Quick Links
Quick Links
Categories
Categories
Top Submitters
Top Submitters
Random Tutorials
Random Tutorials
|
|
Announcments
Announcments
Welcome to Tutorial System!
|
 
SETUP INSTRUCTIONS FOR WINDOWS OS INTERNALS LABS
|
Tutorial Information
|
| Name: |
SETUP INSTRUCTIONS FOR WINDOWS OS INTERNALS LABS |
| Submitter: |
www.yourforum.gr |
| Category: |
Windows Tutorials |
|
| Submitted: |
23 Jul 2008 |
| Updated: |
23 Jul 2008 |
| Views: |
483 |
| Rating: |
This tutorial is unrated. |
|
|
|
|
Description:
SysInternals Walthrough |
|
Tutorial Instructions
|
BASIC SETUP:
Any supported 32-bit or 64-bit Windows installation (XP, Server 2003, Vista, or Server 2008)
One computer can be shared by 2 students, but 1 per student is better
The account that you will log into must be a member of the local administrators group
NOTE: Labs are nondestructive (except one lab in the crash dump analysis section, which you can choose to skip during class), but can be done in a virtual machine if you prefer
TOOLS SETUP:
Install the Debugging Tools for Windows.
Public location: http://www.microsoft.com/whdc/devtools/deb...ng/default.mspx
Microsoft internal location: http://dbg (we advise using the latest released version)
Download and unzip the Sysinternals tools suite (this is a single zip file with the majority of the Sysinternals tools). The class notes assume they are unzipped to c:\sysint, but you can put them anywhere you choose:
http://www.microsoft.com/technet/sysintern...rnalssuite.mspx
Download and unzip to c:\sysint the Blue Screen Screen Saver (the one tool not included in the Sysinternals Tools Suite):
http://www.microsoft.com/technet/sysintern...BlueScreen.mspx
Download and unzip to c:\sysint the tools that are referenced by the book Windows Internals:
http://download.sysinternals.com/Files/Notmyfault.zip
http://download.sysinternals.com/Files/Testlimit.zip
http://download.sysinternals.com/Files/Accvio.zip
Download http://www.solsem.com/solsem.zip into c:\solsem (these are additional files and tools used for various demonstrations and labs)
If you are running Vista or later, download these tools by Alex Ionescu and unzip into c:\solsem (note: these tools do not run on XP or 2003):
http://www.winsiderss.com/tools/meminfo/meminfo.zip - displays memory usage
http://www.winsiderss.com/tools/sctagquery/sctagqry.zip - displays service tag
Download Dependency Walker from www.dependencywalker.com into c:\sysint (you may already have this tool on your system)
Go to the Startup and Recovery Settings (right click on Computer, click Advanced system settings, on Advanced Tab, click "Settings" under Startup and Recovery). Uncheck "Automatically restart" and make sure dump type is "Kernel memory dump" (not minidump).
Add a system-wide environment variable for the symbol path:
Right click on My Computer->Properties, click on Advanced Tab
Press Environment variables button
Press "New" button under System Variables section and enter:
Variable name: _NT_SYMBOL_PATH (must be upper case)
Value:
Non-Microsoft employees:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Microsoft employees:
srv*c:\symbols*\\symbols\symbols
Or on Vista/2008 you can use the new SETX command line command:
Public symbol server:
setx _NT_SYMBOL_PATH
"srv*c:\symbols*http://msdl.microsoft.com/download/symbols" /M
Microsoft-internal symbol server (for Microsoft employees):
setx _NT_SYMBOL_PATH "srv*c:\symbols*\\symbols\symbols" /M
NOTE! It is not necessary to download and install the symbols - please use the symbol server (configured above) to automatically download symbols as needed. For more information on symbols, see http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx (or for MS internal, http://dbg)
If XP 32-bit (5.1 kernel) or earlier, run Gflags (in the Debugging Tools folder) and enable pool tagging, press Apply, then OK, and reboot (not necessary for XP 64-bit, Server 2003, Vista, or Server 2008).
Please test in advance that you can perform local kernel debugging (requires the Debug privilege, normally granted to administrators). NOTE TO MICROSOFT EMPLOYEES: If you are having problems getting this to work and you are using an internal build of the debugger tools, try using the latest released version and the public symbols (vs the internal symbols).
Vista/Server 2008: you must boot in Debugging Mode to perform local kernel debugging (fyi, this breaks MPEG2/DVD video playback - this is not a bug but is there to prevent getting around digital rights management by using the kernel debugger). To boot in debugging mode, you can either press F8 during the boot process and choose Debugging Mode from the list of advanced boot options or configure the system to boot automatically in debugging mode (either run MsConfig, click on the Boot tab, then click the Advanced Options button, then check Debug or from a command prompt type "bcdedit /debug ON").
SPECIAL NOTE FOR SYSTEMS CONFIGURED WITH BITLOCKER ENCRYPTION:
Please either disable Bitlocker for the class or bring your recovery key, since to boot in debugging mode (or last known good) with a system configured with Bitlocker requires entering the recovery key.
Run Windbg from the Debugging Tools (on Vista, make sure you run it elevated with administrative credentials if you have UAC enabled)
Click on File->Kernel Debug, Click on Local tab & click OK
If symbols are configured properly, a command window should open up
Type "!process" at the "lkd>" prompt to make sure symbols are loaded and configured. This should show information for the Windbg process that starts like this:
OPTIONAL: Force the download of other kernel symbol files to your local symbol cache (typically c:\symbols) by typing ".reload /f" (if you are sure that you will have network connectivity during the class, you can skip this step and let the symbols download on demand as they are referenced during the class).
NOTE: It is normal to get symbol loading errors for third party device drivers, as their symbols are not available on the symbol server.
Configure symbols for Process Explorer and Process Monitor
Run Process Explorer and Process Monitor. In both tools, click on Options->Configure Symbols. Change the Dbghelp.dll path to reference the one in your Debugging Tools folder and make sure the symbol path is set (see step 9). NOTE: you cannot use the Dbghelp.dll in \Windows\System32 as it does not support the symbol service; you must use the one in the Debugging Tools folder.
An example configuration dialog (for a 64-bit system) using public symbols would be:
In the Process Explorer's list of processes, double click on the process called "System" (usually 4th in the list) and click on the Threads tab (there may be a delay while symbols are downloaded).
When the list of threads are displayed, to confirm symbols were downloaded properly, sort by the Start Address column and scroll down until you see threads with start addresses in the form "ntoskrnl.exe!xxx" or ""ntkrnlpa.exe!xxx" - make sure you do NOT see any "+0x" after any of these entries. This is an example of a correct output:
If you see entries like "ntoskrnl.exe!yyyyyy+0xnnn" for most of the Ntoskrnl/Ntkrnlpa lines, then your symbols are not configured correctly. For example, this kind of display indicates kernel symbols are NOT correctly configured:
Finally, double click on several other processes to force the download of other user mode symbols: Explorer.exe, a few Svchost.exe processes, Csrss.exe, Winlogon.exe, etc. The reason for doing this is to get a variety of other user mode .EXE symbol files cached on your machine for use during the class. After doing the above, you should see a number of subfolders under c:\symbols -- these folders contain symbols for the various images referenced.
[source]Solsem[/source]
|
|
Comments
|
There have been no comments made as of yet. Why not be the first?
|
|
