
xiaoxiao2021-03-06  45

Trojan Analysis Method (Source: Wood Isno)

Recently a new domestic Trojan has appeared. It has a nice name, "Guangwai Girl", and is the work of the Guangwai Girls' network team at Guangdong Foreign Trade University. It runs on Win98, Win98SE, WinME, WinNT, Win2000, and on Win95/97 with Winsock 2.0 installed. Compared with earlier Trojans it is smaller and better hidden, and it can be expected to become, after "Ice", the next Trojan to spawn many variants.

Because the start-up method of "Guangwai Girl" is typical, I will walk you through the detailed analysis of this new Trojan. The test environment below is the Chinese version of Windows 2000.

I. Required Tools

1. RegSnap V2.80: the best tool for monitoring changes to the registry and system files.
2. Fport V1.33: shows which program has opened which port.
3. FileInfo V2.45A: identifies file types (and packers).
4. ProcDump V1.6.2: unpacking tool.
5. IDA V4.0.4: disassembler.

II. Analysis Steps

Everything is ready, so let's start analysing this Trojan. Because the server side of a typical Trojan tampers with the registry and system files, we must back up the registry and system files before the analysis.

First open RegSnap, select New from the File menu, then click OK. This records the current state of the registry and system files; if the Trojan modifies either, we can analyse the change. When the backup is complete, save it as regsnp1.rgs.

Then run the "Guangwai Girl" server on our computer. Don't be afraid: we have made detailed backups, so we can restore the original state. Double-click GDufs.exe and wait a moment. If you are running "Tianwang Firewall" or Kingsoft AntiVirus, you will find that both programs exit automatically. Strange, isn't it? We will come back to that in the later analysis. The Trojan is now resident in our system, so let's see what it has done. Open RegSnap again, select New from the File menu, click OK, and save this snapshot as regsnp2.rgs.

Select Compare in RegSnap, choose Open regsnp1.rgs as the First Snapshot and Open regsnp2.rgs as the Second Snapshot, and select "Show modified key names and key values" in the radio box below. Press OK and RegSnap starts comparing the two records. When the comparison is complete, the result file regsnp1-regsnp2.htm opens automatically.

Look at regsnp1-regsnp2.htm and pay attention to:

Summary Info:
Deleted Keys: 0
Modified Keys: 15
New Keys: 1

This means that between the two records no registry keys were deleted, 15 were modified and 1 was added. Then look at:

File list in C:\Winnt\System32\*.*

Summary Info:
Deleted Files: 0
Modified Files: 0
New Files: 1

New files:
diagcfg.exe    Size: 97,792    Date/Time: July 01, 2001 23:00:12
--------------
Total positions: 1

This means that a new file, diagcfg.exe, was added to the C:\Winnt\System32\ directory. This file is highly suspicious, because the only thing we ran between the two snapshots was the "Guangwai Girl" Trojan, so we have reason to believe that diagcfg.exe is the Trojan's backdoor program in the system. If you don't believe it, open Task Manager and you will find a diagcfg.exe process: that is the Trojan itself. But do not delete diagcfg.exe yet, otherwise the system will no longer run normally. Trojans generally set some values in the registry so that they run automatically every time the system restarts, so let's see which registry entries changed in regsnp1-regsnp2.htm. With some experience, you will notice the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\@

Old value: String: "%1" %*
New value: String: c:\winnt\system32\diagcfg.exe "%1" %*

This value has been changed from the original "%1" %* to c:\winnt\system32\diagcfg.exe "%1" %*, and the diagcfg.exe in it is the most suspicious part. So what does this registry key do? It defines how executable files are run. Once it is changed to c:\winnt\system32\diagcfg.exe "%1" %*, running any executable file first runs C:\Winnt\System32\diagcfg.exe. So this is where the Trojan has tampered with the system in order to start automatically. Its start-up method differs from that of ordinary Trojans: the usual Trojan adds a value under the HKLM\...\CurrentVersion\Run* keys so that it is started, but that method is well known to anti-virus software and is easily caught. "Guangwai Girl" is trickier and puts its start-up item in another location.
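The snapshot comparison and the check on the exefile command value can be automated. The following is an added example, not code from the article or from RegSnap: it compares two constructed registry snapshots (dictionaries of key path to value) the way RegSnap's summary does, and then examines the exefile shell\open\command value, reporting whatever program has been placed in front of the "%1" placeholder. The snapshot contents and the Kingsoft path in them are constructed for the example; only the clean value "%1" %* and the hijacked value come from the article.

```python
# Added example (not from the article): RegSnap-style comparison of two
# registry snapshots, followed by a check of the exefile shell\open\command
# value. Snapshot contents are constructed.

EXEFILE_COMMAND = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\@"
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # stock Windows 2000 value quoted in the article

# Constructed "before" snapshot: key path -> value.
SNAPSHOT_1 = {
    EXEFILE_COMMAND: '"%1" %*',
    # constructed autostart entry for the anti-virus product named in the article
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kingsoft AntiVirus":
        r"C:\Kingsoft\kav9x.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\@": "exefile",
}

# Constructed "after" snapshot reflecting the kind of change the article reports.
SNAPSHOT_2 = {
    EXEFILE_COMMAND: r'c:\winnt\system32\diagcfg.exe "%1" %*',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\@": "exefile",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Example\NewKey\@": "constructed new key",
}


def compare_snapshots(before, after):
    """Return deleted, modified and new key paths, like RegSnap's summary."""
    deleted = sorted(k for k in before if k not in after)
    new = sorted(k for k in after if k not in before)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return {"deleted": deleted, "modified": modified, "new": new}


def check_exefile_command(value):
    """Return (is_clean, interposed_program).

    Anything placed before the "%1" placeholder is run ahead of every .exe
    the user launches, which is exactly the persistence trick found above.
    """
    v = value.strip()
    if v.lower() == CLEAN_EXEFILE_COMMAND.lower():
        return True, None
    idx = v.find('"%1"')
    prefix = v[:idx] if idx >= 0 else v      # no placeholder at all is also suspect
    return False, prefix.strip().strip('"') or None


def report(before, after):
    """Combine both checks into one triage result."""
    diff = compare_snapshots(before, after)
    clean, program = check_exefile_command(after.get(EXEFILE_COMMAND, ""))
    return {"diff": diff, "exefile_clean": clean, "interposed": program}


if __name__ == "__main__":
    r = report(SNAPSHOT_1, SNAPSHOT_2)
    for kind in ("deleted", "modified", "new"):
        print(f"{kind} keys: {len(r['diff'][kind])}")
    print("exefile command clean:", r["exefile_clean"], "interposed:", r["interposed"])
```

On a live system the same check would read the value from HKEY_CLASSES_ROOT\exefile\shell\open\command; the comparison is deliberately case-insensitive because the registry itself is.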

Now we know where the Trojan resides and where its start-up item is in the registry; it is equally important to find out which port it listens on. Fport does this easily. Run fport.exe on the command line and you will see:

C:\Tool\Fport>fport
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
584   tcpsvcs        ->  7     TCP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  9     TCP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  13    TCP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  17    TCP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  19    TCP   C:\WINNT\System32\tcpsvcs.exe
836   inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
408   svchost        ->  135   TCP   C:\WINNT\System32\svchost.exe
836   inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
8     System         ->  445   TCP
464   msdtc          ->  1025  TCP   C:\WINNT\System32\msdtc.exe
684   mstask         ->  1026  TCP   C:\WINNT\System32\mstask.exe
584   tcpsvcs        ->  1028  TCP   C:\WINNT\System32\tcpsvcs.exe
836   inetinfo       ->  1029  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
8     System         ->  1030  TCP
464   msdtc          ->  3372  TCP   C:\WINNT\System32\msdtc.exe
1176  Diagcfg        ->  6267  TCP   C:\WINNT\System32\Diagcfg.exe   <-- Note this!!!
836   inetinfo       ->  7075  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
584   tcpsvcs        ->  7     UDP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  9     UDP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  13    UDP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  17    UDP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  19    UDP   C:\WINNT\System32\tcpsvcs.exe
584   tcpsvcs        ->  68    UDP   C:\WINNT\System32\tcpsvcs.exe
408   svchost        ->  135   UDP   C:\WINNT\System32\svchost.exe
8     System         ->  445   UDP
228   services       ->  1027  UDP   C:\WINNT\System32\services.exe
836   inetinfo       ->  3456  UDP   C:\WINNT\System32\inetsrv\inetinfo.exe

We can clearly see that the Trojan listens on TCP port 6267. Now we know every move "Guangwai Girl" makes in our system, and we can easily remove it.
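Picking the one suspicious line out of a listing like this is easier when the Fport output is cross-referenced with the list of new files from the snapshot comparison. The following is an added example, not code from the article or from Foundstone: it parses Fport-style lines (a constructed excerpt of the listing above) and flags every listener whose image file name matches a file the comparison reported as new.

```python
import re
from collections import namedtuple

# Added example (not the article's code): parse Fport output and flag any
# listening port whose image is among the files reported as new.
# Sample lines are a constructed excerpt of the listing above.
FPORT_SAMPLE = """\
FPort v1.33 - TCP/IP Process to Port Mapper
Pid   Process            Port  Proto Path
584   tcpsvcs        ->  7     TCP   C:\\WINNT\\System32\\tcpsvcs.exe
836   inetinfo       ->  80    TCP   C:\\WINNT\\System32\\inetsrv\\inetinfo.exe
8     System         ->  445   TCP
1176  Diagcfg        ->  6267  TCP   C:\\WINNT\\System32\\Diagcfg.exe
228   services       ->  1027  UDP   C:\\WINNT\\System32\\services.exe
"""

Listener = namedtuple("Listener", "pid process port proto path")

# pid, process name, "->", port, protocol, optional image path
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$",
                     re.IGNORECASE)


def parse_fport(text):
    """Turn Fport output into Listener records; banner and header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        listeners.append(Listener(int(pid), proc, int(port), proto.upper(), path or None))
    return listeners


def flag_new_images(listeners, new_files):
    """Return listeners whose image file name is in new_files (case-insensitive)."""
    wanted = {f.lower() for f in new_files}
    flagged = []
    for lst in listeners:
        # entries without a path (e.g. System) fall back to "<process>.exe"
        image = lst.path or lst.process + ".exe"
        name = image.rsplit("\\", 1)[-1].lower()
        if name in wanted:
            flagged.append(lst)
    return flagged


if __name__ == "__main__":
    entries = parse_fport(FPORT_SAMPLE)
    # the file list comparison earlier reported exactly one new file
    for hit in flag_new_images(entries, ["diagcfg.exe"]):
        print(f"pid {hit.pid} {hit.process} listens on {hit.proto}/{hit.port} from {hit.path}")
```

The same two functions work unchanged on the full saved output of `fport > fport.txt`; the only input that matters besides the listing is the new-file list from the snapshot comparison.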

III. Removal

Having analysed how "Guangwai Girl" works, we will now clean it out. Below is the way to remove "Guangwai Girl" completely. Note: the order of these steps cannot be reversed, otherwise it may not be fully removed.

1. Click the "Start" menu, select "Run", enter regedit and press OK. Open the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\, but do not modify it yet, because if you modify the registry now, the diagcfg.exe process will immediately change it back.

2. Open Task Manager, find the diagcfg.exe process, select it and press "End Process" to terminate it. Note that you must not open the Registry Editor after ending the process, because running regedit.exe would start diagcfg.exe again.

3. Change the value of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ from C:\Winnt\System32\diagcfg.exe "%1" %* back to "%1" %*.

4. Now you can delete diagcfg.exe from the C:\Winnt\System32\ directory. Remember never to delete this file first, otherwise you will not be able to run any executable file. Since we still plan to analyse this Trojan further, do not delete it but copy it to another directory for study.

IV. In-depth Study

We already know how "Guangwai Girl" basically works, how it starts, and how to remove it completely, but one thing is still unclear: how it deals with "Tianwang Firewall" and Kingsoft AntiVirus. To understand this, we must look at the code of "Guangwai Girl". The source code of this Trojan is not published, but we can still look at it by disassembling it.

The "Guangwai Girl" server is only 96K, so it has evidently been packed with a compression tool, and we must first determine which packer was used. The small tool FileInfo can detect it. Copy the diagcfg.exe analysed earlier into the FileInfo directory, run fi.exe on the command line, press Enter, and it displays:

FileInfo V2.45A (c) 1997-2001 from Jun-06-2001
FileInfo v2.45a (c) 1997-2001 by Michael Hering - herinmi@tu-cottbus.de

C:\Tool\Fi\
* ASPack v1.06b (a.solodovnikov) .data ...  diagcfg.exe ....  98304  01.01.1997
  aPACK v0.98/0.99 (jibz) {short} .......  Exteools.com ...    895  10.11.2000!
! aPACK v0.98/0.99 (jibz) ...............  fi.exe ......... 135458  06.06.2001!
  ......................................  file_id.diz ....   1088  06.06.2001!
? 7-bit text ...........................  reg.bat ........    280  06.06.2001!
  ......................................  summer.key .....    157  06.06.2001!

* Detected 4/6 files in 110 ms

Fileinfo Summary - Date: Mi, 01.01.1997  Time: 21:32:15  Scan path: C:\Tool\Fi  File mask: *.*  All size: 236182 bytes = 230 kB

4/6 files in 110 ms (18.33 ms/file)

FileInfo has detected that diagcfg.exe was packed with ASPack v1.06b. Now that we know how it was packed, we can use ProcDump to unpack it.

Trojan Analysis Method (2)

ISNO

Run ProcDump and click the Unpack button. Because we want to remove the ASPack v1.06b shell, select "Aspack < 108", then OK. It then asks you to open the file to unpack; choose diagcfg.exe and open it. Wait a few seconds and press OK; ProcDump unpacks diagcfg.exe and then shows a dialog for saving the unpacked file, which we save as GWNS.exe.

Note: at this point the Trojan is running on your system again, so you must remove it again following the removal steps above. Since the removal method was described earlier, it is not repeated here.

OK, now we have the original file from before the Trojan was packed. The unpacked GWNS.exe is 194K, more than twice the size of the packed program; that is the packer's work. Now we can disassemble it and look at its assembly code.

We use IDA to disassemble it. By the way, IDA is a superb disassembler and an essential tool for crackers and Windows hackers. Let's look at some of the disassembled code:

0042B1AC push offset aKernel32_dll ; "kernel32.dll"
0042B1B1 call j_LoadLibraryA
0042B1B6 mov [ebx], eax
0042B1B8 push offset aRegisterservic ; "RegisterServiceProcess"
0042B1BD mov eax, [ebx]
0042B1BF push eax
0042B1C0 call j_GetProcAddress
0042B1C5 mov ds:dword_42EA5C, eax
0042B1CA cmp ds:dword_42EA5C, 0
0042B1D1 jz short loc_42B1E1
0042B1D3 push 1
0042B1D5 call j_GetCurrentProcessId
0042B1DA push eax
0042B1DB call ds:dword_42EA5C

The Trojan first loads kernel32.dll, then uses GetProcAddress to get the address of the RegisterServiceProcess API: the Trojan registers itself as a system service so that it is not easily noticed in Task Manager when running under Win9x. Then it calls GetCommandLineA to get its run-time parameters; if the parameter is an executable file, it calls WinExec to run it.

0042B271 mov eax, ds:dword_42EA80
0042B276 mov edx, offset aSnfw_exe ; "snfw.exe"
0042B27B call sub_403900
0042B280 jz short loc_42B293
0042B282 mov eax, ds:dword_42EA80
0042B287 mov edx, offset aKav9x_exe ; "kav9x.exe"

The Trojan then looks for the snfw.exe and kav9x.exe processes, which belong to "Tianwang Firewall" and Kingsoft AntiVirus, and kills them.

0042B6AD push ebx
0042B6AE push 0
0042B6B0 push 0
0042B6B2 push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Windows\\CurrentVersi"...
0042B6B7 push 80000002h
0042B6BC call j_RegOpenKeyExA_0
0042B6C1 push offset aKingsoftAntivi ; "Kingsoft AntiVirus"
0042B6C6 mov eax, [ebx]
0042B6C8 push eax
0042B6C9 call j_RegDeleteValueA
0042B6CE mov eax, [ebx]
0042B6D0 push eax
0042B6D1 call j_RegCloseKey_0

The Trojan also modifies the registry entries of "Tianwang Firewall" and Kingsoft AntiVirus so that they can no longer run automatically when the system is next restarted.

0042B820 mov dword ptr [esi], 100h
0042B826 push esi
0042B827 push edi
0042B828 push offset a_exe_1 ; ".exe"
0042B82D push 80000000h
0042B832 call j_RegQueryValueA
0042B837 push 8
0042B839 push offset a1 ; "\"%1\" %*"
0042B83E push 1
0042B840 lea eax, [ebp+var_10]
0042B843 mov edx, edi
0042B845 mov ecx, 100h
0042B84A call sub_4037A0
0042B84F lea eax, [ebp+var_10]
0042B852 mov edx, offset aShellOpenComma ; "\\shell\\open\\command"
0042B857 call sub_4037F8
0042B85C mov eax, [ebp+var_10]
0042B85F call sub_4039A4
0042B864 push eax
0042B865 push 80000000h
0042B86A call j_RegSetValueA
0042B86F push 0
0042B871 mov eax, ds:dword_42D040
0042B876 mov eax, [eax]
0042B878 push eax
0042B879 call j_WinExec

The code above modifies the Trojan's start-up item in the registry, i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command, so that it starts itself when the system restarts. Next, the Trojan initialises the Winsock DLL, binds its port and waits for the Trojan client to connect.
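Reading listings like the ones above by hand is slow, and a first pass over the imported API names and string literals gives a quick picture of what a binary does before anyone reads the assembly in detail. The following is an added example, not code from the article or from IDA: it scans IDA-style listing lines (a constructed excerpt of the fragments quoted above) for direct `call` targets, for APIs resolved at run time through GetProcAddress (their names appear only as string literals pushed just before the call), and for other string literals, and tags the APIs this analysis associates with specific behaviour. The behaviour descriptions in the TAGS table are the reviewer's reading of the text above, not part of the Trojan or of IDA.

```python
import re

# Added example, not part of the article: triage of an IDA listing for API
# names and string literals. The listing is a constructed excerpt of the
# fragments quoted in the text.
LISTING = r"""
0042B1AC push offset aKernel32_dll ; "kernel32.dll"
0042B1B1 call j_LoadLibraryA
0042B1B8 push offset aRegisterservic ; "RegisterServiceProcess"
0042B1C0 call j_GetProcAddress
0042B1DB call ds:dword_42EA5C
0042B276 mov edx, offset aSnfw_exe ; "snfw.exe"
0042B27B call sub_403900
0042B287 mov edx, offset aKav9x_exe ; "kav9x.exe"
0042B6BC call j_RegOpenKeyExA_0
0042B6C1 push offset aKingsoftAntivi ; "Kingsoft AntiVirus"
0042B6C9 call j_RegDeleteValueA
0042B852 mov edx, offset aShellOpenComma ; "\\shell\\open\\command"
0042B86A call j_RegSetValueA
0042B879 call j_WinExec
"""

# Direct call to a named target (IDA's j_ thunk prefix is optional). Indirect
# calls such as "call ds:dword_42EA5C" do not match because of the ':'.
CALL_RE = re.compile(r"\bcall\s+(?:j_)?([A-Za-z_][A-Za-z0-9_]*)\s*$")
# IDA's string comment: ; "literal"
STRING_RE = re.compile(r';\s*"(.*)"\s*$')

# Behaviour tags, as the text above describes them (defender's reading).
TAGS = {
    "RegisterServiceProcess": "hides itself from the Win9x Task Manager",
    "RegDeleteValueA": "removes a registry value (security-tool autostart entry)",
    "RegSetValueA": "writes a registry value (exefile shell\\open\\command hijack)",
    "WinExec": "launches the program the user actually asked for",
    "GetProcAddress": "resolves an API by name at run time",
}


def triage(listing):
    """Return direct imports, run-time resolved imports, strings and tagged APIs."""
    direct, dynamic, strings = [], [], []
    last_string = None
    for line in listing.splitlines():
        s = STRING_RE.search(line)
        if s:
            strings.append(s.group(1))
            last_string = s.group(1)
        m = CALL_RE.search(line)
        if not m:
            continue
        name = m.group(1)
        if name.startswith(("sub_", "loc_")):      # local subroutines, not imports
            last_string = None
            continue
        name = re.sub(r"_\d+$", "", name)           # strip IDA's _0 duplicate suffix
        direct.append(name)
        # The string pushed right before GetProcAddress is the API being resolved.
        if name == "GetProcAddress" and last_string:
            dynamic.append(last_string)
        last_string = None
    tagged = {api: TAGS[api] for api in direct + dynamic if api in TAGS}
    return {"direct": direct, "dynamic": dynamic, "strings": strings, "tagged": tagged}


if __name__ == "__main__":
    result = triage(LISTING)
    print("direct imports:  ", ", ".join(result["direct"]))
    print("resolved at run time:", ", ".join(result["dynamic"]))
    for api, why in result["tagged"].items():
        print(f"  {api}: {why}")
```

The run-time resolution heuristic is deliberately narrow: it only pairs a string with the very next GetProcAddress call, so a binary that resolves many APIs from a table would need the table walked instead.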

V. Summary

We have now completed the whole analysis of the "Guangwai Girl" Trojan and understand its start-up and operating mechanism. Of course, my purpose in writing this article is not simply to introduce "Guangwai Girl" but, through the detailed analysis of this typical Trojan, to introduce you to the method for analysing Trojans in general. With it, you can analyse any unknown Trojan variant. Finally, let's summarise the methods and steps of Trojan analysis:

First, back up the system registry and system files, then run the Trojan server, then record the registry and system files again and compare the two records with the registry analysis tool; this shows what the Trojan has tampered with in the system. Use Fport to see which port the Trojan listens on. Then use the information obtained to work out a removal method for the Trojan.

If you want to analyse the Trojan further, unpack and disassemble the Trojan server. This lets you fully understand every move the Trojan makes; of course, it requires a considerable command of assembly language and some patience, because lengthy assembly code is not something a beginner can read through completely.

If you want to go further and analyse the Trojan's packet format, use a sniffer to listen on the Trojan's port and compare the captures. That analysis method is more complicated and is not explained in this article.

Just reading the article is not enough: if you want to analyse a Trojan thoroughly, you must practise it yourself! Good luck! (End)

Understanding Windows 2000 and NT4 Systems and Processes (1)

Source: Wales

This lecture is number TNQ 400-02. I am David Solomon, and in the next two hours we will discuss how to observe Windows 2000 and Windows NT 4.0 from the outside in order to understand their internal operating mechanisms and how those mechanisms are implemented at the system level; we will also look at the processes running in the system. The purpose of this lecture is to help you when you look at an NT system's state or behaviour and something seems wrong; to let you look under the covers of the system and understand how CPU time is allocated; and, if the system is running slowly, to tell you what is running, why, and how to separate operating system time from application execution time.

This lecture assumes that you are familiar with basic operating system concepts such as processes, multitasking, virtual memory and paging, and that you are an experienced NT user. You need not be a system administrator, but you should at least be a competent NT user.

After this lecture you will be able to use a number of different tools to observe the activity inside a process, so that you can find which files it has opened, the sources and targets of its I/O, which dynamic link libraries (DLLs) a process is using and where on disk they were loaded from, and some details of process security.

As I mentioned, one purpose of this lecture is to explain CPU time. So if the CPU is running, what is it doing, why is it doing it, where is the time being spent and how is it used: by the operating system, a device driver, the executive, or an application? Understanding another aspect of the NT operating system means knowing which system processes exist. So if something is running and it is not one of your applications, then it is part of NT. What role do those running processes play, how can you track them, and what might cause them to take up CPU time? One of them is the Windows NT services, which consist of Windows NT system processes. Sometimes it is not very clear which process is behind a service that you can see in the administrative interface.

Finally, we will look closely at the granularity of a very special system process, which contains special types of driver threads running pieces of NT; because of the existence of this special process, it is necessary to understand in depth which piece is running and why.

Here is a road map for this lecture. First, I will give a concise overview of the relevant tools and where they come from. This will be a highly tool-dependent lecture, and I will use some of the tools obtained from the toolkit, the resource kit and the Internet. Next, we will view NT system activity from three angles: first processes and threads, then interrupt time and its service and interpretation mechanism in NT, and finally a walk through the system process tree.

The final topic is a process activity we don't want to happen but often encounter, namely what happens when a process dies. We will see what leads to Dr. Watson, what further output you can get from it, and how you should deal with that output.

Let's first look at the tools. This is a summary of the tools used in this lecture. Performance Monitor plays a key role in observing NT system activity. We will also look at some registry keys. The registry is the system database NT uses to configure itself, so it contains information that helps you understand where a program is run from and maps service names to image names. Next, we will explore two process observation tools from the Support Tools. For those who are new to Windows 2000: the Support Tools did not exist in NT 4.0. There was a limited subset of the NT 4.0 Resource Kit, bundled with Service Pack 4.0, called the Windows NT Resource Kit Support Tools; in Windows 2000 the kit was renamed the Windows 2000 Support Tools to eliminate confusion between it and the Resource Kit. It is part of every Windows NT and Windows 2000 retail version, lives in the Support Tools folder, and is installed with a proper installer. It includes 40 to 50 tools integrated from the Resource Kit; the kit is critical and indispensable for Windows 2000 users. I will use two tools from the Resource Kit. They are a small part of the more than 200 tools in the Resource Kit, and I recommend that, if you have not browsed the Resource Kit tools before, you do so; these two tools are an important supplement to the Support Tools. Through them you will be able to inspect the NT system and understand its internal activity.

The next four tools listed are from the Sysinternals.com website. You may already be very familiar with the site; it was formerly called NT Internals. Here I will go to its home page so that you can see what the site looks like. Sysinternals is a freeware site with tools free to download. The source code of most of these tools is also published; they are designed to obtain information about NT through supported interfaces, and much of this information is not accessible through standard Microsoft tools. Most NT administrators are very familiar with it, and you will see two of its tools used in this lecture.

Then let's start from the most basic level, processes and threads, but first define the terms. What is the difference between a process and a thread? A process is an instance of an executing program. For example, when you run the Notepad program, you create a process to hold the code of Notepad.exe and the calls it requires. Each process in NT runs in its own private, protected address space, so if you run two copies of Notepad, the data used by each instance is separate from the other; one copy of the program cannot see into the other copy of Notepad. Let me illustrate with a sandbox. A process is like a sandbox, and threads are like children in the sandbox. The children run around in the sandbox and may kick sand into other children's eyes, or kick or bite each other. However, these sandboxes differ in that each one is completely enclosed by walls and a ceiling, so whatever the children in one box do, they cannot affect the children in other sandboxes. Each process is therefore like a protected sandbox that nothing can enter or leave without permission. This is the mechanism behind NT's strong memory protection model, and it is this mechanism that distinguishes NT from Windows 3.1, Windows 95 and Windows 98.

In Windows NT and Windows 2000 it is not possible for a program, program instance or process to affect another process or its memory space. The only way for two processes to share private data or memory is to share a memory block by agreement; this is a cooperative strategy.

NT runs threads. In other words, it is the thread that runs, not the process. Every process begins with a single thread, so when you run Notepad, the corresponding process sandbox is created to hold code and data, and a thread is created to begin executing at the main entry point of the Notepad program. Once that thread is running, it can create additional threads, and the multiple threads of a process are scheduled in parallel, which makes multithreaded programming very complex, because every thread shares the process's private memory space. So in the illustration on this slide, the three threads in the process (all potentially capable of running at the same time) have equal access to the private data, or address space, of the process, and therefore the three threads must synchronise with each other.
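The two halves of the sandbox picture, threads sharing one process's memory and separate processes each holding a private copy, can be observed directly. The following is an added example, not part of the lecture: several threads increment one shared counter under a lock, while a forked child process changes its own copy of the same variable without the parent ever seeing the change. It uses os.fork, so it runs on POSIX systems; the address-space isolation it shows is the same property the lecture describes for NT.

```python
import os
import threading

# Added example (not part of the lecture): threads share their process's
# memory; a separate process has its own private copy.

SHARED = {"counter": 0}


def run_threads(n_threads=4, increments=10_000):
    """Several threads update the same dictionary entry. They must
    synchronise (the lock) precisely because they share the process's memory."""
    SHARED["counter"] = 0
    lock = threading.Lock()

    def worker():
        for _ in range(increments):
            with lock:
                SHARED["counter"] += 1

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return SHARED["counter"]


def run_child_process():
    """A forked child overwrites its copy of SHARED and reports it over a pipe.
    The parent's copy is untouched: each process is its own sandbox."""
    SHARED["counter"] = 1
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child process
        os.close(read_end)
        SHARED["counter"] = 99
        os.write(write_end, str(SHARED["counter"]).encode())
        os._exit(0)
    os.close(write_end)                # parent process
    child_value = int(os.read(read_end, 16))
    os.close(read_end)
    os.waitpid(pid, 0)
    return SHARED["counter"], child_value


if __name__ == "__main__":
    print("counter after 4 threads x 10000 increments:", run_threads())
    parent, child = run_child_process()
    print(f"parent sees {parent}, child saw {child}")
```

Removing the lock in `run_threads` is the quickest way to see why the lecture says threads "must synchronise with each other": the final count then depends on how the threads were interleaved.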

So why have multiple threads? Why would a programmer choose to split a program into multiple threads? There are two reasons. 1) It gives the illusion of better responsiveness. Take Microsoft Word as an example. When you print a document, having selected background printing, the print processing goes on asynchronously while you continue editing the document. How does that happen? Word has created a separate thread to do the print processing and has set the priority of the print thread lower than that of the thread that handles the user, so that the user has the illusion that the application is responsive: different priorities are assigned to different threads in order to respond to the user. 2) What you cannot get in Windows 98 and Windows 95, but the biggest benefit available in Windows 2000 and Windows NT 4.0, is that if you are working on a multiprocessor system and there are multiple threads to run, those threads will actually run simultaneously on the available processors. In other words, a multithreaded application can run automatically on multiple processors, as long as: a) the application needs to run several threads at the same time; and b) the priorities of those threads support the application's operation. In other words, if a higher-priority thread exists on another CPU, then although your application has threads to run, because there is a more important task on the other CPU, only one of your threads can run at a time.

A trick question. Is it possible to add a second processor to make a single-threaded application run faster? Imagine you have a very simple, compute-bound, single-threaded application that does nothing but calculation. Will adding a processor make the application run faster? Well, your first reaction is no, but the answer is yes, because NT also has several pieces of its own code running as threads. Like most operating systems, NT has background housekeeping work of its own. So adding a second processor means that this kind of back-end housekeeping will go on without the main compute-intensive application being briefly interrupted to run the background operating system handlers.

That is a brief description of processes and threads. As for the layout of the sandbox, NT and Windows 2000 are 32-bit operating systems. If you do the arithmetic, you will know that 32 bits means 4 GB. By default, NT divides the 4 GB address space into two 2 GB address spaces, one assigned to the user process and the other to the operating system. In other words, each process is given the illusion that it has up to 2 GB of virtual memory space into which code or data can be loaded. Of course, on a 128 MB laptop, if you run five applications that each extend to 2 GB, clearly only a subset of those memory spaces exists in physical memory at any time. This is transparent and carried out in the background: this is virtual memory at work. Like any operating system that uses virtual memory, Windows 2000 brings into physical memory only those segments of the memory space that the process is using. Take Notepad as an example: when you run Notepad.exe, NT does not read all of Notepad.exe when the program starts; it reads only the parts of the executable image that the main thread happens to execute and reference. Similarly, the dynamic link libraries Notepad calls are not read from disk when they are loaded; only when the subroutines in those dynamic link libraries are actually called are the sections on disk that contain the referenced code read in, on demand.

The lower half of the screen, the 2 GB system sandbox, is quite compelling because NT provides no protection between operating system components and drivers. I believe many of you have experienced blue screens, and blue screens caused by program errors and third-party drivers are often blamed on NT's system management; in fact they are caused by errors in a third-party device driver, and one reason NT gets the blame is that all of NT and all device drivers live in the same sandbox. So while every running process cannot affect other processes and cannot affect the operating system, the operating system and the drivers live in the same sandbox, and there is no protection mechanism between a driver and the operating system. Now you may ask why. The answer is performance. This is a fact of life for every 32-bit operating system: switching address spaces for every driver or executive call would cost a great deal of performance. But it should be emphasised here that this is one of the original reasons Windows 2000 added driver registration and Windows File Protection: to avoid or limit adding drivers to the system sandbox without comprehensive verification and testing.

There is no "operating system process". Below we will see a process called "System", but that is not the operating system. Some operating system work runs in that process, and there are also several processes that perform background work for the operating system. When Notepad opens a file, it makes a system call to open the file on disk, and that open of the disk file is performed in the context of the Notepad thread that made the request. In this sense the operating system runs inside the Notepad process, and because the operating system is precisely a large subroutine library that user threads call to open files, read files, allocate virtual memory and create processes, it likewise runs inside every other process.

Windows 2000 adds a new object that allows multiple processes to be grouped into a job. A job consists of one or more processes together with shared limits and other settings that previously could only be applied on a per-process basis. For example, if you have a batch server system running on Windows 2000 and you want to limit the number of active processes in a particular customer's job, this is possible: an active-process limit can be set as an attribute of the job. Or if you want the job to use no more than 50 megabytes of memory, there is a way to specify the maximum memory the job can use, and the job can still include several processes that carry out the whole piece of work. If you look at Windows 2000 Server and Windows 2000 Advanced Server, you may not notice the job object's existence at all, because unless you have created a job object and observe it with Performance Monitor, nothing in the user interface indicates that job objects have been added to the system. Windows 2000 Datacenter Server will provide a Process Control Manager tool that allows system administrators to create job objects, assign processes to them, and set the limits and quotas shown on this slide. The job object can be described as a basic Windows 2000 kernel element provided for use by third-party applications. You might think of batch use of job objects at first, and the Process Control Manager and Datacenter will also use this kernel object.

Here I want to mention one aspect of the job object, the scheduling class, which is very interesting for large servers, even though we are not discussing Windows 2000 thread scheduling here. What is interesting about the job scheduling class is that it lets you control an important aspect of how threads execute, something that could not be set in Windows NT 4.0. The scheduling class is a number from 0 to 9; 5 is the default. If the value is raised above 5, the scheduling class lets the threads in the job's processes run longer when their turn comes; if it falls below 5, it shortens the length of time the threads run. This is class-based scheduling: in other words, you can say that one job gets 20% of the CPU and another job takes 50% of the CPU. In Windows NT 4.0 this kind of partitioned scheduling could not be done. Someone might think, "I can raise the priority of a process, and that will give its threads more run time", but that hands the process a disproportionate share of the running. If you run two processes at the same time, one with a higher priority than the other, and both are trying to run, the higher-priority process will basically take 100% of the CPU. The scheduling class attribute now allows the CPU to be partitioned by percentage of CPU time, and this is a very exciting capability that the job object brings.
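To make the contrast above concrete, here is a toy model (added for this page, not code from the lecture or from Windows 2000) of a round-robin scheduler whose turn length depends on a job's scheduling class, beside a strict-priority scheduler. The quantum lengths, the 1 ms tick and the job names are assumptions of the model, not Windows 2000's actual values.

```python
"""Model of the two ways of dividing the CPU that the lecture contrasts.

Added example, not code from the lecture or from Windows 2000: a toy
round-robin scheduler in which a job's scheduling class (0 to 9, default 5)
lengthens or shortens its turn, next to a strict-priority scheduler in which
the runnable thread with the highest priority always wins.  The quantum
lengths and the 1 ms tick are assumptions of the model, not Windows values.
"""


def quantum_ms(scheduling_class: int) -> int:
    """Assumed turn length for a class: 5 gives the base 10 ms turn, every
    class above 5 adds 10 ms, every class below 5 shortens the turn."""
    if not 0 <= scheduling_class <= 9:
        raise ValueError("scheduling class must be between 0 and 9")
    if scheduling_class >= 5:
        return 10 * (scheduling_class - 4)      # 10, 20, 30, 40, 50 ms
    return max(1, 2 * scheduling_class)         # 1, 2, 4, 6, 8 ms


def cpu_share_by_class(classes: dict, total_ms: int = 1000) -> dict:
    """Round robin over jobs whose threads are always runnable: each job gets
    one turn per round, and the turn lasts quantum_ms(its class).
    Returns the percentage of CPU time each job received."""
    used = {name: 0 for name in classes}
    names = list(classes)
    elapsed, turn = 0, 0
    while elapsed < total_ms:
        name = names[turn % len(names)]
        slice_ms = min(quantum_ms(classes[name]), total_ms - elapsed)
        used[name] += slice_ms
        elapsed += slice_ms
        turn += 1
    return {name: round(100 * ms / total_ms) for name, ms in used.items()}


def cpu_share_by_priority(priorities: dict, total_ms: int = 1000) -> dict:
    """Strict priority with 1 ms ticks: at every tick the runnable thread with
    the highest priority runs.  With every thread always runnable, the
    highest-priority job starves the rest, as the lecture describes."""
    used = {name: 0 for name in priorities}
    for _ in range(total_ms):
        winner = max(priorities, key=priorities.get)
        used[winner] += 1
    return {name: round(100 * ms / total_ms) for name, ms in used.items()}


if __name__ == "__main__":
    # The lecture's example: one job is given 20% of the CPU, another 50%;
    # a third job here takes the remaining 30%.  Classes 6, 9 and 7 give
    # turns of 20, 50 and 30 ms, i.e. a 2:5:3 split of every 100 ms round.
    jobs = {"batch": 6, "web": 9, "reports": 7}
    print("scheduling class :", cpu_share_by_class(jobs))     # 20 / 50 / 30
    prio = {"batch": 8, "web": 10, "reports": 8}
    print("raised priority  :", cpu_share_by_priority(prio))  # 0 / 100 / 0
```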

Now, observing the basic process and thread information in NT is a bit of a headache, mainly because there are many tools that show different subsets of the same basic information (the process list). Some tools also display the threads that exist in each process. Although most of the tools that can display processes and threads tend to draw their information from the same data source, each of them can also display a unique fragment of information that the others do not. Here we will use two of them for demonstration; these two meet the main needs for observing process and thread information, but I should also point out that other tools have corresponding functions and these two are simply the ones used in this lecture. Another factor that gets in the way of understanding "what is running?" is the name of the image being run. For example, Notepad.exe may represent the name of the program being executed, but it may not actually be that program that is executing. In other words, the name of an executable file may not tell you which product it is part of or which directory it came from. Therefore, one of the basic tasks a system administrator should perform when observing process activity on a Windows 2000 system is to find out which corner of the disk the executable came from. If you know which program folder the process lives in, for example Microsoft Office, or whether it lives in your WINNT\System32 directory, then you will be able to tell which component the process comes from.

Now, there is a Visual Basic script called PS in the Windows 2000 Resource Kit, one of about 90 VB demonstration samples for a new infrastructure in Windows 2000 called WMI (Windows Management Instrumentation). WMI lets you access a great deal of information that could not be accessed before Windows 2000 and, more importantly, it lets you reach information across the network that was previously only available locally. Therefore, through the PS VBS script you can easily view the list of processes on a remote system. There is also a VB script that kills a process on a remote system. If you have not seen these 90-odd VB script examples in the Windows 2000 Resource Kit, I suggest you try them out.

But our primary question is: whether on a workstation or on a server, if the system seems very slow, what is it running? The fastest way for me to find out what is running is to call up Task Manager, go to the Processes tab, and sort by CPU consumption. Before we do that, let me introduce Task Manager as our first process browsing tool. Task Manager may seem a fairly simple and clear tool, but the names of the tabs and the information listed may still not be very clear. So let us call up the Task Manager mentioned on the slide.

There are three ways to start Task Manager. I will use the fastest, the key combination Ctrl+Shift+Esc. When I press Ctrl+Shift+Esc, the default tab we see is the Applications tab. Now, if I asked you what this list is a list of, how would you answer? No, it is not a list of applications; no, it is not a list of processes. In fact, it is a list of a very particular kind of top-level visible window. In other words, this is a list of windows, but the windows in the table are not all the windows in the system, nor all the visible windows on the desktop; roughly speaking, it is the list of top-level, visible windows that you can click directly on the taskbar or see by pressing Alt+Tab.

Now, windows are owned by threads, and threads are owned by processes, which is why a window can be mapped to a process. If I right-click and choose Go To Process, it takes me to the Processes tab with the process highlighted; now I click the mouse to show it in inverted color (blue): the thread that owns the window, and the process that owns that thread. Here we see the mapping between windows and processes. Now, back to the Applications tab.

Now that we know this is a window list, what does the Status column mean? Well, the window itself is not running. Running means the thread that owns the window is not running; Not Responding means the thread that owns the window is running, in the background. In other words, a Running window is one that is accepting mouse input, that is, graphical user interface window input: the thread that owns the window is currently waiting for you to click on the window. So the normal state of a window is Running. Once again: Running means the thread that owns the window is waiting for you to click on the window; the window itself is not running.

Not Responding is the status you see when a window seems to be hung; or rather, the state is shown visually: when you move the mouse over the window, the window does not react to it. What do you see? An hourglass. The hourglass simply means that the thread owning the window is not currently accepting graphical user interface input. It does not necessarily mean the application is hung. The thread may be busy with another task, perhaps just waiting for I/O on a disk or the network, and will soon go back to accepting window input. So when the thread returns to waiting for GUI input, everything is normal again; the Not Responding state sometimes clears by itself. Of course, if the application really is hung and the thread will never return to accepting window input, the window keeps showing as Not Responding, and you can click End Task, which sends the thread owning the window a message asking it to release the window. The End Task option on the Applications tab does not close the process and does not close the window; it sends the thread a friendly message asking whether it would like to release, or close, the window. That is the message it sends.

Let us perform a quick End Task demonstration by running Notepad, typing some text without saving it, and trying to close the window. I will select the Notepad window in Task Manager, press End Task, and pay attention to what happens on the left. Notepad received the close-window request and refused it, because you have not saved your changes; I will not repeat the operation. Meanwhile, Task Manager is impatient about the window it asked to be closed and released. In other words, the window you asked to be closed is still there. So Task Manager says, hey, we cannot end this program. It is waiting for your response, because you could go back to the window and cancel; if instead you choose End Now, you will lose all the unsaved data. Pressing End Now is in a sense a dangerous operation, because it kills the process that owns the thread, and that thread is active, in the middle of some operation: it may be updating files on disk, doing network I/O, who knows? So be careful when you choose End Now, because the process whose thread owns the window is removed from the system with no chance to clean up.

Now let us look at the Processes tab. The processes here are the set of processes we have been talking about; they are identified by the executable image they are running, which is why the first column of the Processes tab gives the image name. Note that there is no process-name column here. Processes have no name independent of the image they are an instance of. In other words, if you run Notepad five times, you will see five processes called Notepad.exe. How do you tell them apart? One way is by their process ID, since each process has its own unique number. The process ID is generated by Windows NT or Windows 2000 and can be reused. So process IDs do not grow ever larger; they are recycled.

The third column is the percentage of CPU time consumed by the threads in the process. It is not the number of CPUs but the percentage of CPU time occupied by the process. In the current display my system is basically idle. Although the system seems to use only a small amount of CPU time each second, the System Idle Process still consumes roughly 99% of the CPU time. We will look at that phenomenon in a moment.

The fourth column, CPU Time, is the hours, minutes and seconds of CPU time that the threads in the process have used. Note that I said "the threads in the process". This does not necessarily mean the process actually consumed that much CPU time, because, as we will see, NT's timing scheme is that when a particular clock interrupt fires, whoever happens to be the current thread is charged with the whole CPU interval. Usually, on most NT systems, the clock fires at 10 millisecond intervals; every 10 milliseconds the heart beats. A piece of driver code asks who the current thread is and says, let us record the last 10 milliseconds of CPU time on its account. So if one thread starts running and runs for 8 milliseconds, and then a second thread starts and runs for 2 milliseconds, at which point the clock fires, which thread do you think the whole 10 millisecond clock cycle is recorded against? The answer is the second thread. So there is some inherent inaccuracy in NT; NT simply works this way, and in fact most 32-bit operating systems have interval-based timing mechanisms. Keep this in mind, because sometimes when you look at the CPU time consumed by a thread, even though the thread may seem to have run 100,000 times, its CPU time may be zero or very small, and the above explains why. Those are the basic information columns you can see in Task Manager's Processes tab.

Now, if you choose Select Columns from the View menu, you can add some additional columns of detail, such as the I/O counters: I/O reads and writes. This is a new feature of Windows 2000 and lets you see I/O activity on a per-process basis. In NT 4.0, the I/O counters covered the whole system and all disks. Tracking I/O operations per process is an extra capability that is very important for understanding process activity, because now we can see which process is causing the I/O that occurs on the system. I have added the thread count, which represents the number of threads in the process, and I have also added the handle count, which represents the number of open objects. In a later part of this lecture we will come back to open handles.

Finally let us go to the Performance tab. The Performance tab shows 13 of the 200 to 300 core NT performance counters that Performance Monitor can display. We once again see a subset of the core system performance counters that people usually look at with the Performance Monitor tool, and some of the labels here may not be clear enough. For example, the memory usage column has nothing to do with physical memory; it is the committed, private virtual memory in the whole system. We will not go deep into these details, only note that some of the items in the display area let you take a close look at the system before it reaches its capacity limits. That is Task Manager in a nutshell. It is a shortcut: with this tool you can find who the annoying process is on a slow system. Here, call up Task Manager again, press Ctrl+Shift+Esc, go to the Processes tab, click the CPU column, and Task Manager's output is sorted by CPU utilization.

Keep in mind that every time you call up Task Manager it is sorted by process ID, even though process ID is not a very useful sort order, because Task Manager does not save your settings from one invocation to the next. If you want to sort by CPU percentage, you must click the CPU column. This is a shortcut for quickly finding which process or processes are consuming the system.

Now let us turn to the Process Viewer utility, PViewer.exe. This is one of the Windows 2000 Support Tools we will run; it shows more details about processes and threads that we will need later when we examine the system processes. We start it via Start / Programs / Windows 2000 Support Tools / Tools / Process Viewer. The initial display area is the list of processes on a system. Note that there is a way to choose a remote workstation or server name. Unlike Task Manager, if you have access permission to the registry of a remote workstation or server, you can view the remote process list. This is because the basic process and thread information displayed by most tools actually comes from the NT performance counter mechanism, retrieved from the system by performing a registry query. Now, given what we know about why process viewing tools must use the performance data mechanism, look at the first process in the list, named _Total. That is not a real process, nor does it appear in the Task Manager list, but if you have used Performance Monitor you will have seen that most performance counters with multiple instances (such as the Process object) have a specially constructed internal instance named _Total, which Performance Monitor uses as a fast aggregate count across all instances of the object. If you want to quickly sum one or more counters across multiple objects, the _Total instance is a very convenient feature of the performance counter mechanism. PViewer is not smart enough to hide this; it shows _Total the way it is reported, but it is not a process. The first real process in the list is CMD. Now, note that the processes are sorted alphabetically by executable file name; CMD is the first executable name in alphabetical order. Do not forget that Task Manager sorts by process ID. Task Manager shows the process ID as a decimal number, while PViewer shows the process ID in hexadecimal after the image name.

There is an important distinction between privileged time and user time, which tells you, for each process, how much time is spent in the application compared with inside the operating system. Later in the lecture we will come back to the comparison of privileged and user time, but remember that PViewer is one of the tools that lets you learn more about the CPU time a process consumes, by splitting it between the application and the operating system. Now, as I click from process to process and scroll through the process list, what happens in the bottom display area? That is the thread list. If you recall the description I gave earlier, you know that each process contains a set of threads, and those threads belong to that process. Obviously the thread list of one process will differ from the thread list of the next process. If I select a thread, click it, and move down the thread list, note what changes at the bottom of the display area.

The bottom of the PViewer display area gives information for each thread, including its priority value (between 1 and 30). The number of context switches is the number of times NT selected the thread to run. Now, there is a thread here that looks a little special. It has been selected 58 times, but the CPU time it has been charged is only 1% of a second. Do you remember the reason for this discrepancy? Whenever the 10 millisecond clock interval fired, this thread was definitely not the current thread. Here is another example: thread 5 in the service host does not seem to have run at all, but look at its context switches: 76. The thread was selected 76 times; it actually ran 76 times. But each time the 10 millisecond clock fired, it was never the current thread. So if we go back to the process list, you can see that the CPU time consumed by the process is only 0.871 seconds, which obviously does not reflect the sum of the CPU time consumed by all the threads in the process. Now, keep in mind that we do not lose CPU cycles. NT does not lose track of CPU cycles; it only measures each thread's CPU time in 10 millisecond increments, so threads are sometimes charged wrongly, but the errors average out and do not cause a real problem.
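The 10 ms accounting described in the Task Manager section above, and the "76 context switches but no CPU time" observation just made in PViewer, can both be reproduced with a small model. This is an added example, not code from the lecture or from Windows; the run histories it replays are constructed, and the 10 ms tick is the interval the lecture gives.

```python
"""Model of NT's interval-based CPU accounting, as the lecture describes it.

Added example, not code from the lecture or from Windows: a run history is
replayed against a clock that fires every 10 ms, and each tick's 10 ms is
charged to whichever thread is current when the tick fires.  Context
switches are counted as well, so the result shows how a thread can be
selected dozens of times (like the 76-switch thread in PViewer) and still be
charged no CPU time.  The run histories below are constructed for the example.
"""
from collections import Counter

TICK_MS = 10   # the 10 ms clock interval the lecture gives for most NT systems


def account(schedule, tick_ms=TICK_MS):
    """schedule: list of (thread, run_ms) in execution order; each entry is one
    time the scheduler selected that thread, i.e. one context switch.
    Returns {thread: {"actual_ms", "charged_ms", "switches"}}."""
    actual, charged, switches = Counter(), Counter(), Counter()
    now = 0
    next_tick = tick_ms
    for thread, run_ms in schedule:
        switches[thread] += 1
        actual[thread] += run_ms
        end = now + run_ms
        # every clock tick that fires while this thread is current (including
        # one that fires exactly as its turn ends) is charged to it in full
        while next_tick <= end:
            charged[thread] += tick_ms
            next_tick += tick_ms
        now = end
    return {t: {"actual_ms": actual[t], "charged_ms": charged[t],
                "switches": switches[t]} for t in switches}


def lecture_example():
    """Thread A runs 8 ms, then thread B runs 2 ms and the clock fires:
    the whole 10 ms cycle is recorded against B."""
    return account([("A", 8), ("B", 2)])


def starved_of_ticks(switches=76, busy_ms=1):
    """A thread selected `switches` times for short bursts, each followed by a
    long-running thread that is current when the tick fires: it is charged
    nothing, yet no cycles are lost (the long runner is charged them all)."""
    history = [("svc-thread", busy_ms),
               ("long-runner", TICK_MS - busy_ms)] * switches
    return account(history)


if __name__ == "__main__":
    for name, result in (("8 ms + 2 ms", lecture_example()),
                         ("76 short bursts", starved_of_ticks())):
        print(name)
        for thread, stats in result.items():
            print(f"  {thread:12s} actual {stats['actual_ms']:4d} ms"
                  f"  charged {stats['charged_ms']:4d} ms"
                  f"  switches {stats['switches']}")
```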

That is the Process Viewer tool. One more note about it: if you select a different computer name and press the Connect button to view a remote system, one button will disappear, and you will lose part of the functionality; the button that disappears is the Kill Process button. The reason it disappears is... do you remember how PViewer retrieves the process list? Through the registry. When I view a remote process list, I can query the remote registry and read the list of processes, but the registry does not control the system. I cannot kill a process through the registry. So if you want to kill a process on another machine, two tools are available. One is the kill-process script in the Windows 2000 Resource Kit, kill.vbs. It uses the new WMI in Windows 2000 (Windows Management Instrumentation) to perform those remote process control operations, which you could not do across the network before. The other tool is a client-server application in the Resource Kit called Remote Kill, which requires you to install a server-side program on the remote system whose processes you want to kill. Either through kill.vbs or through the Remote Kill client-server application, you can kill a process. Both tools are in the Windows 2000 Resource Kit.

Now, we have used two tools to view the process list, and the list appears as a flat structure. There is no parent-child relationship in the list, but in fact, when we move to the next slide, we will see that NT keeps information about which process created which process. In other words: who is my parent? Who is my child? This hierarchy is displayed by a tool called TLIST from the Windows 2000 Support Tools. Now, TLIST stands for task list, but what it shows is a list of processes; in fact the term "task" does not necessarily mean anything in the NT kernel. I will call up the command line and type TLIST /T. What TLIST does is produce, for each process, the parent-child relationship, showing who is the parent and who is the child using a simple indentation format. However, TLIST is only as intelligent as the information NT records. When we go back to the slide, we will notice that if the parent process is dead, TLIST left-aligns the process. This is because NT only records the ID of the parent process. If your parent is no longer around, you cannot trace who your grandparent was. When TLIST finds that the parent of the current child process is no longer running, the process is placed at the left margin, and that is how this situation is indicated. Now, there is nothing unusual about seeing a child process without a parent process. When you log out, all the processes in your interactive session are deleted. NT does not kill the child processes when the parent process dies. Going back to the output of TLIST /T, we see that on my system explorer.exe is an orphan; it has no parent process. The reason is that when you log on, the logon process runs an intermediary program which starts Explorer, and this intermediary exits once its job is done. All the child processes of Explorer represent the programs I have run since the lecture began today. For example, I started an Internet Explorer instance; I ran the command line; from the command line I ran PowerPoint and TLIST, and this time I also generated the display area by running TLIST. A moment ago I also ran, from the Start button, the Process Viewer tool, which is likewise owned by Explorer. TLIST /T is an important diagnostic tool because, by knowing the parent of a process, or by observing its position in the system's process hierarchy (or tree), you can quickly classify where the process came from. If the process is a child of Explorer, it must have been started from the desktop graphical user interface. If the process is a child of a system process, it must be a piece of NT. In the next section we will explain all the processes in the process tree this tool shows. So, let us go back to the upper part of the display area.

A new option in the Windows 2000 Task Manager is End Process Tree. However, based on what I said earlier, Windows NT keeps no information beyond the parent process ID, so if you try to end a process tree and all the processes under it, what will happen? Will Task Manager find all the descendant processes of the same parent? Let us do a quick demo. I will go to the command line and start a child command prompt by typing CMD at the command prompt. Now, from the second command prompt we will run Paint (MS Paint). In this way we have a tree structure: one command prompt created another command prompt, and that command prompt created Paint. Let us look at TLIST /T to see how this tree is shown. Here we see the parent command prompt, the child command prompt, and MS Paint as the grandchild. Now, what happens if I exit the middle-generation command prompt? Well, let us exit the middle one. What am I left with? Paint still exists. So when the parent process exits, the child process does not exit. This raises an interesting question. If we now call up Task Manager by pressing Ctrl+Shift+Esc, go to the Applications tab, select the first command prompt, right-click, choose Go To Process, and find the process that owns the window, this is the command prompt instance, cmd.exe, that owns the first window. Now, if I right-click and choose End Process Tree, will Windows 2000 find Paint? Remember that Paint is the grandchild of this command prompt. Let us try: click End Process Tree. Task Manager warns me that terminating a process may cause data loss, because the threads get no chance to clean up. I will do it anyway and click Yes. Paint is still running. Why? Once again, this is because NT only retains a record of who created a process, not of grandparents or grandchildren. So keep this in mind when you use the new End Process Tree option.
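The TLIST /T listing and the End Process Tree demo above both follow from the one fact the lecture stresses: NT records only each process's parent ID. The model below (an added example, not code from the lecture or from the Windows tools) rebuilds the tree from a constructed snapshot of (pid, parent pid, image) records, left-aligns orphans the way TLIST /T does, and ends a "process tree" by following parent links through living processes only; the PIDs and the assumption that End Process Tree walks live links are the model's, not Windows 2000's documented behaviour.

```python
"""Model of what TLIST /T and Task Manager's End Process Tree can see, as the
lecture describes it.

Added example, not code from the lecture or from the Windows tools: NT records
only each process's parent ID, so this code rebuilds the tree from
(pid, parent pid, image) records, left-aligns a process whose parent has
exited, the way TLIST /T does, and ends a "process tree" by following the
recorded parent links through living processes only.  The process table is
constructed for the example; the PIDs are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # parent's PID: the only ancestry NT records
    image: str


# Constructed snapshot resembling the lecture's demo: explorer.exe's parent
# (the intermediary the logon process ran) has exited, cmd.exe 1100 is the
# first command prompt, its child prompt 1200 has already been closed, and
# mspaint.exe 1300 is the grandchild that prompt 1200 started.
SAMPLE_PROCS = [
    Proc(8, 0, "System"),
    Proc(1040, 980, "explorer.exe"),
    Proc(1100, 1040, "cmd.exe"),
    Proc(1150, 1040, "powerpnt.exe"),
    Proc(1300, 1200, "mspaint.exe"),
    Proc(1400, 1100, "tlist.exe"),
]


def build_tree(procs):
    """Return (children-by-pid, roots).  A process whose parent PID is not in
    the snapshot is a root: there is nothing left to hang it under."""
    alive = {p.pid for p in procs}
    children = {p.pid: [] for p in procs}
    roots = []
    for p in procs:
        if p.ppid in alive and p.ppid != p.pid:
            children[p.ppid].append(p)
        else:
            roots.append(p)
    return children, roots


def render_tlist(procs):
    """TLIST /T style listing: two spaces of indent per generation, orphans and
    system roots at the left margin."""
    children, roots = build_tree(procs)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.image} ({p.pid})")
        for child in sorted(children[p.pid], key=lambda c: c.pid):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r.pid):
        walk(root, 0)
    return lines


def end_process_tree(procs, pid):
    """Terminate `pid` and every process reachable from it through living
    parent links.  A grandchild whose parent already exited is unreachable,
    exactly as Paint survived in the lecture's demo.  Returns the survivors."""
    children, _ = build_tree(procs)
    doomed, stack = set(), [pid]
    while stack:
        current = stack.pop()
        if current in doomed:
            continue
        doomed.add(current)
        stack.extend(c.pid for c in children.get(current, []))
    return [p for p in procs if p.pid not in doomed]


if __name__ == "__main__":
    print("\n".join(render_tlist(SAMPLE_PROCS)))
    survivors = end_process_tree(SAMPLE_PROCS, 1100)
    print("after End Process Tree on cmd.exe 1100:",
          [p.image for p in survivors])   # mspaint.exe is still there
```

Adding the middle prompt back as `Proc(1200, 1100, "cmd.exe")` makes the grandchild reachable again, which is the contrast the demo turns on.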

Now let us look at another important piece of information about process activity: which files are open. Neither Windows 2000 nor Windows NT includes a tool for this, but it is indeed a very important diagnostic task, because if you run into a file-locked error, the file is definitely open in some process on the local workstation or on a server. Without the tools mentioned on this slide you cannot find out who has the file open.

Another important aspect of open files concerns applications with a bug that leaves files unclosed. It shows up as a system memory leak, because each open file occupies a portion of system memory. So on a system where an application keeps opening objects without closing them, NT will run out of system resources because of those applications that do not close their handles.

First, let us see how Task Manager can quickly show the number of handles a process has open. I press Ctrl+Shift+Esc to call up Task Manager; a moment ago, when we looked at the settings, I added a column showing the handle count for each process, and I will move the mouse to this column. If I click the column header, Task Manager sorts by handle count. Here we see a process called ServiceHost.exe with 760 open handles; we will come back to it in a moment. If you have an application that does not close its handles, this is the number you will see, and this is the column you should check. You can also view this value for the whole system, because the Performance tab shows the total number of handles, the total number of threads and the total number of processes. If you suspect a handle leak, check the total handle count. If the number is slowly growing, go to the Processes tab, select the Handles column and sort by number of open handles; that lets you quickly identify the process that is not closing its handles. When you end a process, all the handles in the process are closed and the system resources they occupy are returned. That is one side of viewing handle information. The other side is finding out which objects the handles are open to. In other words, what are those 760 handles? Do they represent files, network objects, registry keys, threads and processes, or something else? This question brings us to two tools that let us look at the handle table in a process.

The first is the OH tool. OH stands for open handles, and it is a tool in the Windows 2000 Resource Kit. For OH to work, it must set a special internal flag in the registry that is read when the system boots, so the first time you use this tool you need to reboot the system. This special flag makes NT retain more open-handle information than usual. Running OH with this setting turned on is not a big problem on any NT system and does not cause serious consequences, but it is not set by default. So when you first run OH you will get an error message, or a prompt saying that you have set the special flag and should reboot the system. Well, I have already done that on this laptop, so let us go to the command line. We will call up a command prompt. First I will type OH /? to see the options. OH has two options. With the first option you specify the process ID you are interested in; in other words, I can display the handles opened by the process with ID 43. The second option is to view a specific type of open handle: for example, a file, a registry key, a thread, and so on. I want to emphasize the last option, finding open handles whose object has a specific name. Let us work through an example. If I want to find the handles for a PowerPoint (.ppt) file, I enter OH -t file together with .ppt, meaning only handles to file objects whose object name contains the .ppt extension. What is the answer? It is PowerPoint. Here is the open handle for the PowerPoint file, and the PowerPoint file here also contains the presentation we are running, TNQ400-02.ppt. If you run into a file-locked error, this is a shortcut for finding the process associated with the file. However, if you look at the output, you will find that an important piece of file information is not displayed by OH. What is missing in front of the file name? The drive letter. That brings us to the second tool shown on the slide.

That tool is Handle.exe, a graphical user interface tool whose command-line version is NT Handle. This is the first tool from the Sysinternals website that we have run. It is free software. Note that, like most tools from Sysinternals.com, this one also uses a device driver. When you first run Handle.exe it loads a driver into the system and, as we mentioned earlier, like other drivers this device driver shares the same memory space (or sandbox) as the Windows NT system, which means that if there is a bug in the driver it can bring the system down. That is true of any device driver. The reason Handle.exe uses a device driver is that the tool bypasses the security mechanism to retrieve the full names of open files from the process handle table, which touches information not normally accessible from an ordinary Windows application. Let us take a look at the Handle.exe tool. This is the graphical user interface version. When it starts, it displays the list of processes on the system. When I select a process, for example by scrolling down the list and selecting PowerPoint, Handle.exe displays the handle table opened by that process. Now the tool is sorted by handle number, which is not very important information, so I will re-sort the handle table: I click the Type column, and we immediately see the list of open files, including the full path name of the PowerPoint file in the current presentation. Here the disk drive C: has been added to the path name. So Handle.exe is another way to view handles. This tool does not need a system reboot, as the OH tool does, for a special flag to take effect. The downside is that it needs a device driver and therefore brings with it the usual restrictions and warnings about running driver code on your system. Speaking for myself, I have never had it crash anything, but the tool does load privileged code into the operating system's sandbox.

Another way to view handle information with Handle.exe is to perform a search. If I click the Search / Find menu item or press F3, I can type a partial file name (for example .ppt) in the dialog that appears and click Search; Handle.exe will search all handles for names containing the .ppt extension. So I have once again found a process that has a PowerPoint file open. This is another way to view open handles.

Another class of trouble for Windows system administrators comes from dynamic link libraries. Dynamic link library conflicts are, in the eyes of system administrators, the cause of many failures. In Windows 2000 this problem is greatly alleviated by Windows Installer's adaptive application support and by Windows File Protection, which automatically restores system dynamic link libraries that have been deleted or replaced with a wrong version. So DLL conflict and replacement issues will change overall in Windows 2000, but being able to look at a process and find out which DLLs it has loaded, and where they are on disk, is still very important to us.

Before observing a live process, let us look at the static view: given an executable file, tell me which DLLs it will load when it runs. To observe this we use Dependency Walker, which is included in the Windows 2000 Resource Kit; I start it with Start / Run / depends. Once the Dependency Walker window appears, I can open an executable or another executable image. I click File / Open and, as an example, select Notepad. The default folder Dependency Walker opens is WINNT\System32, where most Windows 2000 and Windows NT 4 executables live, so we are already in the right directory for NOTEPAD.EXE. I select Notepad and click Open. I have not created any process at this point; all I have done is open the notepad.exe file. Dependency Walker now lists the image names of the DLLs that Notepad links to. In other words, these eight DLLs contain the support routines Notepad needs when it runs. Remember, this is not the full list of every DLL the program will use at run time, only the DLLs that are loaded when the program starts, because a program can also load DLLs dynamically while it is running. So it is an interesting display, but it does not really tell us what will be used, and it does not show where on disk each DLL comes from, because that is decided by a search at load time: the loader first looks for the DLL in the directory of the executable, then in the current directory, then in the system directories, and finally in the directories on the PATH environment variable; and if a DLL of that name is already loaded in the process, the copy already in memory is used instead. So while this is a meaningful display, a more meaningful one would show which DLLs are loaded, and from where, when the process is actually running. That brings us to the next topic: observing DLL usage in a live process.
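The search order just described is why a DLL of the same name planted in the application directory or the current directory wins over the genuine copy in the system directory. The following Python model is an added example, not part of the lecture and not a Sysinternals or Microsoft tool: it reproduces the classic NT 4 / Windows 2000 order (the system directories, which the lecture skips over, are included as the known part of that order between the current directory and PATH), checks the already-loaded-module case first, and runs against a constructed in-memory "disk" rather than a real filesystem. The paths, process names and the planted-copy scenario are all assumptions for the illustration.

```python
# Added example (not from the lecture): a model of the classic NT 4 / Windows 2000 DLL
# search order. The in-memory "disk" and process state are constructed; nothing here
# reads the real filesystem. The install root C:\WINNT is an assumption.
from pathlib import PureWindowsPath

# Default system directories on a Windows 2000 box (assumed install root C:\WINNT).
SYSTEM_DIRS = [r"C:\WINNT\system32", r"C:\WINNT\system", r"C:\WINNT"]


def search_order(app_dir, cwd, path_env):
    """Directories probed, in order: application directory, current directory,
    system directories, then each entry of PATH (duplicates dropped, case-insensitively)."""
    candidates = [app_dir, cwd] + SYSTEM_DIRS + [p for p in path_env.split(";") if p]
    seen, order = set(), []
    for d in candidates:
        key = d.rstrip("\\").lower()
        if key not in seen:
            seen.add(key)
            order.append(d.rstrip("\\"))
    return order


def resolve_dll(name, app_dir, cwd, path_env, disk_files, loaded_modules):
    """Return ("loaded", path) if a module with this base name is already mapped in the
    process (the loader reuses it and never touches the disk), ("disk", path) for the first
    hit along the search order, or ("missing", None)."""
    for module in loaded_modules:
        if PureWindowsPath(module).name.lower() == name.lower():
            return ("loaded", module)
    on_disk = {f.lower(): f for f in disk_files}
    for directory in search_order(app_dir, cwd, path_env):
        candidate = directory + "\\" + name
        if candidate.lower() in on_disk:
            return ("disk", on_disk[candidate.lower()])
    return ("missing", None)


# Constructed scenario: viewer.exe in its own directory imports version.dll, which
# normally comes from system32.
APP_DIR = r"C:\Program Files\Viewer"
CWD = r"C:\Temp"                       # e.g. the folder a document was opened from
PATH_ENV = r"C:\WINNT\system32;C:\WINNT;C:\Tools"
CLEAN_DISK = [
    r"C:\Program Files\Viewer\viewer.exe",
    r"C:\WINNT\system32\version.dll",
    r"C:\WINNT\system32\kernel32.dll",
]


def planted_copies():
    """Same disk plus a version.dll planted in the application directory and in the
    current directory, as an attacker who can write to either location would do."""
    return CLEAN_DISK + [r"C:\Program Files\Viewer\version.dll", r"C:\Temp\version.dll"]


def demo():
    clean = resolve_dll("version.dll", APP_DIR, CWD, PATH_ENV, CLEAN_DISK, [])
    hijacked = resolve_dll("version.dll", APP_DIR, CWD, PATH_ENV, planted_copies(), [])
    # If the genuine copy is already in the process, the planted one is never looked at.
    reused = resolve_dll("version.dll", APP_DIR, CWD, PATH_ENV, planted_copies(),
                         [r"C:\WINNT\system32\version.dll"])
    return clean, hijacked, reused


if __name__ == "__main__":
    for label, result in zip(("clean", "planted", "already loaded"), demo()):
        print(f"{label:15s} -> {result}")
```

The third case is the one the lecture's remark about already-loaded DLLs points at: a planted copy only takes effect if it is resolved before the genuine module has been mapped, which is why the directory the process starts in, and what loads first, matter.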

If you run into a DLL conflict, or a failure caused by the wrong version of a DLL being loaded, and you do not know how to catch the process in the act, or you want to watch the process from the moment it starts in order to find the full path of each DLL being loaded, this part may help you diagnose the conflict.

In Windows 2000, Dependency Walker has a new option to profile a process. That means it actually creates an instance of the executable, a real process, and detects and traces the DLL loads as they happen. So I go back to Dependency Walker and click Profile / Start Profiling. I accept the default settings; when I click OK, Dependency Walker creates a test process running Notepad and traces all DLL activity in the lower pane of the window. Let us do it. Notepad is now running. If I go back to Dependency Walker and look at the lower pane, I find that a short profiling log has been produced. It records the DLLs loaded when the process started. Again, it does not give the full file names we will see with the next tool, but at least we can see which DLLs were loaded. Now, if I return to Notepad and try to open a file, the moment the standard Open File dialog appears you can see ten to twenty additional DLLs being loaded in the background. Let us do it. Can you see it in the background? Back in Dependency Walker, if you scroll up you will find that the standard Open File dialog caused many DLLs that were not loaded before to be added to the process. If we return to the DLL list, the count has grown well beyond the original eight. I can also watch the middle pane and count the additions: 31 DLLs are loaded to display the standard Open File dialog, but still without full paths. That brings us to the next tool, TLIST, which we used earlier, but this time with a parameter we have not yet introduced, one that specifies a particular process name.

In the next demonstration we use TLIST to display the list of DLLs in a process and look at what it shows. I switch to a command prompt, with PowerPoint still running, and run TLIST against PowerPoint to see the DLLs loaded by the PowerPoint process, together with the memory address at which each one sits in the process address space. That is useful information, but what is missing? Right: the full path name of the DLL. The tool on this slide finally shows us full path names: it is the second tool we have taken from the sysinternals.com website, ListDLLs. ListDLLs displays the full path of every DLL and, as a bonus, the full path of the running executable. This is another important aspect of analyzing what is in an NT system. As we said earlier, the name of an executable does not always tell you what it does, but if you know where the file lives, at least you can quickly tell which package it belongs to. So we use ListDLLs not only to view DLL details; more importantly, remember it as a shortcut for seeing an executable's full path.

Back at the command prompt, let us try ListDLLs from our demo directory, continuing with the Notepad example, that is, the process we started from Dependency Walker. Look at the path names in the table: we now get the full path, with drive letter, directory name and file name, which is exactly what this example set out to show. Let us do the same for PowerPoint. Again, this shows how important the full paths of executables and DLLs are when doing basic troubleshooting or analysis of a process in Windows 2000.

Another angle on system and process activity is I/O. Typically the main load on a server comes from server applications doing network or disk I/O. So when the system looks very busy and the disk is constantly rattling, how can you determine which process is generating the I/O, and on which files? In other words, on a busy system, how do we track down which process, and which file or files, the work involves? In NT 4, as mentioned earlier, there was no way to see I/O activity separately for each process. In Windows 2000, however, new counters have been added that let you observe I/O activity per process. So in our first demonstration we use Performance Monitor to look at these new counters and quickly learn how to determine which process or processes on a Windows 2000 system are generating I/O.

We switch to the command prompt and start Performance Monitor with the command perfmon. Click the Add counter button. Since we only want process-level counters, select the Process object and scroll down the list to find the newly added I/O counters: IO Data Bytes/sec and IO Data Operations/sec.

IO Data Operations/sec is the combined total of read and write operations. There are separate counters for reads and for writes, but at this level of analysis we only care that I/O is happening, not whether it is a read or a write. So we select IO Data Operations/sec and, holding down Ctrl, also select IO Other Operations/sec. Other operations are I/O operations that are neither reads nor writes, for example opening a file or reading a file attribute such as its size. If you want to see all the I/O a process generates, data operations and other operations, you must select both counters. Next, which processes should the selected counters be applied to? The answer is all of them. Click the first process in the instance list box; remember that the _Total entry is not a process. Hold the mouse button and drag to the bottom of the list box to select all processes, press Add, then Close.

Now we are watching, in the Performance Monitor chart, the I/O generated by each process in the system. Each process has two lines: one for data operations and one for other operations.

Soon the system calms down like this. Now let's go back to the command prompt and start something that generates a lot of I/O. Let us run an operation that touches every directory on the hard disk: DIR C:\ /S. This lists every directory from the root of C: downward, and, as you can see, producing that output means reading a great many directories. While it runs, let us return to Performance Monitor and look at the chart: one line shows someone generating a large amount of I/O. Now, how do we determine which process that line represents?

Let us turn on highlighting: click the Highlight button or press Ctrl-H. If you have used Performance Monitor before, you know that with highlighting on, as you move down the counter list with the down arrow key, the line for the currently selected process turns white. So I scroll down the counter list until the line at the top turns white. That's it. Can you see the instance name shown at the bottom? It is CMD. So the process CMD is generating all of this I/O, which is easy to understand: CMD is the command prompt window, and it is doing the directory I/O. This is how you use Performance Monitor to watch per-process I/O per second and determine which process is responsible. Very interesting, but there is still a question: where is the I/O going? What we have seen so far only tells us who is doing the I/O. That brings us to the next tool on the slide: File Monitor.

Filemon is the third tool we have used so far that comes from the sysinternals.com website. Like the others, it uses a device driver. When we run Filemon it loads a file system driver that intercepts every I/O operation in the system, displays it on screen, and then passes it on to the real device driver. So it slows I/O down to a noticeable degree, but it is an effective way to determine the source of I/O, because every I/O operation is recorded, and the record includes the process name, the file name referenced, and the type of operation: read, write, or something else. Let us take a look at it in practice.

Back at the command prompt, I run Filemon from the demo directory with the filemon command. Filemon now starts monitoring file activity. Although it looks as if some I/O is running in the background, the system is in fact quiet: on this particular Windows 2000 system there is a system process that performs some database I/O every second or two. Let us return to the command prompt and generate some heavy I/O against a particular file. The target is a large file that exists on every Windows 2000 system: the driver cabinet file.

This driver cabinet contains compressed versions of all the device drivers shipped with Windows 2000 and is stored in the WINNT\Driver Cache folder. I will start Windows NT Explorer, go to my WINNT\Driver Cache folder and do a simple copy. I open the C: drive, expand the WINNT directory, expand the Driver Cache directory and then the i386 directory, and there is the Driver.cab file. Note that it is 51 MB, which makes it an ideal test object. I will just do a simple file copy using Copy and Paste from the Edit menu. You can see that we are now copying a 51 MB file.

Let's go back to Filemon and look at its output. As you can see in the output area, there is a large number of I/O operations on Driver.cab and on its copy. I press Ctrl-E to stop Filemon's capture, and we can see the reads and writes: reads from Driver.cab and writes to the copy of the same name. Now let us go back and cancel the file copy. You have seen an example of how Filemon observes individual I/O operations and lets you see where the I/O is going.

You can also do some filtering with Filemon. For example, if you are only interested in I/O on the C: or D: drive, or on a particular directory on those drives, you can filter on that path; you can also highlight a given path name so that the files you care about stand out among everything being monitored. This again shows that for tracking I/O activity down to the file on which it occurs, Filemon is an important tool.
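Performance Monitor answers "which process" and Filemon answers "which file"; once a capture is saved, the same split the Performance Monitor counters make (data operations versus other operations) can be applied per file as well. The following Python is an added example, not part of the lecture and not a Sysinternals tool: it summarizes a Filemon-style capture per process and per (process, path). The log it reads is constructed for this example; it imitates Filemon's tab-separated columns (#, Time, Process, Request, Path, Result, Other) and the asterisk suffix on paging I/O that the lecture mentions below, but it is not a real capture, and the column layout is an assumption you should check against the version of Filemon you have.

```python
# Added example (not from the lecture): summarize a Filemon-style capture the way the
# Performance Monitor counters split it (data = reads/writes, other = everything else),
# per process and per file. SAMPLE_ROWS is constructed, not a real capture.
from collections import defaultdict

CAB = r"C:\WINNT\Driver Cache\i386\driver.cab"
COPY = r"C:\WINNT\Driver Cache\i386\Copy of driver.cab"

SAMPLE_ROWS = [
    ("1", "10:42:01", "explorer.exe:1092", "IRP_MJ_CREATE", CAB, "SUCCESS", "Options: Open  Access: Read"),
    ("2", "10:42:01", "explorer.exe:1092", "FASTIO_QUERY_STANDARD_INFO", CAB, "SUCCESS", "Length: 53526528"),
    ("3", "10:42:01", "explorer.exe:1092", "IRP_MJ_CREATE", COPY, "SUCCESS", "Options: OverwriteIf  Access: Write"),
    ("4", "10:42:01", "explorer.exe:1092", "IRP_MJ_READ*", CAB, "SUCCESS", "Offset: 0 Length: 65536"),
    ("5", "10:42:01", "explorer.exe:1092", "IRP_MJ_WRITE", COPY, "SUCCESS", "Offset: 0 Length: 65536"),
    ("6", "10:42:01", "explorer.exe:1092", "IRP_MJ_READ*", CAB, "SUCCESS", "Offset: 65536 Length: 65536"),
    ("7", "10:42:01", "explorer.exe:1092", "IRP_MJ_WRITE", COPY, "SUCCESS", "Offset: 65536 Length: 65536"),
    ("8", "10:42:02", "cmd.exe:1260", "IRP_MJ_DIRECTORY_CONTROL", "C:\\WINNT\\system32\\", "SUCCESS", "FileBothDirectoryInformation"),
    ("9", "10:42:02", "svchost.exe:452", "IRP_MJ_QUERY_INFORMATION", r"C:\WINNT\system32\config\software", "SUCCESS", "FileStandardInformation"),
    ("10", "10:42:02", "explorer.exe:1092", "IRP_MJ_CLOSE", CAB, "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_line(line):
    """One capture row -> dict. A trailing '*' on the request marks paging I/O."""
    fields = line.rstrip("\n").split("\t", 6)
    if len(fields) != 7:
        raise ValueError("unexpected column count: %r" % line)
    seq, time, process, request, path, result, other = fields
    paging = request.endswith("*")
    base = request.rstrip("*")
    kind = "data" if ("READ" in base or "WRITE" in base) else "other"
    return {"seq": int(seq), "time": time, "process": process, "request": base,
            "paging": paging, "kind": kind, "path": path, "result": result, "other": other}


def summarize(log_text):
    """Per-process counts (data / other / paging) and per-(process, path) operation counts."""
    per_process = defaultdict(lambda: {"data": 0, "other": 0, "paging": 0})
    per_file = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        per_process[rec["process"]][rec["kind"]] += 1
        if rec["paging"]:
            per_process[rec["process"]]["paging"] += 1
        per_file[(rec["process"], rec["path"])] += 1
    return dict(per_process), dict(per_file)


def busiest(per_file, n=3):
    """The (process, path) pairs with the most operations, highest first."""
    return sorted(per_file.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    procs, files = summarize(SAMPLE_LOG)
    for proc, counts in sorted(procs.items()):
        print(f"{proc:20s} data={counts['data']:3d} other={counts['other']:3d} paging={counts['paging']:3d}")
    for (proc, path), count in busiest(files):
        print(f"{count:3d}  {proc:20s} {path}")
```

On a real capture the interesting rows are usually the ones this summary does not expect: a process writing to a path it has no business touching, or a high "other" count from something probing file attributes in a loop.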

The last point in this part is that Filemon marks paging I/O with a small asterisk on the row. Because the Windows 2000 Cache Manager uses the memory manager's normal paging mechanism to perform file I/O, you will see paging activity on files that is caused by applications. In other words, since the cache subsystem reads data from a file through the memory manager's usual paging mechanism, the I/O of an application that simply opens and reads a file may itself show up in Filemon as paging reads.

The last area of file or system process activity that we need to be able to monitor is registry activity. As most of you know, the registry is the database NT uses to configure itself: which drivers to load, all management settings, and every user's profile settings are stored there. Sometimes it is very helpful for a system administrator to know where in the registry a particular setting is stored. There is a tool on the sysinternals.com website called Registry Monitor that monitors every read and write to the registry. Let us run it. I return to the command prompt and run the copy of Regmon from sysinternals.com that is in the demo directory. When Regmon starts, it loads a driver that begins intercepting all queries to the registry. Right now the MMC process hosting Performance Monitor is also issuing registry queries, so we go back and close Performance Monitor to stop them. OK, now the system is quiet. The registry is normally quiet; in other words, if a process is constantly reading or writing the registry, something is wrong, and you might consider filing a bug report with the vendor. The registry is queried when a process or NT itself starts; it is not a database meant to be hammered continuously. Where Regmon is most useful is in finding where a particular system setting is stored in the registry. For example, if you start Regmon, open Control Panel and go into some applet or tab, you get an exact trace of the registry locations involved in that Control Panel setting, which may lead to deeper research on the registry, for example in the Windows 2000 Resource Kit help file, which documents most registry keys. That is the Registry Monitor utility. Next, two questions.

What actually runs in NT? What is the unit of scheduling? The answer is the thread. Remember, processes do not run; threads run, and every process contains at least one thread.

How can a thread run a great deal yet appear to consume no CPU time? A thread can do plenty of work that never shows up in its accounting: NT runs it, yet it is charged little or no CPU time. The answer is that NT uses an interval-based clock timer to account for CPU time. When the clock fires, whichever thread is current is charged the whole interval; a thread that ran and stopped between two ticks is never charged at all. By default the clock interval is 10 milliseconds, although the default differs between systems, and whichever thread is current when the clock fires is considered to have used that whole 10 ms. If no thread is running, the interval is charged to the idle thread. Idle threads belong to the process that Task Manager shows as the System Idle Process. Recall that the first process listed on the Processes tab is the idle process; its role is to accumulate all the CPU clock cycles that no thread used.

Last question: how large is a process address space? NT is a 32-bit operating system, and 32 bits address 4 GB. By default NT gives half of that address space, 2 GB, to the user process and keeps the other 2 GB for itself.

We have spent some time looking inside processes: their I/O, DLL usage, open handles and registry activity. In the following section we look at how NT distinguishes CPU time spent doing operating system work from CPU time spent in application code, and how NT maintains and accounts for interrupt time. Interrupt handling is a very important topic because it is not charged to any thread and does not show up under any process. In other words, a system under heavy interrupt load can seem very slow even though no process appears to be running. We answer that question in this section.

I suggest we begin by discussing the boundary between time spent in the operating system and time spent in the application code itself. NT uses two memory protection states, sometimes called kernel mode and user mode, or in other contexts privileged mode and user mode. Every page in a process's 4 GB address space is marked as either a kernel page or a user page. All pages in the system address space are marked as kernel pages; all pages in the user address space are marked as user pages. The only way to touch a page marked as a kernel page is to be running in kernel mode, and only the operating system and device drivers run in kernel mode. In other words, apart from loading a device driver, a user program has no way to get itself running in kernel mode. This is the solid level of memory protection between applications and the operating system: no matter how an application behaves, no matter what memory address it tries to reference or change, it can never corrupt system data structures, because all operating system and device driver memory structures are marked as kernel pages, they live in the system address space, and an application running in user mode can neither see nor modify that data.

Threads switch between user mode and kernel mode constantly. Every system call, for example opening a file, closing a file, reading data or writing data, transitions from user-mode application code into kernel-mode operating system code. When the 10 ms clock interval fires, how does NT decide where to charge the CPU time? If the thread is in kernel mode, running some part of the operating system, the thread's privileged time counter is incremented; if the thread is running inside user or application code, the thread is charged user time. So NT accurately tracks how much time a thread spends in the application and how much in the operating system. If you look at the CPU Time column on the Processes tab of Task Manager, you will find it does not distinguish privileged time from user time but shows total CPU time only; there are, however, tools that let us look at an application and quickly work out how much time it spends in itself and how much in the operating system. That brings us to the next demonstration: using QSLICE, or Quick Slice, to look at process CPU time.
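The two passages above, the clock-interval accounting that lets a thread run without being charged, and the user versus privileged split decided by the thread's mode at the tick, can be seen together in a small model. The following Python is an added example, not part of the lecture: one CPU, a fixed interval, and at each tick the whole interval is charged to whichever thread is running, to user or privileged time by its mode at that instant, or to Idle if nothing is running. The thread timelines are constructed; the 10 ms interval is the lecture's figure and, as the lecture says, the real default varies by system. The "burst" thread, which wakes for 2 ms in the middle of each interval and is never caught by a tick, is the kind of activity that CPU-time columns in Task Manager will show as zero.

```python
# Added example (not from the lecture): a model of interval-based CPU accounting on one
# CPU. Whichever thread is running when the clock fires is charged the whole interval,
# as user or privileged time according to its mode at that instant; ticks with no
# thread running go to Idle. Timelines are constructed; the 10 ms tick is an assumption.

TICK_US = 10_000  # 10 ms, in microseconds


def example_segments():
    """Constructed timeline for one CPU over 100 ms: (thread, start_us, end_us, mode).
    'worker' runs 30 ms of user code, then 10 ms inside a system call.
    'burst' wakes up for 2 ms in the middle of each later interval, between clock ticks."""
    segs = [("worker", 0, 30_000, "user"), ("worker", 30_000, 40_000, "privileged")]
    for base in range(40_000, 100_000, TICK_US):
        segs.append(("burst", base + 3_000, base + 5_000, "user"))
    return segs


def actual_runtime_us(segments):
    """What each thread really consumed, read straight from the timeline."""
    used = {}
    for name, start, end, _mode in segments:
        used[name] = used.get(name, 0) + (end - start)
    return used


def charged_time_us(segments, horizon_us, tick_us=TICK_US):
    """What the clock-interrupt accounting attributes to each thread (and to Idle)."""
    charged = {name: {"user": 0, "privileged": 0} for name, *_ in segments}
    charged["Idle"] = {"user": 0, "privileged": 0}
    for tick in range(tick_us, horizon_us + 1, tick_us):
        running = [(name, mode) for name, start, end, mode in segments if start <= tick < end]
        assert len(running) <= 1, "one CPU: at most one thread runs at a time"
        name, mode = running[0] if running else ("Idle", "privileged")
        charged[name][mode] += tick_us
    return charged


if __name__ == "__main__":
    segs = example_segments()
    actual = actual_runtime_us(segs)
    charged = charged_time_us(segs, 100_000)
    for name in sorted(charged):
        c = charged[name]
        print(f"{name:8s} actual={actual.get(name, 0) / 1000:5.1f} ms  "
              f"charged user={c['user'] / 1000:5.1f} ms  privileged={c['privileged'] / 1000:5.1f} ms")
```

In the constructed run, "burst" really uses 12 ms of the 100 ms yet is charged nothing, and that 12 ms is credited to Idle instead; the per-thread accounting only ever adds up to the horizon, so what one thread evades, another absorbs.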

Let's run Quick Slice via Start / Run / qslice. It is included in the Windows 2000 Support Tools. Quick Slice displays CPU activity per process, with red indicating kernel mode and blue indicating user mode. Notice what is happening on my system right now: Quick Slice shows process number 0, which it calls System, at 100% in kernel mode, whereas Task Manager calls that process the System Idle Process. That is a quirk of the NT process display tools: for the idle process each tool makes up its own name, and the names are inconsistent. The idle process is a pseudo-process NT uses to account for idle CPU cycles, and those cycles are counted as kernel-mode time.

Let's run a program that simulates a typical user application. It is CPU Stress (cpustres.exe), which is included in the Resource Kit. I run it with Start / Run / cpustres. When it starts, it has one thread running at the low activity level, which means it is busy 25% of the time and waiting the other 75%. At the bottom of the display, CPU Stress pops up from time to time, runs briefly in user mode, shown as a blue bar, and then disappears again. Let us raise its activity level to maximum.

Click the Activity list box, scroll down and select Maximum. Notice what happens now: it has turned 100% blue. At the maximum activity level CPU Stress sits in an infinite loop. There is a single process here, so it is basically all in the application, with no system calls at all. If I saw a mixture of separate blue and red, that would show a program in the usual situation, spending some of its time in the application and some in the operating system. So with QSLICE you can easily watch a process and quickly determine where its time goes: in the user-mode application or in the kernel-mode operating system.

There are three reasons NT runs operating system code in kernel mode, or privileged mode. So far we have described only the first: a user application makes a system call, such as opening a file, closing a file, allocating or freeing memory, creating a process, creating a thread, and so on. We now introduce the second, and the third in the next section.

The second reason NT spends time in kernel mode, time during which the user program cannot run, is interrupt handling. Interrupts are, for the most part, the consequence of I/O requests that user programs issued. Over the next few slides we look at technical details that might seem of interest only to NT device driver writers, but there is a reason for going into this level of detail.

Interrupt time is shown in Performance Monitor through two separate counters: one that accounts for interrupt time and another called % DPC Time. So what is a DPC? To understand these two counters we first need to understand DPCs. Let us first look at what happens when an interrupt occurs. When an interrupt occurs, the running thread is interrupted. NT system code runs to find the driver that owns this interrupt source and calls the driver; the driver does its work, and when it is finished the interrupt is dismissed and control returns to the thread that was executing. As an aside, because interrupt handling involves no change of context, NT is considered fast at it as operating systems go. NT does not switch to some special interrupt-handling thread; it simply saves the state of the currently running thread, calls the driver to do the work, then dismisses the interrupt and lets the interrupted thread resume. Since interrupts can come from many different sources, there must be a mechanism for interrupt prioritization, and this is why there are two different counters, interrupt time and DPC time, for monitoring interrupts. NT uses 32 priority levels for interrupts, and serves them in that order. This is a priority you never see in a user program and never see in Performance Monitor. It is called the interrupt request level, or IRQL.

When a driver loads, it tells NT its interrupt source and its IRQL. Think of it this way: every interrupt has an associated priority. So when an interrupt occurs, NT looks at the IRQL of the interrupt source. If it is higher than the level the processor is currently running at, the interrupt is taken and serviced; if it is lower than or equal to the current level, the interrupt is deferred until the higher-priority interrupt source has finished its work. What is blocked while an interrupt is being serviced? What does not happen while the driver is processing its interrupt? The answer: other interrupts of the same or lower priority, and all thread execution. In other words, an interrupt always preempts process activity regardless of process or thread priority; all process activity on that processor is suspended. To keep the time a driver spends at high priority short, NT provides a way for the driver to say, in effect: I have done the work that must be done at this interrupt priority, but I still have more to do. I will dismiss the interrupt now, but please call me back later so I can do the work I cannot do at high priority. This is called a deferred procedure call, or DPC. Deferral is a way of being called back later. The system keeps a queue, or list, of driver callback requests. When does the callback happen? When there is no higher-priority interrupt waiting to be delivered. Look at the last slide and notice where DPCs sit in the priority hierarchy: they fall at priority level 2, lower than hardware device interrupts but higher than normal thread execution.

A simple way to think about it is that interrupt handling has two phases: the first at interrupt level and the second at DPC level. In Performance Monitor the % DPC Time and % Interrupt Time counters sit alongside the processor's other CPU time counters, and both are included in the processor's privileged time. That is why we went through the details of interrupt delivery, so that you understand what interrupt time and DPC time represent: interrupt time reflects the first phase of interrupt processing and DPC time reflects the second. Let us do a demonstration and observe interrupt activity in Performance Monitor.
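Before the demonstration, here is the delivery sequence just described as a small discrete-time model. It is an added example, not part of the lecture and not NT code: one processor, 32 IRQLs, interrupt service routines that preempt whatever runs at a lower IRQL and are held back by anything at the same or higher level, and DPCs that run at IRQL 2 once no interrupt is pending, before any thread gets the CPU back. The interrupt sources, their IRQLs and the unit costs of each phase are constructed for the illustration and are not real device assignments; the time units are abstract.

```python
# Added example (not from the lecture): a discrete-time model of NT interrupt delivery
# on one processor. Sources, IRQLs and costs below are constructed, not real devices.

PASSIVE_LEVEL, APC_LEVEL, DISPATCH_LEVEL = 0, 1, 2   # threads run at 0/1, DPCs at 2
MAX_IRQL = 31                                         # 32 levels, 0..31


def example_interrupts():
    """Constructed arrivals: t = arrival time, isr/dpc = units of work at each phase."""
    return [
        {"t": 0, "irql": 8,  "name": "disk",   "isr": 2, "dpc": 3},
        {"t": 1, "irql": 12, "name": "nic",    "isr": 1, "dpc": 2},  # higher: preempts disk ISR
        {"t": 1, "irql": 5,  "name": "serial", "isr": 1, "dpc": 0},  # lower: waits for disk ISR
    ]


def simulate(interrupts, horizon):
    """Return (trace, accounting). trace: (event, source, time) tuples in execution order;
    accounting: time units spent in ISRs, in DPCs, and left over for threads."""
    for i in interrupts:
        assert DISPATCH_LEVEL < i["irql"] <= MAX_IRQL, "device IRQLs lie above DPC level"
    pending = list(interrupts)   # not yet arrived, or arrived but masked
    isr_stack = []               # nested ISRs in progress, innermost (highest IRQL) last
    dpc_queue = []               # FIFO of [name, remaining work]
    current_dpc = None
    trace, acct, time = [], {"interrupt": 0, "dpc": 0, "thread": 0}, 0

    while time < horizon:
        if isr_stack:
            current_irql = isr_stack[-1]["irql"]
        elif current_dpc is not None:
            current_irql = DISPATCH_LEVEL
        else:
            current_irql = PASSIVE_LEVEL

        # An arrived interrupt above the current IRQL is taken at once, highest first;
        # anything at or below the current level stays masked until the level drops.
        ready = [i for i in pending if i["t"] <= time and i["irql"] > current_irql]
        if ready:
            nxt = max(ready, key=lambda i: i["irql"])
            pending.remove(nxt)
            isr_stack.append(dict(nxt, remaining=nxt["isr"]))
            trace.append(("isr_start", nxt["name"], time))
            continue

        if isr_stack:                            # first phase: interrupt level
            top = isr_stack[-1]
            top["remaining"] -= 1
            acct["interrupt"] += 1
            time += 1
            if top["remaining"] == 0:
                isr_stack.pop()
                trace.append(("isr_end", top["name"], time))
                if top["dpc"]:                   # "call me back later"
                    dpc_queue.append([top["name"], top["dpc"]])
            continue

        if current_dpc is None and dpc_queue:    # second phase: DPC level
            current_dpc = dpc_queue.pop(0)
            trace.append(("dpc_start", current_dpc[0], time))
            continue
        if current_dpc is not None:
            current_dpc[1] -= 1
            acct["dpc"] += 1
            time += 1
            if current_dpc[1] == 0:
                trace.append(("dpc_end", current_dpc[0], time))
                current_dpc = None
            continue

        acct["thread"] += 1                      # nothing pending: threads finally run
        time += 1
    return trace, acct


if __name__ == "__main__":
    trace, acct = simulate(example_interrupts(), horizon=12)
    for event, source, t in trace:
        print(f"t={t:2d} {event:9s} {source}")
    print(acct)
```

In the constructed run the nic interrupt, arriving at a higher IRQL, cuts into the disk ISR and finishes first; the serial interrupt, at a lower IRQL, waits until the disk ISR has dismissed; and no thread runs until every DPC has drained, which is the "slow system with nothing running" symptom the lecture describes.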

Start Performance Monitor. Let us add % Interrupt Time and % DPC Time to the chart by clicking the Add button; the counters we just described appear in the list. Click Add, then Close. Since the default scale of the Performance Monitor chart is 0 to 100, only some quite small numbers are visible here. I right-click to open the Properties dialog, switch to the Graph tab and change the vertical maximum from 100 to 10 so the values are easier to read. Let us do that; now we are watching interrupt and DPC activity. The red line is DPC time and the green line is interrupt time. If we move the mouse back and forth, like this, notice the sudden spikes in the green line? They are the interrupts generated by moving the mouse. Now, the DPC time seems to show a regular blip every second, which is surely the result of some I/O. If you see this kind of continuous DPC activity, go back to the earlier material: the next step is to find out who is doing the I/O. Do you remember the tool for that job? It is Filemon. Filemon will tell us which process is generating the I/O that in turn causes the DPCs. The thing to remember when looking at interrupt time is that it is not charged to any thread or process, which brings us to a quick question and answer for this section.

If the system looks very slow but you see no process running in Task Manager, what is going on? It must be interrupts. Use Performance Monitor to look at Interrupts/sec and % DPC Time or % Interrupt Time. Again, time spent in interrupt handling is not charged to a thread, so no process appears to be running. Watch the interrupt time.

I said we would come back to identifying every process that NT creates and runs on the system. Why is that important? Because if something is running and it is not yours, it must be part of NT: some system process. So being able to identify all the system processes is another important part of troubleshooting or performance analysis on Windows 2000 and Windows NT 4.0 systems.

Now we use TLIST /T, introduced earlier, to show the system process tree. TLIST /T displays the hierarchy between processes, so with this tool we can quickly browse which process created which in the tree. As a review of the section, I will return to the command line, run TLIST /T, and refer to its output while going through the slide. Look at the output of TLIST /T: the first two processes in the system are exactly the ones we will describe; their process IDs are 0 and 8. Process 0 is the idle process. On a multiprocessor system this process, which runs no real program, is allocated one thread per CPU. In other words, the idle time of each CPU is accounted separately. Incidentally, this is also a quick and simple way to check how well the second, third, fourth and fifth CPUs in your system are being used: by looking at the idle time of each CPU you can judge how evenly the load is distributed across your multiprocessor server or workstation. The idle process is not really running. Remember that in Quick Slice and Task Manager the idle process looks as if it is running, because when the clock fires and no thread is running, the clock interval is charged to that CPU's idle thread. So it looks like it is running, but in fact the system is idle.
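The lecture's quick check, done in code rather than by eye: sample the counters it names and tell interrupt/DPC time (charged to no thread) apart from time charged to threads, with per-CPU busy time to judge load balance. This is an added example, not the lecture's tooling; it assumes a current Windows host with PowerShell 3 or later and English counter names.

```powershell
# Added example; not from the lecture or from any Microsoft tool.
# Assumes PowerShell 3+ (Get-Counter, member enumeration) and English counter names.
function Get-InterruptLoadSummary {
    param([int]$Seconds = 5)

    $paths = @(
        '\Processor(_Total)\Interrupts/sec',
        '\Processor(_Total)\% Interrupt Time',
        '\Processor(_Total)\% DPC Time',
        '\Processor(*)\% Processor Time'     # one instance per CPU plus _Total
    )

    # One sample per second; each sample set holds one CounterSample per path/instance.
    $sets = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds

    # Sample paths carry the machine name, e.g. \\host\processor(_total)\% dpc time.
    # Strip it and normalise case so the keys below are predictable.
    $byPath = $sets.CounterSamples |
        ForEach-Object {
            [pscustomobject]@{
                Path  = ($_.Path -replace '^\\\\[^\\]+', '').ToLowerInvariant()
                Value = $_.CookedValue
            }
        } |
        Group-Object Path

    # Average every counter instance over the sampling window.
    $avg = @{}
    foreach ($g in $byPath) {
        $avg[$g.Name] = ($g.Group | Measure-Object Value -Average).Average
    }

    $intr = $avg['\processor(_total)\% interrupt time']
    $dpc  = $avg['\processor(_total)\% dpc time']
    $busy = $avg['\processor(_total)\% processor time']

    # Per-CPU busy time: very uneven numbers mean the load is not spread evenly,
    # which is what the lecture reads off the per-CPU idle threads.
    $perCpu = foreach ($g in $byPath) {
        if ($g.Name -match '^\\processor\((\d+)\)\\% processor time$') {
            [pscustomobject]@{
                Cpu  = [int]$Matches[1]
                Busy = [math]::Round(($g.Group | Measure-Object Value -Average).Average, 1)
            }
        }
    }

    [pscustomobject]@{
        InterruptsPerSec = [math]::Round($avg['\processor(_total)\interrupts/sec'], 0)
        InterruptTimePct = [math]::Round($intr, 1)
        DpcTimePct       = [math]::Round($dpc, 1)
        ProcessorTimePct = [math]::Round($busy, 1)
        # The lecture's diagnosis: the CPU is busy, but most of that time is not
        # attributable to any thread. Thresholds here are assumed, not from the lecture.
        InterruptBound   = (($intr + $dpc) -gt (0.5 * $busy)) -and ($busy -gt 20)
        PerCpuBusyPct    = ($perCpu | Sort-Object Cpu)
    }
}

Get-InterruptLoadSummary -Seconds 5 | Format-List
```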

The second process, process 8 (its process ID in NT 4.0 is 2), is home to a special kind of thread called kernel-mode system threads. This process, called System, contains threads belonging both to the NT executive itself and to drivers that need part of their work to run as an actual thread, in other words concurrently with other system activity. A few examples help to understand the concept. Several parts of the operating system need to run in the background, such as the swapper, and they do so as system threads. When NT decides that a process has been idle for some time, and other processes are requesting physical memory, it marks that process's memory space to be cleared. Who then does the work of swapping that process out? The swapper, which is one thread running alongside the other threads in the system. The file server is a driver that creates system threads. This is an interesting case: on a heavily loaded file server, client I/O activity shows up as running state, but because the file server itself is not a process, it does not show up as a server process. The driver creates and uses system threads to service remote network I/O requests. So this is a very important monitoring point: a heavily loaded file server keeps system threads running, but because those system threads live mostly in the process called System, we need some way to look deeper into the System process and find out which thread is running. Based on what we have said so far, if I tell you that the System process is running, what do you know? Basically nothing. You only know that some piece of NT (perhaps a driver) is running, but you do not know which piece.

That brings us to the next demonstration: finding out which thread in the System process is running, and therefore which driver or piece of NT created that thread. This is a messy procedure, because it needs three tools: Performance Monitor, Process Viewer, and an NT 4.0 Resource Kit tool called PSTAT. PSTAT is not only in the Windows 2000 Resource Kit; it is also a component of the Platform SDK (the platform software development kit), which ships with MSDN (Microsoft Developer Network) and its later releases. It is also part of the demo files for this lecture.

What we must do first is use Performance Monitor to find the threads running in the System process. Then we use PViewer to look at the threads we are interested in and find the thread's start address; the start address is the address in the system address space at which the system thread started running. Finally we use PSTAT, which provides a memory map of the system address space, to locate the driver the thread runs in, in other words, to find out which driver the code running in that thread belongs to. So the procedure is somewhat complicated and uses three tools, but let us go through the demonstration and see how it works.

First we return to Performance Monitor and start with a new chart. In fact, because we have changed the chart settings, we will start a new Performance Monitor instance. I click the plus sign and add the CPU time of the threads in the System process to the chart: I go to the Thread object, select % Processor Time, scroll down to the process called System, click the first thread, thread 0, drag the mouse and scroll down until all the threads of the System process are selected, then click Add. I am not done yet, because in Windows 2000 there is another process that also contains system threads: csrss, the Windows subsystem process. This process is a piece of NT containing part of the Windows system. In NT 4.0 all system threads live in the System process; in Windows 2000 some system threads live in the csrss process while the rest are in the process called System. We click Add, then click Close.

I now see more than 30 system threads scattered across the display. Let us move the mouse quickly; you can see something start to run. How do I find, in a list of more than 30 zeros, the thread that is showing activity? I turn on highlighting again, click the highlight button, and scroll down until the counter that moves with the mouse is highlighted in white. There is a green spike in the middle of the display area; where did you see it? It is the one that goes from green to white. When I move the mouse, I see the thread on line 6 of csrss light up. The second step is to use PViewer, which is in the Support Tools: click Start / Programs / Windows 2000 Support Tools / Tools / Process Viewer. Select csrss, scroll down and select the line 6 thread; the information we are looking for is the thread's start address, shown at the bottom of the PViewer display. This address is the point at which the thread began executing. It is shown in hexadecimal, the 0x prefix indicating hex: A000-9CBF. OK, we have a memory address. What next? Step 3: run PSTAT, which is in our presentation directory, and go to the end of the PSTAT output; ignore all the per-thread details. The last part of the PSTAT display is the memory map of the system address space. It lists the name of each driver and its address in system memory. If I go to the end and look backwards, I look for the driver that starts at the thread's run address. Unfortunately PSTAT does not display the end address of each driver, only its start address, so we have to look carefully at which driver we are looking at. Our current example is very simple, because only one driver is loaded at A00; if you look at the whole list, everything else starts with F, 8 or B. So I can determine immediately that the thread is definitely a piece of code in the driver Win32k.sys, the component of the Win32 graphics and windowing system. This makes some sense: when you move the mouse, you would expect a piece of the windowing system to run in order to work out which window the mouse moved over. Although this is only an artificial example, it demonstrates the technique of using the three tools (Performance Monitor, PViewer and PSTAT) to look into the System process or csrss and find the driver that created a thread.

This is a very important trick, because if the System process is running on Windows 2000 and you cannot find out which driver or piece of the system it belongs to, you cannot make any judgment about what is going on. If the thread start address happens to fall inside the operating system image itself (ntoskrnl.exe), the problem may be a little more complicated. Then what do you know? Not everything. For example, look at the PSTAT output. The most reliable "device driver", which is not really a driver at all but the operating system itself, is loaded at 80400000. If I return to PViewer and select the System process (note: not csrss), several threads in this process start near address 804. So I click System, and notice that as I scroll down through the threads, the start address of most of them is near 804. What does that tell us? It tells us that the thread is a piece of NT, but not which piece; still, we can be sure it is a piece of NT and not a driver. If you want to go a step further, there is a way to convert the memory address into a subroutine name, using the operating system kernel's symbol table (or debug symbols), which is provided with the Windows 2000 customer support diagnostics. This needs a tool called the kernel debugger, which I will not demonstrate in this lecture; if you want to know how to perform this extra step, please read the second edition of Inside Windows NT (the book is available free of charge on the Microsoft Press web site) on how to dump the ntoskrnl symbol table and trace a system thread's address to the name of an operating system subroutine.

Now let us go back and complete the rest of the system process tree. Keep in mind that TLIST /T shows us this tree structure; the slide shows the parent and child relationships between the processes graphically. Next, let us finish describing the remaining processes. If you look at the TLIST /T output, you will notice that the first process whose name ends in .exe is SMSS, the Session Manager. This is the first process created, and it is involved in loading the rest of the system. So that you can see the TLIST /T output, I will return to the command line and type TLIST /T. The Session Manager has two children, CSRSS and Winlogon. CSRSS, which we just mentioned, is a piece of the windowing system; when you see the next slide there will be two more details on why this process runs. CSRSS is not a frequently running process; it services only a small subset of windowing system requests. If you often see the csrss process running on your system, there may be one or two reasons, namely the last two parts of that subsystem: window management, and character-mode applications running in console windows (such as the command line). Those applications are handled by csrss. If you run 16-bit DOS or Windows 3.1 applications, some of the support for them is also in csrss; however, on a conventional NT server or a Windows 2000 Professional desktop, this process should be quiet. Now let us return to the previous slide and complete the remaining process tree.

As the name suggests, Winlogon is the logon process. This process provides the dialog box that takes the username and password you type in to log on. When you enter your username and password, Winlogon hands them to a child process called LSASS. If you are doing a local logon to the server or workstation, the LSASS process checks the username and password against the security database (the SAM). Because the Net Logon service runs inside LSASS, if you are logging on to an NT 4.0 domain account, Winlogon passes the username and password to the LSASS process running on a domain controller, a domain controller in the domain that contains the account you are logging on to.

Now let us come back to the TLIST /T output. In the display, how many child processes does Winlogon have? Two: the Service Controller and LSASS. Let us talk about the Service Controller. What is a Windows NT service? A service is a piece of a server application that is typically installed in the registry and activated by the Service Controller when the system boots. Going to the next slide, we see a picture of the service process hierarchy. When a service, such as SQL Server or Exchange Server, is added to the registry, then at boot time the Service Controller searches the services database in the registry, builds a dependency graph (because services can depend on each other), and starts them in the correct order. As the TLIST /T output shows, the Service Controller has many child processes; these are the images of the executables that contain the server application components of the running services. Now, how do you view the list of installed services? Click Start / Settings / Control Panel and, in Windows 2000, click Administrative Tools. In Administrative Tools, click Services. The display you see is similar to the one in NT 4.0, with some additional information. For example, the Description column is new information added in Windows 2000; it provides some extra descriptive text explaining what the service does. The ability to view detailed properties of a service is also a new feature of Windows 2000. For example, I scroll down to the Print Spooler service, right-click it and choose Properties from the shortcut menu that appears. One of the properties shown is the path to the executable. Why is this important? Because the service name does not always map to the name of the executable file containing the code that implements the service; in other words, if you look in Task Manager and find a service process running, the executable's file name may not immediately tell you which of the services displayed in the Control Panel it implements.

Let us look at the next slide, which shows how to map the service activity you see in the system to the services defined in the registry. We just saw how to map a service to its executable's file name, but how do we do the reverse? TLIST solves this with a parameter we have not used yet, /S. What it displays is the service names hosted by each process, shown here in white next to the running process. Note that some service processes contain a single service, like the spooler, while others contain multiple services; so even once you know which process a service runs in, it can still be hard to explain the CPU time consumption, but you have narrowed the problem to a smaller range. Keep in mind that the names shown in the third column are not what you see in the Control Panel, because a service actually has three names: the name the system administrator sees in the Control Panel, the name of the service's executable, and the service name in the registry. What TLIST displays is the service name in the registry. So if you go into the registry and look at the list of services (it is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services), you can see the registry key names in alphabetical order. Under each key you will see the name displayed in the Control Panel and the name of the executable file. So with the TLIST /T tool you can at least tell, to some extent, whether one of these service processes is running and exactly which one or more services is causing the CPU time consumption.
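What TLIST /T and TLIST /S show, rebuilt from CIM data: the parent/child process tree with the services each process hosts listed under it, using two of the service's three names (the registry key name, Win32_Service.Name, and the Control Panel display name). This is an added example, not the lecture's tool; it assumes a current Windows host with PowerShell 3 or later.

```powershell
# Added example; not the lecture's tlist tool. Assumes PowerShell 3+ and CIM access.
function Get-ProcessTreeWithServices {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # PID -> hosted services (what tlist /s shows). Name is the registry key name
    # under CurrentControlSet\Services; DisplayName is the Control Panel name.
    $svcByPid = @{}
    foreach ($s in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
        $key = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += ('{0} ({1})' -f $s.Name, $s.DisplayName)
    }

    # Group children by parent. A parent that no longer exists, or whose PID was
    # reused by a process created after the child, makes the child a root,
    # which is also how tlist /t presents orphans.
    $children = @{}
    $roots = @()
    foreach ($p in $procs) {
        $ppid = [int]$p.ParentProcessId
        $parentGone = ($ppid -eq [int]$p.ProcessId) -or (-not $byPid.ContainsKey($ppid))
        $pidReused = (-not $parentGone) -and $p.CreationDate -and $byPid[$ppid].CreationDate -and
                     ($byPid[$ppid].CreationDate -gt $p.CreationDate)
        if ($parentGone -or $pidReused) { $roots += $p; continue }
        if (-not $children.ContainsKey($ppid)) { $children[$ppid] = @() }
        $children[$ppid] += $p
    }

    $lines = New-Object System.Collections.Generic.List[string]
    $seen  = @{}
    function Walk($p, [int]$depth) {
        $id = [int]$p.ProcessId
        if ($seen.ContainsKey($id)) { return }   # guard against PID-reuse cycles
        $seen[$id] = $true
        $indent = ' ' * (2 * $depth)
        $lines.Add(('{0}{1} ({2})' -f $indent, $p.Name, $id))
        foreach ($svc in $svcByPid[$id]) {
            $lines.Add(('{0}  Svc: {1}' -f $indent, $svc))
        }
        foreach ($c in ($children[$id] | Sort-Object ProcessId)) {
            Walk $c ($depth + 1)
        }
    }
    foreach ($r in ($roots | Sort-Object ProcessId)) { Walk $r 0 }
    return $lines
}

Get-ProcessTreeWithServices
```

A service process hosting several services shows up with several Svc lines; as in the lecture, that narrows a CPU-time question to that short list rather than to the whole machine.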

Our last section concerns observing abnormal process activity when a process crashes. Nobody wants to see an application crash, but I believe all of you have at least seen what is in the top half of the screen: the message box generated by the famous Dr. Watson program. What we are looking at now is actually the updated Dr. Watson message box in Windows 2000, which carries less information than the same box in NT 4.0. Windows NT 4.0 said in the box that the application had crashed and labeled it as Dr. Watson; now it is labeled only as an application error, and some help text from NT 4.0 has been added, mainly "You need to restart the program". Although most users already know they should do this, the message box states more clearly that the application crashed and that you need to restart it. Unfortunately, it still does not tell the user what to do about the crash. It only says that an error log has been generated. So, where is this error log and what do you do with it? That is exactly what we consider in this section.

First of all, what causes a process to crash? An unhandled exception is raised, for example a reference to an illegal memory address, or a division by zero. Most Windows NT 4.0 and Windows 2000 systems are configured to run Dr. Watson when an application faults. The AeDebug key in the registry, located in the Software branch, names the debugger. If you find that registry key, you will find that in most cases it is configured with Dr. Watson. Dr. Watson is not a real debugger, just a post-mortem program that generates a snapshot of information when a process crashes. If you have installed Visual Studio or some other development tool, the registry may have been modified so that Dr. Watson is no longer used; instead, taking the Visual Studio development environment as an example, when a process crashes you see the message box shown at the bottom of the screen, including detailed information about the exception and an option for the programmer to exit the program or run the debugger. But in most cases the message box at the top is still what is displayed.

What happens when a program crashes? First let us create such a situation and look at the result. Let us go back to the command line and run a program that immediately causes an access violation by referencing address 0, an illegal address. The message box generated by Dr. Watson appears, and at the same time an error log entry is created; we still do not know where it goes, so click OK. Next we run the Dr. Watson tool interactively to determine the location of the error log. I run Drwtsn32, the program name of the Dr. Watson tool. When you run the Dr. Watson tool, it displays a configuration dialog that tells you the location of the log file and of the crash dump file; although the message box did not mention it, you can see that a crash dump file is obviously created. The default in Windows NT 4.0 and Windows 2000 is to create both a Dr. Watson log file and a crash dump file. The crash dump file, user.dmp, contains the contents of the private memory space of the dead process. The log file contains textual information that may or may not be helpful to the programmer. The user.dmp file contains the exact state of the process; in other words, it contains the dirty pages of the process address space at the time of death. The dump file can be loaded into a tool called Windbg, the Windows debugger, to observe the state of the process when it crashed, in the hope of debugging or diagnosing the problem. In practice, for each crashed process you should send the user.dmp file to the owner of the program. For example, if Outlook crashes with an unknown problem, you should send the dump file to Microsoft; if it is third-party software, you should send the user.dmp file to that vendor. The dump file is overwritten each time; in contrast, the log file is appended to by default. The log file keeps trace information for every process crash; unfortunately, user.dmp is overwritten. So unless you have some other mechanism, or your users have been trained to locate and rename the file, only the information about the most recent dead process is guaranteed to be kept.

Note that this is not the NT kernel crash dump generated by a system crash, but a dump file generated by a process crash. Different tools are used to examine these two kinds of dump file. At the most basic level, if your users encounter a Dr. Watson or program error, someone should get hold of the dump file, copy it to their own system, rename it and send it to the vendor.

Another tool related to process crashes is an enhanced user dump tool added to Windows 2000 as part of the Debugging Tools. It is installed when you install the Debugging Tools from the customer support diagnostics CD. This tool does something Dr. Watson currently cannot: generate a user.dmp file for a hung process without affecting the process. Today, if a process hangs, your only choice is to kill it. In that case there is now also a way to obtain a memory snapshot that you can send to the vendor in the hope of getting the problem resolved. The tool can be run from the command line or through a predefined hotkey (which helps when you cannot get to a command line). For more information, refer to the help file for the Windows 2000 Debugging Tools.
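The two things the lecture says to find out after a crash, as an added example (not the lecture's or Microsoft's code): which post-mortem debugger AeDebug names, and, when it is Dr. Watson, where the log and user.dmp go, plus a helper that keeps a time-stamped copy of user.dmp because the next crash overwrites it. It assumes a current Windows host; the value names under HKCU\Software\Microsoft\DrWatson are the ones drwtsn32 wrote on NT/2000/XP and are an assumption here, as is the presence of drwtsn32 at all on newer systems.

```powershell
# Added example; not from the lecture. Registry paths: AeDebug is named in the
# lecture; the DrWatson value names (LogFilePath, CrashDumpFile, AppendToLogFile)
# are assumed from the classic drwtsn32 configuration dialog.
function Get-PostMortemDebuggerConfig {
    $aeDebug  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
    $drWatson = 'HKCU:\Software\Microsoft\DrWatson'

    $cfg = [ordered]@{
        Debugger        = $null   # command line run on an unhandled exception
        Auto            = $null   # "1": run it without prompting the user
        IsDrWatson      = $false
        LogFilePath     = $null   # Dr. Watson log: appended to on every crash
        CrashDumpFile   = $null   # user.dmp: overwritten on every crash
        AppendToLogFile = $null
    }

    if (Test-Path $aeDebug) {
        $v = Get-ItemProperty -Path $aeDebug
        $cfg.Debugger   = $v.Debugger
        $cfg.Auto       = $v.Auto
        $cfg.IsDrWatson = [bool]($v.Debugger -match 'drwtsn32')
    }
    if ($cfg.IsDrWatson -and (Test-Path $drWatson)) {
        $w = Get-ItemProperty -Path $drWatson
        $cfg.LogFilePath     = $w.LogFilePath
        $cfg.CrashDumpFile   = $w.CrashDumpFile
        $cfg.AppendToLogFile = $w.AppendToLogFile
    }
    [pscustomobject]$cfg
}

# The lecture's caveat: only the most recent user.dmp survives unless someone
# renames it. Copy it aside under a name derived from its own timestamp.
function Save-CrashDumpCopy {
    param(
        [Parameter(Mandatory)][string]$DumpPath,      # e.g. the CrashDumpFile value above
        [Parameter(Mandatory)][string]$Destination    # folder that keeps the archive
    )
    if (-not (Test-Path $DumpPath)) { return $null }
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    $stamp  = (Get-Item $DumpPath).LastWriteTime.ToString('yyyyMMdd-HHmmss')
    $target = Join-Path $Destination ("user-$stamp.dmp")
    Copy-Item -Path $DumpPath -Destination $target
    return $target
}

$cfg = Get-PostMortemDebuggerConfig
$cfg | Format-List
if ($cfg.IsDrWatson -and $cfg.CrashDumpFile) {
    Save-CrashDumpCopy -DumpPath $cfg.CrashDumpFile -Destination (Join-Path $env:TEMP 'crashdumps')
}
```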

That concludes our look at understanding Windows NT 4.0 and Windows 2000 system and process activity. I hope that with the tools we have seen, when the system is running slowly or something fails, you can dig into the process or system activity and identify where the CPU time is going and why.

For more information, there is a great deal of material on NT troubleshooting in the articles on the TechNet web site. Of course, the official Microsoft Windows 2000 courses are also useful. The Windows 2000 Technology Center on the TechNet web site is another good reference. The slide also lists some useful sources of information about the Windows 2000 operating system: for example my book, Inside Windows 2000, Second Edition; the Windows 2000 Resource Kit, which contains valuable information on NT system configuration; and one you might not think of visiting, the Hardware Developer web site (Microsoft.com/hwdev), which contains some NT internals articles of interest to driver writers. Finally, there are some additional tools and technical information on the sysinternals.com web site.

I would like to thank the members of the Windows NT and Windows 2000 development groups, and my customer Jamie Hanrahan. The former provided access to the source code while my book and this lecture were being prepared; the latter wrote the NT internals classification section required for this lecture. If you want more information, please visit our web site, www.salsin.com. Session TNQ 00 ends here.

Understanding Windows 2000 and NT Processes (2)

Source: Wales

Now we are observing, through the Performance Monitor display, the I/O operations generated by each process in the system. Each process has two lines: one records data operations, the other records the other operations, such as file opens and closes. The system quickly settles down, as we expected. Now let us return to the command line and start some activity that generates many operations. Let us try an operation that touches every directory on the hard disk: DIR C: /S. This produces a listing, from the root of C: downwards, of every subdirectory on the C drive. As we can see, many directory read operations are being performed to produce the data being displayed. While this runs, let us go back to Performance Monitor and look at the line at the top of the display: we can see that someone is performing a large number of I/O operations. Now consider how to determine which process this line, representing the large number of I/O operations, actually belongs to.

Let us turn on highlighting: click the highlight button or use the shortcut Ctrl-H. If you have used Performance Monitor, you will know that with highlighting on, when you scroll through the counter list with the down arrow key, the line of the process currently selected in the list box is highlighted in white. So I scroll down the counter list until the line currently at the top turns white. That's it. Can you see the instance name displayed at the bottom? It is CMD. So the CMD process is the one generating all of these I/O operations. This is easy to understand, because CMD is the command window, and that is where the directory I/O is coming from. This is how you use Performance Monitor to watch I/O operations per second per process and see which process is responsible when I/O is being performed. OK, this is interesting, but there is still a question: where are the I/O operations going? What we have just seen only tells us which process is doing the I/O. That brings us to the next tool in the slides: File Monitor.
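The highlight-key step done in code: sample the two Process counters the lecture plots (IO Data Operations/sec and IO Other Operations/sec), average them per process instance, and rank the processes, using the ID Process counter to turn an instance name such as cmd#1 into a PID. This is an added example, not part of the lecture; it assumes a current Windows host with PowerShell 3 or later and English counter names.

```powershell
# Added example; not from the lecture. Assumes PowerShell 3+ and English counter names.
function Get-TopIoProcesses {
    param([int]$Top = 5, [int]$Seconds = 3)

    $paths = @(
        '\Process(*)\IO Data Operations/sec',    # reads and writes
        '\Process(*)\IO Other Operations/sec',   # opens, closes, control operations
        '\Process(*)\ID Process'                 # maps the instance name to a PID
    )
    $sets = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds

    # Accumulate per instance. Paths look like \\host\process(cmd#1)\io data operations/sec.
    $acc = @{}
    foreach ($s in $sets.CounterSamples) {
        if (-not ($s.Path -match '\\process\(([^)]+)\)\\(.+)$')) { continue }
        $inst = $Matches[1].ToLowerInvariant()
        $ctr  = $Matches[2].ToLowerInvariant()
        if ($inst -eq '_total' -or $inst -eq 'idle') { continue }   # not real I/O sources
        if (-not $acc.ContainsKey($inst)) {
            $acc[$inst] = @{ Data = 0.0; Other = 0.0; Pid = 0; N = 0 }
        }
        switch ($ctr) {
            'io data operations/sec'  { $acc[$inst].Data  += $s.CookedValue; $acc[$inst].N += 1 }
            'io other operations/sec' { $acc[$inst].Other += $s.CookedValue }
            'id process'              { $acc[$inst].Pid    = [int]$s.CookedValue }
        }
    }

    # Average over the samples taken and rank by total operations per second,
    # which is what the top line of the Performance Monitor chart represented.
    $rows = foreach ($k in $acc.Keys) {
        $n = [math]::Max(1, $acc[$k].N)
        [pscustomobject]@{
            Instance    = $k
            Pid         = $acc[$k].Pid
            DataOpsSec  = [math]::Round($acc[$k].Data  / $n, 1)
            OtherOpsSec = [math]::Round($acc[$k].Other / $n, 1)
        }
    }
    $rows | Sort-Object { $_.DataOpsSec + $_.OtherOpsSec } -Descending | Select-Object -First $Top
}

# Run this while something like "DIR C: /S" is executing in another window.
Get-TopIoProcesses -Top 5 -Seconds 3 | Format-Table -AutoSize
```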

File Monitor (Filemon) is the third tool we have used so far that comes from the sysinternals.com web site. Like the others, it involves a device driver. When you run File Monitor, it loads a file system filter driver that intercepts every I/O operation in the system, displays it on the screen, and then passes it on to the appropriate device driver. So it slows I/O operations down considerably, but it does provide an effective way to determine the source of I/O operations, because every I/O operation is recorded, and the recorded information includes the process name, the file name referenced, and the type of operation, such as read or write. Let us look at it concretely. Back at the command line, I run File Monitor from the demo directory with the filemon command. File Monitor has now started monitoring file activity. Although there appear to be some I/O operations going on in the background, the system is still fairly quiet; in fact, on this particular Windows 2000 system there is a system process that performs some database I/O every second or two. Now let us go back to the command line and try to generate some heavy I/O activity against a particular file. The target is a large file that every Windows 2000 system has: the driver cabinet file.

This driver cabinet file contains compressed versions of all the device drivers shipped with Windows 2000. It is stored in the WINNT\Driver Cache folder. I start Windows NT Explorer and go to my WINNT\Driver Cache folder to do a simple copy of this file. I open the C drive, expand the Winnt directory, then the Driver Cache directory and the I386 directory; there is the driver.cab file. Note that its size is 51 megabytes, so it is an ideal test object. I simply use the Copy and Paste commands on the Edit menu to make a copy of the file. You can see that we are now copying a 51 megabyte file.

Let us go back to File Monitor and look at its display. As we can see in the output area, there are a large number of I/O operations on the driver.cab file and its copy. I use the shortcut Ctrl-E to stop File Monitor's monitoring, and we can see some read and write operations: reads from the driver.cab file and writes to its copy of the same name. Now let us go back and cancel the file copy. You have seen an example of File Monitor observing individual I/O operations and letting you see which file each I/O operation is on.

You can do some filtering with File Monitor. For example, if you are only interested in I/O to the C or D drive, or to a particular directory on those drives, you can filter on a specific path; you can also highlight a specified path name so that you can easily find the particular files you are interested in among all the monitored files. This again confirms that for tracking I/O activity and which file an I/O operation lands on, File Monitor is an important tool.

The last point in this part is that File Monitor indicates paging I/O by adding a small asterisk to the line. Because the Windows 2000 cache manager uses the memory manager's normal paging mechanism to complete file I/O, you can see paging activity against a file caused by an application. In other words, since the cache subsystem reads data from the file using the memory manager's normal paging mechanism, for an application that opens and reads a file, its I/O shows up in File Monitor as paging reads.

The last area of file or system process activity that we need to be able to monitor is registry activity. As most of you know, the registry is the database NT uses to configure itself: the drivers to load, all the administrative settings and each user's profile settings are stored there. Sometimes it is very helpful for a system administrator to know where in the registry a particular setting is stored. There is a tool on the sysinternals.com web site called Registry Monitor that monitors every read and/or write to the registry. Let us run Registry Monitor. I return to the command line and run the copy of Registry Monitor from the sysinternals.com web site that is in the demo directory. When Registry Monitor starts, it loads a driver that begins intercepting all queries to the registry. At this moment the MMC process that hosts Performance Monitor is also making registry queries, so let us go back and close Performance Monitor to stop them. OK, now the system is quiet. The registry is usually quiet; in other words, if a process is continually reading or writing the registry, something is wrong at that point and you might consider filing a bug report. The registry is queried when a process starts and when NT boots; it is not a database that should be accessed constantly. Use Registry Monitor to find out where a particular system setting is stored in the registry. For example, if you start Registry Monitor, go into the Control Panel and open one of the applets or tabs, you will be able to see exactly which registry keys are being traced, and that may lead to some deeper research into the registry, for example in the Windows 2000 Resource Kit help file (which documents most registry keys). That is the Registry Monitor utility. Next, two questions. What runs in NT? What is the scheduling unit? The answer is the thread. Remember, processes do not run; threads run. Every process contains at least one thread.

How can a thread be running much of the time and yet not be charged CPU time? A thread can do a great deal of work that NT runs on its behalf, yet rarely or never be charged CPU time. The answer is that NT uses an interval-based clock to account for CPU time. If, when the clock fires, the thread that was running is no longer running, it is not charged for that clock tick. The default clock interval is every 10 milliseconds, although the default differs between systems; whichever thread is current when the clock fires is charged for the whole 10-millisecond tick. If no thread is running, the tick is charged to the idle thread. The idle thread is part of the System Idle Process displayed in Task Manager. Recall that the first process listed on the Processes tab is the idle process. Its role is to accumulate all of the CPU clock ticks during which no thread is running.

Last question: how large is the process address space? NT is a 32-bit operating system, and 32 bits correspond to 4 GB. By default, NT gives half of that address space to the user process and keeps the other half of the 4 GB for itself.

We have spent some time observing the internals of processes and the I/O activity within them, DLL usage, open handles and registry activity. In the following section we look at how NT distinguishes CPU time spent on operating system work from CPU time spent by the application, and how NT maintains and accounts interrupt time. Interrupts are a very important topic, because interrupt time is not charged to any thread and so does not show up in any process. In other words, a system under a heavy interrupt load can look very slow while apparently no process is running. We will answer that question in this section. Now I suggest we first go back and discuss the boundary between time spent in the operating system and time spent in the application code itself. NT uses two memory protection modes, sometimes called kernel mode and user mode, or in other contexts privileged mode and user mode. Every page in a process's 4 GB address space is marked as to whether it is a kernel-mode page: pages in the system address space are marked as kernel pages, and pages in all user address spaces are marked as user pages. The only way to access a page marked as kernel is to run in kernel mode, and only the operating system and device drivers run in kernel mode. In other words, unless a user program loads a device driver, it cannot run in kernel mode. This is a robust level of memory protection between applications and the operating system. No matter how an application runs, and no matter what memory address it tries to reference or change, it can never corrupt system data structures, because all operating system and device driver memory structures are marked as kernel pages. They are in the system address space, and because applications run in user mode, they can neither see nor modify that data.

Threads switch between user mode and kernel mode frequently. Every system call, for example opening a file, closing a file, reading data or writing data, takes the thread from user-mode application code into kernel-mode operating system code. So when the 10-millisecond clock interval fires, how does NT decide who to charge the CPU time to? If the thread is in kernel mode, that is, running part of the operating system, NT increments the thread's privileged time counter. If the thread is running inside the user's application code, NT charges the interval to the thread's user time. NT therefore keeps an accurate account of how much time a thread spends in the application and how much in the operating system. If you look at the CPU Time column on the Processes tab of Task Manager you will find that it does not distinguish privileged time from user time; it shows only total CPU time. But there are tools that let us observe an application and quickly work out how much time it spends in its own code versus in the operating system. That brings us to the next demonstration:

Using the QSLICE, or Quick Slice, tool to examine a process's CPU time.

Let us run Quick Slice via Start / Run / qslice. It is included in the Windows 2000 Support Tools. Quick Slice displays CPU activity per process, with red meaning kernel mode and blue meaning user mode. Notice what is happening on my system right now: process 0, which Quick Slice calls System, is 100% in kernel mode, whereas in Task Manager that same process is called System Idle Process. Here you see a quirk of NT's process display tools: each tool makes up its own name for the idle process, and the names are inconsistent. The idle process is a pseudo-process that NT uses to account for idle CPU cycles, and those cycles are counted as kernel-mode time.

Let us run a program that simulates a typical user application. It is called CPUSTRESS and is included in the Resource Kit. I will run it via Start / Run / cpustress. When it starts, it runs one thread at the Low activity level. Low activity means the thread is running 25% of the time and waiting the other 75%. At the bottom of the Quick Slice display, CPUSTRESS keeps popping up, running briefly in user mode (shown as a blue bar) and disappearing again. Let us turn its activity level up to Maximum.

Click the activity list box, scroll down and select Maximum. Notice what happens now: it has gone 100% blue. The Maximum activity level puts CPUSTRESS into an infinite loop. There is only one process involved here, and it is essentially entirely in application code, making no system calls. If instead you see a mix of separate blue and red segments, the program is in the usual situation: some time spent in the application, some time spent in the operating system. So with QSLICE you can easily observe a process and quickly determine where it is consuming CPU, in the user-mode application or in the kernel-mode operating system.
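The tick-based accounting described above (the 10 ms clock charges the whole interval to whichever thread is current, as privileged or user time, and to the idle thread when nothing runs) can be reproduced in a small simulation. This is an added example, not code from the lecture or from Windows; the timeline, the thread names and the tick length are constructed.

```python
"""Simulation of NT's clock-interval CPU accounting (added example, constructed data).

One CPU, a 10 ms clock tick, and a hand-built timeline of which thread is on the
CPU, and in which mode, at every microsecond. The clock handler charges the whole
tick to whatever is current at the instant the tick fires; nothing between ticks is
measured. No Windows API is involved, so this runs anywhere.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List

TICK_US = 10_000      # default NT clock interval: 10 ms
RUN_US = 1_000_000    # simulate one second of wall-clock time
IDLE = "idle"         # the per-CPU idle thread; its ticks count as kernel time


@dataclass(frozen=True)
class Slice:
    """One contiguous run of a thread on the CPU, covering [start_us, end_us)."""
    start_us: int
    end_us: int
    thread: str
    mode: str         # "user" or "kernel"


@dataclass
class Counters:
    user_us: int = 0
    kernel_us: int = 0


def build_timeline() -> List[Slice]:
    """Constructed scenario: two threads that each run once per clock tick.

    'syscall' runs 0.5 ms of kernel-mode code starting exactly at each tick;
    'burst' runs 2 ms of user-mode code starting 1 ms after each tick.
    The CPU is idle for the remaining 7.5 ms of every tick.
    """
    timeline: List[Slice] = []
    for tick in range(0, RUN_US, TICK_US):
        timeline.append(Slice(tick, tick + 500, "syscall", "kernel"))
        timeline.append(Slice(tick + 1_000, tick + 3_000, "burst", "user"))
    return timeline


def running_at(timeline: List[Slice], t_us: int) -> Slice:
    """Return the slice executing at instant t_us, or an idle slice if none is."""
    starts = [s.start_us for s in timeline]        # timeline is sorted by start
    i = bisect_right(starts, t_us) - 1
    if i >= 0 and timeline[i].end_us > t_us:
        return timeline[i]
    return Slice(t_us, t_us + 1, IDLE, "kernel")


def charge(counters: Dict[str, Counters], thread: str, mode: str, us: int) -> None:
    c = counters.setdefault(thread, Counters())
    if mode == "kernel":
        c.kernel_us += us     # "privileged time" in NT's terms
    else:
        c.user_us += us


def sampled_accounting(timeline: List[Slice], run_us: int = RUN_US,
                       tick_us: int = TICK_US) -> Dict[str, Counters]:
    """What clock-interval accounting reports: at each tick the current thread is
    charged the full interval in the mode it is executing in at that instant."""
    counters: Dict[str, Counters] = {}
    for tick in range(0, run_us, tick_us):
        s = running_at(timeline, tick)
        charge(counters, s.thread, s.mode, tick_us)
    return counters


def exact_accounting(timeline: List[Slice], run_us: int = RUN_US) -> Dict[str, Counters]:
    """Ground truth: the time each thread really spent on the CPU."""
    counters: Dict[str, Counters] = {}
    busy = 0
    for s in timeline:
        charge(counters, s.thread, s.mode, s.end_us - s.start_us)
        busy += s.end_us - s.start_us
    charge(counters, IDLE, "kernel", run_us - busy)
    return counters


def percent(c: Counters, run_us: int = RUN_US) -> float:
    return 100.0 * (c.user_us + c.kernel_us) / run_us


if __name__ == "__main__":
    tl = build_timeline()
    for label, acct in (("sampled", sampled_accounting(tl)), ("exact", exact_accounting(tl))):
        print(label)
        for name in ("syscall", "burst", IDLE):
            c = acct.get(name, Counters())
            print(f"  {name:8s} user={c.user_us:>8} us  kernel={c.kernel_us:>8} us  {percent(c):5.1f}%")
```

In this scenario the sampled view charges 100% kernel time to 'syscall' and nothing at all to 'burst' or to the idle thread, while the exact view shows 5% kernel, 20% user and 75% idle; the short kernel-mode thread is over-counted only because it is what happens to be current when the clock fires.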

NT runs operating system code in kernel, or privileged, mode for three reasons. So far we have described only the first: a user application issues a system call, for example to open or close a file, allocate or free memory, create a process or create a thread. Let us now introduce the second reason; the third we will cover in the next section.

The second reason NT spends time in kernel mode is interrupts, during which the user's thread cannot continue to run. Interrupts are caused by the IO requests of user applications. Over the next few slides we will go into some technical detail that may seem of interest only to NT device driver writers. The reason for going to this level of detail is that NT accounts for interrupt time with two separate Performance Monitor counters: one for % Interrupt Time and another called % DPC Time. So what is a DPC? To understand the two counters we first need to understand DPCs.

Let us start with what happens when an interrupt arrives. When an interrupt occurs, the running thread is interrupted and some NT system code runs to find the driver associated with that interrupt source and call it. The driver does the work it needs to do, the interrupt is dismissed, and control returns to the thread that was executing. As an aside: because an interrupt is handled independently of the context of the thread it interrupted, NT's interrupt handling is considered lean and fast. NT does not switch to some special interrupt-handling thread; it simply saves the state of the currently running thread, calls the driver to do its work, dismisses the interrupt and returns the interrupted thread to the running state.

Since interrupts can originate from many different interrupt sources, there has to be a mechanism for prioritising their delivery, and that mechanism is also the reason two different counters, interrupt time and DPC time, are used to monitor interrupt-related activity. NT uses 32 related priority levels to prioritise and service interrupts. It is a scheme you never see in user programs and never see in Performance Monitor. It is called the interrupt request level, or IRQL.

When a driver loads, it tells NT its interrupt source and its IRQL; think of this as a relative priority. So when an interrupt occurs, NT looks at the IRQL of the interrupt source. If it is higher than the level at which the processor is currently running, the interrupt is taken and serviced. If it is lower than or equal to the current level, its processing is deferred until the higher-priority interrupt source has finished its work. What is blocked while an interrupt is being serviced, that is, what does not run while the driver is handling the interrupt? The answer: all other interrupts of the same or lower priority, and all thread execution. In other words, interrupt processing always pre-empts process activity regardless of process or thread priority; all process activity on the system is suspended.

To keep the time a driver spends at high interrupt priority short, NT provides a mechanism by which a driver can, in effect, say: "I have done the work that must be done at this interrupt level, but I have more to do. I will dismiss the interrupt now, but please call me back later so I can do the part that cannot be done at high priority." That operation is called a deferred procedure call, or DPC. Deferring means being called back later; the system keeps a queue, or list, recording the drivers' callback requests. When does the callback happen? When there is no higher-priority interrupt waiting to be delivered. Look back at the previous slide and notice where DPCs (deferred procedure calls) sit in the priority hierarchy: at level 2, below hardware device interrupts but above normal thread execution.

A simple way to think about it is to treat interrupt handling as two phases: the first phase at the interrupt level and the second phase at the DPC level. In Performance Monitor the two counters, % DPC Time and % Interrupt Time, sit right in front of you alongside the processor's default CPU time counters. That is why we have explained the details of interrupt delivery: so that you understand what % Interrupt Time and % DPC Time actually represent. Interrupt time reflects the first phase of interrupt processing; DPC time reflects the second phase. Now let us do a demonstration and observe interrupt activity in Performance Monitor.

Start Performance Monitor. Let us add % Interrupt Time and % DPC Time to the display by clicking the Add button; the counters we just described appear in the list. Click Add, then Close. Because Performance Monitor's default scale is 0 to 100, what is shown here are some fairly small numbers. I will right-click to open the Properties dialog, switch to the Graph tab and change the vertical maximum from 100 to 10 so the values are easier to read. Now we are watching interrupt and DPC activity. The red line is DPC time and the green line is interrupt time. If we move the mouse back and forth, like this, notice the sudden spikes on the green line? They are the interrupts generated by moving the mouse. The DPC time, meanwhile, seems to occur regularly once per second, which is certainly the result of some IO operation. When you see a continuous DPC pattern like this, go back to the earlier material: the next step is to find out who is performing the IO.

Remember the tool for that job? File Monitor. File Monitor will tell us which process is issuing the IO operations that subsequently cause the DPCs. The key point to remember when looking at interrupt time is that it is not charged to any thread or process, which leads to this section's quick question and answer.

If the system looks very slow but Task Manager shows no process running, what is going on? It must be interrupts. Use Performance Monitor to look at interrupts per second and DPCs per second, or at % Interrupt Time and % DPC Time. Once again: the time consumed in interrupt processing is not charged to a thread, so no process appears to be running. Look at interrupt time.

I said we would come back and identify every process that NT creates and runs on the system. Why does this matter? Because if some context is running and it is not yours, it must be part of NT, that is, some system process. Being able to identify all the system processes is therefore another important component of troubleshooting and performance analysis on Windows 2000 and Windows NT 4.0 systems.

Now we will use the TLIST /T command introduced earlier to walk the system process tree. TLIST /T displays the hierarchy between processes, so with this tool we can quickly see where processes originate and which processes are their children. To review that earlier section, I will go back to the command line, run TLIST /T and refer to its output as we go through the slide. Looking at the TLIST /T output, the first two processes are the ones we are about to describe: their process IDs are 0 and 8. Process 0 is the idle process. It is not a process that runs a real program; on a multiprocessor system it has one thread per CPU, so the idle time of each CPU is accounted for separately. Incidentally, this is a quick and simple way to check how well the second, third, fourth and fifth CPUs in your system are being used: by looking at the idle time of each CPU you can judge how evenly the load is distributed across your multiprocessor server or workstation. The idle process is not really running. Remember that in Quick Slice and Task Manager the idle process looks as if it is running because, when the clock fires and no thread is running, the interval is charged to that CPU's idle thread. So it appears to be running, when in fact the system is idle.

The second process, process 8 (process ID 2 in NT 4.0), is a special kind of thread family called kernel-mode system threads. This process, named System, contains threads belonging to NT itself and to any component or driver that needs an actual thread of its own, in other words, one that needs to execute concurrently with other system activity. A couple of examples help explain the idea. Several parts of the operating system need to run in the background, the swapper for instance, and they run as system threads. When NT decides that a process has been idle for some time and other processes are requesting physical memory, it marks that process's memory as reclaimable. Who then does the work of swapping that process out? The swapper, which is a thread running alongside all the other threads in the system. The file server is a driver that creates system threads. This is an interesting illustration: on a heavily loaded file server, the client IO activity shows up as running threads, but because the file server itself is not a process, you see no server process. The driver creates and uses system threads to service remote network IO requests. That makes this an important monitoring point: a heavily loaded file server keeps the system threads busy, but because those system threads live mostly in the process called System, we need some way to dig into the System process and find out which thread is running. Based on what we have covered so far, if someone tells you the System process is running, what do you know? Basically nothing. You know that some piece of NT (perhaps a driver) is running, but not which piece.

That brings us to the next demo: determining which thread in the System process is running, and therefore which piece of NT, or which driver, created it. It is a somewhat messy procedure because it needs three tools: Performance Monitor, Process Viewer, and a tool from the NT 4.0 Resource Kit called PSTAT. PSTAT is not only in the Windows 2000 Resource Kit; it is also part of the Platform SDK (the platform software development kit), which ships with MSDN (Microsoft Developer Network) and its subsequent releases, and it is included in the demo files for this lecture. The first thing to do is use Performance Monitor to find out which thread in the System process is running. Next we use PViewer to look at the thread we are interested in and find its start address: the memory address at which the thread began executing in the system address space. Finally we use PSTAT, which gives a memory map of the system address space, to locate which driver the thread's start address falls in, in other words, which driver owns the code the thread is running. So it is somewhat complex and uses three tools, but let us do the demonstration and see how it works.

First, back to Performance Monitor. Let us start with a fresh chart; in fact, because we changed the chart settings, I will start a new Performance Monitor instance. I click the plus sign and add the CPU time of the threads in the System process to the chart: select the Thread object, select % Processor Time, scroll down to the process called System, click the first thread, thread 0, and drag the mouse down so that all the threads of the System process are selected, then click Add. Now, I am not done yet, because on Windows 2000 there is another process that also contains system threads: CSRSS, the Windows subsystem process. It contains the piece of NT that implements part of the Windows windowing system. In NT 4.0 all system threads lived in the System process; in Windows 2000 some system threads live in CSRSS and the rest in the process called System. We click Add, then Close.

I am now looking at more than 30 scattered system threads. Let us move the mouse rapidly, and you can see something running. How do I find the right thread among 30-odd lines sitting at zero? I turn on the highlight feature by clicking the highlight button, then scroll down the list until the counter that moves with the mouse is highlighted in white. There is a green spike in the middle of the display area; where did you see it? It is the one that turned from green to white. When I move the mouse I see that it is thread 6 of CSRSS.

The second step is to use PViewer, which is in the Support Tools: click Start / Programs / Windows 2000 Support Tools / Tools / Process Viewer. Select CSRSS, scroll down and select thread number 6. The information we are after is the thread's start address, shown at the bottom of the PViewer display. That address is where the thread began executing. It is shown in hexadecimal; here it is 0xA0009CBF.

OK, we have a memory address. What next? Step 3: run PSTAT, which is in our demo files, and look at the tail of its output. Ignore all the per-thread detail; the last part of PSTAT's output is the memory map of the system address space. It lists the name of each driver and its address in system memory. If I go to the end and look back up, I am looking for the driver that starts at or just below the thread's start address. Unfortunately PSTAT does not display the end address of each driver, only the start address, so you have to be careful about which driver you are looking at. Our example is easy, because only one driver is loaded at an address beginning with A00; if you look through the whole list, everything else has an address beginning with F, 8 or B. So I can immediately determine that the thread must be running a piece of code in the driver win32k.sys, which is the kernel-mode component of the Win32 graphics and windowing system. That makes sense: when you move the mouse you would expect some piece of the windowing system to run in order to work out which window the mouse is over. Although this is a contrived example, it does demonstrate the technique of using the three tools, Performance Monitor, PViewer and PSTAT, to dig into the System or CSRSS process and identify the driver that created a thread. This is an important trick, because if the System process is running on Windows 2000 and you cannot find out which driver or which piece of the system is responsible, you cannot make any judgement about what is going on.

If the thread start address happens to fall within the range of the operating system image itself (NTOSKRNL), the problem gets a bit more complicated. What do you know then? Not much. For example, look at the PSTAT output again: the topmost "device driver", which is not really a driver but the operating system itself, is loaded at 80400000. If I go back to PViewer and select the System process (note: System, not CSRSS), I find that many of the threads in that process start near address 804. Let me select System and, as I scroll through the first batch of threads, notice that most of them start near 804. So what does this tell us? It tells us the thread is a piece of NT, but not which piece; all we can say for certain is that it is part of NT rather than a driver. If you want to go one step further, there is a way to translate the memory address into the name of the routine, by means of the operating system kernel's symbol file (the debug symbols), which is supplied on the Windows 2000 customer diagnostics CD. That requires a tool called the kernel debugger, which I will not demonstrate in this lecture, but if you want to know how to perform that step, read the second edition of Inside Windows NT (the book is free on the Microsoft Press website), specifically the section in the second chapter on how to dump the NTOSKRNL kernel symbols and trace a system thread address to the name of the operating system routine
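The lookup performed by hand in step 3, taking the start address from PViewer into PSTAT's module map, is mechanical enough to script. This is an added example, not part of the lecture or of PSTAT; the module map is constructed, with only ntoskrnl at 0x80400000 and win32k.sys at 0xA0000000 taken from the values shown above, and the other entries are placeholders.

```python
"""Resolve a system thread's start address to the loaded image containing it.

Added example (constructed data, not PSTAT's real output). PSTAT's memory map
gives only the base (start) address of each image, so, exactly as in the manual
walk through the list, an image is taken to extend up to the next higher base.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KERNEL_IMAGE = "ntoskrnl.exe"

# Constructed stand-in for the tail of PSTAT's output: image name -> load address.
# ntoskrnl and win32k.sys use the values seen in the lecture; the rest are
# invented placeholders in the 8xxxxxxx / Bxxxxxxx / Fxxxxxxx ranges.
CONSTRUCTED_MODULE_MAP: Dict[str, int] = {
    "ntoskrnl.exe":  0x80400000,   # the OS image itself, first in PSTAT's list
    "example_a.sys": 0x80010000,   # placeholder driver (constructed)
    "win32k.sys":    0xA0000000,   # Win32 graphics/windowing kernel component
    "example_b.sys": 0xBE800000,   # placeholder driver (constructed)
    "example_c.sys": 0xF0400000,   # placeholder driver (constructed)
}


@dataclass(frozen=True)
class Hit:
    module: str
    base: int
    offset: int                  # address - base
    next_base: Optional[int]     # start of the next image: the assumed upper bound

    @property
    def in_kernel_image(self) -> bool:
        """True when the thread starts inside the OS image itself. PSTAT alone
        cannot say which routine; that needs symbols and the kernel debugger."""
        return self.module == KERNEL_IMAGE


def sorted_map(module_map: Dict[str, int]) -> List[Tuple[int, str]]:
    """PSTAT lists images in load order; sort by base so we can binary-search."""
    return sorted((base, name) for name, base in module_map.items())


def resolve(address: int, module_map: Dict[str, int]) -> Optional[Hit]:
    """Find the image whose base is the highest one not above `address`.

    Returns None when the address lies below every loaded image (for example a
    user-mode address, which cannot be the start of a kernel system thread).
    """
    entries = sorted_map(module_map)
    bases = [b for b, _ in entries]
    i = bisect_right(bases, address) - 1
    if i < 0:
        return None
    base, name = entries[i]
    next_base = entries[i + 1][0] if i + 1 < len(entries) else None
    return Hit(name, base, address - base, next_base)


def describe(address: int, module_map: Dict[str, int] = CONSTRUCTED_MODULE_MAP) -> str:
    """One-line verdict in the terms the lecture uses."""
    hit = resolve(address, module_map)
    if hit is None:
        return f"{address:#010x}: below every loaded image; not a system-thread start"
    where = f"{hit.module}+{hit.offset:#x} (base {hit.base:#010x})"
    if hit.in_kernel_image:
        return f"{address:#010x}: inside {where}; part of NT, routine unknown without symbols"
    return f"{address:#010x}: in driver {where}"


if __name__ == "__main__":
    # Thread 6 of CSRSS from the demo, a System-process thread, and a user address.
    for addr in (0xA0009CBF, 0x8040ABCD, 0x7FFE0000):
        print(describe(addr))
```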

Now let us go back and finish the rest of the system process tree. Remember that TLIST /T shows us this tree; this slide shows the same parent-child relationships between processes graphically. Let us describe the remaining processes. Looking at the TLIST /T output, you will notice that the first process with an .exe name is SMSS, the Session Manager. It is the first process created, and it is involved in loading the rest of the system. So that you can see the TLIST /T output, I will go back to the command line and type TLIST /T. The Session Manager has two children: CSRSS and Winlogon. CSRSS, which we just mentioned, is a piece of the windowing system; when you see the next slide there will be two more details about why this process runs. CSRSS is not a process that runs often; it is only called for a small part of the windowing system's requests. If you do see CSRSS running frequently on your system, there are one or two likely reasons, which are also the last two parts of this presentation: window management, and character-mode applications (for example, a command prompt), which are handled by CSRSS. If you run 16-bit DOS or Windows 3.1 applications, part of the support for them is also in CSRSS; however, on a normal NT Server or Windows 2000 Professional desktop this process should be quiet. Now let us return to the previous slide and complete the rest of the process tree.

As the name suggests, Winlogon is the logon process. It provides the dialog boxes used to type the logon key sequence and enter your credentials. When you type your user name and password, Winlogon passes them to a child process called LSASS. If you are logging on locally to the server or workstation, LSASS checks the user name and password against the local security database (the SAM). Because the Netlogon service runs inside LSASS, if you are logging on to an NT 4.0 domain account the user name and password are sent to the LSASS process running on a domain controller in the domain that contains the account you are logging on with.

Now let us look at the TLIST /T output again. How many child processes of Winlogon can we see? Two: the service controller and LSASS. Let us talk about the service controller. What is a Windows NT service? A service is a piece of a server application; the application is typically registered in the registry and is started by the service controller when the system boots. On the next slide you will see a picture of the service process hierarchy. When a server application such as SQL Server or Exchange Server is added to the registry as a service, then at boot time the service controller scans the services database in the registry, builds a dependency graph (because services can depend on one another) and starts them in the correct order. As the TLIST /T output shows, the service controller has many child processes; these are the executable images that contain the server-application components implementing the services.

So how do you view the list of installed services? Click Start / Settings / Control Panel and then, on Windows 2000, Administrative Tools; in Administrative Tools, click Services. What you get is similar to Windows NT 4.0 with some extra information. For example, the Description is new in Windows 2000 and provides some extra descriptive text explaining what the service does. The ability to view detailed properties of a service is also new in Windows 2000. For example, I will scroll down to the Print Spooler service, right-click it and choose Properties from the context menu. Among the properties shown is the path to the executable. Why is that important? Because a service's name does not always map to the name of the executable file that contains the code implementing it; in other words, if you are looking at Task Manager and see a service process running, the executable's name may not immediately tell you which of the services listed in Control Panel it implements.

The next slide shows how to map the service activity you see in the system to the services defined in the registry. We have just seen how to map a service to the executable file name of its process, but how do we go the other way? TLIST solves this with a parameter we have not used yet, /S. For each process that contains a service it displays the names of the services in that process, as I am showing now. Note that some service processes contain a single service, like the Print Spooler, while others contain several; this means that, even knowing which service process is running, you still have some explaining to do about the CPU time it uses, but you have at least narrowed the problem down. Keep in mind that the names shown in the third column are not what you see in Control Panel, because a service has three names: the display name you see in Control Panel, the name of the service's executable, and the registry service name. What TLIST shows is the registry service name. So if you go into the registry and look at the list of services (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services), you will see the registry key names in alphabetical order, and under each key the display name shown in Control Panel and the name of the executable. So with the TLIST tool you can at least tell, to some degree, whether one of these service processes is running and exactly which service or services are causing the CPU consumption.

Our last section deals with observing abnormal process activity: what happens when a process crashes. No one likes to see an application crash, but I am sure all of you have at least seen the top half of this screen, the message box generated by the famous Dr. Watson program. What we are looking at is actually the updated Dr. Watson message box in Windows 2000, which carries one piece of information less than the NT 4.0 version. Windows NT 4.0 labelled the message box as an application crash and attributed it to Dr. Watson; now it is labelled only as an application error, and it adds some help text that NT 4.0 did not have, chiefly "you will need to restart the program". Although most users know they have to do that, this message box states more clearly that when an application crashes you need to restart it. Unfortunately it still does not tell users what to do about the crash; it only says that an error log was created.

So what is this error log, and what do you do with it? That is exactly what this section addresses. First, what causes a process to crash? An unhandled exception, for example referencing an invalid memory address or dividing by zero. Most Windows NT 4.0 and Windows 2000 systems are configured to run Dr. Watson when an application faults. The AeDebug key in the registry, which lives under the Software branch, names the debugger. If you find that key you will see that in most cases the configured debugger is Dr. Watson. Dr. Watson is not a real debugger, just a post-mortem tool that takes a snapshot of information when a process crashes. If you have Visual Studio or some other development tool installed, the registry may have been modified to use that instead of Dr. Watson; the Visual Studio development environment is one example. When a process crashes you then see the message box shown at the bottom of the screen, which includes the exception details and gives the programmer the choice to exit or to run the debugger. In most cases, though, it is the message box at the top that you see.

What happens when a program crashes? First, let us create that situation and look at the result. Back at the command line, run a program that immediately causes an access violation by referencing address 0, an illegal address. A message box produced by Dr. Watson appears, and at the same time an error log entry is created; at this point we still do not know where it went, so click OK. Next we run the Dr. Watson tool interactively to find the location of that log entry. I will run Drwtsn32, which is the program name of the Dr. Watson tool. When you run it, it shows a configuration dialog that tells you the location of the log file and the crash dump file; although the message box did not mention it, you can see that a crash dump file was obviously created. The default behaviour on Windows NT 4.0 and Windows 2000 is to create both a Dr. Watson log file and a crash dump file. The crash dump file, User.dmp, contains the contents of the private memory space of the dying process. The log file contains text information that may or may not be helpful to a programmer. The User.dmp file captures the exact state of the process; in other words, it contains the "dirty sand in the sandbox" at the time of death. The dump file can be loaded into a tool such as the Windows debugger, Windbg, to observe the state of the process at the moment it crashed, in the hope of debugging or diagnosing the problem. In practice, for each crashed process you should send the user.dmp file to the owner of the program. For example, if Outlook crashes with an unknown problem, you should send the dump file to Microsoft; if it is third-party software, you should send the USER.DMP file to its vendor. The dump file is overwritten each time, whereas the log file is appended to by default. So the log file keeps trace information for every process crash, but unfortunately the user.dmp file is overwritten. Therefore, unless you use some mechanism to preserve the file, or ensure that users have been trained to locate and rename it, only the information from the most recently crashed process is retained.
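The two administrative points above, checking which post-mortem debugger the system will launch and keeping user.dmp from being overwritten, can be scripted. The following PowerShell is an added example and is not code from the talk or from Microsoft. It assumes the documented AeDebug key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (which still exists on current Windows, although Dr. Watson itself was replaced by Windows Error Reporting after Windows XP), the Debugger and Auto values in that key, and a dump path taken from the Drwtsn32 configuration dialog; the archive directory name is a placeholder. It needs PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: inspect the post-mortem debugger setting and archive
# Dr. Watson's user.dmp with a timestamp so each crash is preserved.
# Assumed: AeDebug key path/values as documented for NT 4.0 and later;
# $DumpPath is whatever the Drwtsn32 dialog reports as the crash dump file.

function Get-PostMortemDebugger {
    # AeDebug holds the command line the system runs when a process faults.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        Debugger   = $props.Debugger                    # e.g. 'drwtsn32 -p %ld -e %ld -g'
        Auto       = $props.Auto                        # '1' = launch silently, '0' = prompt first
        IsDrWatson = ($props.Debugger -match 'drwtsn32')
    }
}

function Save-CrashDump {
    param(
        [Parameter(Mandatory)] [string] $DumpPath,   # path shown in the Drwtsn32 dialog
        [Parameter(Mandatory)] [string] $ArchiveDir  # placeholder, e.g. 'C:\CrashDumps'
    )
    if (-not (Test-Path -LiteralPath $DumpPath)) {
        Write-Warning "No dump file at $DumpPath"
        return $null
    }
    if (-not (Test-Path -LiteralPath $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }
    # Name the copy after the dump's own write time, so it reflects the crash,
    # not the moment this script happened to run.
    $dump  = Get-Item -LiteralPath $DumpPath
    $stamp = $dump.LastWriteTime.ToString('yyyyMMdd-HHmmss')
    $dest  = Join-Path $ArchiveDir ("user-{0}.dmp" -f $stamp)

    # Copy rather than move, so Dr. Watson's expected file location still exists.
    Copy-Item -LiteralPath $DumpPath -Destination $dest

    # Record a SHA-256 so the vendor can confirm the file arrived intact.
    $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    "$stamp  $hash  $dest" | Add-Content -Path (Join-Path $ArchiveDir 'index.txt')
    return $dest
}

# Usage (run in an elevated prompt to read HKLM reliably):
Get-PostMortemDebugger | Format-List
Save-CrashDump -DumpPath 'C:\PATH\FROM\DRWTSN32\user.dmp' -ArchiveDir 'C:\CrashDumps'
```

Running Save-CrashDump from a scheduled task, or immediately after a user reports a crash, gives you the "mechanism" the text mentions: every dump is kept under a unique name with a hash, instead of relying on the user to find and rename the file before the next crash overwrites it.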

Note that this is not the NT kernel crash dump generated when the whole system crashes; it is a dump file generated by a process crash. Different tools are used to examine these two kinds of dump file. At the very least, if one of your users encounters a Dr. Watson error or a program error, someone should take the dump file, transfer it to their own system, rename it and send it to the vendor. Another tool related to process crashes is the user dump tool, which was added as part of the debugging tools in Windows 2000. It is installed when you install the debugging tools from the diagnostics CD. The tool can do something Dr. Watson currently cannot: generate a User.dmp file from a suspended process without affecting that process. So if you have a hung program and your only other choice is to kill the process, there is still a way to obtain a memory snapshot that you can send to the vendor in the hope of getting the problem solved. The tool can be run from the command line or through a predefined shortcut key, which is useful when you cannot switch to the command line. For more information, refer to the help file of the Windows 2000 debugging tools.

That covers understanding system and process activity on Windows NT 4.0 and Windows 2000. I hope that with the tools we have seen, when the system runs slowly or something fails, you can dig into process or system activity and identify where the CPU time is going and why.

For further reading, there is a lot of material on NT troubleshooting in the articles on the TechNet website. The official Microsoft Windows 2000 courses are also useful, and the Windows 2000 Technology Center on the TechNet website is another good reference. Some useful sources of information about the Windows 2000 operating system are listed at the bottom of the slide: for example, my book "Inside Windows 2000, Second Edition"; the Windows 2000 Resource Kit, which has very valuable information on NT system configuration; a web page you might not think of visiting, the Hardware Developer site (microsoft.com/hwdev), which contains some articles on NT internals of interest to driver writers; and finally, some additional tools and technical information on the sysinternals.com website.
