Reading Windows® Internals, Sixth Edition, Part 2 in full

A great way to remind yourself of what a blue screen looks like or to fool your office workers and friends is to run the Blue Screen screen saver from Sysinternals. The screen saver simulates authentic-looking blue screens that reflect the version of Windows on which you run it, generating all blue screen text using actual system information, such as the list of loaded drivers. It also mimics an automatic reboot, complete with the Windows startup splash screen. Note that unlike other screen savers, where a mouse movement dismisses them, the Blue Screen screen saver requires a key press.

By using the following syntax for the Psexec tool from Sysinternals, you can even run the screen saver on another system:

psexec \\computername -c -f -i -d "SysInternalsBluescreen.scr" -s -accepteula

The command requires that you have administrative privilege on the remote system. (You can use the -u and -p Psexec switches to specify alternate credentials.) Make sure that your coworker has a sense of humor!

Conclusion

Although many crashes can be analyzed with some of the techniques described in this chapter, many require analysis that goes beyond the scope of this book. Here are some additional resources that may be useful if you want to learn more advanced crash analysis techniques and information:

The Microsoft Platforms Global Escalation Services team blog, at http://blogs.msdn.com/ntdebugging, provides various tips and tricks and real-life scenarios encountered by the team.

The website http://www.dumpanalysis.org provides hundreds of patterns and advanced analysis scenarios and hints.

Appendix A. Contents of Windows Internals, Sixth Edition, Part 1

          Introduction

Chapter 1 Concepts and Tools

          Windows Operating System Versions

          Foundation Concepts and Terms

                  Windows API

                  Services, Functions, and Routines

                  Processes, Threads, and Jobs

                  Virtual Memory

                  Kernel Mode vs. User Mode

                  Terminal Services and Multiple Sessions

                  Objects and Handles

                  Security

                  Registry

                  Unicode

          Digging into Windows Internals

                  Performance Monitor

                  Kernel Debugging

                  Windows Software Development Kit

                  Windows Driver Kit

                  Sysinternals Tools

          Conclusion

Chapter 2 System Architecture

          Requirements and Design Goals

          Operating System Model

          Architecture Overview

                  Portability

                  Symmetric Multiprocessing

                  Scalability

                  Differences Between Client and Server Versions

                  Checked Build

          Key System Components

                  Environment Subsystems and Subsystem DLLs

                  Ntdll.dll

                  Executive

                  Kernel

                  Hardware Abstraction Layer

                  Device Drivers

                  System Processes

          Conclusion

Chapter 3 System Mechanisms

          Trap Dispatching

                  Interrupt Dispatching

                  Timer Processing

                  Exception Dispatching

                  System Service Dispatching

          Object Manager

                  Executive Objects

                  Object Structure

          Synchronization

                  High-IRQL Synchronization

                  Low-IRQL Synchronization

          System Worker Threads

          Windows Global Flags

          Advanced Local Procedure Call

                  Connection Model

                  Message Model

                  Asynchronous Operation

                  Views, Regions, and Sections

                  Attributes

                  Blobs, Handles, and Resources

                  Security

                  Performance

                  Debugging and Tracing

          Kernel Event Tracing

          Wow64

                  Wow64 Process Address Space Layout

                  System Calls

                  Exception Dispatching

                  User APC Dispatching

                  Console Support

                  User Callbacks

                  File System Redirection

                  Registry Redirection

                  I/O Control Requests

                  16-Bit Installer Applications

                  Printing

                  Restrictions

          User-Mode Debugging

                  Kernel Support

                  Native Support

                  Windows Subsystem Support

          Image Loader

                  Early Process Initialization

                  DLL Name Resolution and Redirection

                  Loaded Module Database

                  Import Parsing

                  Post-Import Process Initialization

                  SwitchBack

                  API Sets

          Hypervisor (Hyper-V)

                  Partitions

                  Parent Partition

                  Child Partitions

                  Hardware Emulation and Support

          Kernel Transaction Manager

          Hotpatch Support

          Kernel Patch Protection

          Code Integrity

          Conclusion

Chapter 4 Management Mechanisms

          The Registry

                  Viewing and Changing the Registry

                  Registry Usage

                  Registry Data Types

                  Registry Logical Structure

                  Transactional Registry (TxR)

                  Monitoring Registry Activity

                  Process Monitor Internals

                  Registry Internals

          Services

                  Service Applications

                  The Service Control Manager

                  Service Startup

                  Startup Errors

                  Accepting the Boot and Last Known Good

                  Service Failures

                  Service Shutdown

                  Shared Service Processes

                  Service Tags

          Unified Background Process Manager

                  Initialization

                  UBPM API

                  Provider Registration

                  Consumer Registration

                  Task Host

                  Service Control Programs

          Windows Management Instrumentation

                  Providers

                  The Common Information Model and the Managed Object Format Language

                  Class Association

                  WMI Implementation

                  WMI Security

          Windows Diagnostic Infrastructure

                  WDI Instrumentation

                  Diagnostic Policy Service

                  Diagnostic Functionality

          Conclusion

Chapter 5 Processes, Threads, and Jobs

          Process Internals

                  Data Structures

          Protected Processes

          Flow of CreateProcess

                  Stage 1: Converting and Validating Parameters and Flags

                  Stage 2: Opening the Image to Be Executed

                  Stage 3: Creating the Windows Executive Process Object (PspAllocateProcess)
