Clik here to view.
Call Stacks for Pool Allocations
Hello, it's the Debug Ninja back again for another NtDebugging Blog article. For as long as I can remember user mode debuggers have had an easy way to get call stacks for heap allocations. On more...
View ArticleClik here to view.
Where Did My Disk I/O Go?
Hello, Mr. Ninja back again. I recently discovered that although my team often tracks I/O from the file system through to the disk controller, we have never publicly documented the steps required to...
View ArticleClik here to view.
My Kernel Debugger Won't Connect
Hello ntdebugging readers, the Debug Ninja is back again with a quick blog this holiday season. I recently encountered a situation where the kernel debugger could not connect to a Windows Server 2008...
View ArticleClik here to view.
Configuring a Hyper-V VM For Kernel Debugging
Yesterday's blog prompted some questions about how to set up a debugger for a Windows OS running in a Hyper-V VM. I was surprised that I wasn't able to find good, publicly available, Microsoft issued...
View ArticleClik here to view.
Identifying Global Atom Table Leaks
Hi, it's the Debug Ninja back again with another debugging adventure. Recently I have encountered several instances where processes fail to initialize, and a review of available resources showed that...
View ArticleClik here to view.
Updated Archive of the NtDebugging Twitter Debug Tips
Every Wednesday (usually) we post a debug tip to our twitter page at https://twitter.com/#!/ntdebugging . This blog is an archive of these tips to allow our readers to find this information easily....
View ArticleClik here to view.
What Did Storport Do With My I/O?
In a previous article I showed how to track an I/O request from the filesystem, through the class driver, and to the storage driver. In that article I concluded with " From this data we can usually...
View ArticleClik here to view.
How To Deadlock Yourself (Don’t Do This)
Some APIs should come with a warning in big red letters saying “ DANGER! ”, or perhaps more subtly “ PROCEED WITH CAUTION ”. One such API is ExSetResourceOwnerPointer . Although the documentation...
View ArticleClik here to view.
Troubleshooting Pool Leaks Part 1 – Perfmon
Over the years the NTDebugging Blog has published several articles about pool memory and pool leaks. However, we haven’t taken a comprehensive approach to understanding and troubleshooting pool memory...
View ArticleClik here to view.
Troubleshooting Pool Leaks Part 2 – Poolmon
In our previous article we discussed how to identify a pool leak using perfmon. Although it may be interesting to know that you have a pool leak, most customers are interested in identifying the cause...
View ArticleClik here to view.
Troubleshooting Pool Leaks Part 3 – Debugging
In our previous articles we discussed identifying a pool leak with perfmon , and narrowing the source of the leak with poolmon . These tools are often preferred because they are easy to use, provide...
View ArticleClik here to view.
Troubleshooting Pool Leaks Part 4 – Debugging Multiple Users for a Tag
In our previous articles we discussed various techniques for identifying a pool memory leak and narrowing the scope of the leak to an individual pool tag. Knowing the leaking pool tag is often...
View ArticleClik here to view.
Troubleshooting Pool Leaks Part 5 – PoolHitTag
In Part 4 we narrowed the source of the leaked pool memory to the specific driver which is allocating it, and we identified where in the driver this allocation was taking place. However, we did not...
View ArticleClik here to view.
Troubleshooting Pool Leaks Part 7 – Windows Performance Toolkit
In Part 1 of this series we identified a pool leak in non paged pool. In Part 2 and Part 3 of this series we identified what pool tag was leaking. In Part 5 and Part 6 we got call stacks showing the...
View ArticleClik here to view.
Use Caution When Implementing IPC for Performance Counters
Recently I was working with a developer who had created performance counters that work in Performance Monitor but are never collected in a user defined data collector set. The customer explained...
View ArticleClik here to view.
Debugging a Debugger to Debug a Dump
Recently I came across an instance where my debugger did not do what I wanted. Rarely do computers disobey me, but this one was unusually stubborn. There was no other option; I had to bend the...
View ArticleClik here to view.
Understanding Pool Corruption Part 1 – Buffer Overflows
Before we can discuss pool corruption we must understand what pool is. Pool is kernel mode memory used as a storage space for drivers. Pool is organized in a similar way to how you might use a...
View ArticleClik here to view.
Understanding Pool Corruption Part 2 – Special Pool for Buffer Overruns
In our previous article we discussed pool corruption that occurs when a driver writes too much data in a buffer. In this article we will discuss how special pool can help identify the driver that...
View ArticleClik here to view.
The Compiler Did What?
I was recently investigating a crash in an application. As I researched the issue I found a very old defect in the code that was only recently being exposed by the compiler. The crash occurred at...
View ArticleClik here to view.
Call Stacks for Pool Allocations
Hello, it's the Debug Ninja back again for another NtDebugging Blog article. For as long as I can remember user mode debuggers have had an easy way to get call stacks for heap allocations. On more...
View Article