Post on 14-Apr-2018
7/30/2019 M01 IIS6CPM WindowsArchitecture v1.3
1/32
Modules
All modules
Module 1: Windows Architecture
Module 2: IIS 6.0 Architecture
Module 3: Tools for Debugging and Analysis
Module 4: Problem Analysis
Module 1: Windows Architecture
Microsoft Confidential
2006 Microsoft Corporation
Module Overview
Windows Architecture
Section 1: Windows Architecture (Win32)
Section 2: Applications, Processes, Threads
Section 3: Windows Memory Management
Exception Handling
Section 4: Exception Handling
Section 1: Windows Architecture (Win32)
Section Overview
User Mode versus Kernel Mode
Windows Architecture Diagram
Demo: Displaying User and Kernel time in Task Manager
Demo: Displaying User and Kernel time in Performance Monitor
User Mode versus Kernel Mode
Microsoft Windows uses two processor execution levels: user mode and kernel mode
Kernel mode is where lower-level operating system code executes
User mode is where services and application code executes
Dividing execution increases performance and stability
Windows Architecture Diagram (figure; the slide shows the following components)
Kernel Mode:
    Executive Services: Security Reference Monitor, IPC Manager, Memory Manager, Process Manager, Plug & Play Manager, I/O Manager, File Systems, Window Manager, Graphics Display Driver, Power Manager, Object Manager
    Device Drivers, Microkernel
    Hardware Abstraction Layer (HAL)
    HTTP.SYS (kernel-mode driver)
User Mode:
    Win32 Subsystem
    Win32 Applications: Inetinfo.exe, Aspnet_wp.exe, W3wp.exe
Demonstration: Displaying User and Kernel Times in Task Manager
Using Task Manager to display User and Kernel times
Demonstration: Displaying User and Kernel time in Performance Monitor
Using Performance Monitor to display User and Kernel time
Section 2: Applications, Processes, Threads
Section Overview
Applications, Processes, Threads
Demo: Displaying Running Processes in Task Manager
Demo: Displaying Thread Information by Using PSTAT.EXE
Applications, Processes, Threads (Cont)
An application consists of one or more processes
A process is a container for a running program, its libraries and the resources they use, such as a virtual address space, a security context, a number of threads, handles, heaps, etc.
A thread is the basic unit of execution to which the operating system allocates processor time to do work
Demonstration: Displaying Running Processes in Task Manager
Running processes shown in Task Manager
Demonstration: Displaying Thread Information by Using PSTAT.EXE
The utility pstat.exe also shows some general information about the threads that make up each of the processes on the system at the time pstat.exe is run
Section 3: Windows Memory Management
Section Overview
Virtual Memory Layout
Windows Memory Management
Reserved vs. Committed Memory
Heap and Stack
Demo: Displaying Driver Information by Using PSTAT.EXE
Virtual Memory Layout (figure)
All 32-bit Windows versions: User Mode 0x00000000 to 0x7FFFFFFF (2 GB); Kernel Mode 0x80000000 to 0xFFFFFFFF (2 GB)
Microsoft Windows 2000 Advanced Server/Datacenter, Windows XP SP2, Windows Server 2003 (shown with a 3 GB user-mode split): User Mode 0x00000000 to 0xBFFFFFFF (3 GB); Kernel Mode 0xC0000000 to 0xFFFFFFFF (1 GB)
Windows Memory Management
Is a virtual memory system
Translates the virtual addresses where drivers and applications store data to a location in physical memory
(Figure: the Windows Memory Manager maps the virtual addresses of inetinfo.exe, user range 0x00000000 to 0x7FFFFFFF and kernel range 0x80000000 to 0xFFFFFFFF, with a module shown at 0x70C60000, onto physical memory: RAM or the paging file.)
Virtual Memory (figure)
Each process (Inetinfo.exe, W3WP.exe) has its own virtual address space from 0x00000000 to 0xFFFFFFFF, split into User Mode and Kernel Mode, holding its image, its data and shared modules such as NTDLL.DLL; the Windows Memory Manager maps these onto the single physical memory (RAM) of the machine, labelled "256 MB, 4 GB, ???" in the figure.
Demonstration: Base address
Using pstat.exe to verify loaded drivers' base addresses within the kernel's address space
Using a user-mode debugger to verify loaded modules' base addresses within a process's user-mode address space
Virtual Memory (Cont)
Virtual bytes: Memory belonging to the process (Reserved + Committed)
Private bytes: Amount of memory committed by the process
Working set: Memory belonging to a process (private + shared) that is resident in physical memory
Reserved versus Committed Memory
Windows protects memory
Each process has a separate address space
Memory pages can be in three states
Free pages
Reserved pages
Committed pages
Windows permits allocated memory in two steps
1. Reserve address space
2. Commit storage in that address space
Heap and Stack
Heap - A region of one or more pages of memory that can be subdivided and allocated into smaller chunks; default initial size 1 MB
Purposes:
For allocating and freeing objects dynamically
When the number and size of objects are not known in advance
When an object is too large to fit into a stack allocator
Stack - A region of reserved memory where programs store operational information that can be pushed on or popped off; default initial size 1 MB
Memory Allocation:
The OS will grow the stack as needed by committing 1-page blocks out of the reserved stack memory
Demonstration: Displaying Driver Information by Using PSTAT.EXE
It is possible to use pstat.exe to view the load addresses and range of all the drivers loaded in kernel mode on your system.
Section 4: Exception Handling
Section Overview
What Is an Exception?
Dealing with Exceptions
User-Mode Exceptions
Dr. Watson
Kernel-Mode Exceptions
Demonstration: Configuring a Server for a Complete Memory Dump
What Is an Exception?
An exception is an anomaly that occurs while a program is running and prevents further execution
Example:
    int a = 5;
    int b = 0;
    int c = a / b;        // EXCEPTION! (integer division by zero)
    int d = a + b + c;    // not reached
Developers can write exception handlers to handle expected or unexpected exceptions
Dealing with Exceptions
First Chance Exceptions
An exception that has not yet been handled by the process/application
Second Chance Exceptions
An exception that the application/process had a chance to handle, but decided not to
User-Mode Exceptions
Windows will invoke the Just In Time (JIT) debugger that is defined in the registry
By default, Dr. Watson will attach to the process and generate a memory dump of the user-mode process address space
Demonstration: Configuring Dr. Watson
Dr. Watson can be configured to gather several different pieces of information when an application crashes
Reading a Dr. Watson Log
Log file named: Drwtsn32.log
Contains information about the crash, such as
Process name and PID
Date and time of crash
Type of exception
Computer name and user name
List of running processes
Thread-specific information
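Added example, not part of the course material: a small parser that pulls the fields listed above out of the header of a Drwtsn32.log so a crash can be triaged (which process, which PID, which exception, on which machine) before the dump is opened. The log excerpt is constructed for illustration; the image path, PID, time, computer and user names are made up.

```python
import re

# Constructed Drwtsn32.log excerpt (not from a real server). The layout follows
# the classic "Application exception occurred" header; values are invented.
SAMPLE_LOG = r"""
Application exception occurred:
        App: C:\WINDOWS\system32\inetsrv\w3wp.exe (pid=2044)
        When: 4/14/2018 @ 10:15:33.123
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: WEB01
        User Name: NETWORK SERVICE
"""

FIELDS = {
    "app": re.compile(r"App:\s+(.+?)\s+\(pid=(\d+)\)"),
    "when": re.compile(r"When:\s+(.+)"),
    "exception": re.compile(r"Exception number:\s+([0-9a-fA-F]+)\s*\((.*?)\)"),
    "computer": re.compile(r"Computer Name:\s+(.+)"),
    "user": re.compile(r"User Name:\s+(.+)"),
}


def parse_drwtsn_log(text):
    """Return the crash summary a triage engineer wants first from Drwtsn32.log."""
    out = {}
    m = FIELDS["app"].search(text)
    if not m:
        raise ValueError("no 'Application exception occurred' header found")
    out["image_path"] = m.group(1)
    out["process"] = m.group(1).rsplit("\\", 1)[-1]   # basename of the image path
    out["pid"] = int(m.group(2))
    m = FIELDS["when"].search(text)
    out["when"] = m.group(1).strip() if m else None
    m = FIELDS["exception"].search(text)
    if m:
        out["exception_code"] = int(m.group(1), 16)   # NTSTATUS value, e.g. 0xC0000005
        out["exception_name"] = m.group(2)
    for key in ("computer", "user"):
        m = FIELDS[key].search(text)
        out[key] = m.group(1).strip() if m else None
    return out


if __name__ == "__main__":
    for k, v in parse_drwtsn_log(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Because User.dmp is overwritten on the next crash, the log header is often the only record that a particular PID faulted, so keep it with the dump when you archive one.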
Dr. Watson Generated User.dmp
Dr. Watson also creates a User.dmp file
User.dmp is overwritten each time Dr. Watson catches a user-mode exception
User.dmp can be loaded into a debugger like cdb.exe or windbg.exe
Debugging the dump file can help resolve the cause of the exception
Kernel-Mode Exceptions
When an unhandled exception occurs in a kernel-mode function, Windows stops execution
Depending on how Windows is configured, you will usually get a blue screen
The stop code and parameters contain information important to troubleshooting the problem
Windows can write a Memory.dmp of the faulting thread and its registers, all of the kernel address space in RAM, or all of the user-mode and kernel-mode address space in RAM
Kernel-Mode Exceptions (Cont)
*** STOP: 0x0000001E (0xC0000047,0xFA8418B4,0x8025ea21,0xfd6829e8)
KMODE_EXCEPTION_NOT_HANDLED
*** Address fa8418b4 has base at fa840000 - i8042prt.SYS

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Refer to your Getting Started manual for more information on troubleshooting Stop errors.

Beginning dump of physical memory
Physical memory dump complete. Contact your system administrator or technical support group.
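Added example, not part of the course material: a parser for the first three lines of a Stop message like the one above. It splits out the stop code and its four parameters, ties the address on the "*** Address ... has base at" line back to the named driver as a module offset, and, for bug check 0x1E, labels the parameters the way Microsoft documents them (exception code, exception address, then the exception's own two parameters). The only input is the text of the slide.

```python
import re

# Stop message text as printed on the slide (KMODE_EXCEPTION_NOT_HANDLED).
STOP_TEXT = (
    "*** STOP: 0x0000001E (0xC0000047,0xFA8418B4,0x8025ea21,0xfd6829e8)\n"
    "KMODE_EXCEPTION_NOT_HANDLED\n"
    "*** Address fa8418b4 has base at fa840000 - i8042prt.SYS\n"
)

STOP_RE = re.compile(r"\*\*\* STOP: (0x[0-9A-Fa-f]{8}) \(([^)]*)\)")
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]+$", re.M)          # the symbolic bug check name line
ADDR_RE = re.compile(r"\*\*\* Address ([0-9A-Fa-f]+) has base at ([0-9A-Fa-f]+) - (\S+)")


def parse_stop_message(text):
    """Extract stop code, parameters and the identified module from Stop text."""
    m = STOP_RE.search(text)
    if not m:
        raise ValueError("no '*** STOP:' line found")
    info = {
        "stop_code": int(m.group(1), 16),
        "params": [int(p.strip(), 16) for p in m.group(2).split(",")],
    }
    name = NAME_RE.search(text)
    info["name"] = name.group(0) if name else None
    addr = ADDR_RE.search(text)
    if addr:
        fault, base = int(addr.group(1), 16), int(addr.group(2), 16)
        info["module"] = addr.group(3)
        info["module_base"] = base
        info["fault_address"] = fault
        info["offset"] = fault - base      # offset of the fault inside the module
    # Bug check 0x1E parameters: exception code, address of the exception,
    # then the exception's own two parameters.
    if info["stop_code"] == 0x1E and len(info["params"]) == 4:
        info["exception_code"] = info["params"][0]
        info["exception_address"] = info["params"][1]
        # The address on the second "***" line should be the exception address.
        info["address_consistent"] = info.get("fault_address") == info["params"][1]
    return info


def summarize(info):
    """One-line triage summary suitable for a ticket or incident note."""
    line = f"STOP 0x{info['stop_code']:08X} {info.get('name') or ''}".rstrip()
    if "module" in info:
        line += f" in {info['module']}+0x{info['offset']:X}"
    if "exception_code" in info:
        line += f" (exception 0x{info['exception_code']:08X})"
    return line
```

The module offset is what you look up in the driver's symbols once the dump is loaded; the consistency flag catches a transcribed Stop screen whose lines came from different crashes.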
Demonstration: Configuring a Server for a Complete Memory Dump
How to configure a server for a complete memory dump
Review
Windows uses two execution modes: user mode and kernel mode
The CPU runs threads, and each process contains one or more threads
The Win32 version of the Windows Memory Manager uses a 32-bit address range for each process
Unhandled user-mode exceptions are handled by the JIT debugger; drwtsn32.exe by default
Unhandled kernel-mode exceptions cause blue screens