Windows Critical Problem Management Workshop Day 1

‘Windows Critical Problem Management Workshop’ is a two-day course. The objective is to learn how to effectively identify and troubleshoot critical problems with Windows. The learning material is the ‘Windows Internals’ book.


On day 1, the trainer mainly introduced the Windows architecture and some useful troubleshooting tools. Here are my notes.

The starting point is to understand the Windows architecture, and to keep it in mind when analyzing Windows problems.

User Mode: processes (applications and services).
Kernel Mode: the system itself (kernel, executive) and drivers.


Process, Thread, Handle, DLL relationship: a process owns one or more threads, a handle table that references kernel objects, and the DLLs mapped into its address space.


Virtual Memory: simplifies programming by letting every application see the same address range; the memory manager maps each virtual address to a physical address.

32-bit addressing limits: User Mode 2 GB (0x00000000 – 0x7FFFFFFF), Kernel Mode 2 GB (0x80000000 – 0xFFFFFFFF). Options: move 1 GB from kernel to user space with /3GB (tunable with /USERVA), or address up to 64 GB of physical memory with /PAE. These are boot.ini switches; on Vista and later the equivalents are bcdedit increaseuserva and pae. Note that /3GB only helps processes whose image is marked large-address-aware; others stay at 2 GB.

64-bit (x64) native memory layout: 8 TB for the kernel, 8 TB for each process (Windows 8.1 / Server 2012 R2 and later raised both to 128 TB).
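As an added example (not from the workshop notes or the Windows Internals book), the following PowerShell shows what the limits above look like on a live machine: the user-mode virtual address budget the OS reports, the bcdedit settings that replaced /3GB, /USERVA and /PAE, and a direct PE-header check for the large-address-aware flag that decides whether a 32-bit image can use more than 2 GB. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; bcdedit needs an elevated prompt.

```powershell
# Added example, not part of the workshop notes. Shows the user-mode virtual address
# budget this Windows instance grants a process, the boot settings that replaced the
# boot.ini /3GB, /USERVA and /PAE switches (bcdedit 'increaseuserva' and 'pae'), and
# whether a given image can actually use more than 2 GB (IMAGE_FILE_LARGE_ADDRESS_AWARE).
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; bcdedit needs elevation.

function Get-AddressSpaceSummary {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        OSArchitecture = $os.OSArchitecture
        # MaxProcessMemorySize is reported in KB: about 2 GB on plain 32-bit Windows,
        # about 3 GB with increaseuserva, 8 TB or 128 TB on x64 depending on version.
        UserVirtualGB  = [math]::Round($os.MaxProcessMemorySize / 1MB, 2)
        PhysicalRamGB  = [math]::Round($os.TotalVisibleMemorySize / 1MB, 2)
        Is64BitProcess = [Environment]::Is64BitProcess
    }
}

function Get-BootMemorySettings {
    # The modern equivalents of the boot.ini switches in the notes:
    #   /3GB and /USERVA  ->  bcdedit /set increaseuserva <MB>
    #   /PAE              ->  bcdedit /set pae ForceEnable
    # Only the lines for those two settings (plus the entry description) are shown.
    bcdedit /enum '{current}' | Select-String -Pattern '^(description|increaseuserva|pae)\s'
}

function Test-LargeAddressAware {
    param([Parameter(Mandatory)][string]$Path)
    # Parses the PE header directly. e_lfanew at offset 0x3C points to "PE\0\0";
    # the COFF header follows, and its 2-byte Characteristics field is 18 bytes in,
    # so at e_lfanew + 4 + 18. Bit 0x0020 is IMAGE_FILE_LARGE_ADDRESS_AWARE: without
    # it a 32-bit process is held to 2 GB even under increaseuserva or on x64.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not an MZ image: $Path"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset + 24 -gt $bytes.Length -or $bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) {
        throw "No PE signature: $Path"
    }
    $machine         = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $characteristics = [BitConverter]::ToUInt16($bytes, $peOffset + 4 + 18)
    [pscustomobject]@{
        Path              = $Path
        Is32BitImage      = ($machine -eq 0x014C)        # IMAGE_FILE_MACHINE_I386
        LargeAddressAware = (($characteristics -band 0x0020) -ne 0)
    }
}

Get-AddressSpaceSummary
Get-BootMemorySettings
Test-LargeAddressAware -Path "$env:SystemRoot\System32\notepad.exe"
```

The PE check is the one worth keeping around: a 32-bit service that exhausts its address space on a machine already booted with increaseuserva is usually simply not linked large-address-aware, and this tells you in seconds without a debugger.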

Windows Debugging Tools (WinDbg):

Symbol path: SRV*C:\symbols* (the SRV*<local cache>*<symbol server> form; symbols downloaded from the server are cached under C:\symbols).

Sysinternals suite:

PAL (Performance Analysis of Logs): analyzes Performance Monitor logs against threshold files for a given server role and produces an HTML report.

Problem classes and tools:


Kernel Memory Pools: Non-paged Pool and Paged Pool. On 32-bit Windows the pool maximums are small and fixed by the 2 GB kernel address space; on 64-bit they are sized dynamically from a much larger kernel address space. Either can still be exhausted by a leaking driver.


PTEs (Page Table Entries) map virtual addresses to physical addresses. The kernel reserves a pool of system PTEs for its own dynamic mappings, which is what backs:
– kernel stacks
– I/O space and the I/O buffers described by MDLs.
Running out of system PTEs (perfmon counter ‘Free System Page Table Entries’) is a problem class of its own on 32-bit.

Memory leaks: use perfmon (Pool Nonpaged Bytes, Pool Paged Bytes) to see that a pool is growing and poolmon (per-pool-tag allocation counts and bytes) to identify which tag, and therefore which driver, is leaking in kernel mode.
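As an added example (not from the workshop notes), the PowerShell below automates the perfmon half of that procedure and the step that follows poolmon: it samples the pool and system PTE counters over time, reports each counter's least-squares growth rate so a steady climb is distinguished from a one-off jump, and maps a suspect pool tag to candidate driver images with a raw string search (the same idea as the documented findstr /m /s /l <tag> *.sys check). It assumes Windows PowerShell 5.1 or PowerShell 7 with English counter names; the $SuspectTag parameter is a hypothetical placeholder for a tag you copied from poolmon.

```powershell
# Added example, not part of the workshop notes. Samples the perfmon counters that
# expose kernel pool and system PTE consumption, reports the least-squares growth
# rate of each, and maps a suspect pool tag (as shown by poolmon) to candidate
# driver images with a raw string search, the same idea as the documented
# "findstr /m /s /l <tag> *.sys" check. Assumes Windows PowerShell 5.1 or PowerShell 7
# with the English counter names; reading the drivers directory may need elevation.

param(
    [int]$Samples = 12,
    [int]$IntervalSeconds = 5,
    [string]$SuspectTag = ''          # hypothetical: a 4-character tag copied from poolmon
)

$counterPaths = @(
    '\Memory\Pool Nonpaged Bytes',
    '\Memory\Pool Paged Bytes',
    '\Memory\Free System Page Table Entries'
)

function Get-LeastSquaresSlope {
    param([double[]]$Values)
    # Slope of Values against sample index (units per sample). A steady positive
    # slope on a pool counter, or a steady negative slope on free PTEs, is the leak
    # signature; a single jump followed by a plateau is not.
    $n = $Values.Count
    if ($n -lt 2) { return 0.0 }
    $xMean = ($n - 1) / 2.0
    $yMean = ($Values | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $num += ($i - $xMean) * ($Values[$i] - $yMean)
        $den += ($i - $xMean) * ($i - $xMean)
    }
    return $num / $den
}

function Get-PoolTrend {
    param([string[]]$Paths, [int]$Samples, [int]$IntervalSeconds)
    $sets = Get-Counter -Counter $Paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $series = @{}
    foreach ($set in $sets) {
        foreach ($sample in $set.CounterSamples) {
            # Path carries the machine name (\\HOST\memory\...); key on the counter part only.
            $key = $sample.Path.Substring($sample.Path.IndexOf('\', 2))
            if (-not $series.ContainsKey($key)) {
                $series[$key] = New-Object 'System.Collections.Generic.List[double]'
            }
            $series[$key].Add([double]$sample.CookedValue)
        }
    }
    foreach ($key in $series.Keys) {
        $values = $series[$key].ToArray()
        $slope  = Get-LeastSquaresSlope -Values $values
        [pscustomobject]@{
            Counter   = $key
            First     = $values[0]
            Last      = $values[-1]
            PerMinute = [math]::Round($slope * (60.0 / $IntervalSeconds), 0)
        }
    }
}

function Find-DriverByPoolTag {
    param([Parameter(Mandatory)][string]$Tag)
    # Pool tags are stored as 4-byte literals in the driver image, so a plain-text
    # search of the .sys files finds the candidates. Confirm against pooltag.txt
    # from the Debugging Tools for Windows, since short tags can match unrelated bytes.
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys |
        Select-String -SimpleMatch -Pattern $Tag -List |
        Select-Object -ExpandProperty Path
}

Get-PoolTrend -Paths $counterPaths -Samples $Samples -IntervalSeconds $IntervalSeconds |
    Format-Table -AutoSize

if ($SuspectTag) { Find-DriverByPoolTag -Tag $SuspectTag }
```

Twelve samples at five seconds is only a smoke test; for a slow leak run it with a longer interval over hours, and read the free-PTE row with the sign reversed (a negative per-minute value is the consumption to worry about).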

Useful blogs:
Mark Russinovich’s blog
Ned Pyle’s blog

