permissions mapped files, 314–315 minidumps, 554 device memory, 323 mapped page writer, 188. See also verbose analysis, 567–568 drivers, 6 viewing dump files, 558–559 dynamic IRQ resources, 510 mapped page writer parent objects (KMDF), 71, 74 KMDF support, 68 memory manager, 314–315, 412 parent virtual hard disks, 162 workarounds, 521 modified lists, 188, 314 parity bytes, 152 PCI Express buses, 509 modified page writer, 188, 196. See parity errors, 297, 317 pciexpress element, 509 parity information, 425 Pciide.sys driver, 133 also modified page writer parked cores Pciidex.sys driver, 133 noncached I/O, 412 check phases, 116, 117–118 PCMCIA buses, 6, 68 page faults and fault handling, 314 defined, 109 PCRs (platform configuration pages, 196, 314–315 frequency settings, 120 paging files, 314–315 increase/decrease actions, 113–114 registers), 168–169, 170, 174 PFN database, 314–315 overriding, 113, 115 PDAs (personal digital assistants), 78 PTEs (page table entries), 315 parking policies, 115 PDEs (page directory entries), 254, recovery process, 359 PPM parking and unparking, 119 working sets, 315 viewing, 121–122 255, 261 write-behind operations, 385, 386 parse functions, 409 PDOs (physical device objects), 89–90, paging boosts, 61 partial MDLs, 296 paging bumps, 62 partition device objects, 136 163 paging files partition entries (LDM), 142–143 PDPT (page directory pointer table), commit charge, 278–279 partition manager, 131, 138, 141 commit limit, 199 partitions 260, 262, 263 complete memory dumps, basic disks, 138 PDRIVE_LAYOUT_INFORMATION_EX bootable, 502 553–554, 555 boot processes, 500, 501 structure, 138 containing crash dumps, 559 defined, 125 peak commit charge, 278, 279 Control Panel applet, 188 extended, 139 peak paging file usage, 277 copy-on-write avoidance, 180 file object pointers, 19 peak working set size, 331 crashes, 549 GUID Partition Table style, 139–140 PEBs (process environment blocks), creating, 274, 523 LDM database, 141–145 defragmentation, 
274, 437 LDM partitioning, 145–146 246, 351 file system driver operations, 412 MBR style, 139 PE headers, 248–249 headers, 315 multipartition volumes, 147–152 pending file rename operations, 525 I/O not in Process Monitor, 415 nested, 140 Pendmoves utility, 525 kernel memory dumps, 556–557 NTFS dynamic, 437–439 per-file cache data structures, 368–373 lists of, 273–274 partition manager, 131, 138, 141 perfmem element, 509 memory manager, 189 physical sectors, 128 performance. See also Performance memory quotas, 245–246 primary, 139 modified page writer, 314–315 recovery, 535 Monitor not on VHDs, 163 registry information, 153 page files, 278 offsets, 268, 269 software provider interface, 160 pageheap, 226 page faults, 267, 268, 273–274, partition tables, 125, 139, 501–502 physical memory limits, 320 Partmgr.sys (partition manager), 131, standby lists, 338 278–279 performance check intervals paging bumps, 62 138, 141 routines, 189 passive filter drivers, 413–414 (processors), 114, 115 section objects, 287 passive IRQL (0), 39 performance checks, 116–120, shadow copies, 179 PASSIVE_LEVEL IRQL, 39 shared pages, 270 passwords, 170, 172–173, 175, 425 121–122 shutdown process, 545 patches, installing, 538 performance counters size, 189, 278–279 Patchguard DPC, 240 troubleshooting without, 581 path names, 154, 408, 431 cache faults, 335 viewing, 274 paths clock sources, 510 viewing usage, 278–279 pool sizes, 213, 214 Windows use of, 275 hard links, 429–430 performance data logging buffers, 509 paging I/O IRPs, 30, 411, 412 multipath drivers, 134–136 Performance Monitor, 150–151, 277, paging lists, 300–302, 343 operating systems, 510 paging memory to disk, 187 symbolic links, 20 331, 387–388 paging system (memory manager), PC/AT keyboard buffer, 505 performance states, 113–114, 114–116, PCI buses 27–28 ACPI BIOS information, 511 120 parallel I/Os, 76, 132 debugging devices, 504 PERFSTATE_POLICY_CHANGE_IDEAL parallel ports, 137, 511 parameters state, 113 
parameters, continued
  heap checking, 225
PERFSTATE_POLICY_CHANGE_ROCKET state, 114
PERFSTATE_POLICY_CHANGE_STEP state, 114
per-handle caching information, 19
periods (.), 449
permissions
  access-denied errors, 416
  file, 435
per-processor look-aside lists permissions, continued complete memory dumps, replacing CMOS, 511 no execute page protection, 204 553–554 resource arbitration, 81 NTFS security, 425 shutting down, 545 traversal, 436 displaying information, 190–192, Start values, 84–85 510 volume manager, 141 per-processor look-aside lists, 390 PnP drivers, 6, 14, 69 per-process private code and data, dumping information about, 362 PnP manager. See Plug and Play global memory manager, 361–362 228 limits, 320–323 manager per-user quotas, 246, 433–434 lists, 189 Poavltst.exe utility, 106 PFAST_IO_DISPATCH pointers, 26–27 locking pages, 199 !pocaps command, 103 PF files, 325 maximums, 187 PoClearPowerRequest API, 106 !pfn command, 310, 319 notification events, 335–337 PoCreatePowerRequest API, 106 PFN database system variables, 318 PoDeletePowerRequestI API, 106 truncating, 506 PoEndDeviceBusy API, 105 memory manager, 189 physical memory access method, 373 pointer encoding, 209 modified page writer, 314–315 physical memory limits, 320–323 pointers overview, 297–319 physical NVRAM stores, 350 page list dynamics, 300–310 physical page allocations, 305–306, device objects, 19 page priority, 310–313 section object, 19 PFN data structures, 315–319 574 VPBs, 19 Superfetch rebalancer, 339 physical page numbers (PFNs), 253, pointer values, 573 viewing, 300 polling behavior, 415 viewing entries, 319 255, 261, 315–319 pool PFN data structures physical pages, 318, 504 allocation, 219, 592 collided page faults and, 272 physical storage devices, 125 compared to look-aside lists, 219 creating, 243 PIDs (product IDs), 90 corruption, 203, 569–572, 590–592 PFN database, 315–319 PIN_HIGH_PRIORITY flag, 366 crash stop codes, 550 viewing, 263 pinning, 366, 373, 374–375 execution protection, 205 x64 address translation, 265 PIN numbers, 166 expanding, 243 PFN image verified flag, 317 PipCallDriverAddDevice function, 531 freelists, 285 PFN_LIST_CORRUPT stop code, 550 pipes, 4 leaks, 218–219 PFN of PTE 
numbers, 317 PKI (public key infrastructure), 496 look-aside pointers, 516 PFNs (page frame numbers), 253, 255, placement policies, 328–329 monitoring usage, 215–219 plaintext attacks, 173 nonpaged pools, 212–213 261, 315–319 platform configuration registers NUMA nodes, 285 Pf routines, 344 paged pool, 213 phase 0 initialization, 516–518 (PCRs), 168–169, 170, 174 pool manager, 550 phase 1 initialization, 518–522 Platform Validation Profile (TPM), Poolmon tags, 216 Phase1Initialization routine, 518 pool tags, 569 physical addresses 168–170 quotas, 294 Plug and Play (PnP) session space, 213 BCD elements, 504 sizes, 213–214 DMA interface, 375 add-device routines, 12 special, 213 physical memory support, 321 commands, 29 system memory (kernel-mode reading/writing data to buffers, container notifications, 65 drivers, 6, 14, 69 heaps), 212–220 373 exposing interfaces, 15 tracking, 217, 294 size, 261 I/O system and, 1 types, 216 sorting pages, 309 Plug and Play manager. See Plug verification, 519 Physical Address Extension. 
See PAE verifying allocations, 592 and Play manager !pool command, 569, 592 (Physical Address Extension) UMDF reflectors, 79 pool freelists, 285 physical byte offsets, 443 WDM drivers, 6–7 pool manager, 550 physical client CLFS logs, 418 Plug and Play BIOS, 520 Poolmon utility, 215–219 physical container identifiers, 420 Plug and Play drivers, 6, 14, 69 pool nonpaged bytes, 191 physical descriptions, 481 Plug and Play manager pool paged bytes, 191 physical device objects (PDOs), 89–90, defined, 2 pool quotas, 294 device enumeration, 85–89 pool tags, 569 163 device stack driver loading, 90–94 Pooltag.txt file, 569–570 physical disk objects, 136 device stacks, 89–90 pool tracking, 217, 294 physical LSNs, 422–423 device trees, 86 !poolused command, 217 physical memory driver installation, 84–98 !popolicy command, 104, 115 driver loading, 84–94, 531–532 pop operations, 241 Address Windowing Extensions, initialization, 84–94, 518 210 –212 levels of support, 82 overview, 81 cache flushing operations, 379 PnP drivers, 6 cache manager, 355, 356 processing routines, 82–84 cache physical size, 363–364 client memory limits, 321–323 630
processes PoRegisterDeviceForIdleDetection power domains, 109, 120 prereading blocks of data, 378, 383 function, 105 powering on, 499 pretransaction data, 470 power-managed queues, 75 Previous Versions data, 182–184 PoRequestPowerIrp function, 101 power-on self test (POST), 537 primary buses, 86 portable music players, 78 power policies, 100, 103–104, 114–116 primary partitions, 138, 139 port drivers power request objects, 106–108 primitives in memory manager, PowerSetRequest API, 106 bandwidth reservation, 64 power states, 102–104, 108–109, 120, 20 0 –202 defined, 7 printer drivers, 6 function drivers, 89 549 printer mappings, 526 operating system specific, 132 PPM (processor power management) Print Spooler, 106 prioritization strategy, 60 priorities storage management, 132–136 algorithm overrides, 113 storage stacks, 131 core parking policies, 109–110 I/O. See I/O prioritization porting drivers, 1 increase/decrease actions, 113–114 memory, 311 port notifications, 57–58 performance checks, 116–120 page, 310–313, 342–344 PoSetDeviceBusyEx function, 105 thresholds and policy settings, PFN entries, 316 PoSetDeviceBusy function, 105 priority boosts, 301 PoSetPowerRequest function, 106 114–116 zero page thread, 301 PoSetSystemPower function, 545 utility function, 110–113 prioritized standby lists, 339 POSIX subsystems, 4–5, 436, 449–450 viewing check information, Priority 1–7 pages, 343 POST (power-on self test), 537 private address space, 228, 247 PoStartDeviceBusy API, 105 121–122 private byte offsets, 23 PostQueuedCompletionStatus !ppmcheck command, 121–122 PrivateCacheMap field, 410 PpmCheckPhase... 
processes, 116, private cache maps function, 55, 57 cache data structures, 364 post tick queue, 390 117–118 file object attributes, 19 potential page file usage, 279 PpmCheckPhaseInitiate phase, 116, file object pointers, 368 power and power manager file objects, 410 117 read requests, 378 ACPI power states, 98–100 PpmCheckRecordAllUtility process, 118 viewing, 371–373 commands, 29 PpmCheckRun process, 116, 117 private data (physical memory), 260 crashes, 549 PpmCheckStart callbacks, 116, 117 Private Header (LDM), 142 defined, 2 !ppm command, 111 private heaps, 221 driver and application control, 105 PpmPerfApplyDomainState function, private keys, 97, 436, 491–493, 496 driver power management, private memory, 194, 275, 276, 277, 120 101–102 PpmPerfApplyProcessorState routine, 303 functionality, 100–101 private pages. See committed pages initializing, 519, 521 120 private page tables, 387 I/O system, 2 PpmPerfChooseCoresToUnpark proactive memory management. See KMDF queues, 75 MPIO, 134 function, 119 Superfetch service (proactive overview, 98–100 !ppmperfpolicy extension, 116 memory management) PnP dispatch routines, 82 PpmPerfRecordUtility function, 118 ProbeForRead function, 33 PnP drivers, 6 PpmPerfSelectDomainState function, ProbeForWrite function, 33 policies, 100, 103–104, 114–116 problems. See troubleshooting power availability requests, 120 Procdump utility, 352 PpmPerfSelectDomainStates function, process buffers, 373, 377 105–108 !process command power domains, 109, 120 120 DirBase field, 262 powering on, 499 PpmPerfSelectProcessorState function, listing processes, 575 power-managed queues, 75 minidump data, 554–555 power request objects, 106–108 120 Notmyfault.exe, 52 processor power management. 
power and power manager, continued
  processor power management. See PPM (processor power management)
  shutting down, 545
  states, 102–104, 108–109, 120, 549
  stress tests, 67
  UMDF reflectors, 79
  WDM drivers, 6–7
power availability requests, 105–108
Powercfg utility, 108
PowerClearRequest API, 106
PowerCreateRequest API, 106
power dispatch routines, 101
PpmPerfSelectProcessorStates function, 120
PpmScaleIdleStateValues function, 120
!ppmstate command, 112
PRCBs (processor control blocks), 121
preboot process, 171, 499–502
prefetched shared pages, 196
prefetcher, 324–328, 520
prefetch operations
  clustered page faults, 272–273
  defragmentation, 328
  disabling, 325
  files, 412–413
  ideal NUMA node, 285
  logical prefetcher, 324–328, 520
  Superfetch rebalancer, 339
  viewing, 326, 327
Preflect utility, 352–353
prepare records, 477
!process command, continued
  outstanding IRPs, 31
  processor information, 580
  viewing processes, 43
Process counter objects, 190–192
process environment blocks (PEBs), 246, 351
processes
  address space, 237, 248
  attaching to, 196
  cache coherency, 356–358
Process Explorer processes, continued process heaps, 221, 246, 247 product IDs (PIDs), 90 child, 193 process manager, 50, 414, 517, 518, programs. See applications copy-on-write, 209–210 progress bars, 506 cross-process memory access, 196 521 promotion (performance states), 114 current, 554 Process Monitor (Procmon.exe), protected boot mode, 503 DEP protection, 207 protected driver list, 98 emptying working sets, 307–308 62–64, 327, 380–386, 413–416 protected mode with paging execution protection, 205 process objects, 203 heap types, 221–222 processor control blocks (PRCBs), 121 (processors), 500, 503 hung, 351 processor cores protected prefixes, 523 increasing address space, 229–231 protected processes, 521 IRP cancellation, 50–51 check phases, 116, 117–118 protecting memory, 203–204 lists of running, 554, 575 domains, 109 protection mapped private code and data, increase/decrease actions, 113–114 228 PPM parking and unparking, 119 copy-on-write, 209–210 memory limits, 320–323 thresholds and policy settings, pages, 193, 195, 272, 287 memory quotas, 245–246 protective MBR, 140 minidumps, 351 114–116 protocol device classes, 78 page directories, 256 utility, 110–113 protocol drivers, 6 pages modified by, 387 processor power management. Prototype bit (PTEs), 257 page tables, 256 prototype PFNs, 297–298 priorities, 311, 342 See PPM (processor power prototype PTEs, 269–271, 272, 288, private address spaces, 203, 228 management) process objects, 203 processors 302, 317 process reflection, 351–353 APIC clusters, 506 PS/2 keyboards, 578 process/stack swapper, 188 check phases, 116, 117–118 PsBoostThreadIo API, 61 process VADs, 283–284 concurrency value, 55 Psexec tool, 594 protecting memory, 203–204 configuration flags, 506 PspAllocateProcess function, 352 prototype PTEs, 269–271 cores. 
See processor cores !pte command, 256, 263, 586 reparse points, 431 deadlocks, 577 PTEs (page table entries) section objects, 286 displaying information, 510 sessions, 233–235 DPC stacks, 279, 282 access bits, 341 shared memory, 200–202 environment variables, 523 addresses, 316 shutdown levels, 543 groups, 508 defined, 252 switching address space, 555 initializing, 516 dynamic address space, 232 termination, 48 listing compatible, 574 expanding, 243 troubleshooting, 351–353, maximum number, 508 hardware or software Write bits, 415 – 416 no execute page protection, 204 unkillable, 48–49, 52 page sizes, 199 258 viewing for IRPs, 43 performance checking, 121–122 IA64 address translation, 266–267 virtual size, 187 preparing registers, 512 in-paging I/O, 271–272 working sets, 324–329 processor power management invalid, 267–269 (PPM), 108–122 nonexecutable pages, 205 Process Explorer server threading models, 53 original, 317 ASLR protection, 251 single bit corruption, 570 overview, 256–258 cache size, 364 stack traces, 574 page fault handling, 268–271 DEP protection, 207 states, 120 page files, 268 device handles, 22–23 switching CPU contexts, 580 page writer, 315 displaying memory information, thresholds and policy settings, PFN database, 297–298 191 114–116 prototype, 269–271 listing kernel-mode drivers, 10–11 TPM, 168 system, 235–236 mapped files, 202, 287 utility and frequency, 111–112 system, viewing, 235–236 maximum pool sizes, 214–215 x64 system virtual address system space, 229 power request objects, 106–107 limitations, 240–242 VADs, 283 prioritized standby lists, 312 processor states, 120 valid fields, 256–257 reserved and committed pages, process page file quotas, 275, 277, 282 viewing, 235–236, 262–264, 586 197–198 process reflection, 351–353 virtual addresses, 254 threads, 44 process/stack swapper, 188 public key cryptography, 97, 164, 436, UMDF interactions, 80 process VADs, 283–284 unkillable processes, 52 PROCESS_VM_READ or WRITE rights, 491– 493 196 
process working set list, 318
process working sets, 324, 329
Procmon.exe (Process Monitor), 62–64, 327, 380–386, 413–416
public key infrastructure (PKI), 496
pushlocks, 189, 240, 258
push operations, 241
PXE, 514
recovery agents Q pool sizes, 213 crashes, 547 single bit corruption, 570 diagrammed, 25, 26 quadwords, 263 translating address space. See explicit file I/O, 408 quantum expiration, 38 fast I/O, 376–377 query APIs, 472 address translation file attributes, 447 QueryDosDevice function, 23 usage, 190 file handles, 473 QueryMemoryResourceNotification viewing working sets, 332 in-paging I/O, 271–272 vs. flash memory, 128 KMDF, 76, 77 function, 335 ramdiskimagelength element, 509 leases, 405 query remove notification, 83–84 ramdiskimageoffset element, 509 LFS log files, 480 query-stop command, 83–84 ramdisks, 507, 509 logical blocks, 127 QueryUsersOnEncryptedFile function, ramdisksdipath element, 509 mirrored volumes, 150–151 ramdisktftpblocksize element, 509 PAGE attributes, 203–204 497 ramdisktftpclientport element, 509 paging files, 62 queue objects, 56 ramdisktftpwindowsize element, 509 prefetched pages, 272–273 queue pointers, 56 RAMMap utility, 192, 304–310 ReadyBoost, 348 queues, 75, 76 random I/O, 19, 347 scatter/gather I/O, 28 quietboot element, 509 randomization (block metadata), 225 shadow copies, 179 quietboot option, 519 random number generation, 168, 510 transacted writers and readers, 470 quota control entries, 466–467 RAW disks, 510 ReadProcessMemory function, 196, Quota Entries tool, 434 RAW file system driver, 157, 398 quota files ($Quota), 446, 466–467 raw traces and logs, 341 203 QUOTA_LIMITS_HARDWS_MIN_ RDBSS (Redirected Drive Buffering read/write access, 195, 211 ReadyBoost, 346–350, 397, 527–528 ENABLE flag, 329 Subsystem), 400 ReadyBoot, 527–528 quotas Rdyboost.sys (ReadyBoost), 346–350, ReadyDrive, 348–350 real boot mode, 502–503 control entries, 466–467 397, 527–528 reason callbacks, 548 initializing, 526 read-ahead operations rebalancer, 339, 341, 342–344 NTFS per-user, 433–434 rebooting processes, 517 asynchronous with history, 378 quota files, 446, 466–467 cache manager work requests, automatic, 508 virtual address space, 245–246 breaking 
into hung systems, 579 quota tracking, 465, 466–467 390, 412–413 Windows RE, 536 compressed files, 460 reciprocals, 517 R disabling, 378–379 recognizing volumes, 398 fast I/O, 377 recording utility values, 118 R handles, 405 file system drivers, 408 record offsets (LSNs), 421 $R index, 469 file system operations, 412–413 records, NTFS file, 447–449 race conditions, 258, 570 intelligent read-ahead, 378–379 recoverable file systems, 355, 359, RADAR (Windows Resource Exhaustion oplocks, 401–402 overview, 377 478 – 479 Detection and Resolution), system threads, 390 recovery 351, 352 viewing, 380–386 RAID-0 volumes. See striped volumes read-commited isolation, 470–471 analysis pass, 484–485 RAID-1 volumes. See mirrored volumes ReadDirectoryChanges API, 473 bad-cluster recovery, 487–490 (RAID-1) ReadDirectoryChangesW function, disk recovery, 483–487 RAID-5 volumes, 141, 151, 425, 490 dynamic bad-cluster remapping, RAID volumes 415, 433 creating, 442 ReadEncryptedFileRaw function, 497 429 port drivers, 132 ReadFileEx function, 38 fault tolerance, 425 RAM ReadFile function, 25, 32, 408, 409, 473 implementation, 477 Address Windowing Extensions, ReadFileScatter function, 28 log file passes, 484–487 211, 212 read-in-progress bits, 272 log files ($LogFile), 359, 445 commit charge, 275–277 read-in-progress PFN flag, 317 NTFS recoverability, 424–425, commit limits, 199, 275–277 read-isolation rules, 473 corruption, 548 read-modify-write operations, 127 477– 491 crashes, 548 read-only file attributes, 448 RAID-5 recoverability, 152 diagnostic tools, 534 read-only memory, 297, 547, 573 recoverable file systems, 355, 359, DMA errors, 570 read-only status, 195, 211, 258, 264, I/O priorities, 58 478 – 479 optimization software, 345–346 267 recovery partitions, 535 optimizing boot process, 527–528 read operations redo pass, 485 page files, 274, 278–279 self-healing, 490–491 physical memory limits, 320–323 active views, 360 striped volumes, 149 buffered I/O, 32 TxF process, 477 cached 
read operations, continued
  cached and noncached versions, 373, 381
  copies of files in memory, 288
recovery, continued
  undo pass, 485–487
recovery agents, 494–495, 496
recoveryenabled element recoveryenabled element, 506 processor thresholds and policy resource allocation (PnP), 81 recovery keys, 170, 172–173, 175 settings, 114–116 resource arbitration (PnP), 81, 83 recovery partitions, 535 resource lists (KMDF), 71 recovery sequence (BCD), 506 self-healing entries, 491 resource manager objects, 519 recoverysequence element, 506 service configuration keys, 531 resource managers, 473–475, 477 recursive callouts, 281, 589 subkeys, 89, 91 resource range lists (KMDF), 72 recursive faults, 584 system code write protection, 574 resource requirements lists (KMDF), 72 Redirected Drive Buffering Subsystem tracking PTEs, 236 restart area (LFS), 479–480 troubleshooting issues, 415 restart LSNs, 421, 476, 477 (RDBSS), 400 VDS information, 160 restart records, 476 redirectors, 400, 401, 440 registry hive files restore points, 183, 534, 539, 540, 542 redo entries, 481, 482 encryption, 163 restoring previous versions, 182–184 redo pass, 477, 480, 485 HARDWARE hive, 515, 520 restrictapiccluster element, 509 redo records, 476 loading, 510, 523 resumeobject element, 504, 509 redundant volumes, 488 loading user set, 526 Retrieve API, 70 reference counts, 315, 316, 318 SYSTEM hive, 520, 540 RH (Read-Handle) handles, 405 referenced directory traces, 325 regular queues (cache management), Rivest-Shamir-Adleman (RSA), 492, 496 referenced file traces, 325 RMs (resource managers), 473–475, reflectors, 79 390 Regedit utility, 541 rekeying volumes, 165 477 regions relative paths, 430 robusted pages, 344–345 releasing address space, 196 robust performance, 344–346 CLFS, 421 relocatephysical element, 506 rocket model (PPM), 114, 120 FAT, 394 remapping bad sectors, 487 rollback operations, 425, 481, 485, 542 registered device driver bugcheck remote boot debugging, 504 Rom PFN flag, 317 remote disks, booting from, 514 Rom PFN state, 297, 299 callbacks, 581 remote file replication services, 413 Root bus driver, 85 registered drivers, 10–11, 155, 398, remote 
FSDs, 400–407 root directories, 395, 435, 445 removable devices, 153, 158 rotate VADs, 284 403–404 removal requested PFN flag, 317 rotating magnetic disks, 126–128 registers, 39 remove command, 83–84 rotational latency, 347 registry remove/eject device utility, 83 RSA (Rivest-Shamir-Adleman), 492, 496 removememory element, 509 RtlCloneUserProcess function, 351 boot process, 132 RemoveUsersFromEncryptedFile RtlCreateProcessReflection function, cache virtual size, 361 complete crash dump enabling, function, 497 351, 352 rename APIs, 472 RtlGenerate8dot3Name function, 451 554 renaming files, 461, 525 Rtl interfaces, 221, 250, 294, 295 crash parameters, 550 $Repair (transaction repair directory), Rtlp functions, 351, 352 deciphering driver names, 552 Run DLL Component (Rundll32.exe), dedicated dump files, 551 446 device driver identification and repairing 95, 325 runs, 444–458, 459 loading, 90–94, 530–532 installation, 535–537 run-time environments, 78, 80 Driver Verifier values, 293 self-healing volumes, 490–491 RW (Read-Write) handles, 405 dump file names, 550 repair installations, 539 RWH handles, 405 enumeration keys, 89, 91 reparse data, 431 errata manager, 520 $REPARSE_POINT attribute, 448 S file rename operations, 525 reparse point files ($Reparse), 446, 469 forcing high memory addresses, reparse points, 154, 431, 448, 462, 469 S0 (fully on) power state, 98–99, 101 reparse tags, 431, 469 S1 (sleeping) power state, 98–99, 101 231 replacement policies, 328–329 S2 (sleeping) power state, 98–99, 101 high and low memory values, 336 replication agents, 417 S3 (sleeping) power state, 98–99, 101, hive files. See registry hive files. 
registry, continued
  initializing, 522, 523
  I/O system, 2
  KMDF object keys, 71
  large page size key, 194
  last known good settings, 530
  lists of page files, 273–274
  loading drivers and services, 84–85
  Memory.dmp file options, 557
  mounted device letters, 153
  overrun detection, 294
  partitions, 138
  per-user quotas, 246
  prefetch settings, 325
reporting errors, 561–562
repurpose counts, 312
reserve cache, 191
reserved pages, 195, 197–198, 199–200, 226
reserving and committing pages, 195–198
resident attributes (NTFS), 453–456
resident pages, faults, 267
resident shared pages, 196
resident size of paged pool, 214
resolution (BCD elements), 505
resolution settings (video), 524
S3 (sleeping) power state, 98–99, 101, 106
S4 (hibernating) power state, 98–99, 101
S5 (fully off) power state, 99, 101
safebootalternateshell element, 509
safeboot element, 509
SAFEBOOT variable, 523
safe mode
  boot logging, 533–534
  boot options, 509
servers driver errors, 569 section object pointers, 19, 288, 289, cross-process memory access, 196 driver loading, 529–532 368 database, 445 Driver Verifier settings, 293 file attributes, 448 registry entries, 521 section objects (control areas) files, 21 safe-mode-aware programs, 532 control areas, 288, 289–292 indexing features, 429 troubleshooting startup, 529 creating, 520, 524 section objects, 201 Windows RE alternative, 534–537 defined, 286 $Secure metadata files, 425, 445, safemode BCD option, 531 file mapping objects, 356 Safe Mode With Command Prompt, increasing virtual memory, 210 467, 468, 469 memory manager, 200–202, sharing descriptors, 469 509, 530 286–292 Security Descriptor Stream ($SDS), 425, Safe Mode With Networking, 530 memory mapped files, 187, 193, safe save programming, 452 525, 549 467, 468 safe structured exception handling, prototype PTEs, 269–270 \\Security directory, 519 section objects, 200–202 security files ($Secure), 425, 445, 467, 208 viewing, 287 salt (encryption keys), 172 468, 469 SANs (storage area networks), 125, sections, 196, 269 Security ID Index ($SII), 467, 468 sector-level disk I/O, 138 security IDs (SIDs), 434, 466–467, 468, 133, 155 sectors SAS (Serial Attached SCSI), 126, 132 494 SATA devices, 60, 64, 126, 132 bad-sector remapping, 487 security mitigations, 250 saved system states, 99 blocks, 126 security reference monitor, 518, 519, scalability defined, 125, 391, 501 disk sector formats, 126–128 522 heap functions, 224 encrypting, 173–174 SeDebugPrivilege rights, 196, 203 I/O system, 1 GPT bits, 140 seek times, 324, 347 scaling (performance states), 114, 120 larger sizes, 443 segment dereference thread, 189 scanning (Startup Repair tool), 536 LDM database, 142 segments, 222, 270 scatter/gather I/O, 28 NAND-type flash memory, 129 segment structures, 288 SCB (stream control block), 441, 473 remapping bad clusters, 429 SEH handler, 208 scenario manager, 339 sector to client mapping, 423 SEHOP (Structured Exception 
Handler scenarios, 342 signatures, 421 scheduled file I/O, 64 size, 349 Overwrite Protection), 208 scheduled file I/O extension, 20 trim command, 130 self-healing, 398, 490–491 scheduled tasks, 58 updating, 130 SE_LOCK_MEMORY privilege, 48 scheduler, 113, 519 sector signatures, 421 semaphore object, 519 SCM (service control manager) sector size, 349 SendTarget portals, 134 boot process, 501 sector to client mapping, 423 sequential I/O, 19, 76, 344 initializing, 525 Secure Digital cards, 347 sequentially reading files, 360 loading auto-start drivers, 88 $Secure metafiles, 425, 445, 467, 468, sequential read-ahead, 378 safe mode boots, 532 Serial Advanced Technology SCM process, 31 469 screen savers, blue screen, 594 security Attachment (SATA), 60, 64, scripting (BitLocker), 164 126, 132 scripts, user, 526 AWE memory, 211 Serial Attached SCSI (SAS), 126, 132 scrubbing pages, 317 BitLocker, 163–176 serial devices, debugging, 504 SCSI devices, 60, 126 boot process, 501 serial hypervisor debugging, 507 Scsiport.sys driver, 132, 133 consolidated NTFS security, serializing IRPs, 12 SD cards, 347 serial ports SD Client buses, 68 467– 469 BCD elements, 504, 505 $SDH (Security Descriptor Hash), 467, encryption recovery agents, 495 breaking into hung systems, 578 heap manager, 224–225 device objects, 137 468 I/O system, 1 hypervisor debugging, 507 SDI ramdisks, 509 NTFS design goals, 425 kernel debugger, 582 SD/MMC support, 126 page files, 274 server applications $SDS (Security Descriptor Stream), 425, troubleshooting issues, 415 cache manager, 440 zero-initialized pages, 300 dynamic bad-cluster remapping, 467, 468 zones, 427 429 sealing VMKs, 168, 170 security contexts, 409 execution protection, 205 search indexing priorities, 58 security cookies, 576 threading models, 53 secondary dump data, 554 $SECURITY_DESCRIPTOR attribute, 448 server farms (crash analysis), 563 secondary resource managers, 473, security descriptor database, 445 Server Message Block (SMB) protocol, 
secondary resource managers, 473, 474–475
Second Layer Address Translation (SLAT), 507
SeCreateSymbolicLink privilege, 431
Security Descriptor Hash ($SDH), 467, 468
security descriptors
  change journal, 461
Server Message Block (SMB) protocol, 400–401, 404
servers
  crash buttons, 578
  internal error reporting servers, 561–562
server-side remote FSDs servers, continued SetFileCompletionNotificationModes SideShow-compatible devices, 78 last known good (LKG) set, 526 API, 57 SIDs (security IDs), 434, 466–467, 468, Memory.dmp files, 557 physical memory support, 321 SetFileInformationByHandle function, 494 shadow copies, 179 59, 473 signatures server-side remote FSDs, 400–407 SetFileIoOverlappedRange API, 20 driver signing, 95–96, 97, 98 service control manager. See SCM SetFileShortName API, 473 heap tail checking, 225 SetFileTime API, 473 verification, 97 (service control manager) SetFileToOverlappedRanges API, 48 $SII (Security ID Index), 467, 468 Service Hosting Process (Svchost.exe), SetPriorityClass function, 59 simple volumes, 126, 151 SetProcessDEPPolicy function, 208 single bit corruption, 570 94, 325 SetProcessShutdownParameters single-layered drivers, 33–39 service loading, 84–85 single-level cell (SLC) memory, 128 service packs, 525, 538 function, 543 single-page granularity, 200 services, shutting down, 545 SetProcessWorkingSetSizeEx function, singly linked lists, 240, 242 Services.exe, 31 SLAT (Second Layer Address Services for Unix Applications, 352 199, 329, 330 Services registry key, 552 SetProcessWorkingSetSize function, Translation), 507 Session 0 window hook, 525 SLC (single-level cell) memory, 128 SESSION5_INITIALIZATION_FAILED 329 sleep states, 82, 98–100, 101, 105–108 SET_REPAIR flags, 491 SLIST_HEADER data structure, 240, 241 code, 522 SetThreadExecutionState API, 105 slots in cache structures, 364 !session command, 233 SetThreadPriority function, 59 small-IRP look-aside lists, 28 Session Manager (Smss.exe) Setupapi.dll, 95 small memory dumps (minidumps), Setupcl.exe, 524 boot logging in safe mode, 533 SetupDiEnumDeviceInterfaces 351, 554–556, 562, 579 boot logs, 542 small pages, 193–195 boot process, 500, 501, 522–526 function, 15 smartcards, 174, 175 checking for crash dumps, 550 SetupDiGetDeviceInterfaceDetail SMB Server Message Block (SMB) DLL order, 249 
initialization tasks, 522–525 function, 15 protocol, 400–401, 404 initializing, 522 Sfc.exe utility, 538 SmpCheckForCrashDump function, large address space aware, 231 SfclsFileProtected API, 538 page file setup, 273–274 SfclsKeyProtected API, 538 550 process, 228 shadow copies SmpConfigureSharedSessionD ata running Chkdsk, 158 shutdowns and, 545 backup operations, 181–182 function, 524 session manager process, 228 operations, 178–181 SmpCreateDynamicEnvironment session namespaces, 409 set IDs, 185 session-private object manager shadow copy volumes, 185 Variables function, 523 transportable, on servers, 179 SmpCreateInitialSession function, 524 namespace, 228 Volume Shadow Copy Service, SmpCreatePagingFiles function, 523 sessions SmpExecuteCommand function, 523 177–186 SmpInit function, 523, 524 container notifications, 65 Shadow Copies for Shared Folders, 182 SmpInitializeDosDevices function, 523 defined, 228 shadow copy device objects, 185 SmpInitializeKnownDlls function, 524 dynamic address space, 243 Shadow Copy Provider, 179–181 SmpLoadDataFromRegistry function, initializing, 524 shadow copy volumes, 185 namespaces, 228, 409 shareable address space, 247 523 session space utilization, 235 shareable pages, 195, 196 SmpProcessFileRenames function, 523 sessionwide code and data, 228 share-access checks, 19 SmpStartCsr function, 524 working sets, 324 share counts, 315, 316, 317, 318 SMP system processors, 521 x86 session space, 233–235 shared access leases, 405 SmpTranslateSystemPartition \\Sessions directory, 523 shared access locks, 401 session space shared cache maps, 368, 371–373, 411 Information function, 524 64-bit layouts, 237 shared encrypted files, 493 Smss.exe. 
See Session Manager defined, 228 shared heaps, read-only, 222 dynamic address space, 233 shared memory, 200–202, 203, 228 (Smss.exe) IA64 address translation, 266 shared pages, 211, 269–271, 310 SMT cores, 109, 110 page tables, 256 share modes (file objects), 19 snapshot devices, 179 pool, 213 shell, 434–435, 526, 563 snapshots, 162, 177–186 utilization, 235 shell namespace, 434–435 soft faults, 325 x86 systems, 233–235 shim mechanisms, 227 soft links, 430–432 Set APIs, 70, 472 short names, 448, 450, 451, 453 soft page faults, 285 SetEndOfFile API, 473 ShrinkAbort request, 438 soft partitions, 142, 143, 146 SetFileBandwidthReservation API, ShrinkCommit request, 438 software attacks, 166 shrinking engine (partitions), 438 software data execution prevention, 20, 64 ShrinkPrepare request, 438 shutdown, 66, 537, 542–545 208–209 software DEP, 208–209 software keys, 94. See also enumeration
stop code analysis software mirroring, 177 stack overflow errors, 12 Standby PFN state, 297, 299 software providers, 160 stack overruns (stack trashes), 575–577 standby scenario, 342 software PTEs, 268–269 stack pointer register, 576–577, 589 start-device command, 83 software resumption from power stack randomization, 249–250 start-device IRPs, 15 StackRandomizationDisabled, 249–250 start I/O routines, 12 states, 98 stacks Startup.com, 502 software Write bits, 258 startup process. See boot process solid state disks. See SSDs (solid state address space, 246, 247 Startup Repair tool, 534, 536 analyzing, 576–577 Start values, 84–85, 88 disks) in commit charge, 276 state-transition table, 83–84 sos element, 510 cookies, 209 static physical NVRAM cache, 350 space quotas, 245–246 crash dump analysis, 575–577 Static Root of Trust Measurement spaces (file names), 449 defined, 279 spanned volumes, 148 DEP stack cookies, 209 (SRTM), 168 spare bits, 129 DPC, 279, 282 STATUS_ACCESS_ VIOLATION sparse files, 393, 432–433, 456–458 inswapping and outswapping, 188 sparse matrix, 457 jumping, 281 exception, 204, 586–588 sparse multilevel VACB arrays, 370 kernel, 279, 281–282 STATUS_BREAKPOINT exception, spatial locality (cache), 412 memory manager, 279–282 special agents (prefetch), 344 pointer register, 576–577, 589, 599 586–588 special pool randomization, 249–250 STATUS_INVALID_DEVICE_REQUEST stack bases, 589 crash dumps, 569–572 stack trashes, 575–577 exception, 74 defined, 213 swapper, 188 STATUS_REPARSE code, 431 Driver Verifier option, 571, traces. 
See stack traces step model (PPM), 113–114, 120 user-mode, 196–197, 279 stolen USB keys, 166 590 –592 verifying limits, 589 “STOP: 0xC000136” error, 538 dynamic address space, 232 !stacks command, 581 stop code analysis enabling, 571–572 stack swapper, 188 expanding, 243 stack traces BAD_POOL_CALLER, 550 registry settings, 294 displaying device driver, 585 BAD_POOL_HEADER, 550, 570 verification, 293–294 heap debugging, 226 BUGCODE_USB_DRIVER, 550 wild-pointer bugs, 573 kernel-mode thread exceptions, CRITICAL_OBJECT_TERMINATION, speed, cluster size and, 443 spinlocks 587–588 550 –551 accessing directly, 39 pool corruption, 590–591 DRIVER_CORRUPTED_EXPOOL, context areas, 73 processors, 574 detecting, 577 read-ahead operations, 382 550, 590–592 eliminating need for, 241 verbose analysis, 567–568 DRIVER_IRQL_NOT_LESS_OR_ KMDF objects, 72 write-behind operations, 385, 386 pools and, 219 stack trashes, 575–577 EQUAL, 549, 585–586 splash screens, hangs and, 540–542 stampdisks element, 510 DRIVER_OVERRAN_STACK_ split log blocks, 422 standard BitLocker operation, 164 split mirrors (clone shadow copies), $STANDARD_INFORMATION attribute, BUFFER, 576 DRIVER_POWER_STATE_FAILURE, 177 448, 467, 468 Spoolsvc.exe, 106 standby cache, 191 549 SRTM (Static Root of Trust standby lists IRQL_NOT_LESS_OR_EQUAL, 549 KERNEL_DATA_INPAGE_ERROR, Measurement), 168 cache physical size, 363 SSDs (solid state disks) page faults, 269 550 page list dynamics, 300–302 KERNEL_MODE_EXCEPTION_NOT_ file deletion and trim, 130–131 page priority, 310 ReadyBoost, 346–348 PFNs, 316, 318 HANDLED, 575, 586–588 slowing down, 129 prefetched pages, 272 KERNEL_MODE_EXCEPTION_NOT_ storage management, 125 prioritized, 311–313 wearing out, 129 rebalancer, 339 HANDLED with P1..., 550 wear-leveling, 129–130 redistributing memory, 341 KMODE_EXCEPTION_NOT_ stack bases, 589 shared pages, 270 stack cookies, 209 Superfetch service, 338, 339 HANDLED, 549, 575 stack limits, 589 system cache, 361, 363–364 
MANUALLY_INITIATED_CRASH, stack locations viewing page allocations, 304–310 allocating to drivers, 42 standby mode, 103–104, 339 578 I/O request packets (IRPs), 29–31 standby page lists, 191, 267 MEMORY_MANAGEMENT, 550 IRP reuse and, 41 standby pages, 316 NTFS_FILE_SYSTEM, 551 large-IRP look-aside list, 28 overview, 585 managing, 67 PAGE_FAULT_IN_NONPAGED_ request completion, 36–38 AREA, 550 PFN_LIST_CORRUPT, 550 SYSTEM_SERVICE_EXCEPTION, 549 SYSTEM_THREAD_EXCEPTION_ NOT_HANDLED, 549 UNEXPECTED_KERNEL_MODE_ TRAP, 549, 588–590 verbose analysis, 567–568
stop codes stop code analysis, continued stream-controlled block (SCB), 155, boot status file information, 537 VIDEO_TDR_FAILURE, 550 441, 473 operations, 98–99 WHEA_UNCORRECTABLE_ERROR, Svchost.exe (Service Hosting Process), 550 streaming playback, 58, 64, 105–108 stream names, 358 94, 325 stop codes (bugchecks) streams swapper thread, 334 blue screen crashes, 549–551 switching CPU contexts, 580 bugcheck parameters, 566, 586 associated with file names, 341 Swprov.dll (shadow copy provider), bugcheck screens, 517 attributes, 426–427 Bugcodes.h file, 549 cache working set, 362 179–181 defined, 548 caching, 358 symbol-file paths, 566, 582 help files, 549 change journal, 461–464 symbol files, 517, 566, 591 high IRQL faults, 586 CLFS, 417 symbolic exception registration illegal instruction fault crashes, defined, 358 573–574 multiple, NTFS design goals, records, 208 manual crashes, 566 symbolic links minidumps, 554 426 – 428 numeric identifiers, 548 TxF, 474 change journal, 462 viewing, 558–559 viewing, 428 device names, 23 strided data access, 378 device objects, 15 stop command, 83–84 strings, 72, 73, 570, 592 file object extensions, 20 storage area networks (SANs), 125, Strings utility, 217, 326, 570 initializing, 519, 520 striped arrays, 141 MS-DOS devices, 523 133, 155 striped volumes naming conventions, 136 storage devices, 348–350, 514 data redundancy, 425 NTFS design goals, 430–432 storage device states, 81 defined, 148–149 reparse points, 154 storage drivers I/O operations, 159 shadow copies, 185 LDM partition entries, 143 viewing, 24 class drivers, 132–136 RAID-5 volumes, 141, 151, 425, 490 volumes, 154, 409 device drivers, 125, 398–399 rotated parity (RAID-5), 141, 151, symbols, kernel, 214 disk I/O operations, 159–160 symbol server, 556 management, 132–136 425, 490 SymLinkEvaluation option, 431 opening files, 409 Structured Exception Handler symmetric encryption, 491 port drivers, 60 synchronization storage management Overwrite Protection (SEHOP), heap 
manager, 223 basic disks, 139–141 208 internal memory, 189 BitLocker, 163–176 subkeys, 89, 91 I/O requests, 38–39 BitLocker To Go, 175–176 subst command, 24 KMDF callbacks, 74 disk devices, 126–131 Subst.exe utility, 186 KMDF queues, 75 disk drivers, 131–138 subsystem DLLs, 33–34, 524 not supported by heap functions, dynamic disks, 141–147 success codes, 58, 76 full-volume encryption driver, successful boots, 551 222 Superfetch service (proactive memory synchronization objects, 25, 271, 295, 173–174 management) multipartition volume components, 338–340 296 ideal NUMA node, 285 synchronization primitives, 577. See management, 147–152 idle I/O, 62 overview, 125 initializing, 520 also fast mutexes; mutexes; terminology, 125–126 I/O priorities, 58 spinlocks Trusted Platform Module, 168–170 logical prefetcher, 325 synchronization scope object virtual disk service, 160–162 organizing files, 327 attribute, 76 virtual hard disk support, 162–163 overview, 338 synchronous I/O volume I/O operations, 159–160 page priority, 342–344 cancellation, 49 volume management, 138–162 pretraining, 343 completion, 37 volume namespaces, 153–158 process reflection, 351–353 defined, 25–26 Volume Shadow Copy Service, ReadyBoost, 346–348 fast I/O, 376, 377 ReadyDrive, 348 file object attributes, 19 177–186 rebalancing, 342–344 single-layered drivers, 33–39 storage stacks, 60–61, 131, 134–136 robust performance, 344–346 Synchronous Paging I/O, 383 store keys, 350 scenarios, 342 Synchronous Paging I/O, 383 Store Manager (unified caching), tracing and logging, 341 SYSCALL instruction, 282 unified caching, 348–350 SYSENTER instruction, 282 348–350, 520 surprise-remove command, 83–84 Sysmain.dll. See Superfetch store pages, 349 suspending service (proactive memory stores, 349 BitLocker, 171 management) Storport minidriver, 163 sysptes command, 235–236 Storport.sys driver, 132, 133 system address space, 228–229, 237, stream-based caching, 358 281 638
threads system cache system service dispatch tables, 519 reserved and committed pages, address space, 237 SYSTEM_SERVICE_EXCEPTION stop 198 copying files, 374 expanding, 243 code, 549 unkillable processes, 52 prefetching pages, 272 system shutdown notification routines, Task Scheduler, 58 reclaiming virtual addresses, 244 TBS (TPM Base Services), 164, 168–170, in system space, 229 14 system start device drivers, 550 174 system cache working sets, 229, 334, system start (1) value, 84, 85 Tbssvc.dll, 164 361–362 system-start values, 88 TCG (Trusted Computing Group), 168 system storage class device drivers, 60 TCP/IP, 78, 133 system code, in system space, 228–229 SystemSuperFetchInformation class, TEB allocations, 200, 246 system code write protection, 573–574 temporal locality (cache), 412 system commit limit, 199, 275–277, 342 temporary dump file names, 550 SYSTEM_THREAD_EXCEPTION_NOT_ temporary files, 386, 525 279. See also commit limits temporary page states, 297 system crash dumps, 135. See also HANDLED stop code, 549 Terminal Services notifications, 65 system threads, 314–315, 390. See also termination crash dumps System Deployment Image (SDI), 507 threads processes, 50–51 system environment variables, 523 system time, 519, 574 threads, 50–53 system failures, 359, 379. See also system variables, 318 TestLimit64.exe utility, 280 system virtual address spaces, 189, TestLimit utility crashes; hung or unresponsive creating handles, 245 systems; recovery 245–246, 356 leaking memory, 232, 313 System File Checker (Sfc.exe), 540 system virtual memory limits, 320–323 private pages, 302–303, 304 system files System Volume Information directory, reserved or committed pages, backup copies, 538 repairing corruption, 538–540 180 197–198 SYSTEM hive, 510, 511, 515, 520, 540 system volumes, 145, 150, 445, 502, reserving address space, 237 system identifiers (TPM), 168 thread creation, 280 System Image Recover (Windows RE), 524 working sets vs. 
virtual size, 534 systemwide code and data, 228 System Image Recovery images, 539 systemwide environment variables, 331–332 system images, 230–231, 534, 539 testsigning element, 506 “system in a VHD,” 162 582 test-signing mode, 506 System Information tool, 552 system worker threads, 390, 520 TFAT (Transaction-Safe FAT), 397 system integrity checks (TPM), 168 system working set lists, 318 TFTP (Trivial FTP), 509 SystemLowPriorityIoInformation class, system working sets thaws, VSS writers and, 177, 178 64 thinly provisioned virtual hard disks, system-managed paging files, 274 cache physical size, 363–364 system-managed shared resources, defined, 324, 362 162 275 forcing code out of, 295 third-party drivers, 216, 556 system mapped views, 229, 232, 233 overview, 334–335 third-party RAM optimization system memory pools (kernel-mode in system space, 229 heaps), 212–220 working sets, 334–335 software, 345–346 system partitions, 502, 524 thread-agnostic I/O, 19, 30, 48, 55 system paths, 514 T !thread command, 31, 43, 574, 576, system pool size, 214. 
See also pool system power policies, 100, 103–104 T states (processors), 114, 120 580, 581, 589 system power requests, 106 $T stream, 474 threaded boosts, 61 System process, 188–189, 415 T10 SPC4 specification, 134 thread environment block (TEB) system process shutdowns, 544–545 table of contents area (LDM), 142 System Properties tool, 553 tags allocations, 200, 246 system PTEs, 229, 232, 235–237, 243 threads system PTE working sets, 229, 334 heap debugging, 226 System Recovery Options dialog box, pool allocation, 216 activating, 54 535 precedence, 85 asynchronous and synchronous system resources, releasing, 13–14 Tag value, 84, 85 System Restore, 178, 182–184, 534, tail checking, 225, 226 I/O, 25–26 540, 542 tamper-resistant processors, 168 completion ports, 54, 56 System Restore Wizard, 542 target computers, 582–584 concurrency value, 55 systemroot element, 510 targetname element, 506, 510 creating, 520 system root paths, 517 target portals (iSCSI), 134 current, 554, 574 “system running low on virtual task gates, 588 deadlocks, 577 memory” error, 278 Task Manager file system drivers, 407 cache values, 364 heap synchronization, 223 memory information, 190–192 higher-priority, 38 page file usage, 278–279 IDs, 248 pool leaks, 218 inactive, 57 injected in cloned processes, 351 I/O completion, 37
threads, continued top dirty page threshold, 389 logged information, 482 I/O requests, 4 $TOPS files, 474, 476 logging implementation, 476–477 kernel-mode, 586–588 torn writes, 421 on-disk implementation, 475–476 maximum number, 280 total memory, displaying, 190 overview, 469–470 outstanding IRPs, 31 total process working sets, 331 recovery implementation, 477 page priority, 311 total virtual address space, 275 recovery process, 477 preempting windowing system TPM (Trusted Platform Module) resource managers, 473–475 driver, 577 VSS writers, 178 priorities, 62–64, 342 BitLocker, 164 Transaction-Safe FAT (TFAT), 397 private address space, 228 Boot Entropy policy, 510 transaction semantics, 397, 416 read-ahead, 412–413 boot entropy values, 522 transaction tables, 477, 483, 484 server threading models, 53 chips, 168, 169, 174 transition, pages in, 269, 270 shutdown process, 543, 544 encrypting volume master keys, transition pages, 316 stacks, 205, 246, 248, 249–250, Transition PFN state, 297, 299 279–282 166 transition PTEs, 317 stack trace analysis, 567–568 MMC snap-in, 164, 168, 169 translation, 188, 203, 422–423.
See also synchronizing access to shareable storage management, 168–170 resources, 23 Tpm.sys driver, 164 address translation system, 390 Windows support, 168 translation look-aside buffer (TLB), termination, 48, 50–53 TPM Base Services (TBS), 164, 168–170, thread-scheduling core, 188 194, 258, 259–260, 507 thread thrashing, 53 174 translation-not-valid handler, 188 user-initiated I/O cancellation, 49 tpmbootentropy element, 510 transportable shadow copies, 179 viewing for IRPs, 43 TPM chips, 168, 169, 174 transport layer, 582 virtual files, 4–5 TPM MMC snap-in, 164, 168, 169 transport parameters, 578 Tpm.sys driver, 164 trap command, 585–586 thread-scheduling core, 188 trace collector and processor, 338 trap frames, 585, 588, 589, 591 thread stacks, 205, 246, 248, 249–250 trace file names, 325, 326 trap handler, 35 thread thrashing, 53 trace information (ReadyBoot), 527 traps, 35, 547, 549–550, 588–590 thresholds, 114–116 tracer mechanism (Superfetch), 338 trap to debugger instruction, 587 throttle states (processors), 114, 120 traces traversal permissions, 436 throttling (write throttling), 388–389 triage dumps (minidumps), 351, throughput, 62–64 name logging traces, 341 ticks (lazy writer), 390 page access traces, 341 554–556, 562, 579 time (BIOS information), 511 prebuilt traces, 343 Triage.ini file, 566–567 time-check intervals (processors), 114 Process Monitor, 416 trim command, 130–131 time command, 574 Superfetch service, 341 trimmed private data, 260 Timeout element, 504 trace file names, 316, 325 trimmed working sets, 315, 318 timeouts traditionalksegmappings element, 506 trimming training Superfetch, 343 I/O manager, 4 Transactdemo.exe tool, 471–472 page files, 273 power options, 104 transacted APIs, 469 pretraining Superfetch, 343 shutdown process, 543 transacted writers and readers, 470 system working set, 295 timers transactional APIs, 472–473 working sets, 330, 333–334 expiration, 517 transactional NTFS. 
See TxF Triple DES algorithm (3DES), 495 idle prioritization strategy, 59 triple faults, 584 KMDF objects, 72 (transactional NTFS) Trivial FTP (TFTP), 509 object types, 519 transactional NTFS library, 470 troubleshooting prefetch operations, 413 transaction isolation directory ($Txf), Application Verifier, 65 time segments (Superfetch), 344 boot logging, 533–534 time-slice expiration, 38 446 changes to encrypted system time stamps transaction log ($TxfLog), 446, 474 as attributes, 447 transaction log (CLFS), 417 components, 170 change journal, 462 transaction log (LDM), 142, 143, 144 common boot problems, 537–542 debugging information, 574 transaction log records, 359, 480 crash dump tools. See crash dumps file attributes, 448 transaction manager, 519, 521 driver loading, 529–532 indexing, 465 transaction parameter blocks, 20 Driver Verifier, 65–68, 292–296 load offset number, 248–249 transaction parameters, 20 file systems, 415–416 POSIX standard, 436 transaction repair directory ($Repair), heap, 225–226 timing requirements (UMDF), 78 Knowledge Base, 549 TLB (translation look-aside buffer), 446 large page allocation failures, 194 transactions last known good. See last known 194, 258, 259–260, 507 toolsdisplayorder element, 504 after system failures, 477 good (LKG) APIs, 472–473 processes, 351–353 atomic, 424–425 Process Monitor, 415–416 committed, 481 safe mode, 529–534 isolation, 470–472 listing, 471–472 640
user process address space safe-mode-aware programs, 532 UNC (Universal Naming Convention), KMDF objects, 72 SSDs, 129 85 pipes, 72 stop code help files, 549 ports, 505 WDK Bugcodes file, 549 underrun detection, 294 support, 126 Windows Recovery Environment, UNDI (Universal Network Device UMDF support, 78 USB debugger, 506, 510 534–537 Interface), 514 USB dongles, 578 without crash dumps, 581–584 undocking, 82 USB flash devices. See also SSDs (solid troubleshooting user menus, 506 undo entries, 481, 482 truncatememory element, 506 undo pass, 477, 480, 485–487 state disks) truncating data, 461 undo records, 476 BitLocker, 166 trusted applications, 522 undo/redo histories, 417 BitLocker To Go, 164, 175–176 Trusted Computing Group (TCG), 168 UNEXPECTED_KERNEL_MODE_TRAP KMDF objects, 72 TrustedInstaller account, 538 ReadyBoost, 347–348 trusted locations, 427 stop code, 549, 588–590 recovery keys, 172–173 Trusted Platform Module. See TPM Unicode, 392, 395, 428–429, 448, startup disks, 164 storage management, 125 (Trusted Platform Module) 4 49 – 450 stores, 350 try/except blocks, 33, 410 unified caching (Store Manager), UMDF display, 80 tunneling cache, 452 USB keyboards, 578 TxF (transactional NTFS), 416 348–350, 520 use after free bugs, 570 Unified Extensible Firmware Interface usefirmwarepcisettings element, 510 APIs, 472–473 uselegacyapicmode element, 510 backward compatibility, 469 (UEFI), 139–140, 499, 512–513 usephysicaldestination element, 510 base log file, 446 unique IDs (partition manager), 138 useplatformclock element, 510 change journal, 462 Universal Disk Format (UDF), 2, 392, user address space file attributes, 449 64-bit layouts, 237 log files, 446, 469, 474 393, 398 heap randomization, 250 log records, 476–477 Universal Network Device Interface image randomization, 248–249 log stream, 446, 474 kernel address space, 250 old page stream ($Tops), 446, 474 (UNDI), 514 layout overview, 246–248 overview, 469–470 universal serial bus. 
See USB (universal security mitigations, 250 recovery, 478 stack randomization, 249–250 resource managers, 473–475 serial bus) viewing, 247–248 snapshot device operations, 179 unkillable processes, 48–49, 51–53 virtual address space layouts, transaction isolation directory, 446 “unknown driver” solutions, 564 $TxF directory, 473 unknown page fault errors, 269 228–229 $TxfLog directory, 474 unloading drivers, 1, 17 user buffers, 48 TxID (TxF file ID), 475–476 unload routines, 13–14 user code address translation, 266 $TXF_DATA attribute, 475–476, 477 unmapped pages, 273 user data stream caching, 356 $TxF directory, 473 unnamed data attributes, 447, 448 user defined file system (UDFS), 503 TxF file ID (TxID), 475–476 unnamed file streams, 362, 428 user IDs, 466–467 TxF log files ($TxfLog.blf), 446, 469, unparked cores, 115, 116, 117–118 Userinit.exe, 526, 532 unpinning pages, 375 user-initiated I/O cancellation, 49–50 474 unresponsive systems. See hung or user-mode accessible bit, 264 TxfLog stream, 446, 474 user-mode applications, 4–5 TxF old page stream ($Tops), 446, 474 unresponsive systems user-mode buffers, 20 Txfw32.dll library, 469 unsigned drivers, 95, 97, 569, 577 user-mode code, 257 TxID (TxF file ID), 475–476 untrusted locations, 427 user-mode debugging framework, TxR (transactional registry), 416 unwinding, 281 update records, 481, 482, 484–485 518, 519 U update sequence numbers (USNs), User-Mode Driver Framework (UMDF), UDF (Universal Disk Format), 2, 392, 433, 461, 476 6, 78–81, 79 393, 398 updating user-mode drivers, 6, 78–81 user-mode exceptions, 505 UDFS (user defined file system), 503 device drivers, 542, 568 user-mode heaps, 222 Udfs.sys (UDF driver), 393, 398 flash memory, 128 user-mode page faults, 267 UEFI systems, 139–140, 499, 512–513 kernel, 568 user-mode pages, 205 UFDs. 
See USB flash devices problems with, 542 user-mode processes, 335–337 UI0Detect.exe (Interactive Services sectors, 130 user-mode stack, 196–197 uppercase characters, 446 user-mode virtual address space, 240 Detection service), 525 uppercase file ($UpCase), 446 User objects, 221 UMDF (User-Mode Driver Framework), upper-level filter drivers, 90, 93 user process address space, 508 uptime, listing, 574 6, 78–81, 79 USB (universal serial bus) Umpnpmgr.dll, 94 bandwidth reservation, 64 basic disks, 139 crashes, 550 dongles, 578 drivers, 6 hierarchy prioritization strategy, 60 interfaces, 72
users VCN-to-LCN mapping, 444–445, virtual addresses, 242–245, 331–332, fast-user switching, 342 455–456, 488 341, 373 memory quotas, 246 user IDs, 466–467 VDM (Virtual DOS Machine), 521 virtual address space Vdrvroot driver, 163 commit charge and limits, 275–277 user scripts, 526 VDS (Virtual Disk Service), 141, fast allocation, 283 user space layouts, 246–251 I/O completion, 37 user stacks, 279, 280 160 –162 layouts. See virtual address space Usndump.exe utility, 462 Vdsbas.dll, 160 layouts $UsnJrnl files, 446, 461–464 VDS Basic Provider, 160 mapping files into, 356 USN_REASON identifiers, 461–462 VDS Dynamic Provider, 160 mapping into physical memory, USNs (update sequence numbers), 433, Vdsdyn.dll, 160 187 Vds.exe, 160–162 mapping to pages. See address 461, 476 Vdsldr.exe process, 161 translation UTF-16 characters, 428 vendor IDs (VIDs), 90 memory manager, 187 utility, processor, 110–115, 118, 119, verbose analysis, 567–568, 570, 573, paged and nonpaged pools, 213 pages, 193–195 120 575 reserving/committing pages, Uuidgen utility, 15 verification 195–198 system virtual address spaces, 189 V driver errors, 569 viewing allocations, 306, 307 Driver Verifier, 292–296 vs.
physical memory, 187 VACB arrays, 365 enabling special pool, 571–572 VACB index arrays, 368, 369, 370 initializing, 519 virtual address space layouts VACBs (virtual address control blocks) !verifier command, 294 64-bit layouts, 237–239 Verify Image Signatures option, 528 dynamic address space, 232–233 cache data structures, 365 versioning information, 517 dynamic management, 242–245 cache manager, 360–361 version numbers, displaying, 510 memory manager, 228–251 cache slots, 364 Very Low I/O priority, 58, 62–64 overview, 228–229 displaying, 367 VESA display modes, 505 session space, 232–235 shared cache maps, 411 Vf* functions, 293 space quotas, 245–246 structure, 366 VfLoadDriver function, 293 system PTEs, 235–236 types, 366 VGA display, crashes and, 548 user space layouts, 246–251 !vad command, 284 VGA display drivers, 509, 510, 531 x64 limitations, 240–242 VADs (virtual address descriptors) vga element, 510 x86 layouts, 229–232, 232–235 defined, 282–283 VGA font files, 511 granular allocation, 200 vgaoem.fon file, 511 virtual-address-to-working-set pairs, memory manager, 282–284 Vhdmp miniport driver, 163 341 overview, 282–283 VHDs (virtual hard disks), 125, page faults, 269, 270, 411 virtual allocator, 242 page table creation, 255 162–163, 503 VirtualAlloc functions process, 283–284 video adapters, 6, 321, 323, 511 process address space, 196 video drivers, 233, 284, 524 backing stores, 275 rotate, 284 video port drivers, 7 committed storage, 276–277 VAD trees, 269 VIDEO_TDR_FAILURE stop code, 550 growth in allocations, 231 viewing, 284 VIDs (vendor IDs), 90 large memory regions, 221, 282 VAD trees, 269 view indexes, 465 large pages, 194 validation (heap debugging), 226 views (virtual address space) mapping views, 211 Valid bit (PTEs), 257 private pages, 195 valid pages, 270, 316 cache data structures, 365 viewing allocations, 306 Valid (Active) PFN state, 297, 299 cache virtual memory virtual block caching, 355, 358 valid PTE bits, 264 virtual bus drivers, 85 
valid PTE fields, 256–257 management, 360 virtual byte offset (VBO), 379 valid PTEs, 317 copy-on-write, 209–210 virtual bytes, 277 valid shared pages, 270 dynamic address space, 232, 233 virtual clients, 418 VBO (virtual byte offset), 379 mapped into cache, 368 virtual cluster numbers. See VCNs VBRs (volume boot records), 157, 444, preallocated for VACBs, 366 prototype PTEs, 270 (virtual cluster numbers) 500, 502 reusing, 378 virtual devices, 78 VCNs (virtual cluster numbers) section objects, 201–202 Virtual Disk Service (VDS), 141, shared page mapping, 196 compressed files, 458, 459–460 in system space, 229 160 –162 defined, 443 valid and invalid pages, 271 Virtual DOS Machine (VDM), 521 index mapping, 465 virtual address control blocks. See virtual FCBs, 418 noncompressed files, 457 virtual files, 4 runs, 445 VACBs (virtual address control VirtualFree functions, 196 blocks) virtual hard disks (VHDs), 125, virtual address descriptors. See VADs (virtual address descriptors) 162–163, 503
WerFault.exe VirtualLock function, 199, 211 disk offset management, 147 Volume Shadow Copy Service. See VSS virtual log LSNs, 422 dynamic disks, 146–147 (Volume Shadow Copy Service) virtual LSNs, 422–423 file system drivers, 47, 411 Virtual Machine Extensions (VME), 521 layering drivers, 8 volume snapshots, 131 virtual machines (VMs), 162, 582–584 recovery, 487 !vpb command, 156 virtual memory storage stacks, 131 VPBs (volume parameter blocks) symbolic links, 136 Address Windowing Extensions, volume master keys (VMKs), 165–168, device objects, 411 210 –212 file object pointers, 19 170–171, 172 file system drivers, 155 cache manager, 360–361 $Volume metadata file, 438, 489 I/O manager, 399 Control Panel applet, 188 VOLUME_NAME attribute, 448 mounting process, 155 debugging information, 574–575 volume namespace mechanism, mount operations, 155 displaying information, 190–192 viewing, 156–157 fast I/O, 376, 377 153–158 VSS (Volume Shadow Copy Service) functions, 193 volume namespaces, 153–158 architecture, 177–178 limits, 320–323 volume objects, 159, 409 enumeration, 178 mapped file I/O, 27 volume parameter blocks. See VPBs operation, 178–181 releasing or decommitting pages, overview, 177 (volume parameter blocks) shrinking volumes, 438–439 196 volume quotas, 433–434 storage management, 177–186 scatter/gather I/O, 28 volume-recognition process, 155–158, VSS providers, 177, 178, 179–181 virtual NVRAM stores, 350 VSS requestors, 177, 178 virtual page numbers, 253, 254 398 VSS writers, 177, 178 virtual pages, 188, 328–329 volumes. 
See also volume manager Windows backup/restore, 181–186 Virtual PC, 162 Vssadmin utility, 185–186 VirtualProtect functions, 203–204 (VolMgr) VirtualQuery functions, 203–204 basic disk partitions, 140 W virtual size basic disks, 139–141 caches, 361 boot processes, 500, 501 WaitForMultipleObjects function, 54 paged pool, 214 clone and original volumes, 177 wait functions, 335 virtual storage (SANs), 125, 133, 155 compression, 456–461 wait locks, 72 virtual TLB entries, 507 defined, 442 wait states, 38 virtual-to-physical memory defragmentation, 436–437 waking power state, 99–100 dependent, 163 watermarked desktops, 506 translation, 203 drive letters, 141 WDF (Windows Driver Foundation), Virtualxxx functions, 193 dynamic, 141–147 virus scanning, 58, 413 encryption, 163–176 68–77 !vm command, 192, 215, 235–236, 574 FAT cluster sizes, 393–394 WdfDeviceCreate function, 71 VME (Virtual Machine Extensions), 521 file object pointers, 19 WDFDEVICE object, 71 VMKs (volume master keys), 165–168, foreign, 173 WDFDRIVER structure, 71 indexing, 429 Wdfkd.dll extension, 69 170–171, 172 I/O operations, 159–160 !wdfkd.wdfldr debugger, 69 VMMap utility, 192, 247–248, 304–310 label file ($Volume), 438 WDF_OBJECT_ATTRIBUTES structure, VMs (virtual machines), 162, 582–584 mounting, 155–158, 444 vnodes, 20 multipartition, 126, 147–152 73–74 volatile data, 379 names, 155 WDFQUEUE processing, 75 volatile physical NVRAM cache, 350 namespaces, 153–158 WDFREQUEST objects, 75 VolMgr driver, 141, 146, 147 NTFS on-disk structure, 442 WDI (Windows Diagnostic VolMgr-Internal GUID, 153 quotas, 433–434 VolMgrX driver, 146, 147 recovery, 478 Infrastructure), 351 Volsnap.sys driver, 179–181 recovery keys, 173 WDK (Windows Driver Kit), 14, 398, volume book records (VBRs), 157, 444, redundant, 488 self-healing, 490–491 549, 576 500, 502 shadow copy service. 
See VSS WDM (Windows Driver Model), 2, 6–7, volume device objects, 141, 155, 156 volume entries (LDM), 142–143 (Volume Shadow Copy Service) 68, 74, 79 volume file ($Volume), 442, 445–446 simple, 126 wear-leveling, 129–130 $VOLUME_INFORMATION attribute, snapshots, 131, 163 web attachments, 427 software provider interface, 160 webcams, 78 448 target dump files, 550 websites, crash analysis, 594 volume label file ($Volume), 438, 489 VDS subsystem, 160–162 weighting (affinity history), 115 volume manager (VolMgr) version and labels, 448 well-known installers, 538 virtual disk service, 160–162 WER (Windows Error Reporting), 227, associated IRPs, 46–47 volume sets (spanned volumes), 148 bad sector handling, 490 Volume Shadow Copy Driver, 179–181 551–552, 561–562, 563 basic disks, 141 WerFault.exe, 550–551, 562, 563–564 disk I/O operations, 159–160
WHEA_UNCORRECTABLE_ERROR stop code WHEA_UNCORRECTABLE_ERROR stop Windows Driver Model (WDM), 2, 6–7, Windows Task Scheduler, 58 code, 550 68, 74, 79 Windows Ultimate, 162, 175, 320 WHQL (Windows Hardware Quality Windows Embedded CE, 397 physical memory support, 321 Labs), 65, 96 Windows Enterprise, 162, 175, 320, 321 Windows Update, 95, 98, 539, 568 Windows Error Reporting (WER), 227, Windows Web Server, 320 wild-pointer bugs, 573 Wininit.exe (Windows initialization WIM (Windows Installation Media), 551–552, 561–562, 563 Windows file systems process), 501, 522–526, 545, 503, 507, 509 550 Win32_EncryptableVolume interface, CDFS, 392 Winload.efi, 513 exFAT, 396–397 Winload.exe 174 FAT12, FAT16, FAT32, 393–396 BCD elements, 504 Win32 GUI driver, 221 NTFS. See NTFS file system BCD options, 506–511 Win32k.sys (windowing system driver) UDF, 393 boot process tasks, 500 Windows Hardware Quality Labs boot volume loading, 511–512 boot process, 501 device and configuration Driver Verifier and, 293 (WHQL), 65, 96 information, 511 graphic system calls, 281 Windows Home Basic, 320 iSCSI booting, 514 illegal instruction faults, 573 Windows Home Premium, 320 LDM invisible, 145 mapping, 229 Windows Installation Media (WIM), loading, 503 preempting, 577 loading drivers, 85 session space, 233 503, 507, 509 multipartition volumes and, 150 Win32_Tpm interface, 174 Windows kernel. See kernel NVRAM code, 512–513 WinDbg.exe storage management, 132 basic crash analysis, 564 (Ntoskrnl.exe, Ntkrnlpa.exe) virtual addresses, 243 breaking into hung systems, Windows logo animation, 506 Winlogon.exe, 228, 524, 526–527, Windows Management 542–543 578–581 Winobj.exe. See Object Viewer connecting to host computer, 583 Instrumentation. 
See WMI (Winobj.exe) extracting minidumps, 556 (Windows Management winpe element, 510 loading symbols, 566 Instrumentation) WinPe registry keys, 521 remote boot debugging, 504 Windows Media Player Network WinRE (Windows Recovery unkillable processes, 52 Sharing Service, 106 Environment), 534–542 Windiff utility, 541 Windows Memory Diagnostic Tool, Winresume.exe, 500, 503 windowing system driver. See Win32k. 534 Winsock 2 (Windows Sockets 2), 54 Windows Modules Installer service, Winver utility, 321 sys (windowing system driver) 538 WMI (Windows Management Windows Windows NT, 136 Instrumentation) Windows PE, 506, 510 BitLocker interface, 174 functions, 4–5 Windows Portable Device (WPD), 78 initializing, 521 I/O manager, 4 Windows Professional, 320, 321 instances, 72 native API, 522 Windows Recovery Environment I/O system and, 2 object model, 425 (WinRE), 534–542 IRP handling, 74 processor execution, 501 Windows Resource Exhaustion IRP stress tests, 67 security, 425 Detection and Resolution KMDF objects, 72 splash screen hangs or crashes, (RADAR), 351, 352 providers, 72, 164, 554 Windows Resource Protection (WRP), WDM drivers, 6–7 540 –542 538–539 WDM WMI, 2 Windows 7, 175, 442, 549–551 Windows Server Wmic.exe, 554 Windows Application Compatibility 2008 Datacenter Edition, 155, 320 WMI providers, 72, 164, 554 2008 R2, 134, 175, 442 Wmpntwk.exe, 106 Toolkit, 205 BitLocker To Go, 175 WM_QUERYENDSESSION message, Windows Backup and Restore, 539 Enterprise Edition, 155, 320 543, 544 Windows boot process. See boot Foundation, 320 worker threads, 520, 545 FTH, 227 working set manager, 188, 314, 330, process HPC Edition, 320 333 “Windows could not start... “ error, for Itanium, 320 working sets MPIO support, 134 active pages in, 297 538, 540 NTFS v. 
3.1, 442 aging, 341 Windows Cryptography Next physical memory support, 320 balance set manager/swapper, Standard Edition, 320 333–334 Generation (CNG), 492 Windows Setup, 502, 535–537, 539 commit charge, 277 Windows Defender, 58 Windows Sockets 2 (Winsock2), 54 Windows Diagnostic Infrastructure Windows software trace preprocessor (WPP), 521 (WDI), 351 Windows Starter Edition, 320, 321 Windows directory, 435 Windows subsystems, 522 Windows Disk Management snap-in. See Disk Management MMC snap-in Windows Driver Foundation (WDF), 68–77 Windows Driver Kit (WDK), 14, 398, 549, 576 644
Zw functions defined, 187 system threads, 390 AWE functions, 212 demand paging, 324 viewing, 380–386 device memory support, 321 Dirty bits, 258 write-back caching, 379–380 limitations, 240–242 emptying, 307–308 write throttling, 388–389 MBR, 139 expanding, 333–334 Write bit (PTEs), 257, 258 PAE, 260 hash trees, 318 write-combined memory access, 204, page file size, 274 index field, 318 page sizes, 194 limits, 329 257 prioritized standby lists, 312 locking pages, 199 WriteEncryptedFileRaw function, 497 process virtual address space, 187 locks, 189 WriteFileEx function, 38 system code write protection, 574 logical prefetcher, 324–328 WriteFile function, 25, 32, 384, 408, virtual address limitations, management, 329–333 memory manager, 189, 324–337 411, 473 240 –242 memory notification events, WriteFileGather function, 28 working set limits, 329 write in progress PFN flag, 317 x86 systems 335–337 write operations address translation, 252–259 memory quotas, 245–246 boot processes, 500, 501 moving pages out of, 196 active views, 360 layouts and session space, 232–235 overview, 324 bad clusters, 488 MBR, 139 paged pool working set, 334–335 buffered I/O, 32 no execute page protection, 205 pages trimmed from, 302 copies of files in memory, 288 non-PAE systems, 253–254 page writer, 315 crashes, 547, 581 PAE systems, 260–264 physical memory, 260 explicit file I/O, 408 page files, 274 placement policies, 328–329 fast I/O, 376–377 page sizes, 194 pretraining Superfetch, 343 file attributes, 447 page tables, 256 process working sets, 324 file handles, 473 physical memory support, 321 RAM optimization software, 346 KMDF, 76, 77 real mode, 502–503 redistributing memory, 341 large page bugs, 195 SEHOP, 208 session working sets, 324 leases, 405 session space, 233–235 share counts, 316 LFS log files, 480 system code write protection, 574 size, 361–362 logical blocks, 127 triple faults, 584 software and hardware Write bits, mirrored volumes, 150–151 viewing page allocations, 303 
oplocks, 401–402 virtual address space layouts, 258 PAGE attributes and, 203–204 system cache working sets, paging files, 62 232–235 scatter/gather I/O, 28 working set limits, 329 334–335 torn writes, 421 X.509 version 3 certificates, 495, 496 system PTEs working sets, 334–335 transacted writers and readers, 470 XOR operation, 152 in system space, 229 write throttling, 388–389 xsaveaddfeature0-7 element, 510 system working sets, 324, 334–335 WriteProcessMemory function, 196, xsavedisable element, 511 trimming, 330 XSAVE instruction, 511 types, 324 203 xsavepolicy element, 510 viewing, 331 write protection, 573–574 XSAVE Policy Resource Driver viewing set lists, 332–333 write throttling, 388–389 working set manager, 188, 314, Write through bit (PTEs), 257 (Hwpolicy.sys), 510 write-through operations, 377, 387, xsaveprocessorsmask element, 511 330, 333 xsaveremovefeature element, 510 WorkingSetSize variable, 214 478 work items (KMDF objects), 72 WRP (Windows Resource Protection), Z work requests (cache manager), 390 Wow64 environment, 237, 280 538–539 zeroed pages, 189, 195, 316 WPD (Windows Portable Device), 78 !wsle command, 332–333 Zeroed PFN state, 297, 299, 300–302 WpdRapi2.dll, 80 WUDFHost.exe, 80 zero-filled pages, 201, 268 WPP (Windows software trace WUDFPlatform.dll, 80 zero-length buffers, 76 WUDFx.dll, 80 zero page lists, 191, 300–303, 315, preprocessor), 521 writable pages, 200, 258 X 341, 346 write-behind operations zero page threads, 189, 301, 522 x2apicpolicy element, 510 zero-size memory allocations, 66 cache manager work requests, 390 x64 systems zones, 427 disabling lazy writing, 386 Zw functions, 201, 351–352) flushing mapped files, 387–388 address space layouts, 239 lazy writer, 379–380 address translation, 265–266 overview, 377 645
About the Authors

Mark Russinovich is a Technical Fellow in Windows Azure at Microsoft, working on Microsoft’s cloud operating system. He is the author of the cyberthriller Zero Day (Thomas Dunne Books, 2011) and coauthor of Windows Sysinternals Administrator’s Reference (Microsoft Press, 2011). Mark joined Microsoft in 2006 when Microsoft acquired Winternals Software, the company he cofounded in 1996, as well as Sysinternals, where he still authors and publishes dozens of popular Windows administration and diagnostic utilities. He is a featured speaker at major industry conferences. Follow Mark on Twitter at @markrussinovich and on Facebook at http://facebook.com/markrussinovich.

David Solomon, president of David Solomon Expert Seminars (www.solsem.com), has focused on explaining the internals of the Microsoft Windows NT operating system line since 1992. He has taught his world-renowned Windows internals classes to thousands of developers and IT professionals worldwide. His clients include all the major software and hardware companies, including Microsoft. He was nominated a Microsoft Most Valuable Professional in 1993 and from 2005 to 2008. Prior to starting his own company, David worked for nine years as a project leader and developer in the VMS operating system development group at Digital Equipment Corporation. His first book was entitled Windows NT for Open VMS Professionals (Digital Press/Butterworth Heinemann, 1996). It explained Windows NT to VMS-knowledgeable programmers and system administrators. His second book, Inside Windows NT, Second Edition (Microsoft Press, 1998), covered the internals of Windows NT 4.0. Since the third edition (Inside Windows 2000) David has coauthored this book series with Mark Russinovich. In addition to organizing and teaching seminars, David is a regular speaker at technical conferences such as Microsoft TechEd and Microsoft PDC. He has also served as technical chair for several past Windows NT conferences.
When he’s not researching Windows, David enjoys sailing, reading, and watching Star Trek.
Alex Ionescu is the founder of Winsider Seminars & Solutions Inc., specializing in low-level system software for administrators and developers as well as reverse engineering and security training for government and infosec clients. He also teaches Windows internals courses for David Solomon Expert Seminars, including at Microsoft. From 2003 to 2007, Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/Server 2003 written from scratch, for which he wrote most of the Windows NT-based kernel. While in school and part-time in summers, Alex worked as an intern at Apple on the iOS kernel, boot loader, firmware, and drivers on the original core platform team behind the iPhone, iPad, and AppleTV. Returning to his Windows security roots, Alex is now chief architect at CrowdStrike, a startup based in Seattle and San Francisco. Alex continues to be very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel, and presenting talks at conferences such as Blackhat, SyScan, and Recon. His work has led to the fixing of many critical kernel vulnerabilities, as well as to fixing over a few dozen nonsecurity bugs. Previous to his work in the security field, Alex’s early efforts led to the publishing of nearly complete NTFS data structure documentation, as well as the Visual Basic metadata and pseudo-code format specifications.
SIT DOWN WITH THE EXPERTS who literally wrote the book on Windows internals! If you liked their book, you’ll love hearing them in person. Get one of their video tutorials or come to a live class.

LIVE, INSTRUCTOR LED CLASSES

If you’re an IT professional deploying and supporting Windows servers and workstations, you need to be able to dig beneath the surface when things go wrong. In our classes, you’ll gain a deep understanding of the internals of the operating system and how to leverage advanced troubleshooting tools to solve system and application problems and understand performance issues more effectively. Attend a public class or schedule a private on site seminar at your location. For dates, course details, pricing, and registration information, see www.solsem.com.

“The information given in this class should be required for all Windows engineers/administrators.”

“This course holds the key to understanding Windows.”

“Should be required training for anyone responsible for Windows software development, administration, or design.”

INTERACTIVE DVD TUTORIAL

Sit down with the experts who literally wrote the book on Windows internals. Windows Internals COMPLETE consists of 12 hours of interactive training taking you under the hood of the operating system to learn how the kernel components work. As the ultimate compliment, Microsoft Corporation licensed these videos for their corporate training worldwide.

The Sysinternals Video Library (also 12 hours) covers essential Windows troubleshooting topics such as crash dump analysis and memory troubleshooting as well as how to leverage key Sysinternals tools.

“These videos drill into the core of the platform, capture its technical essence and present it in a powerful interactive video format.” –Rob Short, Vice President Core Technologies, Microsoft Corporation

To view video samples or for a detailed outline, visit www.solsem.com or email [email protected]
What do you think of this book? We want to hear from you! To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey Tell us how well this book meets your needs—what works effectively, and what we can do better. Your feedback will help us continually improve our books and learning resources for you. Thank you in advance for your input!