services vulnerability to a crashing bug (p. 313) - Because an exception in one thread doesn’t affect another thread if there is no dependency (see MTCrash application, http://www.dumpanalysis.org/blog/index.php/2008/12/31/mtcrash/) if we preserve the crashed process, for example, using Crash2Hang tool (http://www.dumpanalysis.org/blog/index.php/2008/12/29/crash2hang/) we might temporarily preserve functionality of the remaining services (if there is no dependency)

CNG-KeyIso service (p. 313)

Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID:

SubProcessTag (p. 316) - Here is an example from svchost.exe PID 1016 from the screenshot above:

lkd> !process 0n1016 1f
Searching for Process with Cid == 3f8
Cid Handle table at fffff88008156000 with 1063 Entries in use
PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 436.
    Image: svchost.exe
    VadRoot fffffa80048b9220 Vads 153 Clone 0 Private 1630. Modified 1512. Locked 6.
    DeviceMap fffff8800802ef40
    Token                             fffff880080aa060
    ElapsedTime                       5 Days 01:31:56.632
    UserTime                          00:00:05.257
    KernelTime                        00:00:04.555
    QuotaPoolUsage[PagedPool]         132496
    QuotaPoolUsage[NonPagedPool]      21488
    Working Set Sizes (now,min,max)  (3650, 50, 345) (14600KB, 200KB, 1380KB)
    PeakWorkingSetSize                3725
    VirtualSize                       78 Mb
    PeakVirtualSize                   84 Mb
    PageFaultCount                    38144
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      3976

[...]

        THREAD fffffa8004b55060  Cid 03f8.046c  Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
            fffffa8004b54a80  NotificationEvent
            fffffa8004b52a50  SynchronizationEvent
            fffffa8004b55e00  NotificationEvent
            fffffa8004b55118  NotificationTimer
        Not impersonating
        DeviceMap                 fffff8800802ef40
        Owning Process            fffffa8004adec10       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      28044441       Ticks: 4968 (0:00:01:17.501)
        Context Switch Count      3784            
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address dhcpcsvc6!Dhcpv6Main (0×000007fefd726884)
        Stack Init fffffa6003c47db0 Current fffffa6003c47230
        Base fffffa6003c48000 Limit fffffa6003c42000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffffa60`03c47270 fffff800`018a46fa nt!KiSwapContext+0×7f
        fffffa60`03c473b0 fffff800`018a9feb nt!KiSwapThread+0×13a
        fffffa60`03c47420 fffff800`01b03a8e nt!KeWaitForMultipleObjects+0×2eb
        fffffa60`03c474a0 fffff800`01b040d3 nt!ObpWaitForMultipleObjects+0×26e
        fffffa60`03c47960 fffff800`018a1ef3 nt!NtWaitForMultipleObjects+0xe2
        fffffa60`03c47bb0 00000000`776e72ca nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`03c47c20)
        00000000`0272f5e8 00000000`7758bc03 ntdll!ZwWaitForMultipleObjects+0xa
        00000000`0272f5f0 000007fe`fd726117 kernel32!WaitForMultipleObjectsEx+0×10b
        00000000`0272f700 000007fe`fd726944 dhcpcsvc6!ProcessDhcpv6RequestForever+0×143
        00000000`0272f7c0 00000000`7758be3d dhcpcsvc6!Dhcpv6Main+0xc0
        00000000`0272f800 00000000`776c6a51 kernel32!BaseThreadInitThunk+0xd
        00000000`0272f830 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

[...]

lkd> dt _TEB 000007fffff9e000 SubProcessTag
ntdll!_TEB
   +0x1720 SubProcessTag : 0x00000000`00000011

Advanced .NET Debugging by M. Hewardt:

Debugging Tools for Windows (pp. 3 -4) - Here are quick links for download: http://windbg.org

No major CLR changes for .NET 3.x (p. 5)

DbgClr (p. 6)

MSBUILD XML example (pp. 6 - 7)

.load vs. .loadby (pp. 8 - 11) - Some additional load scenarios for legacy SOS and its server version can be found in comments to Managed Code Exception pattern: http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/

SOSEX (pp. 10 - 11) - Added to my blog roll and links on http://DumpAnalysis.org

CLR Profiler (pp. 11 - 13) - Looks similar to functionality of unmanaged UMDH tool (user mode heap stack trace database)

- Dmitry Vostokov @ SoftwareGeneralist.com -

           

Announcements

Coming Soon:

Debugging Notebook: Essential Concepts, WinDbg Commands and Tools

Crash Dump Analysis for System Administrators and Support Engineers

New Magazines:

Debugged! MZ/PE: MagaZine for/from Practicing Engineers

New Books:

Memory Dump Analysis Anthology, Volume 3

First Fault Software Problem Solving: A Guide for Engineers, Managers and Users

x64 Windows Debugging: Practical Foundations

Also available:

Windows Debugging: Practical Foundations

DLL List Landscape: The Art from Computer Memory Space

Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov

WinDbg: A Reference Poster and Learning Cards

Memory Dump Analysis Anthology, Volume 2

Memory Dump Analysis Anthology, Volume 1

New Children's Book:

Baby Turing

This entry was posted on Wednesday, November 25th, 2009 at 11:48 pm and is filed under Notes on Advanced .NET Debugging, Notes on Windows Internals, Reading Notebook. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.