Loading DLLs
In the world of system administrators, many know DLLs are files required to start certain processes. A few know in what order Windows looks for DLLs during process startup. Before going into more detail, I will first briefly explain what a DLL is and why it is needed. What is a DLL A DLL, [...]
Syscalls explained
Ever wondered why there is always a Trap Frame on the first stack entry executed in kernel mode after running functions in user mode? 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`05ae2c20) This relates to another question: “How can code executing in user-mode ever call a kernel-mode function without being able to access kernel-mode memory?”. [...]
Synchronization Mechanisms: Spin Locks
Spinlocks are a synchronization mechanism available to kernel mode in order to gain exclusive access. This protects shared data or resources from simultaneous access by routines that can execute concurrently. In order to obtain the lock, the kernel tries to get mutual access to every core by raising the IRQL level to DPC/dispatch or above. [...]
Synchronization Mechanisms
What are they and why do we need them? Imagine working on a Word document with two users simultaneously. Both users make changes but the first user saves the document before the second user can. When the second user saves the document, the changes the first user made are overwritten. That is why, if there [...]
EventID 7011 on Unresponsive Windows Server 2008
This problem first occurred around October 2010 and was caused by a deadlock in win32k.sys. Threads become part of a wait-chain when they try to access a blocked resource. After 30000 milliseconds Windows detects the thread as being unresponsive. Event id 7011 is logged if it belongs to a service process. The wait chain continues [...]
Windows 2008 Terminal Servers hang when under high load
A customer with a new Citrix farm of ~20 Windows 2008 servers was reporting about 50% of their farm hanging every day. They were able to provide us with full memory dumps in order to find the root cause. The !locks command shows a lot of ERESOURCE contention caused by fffffa8017415110. Resource @ 0xfffffa800e1f18b0 Exclusively [...]
Troubleshooting hangs and crashes
In this post I will focus on troubleshooting hangs or freezes. The steps mentioned, however, could also be used for crashing systems. There are a couple of ways to approach this in case you are unable to reproduce the issue directly, namely: process of elimination, cause and effect, analytical approach, educated guess. Process [...]
What is a deadlock
When a system is reported to be in a hung state there can be several causes. One of the patterns I have been seeing a lot lately is the deadlock. Depending on the cause of the lock, users of systems affected by a deadlock sometimes report more and more applications being in a hung state [...]