Browse by Tags


  • Blog Post: Identifying Global Atom Table Leaks

    Hi, it's the Debug Ninja back again with another debugging adventure. Recently I have encountered several instances where processes fail to initialize, and a review of available resources showed that there was no obvious resource exhaustion. A more in-depth review found that there were...
  • Blog Post: Stop 0x19 in a Large Pool Allocation

    Hello all, Scott Olson here again to share another interesting issue I recently debugged with pool corruption and found that using special pool does not work with large pool allocations ( pool allocations greater than a PAGE_SIZE ).   Here is an example of a valid large page allocation. Notice the...
  • Blog Post: Configuring a Hyper-V VM For Kernel Debugging

    Yesterday's blog prompted some questions about how to set up a debugger for a Windows OS running in a Hyper-V VM.   I was surprised that I wasn't able to find good, publicly available, Microsoft issued documentation for this configuration.   The first step is to configure the Windows OS in...
  • Blog Post: My Kernel Debugger Won't Connect

    Hello ntdebugging readers, the Debug Ninja is back again with a quick blog this holiday season.   I recently encountered a situation where the kernel debugger could not connect to a Windows Server 2008 R2 system running in a Hyper-V virtual machine.   The configuration appeared correct; however...
  • Blog Post: Fixing an ICorDebugUnmanagedCallback induced hang

    Hi debuggers, Andrew Richards here with a NTDebugging post that is a little different to what is usually posted.   Instead of talking about debugging, I’m going to talk about an issue I just faced while writing a debugger.   This debugger work is an extension of an upcoming article that I’ve...
  • Blog Post: Where Did My Disk I/O Go?

    Hello, Mr. Ninja back again.   I recently discovered that although my team often tracks I/O from the file system through to the disk controller, we have never publicly documented the steps required to do this.   This seems like a great opportunity for a blog because most of the structures are...
  • Blog Post: Call Stacks for Pool Allocations

    Hello, it's the Debug Ninja back again for another NtDebugging Blog article.   For as long as I can remember user mode debuggers have had an easy way to get call stacks for heap allocations.   On more recent versions of Windows this has been as simple as using gflags +ust and umdh or !heap...
  • Blog Post: Debugging a CLOCK_WATCHDOG_TIMEOUT Bugcheck

    Hi debuggers, Andrew Richards here for my first NT Debugging post. I thought I’d share a recent case that used a lot of discovery techniques to uncover the details of what was going on. Most bugchecks give you the information you need as arguments, but in the case of bugcheck 0x101, I had to go digging...
  • Blog Post: Bcdedit Tips and Tricks For Debugging Part 1

    Hello everyone, my name is Sean Walker, and I am on the Platforms OEM team in Washington.   This article is for those people who have had a hard time switching from the old boot.ini configuration to the new BCD store (myself included). Doing the simple tasks such as enabling kernel debugging over...
  • Blog Post: Determining The Interrupt Line For A Particular PCI-E Slot

    Hi debuggers, this is Graham McIntyre again. These days I’m working more closely with hardware so I thought I’d share some hardware related debugging tips.  I recently debugged an issue where a PCI-E storage device failed to work after hot swapping it from one slot to another slot on the system...
  • Blog Post: Updated Archive of the Debug Ninja’s Twitter Debug Tips

    Every Wednesday (usually) I post a debug tip to our twitter page at https://twitter.com/#!/ntdebugging. This blog is an archive of these tips to allow our readers to find this information easily. I will update this blog periodically with the new tips; follow us on twitter if you want to see the tips...
  • Blog Post: What Is In A RHS Dump File Created By Windows Error Reporting

    Hello all, East here.   I wanted to give you a hint on how to use a RHS dump to find what thread was part of the Windows Server 2008 R2 cluster RHS recovery deadlock.   First let me start off with letting you know that Windows Server 2008 R2 will create two types of user-mode dumps: 1 - A heap...
  • Blog Post: The Mystery of Lsass.exe Memory Consumption, (When all components get involved)

    Hi All, this is Karim Elsaid and I’m a Support Escalation Engineer working with the Dubai platforms support team.   Recently I was working on a very challenging and interesting case, and I wanted to share that experience with you.   One of our customers was experiencing a problem on all his...
  • Blog Post: Control Panel Policy and the Missing Icon

    A customer recently reported a rather peculiar problem. They were working on a roll out of Windows 7, and one of the policies they employed on their domain was the “Show only specified control panel applets” setting. As its name implies, this policy allows an administrator to specify...
  • Blog Post: How Queue Deadlocks Happen

    I recently worked on an interesting system hang issue with a deadlocked work queue and wanted to share some information about how we resolved the issue.   In this example, we will demonstrate how a cascaded work item can deadlock a work queue.  As you can see from the illustration, we have...
  • Blog Post: Interpreting a WHEA error for a MCA fault

    Howdy fellow debuggers! This is Graham McIntyre, I am an Escalation Engineer in Platforms Global Escalation Services.   We get questions from time to time from customers who experience a WHEA bugcheck 0x124, or system event, for help in interpreting the error record. The information applies to Windows...
  • Blog Post: Hunting for Bugs, but Found a Worm

    Hi All, my name is Ron Riddle and I’m an Escalation Engineer on the core Windows team. I worked an issue recently wherein a svchost.exe was crashing due to heap corruption; so, after enabling Page Heap and breaking out the services as needed, I received a user-mode dump that would show me the culprit...
  • Blog Post: Debug Sleuth at Work: Hung Server…..Mystery of the unprocessed SMB work item.

    Hello folks, Pushkar here. I recently worked on a case where the server was hung at “Applying User Settings” during the logon phase. You might ask what’s going to be new in this post, NTDebugging has a bunch of posts covering such debug scenarios :). In my defense, this case was particularly...
  • Blog Post: Archive of the Debug Ninja’s Twitter debug tips

    Every Wednesday I post a debug tip to our twitter page at www.twitter.com/ntdebugging. This blog is an archive of these tips to allow our readers to find this information easily. We will update this blog every few weeks with the new tips; follow us on twitter if you want to see the tips as I post them...
  • Blog Post: Challenges of Debugging Optimized x64 Code

    If you have not had the luxury of debugging optimized x64 code as of yet, don’t wait much longer and fall behind the times! Due to the x64 fastcall-like calling convention coupled with the abundance of general purpose registers, finding variable values at arbitrary points in a call stack can be very...
  • Blog Post: Remote kernel or user mode debugging of dumps or live systems

    GES (Global Escalation Services) is not only responsible for helping our external customers, but we spend a great deal of time collaborating with engineers and developers around the world at our support and development sites. We often look at large dump files, but in some cases we perform a live debug...
  • Blog Post: How to Determine Which Resource is Causing the Cluster Resource Monitor to Crash – Possible Deadlock

    Hello, my name is John Marlin, and I am a Support Escalation Engineer on the Microsoft Platform Cluster Services Support team. I wanted to talk about the Windows 2003 Cluster Resource Monitor and what happens when it crashes. In this blog I’ll show you how to look under the hood to determine why...
  • Blog Post: NDIS Case Study 1 - NDIS Packet Double Completion

    Hi, this is Anurag again. Here is a case study of an NDIS driver causing a problem due to double completion of a send packet. A protocol driver allocates a NDIS packet and gives it to the miniport driver to be sent on the wire. A miniport driver is supposed to send or complete the packet, but miniport...
  • Blog Post: Some of our favorite debugging-related links

    Today we’re posting links to some of our favorite debugging-related content on the web. Post your own favorites as a comment to share them with everyone! Reverse Engineering and Debugging Blogs DumpAnalysis MetaSploit Nynaeve Mark Russinovich's Blog Steve’s Techspot John...
  • Blog Post: NDIS - Part 1

    Hi, my name is Anurag Sarin, I am an escalation engineer in the Platforms Global Escalation Team. I would like to give some insight on NDIS. NDIS Introduction The Network Driver Interface Specification (NDIS) library abstracts the network hardware from network drivers. NDIS also specifies a standard...