INT221: Windows Internals, Troubleshooting, and Memory Dump Analysis

Learn how current Windows operating systems are designed and implemented, then immediately apply that knowledge to isolate the causes of system and application failures. 

Level

Intermediate

Audience

Applications developers; systems software developers; device driver developers; system administrators; system integrators; hardware OEMs; I.T. support personnel

Description

This seminar is a combination of our Windows Internals and Windows Troubleshooting and Memory Dump Analysis seminars, INT201 and INT211. We’ve merged the “how it all works” material of the former with the “what to do when it isn’t working” information and lab problems from the latter, forming a single, tightly integrated presentation. We give you a comprehensive “guided tour” of the internal design and implementation of Windows operating systems and, for each key feature, show you how to observe it working, measure it, and optimize it… and when it isn’t working, you’ll know how to find out why, and how to fix it. A significant portion of the time will be spent on system memory dump (“blue screen”) analysis, including how to isolate problems to the component level.


Topics

  • Tools and terminology

  • Introduction to the debuggers

  • System architecture overview

  • Program execution environment

  • Kernel mode components: Executive, kernel, and HAL

  • Environment subsystems and user-to-kernel call implementation

  • Supporting the Windows GUI; understanding "GUI hangs"

  • Handles, objects, and security

  • Kernel mode execution contexts and environment

  • Kernel mode stacks

  • Paged and nonpaged pools

  • Interrupt Request Levels (IRQLs)

  • Scheduling and waiting; multiprocessor/hyperthreading issues

  • Identifying CPU-bound tasks

  • User mode memory management

  • User mode heaps

  • Virtual memory implementation

  • Paging

  • Working set management

  • Physical memory management

  • Virtual and physical memory leaks

  • I/O subsystem and device driver architectures

  • File system cache

  • Types of system failures

  • Analyzing system failures and "hangs"

  • Interpreting stop codes

  • Understanding stack traces and disassembly code

  • Identifying problem components in system crashes

  • Interpreting call sequences

  • "Live" kernel and user mode debugging

Prerequisites

Experience using, administering, or writing applications or drivers for Windows operating systems.

Windows versions

Windows Server 2003, Windows XP, Windows 2000

Duration and formats

5 days with labs
4 days with labs for troubleshooting and memory dump analysis only

Labs

We strongly recommend the hands-on labs version of this seminar. As in all of our seminars, we have carefully designed a series of demonstrations, lab exercises, and problems that illustrate and build on the information presented. Every key operating system principle is illustrated and demonstrated by one or more “hands-on” exercises. In addition, we have a variety of problem scenarios – some involving deliberately created failures; others from real systems with actual bugs in real, shipping drivers – each designed or selected to illustrate the use and applicability of a particular analysis technique. After each lab period, we will lead a walkthrough and discussion of at least one approach to the problem given. By the end of this seminar, you’ll have seen and solved failures of each of the most common types. After the seminar, we will also provide you with a document that gives a detailed walkthrough of the analysis procedures for each problem scenario, and copies of the corresponding example memory dump files, for your further study.

Short formats

There is no short form of this seminar as such. If you are interested in a "fast-track" approach to these topics, we suggest one of our one-day internals seminars (INT150, INT151, or DRV150), followed by the one-day version of INT211.
 

Related Seminars

If you are a system administrator, application developer, hardware integrator, etc., this seminar is for you! Our focus here is “which component is causing problems” rather than “how can I fix the code.”

On the other hand, if you are primarily interested in debugging device driver source code that you, or others in your organization, write and maintain, please consider DRV211: Windows Driver Debugging and Memory Dump Analysis.
 
Copyright © 2007 - Azius Developer Training