Pool Fragmentation

Hello! My name is Stephen, an escalation engineer on the Microsoft Global Escalation Services Team. Today I’m going to share my experience of a pool fragmentation issue I came across recently. Let’s jump right in with the dump file. This is the output of !vm: *** Virtual Memory Usage *** Physical Memory: 917368 ( 3669472 Kb) Page File: \??\C:\pagefile.sys …

Part 3: ETW Methods of Tracing

Introduction and Overview: This is Ivan from the Platforms OEM team and this is the final installment of the ETW series. In this article, we are going to continue our exploration of the ETW tracing available in Windows. This post is going to cover some of the other methods available to enable and capture…

Part 2: Got Stack? No. We ran out and kv won’t tell me why!

Hello. It’s Ryan again with the second installment of my stack depletion walkthrough.  Part 1 of this blog covered the initial analysis of a kernel memory dump captured due to a Stop 0x7f EXCEPTION_DOUBLE_FAULT.  Our initial analysis revealed that kv was not able to provide us with a useful stack backtrace. Background information relating to Task States…

Part 1: Got Stack? No. We ran out of Kernel Mode Stack and kv won’t tell me why!

My name is Ryan Mangipano (ryanman) and I am a Sr. Support Escalation Engineer at Microsoft. This two-part blog will consist of a complete walkthrough of a bugcheck that occurred due to an overflowed stack condition. What is unique about this situation is the stack backtrace wasn’t being displayed. As we proceed with the…

How to Track Leaky Pool

Today I want to talk about tracking down leaking pool. Back with Server 2003 and before, leaking pool was a major issue because it was a limited resource. In Vista and beyond, it isn’t as much of an issue since pool is allocated dynamically, but it can still cause system performance issues if a component uses too…

System Won’t Power Down

Hi All. Recently I had a Windows 2000 case where the machine wouldn’t shut down. After initiating the shutdown process, we saw the user get logged off, and on the console we watched the services shut down. The final “Windows is shutting down…” message was displayed on the screen, and then the screen would go…

MmCm – A Non Paged Pool Accounting Adventure

Here’s one from the Rube Goldberg debug collection! The dripping sarcasm is because I’m about to show the reeeeally long way to figure out what’s eating MmCm, skip down to the end if you are in a time crunch.   Otherwise, do resist the temptation to skip ahead as some of the techniques can be…

WMI Nugget: How to Gather the Provider Binary from a WMI Class Name

It’s Venkatesh with a WMI nugget. While troubleshooting or debugging WMI issues you may come across WMI queries wherein you don’t know which provider implemented the WMI class used in the query. You may want to know the binary and the product that implemented the provider so you can contact the vendor or upgrade the binary to…

Part 2 – Exploring and Decoding ETW Providers using Event Log Channels

Introduction and Overview: In this article we will explore a practical use for ETW tracing, and discover what ETW (Event Tracing for Windows) tracing is available for a popular Windows user-mode component, Internet Explorer. In my previous article ETW Introduction and Overview, we covered what ETW tracing is and how it could be used. The goal in this…

Push Locks – What are they?

Pushlocks were a new locking primitive first introduced in Windows Server 2003 and are primarily used in place of spinlocks to protect key kernel data structures. Unfortunately, Pushlocks are not documented in the WDK, and are not available for public use; however, a few internal drivers do use them, so you might see them while…
