Reading Notebook: 04-January-10

January 4th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Diagnostic Policy Service, DPS (pp. 330 - 331)

SMART (p. 332) - Don’t confuse with recursive acronym Smart Memory Analysis in Real Time (coined by me)

Windows system responsiveness performance diagnostics (p. 332)

Program Compatibility Assistant, PCA (p. 333)

_EPROCESS and _KPROCESS (pp. 337 - 339) - x64 equivalents from W2K8:

lkd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x0c0 ProcessLock      : _EX_PUSH_LOCK
   +0x0c8 CreateTime       : _LARGE_INTEGER
   +0x0d0 ExitTime         : _LARGE_INTEGER
   +0x0d8 RundownProtect   : _EX_RUNDOWN_REF
   +0x0e0 UniqueProcessId  : Ptr64 Void
   +0x0e8 ActiveProcessLinks : _LIST_ENTRY
   +0x0f8 QuotaUsage       : [3] Uint8B
   +0x110 QuotaPeak        : [3] Uint8B
   +0x128 CommitCharge     : Uint8B
   +0x130 PeakVirtualSize  : Uint8B
   +0x138 VirtualSize      : Uint8B
   +0x140 SessionProcessLinks : _LIST_ENTRY
   +0x150 DebugPort        : Ptr64 Void
   +0x158 ExceptionPortData : Ptr64 Void
   +0x158 ExceptionPortValue : Uint8B
   +0x158 ExceptionPortState : Pos 0, 3 Bits
   +0x160 ObjectTable      : Ptr64 _HANDLE_TABLE
   +0x168 Token            : _EX_FAST_REF
   +0x170 WorkingSetPage   : Uint8B
   +0x178 AddressCreationLock : _EX_PUSH_LOCK
   +0x180 RotateInProgress : Ptr64 _ETHREAD
   +0x188 ForkInProgress   : Ptr64 _ETHREAD
   +0x190 HardwareTrigger  : Uint8B
   +0x198 PhysicalVadRoot  : Ptr64 _MM_AVL_TABLE
   +0x1a0 CloneRoot        : Ptr64 Void
   +0x1a8 NumberOfPrivatePages : Uint8B
   +0x1b0 NumberOfLockedPages : Uint8B
   +0x1b8 Win32Process     : Ptr64 Void
   +0x1c0 Job              : Ptr64 _EJOB
   +0x1c8 SectionObject    : Ptr64 Void
   +0x1d0 SectionBaseAddress : Ptr64 Void
   +0x1d8 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
   +0x1e0 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY
   +0x1e8 Win32WindowStation : Ptr64 Void
   +0x1f0 InheritedFromUniqueProcessId : Ptr64 Void
   +0x1f8 LdtInformation   : Ptr64 Void
   +0x200 Spare            : Ptr64 Void
   +0x208 VdmObjects       : Ptr64 Void
   +0x210 DeviceMap        : Ptr64 Void
   +0x218 EtwDataSource    : Ptr64 Void
   +0x220 FreeTebHint      : Ptr64 Void
   +0x228 PageDirectoryPte : _HARDWARE_PTE
   +0x228 Filler           : Uint8B
   +0x230 Session          : Ptr64 Void
   +0x238 ImageFileName    : [16] UChar
   +0x248 JobLinks         : _LIST_ENTRY
   +0x258 LockedPagesList  : Ptr64 Void
   +0x260 ThreadListHead   : _LIST_ENTRY
   +0x270 SecurityPort     : Ptr64 Void
   +0x278 Wow64Process     : Ptr64 Void
   +0x280 ActiveThreads    : Uint4B
   +0x284 ImagePathHash    : Uint4B
   +0x288 DefaultHardErrorProcessing : Uint4B
   +0x28c LastThreadExitStatus : Int4B
   +0x290 Peb              : Ptr64 _PEB
   +0x298 PrefetchTrace    : _EX_FAST_REF
   +0x2a0 ReadOperationCount : _LARGE_INTEGER
   +0x2a8 WriteOperationCount : _LARGE_INTEGER
   +0x2b0 OtherOperationCount : _LARGE_INTEGER
   +0x2b8 ReadTransferCount : _LARGE_INTEGER
   +0x2c0 WriteTransferCount : _LARGE_INTEGER
   +0x2c8 OtherTransferCount : _LARGE_INTEGER
   +0x2d0 CommitChargeLimit : Uint8B
   +0x2d8 CommitChargePeak : Uint8B
   +0x2e0 AweInfo          : Ptr64 Void
   +0x2e8 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x2f0 Vm               : _MMSUPPORT
   +0x358 MmProcessLinks   : _LIST_ENTRY
   +0x368 ModifiedPageCount : Uint4B
   +0x36c Flags2           : Uint4B
   +0x36c JobNotReallyActive : Pos 0, 1 Bit
   +0x36c AccountingFolded : Pos 1, 1 Bit
   +0x36c NewProcessReported : Pos 2, 1 Bit
   +0x36c ExitProcessReported : Pos 3, 1 Bit
   +0x36c ReportCommitChanges : Pos 4, 1 Bit
   +0x36c LastReportMemory : Pos 5, 1 Bit
   +0x36c ReportPhysicalPageChanges : Pos 6, 1 Bit
   +0x36c HandleTableRundown : Pos 7, 1 Bit
   +0x36c NeedsHandleRundown : Pos 8, 1 Bit
   +0x36c RefTraceEnabled  : Pos 9, 1 Bit
   +0x36c NumaAware        : Pos 10, 1 Bit
   +0x36c ProtectedProcess : Pos 11, 1 Bit
   +0x36c DefaultPagePriority : Pos 12, 3 Bits
   +0x36c PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x36c ProcessVerifierTarget : Pos 16, 1 Bit
   +0x36c StackRandomizationDisabled : Pos 17, 1 Bit
   +0x36c AffinityPermanent : Pos 18, 1 Bit
   +0x36c AffinityUpdateEnable : Pos 19, 1 Bit
   +0x36c CrossSessionCreate : Pos 20, 1 Bit
   +0x370 Flags            : Uint4B
   +0x370 CreateReported   : Pos 0, 1 Bit
   +0x370 NoDebugInherit   : Pos 1, 1 Bit
   +0x370 ProcessExiting   : Pos 2, 1 Bit
   +0x370 ProcessDelete    : Pos 3, 1 Bit
   +0x370 Wow64SplitPages  : Pos 4, 1 Bit
   +0x370 VmDeleted        : Pos 5, 1 Bit
   +0x370 OutswapEnabled   : Pos 6, 1 Bit
   +0x370 Outswapped       : Pos 7, 1 Bit
   +0x370 ForkFailed       : Pos 8, 1 Bit
   +0x370 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x370 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x370 SetTimerResolution : Pos 12, 1 Bit
   +0x370 BreakOnTermination : Pos 13, 1 Bit
   +0x370 DeprioritizeViews : Pos 14, 1 Bit
   +0x370 WriteWatch       : Pos 15, 1 Bit
   +0x370 ProcessInSession : Pos 16, 1 Bit
   +0x370 OverrideAddressSpace : Pos 17, 1 Bit
   +0x370 HasAddressSpace  : Pos 18, 1 Bit
   +0x370 LaunchPrefetched : Pos 19, 1 Bit
   +0x370 InjectInpageErrors : Pos 20, 1 Bit
   +0x370 VmTopDown        : Pos 21, 1 Bit
   +0x370 ImageNotifyDone  : Pos 22, 1 Bit
   +0x370 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x370 VdmAllowed       : Pos 24, 1 Bit
   +0x370 SmapAllowed      : Pos 25, 1 Bit
   +0x370 ProcessInserted  : Pos 26, 1 Bit
   +0x370 DefaultIoPriority : Pos 27, 3 Bits
   +0x370 ProcessSelfDelete : Pos 30, 1 Bit
   +0x370 SpareProcessFlags : Pos 31, 1 Bit
   +0x374 ExitStatus       : Int4B
   +0x378 Spare7           : Uint2B
   +0x37a SubSystemMinorVersion : UChar
   +0x37b SubSystemMajorVersion : UChar
   +0x37a SubSystemVersion : Uint2B
   +0x37c PriorityClass    : UChar
   +0x380 VadRoot          : _MM_AVL_TABLE
   +0x3c0 Cookie           : Uint4B
   +0x3c8 AlpcContext      : _ALPC_PROCESS_CONTEXT

lkd> dt _KPROCESS
ntdll!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 ProfileListHead  : _LIST_ENTRY
   +0x028 DirectoryTableBase : Uint8B
   +0x030 Unused0          : Uint8B
   +0x038 IopmOffset       : Uint2B
   +0x040 ActiveProcessors : Uint8B
   +0x048 KernelTime       : Uint4B
   +0x04c UserTime         : Uint4B
   +0x050 ReadyListHead    : _LIST_ENTRY
   +0x060 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x068 InstrumentationCallback : Ptr64 Void
   +0x070 ThreadListHead   : _LIST_ENTRY
   +0x080 ProcessLock      : Uint8B
   +0x088 Affinity         : Uint8B
   +0x090 AutoAlignment    : Pos 0, 1 Bit
   +0x090 DisableBoost     : Pos 1, 1 Bit
   +0x090 DisableQuantum   : Pos 2, 1 Bit
   +0x090 ReservedFlags    : Pos 3, 29 Bits
   +0x090 ProcessFlags     : Int4B
   +0x094 BasePriority     : Char
   +0x095 QuantumReset     : Char
   +0x096 State            : UChar
   +0x097 ThreadSeed       : UChar
   +0x098 PowerState       : UChar
   +0x099 IdealNode        : UChar
   +0x09a Visited          : UChar
   +0x09b Flags            : _KEXECUTE_OPTIONS
   +0x09b ExecuteOptions   : UChar
   +0x0a0 StackCount       : Uint8B
   +0x0a8 ProcessListEntry : _LIST_ENTRY
   +0x0b8 CycleTime        : Uint8B

Working set list, MMWSL (p. 340) - I guessed the structure name right:

lkd> dt _MMWSL
nt!_MMWSL
   +0x000 FirstFree        : Uint4B
   +0x004 FirstDynamic     : Uint4B
   +0x008 LastEntry        : Uint4B
   +0x00c NextSlot         : Uint4B
   +0x010 Wsle             : Ptr64 _MMWSLE
   +0x018 LowestPagableAddress : Ptr64 Void
   +0x020 LastInitializedWsle : Uint4B
   +0x024 NextEstimationSlot : Uint4B
   +0x028 NextAgingSlot    : Uint4B
   +0x02c EstimatedAvailable : Uint4B
   +0x030 GrowthSinceLastEstimate : Uint4B
   +0x034 NumberOfCommittedPageTables : Uint4B
   +0x038 VadBitMapHint    : Uint4B
   +0x03c NonDirectCount   : Uint4B
   +0x040 LastVadBit       : Uint4B
   +0x044 MaximumLastVadBit : Uint4B
   +0x048 LastAllocationSizeHint : Uint4B
   +0x04c LastAllocationSize : Uint4B
   +0x050 NonDirectHash    : Ptr64 _MMWSLE_NONDIRECT_HASH
   +0x058 HashTableStart   : Ptr64 _MMWSLE_HASH
   +0x060 HighestPermittedHashAddress : Ptr64 _MMWSLE_HASH
   +0x068 HighestUserAddress : Ptr64 Void
   +0x070 MaximumUserPageTablePages : Uint4B
   +0x074 MaximumUserPageDirectoryPages : Uint4B
   +0x078 CommittedPageTables : Ptr64 Uint4B
   +0x080 NumberOfCommittedPageDirectories : Uint4B
   +0x088 CommittedPageDirectories : [128] Uint8B
   +0x488 NumberOfCommittedPageDirectoryParents : Uint4B
   +0x490 CommittedPageDirectoryParents : [1] Uint8B

PEB (pp. 341 - 342) - here’s the x64 PEB structure from W2K8:

lkd> dt _PEB
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsLegacyProcess  : Pos 2, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
   +0x003 SpareBits        : Pos 5, 3 Bits
   +0x008 Mutant           : Ptr64 Void
   +0x010 ImageBaseAddress : Ptr64 Void
   +0x018 Ldr              : Ptr64 _PEB_LDR_DATA
   +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
   +0x028 SubSystemData    : Ptr64 Void
   +0x030 ProcessHeap      : Ptr64 Void
   +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION
   +0x040 AtlThunkSListPtr : Ptr64 Void
   +0x048 IFEOKey          : Ptr64 Void
   +0x050 CrossProcessFlags : Uint4B
   +0x050 ProcessInJob     : Pos 0, 1 Bit
   +0x050 ProcessInitializing : Pos 1, 1 Bit
   +0x050 ProcessUsingVEH  : Pos 2, 1 Bit
   +0x050 ProcessUsingVCH  : Pos 3, 1 Bit
   +0x050 ReservedBits0    : Pos 4, 28 Bits
   +0x058 KernelCallbackTable : Ptr64 Void
   +0x058 UserSharedInfoPtr : Ptr64 Void
   +0x060 SystemReserved   : [1] Uint4B
   +0x064 SpareUlong       : Uint4B
   +0x068 SparePebPtr0     : Uint8B
   +0x070 TlsExpansionCounter : Uint4B
   +0x078 TlsBitmap        : Ptr64 Void
   +0x080 TlsBitmapBits    : [2] Uint4B
   +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
   +0x090 HotpatchInformation : Ptr64 Void
   +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
   +0x0a0 AnsiCodePageData : Ptr64 Void
   +0x0a8 OemCodePageData  : Ptr64 Void
   +0x0b0 UnicodeCaseTableData : Ptr64 Void
   +0x0b8 NumberOfProcessors : Uint4B
   +0x0bc NtGlobalFlag     : Uint4B
   +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
   +0x0c8 HeapSegmentReserve : Uint8B
   +0x0d0 HeapSegmentCommit : Uint8B
   +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
   +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
   +0x0e8 NumberOfHeaps    : Uint4B
   +0x0ec MaximumNumberOfHeaps : Uint4B
   +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void
   +0x0f8 GdiSharedHandleTable : Ptr64 Void
   +0x100 ProcessStarterHelper : Ptr64 Void
   +0x108 GdiDCAttributeList : Uint4B
   +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION
   +0x118 OSMajorVersion   : Uint4B
   +0x11c OSMinorVersion   : Uint4B
   +0x120 OSBuildNumber    : Uint2B
   +0x122 OSCSDVersion     : Uint2B
   +0x124 OSPlatformId     : Uint4B
   +0x128 ImageSubsystem   : Uint4B
   +0x12c ImageSubsystemMajorVersion : Uint4B
   +0x130 ImageSubsystemMinorVersion : Uint4B
   +0x138 ActiveProcessAffinityMask : Uint8B
   +0x140 GdiHandleBuffer  : [60] Uint4B
   +0x230 PostProcessInitRoutine : Ptr64     void
   +0x238 TlsExpansionBitmap : Ptr64 Void
   +0x240 TlsExpansionBitmapBits : [32] Uint4B
   +0x2c0 SessionId        : Uint4B
   +0x2c8 AppCompatFlags   : _ULARGE_INTEGER
   +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x2d8 pShimData        : Ptr64 Void
   +0x2e0 AppCompatInfo    : Ptr64 Void
   +0x2e8 CSDVersion       : _UNICODE_STRING
   +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x318 MinimumStackCommit : Uint8B
   +0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO
   +0x328 FlsListHead      : _LIST_ENTRY
   +0x338 FlsBitmap        : Ptr64 Void
   +0x340 FlsBitmapBits    : [4] Uint4B
   +0x350 FlsHighIndex     : Uint4B
   +0x358 WerRegistrationData : Ptr64 Void
   +0x360 WerShipAssertPtr : Ptr64 Void
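The dt dumps above are plain text, but a short script can turn them into a layout table instead of hand-copying offsets. As an added example (not code from the notebook or the book), this parser reads the "+0x... Name : Type" lines, lists members that share an offset (unions such as ExceptionPortData/ExceptionPortValue at 0x158) and decodes a raw Flags2 or PEB BitField value into its named bits. The two dt excerpts embedded in it are copied from the _EPROCESS and _PEB dumps above; the raw values decoded at the end are hypothetical.

```python
"""Parse WinDbg 'dt' output into a field layout, list unions and decode bitfields.

Added example, not from the notebook: it works on the text that 'dt _EPROCESS'
and 'dt _PEB' print, so structure offsets never have to be hard-coded by hand.
"""
import re

# Constructed sample: the ExceptionPort and Flags2 regions of 'dt _EPROCESS' and
# the BitField region of 'dt _PEB', copied from the W2K8 x64 dumps (rest omitted).
DT_EPROCESS = """\
ntdll!_EPROCESS
   +0x158 ExceptionPortData : Ptr64 Void
   +0x158 ExceptionPortValue : Uint8B
   +0x158 ExceptionPortState : Pos 0, 3 Bits
   +0x368 ModifiedPageCount : Uint4B
   +0x36c Flags2           : Uint4B
   +0x36c JobNotReallyActive : Pos 0, 1 Bit
   +0x36c AccountingFolded : Pos 1, 1 Bit
   +0x36c NumaAware        : Pos 10, 1 Bit
   +0x36c ProtectedProcess : Pos 11, 1 Bit
   +0x36c DefaultPagePriority : Pos 12, 3 Bits
   +0x36c PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x370 Flags            : Uint4B
"""
DT_PEB = """\
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsLegacyProcess  : Pos 2, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
   +0x003 SpareBits        : Pos 5, 3 Bits
   +0x008 Mutant           : Ptr64 Void
"""

FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
BITS_RE = re.compile(r"^Pos\s+(\d+),\s+(\d+)\s+Bits?$")

def parse_dt(text):
    """Return (struct_name, fields). Each field is a dict with offset, name, type
    and, for bitfields, pos/width; the first line 'module!_NAME' gives the name."""
    lines = text.strip().splitlines()
    struct = lines[0].strip().split("!", 1)[-1]
    fields = []
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if not m:
            continue
        f = {"offset": int(m.group(1), 16), "name": m.group(2), "type": m.group(3)}
        b = BITS_RE.match(f["type"])
        if b:
            f["pos"], f["width"] = int(b.group(1)), int(b.group(2))
        fields.append(f)
    return struct, fields

def field_offset(fields, name):
    for f in fields:
        if f["name"] == name:
            return f["offset"]
    raise KeyError(name)

def overlapping_fields(fields):
    """Non-bitfield members that share an offset: unions in the real structure."""
    by_off = {}
    for f in fields:
        if "pos" not in f:
            by_off.setdefault(f["offset"], []).append(f["name"])
    return {off: names for off, names in by_off.items() if len(names) > 1}

def decode_bitfields(fields, container, value):
    """Split the raw integer stored in 'container' into the named bitfields that
    live at the same offset, e.g. Flags2 -> {'ProtectedProcess': 1, ...}."""
    off = field_offset(fields, container)
    out = {}
    for f in fields:
        if f["offset"] == off and "pos" in f:
            out[f["name"]] = (value >> f["pos"]) & ((1 << f["width"]) - 1)
    return out

if __name__ == "__main__":
    _, ep = parse_dt(DT_EPROCESS)
    print(overlapping_fields(ep))
    print(decode_bitfields(ep, "Flags2", 0x0000d800))   # hypothetical raw value
    _, peb = parse_dt(DT_PEB)
    print(decode_bitfields(peb, "BitField", 0x0a))      # hypothetical raw value
```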

PEB and pointers to process heap (p. 340) - couldn’t find them after PEB on x86 and x64. Needs more clarification:

7: kd> !peb
PEB at 7ffdb000
[...]

7: kd> dt _PEB
ntdll!_PEB
[...]
   +0x22c FlsHighIndex     : Uint4B

7: kd> dd 7ffdb000 +0x22c +4
7ffdb230  00000000 00000000 00000000 00000000
7ffdb240  00000000 00000000 00000000 00000000
7ffdb250  00000000 00000000 00000000 00000000
7ffdb260  00000000 00000000 00000000 00000000
7ffdb270  00000000 00000000 00000000 00000000
7ffdb280  00000000 00000000 00000000 00000000
7ffdb290  00000000 00000000 00000000 00000000
7ffdb2a0  00000000 00000000 00000000 00000000

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 07-December-09

December 8th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

WMI CIM Studio (pp. 321 - 322)

dynamic and static MOF classes (p. 323) 

WbemTest, BMF (binary MOF), Mofcomp.exe (p. 323)

Object keys as WMI class instance specifiers (\\computer\root\namespace:class_name.Key1=”…”, Key2=”…”, … ) (pp. 324 - 325)

WMI association classes (p. 325) 

WQL example (p. 327)

wmiprvse.exe as a WMI provider host (p. 327)

wmic.exe (p. 328)

Namespace-level WMI security (p. 329)

WDI, Windows Diagnostic Infrastructure and its instrumentation, DiagLog, SEM Scenario Event Mapper, on-demand diagnosis (pp. 329 - 330) - looks interesting, especially in the context of possible first fault software problem solving techniques (OpenTask has published a book on this topic: http://www.dumpanalysis.com/First+Fault+Software+Problem+Solving)

Advanced Windows Debugging by M. Hewardt and D. Pravat:

LRPC_CCALL(ADDRESS) vs. OSF_CCALL(ADDRESS) vs. DG_CCALL(ADDRESS) (pp. 389 - 390)

Undocumented MSRPC (p. 391) - there is an empirical technique to find an LRPC server endpoint: http://www.dumpanalysis.org/blog/index.php/2008/07/11/in-search-of-lost-pid/

!lpc message (p. 393) - some additional scenarios can be found in patterns: http://www.dumpanalysis.org/blog/index.php/2008/12/17/crash-dump-analysis-patterns-part-42e/, http://www.dumpanalysis.org/blog/index.php/2007/11/29/crash-dump-analysis-patterns-part-9d/ and various case studies involving LPC chains: http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/

_PS_IMPERSONATION_INFORMATION (p. 395) - Looks like on W2K8 x64 it is another bit union:

lkd> dt -r _ETHREAD
[…]
  +0x3b0 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT
      +0x000 ImpersonationData : Uint8B
      +0x000 ImpersonationToken : Ptr64 Void
      +0x000 ImpersonationLevel : Pos 0, 2 Bits
      +0x000 EffectiveOnly    : Pos 2, 1 Bit

RPC cell debugging configuration (pp. 397 - 398)

Advanced .NET Debugging by M. Hewardt:

Lutz Roeder’s .NET Reflector (pp. 15 - 16)

Roberto Farah’s PowerDbg (pp. 17 - 18)

MDA Managed Debugging Assistants (pp. 19 - 21) - looks similar to WDI (Windows Diagnostic Infrastructure) on-demand diagnostics for unmanaged code mentioned in Windows Internals book

CLI(+BCL) -> CLR (p. 24)

Rotor (p. 25) - looks like it has the same value as WINE for unmanaged code: http://www.dumpanalysis.org/blog/index.php/2006/11/16/how-wine-can-help-in-crash-dump-analysis/ 

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 25-November-09

November 25th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

FailureActionsOnNonCrashFailures (p. 310)

WaitToKillApp(Service)Timeout (p. 311)

Shutdown ordering and preshutdown notification (pp. 312 - 313)

Shared services vulnerability to a crashing bug (p. 313) - Because an exception in one thread doesn’t affect another thread if there is no dependency between them (see the MTCrash application, http://www.dumpanalysis.org/blog/index.php/2008/12/31/mtcrash/), if we preserve the crashed process, for example using the Crash2Hang tool (http://www.dumpanalysis.org/blog/index.php/2008/12/29/crash2hang/), we might temporarily preserve the functionality of the remaining services (again, provided there is no dependency)

CNG-KeyIso service (p. 313)

Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID:

SubProcessTag (p. 316) - Here is an example from svchost.exe PID 1016 from the screenshot above:

lkd> !process 0n1016 1f
Searching for Process with Cid == 3f8
Cid Handle table at fffff88008156000 with 1063 Entries in use
PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 436.
    Image: svchost.exe
    VadRoot fffffa80048b9220 Vads 153 Clone 0 Private 1630. Modified 1512. Locked 6.
    DeviceMap fffff8800802ef40
    Token                             fffff880080aa060
    ElapsedTime                       5 Days 01:31:56.632
    UserTime                          00:00:05.257
    KernelTime                        00:00:04.555
    QuotaPoolUsage[PagedPool]         132496
    QuotaPoolUsage[NonPagedPool]      21488
    Working Set Sizes (now,min,max)  (3650, 50, 345) (14600KB, 200KB, 1380KB)
    PeakWorkingSetSize                3725
    VirtualSize                       78 Mb
    PeakVirtualSize                   84 Mb
    PageFaultCount                    38144
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      3976

[...]

        THREAD fffffa8004b55060  Cid 03f8.046c  Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
            fffffa8004b54a80  NotificationEvent
            fffffa8004b52a50  SynchronizationEvent
            fffffa8004b55e00  NotificationEvent
            fffffa8004b55118  NotificationTimer
        Not impersonating
        DeviceMap                 fffff8800802ef40
        Owning Process            fffffa8004adec10       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      28044441       Ticks: 4968 (0:00:01:17.501)
        Context Switch Count      3784
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address dhcpcsvc6!Dhcpv6Main (0x000007fefd726884)
        Stack Init fffffa6003c47db0 Current fffffa6003c47230
        Base fffffa6003c48000 Limit fffffa6003c42000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffffa60`03c47270 fffff800`018a46fa nt!KiSwapContext+0x7f
        fffffa60`03c473b0 fffff800`018a9feb nt!KiSwapThread+0x13a
        fffffa60`03c47420 fffff800`01b03a8e nt!KeWaitForMultipleObjects+0x2eb
        fffffa60`03c474a0 fffff800`01b040d3 nt!ObpWaitForMultipleObjects+0x26e
        fffffa60`03c47960 fffff800`018a1ef3 nt!NtWaitForMultipleObjects+0xe2
        fffffa60`03c47bb0 00000000`776e72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`03c47c20)
        00000000`0272f5e8 00000000`7758bc03 ntdll!ZwWaitForMultipleObjects+0xa
        00000000`0272f5f0 000007fe`fd726117 kernel32!WaitForMultipleObjectsEx+0x10b
        00000000`0272f700 000007fe`fd726944 dhcpcsvc6!ProcessDhcpv6RequestForever+0x143
        00000000`0272f7c0 00000000`7758be3d dhcpcsvc6!Dhcpv6Main+0xc0
        00000000`0272f800 00000000`776c6a51 kernel32!BaseThreadInitThunk+0xd
        00000000`0272f830 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

[...]

lkd> dt _TEB 000007fffff9e000 SubProcessTag
ntdll!_TEB
   +0x1720 SubProcessTag : 0x00000000`00000011

Advanced .NET Debugging by M. Hewardt:

Debugging Tools for Windows (pp. 3 - 4) - Here is a quick link for download: http://windbg.org

No major CLR changes for .NET 3.x (p. 5)

DbgClr (p. 6)

MSBUILD XML example (pp. 6 - 7)

.load vs. .loadby (pp. 8 - 11) - Some additional load scenarios for legacy SOS and its server version can be found in comments to Managed Code Exception pattern: http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/

SOSEX (pp. 10 - 11) - Added to my blog roll and links on http://DumpAnalysis.org

CLR Profiler (pp. 11 - 13) - Looks similar to functionality of unmanaged UMDH tool (user mode heap stack trace database)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 20-November-09

November 21st, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SCM executable: services.exe (p. 300) - !process 0 0 shows the start order of processes:

lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8003bf1040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 568.
    Image: System

PROCESS fffffa8004710040
    SessionId: none  Cid: 019c    Peb: 7fffffdb000  ParentCid: 0004
    DirBase: bc8ef000  ObjectTable: fffff880000eb7e0  HandleCount:  33.
    Image: smss.exe

PROCESS fffffa80047cfa40
    SessionId: 0  Cid: 01e0    Peb: 7fffffd6000  ParentCid: 01d4
    DirBase: b4353000  ObjectTable: fffff88007de31b0  HandleCount: 468.
    Image: csrss.exe

PROCESS fffffa80047e7040
    SessionId: 0  Cid: 0214    Peb: 7fffffdf000  ParentCid: 019c
    DirBase: b31ba000  ObjectTable: fffff88007e66cb0  HandleCount: 789.
    Image: psxss.exe

PROCESS fffffa80047f5870
    SessionId: 0  Cid: 0238    Peb: 7fffffdf000  ParentCid: 01d4
    DirBase: b2919000  ObjectTable: fffff88007df7ed0  HandleCount: 101.
    Image: wininit.exe

PROCESS fffffa800481b5e0
    SessionId: 0  Cid: 0280    Peb: 7fffffdf000  ParentCid: 0238
    DirBase: b1b3d000  ObjectTable: fffff88007eac280  HandleCount: 271.
    Image: services.exe

PROCESS fffffa8004820360
    SessionId: 0  Cid: 028c    Peb: 7fffffdd000  ParentCid: 0238
    DirBase: b15eb000  ObjectTable: fffff88007ecbae0  HandleCount: 728.
    Image: lsass.exe

PROCESS fffffa80048252d0
    SessionId: 0  Cid: 0294    Peb: 7fffffde000  ParentCid: 0238
    DirBase: b14f1000  ObjectTable: fffff88007ecf4d0  HandleCount: 178.
    Image: lsm.exe

PROCESS fffffa800429f2b0
    SessionId: 0  Cid: 0338    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: af2a2000  ObjectTable: fffff880082807d0  HandleCount: 306.
    Image: svchost.exe

PROCESS fffffa8004a82270
    SessionId: 0  Cid: 0374    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: aef26000  ObjectTable: fffff88008036e60  HandleCount: 311.
    Image: svchost.exe

PROCESS fffffa8004a97c10
    SessionId: 0  Cid: 0398    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: aebb0000  ObjectTable: fffff88008009950  HandleCount: 379.
    Image: svchost.exe

PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 395.
    Image: svchost.exe

PROCESS fffffa8004ae8950
    SessionId: 0  Cid: 00f8    Peb: 7fffffd9000  ParentCid: 0280
    DirBase: ada7a000  ObjectTable: fffff880080d4690  HandleCount: 172.
    Image: svchost.exe

PROCESS fffffa8004af2750
    SessionId: 0  Cid: 012c    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ad83f000  ObjectTable: fffff880080d7b10  HandleCount: 897.
    Image: svchost.exe

PROCESS fffffa8004af7040
    SessionId: 0  Cid: 0140    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: ad5c6000  ObjectTable: fffff880080e3580  HandleCount:  99.
    Image: SLsvc.exe

PROCESS fffffa8004b0f500
    SessionId: 0  Cid: 0278    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: ac4ce000  ObjectTable: fffff8800812d330  HandleCount: 301.
    Image: svchost.exe

PROCESS fffffa8004b20770
    SessionId: 0  Cid: 0194    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: abfd3000  ObjectTable: fffff8800814fd30  HandleCount: 354.
    Image: svchost.exe

PROCESS fffffa8004b315c0
    SessionId: 0  Cid: 0410    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: abc98000  ObjectTable: fffff88008083420  HandleCount:  76.
    Image: svchost.exe

PROCESS fffffa8004b4a040
    SessionId: 0  Cid: 0448    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ab164000  ObjectTable: fffff880081a42e0  HandleCount: 479.
    Image: svchost.exe

PROCESS fffffa8004b9c740
    SessionId: 0  Cid: 050c    Peb: 7fffffdf000  ParentCid: 03f8
    DirBase: a9c86000  ObjectTable: fffff880081e8750  HandleCount: 141.
    Image: audiodg.exe

PROCESS fffffa8004ba0880
    SessionId: 0  Cid: 0524    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: a96a9000  ObjectTable: fffff88008217c10  HandleCount: 269.
    Image: svchost.exe

PROCESS fffffa8004c15c10
    SessionId: 0  Cid: 0588    Peb: 7fffffda000  ParentCid: 0280
    DirBase: a8906000  ObjectTable: fffff8800825a810  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004b1c7a0
    SessionId: 0  Cid: 0604    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a7598000  ObjectTable: fffff8800827de90  HandleCount: 373.
    Image: spoolsv.exe

PROCESS fffffa8004ca4040
    SessionId: 0  Cid: 067c    Peb: 7efdf000  ParentCid: 0280
    DirBase: a6a24000  ObjectTable: fffff8800833af00  HandleCount:  71.
    Image: mdm.exe

PROCESS fffffa8004cbd040
    SessionId: 0  Cid: 06e8    Peb: 7fffffdf000  ParentCid: 012c
    DirBase: a6363000  ObjectTable: fffff880083735f0  HandleCount: 310.
    Image: taskeng.exe

PROCESS fffffa8004cda8f0
    SessionId: 0  Cid: 0720    Peb: 7fffffd3000  ParentCid: 0280
    DirBase: a5dfb000  ObjectTable: fffff8800801ae20  HandleCount:  57.
    Image: svchost.exe

PROCESS fffffa8004cfbc10
    SessionId: 0  Cid: 0768    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a5400000  ObjectTable: fffff880083c46d0  HandleCount:  54.
    Image: svchost.exe

PROCESS fffffa8004cfb7e0
    SessionId: 0  Cid: 0774    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a5185000  ObjectTable: fffff880017f9bf0  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004cfdc10
    SessionId: 0  Cid: 0780    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: a51ca000  ObjectTable: fffff880083b0270  HandleCount:  75.
    Image: svchost.exe

PROCESS fffffa8004d18c10
    SessionId: 0  Cid: 07b4    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a4acf000  ObjectTable: fffff880083de5c0  HandleCount: 147.
    Image: svchost.exe

PROCESS fffffa8004d2e4a0
    SessionId: 0  Cid: 07d4    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a4554000  ObjectTable: fffff88008404b40  HandleCount:  43.
    Image: svchost.exe

PROCESS fffffa8005273830
    SessionId: 0  Cid: 0740    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: 8ac6a000  ObjectTable: fffff88008ff53f0  HandleCount: 228.
    Image: svchost.exe

PROCESS fffffa80052e4b10
    SessionId: 0  Cid: 0a50    Peb: 7fffffda000  ParentCid: 0280
    DirBase: 87170000  ObjectTable: fffff8800912ced0  HandleCount: 234.
    Image: svchost.exe

PROCESS fffffa80054c7770
    SessionId: 0  Cid: 09a4    Peb: 7fffffd8000  ParentCid: 0280
    DirBase: 129ab5000  ObjectTable: fffff8800973aa40  HandleCount: 163.
    Image: msdtc.exe

PROCESS fffffa8005206860
    SessionId: 2  Cid: 0b10    Peb: 7fffffd9000  ParentCid: 0310
    DirBase: 72584000  ObjectTable: fffff88007ea0ac0  HandleCount: 518.
    Image: csrss.exe

PROCESS fffffa8004dfa880
    SessionId: 2  Cid: 062c    Peb: 7fffffd3000  ParentCid: 0310
    DirBase: 70609000  ObjectTable: fffff8800971e5c0  HandleCount: 115.
    Image: winlogon.exe

PROCESS fffffa8003c1bc10
    SessionId: 2  Cid: 08d4    Peb: 7fffffde000  ParentCid: 012c
    DirBase: 6c096000  ObjectTable: fffff880082729b0  HandleCount: 311.
    Image: taskeng.exe

PROCESS fffffa80055b32c0
    SessionId: 2  Cid: 0990    Peb: 7fffffdb000  ParentCid: 0194
    DirBase: 6e1db000  ObjectTable: fffff880092f70d0  HandleCount:  76.
    Image: dwm.exe

PROCESS fffffa800521ac10
    SessionId: 2  Cid: 0458    Peb: 7fffffd6000  ParentCid: 0840
    DirBase: 6f1d2000  ObjectTable: fffff8800a00f580  HandleCount: 644.
    Image: explorer.exe
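The Cid/ParentCid pairs in this listing are enough to rebuild the process tree and to spot a process created by something other than its usual parent, which is a quick sanity check on a memory dump. As an added example (not code from the notebook or the book), this script parses the PROCESS blocks printed above; the sample embedded in it is constructed from entries of the listing above (DirBase lines dropped) plus one hypothetical svchost.exe whose ParentCid points at explorer.exe, and the expected-parent table is an assumption for Vista/W2K8.

```python
"""Rebuild the process tree from WinDbg '!process 0 0' output and check parentage.
Added example, not from the notebook: Cid/ParentCid give the tree, and a process
whose creator is not the usual one (an svchost.exe not started by services.exe)
is reported for a closer look."""
import re
from collections import defaultdict

# Constructed sample: entries from the '!process 0 0' listing above (DirBase lines
# dropped) plus one hypothetical svchost.exe, Cid 0b40, created by explorer.exe.
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8003bf1040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    Image: System

PROCESS fffffa80047f5870
    SessionId: 0  Cid: 0238    Peb: 7fffffdf000  ParentCid: 01d4
    Image: wininit.exe

PROCESS fffffa800481b5e0
    SessionId: 0  Cid: 0280    Peb: 7fffffdf000  ParentCid: 0238
    Image: services.exe

PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    Image: svchost.exe

PROCESS fffffa8004b9c740
    SessionId: 0  Cid: 050c    Peb: 7fffffdf000  ParentCid: 03f8
    Image: audiodg.exe

PROCESS fffffa800521ac10
    SessionId: 2  Cid: 0458    Peb: 7fffffd6000  ParentCid: 0840
    Image: explorer.exe

PROCESS fffffa8000000000
    SessionId: 2  Cid: 0b40    Peb: 7fffffd5000  ParentCid: 0458
    Image: svchost.exe
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F]+)\s*$")
CID_RE = re.compile(r"Cid:\s*([0-9a-fA-F]+)\s+Peb:\s*\S+\s+ParentCid:\s*([0-9a-fA-F]+)")
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)\s*$")

# Assumed creator of each image on Vista / Windows Server 2008 (lower-case names).
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "audiodg.exe": "svchost.exe",
}

def parse_process_dump(text):
    """Return dicts (eprocess, pid, ppid, image) in dump order, which for
    '!process 0 0' is the order the processes were created in (see the note above)."""
    procs, cur = [], None
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            cur = {"eprocess": int(m.group(1), 16)}
            procs.append(cur)
        elif cur is not None and (m := CID_RE.search(line)):
            cur["pid"], cur["ppid"] = int(m.group(1), 16), int(m.group(2), 16)
        elif cur is not None and (m := IMAGE_RE.match(line)):
            cur["image"] = m.group(1)
    return [p for p in procs if "pid" in p and "image" in p]  # skip truncated blocks

def build_tree(procs):
    """pid -> child pids; a process whose parent has already exited hangs off None."""
    known = {p["pid"] for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"] if p["ppid"] in known else None].append(p["pid"])
    return children

def render_tree(procs):
    """Indented lines, one per process, in the style of a process explorer view."""
    by_pid = {p["pid"]: p for p in procs}
    children, lines = build_tree(procs), []
    def walk(pid, depth):
        for c in children.get(pid, []):
            lines.append("  " * depth + f"{by_pid[c]['image']} (pid {c}, Cid {c:04x})")
            walk(c, depth + 1)
    walk(None, 0)
    return lines

def unexpected_parents(procs):
    """(pid, image, actual parent image) where the live parent is not the expected
    creator; an absent parent (e.g. a session smss.exe that exited) is skipped."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        want, parent = EXPECTED_PARENT.get(p["image"].lower()), by_pid.get(p["ppid"])
        if want and parent and parent["image"].lower() != want:
            findings.append((p["pid"], p["image"], parent["image"]))
    return findings

if __name__ == "__main__":
    procs = parse_process_dump(SAMPLE)
    print("\n".join(render_tree(procs)))
    for pid, image, parent in unexpected_parents(procs):
        print(f"check: {image} pid {pid} was created by {parent}")
```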

SvcctrlStartEvent_A3752DX and LSA_RPC_SERVER_ACTIVE (pp. 300 - 301) - this is how to check them:

lkd> !object \BaseNamedObjects
Object: fffff88007df3ab0  Type: (fffffa8003bacb00) Directory
    ObjectHeader: fffff88007df3a80 (old version)
    HandleCount: 32  PointerCount: 143
    Directory Object: fffff88000005d50  Name: BaseNamedObjects

    Hash Address          Type          Name
    ---- -------          ----          ----
[...]
       fffffa800482fa30 Event         SvcctrlStartEvent_A3752DX
[...]
       fffffa80048b33e0 Event         LSA_RPC_SERVER_ACTIVE
[...]
       fffffa8004858ed0 Event         SC_AutoStartComplete
[...]

lkd> dt -r _KEVENT fffffa80048b33e0
ntdll!_KEVENT
   +0x000 Header           : _DISPATCHER_HEADER
      +0x000 Type             : 0 ''
      +0x001 Abandoned        : 0 ''
      +0x001 Absolute         : 0 ''
      +0x001 NpxIrql          : 0 ''
      +0x001 Signalling       : 0 ''
      +0x002 Size             : 0x6 ''
      +0x002 Hand             : 0x6 ''
      +0x003 Inserted         : 0 ''
      +0x003 DebugActive      : 0 ''
      +0x003 DpcActive        : 0 ''
      +0x000 Lock             : 393216
      +0x004 SignalState      : 1
      +0x008 WaitListHead     : _LIST_ENTRY [ 0xfffffa80`048b33e8 - 0xfffffa80`048b33e8 ]

WM_DEVICECHANGE (p. 303)

Service startup (pp. 303 - 307) - I use this command to see what functions SvcCtrlMain potentially calls (we can then inspect the called function for its potential calls too):

lkd> .process /r /p fffffa800481b5e0
Implicit process is now fffffa80`0481b5e0

lkd> uf /c SvcCtrlMain
services!SvcctrlMain (00000000`ffe68d18)
  services!SvcctrlMain+0x2f (00000000`ffe68d47):
    call to kernel32!SetUnhandledExceptionFilter (00000000`77592c40)
  services!SvcctrlMain+0x3a (00000000`ffe68d52):
    call to kernel32!SetErrorMode (00000000`7758c740)
  services!SvcctrlMain+0x48 (00000000`ffe68d60):
    call to ntdll!RtlSetProcessIsCritical (00000000`77745f10)
  services!SvcctrlMain+0x58 (00000000`ffe68d70):
    call to kernel32!HeapSetInformation (00000000`7758f020)
  services!SvcctrlMain+0x7a (00000000`ffe68d92):
    call to services!ScStartTracingSession (00000000`ffe70920)
  services!SvcctrlMain+0x7f (00000000`ffe68d97):
    call to services!ScWriteLogHeader (00000000`ffe71178)
  services!SvcctrlMain+0x94 (00000000`ffe68dac):
    call to ntdll!NtOpenProcessToken (00000000`776e7c70)
  services!SvcctrlMain+0xb0 (00000000`ffe68dc8):
    call to services!ScRemoveProcessPrivileges (00000000`ffe6ff54)
  services!SvcctrlMain+0xf2 (00000000`ffe68e0a):
    call to ADVAPI32!RegOpenKeyExW (000007fe`fdd5ace8)
  services!SvcctrlMain+0x12c (00000000`ffe68e44):
    call to ADVAPI32!RegQueryValueExW (000007fe`fdd5a688)
  services!SvcctrlMain+0x152 (00000000`ffe68e57):
    call to ADVAPI32!RegCloseKey (000007fe`fdd5a7f0)
  services!SvcctrlMain+0x158 (00000000`ffe68e5d):
    call to services!ScInitTcpKeepAlive (00000000`ffe7000c)
  services!SvcctrlMain+0x164 (00000000`ffe68e69):
    call to kernel32!GetModuleHandleW (00000000`7759d860)
  services!SvcctrlMain+0x197 (00000000`ffe68e82):
    call to kernel32!GetProcAddress (00000000`7759d8a0)
  services!SvcctrlMain+0x1ea (00000000`ffe68eaa):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x201 (00000000`ffe68ec1):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x243 (00000000`ffe68ee4):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x282 (00000000`ffe68f04):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x299 (00000000`ffe68f1b):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x2db (00000000`ffe68f3e):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x308 (00000000`ffe68f4c):
    call to services!ScCreateWellKnownSids (00000000`ffe70130)
  services!SvcctrlMain+0x339 (00000000`ffe68f5e):
    call to services!ScCreateAutoStartEvent (00000000`ffe6fe48)
  services!SvcctrlMain+0x384 (00000000`ffe68f8a):
    call to services!ScRegOpenKeyExW (00000000`ffe626b0)
  services!SvcctrlMain+0x397 (00000000`ffe68fa1):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x426 (00000000`ffe68fbf):
    call to services!ScGetStartEvent (00000000`ffe6fc94)
  services!SvcctrlMain+0x452 (00000000`ffe68fcc):
    call to services!ScCreateScManagerObject (00000000`ffe70f40)
  services!SvcctrlMain+0x485 (00000000`ffe68fe0):
    call to ntdll!RtlGetNtProductType (00000000`776cee90)
  services!SvcctrlMain+0x4b3 (00000000`ffe68fef):
    call to services!ScCheckLastKnownGood (00000000`ffe6f8a4)
  services!SvcctrlMain+0x4df (00000000`ffe68ffc):
    call to services!ScGetComputerName (00000000`ffe6fbd8)
  services!SvcctrlMain+0x564 (00000000`ffe69062):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x571 (00000000`ffe6906f):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x57e (00000000`ffe6907c):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x584 (00000000`ffe69082):
    call to services!ScGenerateServiceDB (00000000`ffe70ca8)
  services!SvcctrlMain+0x5b7 (00000000`ffe69096):
    call to services!ScGetAccountDomainInfo (00000000`ffe6f36c)
  services!SvcctrlMain+0x617 (00000000`ffe690aa):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x61d (00000000`ffe690b0):
    call to services!ScInitTransactNamedPipe (00000000`ffe6e43c)
  services!SvcctrlMain+0x62c (00000000`ffe690bf):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x670 (00000000`ffe690e4):
    call to ADVAPI32!RegOpenKeyW (000007fe`fdd52550)
  services!SvcctrlMain+0x82b (00000000`ffe690f2):
    call to services!ScInitBSM (00000000`ffe6e58c)
  services!SvcctrlMain+0x83a (00000000`ffe69101):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x857 (00000000`ffe6911e):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x85d (00000000`ffe69124):
    call to kernel32!GetCurrentProcessId (00000000`7758cf10)
  services!SvcctrlMain+0x865 (00000000`ffe6912c):
    call to USER32!RegisterServicesProcess (00000000`774a1010)
  services!SvcctrlMain+0x89f (00000000`ffe69148):
    call to services!ScLockDatabase (00000000`ffe66244)
  services!SvcctrlMain+0x8da (00000000`ffe69155):
    call to services!ScEnableRpcInterface (00000000`ffe6e8c4)
  services!SvcctrlMain+0x923 (00000000`ffe6917f):
    call to services!WPP_SF_ (00000000`ffe62608)
  services!SvcctrlMain+0x931 (00000000`ffe6918d):
    call to kernel32!SetConsoleCtrlHandler (00000000`7758e660)
  services!SvcctrlMain+0x974 (00000000`ffe691a2):
    call to kernel32!SetProcessShutdownParameters (00000000`775e4e90)
  services!SvcctrlMain+0x9cd (00000000`ffe691cd):
    call to services!WPP_SF_ (00000000`ffe62608)
  services!SvcctrlMain+0x9d9 (00000000`ffe691d9):
    call to services!ScesrvInitializeServer (00000000`ffe6ebe0)
  services!SvcctrlMain+0xa14 (00000000`ffe691e6):
    call to services!SvcStartRPCProxys (00000000`ffe6f510)
  services!SvcctrlMain+0xa19 (00000000`ffe691eb):
    call to services!InitNCEvents (00000000`ffe6f0d0)
  services!SvcctrlMain+0xa22 (00000000`ffe691f4):
    call to services!ScUpdateServiceSidCache (00000000`ffe6ecac)
  services!SvcctrlMain+0xa27 (00000000`ffe691f9):
    call to services!ScCheckAutostartEventsEnabled (00000000`ffe6eafc)
  services!SvcctrlMain+0xa34 (00000000`ffe69206):
    call to kernel32!SetEvent (00000000`77586840)
  services!SvcctrlMain+0xa70 (00000000`ffe69214):
    call to services!ScAutoStartServices (00000000`ffe6c820)
[…]

HKLM\S\CCS\C\W\NoInteractiveServices (p. 305)

HKLM\S\CCS\C\ServicesPipeTimeout (p. 306)

Delayed auto-start services (p. 307)

BootVerificationProgram (p. 309)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Mod N Reading System

November 17th, 2009

ModerN Reading System

Gradually I perfected my cooperative multireading technique by combining modular arithmetic with software data structures and algorithms like sets, circular buffers, priority queues and round-robin scheduling. It sounds complicated but in reality the technique is very simple and well suited to everyone who wants to learn everything at once and doesn’t like the traditional book-after-book method. All books we want to read are organized in sets (here I give my own arrangements as an example):

  • Commuting sets
  • Home reading set
  • Background office reading sets
  • Lunch reading set

Every set is organized as a circular buffer (mod N). Some buffers are optimized to avoid heavy load while commuting. For example, my commuting set is split into two buffers: one is at home and another is in the office. When I leave for the office I take 2 books from the top of the example queue I currently have at home:

When I arrive at the office I put them at the bottom of the corresponding office book set. When I leave for home I take 2 books from the top of the office queue and when I arrive home I put them at the bottom of the queue depicted above. Thus I manage to read 4 different books every day during commuting. Sometimes I don’t have a place to sit on the train or just stand waiting for its arrival. For such cases I have a separate queue of 16 Routledge books (The Basics series). They are small and I read only one of them every day. In total this amounts to 5 different books a day and I read 4 - 12 pages from each. For each commuting direction I have 3 books (2 + 1).

Next I have a semi-fixed set of books for lunch reading, usually 5 or 6 of them. I read 6 - 12 pages from each. These books are organized as a priority queue where books with more pages have higher priority. If 2 or 3 books are on the same topic they are put into a circular buffer to read one per day. In addition, I put a few magazines I’m subscribed to in a cyclic buffer too.

In addition to this, I read only one book at a time at home from cover to cover (usually in Russian). At home I mostly write books (instead of reading).

In the office I have different sets for background reading (instead of cigarette breaks I had before I quit smoking). This set of sets is organized as a priority queue with every subset having a circular structure as well if it has more than one book. One long term set with higher priority is The CRC Encyclopedia of Mathematics. Other books I read in the office include software engineering titles and for them I publish notes on this blog.

It can be boring sometimes to read the same 1,000 page books for long periods of time so I also introduce an element of randomness by injecting some recently purchased book or a book from the pool of old unread books.

The system is very scalable even if you have only a few hours to read per day. Most importantly, it also gives a certain satisfying feeling of having started reading all the books you accumulated, and provides cross-book idea fertilization and better knowledge acquisition by repetition.

Now I apply the same reading system to my renewed study of foreign languages. Currently it is German where I have 10 basic language level books arranged in a circular buffer.

Another thing to keep in mind is that you need to have a goal: why you read all these books.

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 16-November-09

November 16th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

ChangeServiceConfig2 (p. 292) - http://msdn.microsoft.com/en-us/library/ms681988(VS.85).aspx

sc qprivs <service name> (p. 293) - example for Terminal Service:

C:\Users\Administrator>sc qprivs TermService
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: TermService
        PRIVILEGES       : SeAssignPrimaryTokenPrivilege
                         : SeAuditPrivilege
                         : SeChangeNotifyPrivilege
                         : SeCreateGlobalPrivilege
                         : SeImpersonatePrivilege
                         : SeIncreaseQuotaPrivilege

Union of privileges for svchost.exe (p. 294)

Service SID (restricted and unrestricted) (p. 295)

process - window station - desktop - windows (p. 297) - an entity relationship diagram on slide 14 (Intro: Windows) in my past Selected Citrix Tools presentation: http://www.dumpanalysis.org/CitrixTools/Selected%20Citrix%20Troubleshooting%20Tools.htm

Hung non-interactive services waiting for user input (p. 298) - this partially inspired Message Box crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/02/19/crash-dump-analysis-patterns-part-51/

SERVICE_INTERACTIVE_PROCESS Type modifier only for local system accounts (p. 298)

Shatter attacks by window messages (p. 299)

Interactive Services Detection (UI0Detect) service (p. 299)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 09-November-09

November 9th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SApp - SCP - SCM (p. 282)

HKLM\S\CCS\Ss\<>\ErrorControl = 3, SERVICE_ERROR_CRITICAL (p. 284) - can be used to force BSOD if service startup fails for postmortem memory dump analysis of the failure

HKLM\S\CCS\Ss\<>\PreshutdownTimeout (p. 286)

HKLM\S\CCS\Ss\<>\RequiredPrivileges (p. 286)
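Added here as an example (my own code, not the book's or the blog's): a PowerShell pass over the SCM registry database that reports, for each Win32 service, the ErrorControl value from p. 284 and the RequiredPrivileges list from p. 286 (the same data `sc qprivs` prints). The privilege watch list is an assumption of mine, not something the book specifies.

```powershell
# Added example; not code from the book or this blog. Walks the SCM database under
# HKLM\SYSTEM\CurrentControlSet\Services and reports, per Win32 service, the two
# values noted above: ErrorControl (3 = SERVICE_ERROR_CRITICAL, the setting that
# ends a failed start in a bugcheck) and RequiredPrivileges (the list sc qprivs
# shows; when the value is absent the service keeps its account's full set).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Privileges that deserve a second look when a service asks for them (my own list).
$watch = @('SeDebugPrivilege', 'SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege',
           'SeImpersonatePrivilege', 'SeLoadDriverPrivilege', 'SeBackupPrivilege',
           'SeRestorePrivilege', 'SeTakeOwnershipPrivilege')

$errorControlNames = @{ 0 = 'IGNORE'; 1 = 'NORMAL'; 2 = 'SEVERE'; 3 = 'CRITICAL' }

$report = Get-ChildItem -Path $base | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 0x10 = own process, 0x20 = shared process; drivers (0x1, 0x2) are skipped.
    if (-not $svc -or -not ($svc.Type -band 0x30)) { return }

    $privs   = @($svc.RequiredPrivileges)        # REG_MULTI_SZ; empty when not set
    $flagged = @($privs | Where-Object { $watch -contains $_ })
    $ec      = if ($null -ne $svc.ErrorControl) { $errorControlNames[[int]$svc.ErrorControl] }
    if (-not $ec) { $ec = 'n/a' }

    [pscustomobject]@{
        Service       = $_.PSChildName
        Account       = $svc.ObjectName          # LocalSystem, NT AUTHORITY\..., or a user
        ErrorControl  = $ec
        DeclaresPrivs = ($privs.Count -gt 0)     # $false: token keeps every privilege
        Flagged       = ($flagged -join ',')
    }
}

# Show the services that either bugcheck the box on a failed start or request a watched privilege.
$report | Where-Object { $_.ErrorControl -eq 'CRITICAL' -or $_.Flagged } |
    Sort-Object Service | Format-Table -AutoSize
```

Drop the final `Where-Object` to see every service; reading the registry this way needs no elevation, unlike `sc qprivs` against some services.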

Service threads (p. 287) - some typical thread stack traces can be seen in this case study that also show that service main thread calls control handler functions: http://www.dumpanalysis.org/blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/

Service accounts (p. 288) - attached WinDbg will not download symbols from MS symbol server unless Run as Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 29-October-09

October 29th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

!reg hivelist -> viewlist -> db (pp. 274 - 275)

Registry cell index mapping as directory:table:offset (p. 275)

Registry key handle -> kcb (pp. 276 - 278)

Hive sync every 5 seconds, *.log{1|2} (pp. 278 - 279)

Registry filtering altitudes (p. 280)

Internal registry optimizations (pp. 280 - 281) - good implementation case study if you need to devise your own database. I perhaps borrow some ideas for the next version of PDBFinder.

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 28-October-09

October 28th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

TxR -> CLFS + \System32\Config\Txr (pp. 260 - 261)

Precedence of a non-transactional writer (p. 261)

Read-commit vs. predictable-read (p. 261)

Process Monitor internals (p. 262) - rather short section but inspired yet another DebugWare pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/28/debugware-patterns-part-11-2/

Process Monitor troubleshooting techniques (pp. 264 - 265) - PM log is a kind of a software trace so the following growing list of patterns may be useful to keep in mind: http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/

Surviving logoff (persistent processes) (pp. 265 - 266)

Service profiles are stored in \ServiceProfiles\{Local|Network}Service\Ntuser.dat (p. 267)

HKLM\S\CCS\C\hivelist shows hive to file name mapping (p. 267)

x64 paged pool for registry - x86 mapped views (p. 268)

System and Software hives support values of >1 MB (p. 269)

Bin - block - cell - cell index (pp. 270 - 272)

Disk Probe, dskprobe.exe (pp. 271 - 272)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 22-October-09

October 22nd, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

REG_NONE and REG_QWORD (p. 251) - the former should have a purpose as a name switch

REG_LINK (pp. 251 - 252)

HKU\.DEFAULT as a local system profile (p. 253)

\Users location can be changed in HKLM\So\M\WNT\CV\ProfileList\ProfilesDirectory (p. 254)

BCDEdit is for HKLM\BCD, how to enable /DEBUG (pp. 255 - 257) - I also had to add more permissions to Administrators for the Elements key to be able to add modifications. Before editing:

C:\Users\Administrator>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {current}

After editing:

C:\Users\Administrator>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Server 2008
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {cc03280e-0762-11de-b63a-af7e963a0201}
nx                      OptOut
debug                   Yes
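Added here as an example (my own code, not the book's or the blog's): a small PowerShell parser for the listing `bcdedit` prints, used to pick out boot entries with the `debug` element set, as in the after-editing output above; the sample input is a constructed, abbreviated copy of that listing.

```powershell
# Added example; not code from the book or this blog. Parses the text bcdedit prints
# and flags boot entries whose debug (or testsigning) element is on, since a
# debug-enabled entry is worth noticing on a machine nobody intends to debug.
# Run on a live machine, from an elevated prompt, as
#   ConvertFrom-BcdEdit (bcdedit /enum | Out-String)
function ConvertFrom-BcdEdit {
    param([Parameter(Mandatory)][string]$Text)
    $entries = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*$' -or $line -match '^-+$') { continue }
        # Element lines look like "name<two or more spaces>value".
        if ($line -match '^(\S+)\s{2,}(.+)$') {
            $name  = $Matches[1]
            $value = $Matches[2].Trim()
            if ($name -eq 'identifier') {        # first element of every entry
                $current = [ordered]@{ identifier = $value }
                $entries += ,$current
            } elseif ($null -ne $current) {
                $current[$name] = $value
            }
        } else {
            $current = $null                     # section heading or prompt line
        }
    }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

# Constructed sample: an abbreviated copy of the after-editing listing above.
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Server 2008
debug                   Yes
'@

ConvertFrom-BcdEdit -Text $sample |
    Where-Object { $_.debug -eq 'Yes' -or $_.testsigning -eq 'Yes' } |
    Select-Object identifier, description, debug, testsigning
```

On the sample this reports only the `{current}` loader entry; the `{bootmgr}` entry has no `debug` element and is filtered out.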

Pdh.dll (p. 260) - Typical stack trace in TS environments:

[...]
winsta!WinStationQueryInformationW+0x2a
perfts!CollectTSObjectData+0x12f
advapi32!QueryExtensibleData+0x617
advapi32!PerfRegQueryValue+0x536
advapi32!LocalBaseRegQueryValue+0x306
advapi32!RegQueryValueExW+0x96
pdh!GetSystemPerfData+0x83
pdh!GetQueryPerfData+0x7f
pdh!PdhiCollectQueryData+0x40
pdh!PdhCollectQueryData+0x42
[...]

- Dmitry Vostokov @ SoftwareGeneralist.com -