‘Windows Critical Problem Management Workshop’ is a 2-day course. The objective is to learn how to effectively identify and troubleshoot critical problems with Windows. The learning material is the ‘Windows Internals’ book.
On day 1, the trainer mainly introduced the Windows architecture and some useful troubleshooting tools. Here are my notes.
The starting point is to understand the Windows architecture and keep it in mind when analyzing Windows problems.
User Mode: processes/applications and services.
Kernel Mode: system and drivers.
Process, Thread, Handle, DLL relationship
Virtual Memory: simplifies programming by letting every application see the same address range; each virtual memory address is mapped to a physical memory address.
32-bit addressing limits (User Mode: 2G, 0x0000 0000 – 0x7FFF FFFF; Kernel Mode: 2G, 0x8000 0000 – 0xFFFF FFFF) and options (move 1G from kernel to user: /3GB /USERVA; address up to 64G of physical memory: /PAE)
64-bit native memory layout: 8TB for kernel, 8TB for each process
Windows Debugging Tools (WinDBG): http://msdn.microsoft.com/en-us/windows/hardware/gg463009
Symbols: SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
Sysinternals suite: http://technet.microsoft.com/en-us/sysinternals/bb842062
PAL (Performance Analysis of Logs): http://pal.codeplex.com/
Problem classes and tools:
Kernel Memory Pools: Non-paged Pool / Paged Pool. 32-bit: fixed sizes; 64-bit: sized dynamically.
PTEs (Page Table Entries) provide:
– Mapping between virtual address and physical address
– Location of Kernel Stacks
– Location of I/O Stacks.
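To make the address-split and PTE-mapping notes above concrete, here is an added example (my own illustration, not from the course or the Windows Internals book) that classifies a 32-bit address as user or kernel under the default 2G/2G split or the /3GB option, and then walks a toy two-level x86 page directory / page table (non-PAE, 4 KB pages) to turn a virtual address into a physical one. The page directory and page table contents are constructed for the example, not read from a real machine.

```python
"""Toy x86 (32-bit, non-PAE, 4 KB pages) virtual-to-physical translation.

Constructed example: the page directory and page table below are made up
for illustration; they are not read from a real system.
"""

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
PDE_SHIFT = 22
INDEX_MASK = 0x3FF                 # 10 bits for both the PDE and the PTE index
PRESENT = 0x1                      # bit 0 of a PDE/PTE: entry is present in RAM
KERNEL_BASE_DEFAULT = 0x80000000   # default 2G/2G split
KERNEL_BASE_3GB = 0xC0000000       # /3GB: user mode gets the low 3 GB


def address_mode(va, three_gb=False):
    """Return 'user' or 'kernel' for a 32-bit virtual address."""
    if not 0 <= va <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address")
    base = KERNEL_BASE_3GB if three_gb else KERNEL_BASE_DEFAULT
    return "kernel" if va >= base else "user"


def split_va(va):
    """Split a virtual address into (PDE index, PTE index, byte offset)."""
    pde_index = (va >> PDE_SHIFT) & INDEX_MASK
    pte_index = (va >> PAGE_SHIFT) & INDEX_MASK
    offset = va & (PAGE_SIZE - 1)
    return pde_index, pte_index, offset


def translate(va, page_directory, page_tables):
    """Walk the two-level table and return the physical address.

    page_directory: {pde_index: PDE} where a PDE holds the physical frame
    number of a page table in bits 31..12 and flags in bits 11..0.
    page_tables: {page_table_frame: {pte_index: PTE}} with the same layout.
    Returns None when a non-present entry is hit, i.e. where the CPU would
    raise a page fault instead of completing the access.
    """
    pde_index, pte_index, offset = split_va(va)
    pde = page_directory.get(pde_index, 0)
    if not pde & PRESENT:
        return None
    table_frame = pde >> PAGE_SHIFT
    pte = page_tables.get(table_frame, {}).get(pte_index, 0)
    if not pte & PRESENT:
        return None
    return ((pte >> PAGE_SHIFT) << PAGE_SHIFT) | offset


# Constructed tables: map the page at VA 0x00401000 (PDE 1, PTE 1) to
# physical frame 0x12345 through a page table living in frame 0x0ABCD.
SAMPLE_PAGE_DIRECTORY = {1: (0x0ABCD << PAGE_SHIFT) | PRESENT}
SAMPLE_PAGE_TABLES = {0x0ABCD: {1: (0x12345 << PAGE_SHIFT) | PRESENT}}


if __name__ == "__main__":
    for va in (0x00401234, 0x80000000, 0xC0000000):
        pa = translate(va, SAMPLE_PAGE_DIRECTORY, SAMPLE_PAGE_TABLES)
        print(f"VA {va:#010x}: {address_mode(va)} (default split), "
              f"{address_mode(va, three_gb=True)} (/3GB), "
              f"PA {'fault' if pa is None else f'{pa:#010x}'}")
```

The same split (10 bits of PDE index, 10 bits of PTE index, 12 bits of offset) is what `!pte` in WinDbg reports for a 32-bit non-PAE system; PAE and 64-bit layouts add levels but follow the same idea.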
Memory leaks: use perfmon and poolmon to identify kernel-mode leaks.
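Poolmon shows a per-tag picture at one moment; a leak only becomes visible when the same tag keeps growing across samples. The following added example (mine, not from the course or from the poolmon tool) parses a series of simplified poolmon-style snapshots and flags the tags whose outstanding bytes rise in every interval. The three snapshots are constructed for the example and use a whitespace-separated layout (Tag Type Allocs Frees Diff Bytes PerAlloc); real poolmon output carries extra delta columns in parentheses that a parser would have to skip.

```python
"""Spot growing kernel pool tags across successive poolmon-style snapshots.

The snapshots below are constructed for this example and use a simplified
whitespace-separated layout (Tag Type Allocs Frees Diff Bytes PerAlloc).
"""
from collections import defaultdict

SNAPSHOTS = [
    """\
Tag  Type  Allocs  Frees   Diff  Bytes   PerAlloc
Ntfx Nonp  112345  112000  345   55200   160
Abcd Paged 5000    4000    1000  64000   64
Thre Nonp  2000    1990    10    12800   1280
""",
    """\
Tag  Type  Allocs  Frees   Diff  Bytes   PerAlloc
Ntfx Nonp  112900  112560  340   54400   160
Abcd Paged 9000    4100    4900  313600  64
Thre Nonp  2100    2090    10    12800   1280
""",
    """\
Tag  Type  Allocs  Frees   Diff  Bytes   PerAlloc
Ntfx Nonp  113500  113150  350   56000   160
Abcd Paged 14000   4200    9800  627200  64
Thre Nonp  2200    2190    10    12800   1280
""",
]


def parse_snapshot(text):
    """Return {(tag, pool_type): outstanding_bytes} for one snapshot."""
    usage = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "Tag":   # skip header / short lines
            continue
        tag, pool_type = fields[0], fields[1]
        usage[(tag, pool_type)] = int(fields[5])      # the Bytes column
    return usage


def find_growing_tags(snapshots, min_growth_bytes=100 * 1024):
    """Return {(tag, pool_type): growth} for tags whose outstanding bytes
    rise in every interval and by at least min_growth_bytes overall.
    Monotonic growth separates a leak from normal allocate/free churn,
    which goes up and down (Ntfx in the sample data)."""
    series = defaultdict(list)
    for snap in snapshots:
        for key, nbytes in parse_snapshot(snap).items():
            series[key].append(nbytes)
    suspects = {}
    for key, values in series.items():
        if len(values) < 2:
            continue
        monotonic = all(later > earlier
                        for earlier, later in zip(values, values[1:]))
        growth = values[-1] - values[0]
        if monotonic and growth >= min_growth_bytes:
            suspects[key] = growth
    return suspects


if __name__ == "__main__":
    for (tag, pool_type), growth in find_growing_tags(SNAPSHOTS).items():
        print(f"{tag} ({pool_type}) grew by {growth} bytes across "
              f"{len(SNAPSHOTS)} snapshots")
```

Once a tag stands out, the usual next step is to find which driver uses it (pooltag.txt from the Debugging Tools, or `findstr /m /l <tag> %SystemRoot%\System32\drivers\*.sys`) and to confirm the trend with the perfmon counters Pool Nonpaged Bytes / Pool Paged Bytes over a longer window.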
Useful blogs:
Mark Russinovich’s blog
Ned Pyle’s blog