Windows Internals, Fifth Edition

Book description

See how the core components of the Windows operating system work behind the scenes—guided by a team of internationally renowned internals experts. Fully updated for Windows Server® 2008 and Windows Vista®, this classic guide delivers key architectural insights on system design, debugging, performance, and support—along with hands-on experiments to experience Windows internal behavior firsthand.

Delve inside Windows architecture and internals:

  • Understand how the core system and management mechanisms work—from the object manager to services to the registry

  • Explore internal system data structures using tools like the kernel debugger

  • Grasp the scheduler's priority and CPU placement algorithms

  • Go inside the Windows security model to see how it authorizes access to data

  • Understand how Windows manages physical and virtual memory

  • Tour the Windows networking stack from top to bottom—including APIs, protocol drivers, and network adapter drivers

  • Troubleshoot file-system access problems and system boot problems

  • Learn how to analyze crashes

Table of contents

    1. Windows Internals, Fifth Edition
    2. Dedication
    3. Foreword
    4. Acknowledgments
    5. Introduction
      1. Structure of the Book
      2. History of the Book
      3. Fifth Edition Changes
      4. Hands-On Experiments
      5. Topics Not Covered
      6. A Warning and a Caveat
      7. Find Additional Content Online
      8. Support
        1. From the Authors
        2. From Microsoft Press
        3. Questions and Comments
    6. 1. Concepts and Tools
      1. Windows Operating System Versions
      2. Foundation Concepts and Terms
        1. Windows API
        2. Services, Functions, and Routines
        3. Processes, Threads, and Jobs
        4. Virtual Memory
        5. Kernel Mode vs. User Mode
        6. Terminal Services and Multiple Sessions
        7. Objects and Handles
        8. Security
        9. Registry
        10. Unicode
      3. Digging into Windows Internals
        1. Reliability and Performance Monitor
        2. Kernel Debugging
        3. Symbols for Kernel Debugging
        4. Debugging Tools for Windows
        5. LiveKd Tool
        6. Windows Software Development Kit
        7. Windows Driver Kit
        8. Sysinternals Tools
      4. Conclusion
    7. 2. System Architecture
      1. Requirements and Design Goals
      2. Operating System Model
      3. Architecture Overview
        1. Portability
        2. Symmetric Multiprocessing
        3. Scalability
        4. Differences Between Client and Server Versions
        5. Checked Build
      4. Key System Components
        1. Environment Subsystems and Subsystem DLLs
          1. Windows Subsystem
          2. POSIX Subsystem
        2. Ntdll.dll
        3. Executive
        4. Kernel
          1. Kernel Objects
          2. Kernel Processor Control Region and Control Block (KPCR and KPRCB)
          3. Hardware Support
        5. Hardware Abstraction Layer
        6. Device Drivers
          1. Windows Driver Model (WDM)
          2. Windows Driver Foundation
        7. System Processes
          1. Idle Process
          2. Interrupts and DPCs
          3. System Process and System Threads
          4. Session Manager (Smss)
          5. Winlogon, LogonUI, LSASS, and Userinit
          6. Service Control Manager (SCM)
      5. Conclusion
    8. 3. System Mechanisms
      1. Trap Dispatching
        1. Interrupt Dispatching
        2. Hardware Interrupt Processing
        3. x86 Interrupt Controllers
        4. x64 Interrupt Controllers
        5. IA64 Interrupt Controllers
        6. Software Interrupt Request Levels (IRQLs)
        7. Software Interrupts
        8. Exception Dispatching
        9. Unhandled Exceptions
        10. Windows Error Reporting
        11. System Service Dispatching
          1. 32-Bit System Service Dispatching
          2. 64-Bit System Service Dispatching
          3. Kernel-Mode System Service Dispatching
          4. Service Descriptor Tables
      2. Object Manager
        1. Executive Objects
        2. Object Structure
          1. Object Headers and Bodies
          2. Type Objects
          3. Object Methods
          4. Object Handles and the Process Handle Table
          5. Object Security
          6. Object Retention
          7. Resource Accounting
          8. Object Names
          9. Session Namespace
          10. Object Filtering
      3. Synchronization
        1. High-IRQL Synchronization
          1. Interlocked Operations
          2. Spinlocks
          3. Queued Spinlocks
          4. Instack Queued Spinlocks
          5. Executive Interlocked Operations
        2. Low-IRQL Synchronization
          1. Kernel Dispatcher Objects
          2. Keyed Events
          3. Fast Mutexes and Guarded Mutexes
          4. Executive Resources
          5. Pushlocks
          6. Critical Sections
          7. Condition Variables
          8. Slim Reader Writer Locks
          9. Run Once Initialization
      4. System Worker Threads
      5. Windows Global Flags
      6. Advanced Local Procedure Calls (ALPCs)
      7. Kernel Event Tracing
      8. Wow64
        1. Wow64 Process Address Space Layout
        2. System Calls
        3. Exception Dispatching
        4. User Callbacks
        5. File System Redirection
        6. Registry Redirection and Reflection
        7. I/O Control Requests
        8. 16-Bit Installer Applications
        9. Printing
        10. Restrictions
      9. User-Mode Debugging
        1. Kernel Support
        2. Native Support
        3. Windows Subsystem Support
      10. Image Loader
        1. Early Process Initialization
        2. Loaded Module Database
        3. Import Parsing
        4. Post Import Process Initialization
      11. Hypervisor (Hyper-V)
        1. Partitions
        2. Root Partition
          1. Root Partition Operating System
          2. VM Service and Worker Processes
          3. Virtualization Service Providers
          4. VM Infrastructure Driver and Hypervisor API Library
          5. Hypervisor
        3. Child Partitions
          1. Virtualization Service Clients
          2. Enlightenments
        4. Hardware Emulation and Support
          1. Emulated Devices
          2. Synthetic Devices
          3. Virtual Processors
          4. Memory Virtualization
          5. Intercepts
      12. Kernel Transaction Manager
      13. Hotpatch Support
      14. Kernel Patch Protection
      15. Code Integrity
      16. Conclusion
    9. 4. Management Mechanisms
      1. The Registry
        1. Viewing and Changing the Registry
        2. Registry Usage
        3. Registry Data Types
        4. Registry Logical Structure
          1. HKEY_CURRENT_USER
          2. HKEY_USERS
          3. HKEY_CLASSES_ROOT
          4. HKEY_LOCAL_MACHINE
          5. HKEY_CURRENT_CONFIG
          6. HKEY_PERFORMANCE_DATA
        5. Transactional Registry (TxR)
        6. Monitoring Registry Activity
          1. Process Monitor Internals
          2. Process Monitor Troubleshooting Techniques
          3. Logging Activity in Unprivileged Accounts or During Logon/Logoff
        7. Registry Internals
          1. Hives
          2. Hive Size Limits
          3. Hive Structure
          4. Cell Maps
          5. The Registry Namespace and Operation
          6. Stable Storage
          7. Registry Filtering
          8. Registry Optimizations
      2. Services
        1. Service Applications
          1. Service Accounts
          2. The Local System Account
          3. The Network Service Account
          4. The Local Service Account
          5. Running Services in Alternate Accounts
          6. Running with Least Privilege
          7. Service Isolation
          8. Interactive Services and Session 0 Isolation
        2. The Service Control Manager
        3. Service Startup
        4. Startup Errors
        5. Accepting the Boot and Last Known Good
        6. Service Failures
        7. Service Shutdown
        8. Shared Service Processes
        9. Service Tags
        10. Service Control Programs
      3. Windows Management Instrumentation
          1. WMI Architecture
        1. Providers
        2. The Common Information Model and the Managed Object Format Language
          1. The WMI Namespace
        3. Class Association
        4. WMI Implementation
        5. WMI Security
      4. Windows Diagnostic Infrastructure
        1. WDI Instrumentation
        2. Diagnostic Policy Service
        3. Diagnostic Functionality
      5. Conclusion
    10. 5. Processes, Threads, and Jobs
      1. Process Internals
        1. Data Structures
        2. Kernel Variables
        3. Performance Counters
        4. Relevant Functions
      2. Protected Processes
      3. Flow of CreateProcess
        1. Stage 1: Converting and Validating Parameters and Flags
        2. Stage 2: Opening the Image to Be Executed
        3. Stage 3: Creating the Windows Executive Process Object (PspAllocateProcess)
          1. Stage 3A: Setting Up the EPROCESS Block
          2. Stage 3B: Creating the Initial Process Address Space
          3. Stage 3C: Creating the Kernel Process Block
          4. Stage 3D: Concluding the Setup of the Process Address Space
          5. Stage 3E: Setting Up the PEB
          6. Stage 3F: Completing the Setup of the Executive Process Object (PspInsertProcess)
        4. Stage 4: Creating the Initial Thread and Its Stack and Context
        5. Stage 5: Performing Windows Subsystem–Specific Post-Initialization
        6. Stage 6: Starting Execution of the Initial Thread
        7. Stage 7: Performing Process Initialization in the Context of the New Process
      4. Thread Internals
        1. Data Structures
        2. Kernel Variables
        3. Performance Counters
        4. Relevant Functions
        5. Birth of a Thread
      5. Examining Thread Activity
        1. Limitations on Protected Process Threads
      6. Worker Factories (Thread Pools)
      7. Thread Scheduling
        1. Overview of Windows Scheduling
        2. Priority Levels
        3. Windows Scheduling APIs
        4. Relevant Tools
        5. Real-Time Priorities
        6. Thread States
        7. Dispatcher Database
        8. Quantum
          1. Quantum Accounting
          2. Controlling the Quantum
          3. Quantum Boosting
          4. Quantum Settings Registry Value
        9. Scheduling Scenarios
          1. Voluntary Switch
          2. Preemption
          3. Quantum End
          4. Termination
        10. Context Switching
        11. Idle Thread
        12. Priority Boosts
          1. Priority Boosting after I/O Completion
          2. Boosts After Waiting for Events and Semaphores
          3. Boosts During Waiting on Executive Resources
          4. Priority Boosts for Foreground Threads After Waits
          5. Priority Boosts After GUI Threads Wake Up
          6. Priority Boosts for CPU Starvation
          7. Priority Boosts for MultiMedia Applications and Games (MMCSS)
        13. Multiprocessor Systems
          1. Hyperthreaded and Multicore Systems
          2. NUMA Systems
          3. Affinity
          4. Ideal and Last Processor
          5. Dynamic Processor Addition and Replacement
        14. Multiprocessor Thread-Scheduling Algorithms
          1. Choosing a Processor for a Thread When There Are Idle Processors
          2. Choosing a Processor for a Thread When There Are No Idle Processors
          3. Selecting a Thread to Run on a Specific CPU
        15. CPU Rate Limits
      8. Job Objects
      9. Conclusion
    11. 6. Security
      1. Security Ratings
        1. Trusted Computer System Evaluation Criteria
        2. The Common Criteria
      2. Security System Components
      3. Protecting Objects
        1. Access Checks
          1. Security Identifiers (SIDs)
          2. Integrity Levels
          3. Tokens
          4. Impersonation
          5. Restricted Tokens
          6. Filtered Admin Token
        2. Security Descriptors and Access Control
          1. ACL Assignment
          2. Determining Access
      4. Account Rights and Privileges
        1. Account Rights
        2. Privileges
        3. Super Privileges
      5. Security Auditing
      6. Logon
        1. Winlogon Initialization
        2. User Logon Steps
      7. User Account Control
        1. Virtualization
          1. File Virtualization
          2. Registry Virtualization
        2. Elevation
          1. Running with Administrator Rights
          2. Requesting Administrative Rights
      8. Software Restriction Policies
      9. Conclusion
    12. 7. I/O System
      1. I/O System Components
        1. The I/O Manager
        2. Typical I/O Processing
      2. Device Drivers
        1. Types of Device Drivers
          1. WDM Drivers
          2. Layered Drivers
        2. Structure of a Driver
        3. Driver Objects and Device Objects
        4. Opening Devices
      3. I/O Processing
        1. Types of I/O
          1. Synchronous and Asynchronous I/O
          2. Fast I/O
          3. Mapped File I/O and File Caching
          4. Scatter/Gather I/O
          5. I/O Request Packets
          6. IRP Stack Locations
          7. IRP Buffer Management
        2. I/O Request to a Single-Layered Driver
          1. Servicing an Interrupt
          2. Completing an I/O Request
          3. Synchronization
        3. I/O Requests to Layered Drivers
          1. Thread Agnostic I/O
        4. I/O Cancellation
          1. User-Initiated I/O Cancellation
          2. I/O Cancellation for Thread Termination
        5. I/O Completion Ports
          1. The IoCompletion Object
          2. Using Completion Ports
          3. I/O Completion Port Operation
        6. I/O Prioritization
          1. I/O Priorities
          2. Bandwidth Reservation (Scheduled File I/O)
        7. Driver Verifier
      4. Kernel-Mode Driver Framework (KMDF)
        1. Structure and Operation of a KMDF Driver
        2. KMDF Data Model
        3. KMDF I/O Model
      5. User-Mode Driver Framework (UMDF)
      6. The Plug and Play (PnP) Manager
        1. Level of Plug and Play Support
        2. Driver Support for Plug and Play
        3. Driver Loading, Initialization, and Installation
          1. The Start Value
          2. Device Enumeration
          3. Devnodes
          4. Devnode Driver Loading
        4. Driver Installation
      7. The Power Manager
        1. Power Manager Operation
        2. Driver Power Operation
        3. Driver and Application Control of Device Power
      8. Conclusion
    13. 8. Storage Management
      1. Storage Terminology
      2. Disk Drivers
        1. Winload
        2. Disk Class, Port, and Miniport Drivers
          1. iSCSI Drivers
          2. Multipath I/O (MPIO) Drivers
        3. Disk Device Objects
        4. Partition Manager
      3. Volume Management
        1. Basic Disks
          1. MBR-Style Partitioning
          2. GUID Partition Table Partitioning
          3. Basic Disk Volume Manager
        2. Dynamic Disks
          1. The LDM Database
          2. LDM and GPT or MBR-Style Partitioning
          3. Dynamic Disk Volume Manager
        3. Multipartition Volume Management
          1. Spanned Volumes
          2. Striped Volumes
          3. Mirrored Volumes
          4. RAID-5 Volumes
        4. The Volume Namespace
          1. The Mount Manager
          2. Mount Points
          3. Volume Mounting
        5. Volume I/O Operations
        6. Virtual Disk Service
      4. BitLocker Drive Encryption
        1. BitLocker Architecture
        2. Encryption Keys
        3. Trusted Platform Module (TPM)
        4. BitLocker Boot Process
        5. BitLocker Key Recovery
        6. Full Volume Encryption Driver
        7. BitLocker Management
      5. Volume Shadow Copy Service
        1. Shadow Copies
          1. Clone Shadow Copies
          2. Copy-on-Write Shadow Copies
        2. VSS Architecture
        3. VSS Operation
          1. Shadow Copy Provider
        4. Uses in Windows
          1. Backup
          2. Previous Versions and System Restore
          3. Shadow Copies for Shared Folders
      6. Conclusion
    14. 9. Memory Management
      1. Introduction to the Memory Manager
        1. Memory Manager Components
        2. Internal Synchronization
        3. Examining Memory Usage
      2. Services the Memory Manager Provides
        1. Large and Small Pages
        2. Reserving and Committing Pages
        3. Locking Memory
        4. Allocation Granularity
        5. Shared Memory and Mapped Files
        6. Protecting Memory
        7. No Execute Page Protection
          1. Software Data Execution Prevention
        8. Copy-on-Write
        9. Address Windowing Extensions
      3. Kernel-Mode Heaps (System Memory Pools)
        1. Pool Sizes
        2. Monitoring Pool Usage
        3. Look-Aside Lists
      4. Heap Manager
        1. Types of Heaps
        2. Heap Manager Structure
        3. Heap Synchronization
        4. The Low Fragmentation Heap
        5. Heap Security Features
        6. Heap Debugging Features
        7. Pageheap
      5. Virtual Address Space Layouts
        1. x86 Address Space Layouts
        2. x86 System Address Space Layout
        3. x86 Session Space
        4. System Page Table Entries
        5. 64-Bit Address Space Layouts
        6. 64-Bit Virtual Addressing Limitations
        7. Dynamic System Virtual Address Space Management
        8. System Virtual Address Space Quotas
      6. User Address Space Layout
        1. Image Randomization
        2. Stack Randomization
        3. Heap Randomization
      7. Address Translation
        1. x86 Virtual Address Translation
          1. Page Directories
          2. Page Tables and Page Table Entries
          3. Byte Within Page
        2. Translation Look-Aside Buffer
        3. Physical Address Extension (PAE)
        4. IA64 Virtual Address Translation
        5. x64 Virtual Address Translation
      8. Page Fault Handling
        1. Invalid PTEs
        2. Prototype PTEs
        3. In-Paging I/O
        4. Collided Page Faults
        5. Clustered Page Faults
        6. Page Files
      9. Stacks
        1. User Stacks
        2. Kernel Stacks
        3. DPC Stack
      10. Virtual Address Descriptors
        1. Process VADs
        2. Rotate VADs
      11. NUMA
      12. Section Objects
      13. Driver Verifier
      14. Page Frame Number Database
        1. Page List Dynamics
        2. Page Priority
        3. Modified Page Writer
        4. PFN Data Structures
      15. Physical Memory Limits
        1. Windows Client Memory Limits
          1. 32-Bit Client Effective Memory Limits
      16. Working Sets
        1. Demand Paging
        2. Logical Prefetcher
        3. Placement Policy
        4. Working Set Management
        5. Balance Set Manager and Swapper
        6. System Working Set
        7. Memory Notification Events
      17. Proactive Memory Management (SuperFetch)
        1. Components
        2. Tracing and Logging
        3. Scenarios
        4. Page Priority and Rebalancing
        5. Robust Performance
        6. ReadyBoost
        7. ReadyDrive
      18. Conclusion
    15. 10. Cache Manager
      1. Key Features of the Cache Manager
        1. Single, Centralized System Cache
        2. The Memory Manager
        3. Cache Coherency
        4. Virtual Block Caching
        5. Stream-Based Caching
        6. Recoverable File System Support
      2. Cache Virtual Memory Management
      3. Cache Size
        1. Cache Virtual Size
        2. Cache Working Set Size
        3. Cache Physical Size
      4. Cache Data Structures
        1. Systemwide Cache Data Structures
        2. Per-File Cache Data Structures
      5. File System Interfaces
        1. Copying to and from the Cache
        2. Caching with the Mapping and Pinning Interfaces
        3. Caching with the Direct Memory Access Interfaces
      6. Fast I/O
      7. Read Ahead and Write Behind
        1. Intelligent Read-Ahead
        2. Write-Back Caching and Lazy Writing
          1. Disabling Lazy Writing for a File
          2. Forcing the Cache to Write Through to Disk
          3. Flushing Mapped Files
        3. Write Throttling
        4. System Threads
      8. Conclusion
    16. 11. File Systems
      1. Windows File System Formats
        1. CDFS
        2. UDF
        3. FAT12, FAT16, and FAT32
        4. exFAT
        5. NTFS
      2. File System Driver Architecture
        1. Local FSDs
        2. Remote FSDs
        3. File System Operation
          1. Explicit File I/O
          2. Memory Manager’s Modified and Mapped Page Writer
          3. Cache Manager’s Lazy Writer
          4. Cache Manager’s Read-Ahead Thread
          5. Memory Manager’s Page Fault Handler
        4. File System Filter Drivers
          1. Process Monitor
      3. Troubleshooting File System Problems
        1. Process Monitor Basic vs. Advanced Modes
        2. Process Monitor Troubleshooting Techniques
      4. Common Log File System
          1. Marshalling
          2. Log Types
          3. Log Layout
          4. Log Sequence Numbers
          5. Log Blocks
          6. Owner Pages
          7. Translating Virtual LSNs to Physical LSNs
          8. Management Policies
      5. NTFS Design Goals and Features
        1. High-End File System Requirements
          1. Recoverability
          2. Security
          3. Data Redundancy and Fault Tolerance
        2. Advanced Features of NTFS
          1. Multiple Data Streams
          2. Unicode-Based Names
          3. General Indexing Facility
          4. Dynamic Bad-Cluster Remapping
          5. Hard Links
          6. Symbolic (Soft) Links and Junctions
          7. Compression and Sparse Files
          8. Change Logging
          9. Per-User Volume Quotas
          10. Link Tracking
          11. Encryption
          12. POSIX Support
          13. Defragmentation
          14. Dynamic Partitioning
      6. NTFS File System Driver
      7. NTFS On-Disk Structure
        1. Volumes
        2. Clusters
        3. Master File Table
        4. File Reference Numbers
        5. File Records
        6. File Names
        7. Resident and Nonresident Attributes
        8. Data Compression and Sparse Files
          1. Compressing Sparse Data
          2. Compressing Nonsparse Data
          3. Sparse Files
        9. The Change Journal File
        10. Indexing
        11. Object IDs
        12. Quota Tracking
        13. Consolidated Security
        14. Reparse Points
        15. Transaction Support
          1. Isolation
          2. Transactional APIs
          3. Resource Managers
          4. On-Disk Implementation
          5. Logging Implementation
          6. Recovery Implementation
      8. NTFS Recovery Support
        1. Design
        2. Metadata Logging
          1. Log File Service
          2. Log Record Types
        3. Recovery
          1. Analysis Pass
          2. Redo Pass
          3. Undo Pass
        4. NTFS Bad-Cluster Recovery
        5. Self-Healing
      9. Encrypting File System Security
        1. Encrypting a File for the First Time
          1. Constructing Key Rings
          2. Encrypting File Data
          3. Encryption Process Summary
        2. The Decryption Process
          1. Decrypted FEK Caching
          2. Decrypting File Data
        3. Backing Up Encrypted Files
      10. Conclusion
    17. 12. Networking
      1. Windows Networking Architecture
        1. The OSI Reference Model
        2. Windows Networking Components
      2. Networking APIs
        1. Windows Sockets
          1. Winsock Client Operation
          2. Winsock Server Operation
          3. Winsock Extensions
          4. Extending Winsock
          5. Winsock Implementation
        2. Winsock Kernel (WSK)
          1. WSK Implementation
        3. Remote Procedure Call
          1. RPC Operation
          2. RPC Security
          3. RPC Implementation
        4. Web Access APIs
          1. WinInet
          2. WinHTTP
          3. HTTP
        5. Named Pipes and Mailslots
          1. Named Pipe Operation
          2. Mailslot Operation
          3. Named Pipe and Mailslot Implementation
        6. NetBIOS
          1. NetBIOS Names
          2. NetBIOS Operation
          3. NetBIOS API Implementation
        7. Other Networking APIs
          1. BITS
          2. Peer-to-Peer Infrastructure
          3. DCOM
          4. Message Queuing
          5. UPnP with PnP-X
      3. Multiple Redirector Support
        1. Multiple Provider Router
        2. Multiple UNC Provider
      4. Name Resolution
        1. Domain Name System
        2. Windows Internet Name Service
        3. Peer Name Resolution Protocol
          1. PNRP Resolution and Publication
      5. Location and Topology
        1. Network Location Awareness (NLA)
        2. Link-Layer Topology Discovery (LLTD)
      6. Protocol Drivers
        1. Windows Filtering Platform (WFP)
          1. Network Address Translation
          2. IP Filtering
          3. Internet Protocol Security
      7. NDIS Drivers
        1. Variations on the NDIS Miniport
        2. Connection-Oriented NDIS
        3. Remote NDIS
        4. QoS
      8. Binding
      9. Layered Network Services
        1. Remote Access
        2. Active Directory
        3. Network Load Balancing
        4. Distributed File System and DFS Replication
      10. Conclusion
    18. 13. Startup and Shutdown
      1. Boot Process
        1. BIOS Preboot
        2. The BIOS Boot Sector and Bootmgr
        3. The EFI Boot Process
        4. Initializing the Kernel and Executive Subsystems
        5. Smss, Csrss, and Wininit
        6. ReadyBoot
        7. Images That Start Automatically
      2. Troubleshooting Boot and Startup Problems
        1. Last Known Good
        2. Safe Mode
          1. Driver Loading in Safe Mode
          2. Safe-Mode-Aware User Programs
          3. Boot Logging in Safe Mode
        3. Windows Recovery Environment (WinRE)
        4. Solving Common Boot Problems
          1. MBR Corruption
          2. Boot Sector Corruption
          3. BCD Misconfiguration
          4. System File Corruption
          5. System Hive Corruption
          6. Post–Splash Screen Crash or Hang
      3. Shutdown
      4. Conclusion
    19. 14. Crash Dump Analysis
      1. Why Does Windows Crash?
      2. The Blue Screen
      3. Troubleshooting Crashes
      4. Crash Dump Files
        1. Crash Dump Generation
      5. Windows Error Reporting
      6. Online Crash Analysis
      7. Basic Crash Dump Analysis
        1. Notmyfault
        2. Basic Crash Dump Analysis
        3. Verbose Analysis
      8. Using Crash Troubleshooting Tools
        1. Buffer Overrun, Memory Corruptions, and Special Pool
        2. Code Overwrite and System Code Write Protection
      9. Advanced Crash Dump Analysis
        1. Stack Trashes
        2. Hung or Unresponsive Systems
        3. When There Is No Crash Dump
      10. Conclusion
    20. Glossary
    21. Index
    22. About the Authors
    23. Copyright

    Product information

    • Title: Windows Internals, Fifth Edition
    • Author(s): David A. Solomon, Mark E. Russinovich, and Alex Ionescu
    • Release date: June 2009
    • Publisher(s): Microsoft Press
    • ISBN: 9780735625303