Understanding Pool Corruption Part 3 – Special Pool for Double Frees

In Part 1 and Part 2 of this series we discussed pool corruption and how special pool can be used to identify the cause of such corruption.  In today’s article we will use special pool to catch a double free of pool memory.   A double free of pool will cause a system to blue…

1

Event ID 157 "Disk # has been surprise removed"

Hello my name is Bob Golding and I would like to share information on a new error you may see in the system event log. It is Event ID 157 "Disk <n> has been surprise removed" with Source: disk.  This error indicates that the CLASSPNP driver has received a “surprise removal” request from the plug…

16

Understanding ARM Assembly Part 1

My name is Marion Cole, and I am a Sr. EE in Microsoft Platforms Serviceability group.  You may be wondering why Microsoft support would need to know ARM assembly.  Doesn’t Windows only run on x86 and x64 machines?  No.  Windows has ran on a variety of processors in the past.  Those include i860, Alpha, MIPS,…

11

The Compiler Did What?

I was recently investigating a crash in an application.  As I researched the issue I found a very old defect in the code that was only recently being exposed by the compiler.   The crash occurred at the below instruction because the ebx register does not hold a valid pointer.   0:001> r eax=d9050cf7 ebx=003078c0…

0

Great power. Great responsibility.

When it comes to the registry, administrators are given great power to manually configure Windows to suit their needs, but even slight, seemingly innocuous changes to a particular key or value can have a drastic impact on basic operations of the system, even affecting its ability to boot properly.   I recently had the pleasure…

1

Debugging a Generation 2 Virtual Machine

Hyper-V is based on the 440BX (PCI) chipset for emulation. The decision to use this chipset started years ago with Connectix Virtual PC.  The advantage of using an emulated chipset based on a popular motherboard like the 440BX, along with associated peripherals, is the compatibility with a large number of operating systems.   Windows Server…

1

Performance Monitor Averages, the Right Way and the Wrong Way

Performance Monitor (perfmon) is the preferred tool to measure the performance of Windows systems.  The perfmon tool provides an analysis view with a chart and metrics of the Last, Average, Minimum, and Maximum values.   There are scenarios where the line in the chart is the most valuable piece of information, such as a memory…

4

ResAvail Pages and Working Sets

Hello everyone, I’m Ray and I’m here to talk a bit about a dump I recently looked at and a little-referenced memory counter called ResAvail Pages (resident available pages).   The problem statement was:  The server hangs after a while.   Not terribly informative, but that’s where we start with many cases. First some good…

0

Missing System Writer Case Explained

I worked on a case the other day where all I had was a procmon log and event logs to troubleshoot a problem where the System Writer did not appear in the VSSADMIN LIST WRITERS output. This might be review for the folks that know this component pretty well but I figured I would share…

6

Understanding Pool Corruption Part 2 – Special Pool for Buffer Overruns

In our previous article we discussed pool corruption that occurs when a driver writes too much data in a buffer.  In this article we will discuss how special pool can help identify the driver that writes too much data.   Pool is typically organized to allow multiple drivers to store data in the same page…

1