Reading Notebook: 18-March-10
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Deferred ready and standby thread states (p. 400)
Gate waiting (p. 401)
Transition state as the state with a paged-out kernel stack (p. 401) - flattening the thread state transition diagram for the ready state:
deferred ready -> ready <-> running
Thread state counter in Performance Monitor (pp. 402 - 404)
Per-processor ready queues and O(1) (pp. 404 - 405)
PRCB (p. 404) - rather a huge structure on x64 W2K8:
0: kd> dt nt!_KPRCB
+0x000 MxCsr : Uint4B
+0x004 Number : Uint2B
+0x006 InterruptRequest : UChar
+0x007 IdleHalt : UChar
+0x008 CurrentThread : Ptr64 _KTHREAD
+0x010 NextThread : Ptr64 _KTHREAD
+0x018 IdleThread : Ptr64 _KTHREAD
+0x020 NestingLevel : UChar
+0x021 Group : UChar
+0x022 PrcbPad00 : [6] UChar
+0x028 RspBase : Uint8B
+0x030 PrcbLock : Uint8B
+0x038 SetMember : Uint8B
+0x040 ProcessorState : _KPROCESSOR_STATE
+0x5f0 CpuType : Char
+0x5f1 CpuID : Char
+0x5f2 CpuStep : Uint2B
+0x5f2 CpuStepping : UChar
+0x5f3 CpuModel : UChar
+0x5f4 MHz : Uint4B
+0x5f8 HalReserved : [8] Uint8B
+0x638 MinorVersion : Uint2B
+0x63a MajorVersion : Uint2B
+0x63c BuildType : UChar
+0x63d CpuVendor : UChar
+0x63e CoresPerPhysicalProcessor : UChar
+0x63f LogicalProcessorsPerCore : UChar
+0x640 ApicMask : Uint4B
+0x644 CFlushSize : Uint4B
+0x648 AcpiReserved : Ptr64 Void
+0x650 InitialApicId : Uint4B
+0x654 Stride : Uint4B
+0x658 PrcbPad01 : [3] Uint8B
+0x670 LockQueue : [49] _KSPIN_LOCK_QUEUE
+0x980 PPLookasideList : [16] _PP_LOOKASIDE_LIST
+0xa80 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x1680 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x2280 PacketBarrier : Uint8B
+0x2288 DeferredReadyListHead : _SINGLE_LIST_ENTRY
+0x2290 MmPageFaultCount : Int4B
+0x2294 MmCopyOnWriteCount : Int4B
+0x2298 MmTransitionCount : Int4B
+0x229c MmDemandZeroCount : Int4B
+0x22a0 MmPageReadCount : Int4B
+0x22a4 MmPageReadIoCount : Int4B
+0x22a8 MmDirtyPagesWriteCount : Int4B
+0x22ac MmDirtyWriteIoCount : Int4B
+0x22b0 MmMappedPagesWriteCount : Int4B
+0x22b4 MmMappedWriteIoCount : Int4B
+0x22b8 KeSystemCalls : Uint4B
+0x22bc KeContextSwitches : Uint4B
+0x22c0 CcFastReadNoWait : Uint4B
+0x22c4 CcFastReadWait : Uint4B
+0x22c8 CcFastReadNotPossible : Uint4B
+0x22cc CcCopyReadNoWait : Uint4B
+0x22d0 CcCopyReadWait : Uint4B
+0x22d4 CcCopyReadNoWaitMiss : Uint4B
+0x22d8 LookasideIrpFloat : Int4B
+0x22dc IoReadOperationCount : Int4B
+0x22e0 IoWriteOperationCount : Int4B
+0x22e4 IoOtherOperationCount : Int4B
+0x22e8 IoReadTransferCount : _LARGE_INTEGER
+0x22f0 IoWriteTransferCount : _LARGE_INTEGER
+0x22f8 IoOtherTransferCount : _LARGE_INTEGER
+0x2300 TargetSet : Uint8B
+0x2308 IpiFrozen : Uint4B
+0x230c PrcbPad3 : [116] UChar
+0x2380 RequestMailbox : [64] _REQUEST_MAILBOX
+0x3380 SenderSummary : Uint8B
+0x3388 PrcbPad4 : [120] UChar
+0x3400 DpcData : [2] _KDPC_DATA
+0x3440 DpcStack : Ptr64 Void
+0x3448 SparePtr0 : Ptr64 Void
+0x3450 MaximumDpcQueueDepth : Int4B
+0x3454 DpcRequestRate : Uint4B
+0x3458 MinimumDpcRate : Uint4B
+0x345c DpcInterruptRequested : UChar
+0x345d DpcThreadRequested : UChar
+0x345e DpcRoutineActive : UChar
+0x345f DpcThreadActive : UChar
+0x3460 TimerHand : Uint8B
+0x3460 TimerRequest : Uint8B
+0x3468 TickOffset : Int4B
+0x346c MasterOffset : Int4B
+0x3470 DpcLastCount : Uint4B
+0x3474 ThreadDpcEnable : UChar
+0x3475 QuantumEnd : UChar
+0x3476 PrcbPad50 : UChar
+0x3477 IdleSchedule : UChar
+0x3478 DpcSetEventRequest : Int4B
+0x347c KeExceptionDispatchCount : Uint4B
+0x3480 DpcEvent : _KEVENT
+0x3498 PrcbPad51 : Ptr64 Void
+0x34a0 CallDpc : _KDPC
+0x34e0 ClockKeepAlive : Int4B
+0x34e4 ClockCheckSlot : UChar
+0x34e5 ClockPollCycle : UChar
+0x34e6 PrcbPad6 : [2] UChar
+0x34e8 DpcWatchdogPeriod : Int4B
+0x34ec DpcWatchdogCount : Int4B
+0x34f0 PrcbPad70 : [2] Uint8B
+0x3500 WaitListHead : _LIST_ENTRY
+0x3510 WaitLock : Uint8B
+0x3518 ReadySummary : Uint4B
+0x351c QueueIndex : Uint4B
+0x3520 PrcbPad71 : [12] Uint8B
+0x3580 DispatcherReadyListHead : [32] _LIST_ENTRY
+0x3780 InterruptCount : Uint4B
+0x3784 KernelTime : Uint4B
+0x3788 UserTime : Uint4B
+0x378c DpcTime : Uint4B
+0x3790 InterruptTime : Uint4B
+0x3794 AdjustDpcThreshold : Uint4B
+0x3798 SkipTick : UChar
+0x3799 DebuggerSavedIRQL : UChar
+0x379a PollSlot : UChar
+0x379b PrcbPad80 : [5] UChar
+0x37a0 DpcTimeCount : Uint4B
+0x37a4 DpcTimeLimit : Uint4B
+0x37a8 PeriodicCount : Uint4B
+0x37ac PeriodicBias : Uint4B
+0x37b0 PrcbPad81 : [2] Uint8B
+0x37c0 ParentNode : Ptr64 _KNODE
+0x37c8 MultiThreadProcessorSet : Uint8B
+0x37d0 MultiThreadSetMaster : Ptr64 _KPRCB
+0x37d8 StartCycles : Uint8B
+0x37e0 MmSpinLockOrdering : Int4B
+0x37e4 PageColor : Uint4B
+0x37e8 NodeColor : Uint4B
+0x37ec NodeShiftedColor : Uint4B
+0x37f0 SecondaryColorMask : Uint4B
+0x37f4 Sleeping : Int4B
+0x37f8 CycleTime : Uint8B
+0x3800 CcFastMdlReadNoWait : Uint4B
+0x3804 CcFastMdlReadWait : Uint4B
+0x3808 CcFastMdlReadNotPossible : Uint4B
+0x380c CcMapDataNoWait : Uint4B
+0x3810 CcMapDataWait : Uint4B
+0x3814 CcPinMappedDataCount : Uint4B
+0x3818 CcPinReadNoWait : Uint4B
+0x381c CcPinReadWait : Uint4B
+0x3820 CcMdlReadNoWait : Uint4B
+0x3824 CcMdlReadWait : Uint4B
+0x3828 CcLazyWriteHotSpots : Uint4B
+0x382c CcLazyWriteIos : Uint4B
+0x3830 CcLazyWritePages : Uint4B
+0x3834 CcDataFlushes : Uint4B
+0x3838 CcDataPages : Uint4B
+0x383c CcLostDelayedWrites : Uint4B
+0x3840 CcFastReadResourceMiss : Uint4B
+0x3844 CcCopyReadWaitMiss : Uint4B
+0x3848 CcFastMdlReadResourceMiss : Uint4B
+0x384c CcMapDataNoWaitMiss : Uint4B
+0x3850 CcMapDataWaitMiss : Uint4B
+0x3854 CcPinReadNoWaitMiss : Uint4B
+0x3858 CcPinReadWaitMiss : Uint4B
+0x385c CcMdlReadNoWaitMiss : Uint4B
+0x3860 CcMdlReadWaitMiss : Uint4B
+0x3864 CcReadAheadIos : Uint4B
+0x3868 MmCacheTransitionCount : Int4B
+0x386c MmCacheReadCount : Int4B
+0x3870 MmCacheIoCount : Int4B
+0x3874 PrcbPad91 : [3] Uint4B
+0x3880 PowerState : _PROCESSOR_POWER_STATE
+0x3998 KeAlignmentFixupCount : Uint4B
+0x399c VendorString : [13] UChar
+0x39a9 PrcbPad10 : [3] UChar
+0x39ac FeatureBits : Uint4B
+0x39b0 UpdateSignature : _LARGE_INTEGER
+0x39b8 DpcWatchdogDpc : _KDPC
+0x39f8 DpcWatchdogTimer : _KTIMER
+0x3a38 Cache : [5] _CACHE_DESCRIPTOR
+0x3a74 CacheCount : Uint4B
+0x3a78 CachedCommit : Uint4B
+0x3a7c CachedResidentAvailable : Uint4B
+0x3a80 HyperPte : Ptr64 Void
+0x3a88 WheaInfo : Ptr64 Void
+0x3a90 EtwSupport : Ptr64 Void
+0x3aa0 InterruptObjectPool : _SLIST_HEADER
+0x3ab0 HypercallPageList : _SLIST_HEADER
+0x3ac0 HypercallPageVirtual : Ptr64 Void
+0x3ac8 VirtualApicAssist : Ptr64 Void
+0x3ad0 StatisticsPage : Ptr64 Uint8B
+0x3ad8 RateControl : Ptr64 Void
+0x3ae0 CacheProcessorMask : [5] Uint8B
+0x3b08 PackageProcessorSet : Uint8B
+0x3b10 CoreProcessorSet : Uint8B
Changed thread quantum accounting in Vista (now: clock cycles), quantum targets, partial quantum decay (pp. 406 - 407)
The mystery of huge number in KiCyclesPerClockQuantum (p. 408) - here is an output on my PC:
0: kd> dd KiCyclesPerClockQuantum l1
fffff800`01a45170 008e58db
0: kd> !cpuinfo
CP F/M/S Manufacturer MHz PRCB Signature MSR 8B Signature Features
0 6,15,2 GenuineIntel 1794 0000005600000000 20193ffe
1 6,15,2 GenuineIntel 1794 0000005600000000 20193ffe
Cached Update Signature 0000005a00000000
Initial Update Signature 0000005600000000
C:\>C:\DL\Clockres.exe
ClockRes v2.0 - View the system clock resolution
Copyright (C) 2009 Mark Russinovich
SysInternals - www.sysinternals.com
Maximum timer interval: 15.600 ms
Minimum timer interval: 0.500 ms
Current timer interval: 1.000 ms
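An added worked example (my own, not from the post or the book): reproducing the KiCyclesPerClockQuantum value read above from the 1794 MHz that !cpuinfo reports and the clock interval ClockRes reports, using the rule Windows Internals describes for Vista quantum accounting (one clock interval is worth three quantum units, so cycles per quantum unit = cycles per clock interval / 3). The exact increment of 156001 × 100 ns is an assumption: ClockRes only prints 15.600 ms, and the comparison shows that the literal 15.600 ms is 59 cycles short of the observed value while 15.6001 ms matches it exactly.

```python
# Added worked example, not code from the original post.
# Reproduce dd KiCyclesPerClockQuantum == 0x008e58db from the same session's
# !cpuinfo frequency (1794 MHz) and the clock interval ClockRes shows.
#
# Rule from Windows Internals, quantum accounting (Vista+):
#   one clock interval = 3 quantum units
#   cycles per quantum unit = (CPU Hz * clock interval) / 3
#
# Assumption: the kernel keeps the clock interval in 100-ns units
# (KeMaximumIncrement) and works in integers, so we do the same.


def cycles_per_clock_quantum(mhz: int, increment_100ns: int) -> int:
    """Clock cycles in one quantum unit for a CPU at `mhz` MHz whose clock
    interrupt fires every `increment_100ns` * 100 ns."""
    hz = mhz * 1_000_000
    # cycles elapsed between two clock interrupts
    cycles_per_tick = hz * increment_100ns // 10_000_000
    # three quantum units per clock interval
    return cycles_per_tick // 3


def explain_discrepancy(mhz: int, observed: int) -> dict:
    """Compare the observed debugger value against two candidate intervals:
    the rounded 15.600 ms ClockRes prints and the 15.6001 ms (156001 x 100 ns)
    increment assumed to be behind that display."""
    rounded = cycles_per_clock_quantum(mhz, 156_000)   # 15.6000 ms literally
    exact = cycles_per_clock_quantum(mhz, 156_001)     # 15.6001 ms (assumption)
    return {
        "observed": observed,
        "from_15.600ms": rounded,
        "from_15.6001ms": exact,
        "delta_rounded": observed - rounded,
        "delta_exact": observed - exact,
    }


if __name__ == "__main__":
    # values from the post's own debugger session
    result = explain_discrepancy(mhz=1794, observed=0x008E58DB)
    for key, value in result.items():
        print(f"{key:>15}: {value:#x} ({value})")
```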
HKLM\S\CCS\C\PriorityControl\Win32PrioritySeparation vs. PsPrioritySeperation - looks like a misprint that needs fixing in the next version of Windows
Why it was a deliberate misspelling (p. 411) we can only guess…
0: kd> dd PsPrioritySeperation l1
fffff800`01a45228 00000002
- Dmitry Vostokov @ SoftwareGeneralist.com -
March 21st, 2010 at 7:56 pm
>PsPrioritySeperation
Indeed, this variable’s name was fixed in w7 – no more ‘PsPrioritySeperation’, but ‘PsPrioritySeparation’ present instead.
That’s slightly surprising, since misprints in some other places in Windows code tend to persist from build to build. For example, the ‘bHasMeun’ member of the window structure:
lkd> dt win32k!tagWND
+0x000 head : _THRDESKHEAD
+0x028 state : Uint4B
+0x028 bHasMeun : Pos 0, 1 Bit
+0x028 bHasVerticalScrollbar : Pos 1, 1 Bit
Or the misprint in the address space layout table (\ntos\mm\amd64\miamd.h):
FFFF080000000000 | Start of System space | MM_SYSTEM_RANGE_START
Here, the author of the original layout probably meant “FFFF800000000000”, since for a virtual address to be regarded as canonical, its bits 63..48 shall be a sign extension of bit 47 – but back in the day that erratum slipped through and its results are still there, in the w7 kernel:
lkd> dp MmSystemRangeStart l1
fffff800`02aa90e0 ffff0800`00000000
(Although there might actually be some valid reason for this value – we don’t really know.)
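An added example, mine rather than the commenter's, applying the canonical-address rule quoted in the comment (bits 63..48 must be a sign extension of bit 47 under 48-bit x64 virtual addressing) to the MM_SYSTEM_RANGE_START value in question. parse_dp_value() is a small helper of my own that pulls the quadword out of a WinDbg dp line, which prints 64-bit values with a backtick between the high and low dwords; the dp line it parses is a copy of the one shown in the comment.

```python
# Added example; not code from the post or its comments.
# Checks x64 canonical form for the value the comment discusses and shows
# how to read a quadword back out of WinDbg "dp <addr> l1" output.
import re

# WinDbg dp output: "<addr-hi>`<addr-lo> <value-hi>`<value-lo>"
_DP_LINE = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8}\s+([0-9a-f]{8})`([0-9a-f]{8})", re.IGNORECASE
)


def parse_dp_value(line: str) -> int:
    """Return the 64-bit value printed on a 'dp ... l1' output line."""
    match = _DP_LINE.match(line.strip())
    if match is None:
        raise ValueError(f"not a dp quadword line: {line!r}")
    return (int(match.group(1), 16) << 32) | int(match.group(2), 16)


def is_canonical(va: int) -> bool:
    """True if bits 63..48 equal the sign extension of bit 47.

    With 4-level paging only 48 bits are translated; the CPU raises a
    general-protection fault (not a page fault) on a non-canonical address,
    which is why a table entry like FFFF080000000000 can never be mapped."""
    va &= (1 << 64) - 1
    bit47 = (va >> 47) & 1
    upper = va >> 48
    return upper == (0xFFFF if bit47 else 0x0000)


# constructed copy of the dp line quoted in the comment
MM_SYSTEM_RANGE_START_LINE = "fffff800`02aa90e0 ffff0800`00000000"


def check_comment_values() -> dict:
    """Evaluate the value read from the kernel and the one the comment
    believes was intended."""
    read_value = parse_dp_value(MM_SYSTEM_RANGE_START_LINE)
    intended = 0xFFFF800000000000
    return {
        "read": (read_value, is_canonical(read_value)),
        "intended": (intended, is_canonical(intended)),
    }


if __name__ == "__main__":
    for label, (va, ok) in check_comment_values().items():
        print(f"{label:>8}: {va:#018x} canonical={ok}")
```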