Brad Rutkowski's Blog
Tagged Content List: debugging
Blog Post:
Some useful debugging commands
BooRadely
All of these are for kernel mode; these are just commands I use often that don't troubleshoot a particular problem but are helpful in getting a general picture of the system. If you have a specific issue you're trying to understand, drop a note and I'll see if there is a command to help you out. ...
on
1 Apr 2008
Blog Post:
Dial in your debugging skills with this book.
BooRadely
So this book has been getting mentioned around by a lot of reputable contacts internally, so my teammate picked up a couple of copies and I've been browsing it since. Browsing? Like all books in this category (Windows Internals, C++ Programming, etc.) I don't read it cover to cover; if you do you should earn...
on
24 Jan 2008
Blog Post:
These are a few of my favorite things... (Part 4)
BooRadely
Just some more tricks/tools I use frequently... Scale-to-Fit in Perfmon If you deal a lot with perfmon you know you can have a ton of different counters in one line graph or in one bar graph and that the scale is usually 0-100 which really isn't applicable in some cases. Now you can just alt click the...
on
21 Nov 2007
Blog Post:
Got a handle leak? Use !Htrace to help find the leaking stacks non-invasively.
BooRadely
So when you're an app developer or someone in my position where you need to track down memory leaks, one of the tools to use is Htrace once you've identified it's a handle leak. I just wanted to put this post out there to show that I found you can use Htrace against a user-mode process like LSASS below...
on
13 Nov 2007
Blog Post:
Not getting kernel memory dumps in Windows Vista or Windows 2008?
BooRadely
Backstory: With the advent of Windows Vista there are changes made in how the operating system determines if it can take a kernel memory dump or not. Starting in Vista the amount of memory allocated for kernel mode could vary dynamically. If the pagefile is not big enough, switching to minidump at dump...
on
16 Oct 2007
Blog Post:
Kernel stack not resident (Using .pagein)
BooRadely
You might find yourself debugging an issue and a thread you are interested in is paged out. Here are the steps to use to page in the stack for the kernel side and user side... Be careful when doing this on a live machine that you want to release after debugging, as paging in certain sections of memory can...
on
29 Aug 2007
Blog Post:
How to catch shutdowns that don’t go to debugger or cause bugchecks
BooRadely
Sometimes a system just goes offline or reboots and we cannot catch it in the debugger or it is not a stop error (bugcheck) so that machine just reboots from underneath you. One technique you can use is to set a breakpoint on nt!NtSetSystemPowerState. This function is the last thing called during ANY...
on
25 Aug 2007
Blog Post:
Did you know there is live noninvasive debugging?
BooRadely
Say you want to check something out in KD but you don't have a debugger attached, like !vm perhaps, or you want to attach to a user-mode process like LSASS and dump the threads running and their current state? Well, there is a solution. Obviously everything doesn't work when it's noninvasive, but you can...
on
13 Apr 2007
Blog Post:
Debugging Terminal Service not listening. (Isolating an instance of SVCHOST)
BooRadely
Ran into another issue today where I needed to set an IFEO for the particular instance of SVCHOST.exe running terminal service. Here is the easiest way of doing so: 1) Make a copy of SVCHOST.exe on the server, name it Mysvchost.exe and leave it in %Systemroot%\system32\ 2) Open regedit and go to HKLM...
on
6 Apr 2007
Blog Post:
Let me drive! Using remote.exe to connect to a client.
BooRadely
Some might call me a control freak, but when I have the opportunity to investigate a machine myself or provide instructions via the phone/mail to the end-user you know what I'm going to choose. One of the easier ways that I find is to use remote.exe which is part of the debugging package. I'm just going...
on
3 Apr 2007
Blog Post:
The case of sidebar.exe not starting. Oh Snap!
BooRadely
Ran into a case today where each time we tried to start sidebar.exe it would fail silently. No crash to investigate, no error, so where to next? First I set an IFEO for sidebar.exe to launch windbg.exe when started; by doing this it stops at the initial breakpoint. Secondly I enabled loader snaps...
on
29 Mar 2007
Blog Post:
My computer is hard hung, now what can I do?
BooRadely
You may run into instances where a machine becomes "hard hung". I usually can tell when a machine is in this state because the "num lock" and "caps lock" keys don't work. So what can you do in these instances? Well, Windows has the ability to create a manual crash dump. Manual crash dumps will always have...
on
23 Oct 2006