Channel: Ntdebugging Blog
Browsing all 141 articles

Updated Archive of the NtDebugging Twitter Debug Tips

Every Wednesday (usually) we post a debug tip to our Twitter page at https://twitter.com/#!/ntdebugging. This blog is an archive of these tips to allow our readers to find this information easily....

Debugging a Crash, Found a Trojan

Hi, I'm Manish from Global Escalation Services. I would like to present a multiple random bug check issue, which was caused by malicious code (trojan) running on the machine. This is the walkthrough...

Hotfix to Enable Mini-Filter Performance Diagnostics With XPerf for Windows...

Greetings ntdebugging community, Bob here again and today I would like to let everyone know about a new feature implemented in Windows Server 2008 R2’s kernel and filter manager binaries released in...

What Did Storport Do With My I/O?

In a previous article I showed how to track an I/O request from the filesystem, through the class driver, and to the storage driver.  In that article I concluded with "From this data we can usually...

How To Deadlock Yourself (Don’t Do This)

Some APIs should come with a warning in big red letters saying “DANGER!”, or perhaps more subtly “PROCEED WITH CAUTION”.  One such API is ExSetResourceOwnerPointer. Although the documentation contains...

Troubleshooting Pool Leaks Part 1 – Perfmon

Over the years the NTDebugging Blog has published several articles about pool memory and pool leaks.  However, we haven’t taken a comprehensive approach to understanding and troubleshooting pool...

Troubleshooting Pool Leaks Part 2 – Poolmon

In our previous article we discussed how to identify a pool leak using perfmon.  Although it may be interesting to know that you have a pool leak, most customers are interested in identifying the...

Troubleshooting Pool Leaks Part 3 – Debugging

In our previous articles we discussed identifying a pool leak with perfmon, and narrowing the source of the leak with poolmon.  These tools are often preferred because they are easy to use, provide...

Troubleshooting Pool Leaks Part 4 – Debugging Multiple Users for a Tag

In our previous articles we discussed various techniques for identifying a pool memory leak and narrowing the scope of the leak to an individual pool tag.  Knowing the leaking pool tag is often...

Troubleshooting Pool Leaks Part 5 – PoolHitTag

In Part 4 we narrowed the source of the leaked pool memory to the specific driver which is allocating it, and we identified where in the driver this allocation was taking place.  However, we did not...

Breaking down the "Cl" in !irp

Hey there NTDEBUGGERS my name is Randy Monteleone and today we are going to talk about IRPs. In the past we have talked about the IRP structure in passing and showed a field here and there that can be...

Troubleshooting Pool Leaks Part 6 – Driver Verifier

In part 5 we used poolhittag to get call stacks of pool being allocated and freed.  This information is often essential to identifying the cause of a memory leak; however it is not always feasible to...

Troubleshooting Pool Leaks Part 7 – Windows Performance Toolkit

In Part 1 of this series we identified a pool leak in non paged pool.  In Part 2 and Part 3 of this series we identified what pool tag was leaking.  In Part 5 and Part 6 we got call stacks showing the...

Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on...

What is a bug check 0x133? Starting in Windows Server 2012, a DPC watchdog timer is enabled which will bug check a system if too much time is spent in DPC routines. This bug check was added to help...

Use Caution When Implementing IPC for Performance Counters

Recently I was working with a developer who had created performance counters that work in Performance Monitor but are never collected in a user defined data collector set.  The customer explained that...

Case of the Unexplained Services exe Termination

Hello Debuggers! This is Ron Stock from the Global Escalation Services team and I recently worked an interesting case dispatched to our team because Services.exe was terminating. Nothing good ever...

How to Setup a Debug Crash Cart to Prevent Your Server from Flat Lining

This is Ron Stock from the Global Escalation Services team and I recently had the task of live debugging a customer’s remote server.  In debug circles we use what is known as a crash cart to live debug...

Debugging a Debugger to Debug a Dump

Recently I came across an instance where my debugger did not do what I wanted.  Rarely do computers disobey me, but this one was unusually stubborn.  There was no other option; I had to bend the...

Leaving the Do Not Disturb Sign on the Door Will Cause the...

This is Ron Stock from the Global Escalation Services team and I recently worked with a customer to determine which misbehaving driver was crashing their critical server. This particular crash was a...

Don't Believe Everything You Read

Recently, I was contacted by a customer who was advised by an ISV to set a registry value under one of the sub keys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\.  Let's call...
