Software Generalist

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Hard CPU limits per-session, -user and -system (pp. 444-445)

Security and user-interface limits on jobs (p. 447)

job objects (pp. 447 - 450) - we can dump all processes via !process 0 1 command and look for “Job ” in the output as on my x64 W2K8 system:

1: kd> !process 0 1

PROCESS fffffa8004e28c10
    SessionId: 1  Cid: 0a70    Peb: 7fffffd8000  ParentCid: 09ec
    DirBase: 93cfb000  ObjectTable: fffff88008ec2a20  HandleCount: 405.
    Image: MSASCui.exe
    VadRoot fffffa8004de0390 Vads 106 Clone 0 Private 1932. Modified 352. Locked 0.
    DeviceMap fffff88008479c90
    Token                             fffff88008edb060
    ElapsedTime                       00:03:15.554
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         197440
    QuotaPoolUsage[NonPagedPool]      21728
    Working Set Sizes (now,min,max)  (3259, 50, 345) (13036KB, 200KB, 1380KB)
    PeakWorkingSetSize                3259
    VirtualSize                       96 Mb
    PeakVirtualSize                   96 Mb
    PageFaultCount                    5245
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      2214
    Job                               fffffa80050f8860

PROCESS fffffa800511b260
    SessionId: 1  Cid: 0a78    Peb: 7fffffd3000  ParentCid: 09ec
    DirBase: 93dcb000  ObjectTable: fffff880089d4ae0  HandleCount: 128.
    Image: wmdSync.exe
    VadRoot fffffa800511aba0 Vads 77 Clone 0 Private 436. Modified 0. Locked 0.
    DeviceMap fffff88008479c90
    Token                             fffff88008ee1060
    ElapsedTime                       00:03:15.429
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         150088
    QuotaPoolUsage[NonPagedPool]      7296
    Working Set Sizes (now,min,max)  (1554, 50, 345) (6216KB, 200KB, 1380KB)
    PeakWorkingSetSize                1558
    VirtualSize                       75 Mb
    PeakVirtualSize                   76 Mb
    PageFaultCount                    1643
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      584
    Job                               fffffa80050f8860

PROCESS fffffa8005120a30
    SessionId: 1  Cid: 0a88    Peb: 7efdf000  ParentCid: 09ec
    DirBase: 923cd000  ObjectTable: fffff88008e29560  HandleCount:  99.
    Image: daemon.exe
    VadRoot fffffa8004a8cba0 Vads 96 Clone 0 Private 843. Modified 0. Locked 0.
    DeviceMap fffff88008479c90
    Token                             fffff88008eed730
    ElapsedTime                       00:03:14.976
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         175272
    QuotaPoolUsage[NonPagedPool]      9024
    Working Set Sizes (now,min,max)  (2608, 50, 345) (10432KB, 200KB, 1380KB)
    PeakWorkingSetSize                2615
    VirtualSize                       92 Mb
    PeakVirtualSize                   94 Mb
    PageFaultCount                    3463
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1397
    Job                               fffffa80050f8860

PROCESS fffffa80051b5640
    SessionId: 1  Cid: 0b98    Peb: 7efdf000  ParentCid: 09ec
    DirBase: 8e371000  ObjectTable: fffff8800910ced0  HandleCount:  59.
    Image: WZQKPICK.EXE
    VadRoot fffffa80051c1630 Vads 58 Clone 0 Private 215. Modified 0. Locked 0.
    DeviceMap fffff88008479c90
    Token                             fffff8800910c860
    ElapsedTime                       00:03:00.903
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         123744
    QuotaPoolUsage[NonPagedPool]      5376
    Working Set Sizes (now,min,max)  (1274, 50, 345) (5096KB, 200KB, 1380KB)
    PeakWorkingSetSize                1274
    VirtualSize                       62 Mb
    PeakVirtualSize                   63 Mb
    PageFaultCount                    1304
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      331
    Job                               fffffa80050f8860

PROCESS fffffa800530e040
    SessionId: 0  Cid: 0bcc    Peb: 7fffffd6000  ParentCid: 0328
    DirBase: 12c7cc000  ObjectTable: fffff880097c19e0  HandleCount: 193.
    Image: WmiPrvSE.exe
    VadRoot fffffa80053864c0 Vads 107 Clone 0 Private 766. Modified 0. Locked 0.
    DeviceMap fffff88007fe7530
    Token                             fffff8800995f060
    ElapsedTime                       00:00:27.349
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         102888
    QuotaPoolUsage[NonPagedPool]      10176
    Working Set Sizes (now,min,max)  (2338, 50, 345) (9352KB, 200KB, 1380KB)
    PeakWorkingSetSize                2338
    VirtualSize                       56 Mb
    PeakVirtualSize                   56 Mb
    PageFaultCount                    2724
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1359
    Job                               fffffa8004d71560

1: kd> !job fffffa8004d71560
Job at fffffa8004d71560
  TotalPageFaultCount      0
  TotalProcesses           1
  ActiveProcesses          1
  TotalTerminatedProcesses 0
  LimitFlags               2b08
  MinimumWorkingSetSize    0
  MaximumWorkingSetSize    0
  ActiveProcessLimit       20
  PriorityClass            0
  UIRestrictionsClass      0
  SecurityLimitFlags       0
  Token                    0000000000000000

1: kd> !job fffffa80050f8860
Job at fffffa80050f8860
  TotalPageFaultCount      0
  TotalProcesses           4
  ActiveProcesses          4
  TotalTerminatedProcesses 0
  LimitFlags               1000
  MinimumWorkingSetSize    0
  MaximumWorkingSetSize    0
  ActiveProcessLimit       0
  PriorityClass            0
  UIRestrictionsClass      0
  SecurityLimitFlags       0
  Token                    0000000000000000 

1: kd> dt _EJOB fffffa80050f8860
nt!_EJOB
   +0x000 Event            : _KEVENT
   +0x018 JobLinks         : _LIST_ENTRY [ 0xfffff800`019c2450 - 0xfffffa80`04d71578 ]
   +0x028 ProcessListHead  : _LIST_ENTRY [ 0xfffffa80`04e28e58 - 0xfffffa80`051b5888 ]
   +0x038 JobLock          : _ERESOURCE
   +0x0a0 TotalUserTime    : _LARGE_INTEGER 0x0
   +0x0a8 TotalKernelTime  : _LARGE_INTEGER 0x0
   +0x0b0 ThisPeriodTotalUserTime : _LARGE_INTEGER 0x0
   +0x0b8 ThisPeriodTotalKernelTime : _LARGE_INTEGER 0x0
   +0x0c0 TotalPageFaultCount : 0
   +0x0c4 TotalProcesses   : 4
   +0x0c8 ActiveProcesses  : 4
   +0x0cc TotalTerminatedProcesses : 0
   +0x0d0 PerProcessUserTimeLimit : _LARGE_INTEGER 0x0
   +0x0d8 PerJobUserTimeLimit : _LARGE_INTEGER 0x0
   +0x0e0 LimitFlags       : 0x1000
   +0x0e8 MinimumWorkingSetSize : 0
   +0x0f0 MaximumWorkingSetSize : 0
   +0x0f8 ActiveProcessLimit : 0
   +0x100 Affinity         : 0
   +0x108 PriorityClass    : 0 ''
   +0x110 AccessState      : (null)
   +0x118 UIRestrictionsClass : 0
   +0x11c EndOfJobTimeAction : 0
   +0x120 CompletionPort   : (null)
   +0x128 CompletionKey    : (null)
   +0x130 SessionId        : 1
   +0x134 SchedulingClass  : 5
   +0x138 ReadOperationCount : 0
   +0x140 WriteOperationCount : 0
   +0x148 OtherOperationCount : 0
   +0x150 ReadTransferCount : 0
   +0x158 WriteTransferCount : 0
   +0x160 OtherTransferCount : 0
   +0x168 ProcessMemoryLimit : 0
   +0x170 JobMemoryLimit   : 0
   +0x178 PeakProcessMemoryUsed : 0x912
   +0x180 PeakJobMemoryUsed : 0x11b3
   +0x188 CurrentJobMemoryUsed : 0x11ae
   +0x190 MemoryLimitsLock : _EX_PUSH_LOCK
   +0x198 JobSetLinks      : _LIST_ENTRY [ 0xfffffa80`050f89f8 - 0xfffffa80`050f89f8 ]
   +0x1a8 MemberLevel      : 0
   +0x1ac JobFlags         : 1

C2 reqs: SLF - DAC - SAC - ORP (p. 452) - mnemonic to remember perhaps for security exams like CISSP

B reqs: TPF - TFM (p. 453)

Security targets and protection profiles (p. 453)

Advanced .NET Debugging by M. Hewardt:

type handle as a pointer to method table (p. 53) - I liked managed heap - execution engine boundary and propose this colored space diagram (will add this to Dictionary of Debugging soon as a tripartite “virtual” memory  division) :

 

!DumpModule command (p. 57)

!U command (pp. 58 - 59)

!DumpMT command (p. 59)

!DumpMT -md to dump type method descriptors (p. 60)

!DumpMD command (p. 60)

m_CodeOrIL: 00920070 (p. 61) - the address looks like as UNICODE string but I belive this is just a coincidence, the false positive of Wild Pointer pattern: http://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/

- Dmitry Vostokov @ SoftwareGeneralist.com -

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

per-PRCB queued, system-wide dispatcher, system-wide context swap and per-thread spinlocks (pp. 434-435)

physical over logical processor preference for scheduling (p. 435)

!smt command (p. 436) - here is the putput from x64 machine (from the output we can infer the following relationship logical processor -> core -> physical processor):

1: kd> !smt
SMT Summary:
------------
  KeActiveProcessors: **-------------------------------------------------------------- (0000000000000003)
  KiIdleSummary: -*-------------------------------------------------------------- (0000000000000002)
 No PRCB SMT Set APIC Id
  0 fffff80001991680 **-------------------------------------------------------------- (0000000000000003) 0x00000000
  1 fffffa60005ec180 **-------------------------------------------------------------- (0000000000000003) 0x00000001

Maximum cores per physical processor: 2
Maximum logical processors per core: 1

NUMA (pp. 436 - 438) - I can see NUMA even on my small desktop system

1: kd> !numa
NUMA Summary:
------------
  Number of NUMA nodes : 1
  Number of Processors : 2
  MmAvailablePages : 0x000C7CB9
  KeActiveProcessors : (3)

NODE 0 (FFFFF80001995640):
 ProcessorMask : (3)
 Color : 0x00000000
 MmShiftedColor : 0x00000000
 Seed : 0x00000001
 Right : 0x00000000
 Left : 0x00000001
 Zeroed Page Count: 0x0000000000000000
 Free Page Count : 0x0000000000000000

Thread affinity (pp. 438 - 440) - see also Affine Thread crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/06/27/crash-dump-analysis-patterns-part-68/

uniprocessor flag as a workaround for multithreading defects (p. 439)

Set(Query)ProcessAffinityUpdateMode and dynamic processor changes (p. 442)

choosing a processor (idle ideal -> idle current -> idle previous -> current -> ideal running less priority thread) (pp. 433 - 444)

no guarantee to run all highest priority threads vs. always runs the highest priority thread (p. 444)

Advanced .NET Debugging by M. Hewardt:

value vs. reference types (p. 42)

sosex!bpsc (p. 46)

per frame managed stack trace: !ClrStack -a (p. 46)

d* for simple local value types, !dumpobj for references, !dumpvc for value type fields (pp. 46 - 47)

sync blocks (pp. 49 - 52) - here is the output from my x64 test program:

0:000> !ClrStack -a
OS Thread Id: 0x6e8 (0)

000000000013ed10 000007ff001ac709 System.IO.TextReader+SyncTextReader.ReadLine()
  PARAMETERS:
  this = 0x0000000002a2b568

0:000> !dumpobj 0x0000000002a2b568
Name: System.IO.TextReader+SyncTextReader
MethodTable: 000007feee67bea8
EEClass: 000007feedb851e0
Size: 32(0x20) bytes
 (C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
Fields:
  MT Field Offset Type VT Attr Value Name
000007feede86048 400018a 8 System.Object 0 instance 0000000000000000 __identity
000007feedecd198 4001c87 b18 System.IO.TextReader 0 shared static Null
  >> Domain:Value 0000000000220840:0000000002a2b060 <<
000007feedecd198 4001c88 10 System.IO.TextReader 0 instance 0000000002a2af28 _in
ThinLock owner 1 (0000000000000000), Recursive 0

0:000> dq 0x0000000002a2b568-8
00000000`02a2b560 00000001`00000000 000007fe`ee67bea8
00000000`02a2b570 00000000`00000000 00000000`02a2af28
00000000`02a2b580 00000000`00000000 00000000`00000000
00000000`02a2b590 00000000`00000000 00000000`00000000
00000000`02a2b5a0 00000000`00000000 00000000`00000000
00000000`02a2b5b0 00000000`00000000 00000000`00000000
00000000`02a2b5c0 00000000`00000000 00000000`00000000
00000000`02a2b5d0 00000000`00000000 00000000`00000000

0:000> !syncblk 1
Index SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner
  1 0000000000259bf8 0 0 0000000000000000 none 0000000002a28030 System.EventHandler
-----------------------------
Total 1
CCW 0
RCW 0
ComClassFactory 0
Free 0

thin sync blocks (p. 52)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Impossibility to disable foreground after-wait priority boosts (p. 423)

CPU Stress tool (pp. 423 - 425, 428 - 430) - Good tool to model CPU spikes. See also Modeling CPU Spikes article I co-authored for Debugging Expert magazine: http://debuggingexpert.dumpanalysis.org/Debugged_June_2009.htm

CPU starvation prevention via balance set manager thread (p. 427)

MMCSS priority boosts (p. 432)

Network throttling to prevent DPC activity interrupting MMCSS boosting (p. 433)

Advanced .NET Debugging by M. Hewardt:

System | shared | def app := bookkeeping, precreation | mscorlib | app code (pp. 37 - 38) - here we check that mscorlib assembly belongs to the shared domain:

0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef00f8ef0
LowFrequencyHeap: 000007fef00f8f38
HighFrequencyHeap: 000007fef00f8fc8
StubHeap: 000007fef00f9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef00f9860
LowFrequencyHeap: 000007fef00f98a8
HighFrequencyHeap: 000007fef00f9938
StubHeap: 000007fef00f99c8
Stage: OPEN
Name: None
Assembly: 00000000003a2d10
————————————–
Domain 1: 0000000000390840
LowFrequencyHeap: 0000000000390888
HighFrequencyHeap: 0000000000390918
StubHeap: 00000000003909a8
Stage: OPEN
SecurityDescriptor: 00000000003930e0
Name: TestCLR.exe

[...]

Assembly: 00000000003a2d10[C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll]
ClassLoader: 00000000003a2dd0
SecurityDescriptor: 00000000003a2110
  Module Name
000007feeda51000 C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

0:003> !dumpassembly 00000000003a2d10
Parent Domain: 000007fef00f9860
Name: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
ClassLoader: 00000000003a2dd0
SecurityDescriptor: 000000000335db78
  Module Name
000007feeda51000 C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

Multimodule assemblies with separate PE file for a manifest (p. 40)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Kernel Process variables (p. 343)

0: kd> !process poi(PsIdleProcess)
PROCESS fffff800019910c0
    SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 606.
    Image: Idle
    VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
    DeviceMap 0000000000000000
    Token                             fffff88000003330
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (6, 50, 450) (24KB, 200KB, 1800KB)
    PeakWorkingSetSize                6
    VirtualSize                       0 Mb
    PeakVirtualSize                   0 Mb
    PageFaultCount                    1
    MemoryPriority                    BACKGROUND
    BasePriority                      0
    CommitCharge                      0

        THREAD fffff80001990b80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 fffff88000007310
        Owning Process            fffff800019910c0       Image:         Idle
        Attached Process          fffffa8003bf1040       Image:         System
        Wait Start TickCount      16021          Ticks: 13224 (0:00:03:26.295)
        Context Switch Count      142852           Â
        UserTime                  00:00:00.000
        KernelTime                00:06:13.700
        Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
        Stack Init fffff80002bdadb0 Current fffff80002bdad40
        Base fffff80002bdb000 Limit fffff80002bd5000 Call 0
        Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        fffff800`02bdad80 fffff800`01a43860 nt!KiIdleLoop+0x11b
        fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

        THREAD fffffa60005f5d40  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Not impersonating
        DeviceMap                 fffff88000007310
        Owning Process            fffff800019910c0       Image:         Idle
        Attached Process          fffffa8003bf1040       Image:         System
        Wait Start TickCount      0              Ticks: 29245 (0:00:07:36.224)
        Context Switch Count      162365           Â
        UserTime                  00:00:00.000
        KernelTime                00:06:14.808
        Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
        Stack Init fffffa600191bdb0 Current fffffa600191bd40
        Base fffffa600191c000 Limit fffffa6001916000 Call 0
        Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        fffffa60`0191bd80 fffff800`01a43860 nt!KiIdleLoop+0x11b
        fffffa60`0191bdb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

Relevant process functions (pp. 344 - 345) - More of them can be found here: http://msdn.microsoft.com/en-us/library/ms684847(VS.85).aspx

Protected processes (pp. 346 - 348) - It can be seen in _EPROCESS block (the output taken from a complete memory dump):

0: kd> dt _EPROCESS fffffa8004b5e040
ntdll!_EPROCESS
[...]
   +0x36c ProtectedProcess : 0y1
[...]

The following script lists protected processes on W2K8:

0: kd> !for_each_process "dt _EPROCESS ImageFileName @#Process; dt _EPROCESS ProtectedProcess @#Process"
ntdll!_EPROCESS
   +0x238 ImageFileName : [16]  "System"
ntdll!_EPROCESS
   +0x36c ProtectedProcess : 0y1
[...]
ntdll!_EPROCESS
   +0x238 ImageFileName : [16]  "audiodg.exe"
ntdll!_EPROCESS
   +0x36c ProtectedProcess : 0y1
[...]

System process is protected because of Ksecdd.sys stores info in user space (p. 347)

PROCESS_QUERY_LIMITED_INFORMATION (p. 347)

Access violation by design for Protected Media Path processes when a kernel-mode debugger is enabled (p. 348) - this is not an optimal design in my opinion - I had problems with that: http://www.dumpanalysis.org/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/. The better way is to show a message box and gracefully exit and only emit AV if message box is bypassed. 

Advanced .NET Debugging by M. Hewardt:

PE format and its relation to .NET (pp. 26 - 27)

AddressOfEntryPoint (pp. 28 - 29 and p. 31) - we can also use !dh command to find that address (similar to what dumpbin.exe does):

0:001> lm m notepad
start             end                 module name
00000000`ff180000 00000000`ff1af000   notepad    (deferred)        

0:001> !dh 00000000`ff180000
[...]
OPTIONAL HEADER VALUES
     20B magic #
    8.00 linker version
    E400 size of code
   1CC00 size of initialized data
       0 size of uninitialized data
    D1B4 address of entry point
    1000 base of code
         —– new —–
00000000ff180000 image base
    1000 section alignment
     200 file alignment
       2 subsystem (Windows GUI)
    6.00 operating system version
    6.00 image version
    6.00 subsystem version
   2F000 size of image
     400 size of headers
   32C26 checksum
[…]

0:001> u 00000000`ff180000+D1B4
notepad!WinMainCRTStartup:
00000000`ff18d1b4 4883ec28        sub     rsp,28h
00000000`ff18d1b8 e88b020000      call    notepad!_security_init_cookie (00000000`ff18d448)
00000000`ff18d1bd 4883c428        add     rsp,28h
00000000`ff18d1c1 e9b6fcffff      jmp     notepad!IsTextUTF8+0xc0 (00000000`ff18ce7c)
00000000`ff18d1c6 cc              int     3
00000000`ff18d1c7 cc              int     3
00000000`ff18d1c8 cc              int     3
00000000`ff18d1c9 cc              int     3

Application domains in ASP.NET; 3 default app domains (system, shared, default) in normal app (p. 34)

!dumpdomain SOS command (pp. 35 - 36)

Low(High)FrequencyHeap and StubHeap (p. 36) - Looks like they are not normal heaps or heap segments. I plan to test all commands on x64 .NET:

0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef15a8ef0
LowFrequencyHeap: 000007fef15a8f38
HighFrequencyHeap: 000007fef15a8fc8
StubHeap: 000007fef15a9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef15a9860
LowFrequencyHeap: 000007fef15a98a8
HighFrequencyHeap: 000007fef15a9938
StubHeap: 000007fef15a99c8
Stage: OPEN
Name: None
Assembly: 0000000000372d10
--------------------------------------
Domain 1: 0000000000360840
LowFrequencyHeap: 0000000000360888
HighFrequencyHeap: 0000000000360918
StubHeap: 00000000003609a8
Stage: OPEN
SecurityDescriptor: 00000000003630e0
Name: TestCLR.exe
[...]

- Dmitry Vostokov @ SoftwareGeneralist.com -Â

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

WMI CIM Studio (pp. 321 - 322)

dynamic and static MOF classes (p. 323) 

WbemTest, BMF (binary MOF), Mofcomp.exe (p. 323)

Object keys as WMI class instance specifiers (\\computer\root\namespace:class_name.Key1=”…”, Key2=”…”, … ) (pp. 324 - 325)

WMI association classes (p. 325) 

WQL exampe (p. 327)

wmiprvse.exe as a WMI provider host (p. 327)

wmic.exe (p. 328)

Namespace level WMI secutiry (p. 329)

WDI, Windows Diagnostic Infrastructure and its instrumentation, DiagLog, SEM Scenario Event Mapper, on-demand diagnosis (pp. 329 - 330) - looks interesting, especially in the context of possible first fault software problem solving techniques (OpenTask has published a book on this topic: http://www.dumpanalysis.com/First+Fault+Software+Problem+Solving)

Advanced Windows Debugging by M. Hewardt and D. Pravat:

LRPC_CCALL(ADDRESS) vs. OSF_CCALL(ADDRESS) vs. DG_CCALL(ADDRESS) (pp. 389 - 390)

Undocumented MSRPC (p. 391) - there is an empirical technique to find LRPC server endpoint: http://www.dumpanalysis.org/blog/index.php/2008/07/11/in-search-of-lost-pid/

!lpc message (p. 393) - some additional scenarios can be found in patterns: http://www.dumpanalysis.org/blog/index.php/2008/12/17/crash-dump-analysis-patterns-part-42e/, http://www.dumpanalysis.org/blog/index.php/2007/11/29/crash-dump-analysis-patterns-part-9d/ and various case studies involving LPC chains: http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/

_PS_IMPERSONATION_INFORMATION (p. 395) - Looks like on W2K8 x64 it is another bit union:

lkd> dt -r _ETHREAD
[…]
  +0×3b0 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT
      +0×000 ImpersonationData : Uint8B
      +0×000 ImpersonationToken : Ptr64 Void
      +0×000 ImpersonationLevel : Pos 0, 2 Bits
      +0×000 EffectiveOnly    : Pos 2, 1 Bit

RPC cell debugging configuration (pp. 397 - 398)

Advanced .NET Debugging by M. Hewardt:

Lutz Roeder’s .NET Reflector (pp. 15 - 16)

Roberto Farah’s PowerDbg (pp. 17 -18)

MDA Managed Debugging Assistants (pp. 19 - 21) - looks similar to WDI (Windows Diagnostic Infrastructure) on-demand diagnostics for unmanaged code mentioned in Windows Internals book

CLI(+BCL) -> CLR (p. 24)

Rotor (p. 25) - looks like it has the same value as WINE for unmanaged code: http://www.dumpanalysis.org/blog/index.php/2006/11/16/how-wine-can-help-in-crash-dump-analysis/ 

- Dmitry Vostokov @ SoftwareGeneralist.com -

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

FailureActionsOnNonCrashFailures (p. 310)

WaitToKillApp(Service)Timeout (p. 311)

Shutdown ordering and preshutdown notification (pp. 312 - 313)

Shared services vulnerability to a crashing bug (p. 313) - Because an exception in one thread doesn’t affect another thread if there is no dependency (see MTCrash application, http://www.dumpanalysis.org/blog/index.php/2008/12/31/mtcrash/) if we preserve the crashed process, for example, using Crash2Hang tool (http://www.dumpanalysis.org/blog/index.php/2008/12/29/crash2hang/) we might temporarily preserve functionality of the remaining services (if there is no dependency)

CNG-KeyIso service (p. 313)

Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID:

SubProcessTag (p. 316) - Here is an example from svchost.exe PID 1016 from the screenshot above:

lkd> !process 0n1016 1f
Searching for Process with Cid == 3f8
Cid Handle table at fffff88008156000 with 1063 Entries in use
PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 436.
    Image: svchost.exe
    VadRoot fffffa80048b9220 Vads 153 Clone 0 Private 1630. Modified 1512. Locked 6.
    DeviceMap fffff8800802ef40
    Token                             fffff880080aa060
    ElapsedTime                       5 Days 01:31:56.632
    UserTime                          00:00:05.257
    KernelTime                        00:00:04.555
    QuotaPoolUsage[PagedPool]         132496
    QuotaPoolUsage[NonPagedPool]      21488
    Working Set Sizes (now,min,max)  (3650, 50, 345) (14600KB, 200KB, 1380KB)
    PeakWorkingSetSize                3725
    VirtualSize                       78 Mb
    PeakVirtualSize                   84 Mb
    PageFaultCount                    38144
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      3976

[...]

        THREAD fffffa8004b55060  Cid 03f8.046c  Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
            fffffa8004b54a80  NotificationEvent
            fffffa8004b52a50  SynchronizationEvent
            fffffa8004b55e00  NotificationEvent
            fffffa8004b55118  NotificationTimer
        Not impersonating
        DeviceMap                 fffff8800802ef40
        Owning Process            fffffa8004adec10       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      28044441       Ticks: 4968 (0:00:01:17.501)
        Context Switch Count      3784           Â
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address dhcpcsvc6!Dhcpv6Main (0×000007fefd726884)
        Stack Init fffffa6003c47db0 Current fffffa6003c47230
        Base fffffa6003c48000 Limit fffffa6003c42000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffffa60`03c47270 fffff800`018a46fa nt!KiSwapContext+0×7f
        fffffa60`03c473b0 fffff800`018a9feb nt!KiSwapThread+0×13a
        fffffa60`03c47420 fffff800`01b03a8e nt!KeWaitForMultipleObjects+0×2eb
        fffffa60`03c474a0 fffff800`01b040d3 nt!ObpWaitForMultipleObjects+0×26e
        fffffa60`03c47960 fffff800`018a1ef3 nt!NtWaitForMultipleObjects+0xe2
        fffffa60`03c47bb0 00000000`776e72ca nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`03c47c20)
        00000000`0272f5e8 00000000`7758bc03 ntdll!ZwWaitForMultipleObjects+0xa
        00000000`0272f5f0 000007fe`fd726117 kernel32!WaitForMultipleObjectsEx+0×10b
        00000000`0272f700 000007fe`fd726944 dhcpcsvc6!ProcessDhcpv6RequestForever+0×143
        00000000`0272f7c0 00000000`7758be3d dhcpcsvc6!Dhcpv6Main+0xc0
        00000000`0272f800 00000000`776c6a51 kernel32!BaseThreadInitThunk+0xd
        00000000`0272f830 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

[...]

lkd> dt _TEB 000007fffff9e000 SubProcessTag
ntdll!_TEB
   +0x1720 SubProcessTag : 0x00000000`00000011

Advanced .NET Debugging by M. Hewardt:

Debugging Tools for Windows (pp. 3 -4) - Here are quick links for download: http://windbg.org

No major CLR changes for .NET 3.x (p. 5)

DbgClr (p. 6)

MSBUILD XML example (pp. 6 - 7)

.load vs. .loadby (pp. 8 - 11) - Some additional load scenarios for legacy SOS and its server version can be found in comments to Managed Code Exception pattern: http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/

SOSEX (pp. 10 - 11) - Added to my blog roll and links on http://DumpAnalysis.org

CLR Profiler (pp. 11 - 13) - Looks similar to functionality of unmanaged UMDH tool (user mode heap stack trace database)

- Dmitry Vostokov @ SoftwareGeneralist.com -