Identifying Architectural Components

Identify memory types and mechanisms.

Nonpaged vs. Paged; Memory Descriptor Lists; Physical Memory vs. Logical Memory; Address translation; Heap memory.

Identify I/O mechanisms.

Plug and play; IRQL levels; I/O Request Packet IRP; I/O manager; device stacks; filter drivers; timers

Identify subsystems.

Object Manager; cache manager; process manager; memory manager; security reference monitor

Identify processor functions and architecture.

Interrupts; processor affinity; system service calls; 64-bit vs. 32-bit

Identify process and threads.

Process environment block (PEB), thread environment block (TEB); thread scheduling, states and priority

Designing Solutions

Optimize a system for its drivers.

Driver signing; identifying filter drivers; timers and deferred procedure calls (DPCs); system worker threads; Driver Verifier

Design applications.

Application Verifier; gflags; kernel mode vs. user mode threads; structured exception handling (SEH); memory mapped files; authentication mechanisms; synchronization primitives

Deploy compatible applications.

Application Verifier; Application Compatibility Toolkit (ACT); Global Flags Editor (GFlags

Identify optimal I/O models for applications.

Synchronous vs. asynchronous I/O; I/O completion ports; multithreaded applications

Monitoring Windows

Monitor I/O latency.

Perfmon; disk I/O; application performance; device I/O

Monitor I/O throughput.

Filter drivers; cache manager; xperf; kernrate

Monitor memory usage.

Nonpaged vs paged pool; user memory vs. kernel memory; debugging memory leaks; memory corruption; heap corruption

Monitor CPU utilization.

Thread time; kernel vs. user time; thread states; Perfmon; WinDbg; Xperf; Kernrate

Monitor handled and unhandled exceptions.

Adplus; Dr Watson; Windows Error Reporting; default post-mortem debuggers; exception handling

Analyzing User Mode

Analyze heap leaks.

UMDH (User-mode dump heap); user mode stack tracing; WinDbg; Application Verifier; Gflags; Perfmon


Analyze heap corruption.

Page heap; WinDbg; Application Verifier; Gflags

Handle leaks.

Procmon (Process Monitor); Perfmon; WinDbg; htrace; Process Explorer; Handle.exe

Resolve image load issues.

Tlist; loader snaps; dll dependencies; application manifests; 64-bit applications vs. 32-bit applications; tasklist

Analyze services and host processes.

sc.exe; services; service dependencies; service isolation; services startup types; service registry entries

Analyze cross-process application calls.

RPC; LPC; shared memory; named pipes; process startup; winsock

Analyze the modification of executables at runtime.

WinDbg; Image corruption; Detours; hot patches

Analyze GUI performance issues.

Spy++; message queues; Application Verifier; TraceTools; ATL Trace; Task Manager

Analyzing Kernel Mode

Find and identify objects in object manager namespaces and identify the objects’ attributes.

Winobj.exe; symbolic links; object namespace; security descriptors; global namespace; device objects; file objects; object manager; semaphores

Analyze Plug and Play (PnP) device failure.

Removal failures; global device list; WinDbg; device adds and removes; power handling

Analyze pool corruption.

Driver Verifier; WinDbg; pool tags; Poolmon; guard pages

Analyze pool leaks.

WinDbg; poolmon; Driver Verifier; crash dump analysis; paged and nonpaged pool; cache trimming

Isolate the root cause of S state failure.

System power states and transitions; power IRP handling

Analyze kernel mode CPU utilization.

Kernrate.exe; WinDbg; deadlocks; Performance monitoring; event tracing

Debugging Windows

Debug memory.

Heap; pool; virtual memory vs. physical memory; stack; analyzing crash dumps and user dumps

Identify a pending I/O.

WinDbg; deadlocks; I/O manager; IRP processing

Identify a blocking thread.

Thread state; locks; synchronization objects

Identify a runaway thread.

Thread priorities; processor affinity; Perfmon; kernrate

Debug kernel crash dumps.

WinDbg; DPCs; Assembler; forcing kernel crash dumps; trap processing; register usage; call stack composition (prolog/epilog); processes vs. threads

Debug user crash dumps.

Dump types; forcing user crash dumps; gflags; system resource utilization (CPU, disk, network; memory)

Set up the debugger.

WinDbg; physical connection (USB, rs-232, 1394); boot.ini; bcdedit; remoting; NMI; debugging system processes