M01 IIS6CPM WindowsArchitecture v1.3

7/30/2019 M01 IIS6CPM WindowsArchitecture v1.3

1/32

Modules

All modules

Module 1: Windows Architecture

Module 2: IIS 6.0 ArchitectureModule 3: Tools for Debugging and Analysis

Module 4: Problem Analysis


2/32

Module 1:Windows Architecture

Microsoft Confidential

2006 Microsoft Corporation


3/32

Module Overview

Windows Architecture

Section 1: Windows Architecture (Win32)

Section 2: Applications, Processes, Threads

Section 3: Windows Memory Management

Exception Handling

Section 4: Exception Handling


4/32

Section 1: Windows Architecture (Win32)

Section Overview

User Mode versus Kernel Mode

Windows Architecture Diagram

Demo: Displaying User and Kernel time in Task Manager Demo: Displaying User and Kernel time in Performance

Monitor


5/32

User Mode versus Kernel Mode

Microsoft Windows uses two processor executionlevelsuser mode and kernel mode

Kernel mode is where lower-level operating system codeexecutes

User mode is where services and application codeexecutes

Dividing execution increases performance and stability


6/32

Kernel Mode

Windows Architecture Diagram

Executive Services

SecurityReferenceMonitor

IPCManager

MemoryManager

ProcessManager

Plug &Play

Manager

I/OManager

FileSystems

WindowManager

GraphicsDisplayDriver

PowerManager

Object Manager

Device Drivers Microkernel

Hardware Abstraction Layer (HAL)

User ModeWin32

Subsystem

Win32 Applications

Inetinfo.exe

Aspnet_wp.exe

W3wp.exe

HTTP.SYS


7/32

Demonstration: Displaying User and Kernel Times inTask Manager

Using Task Manager to display User andKernel times


8/32

Demonstration: Displaying User and Kernel time inPerformance Monitor

Using Performance Monitor to displayUser and Kernel time


9/32

Section 2: Applications, Processes, Threads

Section OverviewApplications, Processes, Threads

Demo: Displaying Running Processes in Task Manager

Demo: Displaying Thread Information by Using

PSTAT.EXE


10/32

Applications, Processes, Threads (Cont)

An application consists of one or more processes

A process is a container for a running program, librariesand different resources used by them like a virtualaddress space, a security context, a number of threads,

handles, heaps etcA thread is the basic unit of execution in which theoperating system allocates processor time to do work


11/32

Demonstration: Displaying Running Processes inTask Manager

Running processes shown in TaskManager


12/32

Demonstration: Displaying Thread Information byUsing PSTAT.EXE

The utility pstat.exe also shows somegeneral information about the threadsthat make up each of the processes on

the system at the time pstat.exe is run


13/32

Section 3: Windows Memory Management

Section Overview Virtual Memory Layout

Windows Memory Management

Reserved vs. Committed Memory

Heap and Stack

Demo: Displaying Driver Information by UsingPSTAT.EXE


14/32

Virtual Memory Layout

0xFFFFFFFF

0x00000000

KernelMode

2 GB

UserMode

2 GB

0x80000000

All 32-bit Windows Versions

this is hidden more hiddenmore hidden more

Kernel

Mode

1 GB

User

Mode

3 GB

Microsoft Windows 2000 Advanced

Server/Datacenter, Windows XP SP2,Windows Server 2003

0xC0000000


15/32

Windows Memory Management

Is a virtual memory system

Translates the virtual addresses where drivers andapplications store data to a location in physicalmemory

Paging File

RAM

inetinfo.exe0x00000000

0x7FFFFFFF

0x80000000

0xFFFFFFFF

0x70C60000

Windows MemoryManager

Virtual Addresses Physical Memory


16/32

Virtual Memory

Virtual Memory

Inetinfo

Physical Memory

(RAM)

Virtual Memory

W3WP.EXE

Inetinfo Data

NTDLL.DLL

W3WP.exe

W3WP Data

Inetinfo Data

Inetinfo.exe

Inetinfo Data

Inetinfo.exe

0x00000000

0xFFFFFFFF 256 MB, 4 GB, ???

Use

rMode

Kernel

Mode

NTDLL.DLL

W3WP data

W3WP.exe

NTDLL.DLL


17/32

Using pstat.exe to verify loaded driversbase addresses within Kernels addressspace

Using a user-mode debugger to verifyloaded modules base addresses within aprocess user-mode address space

Demonstration: Base address


18/32

Virtual Memory (Cont)

Virtual bytesMemory belonging to the process (Reserved +

Committed)

Private bytes

Amount of memory committed by the process

Working set

Memory belonging to a process (private +shared) that is resident in the physical memory


19/32

Reserved versus Committed Memory

Windows protects memory

Each process has a separate address space

Memory pages can be in three states

Free pages

Reserved pages

Committed pages

Windows permits allocated memory in two steps

1.Reserve address space

2.Commitstorage in that address space


20/32

Heap and Stack

Heap - A region of one or more pages of memory that canbe subdivided and allocated into smaller chunks; defaultinitial size 1 MBPurposes:

For allocating and freeing objects dynamically

When number and size of objects are not known in advance

When an object is too large to fit in to a stack allocator

Stack -A region of reserved memory where programsstore operational information that can bepushedon or

poppedoff; default initial size 1 MBMemory Allocation:

The OS will grow the stack as needed by committing 1 page blockout of the reserved stack memory

Demonstration: Displaying Driver Information by


21/32

Demonstration: Displaying Driver Information byUsing PSTAT.EXE

It is possible to use pstat.exe to view theload addresses and range of all thedrivers loaded in kernel mode on your

system.


22/32

Section 4: Exception Handling

Section Overview

What Is an Exception?

Dealing with Exceptions

User-Mode Exceptions

Dr. Watson

Kernel-Mode Exceptions

Demonstration: Configuring a Server for a CompleteMemory Dump


23/32

What Is an Exception?

An exception is an anomaly that occurs while aprogram is running and prevents further execution

Example:

Developers can write exception handlers to handleexpected or unexpected exceptions

int a = 5;

int b = 0;

int c = a / b; EXCEPTION!

int d = a + b + c;


24/32

Dealing with Exceptions

First Chance Exceptions

An exception that has not yet been handled by the

process/application

Second Chance Exceptions

An exception that the application/process had a chance tohandle, but decided not to


25/32

User-Mode Exceptions

Windows will invoke the Just In Time (JIT) debugger thatis defined in the registry

By default, Dr. Watson will attach to the process andgenerate a memory dump of the user-mode process

address space


26/32

Demonstration: Configuring Dr. Watson

Dr. Watson can be configured to gatherseveral different pieces of information whenan application crashes


27/32

Reading a Dr. Watson Log

Log file named: Drwtsn32.log

Contains information about the crash, such as

Process name and PID

Date and time of crashType of exception

Computer name and user name

List of running processes

Thread-specific information


28/32

Dr. Watson Generated User.dmp

Dr. Watson also creates a User.dmp file

User.dmp is overwritten each time Dr. Watson

catches a user-mode exception

User.dmp can be loaded into a debugger like cdb.exe

or windbg.exe

Debugging the dump file can help resolve the cause

of the exception


29/32

Kernel-Mode Exceptions

When an unhandled exception occurs in a kernelmode function, Windows stops execution

Depending on how Windows is configured, you will

usually get a blue screen

The stop code and parameters contain information

important to troubleshooting the problem

Windows can write a Memory.dmp of the faulting

thread and its registers, all of the kernel address

space in RAM, or all of the user-mode and kernel-

mode address space in RAM


30/32

Kernel-Mode Exceptions (Cont)

*** STOP: 0x0000001E (0xC0000047,0xFA8418B4,0x8025ea21,0xfd6829e8)KMODE_EXCEPTION_NOT_HANDLED*** Address fa8418b4 has base at fa840000 - i8042prt.SYSIf this is the first time youve seen this Stop error screen, restart yourcomputer. If this screen appears again, follow these steps:Check to be sure you have adequate disk space. If a driver is identified inthe Stop message, disable the driver or check with the manufacturer fordriver updates. Try changing video adapters.Check with your hardware vendor for any BIOS updates. Disable BIOS memoryoptions such as caching or shadowing. If you need to use Safe Mode toremove or disable components, restart your computer, press F8 to selectAdvanced Startup Options, and then select Safe Mode.Refer to your Getting Started manual for more information on troubleshootingStop errors.Beginning dump of physical memoryPhysical memory dump complete. Contact your system administrator ortechnical support group.

Demonstration: Configuring a Server for a Complete


31/32

Demonstration: Configuring a Server for a CompleteMemory Dump

How to configure a server for a completememory dump


32/32

Review

Windows uses two execution modesuser modeand kernel mode

The CPU runs threads, and each process containsone or more threads

The Win32 version of Windows Memory Manageruses a 32-bit address range for each process

Unhandled user-mode exceptions are handled by theJIT debugger; drwtsn32.exe by default

Unhandled kernel-mode exceptions cause bluescreens

M01 IIS6CPM WindowsArchitecture v1.3

Documents

Transcript of M01 IIS6CPM WindowsArchitecture v1.3