Mark Russinovich
Chief Software Architect
Winternals Software
Copyright © 2006 Mark Russinovich
About The Speaker
[Figure: crash dump extraction at reboot, spanning the user mode / kernel mode boundary: Session Manager, NtCreatePagingFile, paging file, WinLogon, SaveDump, Memory.dmp; callouts 1-4 correspond to the numbered steps below]
At The Reboot
1. The Session Manager process (\Windows\system32\smss.exe) initializes the paging file by calling NtCreatePagingFile
2. NtCreatePagingFile determines if the dump has a crash header and protects the dump from use
   Note: the crash dump portion of the paging file is in use during the copy, so virtual memory can run low while the copy is in progress
3. WinLogon calls NtQuerySystemInformation to tell if there's a dump to extract
4. If there's a dump, Winlogon executes SaveDump (\Windows\system32\savedump.exe), which writes an event to the System event log and writes the dump contents to the appropriate file; on Windows XP or later, it also checks to see if Windows Error Reporting should be invoked
Online Crash Analysis (OCA)
[Figure: OCA submission flow (minidump file, drivers)]
What Does OCA Do?
[Figure: IRQL ladder, highest level at top. Hardware interrupts: SYNCH_LEVEL ... DEVICE_IRQL 2 (current IRQL), DEVICE_IRQL 1. Software interrupts: DISPATCH_LEVEL, APC_LEVEL, PASSIVE_LEVEL. Interrupt levels above the current IRQL are unmasked; those below it are masked.]
Key IRQLs
PASSIVE_LEVEL:
No interrupts are masked
User mode code always executes at PASSIVE_LEVEL
Kernel-mode code executes at PASSIVE_LEVEL most of the time
DISPATCH_LEVEL:
Highest software interrupt level
Scheduler is off
Page faults cannot be handled and are illegal operations
Stacks
[Figure: stack layout, higher addresses at top. Function 2 stack frame: Parameter 3, Parameter 2, Parameter 1, Return Address, Frame Pointer, Local Variable 1, Local Variable 2. Function 3 stack frame (below it): Parameter 2, Parameter 1, Return Address, Frame Pointer, Local Variable 1.]
Calling Conventions
The Recipe:
1. First, try any "suspicious" drivers (recently updated, known to be problematic, etc.)
2. If still un-analyzable crashes, try enabling verification on all third-party drivers and/or all unsigned drivers
3. As a last resort enable verification on groups of 10-20 drivers at a time
4. Run the Windows Memory Diagnostic
The following crash examples demonstrate the Driver Verifier making "un-analyzable" crashes into ones that point at the problem:
Buffer overflow
System code overwrite
Buffer Overruns
Result when a driver goes past the end (overrun) or the beginning (underrun) of a buffer
Usually detected when overwritten data is referenced
Another driver or the kernel makes the reference
There can be a long delay between corruption and detection
[Figure: pool layout, higher addresses at top: Another Driver's Buffer, Pool Structures, Driver Buffer]
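The delayed detection described above, as an added example that is not part of the slides: a constructed, hypothetical model of two adjacent pool blocks (not the real Windows pool layout) where an unchecked driver copy overwrites the neighbouring block's header, and nothing notices until that block is next referenced; the bounded version beside it rejects the oversized write.

```c
#include <string.h>

/* Constructed model of two adjacent pool blocks, mirroring the figure: the
 * driver's buffer, then pool structures, then another driver's buffer at
 * higher addresses. Hypothetical layout, not the real Windows pool: each
 * block is a 4-byte header (magic, size) followed by 16 data bytes. */
#define HDR   4
#define DATA  16
#define BLOCK (HDR + DATA)

struct pool { unsigned char mem[2 * BLOCK]; };

static unsigned char *block_at(struct pool *p, int idx) { return p->mem + idx * BLOCK; }
static void write_header(unsigned char *b) { b[0] = 0x5A; b[1] = 0xA5; b[2] = DATA; b[3] = 0; }
static int header_ok(const unsigned char *b) {
    return b[0] == 0x5A && b[1] == 0xA5 && b[2] == DATA && b[3] == 0;
}

void pool_init(struct pool *p) {
    memset(p->mem, 0, sizeof p->mem);
    write_header(block_at(p, 0));   /* the driver's own buffer */
    write_header(block_at(p, 1));   /* another driver's buffer, directly above it */
}

/* Buggy driver: copies len bytes with no bound check, so len > DATA silently
 * runs over the neighbouring pool header. Nothing faults at this point. */
void driver_write_unchecked(struct pool *p, const unsigned char *src, size_t len) {
    unsigned char *data = block_at(p, 0) + HDR;
    for (size_t i = 0; i < len; i++) data[i] = src[i];
}

/* Fixed driver: refuses anything larger than the buffer it owns. */
int driver_write_checked(struct pool *p, const unsigned char *src, size_t len) {
    if (len > DATA) return -1;
    memcpy(block_at(p, 0) + HDR, src, len);
    return 0;
}

/* The later "reference" by the other driver or the kernel: only here is the
 * corruption noticed, however long ago the overrun happened. */
int other_block_intact(struct pool *p) { return header_ok(block_at(p, 1)); }

/* 1 if the unchecked write corrupted the neighbour (detected only on reference). */
int demo_unchecked(void) {
    struct pool p; unsigned char src[24];
    pool_init(&p); memset(src, 'X', sizeof src);
    driver_write_unchecked(&p, src, sizeof src);
    return other_block_intact(&p) ? 0 : 1;
}
/* 1 if the checked write rejected the oversized copy and the neighbour survived. */
int demo_checked(void) {
    struct pool p; unsigned char src[24];
    pool_init(&p); memset(src, 'X', sizeof src);
    return driver_write_checked(&p, src, sizeof src) == -1 && other_block_intact(&p);
}
```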
Causing a Buffer Overrun
Virtual Labs
http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
User Groups
http://www.microsoft.com/communities/usergroups/default.mspx
Live from Tech·Ed Webcast Series has been brought to you by: www.microsoft.com/hpc
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.