Browse by Tags

Related Posts
  • Blog Post: How to identify a driver that calls a Windows API leading to a pool leak on behalf of NT Kernel?

    Hello my name is Gurpreet Singh Jutla and I would like to share information on how we can trace the caller which ends up allocating “Se  “ Pool tag. When we use the Windows debugger and investigate the pool allocation and the binary associated with ...read more
  • Blog Post: Windows Troubleshooting – Special Pool

    The Windows Support team has a new YouTube channel, “ Windows Troubleshooting ”.  The first set of videos cover debugging blue screens. In this video, Bob Golding, Senior Escalation Engineer, describes how the Special Pool Windows diagnostics tool ...read more
  • Blog Post: Bugchecking a Computer on A Usermode Application Crash

    Hello my name is Gurpreet Singh Jutla and I would like to share information on how we can bugcheck a box on any usermode application crash. Set the application as a critical process when the application crash is reproducible. We may sometimes need a complete ...read more
  • Blog Post: Debugging a Windows 8.1 Store App Crash Dump (Part 2)

    In Part 1 , we covered the debugging of a Windows Store Application crash dump that contains a Stowed Exceptions Version 1 (SE01) structure.   This post continues on from Part 1, covering the changes introduced in March 2014. These Windows Updates ...read more
  • Blog Post: Debugging a Windows 8.1 Store App Crash Dump

    Quality reports on the App Summary page Microsoft provides triage dumps of your Windows Store application’s crashes and hangs through the Quality section of the App Summary page on the Dev Center - Windows Store apps portal.   Back in June 2012, ...read more
  • Blog Post: Understanding Pool Corruption Part 3 – Special Pool for Double Frees

    In Part 1 and Part 2 of this series we discussed pool corruption and how special pool can be used to identify the cause of such corruption.  In today’s article we will use special pool to catch a double free of pool memory.   A double free of ...read more
  • Blog Post: How To Deadlock Yourself (Don’t Do This)

    Some APIs should come with a warning in big red letters saying “ DANGER! ”, or perhaps more subtly “ PROCEED WITH CAUTION ”.  One such API is ExSetResourceOwnerPointer . Although the documentation contains an explanation of what limited activity ...read more
  • Blog Post: Debugging a CLOCK_WATCHDOG_TIMEOUT Bugcheck

    Hi debuggers, Andrew Richards here for my first NT Debugging post. I thought I’d share a recent case that used a lot of discovery techniques to uncover the details of what was going on. Most bugchecks give you the information you need as arguments, but ...read more
  • Blog Post: Where Did My Disk I/O Go?

    Hello, Mr. Ninja back again.   I recently discovered that although my team often tracks I/O from the file system through to the disk controller, we have never publicly documented the steps required to do this.   This seems like a great opportunity ...read more
  • Blog Post: How to Setup a Live Debug Using Physical Machines

    For this example I am using a Windows Server 2012 Physical machine that will be used to debug a problem machine. I will setup a live Debug session with a Windows 7 sp1 physical machine. Win2012Debugger (Host) - This is the physical machine that will be used to do the debug Win7 client (Target) - This...
  • Blog Post: What Should Never Happen... Did

    Hi, this is Bob Golding; I wanted to write a blog about an interesting hardware issue I ran into. Hardware problems can be tricky to isolate. I recently came across one that I thought was interesting and gave an example of how to trace code execution ...read more
  • Blog Post: Updated Archive of the NtDebugging Twitter Debug Tips

    Every Wednesday (usually) we post a debug tip to our twitter page at https://twitter.com/#!/ntdebugging . This blog is an archive of these tips to allow our readers to find this information easily. Periodically we post an updated blog with the current ...read more
  • Blog Post: Case of the Unexplained Services exe Termination

    Hello Debuggers! This is Ron Stock from the Global Escalation Services team and I recently worked an interesting case dispatched to our team because Services.exe was terminating. Nothing good ever happens when Services.exe exits. In this particular case ...read more
  • Blog Post: Identifying Global Atom Table Leaks

    Hi, it's the Debug Ninja back again with another debugging adventure.   Recently I have encountered several instances where processes fail to initialize, and a review of available resources showed that there was no obvious resource exhaustion.   ...read more
  • Blog Post: ResAvail Pages and Working Sets

    Hello everyone, I'm Ray and I'm here to talk a bit about a dump I recently looked at and a little-referenced memory counter called ResAvail Pages (resident available pages).   The problem statement was:  The server hangs after a while.   ...read more
  • Blog Post: Bcdedit Tips and Tricks For Debugging Part 1

    Hello everyone, my name is Sean Walker, and I am on the Platforms OEM team in Washington.   This article is for those people who have had a hard time switching from the old boot.ini configuration to the new BCD store (myself included). Doing the ...read more
  • Blog Post: What killed my process?

    Hello, world! We're often challenged with a process that exits unexpectedly, but this doesn't always equate to an application "crash".  Occasionally this behavior is caused by cross-process termination, where one process terminates another one. Discovering root cause of this behavior used...
  • Blog Post: Call Stacks for Pool Allocations

    Hello, it's the Debug Ninja back again for another NtDebugging Blog article.   For as long as I can remember user mode debuggers have had an easy way to get call stacks for heap allocations.   On more recent versions of Windows this has been ...read more
  • Blog Post: Debugging a Crash, Found a Trojan

    Hi, I'm Manish from Global Escalation Services. I would like to present a multiple random bug check issue, which was caused by malicious code (trojan) running on the machine. This is the walkthrough of how we found the virus on the server. In this particular ...read more
  • Blog Post: The Compiler Did What?

    I was recently investigating a crash in an application.  As I researched the issue I found a very old defect in the code that was only recently being exposed by the compiler.   The crash occurred at the below instruction because the ebx register ...read more
  • Blog Post: Debugging a Debugger to Debug a Dump

    Recently I came across an instance where my debugger did not do what I wanted.  Rarely do computers disobey me, but this one was unusually stubborn.  There was no other option; I had to bend the debugger to my will.   There are many ways ...read more
  • Blog Post: Fixing an ICorDebugUnmanagedCallback induced hang

    Hi debuggers, Andrew Richards here with a NTDebugging post that is a little different to what is usually posted.   Instead of talking about debugging, I’m going to talk about an issue I just faced while writing a debugger.   This debugger work ...read more
  • Blog Post: Debugging a Network Connectivity Issue - TrackNblOwner to the Rescue

    Hello Debug community this is Karim Elsaid again.  Today I’m going to discuss a recent interesting case where intermittently the server is losing access to the network.  No communication (even pings) can be done from / to the server when the ...read more
  • Blog Post: Debugging Backwards: Proving root cause

    Matt Burrough here again.   On rare occasions when debugging, we'll actually know (or strongly suspect) what the root cause of a problem is at the beginning of our analysis - but we still need to investigate to confirm our assertion.   The following ...read more
  • Blog Post: Leaving the Do Not Disturb Sign on the Door Will Cause the KERNEL_APC_PENDING_DURING_EXIT Bugcheck

    This is Ron Stock from the Global Escalation Services team and I recently worked with a customer to determine which misbehaving driver was crashing their critical server. This particular crash was a STOP 0x00000020 which maps to KERNEL_APC_PENDING_DURING_EXIT ...read more