Browse by Tags


  • Blog Post: Understanding Pool Corruption Part 3 – Special Pool for Double Frees

    In Part 1 and Part 2 of this series we discussed pool corruption and how special pool can be used to identify the cause of such corruption.  In today’s article we will use special pool to catch a double free of pool memory.   A double free of pool will cause a system to blue screen, however...
  • Blog Post: Debugging a Generation 2 Virtual Machine

    Hyper-V is based on the 440BX (PCI) chipset for emulation. The decision to use this chipset started years ago with Connectix Virtual PC.  The advantage of using an emulated chipset based on a popular motherboard like the 440BX, along with associated peripherals, is the compatibility with a large...
  • Blog Post: Understanding Pool Corruption Part 2 – Special Pool for Buffer Overruns

    In our previous article we discussed pool corruption that occurs when a driver writes too much data in a buffer.  In this article we will discuss how special pool can help identify the driver that writes too much data.   Pool is typically organized to allow multiple drivers to store data in...
  • Blog Post: Understanding Pool Corruption Part 1 – Buffer Overflows

    Before we can discuss pool corruption we must understand what pool is.  Pool is kernel mode memory used as a storage space for drivers.  Pool is organized in a similar way to how you might use a notepad when taking notes from a lecture or a book.  Some notes may be 1 line, others may be...
  • Blog Post: Debugging a Network Connectivity Issue - TrackNblOwner to the Rescue

    Hello Debug community this is Karim Elsaid again.  Today I’m going to discuss a recent interesting case where intermittently the server is losing access to the network.  No communication (even pings) can be done from / to the server when the issue hits.   We went through the normal exercise...
  • Blog Post: Leaving the Do Not Disturb Sign on the Door Will Cause the KERNEL_APC_PENDING_DURING_EXIT Bugcheck

    This is Ron Stock from the Global Escalation Services team and I recently worked with a customer to determine which misbehaving driver was crashing their critical server. This particular crash was a STOP 0x00000020 which maps to KERNEL_APC_PENDING_DURING_EXIT.   The KERNEL_APC_PENDING_DURING_EXIT...
  • Blog Post: Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012

    What is a bug check 0x133? Starting in Windows Server 2012, a DPC watchdog timer is enabled which will bug check a system if too much time is spent in DPC routines. This bug check was added to help identify drivers that are deadlocked or misbehaving.  The bug check is of type "DPC_WATCHDOG_VIOLATION"...
  • Blog Post: Troubleshooting Pool Leaks Part 7 – Windows Performance Toolkit

    In Part 1 of this series we identified a pool leak in non paged pool.  In Part 2 and Part 3 of this series we identified what pool tag was leaking.  In Part 5 and Part 6 we got call stacks showing the memory being allocated.  In this article we are going to discuss a tool that combines...
  • Blog Post: Troubleshooting Pool Leaks Part 6 – Driver Verifier

    In part 5 we used poolhittag to get call stacks of pool being allocated and freed.  This information is often essential to identifying the cause of a memory leak; however it is not always feasible to configure a live kernel debug to obtain this information.  Fortunately there are alternative...
  • Blog Post: Breaking down the "Cl" in !irp

    Hey there NTDEBUGGERS my name is Randy Monteleone and today we are going to talk about IRPs. In the past we have talked about the IRP structure in passing and showed a field here and there that can be pulled out and used to find answers to stalled IO. I was recently working on a debugger extension and...
  • Blog Post: Troubleshooting Pool Leaks Part 5 – PoolHitTag

    In Part 4 we narrowed the source of the leaked pool memory to the specific driver which is allocating it, and we identified where in the driver this allocation was taking place.  However, we did not capture contextual information such as the call stack leading up to this code.  Also, we didn...
  • Blog Post: Troubleshooting Pool Leaks Part 4 – Debugging Multiple Users for a Tag

    In our previous articles we discussed various techniques for identifying a pool memory leak and narrowing the scope of the leak to an individual pool tag.  Knowing the leaking pool tag is often sufficient to identify the cause of the problem and find a solution.  However, there may be a scenario...
  • Blog Post: Troubleshooting Pool Leaks Part 3 – Debugging

    In our previous articles we discussed identifying a pool leak with perfmon , and narrowing the source of the leak with poolmon .  These tools are often preferred because they are easy to use, provide verbose information, and can be run on a system without forcing downtime.  However, it is not...
  • Blog Post: Troubleshooting Pool Leaks Part 2 – Poolmon

    In our previous article we discussed how to identify a pool leak using perfmon.  Although it may be interesting to know that you have a pool leak, most customers are interested in identifying the cause of the leak so that it can be corrected.  In this article we will begin the process of identifying...
  • Blog Post: Troubleshooting Pool Leaks Part 1 – Perfmon

    Over the years the NTDebugging Blog has published several articles about pool memory and pool leaks.  However, we haven’t taken a comprehensive approach to understanding and troubleshooting pool memory usage.  This upcoming series of articles is going to tackle pool leaks from the basics to...
  • Blog Post: How To Deadlock Yourself (Don’t Do This)

    Some APIs should come with a warning in big red letters saying “ DANGER! ”, or perhaps more subtly “ PROCEED WITH CAUTION ”.  One such API is ExSetResourceOwnerPointer . Although the documentation contains an explanation of what limited activity you can do with the resource after making this call...
  • Blog Post: What Did Storport Do With My I/O?

    In a previous article I showed how to track an I/O request from the filesystem, through the class driver, and to the storage driver.  In that article I concluded with " From this data we can usually assume that the request has been sent to the disk drive and we are waiting for the disk to respond"...
  • Blog Post: Debugging a Crash, Found a Trojan

    Hi, I'm Manish from Global Escalation Services. I would like to present a multiple random bug check issue, which was caused by malicious code (trojan) running on the machine. This is the walkthrough of how we found the virus on the server. In this particular dump, the machine crashed with Bugcheck 0xA...
  • Blog Post: How the Clipboard Works, Part 2

    Last time , we discussed how applications place data on the clipboard, and how to access that data using the debugger.   Today, we'll take a look at how an application can monitor the clipboard for changes.   Understanding this is important because it is a place where Windows allows 3 rd -party...
  • Blog Post: How the Clipboard Works, Part 1

    Recently I had the opportunity to debug the clipboard in Windows, and I thought I’d share some of the things I learned.   The clipboard is one of those parts of Windows that many of us use dozens (hundreds?) of times a day and don’t really think about.   Before working on this case, I had never...
  • Blog Post: What Should Never Happen... Did

    Hi, this is Bob Golding; I wanted to write a blog about an interesting hardware issue I ran into. Hardware problems can be tricky to isolate. I recently came across one that I thought was interesting and gave an example of how to trace code execution.  The machine executed the filler “int 3” instructions...
  • Blog Post: Identifying Global Atom Table Leaks

    Hi, it's the Debug Ninja back again with another debugging adventure.   Recently I have encountered several instances where processes fail to initialize, and a review of available resources showed that there was no obvious resource exhaustion.   A more in depth review found that there were...
  • Blog Post: Stop 0x19 in a Large Pool Allocation

    Hello all, Scott Olson here again to share another interesting issue I recently debugged with pool corruption and found that using special pool does not work with large pool allocations ( pool allocations greater than a PAGE_SIZE ).   Here is an example of a valid large page allocation. Notice the...
  • Blog Post: Configuring a Hyper-V VM For Kernel Debugging

    Yesterday's blog prompted some questions about how to set up a debugger for a Windows OS running in a Hyper-V VM.   I was surprised that I wasn't able to find good, publicly available, Microsoft issued documentation for this configuration.   The first step is to configure the Windows OS in...
  • Blog Post: My Kernel Debugger Won't Connect

    Hello ntdebugging readers, the Debug Ninja is back again with a quick blog this holiday season.   I recently encountered a situation where the kernel debugger could not connect to a Windows Server 2008 R2 system running in a Hyper-V virtual machine.   The configuration appeared correct; however...
Page 1 of 2 (31 items) 12