About Me

My photo
This blog has been created to share technical information, interesting innovations that I notice on daily basis and Architectural/Consulting overview of various technologies. My areas of interest, on which I would be blogging, are VMware, Microsoft and Citrix Technologies. I hope you will enjoy this blog and share your experience with me.

Clustering and HA Resources -- clustering Blog

General Resources

· Cluster Team Site: Clustering Technical Resources
· Guide: Failover Clustering Deployment
· Guide: Validating Hardware for a Failover Cluster
· Guide: Migrating Cluster Settings
· Guide: Configuring the Quorum in a Failover Cluster
· Guide: Configuring Accounts in Active Directory
· Guide: Configure a Service or Application for High Availability
· Guide: Modifying Settings for a Failover Cluster
· Guide: Installing a Failover Cluster
· Guide: Creating a Failover Cluster
· Guide: Cluster Requirements
· Guide: Validating a cluster
· Guide: Managing a Failover Cluster
· Guide: The Failover Cluster Management Snap-In
· TechNet: Support Policy
· Webcast: Top 10 Windows Server 2008 Failover Clustering Enhancements over Windows Server 2003 Clustering, Based on Best Practices (Level 300)
· Webcast: Failover Clustering 101
· Webcast: Achieving High Availability with Windows Server “Longhorn” Clustering (Level 200)
Webcast: Microsoft Webcast: Reducing IT Overhead with Windows Server 2008 Storage Features 
Webcast: TechNet Webcast: Build High-Availability Infrastructures with Windows Server 2008 Failover Clustering
Webcast: IT Manager Webcast: Delivering High Availability to Your Infrastructure
Webcast: TechNet Webcast: Failover Cluster Validation and Troubleshooting with Windows Server 2008
Webcast: TechNet Webcast: Failover Clustering and Quorum in Windows Server 2008 Enterprise Storage
Webcast: TechNet Virtual Lab: Windows Server 2008 Enterprise Failover Clustering Lab
· Whitepaper: Failover Cluster Architecture Overview
· Whitepaper: Microsoft’s HA Strategy
· Whitepaper: Overview of Failover Clustering


· Utility: Remote Server Administration Tools (simplifies Server Core configurations)
· Guide: Server Core
· TechNet: Installation
· Webcast: How Microsoft does IT: Enhancing High Availability with Server Core in Windows Server 2008

Exchange Server

File Server

· Guide: Configuring a Two-Node File Server Failover Cluster
· TechNet: Creating a Clustered File Server checklist
· TechNet: Create a Shared Folder in a Clustered File Server
· WebCast: TechNet Webcast: Prepare Yourself for Windows Server 2008 (Part 5 of 8): New File Server Features
· WebCast: How Microsoft IT Deploys Windows 2008 Clusters for File Services
· Webcast: New File Server Features of Windows Server 2008 (Level 200)


· Guide: Testing Hyper-V and Failover Clustering
· Guide: Getting Started with Hyper-V
· Guide: Design for a Failover Cluster in Which All Nodes Run Hyper-V
· TechNet: High-Availability for a Server Running Hyper-V
· TechNet: Requirements and Recommendations for Failover Clusters in Which All Nodes Run Hyper-V
· TechNet: Failover Cluster in which the Servers run Hyper-V
· Webcast: TechNet Webcast: High Availability with Hyper-V
· Webcast: TechNet Webcast: 24 Hours of Windows Server 2008 (Part 24 of 24): High Availability with Hyper-V
· Webcast: TechNet Webcast: Creating Business Continuity Solutions Using Windows Virtualization
· Whitepaper: Quick Migration with Hyper-V

Multi-Site Clustering

· Cluster Team Site: http://www.microsoft.com/windowsserver2008/en/us/clustering-multisite.aspx
· Guide: Deployment Considerations for Windows Server 2008 failover cluster nodes on different, routed subnets
· Webcast: TechNet Webcast: Geographically Dispersed Failover Clustering in Windows Server 2008 Enterprise
· Webcast: How You Can Achieve Greater Availability with Failover Clustering Across Multiple Sites (Level 300) 
· Whitepaper: Multi-site Clustering

Network Load Balancing

· Guide: NLB Troubleshooting Overview
· Guide: Server Core: Install the NLB feature
· Guide: Create/manage/destroy NLB clusters via NLB Manager remotely from another server, or from RSAT client (admin pack) on Vista
· TechNet: Configuring NLB with Terminal Services
· TechNet: NLB Deployment Guide
· TechNet: Implementing a new NLB Cluster
· TechNet: Verifying the NLB Cluster and Enabling Client Access
· TechNet: Overview of NLB
· TechNet: Creating NLB Clusters
· TechNet: Managing NLB Clusters
· TechNet: Setting NLB Parameters
· TechNet: Controlling Hosts on NLB clusters
· TechNet: Troubleshooting for System Event Messages Related to NLB Cluster
· TechNet: User Interface: NLB Manager
· TechNet: Upgrading a NLB Cluster
· Webcast: 24 Hours of Windows Server 2008 (Part 23 of 24): Failover Clustering and Network Load Balancing

SQL Server

Useful Link:http://blogs.msdn.com/clustering/

Windows Server 2008 Step-by-Step Guides

These step-by-step guides help IT Professionals learn about and evaluate Windows Server 2008.

  • Creating_and_Deploying_Active_Directory_Rights_Management_Services_Templates_Step-by-Step_Guide.doc
  • Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide.doc
  • Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide.doc
  • Deploying SSTP Remote Access Step by Step Guide.doc
  • Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.doc
  • Server Manager Scenarios Step-by-Step Guide.doc
  • Step-by-Step Guide for Configuring a Two-Node File Server Failover Cluster in Windows Server 2008.doc
  • Step-by-Step Guide for Configuring a Two-Node Print Server Failover Cluster in Windows Server 2008.doc
  • Step-by-Step Guide for Windows Deployment Services in Windows Server 2008.doc
  • Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security.doc
  • Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide.doc
  • Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide.doc
  • Windows Server 2008 Foundation Network Guide.doc
  • Windows Server 2008 Step-by-Step Guide for DNS in Small Networks.doc
  • Windows Server 2008 TS Gateway Server Step-By-Step Setup Guide.doc
  • Windows_ Server_Active_Directory_Rights_Management_Services_Step-by-Step_Guide.doc
  • Windows_Server_2008_Terminal_Services_RemoteApp_Step-by-Step_Guide.doc
  • Windows_Server_2008_TS_Licensing_Step-By-Step_Setup_Guide.doc
  • Windows_Server_2008_TS_Session_Broker_Load_Balancing_Step-By-Step_Guide.doc

    Download Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce&DisplayLang=en


  • Storage Manager for SANs Step-by-Step Guide

    With Storage Manager for SANs, you can create and manage logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service (VDS) in your storage area network (SAN). This guide provides server and storage subsystem requirements, an introduction to managing LUNs, and step-by-step walkthroughs for creating and assigning LUNs using Storage Manager for SANs in Windows Server 2008.

    Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=06556478-838c-450e-9173-9851378271ad&DisplayLang=en


    Failover Cluster Validation Report failed for Duplicate IP address Windows 2008

    Cluster validation wizard is used to check pre-requisite\best practices before building the cluster. While playing with my lab, I came across a issue under Network Test.

    Found duplicate IP address fe80::100:7f:fffe%14 on node node1.vodka.com adapter Local Area Connection* X and node node2.vodka.com adapter Local Area Connection* X.



    It turns out that this is the result of the Teredo, an IPv6 Tunneling Protocol. Teredo allows IPv6 communications to pass through IPv4 NATs and IPv4 servers. However Teredo gives an identical IPv6 address to its network interfaces, which Failover Clustering flags as an error since it require unique IP addresses.

    So how do you fix this? There are 2 ways, some details are provided here: http://technet2.microsoft.com/WindowsVista/en/library/91d35c9f-3049-44f4-b711-743dc152c7c31033.mspx?mfr=true

    1) Disable Teredo through command line

    a. Open ‘Command Prompt’ and ‘Run as Administrator’
    b. Type:
               i. > netsh
              ii. > interface
              iii. > teredo
              iv. > set state disabled
    c. Teredo will now be disabled


    2) Disable Teredo through the registry

    a. Open the Registry Editor

    i. This can be done through an elevated Command Prompt and typing ‘regedit’

    b. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6

    c. Right-click on the ‘Parameters’ tab, select ‘New’, choose ‘DWORD’

    i. Enter the following name (including capitalization): “DisabledComponents”

    d. Double-click on “DisabledComponents”, select ‘Hexadecimal’, under ‘Value data’

    i. Enter “8”

    e. Click ‘OK’
    f. Restart your machine
    g. Teredo will now be disabled


    But what about disabling Teredo through Device Manager?  This will only disable the Teredo adapter so the system does not see it anymore, however this does not disable the underlying logic.  This could cause issues later, so it is recommended to disable it through the command line or the registry.

    Run Validate and this test will now pass. Enjoy your fully supported cluster!

    Don’t forget to leave your valuable comments.


    Useful Blogs:
    Microsoft's Failover and Network Load Balancing Clustering Team Blog: http://blogs.msdn.com/clustering/

    Troubleshoot Active Directory Logon issue – By Anang Kumar

    • Note the error message (Sometime the error message is very specific )
    • Login to the machine using local admin account
    • Check the system Date and time / Time zone – Make sure they are similar to authenticating DC
    • Check DNS – Make Sure they are pointing to Right DNS (DNS which is alive and doing the name resolution)
    • Check DNS records with the help of NSLOOKUP
    • Ping the DC – IP, Netbios Name and FQDn
    • Ping the DC to DC with 1500 MTU
    • Run Netdiag and check DNS and Trust and Kerberos test
    • Make sure NIC card is enabled of “register me in DNS”
    • Check event viewer for any know errors like Userenv, Kerberos, netlogon
    • Enable netlogon log and do the further troubleshooting  

    Don't forget to post your comments :)

    Anang Kumar

    PowerGUI, a graphical user interface and script editor for Windows PowerShell!

    What is PowerGUI?

    PowerGUI is an extensible graphical administrative console for managing systems based on Windows PowerShell. These include Windows OS (XP, 2003, Vista), Exchange 2007, Operations Manager 2007 and other new systems from Microsoft. The tool allows to use the rich capabilities of Windows PowerShell in a familiar and intuitive GUI console.

    PowerShell is built-in feature under Windows Server 2008

    Download PowerShell for Windows Vista, Windows 2003 and Windows XP

    Download PowerGUI

    Power Packs

    Active Directory: http://powergui.org/kbcategory.jspa?categoryID=46

    Microsoft Operations Manager (MOM): http://powergui.org/kbcategory.jspa?categoryID=49

    Virtualization: http://powergui.org/kbcategory.jspa?categoryID=290

    Microsoft Exchange: http://powergui.org/kbcategory.jspa?categoryID=47

    Network: http://powergui.org/kbcategory.jspa?categoryID=48

    SQL: http://powergui.org/kbcategory.jspa?categoryID=54

    Others: http://powergui.org/kbcategory.jspa?categoryID=21

    User manuals

    For PowerGUI and QAD cmdlets user manuals and FAQ please visit PowerGUI wiki.


    Latest PowerGUI and QAD cmdlets news can be found at our team members' blogs:

    Videos and Flash Demos

    Don't forget to post your comments :)


    XP as Domain Controller :)

    This is very funny XP machine as a domain controller

    1) Create a share called SYSVOL on an XP machine

    2) Try to unshare the directory you shared as SYSVOL.

    3) You will get a nice warning stating:

    "This share is required for the machine to act properly as a domain controller. Removing it will cause a loss of functionality on all clients that this domain controller serves. Are you sure you wish to stop sharing SYSVOL?"


    But do not worry - unsharing SYSVOL on XP will not break your AD. This is just an example of code reuse that Microsoft does.

    Don't forget to post your comments :)


    Useful Blog:
    Guy Teverovsky: http://blogs.microsoft.co.il/blogs/guyt/archive/2007/09/06/XP-as-Domain-Controller-_3F00_.aspx

    ADRestore GUI version

    Accidentally deleted user, computer account or OU’s from Active Directory. Don’t worry, now you can get them back using ADRestore tool using GUI interface.

    Though there is a command line version of tombstone reanimation tool called adrestore - sysinternals, many people are not CLI savvies and having a GUI version of this functionality could really help them out.

    Insight on tombstone: Reanimating Active Directory Tombstone Objects - By Gil Kirkpatrick
    Gil Kirkpatrick's article at Technet

    Main features:

    • Browsing the tombstones
    • Domain Controller targeting
    • Can be used with alternative credentials (convenient if you do not logon to your desktop as Domain Admin, which you should never do anyway)
    • User/Computer/OU/Container reanimation
    • Preview of tombstone attributes

    Here are some sceenshots:

    Enumerating tombstones

    Previewing the tombstone attributes

    Restoring a deleted user account

    Notice that if you delete an OU with accounts in it, you will have to restore first the OUs the accounts were in, otherwise the reanimation of the child object will fail. It is not enough to create an OU with the same name as this will be a totally new object in AD and child object's lastKnowParent attribute will still reference the deleted OU. Here is a walthrough:

    Initial state:

    TestOU organizational unit is deleted:

    State of tombstones (notice that lastKnownParent attribute of user and computer accounts reference the deleted OU):

    OU is restored (lastKnowParent points to the restored OU's distinguished name):

    Both computer and user accounts that resided in TestOU are reanimated:

    Download ADRestore.NET

    Don't forget to post your comments :)


    Useful Blogs:

    ADRestore Rewrite: http://blogs.microsoft.co.il/blogs/guyt/ 
    Reanimating Active Directory Tombstone Objects: http://technet.microsoft.com/en-us/magazine/cc137800.aspx

    Hyper-V Videos by John Savill

    One of the most useful videos I have found on the internet, for Hyper-V. Thanks to John Savill for his efforts and time.

    Don't forget to post your comments :)


    32-bit Memory Management Explained

    Windows 32-bit Operating Systems implement a virtual memory system based on a flat 32-bit address space.  32-bits of address space translates into 4GB of virtual memory.  A process can access up to 4GB of memory address space (using the /3GB switch changes this behavior - and we'll cover that in a later post).

    You can't have a discussion of Memory Management basics, without distinguishing between Kernel-mode and User-mode memory.  The system space (aka Kernel space) is the portion of the address space in which the OS and kernel-mode drivers reside.  Only kernel-mode code can access this space.  User-mode threads can access data only in the context of their own process.  User-mode threads cannot access data within another processes space directly, nor can it access the system address space directly.  Kernel-mode drivers are trusted by the OS and can access both kernel and user space.  When a driver routine is called from a user thread, the thread's data remains in the user-mode space.  However, the kernel-mode driver can access the user-mode data for the thread and access the kernel-mode space.


    OK - so looking at the diagram above, we can see how the 4GB memory address space is divided.  Windows allocates the lower half of the 4GB address space (from 0x00000000 to 0x7FFFFFFF) to processes for their own unique private storage, and reserves the other half (from 0x80000000 to 0xFFFFFFFF) for the Operating System's use.  Virtual memory provides a view of memory that does not necessarily correspond to the physical layout of memory.

    Kernel memory chart for Windows 2003 Server:


    Default                            ( /PAE for 6-16GB )



    Free System PTE: 51k          Paged Pool: 282MB 
    Non Paged Pool: 212MB

    Free System PTE: 32k          Paged Pool: 163MB 
    Non Paged Pool: 131MB


    Free System PTE: 196k          Paged Pool: 360MB 
    Non Paged Pool: 262MB

    Free System PTE: 16k          Paged Pool: 262MB
    Non Paged Pool: 131MB


    Free System PTE: 195k         Paged Pool: 360MB
    Non Paged Pool: 262MB

    Free System PTE: 14k
    Paged Pool: 262MB
    Non Paged Pool: 131MB


    Free System PTE: 106k          Paged Pool: 336MB 
    Non Paged Pool: 285MB

    Free System PTE: 15k          Paged Pool: 258MB 
    Non Paged Pool: 154MB


    Free System PTE: 186k          Paged Pool: 366MB 
    Non Paged Pool: 262MB

    Free System PTE: 12k          Paged Pool: 239MB 
    Non Paged Pool: 131MB


    Free System PTE: 182k          Paged Pool: 366MB 
    Non Paged Pool: 262MB

    Free System PTE: 12k          Paged Pool: 225MB 
    Non Paged Pool: 131MB


    Free System PTE: 175k          Paged Pool: 366MB 
    Non Paged Pool: 262MB

    Free System PTE: 12k         Paged Pool: 196MB 
    Non Paged Pool: 131MB


    Free System PTE: 167k          Paged Pool: 366MB 
    Non Paged Pool: 262MB

    Free System PTE: 12k          Paged Pool: 169MB 
    Non Paged Pool: 131MB


    What is /3GB?:

    /3GB is a switch used within the Boot.ini to Increase the size of a user process address space from 2 GB to 3G B. This in-turn reduces the Kernel space from 2 GB to 1 GB. This is a positive aspect for virtual-memory-intensive applications such as database servers a larger address space can improve their performance. For an application to take advantage of this feature, however, two additional conditions must be met: the system must be running Windows 2000 Advanced Server or Datacenter Server or Windows 2003 (All Editions) and the application .exe must be flagged as a 3-GB-aware application

    With the /3GB switch we enable 3 GB area of  user-mode memory for programs to use. This feature can expand the virtual address range for user-mode memory from 0x0000000 through 0xBFFFFFF (the user-mode address range is typically from 0x00000000 through 0x7FFFFFFF). The range of memory that is available for kernel-mode components shrinks from 0x80000000-0xFFFFFFFF to 0xC0000000-0xFFFFFFFF.


    What is /USERVA?:

    Windows 2003 Servers and Windows XP SP1 incorporate a new /USERVA switch to work in conjunction with /3GB switch. You can use the /userva=<xxxx> switch for more precise tuning of user and kernel virtual memory space in the Windows Server 2003 family. Use this new switch with the /3GB switch in the Boot.ini file to tune the User-mode space to a value between 2 and 3 gigabytes (GB), with the difference being given back to Kernel mode.


    Useful Blogs:

    Windows Internals Mark Russinovich's: http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx 
    Memory Management - Demystifying /3GB : http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx
    Memory Management: http://blogs.technet.com/askperf/archive/2007/02/23/memory-management-101.aspx

    Performance Analysis of Logs (PAL) Tool

    Tired of parsing the Perfmon (*.blg) manually. Let PAL make your job easier, give you html output and highlight high thresholds.

    Website: http://www.codeplex.com/PAL

    Project Description
    Ever have a performance problem, but don't know what performance counters to collect or how to analyze them? The PAL (Performance Analysis of Logs) tool is a new and powerful tool that reads in a performance monitor counter log (any known format) and analyzes it using complex, but known thresholds (provided). The tool generates an HTML based report which graphically charts important performance counters and throws alerts when thresholds are exceeded. The thresholds are originally based on thresholds defined by the Microsoft product teams and members of Microsoft support, but continue to be expanded by this ongoing project. This tool is not a replacement of traditional performance analysis, but it automates the analysis of performance counter logs enough to save you time. This is a VBScript and requires Microsoft LogParser (free download).


    • Thresholds files for most of the major Microsoft products such as IIS, MOSS, SQL Server, BizTalk, Exchange, and Active Directory.
    • An easy to use GUI interface which makes creating batch files for the PAL.vbs script.
    • A GUI editor for creating or editing your own threshold files.
    • Creates an HTML based report for ease of copy/pasting into other applications.
    • Analyzes performance counter logs for thresholds using thresholds that change their critieria based on the computer's role or hardware specs.

    Download Link: http://www.codeplex.com/PAL/Release/ProjectReleases.aspx?ReleaseId=16807  

    To use PAL

    The PAL tool is primarily a VBScript that requires arguments/parameters passed to it in order to properly analyze performance monitor logs. In v1.1 and later of PAL, a GUI interface has been added to help with this process.


    Operating Systems
    PAL runs successfully on all of the following operating systems: Windows XP SP2, Windows Vista, and Windows 2003 Server. 32-bit only due to OWC11 requirements.
    Note: The optional GUI (windows form) portion of PAL requires the Microsoft .NET Framework v2.0.

    Log Parser 2.2
    Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. PAL uses the Log Parser tool to query perform logs and to create charts and graphs for the PAL report.

    Microsoft Office Web Components 2003
    Log Parser requires the Office Web Components 2003 in order to create charts.

    Watch online at: http://www.livemeeting.com/cc/microsoft/view?id=JKGT3N
    Download it (20071005IntrotoPALwmv.zip) from:

    Related Blogs and Reviews
    Clint Huffman's Windows Performance Analysis Blog
    Mike Lagase's Exchange Performance Analysis Blog
    Two Exchange Server Tools You Should Know About


    Failover Clustering Windows 2008 Videos by John Savill

    One of the most useful videos I have found on the internet, for failover clustering. Thanks to John Savill for his efforts and time.

    Don't forget to post your comments :)


    Few useful Debugging Commands - WinDbg

    All of these commands are for kernel mode. These are few useful commands, that I use on daily basis for debugging. I hope you find them useful

    Lists Version information for the machine/dump you're debugging.  You can also use "version" to tell you about the debugger bits.

    1: kd> vertarget
    Windows Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
    Product: LanManNt, suite: TerminalServer SingleUserTS
    Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
    Kernel base = 0xfffff800`0160c000 PsLoadedModuleList = 0xfffff800`017d1db0
    Debug session time: Tue Apr  1 14:29:22.553 2008 (GMT-7)
    System Uptime: 0 days 0:03:14.328


    Good utility to check the CPU revs, BIOS revs, etc

    1: kd> !sysinfo machineid
    Machine ID Information [From Smbios 2.31, DMIVersion 0, Size=1695]
    BiosVendor = Phoenix Technologies LTD
    BiosVersion = 6.00
    BiosReleaseDate = 09/24/2007
    SystemManufacturer = VMware, Inc.
    SystemProductName = VMware Virtual Platform
    SystemVersion = None
    BaseBoardManufacturer = Intel Corporation
    BaseBoardProduct = 440BX Desktop Reference Platform
    BaseBoardVersion = None

    1: kd> !sysinfo cpuinfo
    [CPU Information]
    ~MHz = REG_DWORD 2000
    Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0
    Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
    Identifier = REG_SZ x86 Family 6 Model 15 Stepping 8
    ProcessorNameString = REG_SZ Intel(R) Xeon(R) CPU           L5335  @ 2.00GHz
    Update Signature = REG_BINARY 0,0,0,0,b4,0,0,0
    Update Status = REG_DWORD 2
    VendorIdentifier = REG_SZ GenuineIntel
    MSR8B = REG_QWORD b400000000


    Getting the Server Name from the dump:
    It's quite a bit easier to do internally, but this will get it done too.  Good to know you're debugging the right server. :)

    1: kd> dS srv!srvcomputername
    e1b64db0  "Phantom"


    Display current thread on the target system

    1: kd> !thread
    THREAD fa6046c8  Cid 1ab4.1f34  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
    IRP List:
        fa0cc490: (0006,01d8) Flags: 00000404  Mdl: 00000000
    Not impersonating
    Owning Process            fa15f3e0       Image:         cmd.exe
    Wait Start TickCount      16627733       Ticks: 0
    Context Switch Count      1102                 LargeStack
    UserTime                  00:00:00.312
    KernelTime                00:00:00.109
    Win32 Start Address 0x00407ccc
    Start Address 0x77e617f8
    Stack Init f1e9d000 Current f1e9c4b8 Base f1e9d000 Limit f1e99000 Call 0
    Priority 6 BasePriority 6 PriorityDecrement 0
    ChildEBP RetAddr  Args to Child             
    f1e9c174 e105bba7 0000008e c0000005 e11294a0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
    f1e9c538 e10346b4 f1e9c554 00000000 f1e9c5a8 nt!KiDispatchException+0x3a2 (FPO: [Non-Fpo])
    f1e9c5a0 e1034668 f1e9c628 e11294a0 badb0d00 nt!CommonDispatchException+0x4a (FPO: [0,20,0])
    f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!Kei386EoiHelper+0x186
    f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
    f1e9c648 e112d742 f9de0310 f9de03c8 00000180 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
    f1e9c680 e112c65d 00000000 00000000 b57f0000 nt!ObOpenObjectByName+0x8f (FPO: [Non-Fpo])
    f1e9c6fc e1131d22 f1e9c7fc 00000180 f1e9c7b8 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
    f1e9c758 f4df068a f1e9c7fc 00000180 f1e9c7b8 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f1e9c7a4 f4defe67 80005510 00540052 e9fa0920 savrt+0x4668a
    00000000 00000000 00000000 00000000 00000000 savrt+0x45e67


    Display information about an I/O request packet

    1: kd> !irp fa0cc490
    Irp is active with 10 stacks 12 is current (= 0xfa0cc68c)
    No Mdl: No System Buffer: Thread fa6046c8:  Irp is completed. 
         cmd  flg cl Device   File     Completion-Context
    [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                Args: 00000000 00000000 00000000 00000000
    [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                Args: 00000000 00000000 00000000 00000000
    [ 12, 0]   0  0 fd1a8020 00000000 00000000-00000000   
                Args: 00000000 00000000 00000000 00000000
    [ 12, 0]   0  0 fd101cd8 00000000 00000000-00000000   
              *** ERROR: Symbol file could not be found.  Defaulted to export symbols for SYMEVENT.SYS -
                Args: 00000000 00000000 00000000 00000000


    Investigate what data structures are consuming the various memory pools

    !poolused 2 - sorted by Non-paged pool, summary
    !poolused 3 - sorted by Non-Paged pool, details*
    !poolused 4 - sorted by Paged pool, summary
    !poolused 5 - sorted by Paged pool, details*


    !running -ti
    This will dump the stacks of each thread that is running on each processor

    1: kd> !running -ti

    System Processors 3 (affinity mask)
      Idle Processors 1

         Prcb      Current   Next   
      0  ffdff120  8089d8c0            ................

    ChildEBP RetAddr 
    f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
    f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
    f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
    f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
    f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
    f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
    f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc
    WARNING: Process directory table base EFFC7BE0 doesn't match CR3 EFFC7020
    WARNING: Process directory table base EFFC7BE0 doesn't match CR3 EFFC7020

      1  f7727120  8c034bd0            ................

      *** Stack trace for last set context - .thread/.cxr resets it
    ChildEBP RetAddr 
    f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
    f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
    f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
    f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
    f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
    f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
    f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc

    This is a great utility to check what threads are waiting on for each process.  Find out more in the debuggers chm.

    1: kd> !stacks 2
    Proc.Thread  .Thread  Ticks   ThreadState Blocker
    Max cache size is       : 1048576 bytes (0x400 KB)
    Total memory in cache   : 0 bytes (0 KB)
    Number of regions cached: 0
    0 full reads broken into 0 partial reads
        counts: 0 cached/0 uncached, 0.00% cached
        bytes : 0 cached/0 uncached, 0.00% cached
    ** Prototype PTEs are implicitly decoded
                                [fffffa8000c77950 System]
       4.000008  fffffa8000c774c0 ffffe94b GATEWAIT   nt!KiSwapContext+0x7f
       4.000010  fffffa8000ca0720 ffffff8c Blocked    nt!KiSwapContext+0x7f
       4.000014  fffffa8000c78bb0 fffffcb0 Blocked    nt!KiSwapContext+0x7f


    It will display a list of all kernel mode locks that are being held by threads. Each lock is displayed with the mode the lock was taken out with (shared or exclusive). The owning thread(s) will be listed with an asterisk next to the thread id. If any waiters are queued up for the lock, it will list these too.

    1: kd> !locks
    KD: Scanning for held locks....

    Resource @ nt!CmpRegistryLock (0xe10ad4c0)    Shared 2 owning threads
        Contention Count = 87
         Threads: fc783020-01<*> feee9db0-01<*>
    KD: Scanning for held locks...

    Resource @ 0xfeeed078    Shared 4 owning threads
         Threads: fad42330-01<*> fad33020-01<*> fad33db0-01<*> fad42b40-01<*>
    KD: Scanning for held locks.......................................

    Resource @ 0xfc6df828    Shared 1 owning threads
         Threads: fa6046c8-01<*>
    KD: Scanning for held locks..

    Resource @ 0xfc7e91c8    Shared 1 owning threads
         Threads: fa6046c8-01<*>
    KD: Scanning for held locks.

    Resource @ savrt (0xf4daf040)    Shared 1 owning threads
        Contention Count = 1
         Threads: fa6046c8-01<*>
    KD: Scanning for held locks.........................

    Resource @ 0xfa6c1380    Shared 1 owning threads
        Contention Count = 71388
         Threads: f9ed1918-01<*>
    KD: Scanning for held locks..............................

    Resource @ 0xfaab7840    Shared 1 owning threads
         Threads: feee9db3-01<*> *** Actual Thread feee9db0
    KD: Scanning for held locks....................
    11756 total locks, 7 locks currently held


    command which displays all the various spinlocks. All processors are displayed across the top and codes appear next to the corresponding spinlock if owned or not, waiting or corrupt.

    1: kd> !qlocks
    Key: O = Owner, 1-n = Wait order, blank = not owned/waiting, C = Corrupt

                           Processor Number
        Lock Name         0  1  2  3

    KE   - Dispatcher              
    MM   - Expansion               
    MM   - PFN                     
    MM   - System Space            
    CC   - Vacb                    
    CC   - Master                  
    EX   - NonPagedPool            
    IO   - Cancel                  
    EX   - WorkQueue               
    IO   - Vpb                     
    IO   - Database                
    IO   - Completion              
    NTFS - Struct                  
    AFD  - WorkQueue               
    CC   - Bcb                     
    MM   - NonPagedPool            

    Command will show you some useful info from the processor control block.  Like the current thread, next, DPQ queues (Can run !dpcs).

    1: kd> !pcr
    KPCR for Processor 1 at f7727000:
        Major 1 Minor 1
        NtTib.ExceptionList: f4ac3d44
            NtTib.StackBase: 00000000
           NtTib.StackLimit: 00000000
         NtTib.SubSystemTib: f7727fe0
              NtTib.Version: 00336d13
          NtTib.UserPointer: 00000002
              NtTib.SelfTib: 7ffde000

                    SelfPcr: f7727000
                       Prcb: f7727120
                       Irql: 0000001f
                        IRR: 00000000
                        IDR: ffffffff
              InterruptMode: 00000000
                        IDT: f772d800
                        GDT: f772d400
                        TSS: f7727fe0

              CurrentThread: 8c034bd0
                 NextThread: 00000000
                 IdleThread: f772a090


    lm t n
    Displaying the list of installed drivers reveals our obsolete culprit

    1: kd> lm t n
    start             end                module name
    dd800000    dd9d0000     win32k   win32k.sys   Wed Mar 19 17:01:40 2008 (47E0F99C)
    dd9d0000    dd9e7000     dxg      dxg.sys      Sat Feb 17 11:44:39 2007 (45D69D4F)
    dd9e7000    dda3e100     ati2drad ati2drad.dll Mon Mar 22 21:53:41 2004 (405F130D)
    dda3f000    dda5d000     RDPDD    RDPDD.dll    Sat Feb 17 19:31:19 2007 (45D70AAF)
    e1000000  e127a000     nt       ntkrnlmp.exe Mon Mar 05 18:32:02 2007 (45EC14CA)
    e127a000   e12a6000     hal      halmacpi.dll Sat Feb 17 11:18:26 2007 (45D6972A)
    f1ca4000   f1cb81e0      naveng   naveng.sys   Fri Aug 15 09:30:26 2008 (48A4FF5A)
    f1cb9000   f1d8ca20      navex15  navex15.sys  Fri Aug 15 08:40:42 2008 (48A4F3B2)
    f31a0000  f31cb000      RDPWD    RDPWD.SYS    Sat Feb 17 11:14:38 2007 (45D69646)
    f38b4000  f38bf000     TDTCP    TDTCP.SYS    Sat Feb 17 11:14:32 2007 (45D69640)
    f3904000  f3912000     HIDCLASS HIDCLASS.SYS Tue Mar 25 12:40:17 2003 (3E8000D9)
    f3d14000   f3d1d000     hidusb   hidusb.sys   Tue Mar 25 12:40:17 2003 (3E8000D9)
    f3d74000   f3d9e000     Fastfat  Fastfat.SYS  Sat Feb 17 11:57:55 2007 (45D6A06B)
    f4046000   f40a3000     srv      srv.sys      Sat Feb 17 11:57:20 2007 (45D6A048)
    f466b000   f4683000     clusnet  clusnet.sys  Sat Feb 17 11:32:57 2007 (45D69A91)
    f48b3000   f48c8000     Cdfs     Cdfs.SYS     Sat Feb 17 11:57:08 2007 (45D6A03C)

    !LMI <driver>
    When I want to find out ifno about a particular driver in the dump, i use "lm n t" to get all of them, but then !lmi to drill into one.

    1: kd> !lmi win32k.sys
    Loaded Module Info: [win32k.sys]
             Module: win32k
       Base Address: bf800000
         Image Name: win32k.sys
       Machine Type: 332 (I386)
         Time Stamp: 47e0f99c Wed Mar 19 17:01:40 2008
               Size: 1d0000
           CheckSum: 1cd134
    Characteristics: 10e  perf
    Debug Data Dirs: Type  Size     VA  Pointer
                 CODEVIEW    23, 1935ac,  1929ac RSDS - GUID: {09B6D936-14C4-4CA1-90CF-A00888CD89A8}
                   Age: 2, Pdb: win32k.pdb
                    CLSID     4, 1935a8,  1929a8 [Data not mapped]
         Image Type: MEMORY   - Image read successfully from loaded memory.
        Symbol Type: PDB      - Symbols loaded successfully from symbol server.
        Load Report: public symbols , not source indexed


    Don’t forget to leave your comments :)


    My Blog List