Computer Technos


Friday, 31 December 2010

Why Problems Occur with Windows

Posted on 14:18 by Unknown
So many things can go wrong with Windows because every single PC is unique. It is highly unlikely, especially outside of a business space, that another PC exists with exactly the same hardware, installed software specification, and updates as yours. Your PC will contain a unique mix of software and hardware components, and there would be no way for any person or any company to ever test all of the possible combinations for stability. There are logo certification programs for Windows hardware and software, and a great many vendors do indeed put their products forward for testing by Microsoft. All that these tests prove, however, is that on a basic Windows system, they will be stable and not cause the system to crash. What can’t be tested is how a certain piece of software or hardware will interact with other software or hardware on your machine, some of which might not have been submitted for certification.


Keep Things Simple
The sheer number of software packages you have installed or the number of hardware devices you have plugged in can also cause problems on your computer. I always keep my Windows systems simple and uncomplicated. When it comes to hardware, I like multifunctional devices such as printer/scanner combinations, and I avoid unnecessary USB devices, such as USB attached speakers. Your PC already comes with audio out jacks that are perfectly good.

I also try to avoid installing all the software that comes with a new device. Wi-Fi adapters and printers are common culprits for loading your PC with bloatware. You may also find, if you have a new PC, that it came preloaded with lots of software that you don’t need and will never use. The software packages that come bundled with hardware devices broadly fall into the following categories.

• Trialware. Software that will expire after a period, normally 30 days. If you do not intend to buy the software after this time, you should uninstall it because it might, especially in the case of trial anti-virus software, leave programs and services running that can slow down Windows 7 or cause other problems.

• Dupliware. Programs that duplicate Windows features, such as Wi-Fi connection software, media players, or CD/DVD burners.

• Craplets. ‘Useful’ utilities that your PC supplier might have preloaded onto your computer. They are intended to simplify certain tasks, such as writing notes or accessing media files. They will always run when Windows launches at startup, although you will probably never use them.


Don’t Install Programs that Duplicate Features in Windows
Why would you want to install a software package that simply duplicates Windows functionality? By default, the operating system can burn CDs and DVDs (including audio discs and ISO image files), play media (video, TV, and audio), display photos and images, and much more.

Although a few Windows functionalities available in Windows Vista have been removed from Windows 7, such as the Calendar and Email software, a great many functions still exist. (Note that these programs have been moved to the excellent Microsoft Live Essentials Suite, which you can get from http://download.live.com.)

The more software you install on your PC, the more problems you invite. If at all possible, avoid having software packages installed that duplicate functionality that’s already in Windows. CD/DVD burning software is a good example. You should need these only if you have a Blu-Ray burner in your machine.

Source of Information :  Microsoft Press - Troubleshooting Windows 7 Inside Out
Posted in Windows | No comments

Thursday, 30 December 2010

How Does Windows Compare to Other Operating Systems?

Posted on 16:02 by Unknown
Windows was built over the foundation of the DOS disk operating system that shipped with the very first PCs from IBM in the early 1980s. This brought with it several problems, many of which still exist today. The biggest issue is the need to maintain compatibility with legacy hardware and software. DOS did not support or need to support multiple users or multitasking. Support for these has been added with later versions of Windows.

As computers have changed in the last 30 years, and with the introduction of new technologies such as the Internet, the need for extra security has come to the forefront of operating system design. Unfortunately, this has meant having to build security over the top of the existing Windows system. This has inevitably led to some compromises and security flaws, which have been exploited by the authors of malicious software. With Windows 8, it is rumored that the legacy support will be moved into a virtual machine. This means that the security subsystem in Windows 8 will be able to be treated differently, making it much more secure.

Most other desktop and server operating systems, including Linux, Apple OS X, and Google Chrome OS, are all built on top of an operating system called UNIX. This operating system was developed in 1969 and was initially designed to accommodate multitasking and multiusers on mainframe computers.

This means that user permissions and overall operating system security have always been handled differently in UNIX, with users never being given default administrator access to the operating system files. UNIX has slowly made its way from mainframe and minicomputers over the years to the desktop market, during which time this security system has remained unchanged.

None of this means that Windows 7 is an insecure and unstable operating system, quite the opposite. It is the most secure and stable operating system that Microsoft has ever released, and many experts believe it to be every bit as secure as a UNIX-based operating system. It is the vast popularity of Windows that has made it such a security target in the past.

Source of Information : Microsoft Press - Troubleshooting Windows 7 Inside Out
Posted in Windows | No comments

Tuesday, 28 December 2010

The Windows 7 File and Folder Structure

Posted on 16:00 by Unknown
Windows runs from a series of files and folders on your computer’s hard disk. The basic folder structure is extremely logical and has been simplified immensely over the years. There are three basic Windows 7 folders with some extra folders for user and configuration data and temporary files.

• Program Files. This is where all the files for any programs and software you install in Windows 7 sit. There are two Program Files folders in the 64-bit version of Windows 7: Program Files (x86) for 32-bit software and Program Files for newer 64-bit software. Each program sits in its own custom folder under one of these folders. In the 32-bit version, there is only a Program Files folder.

• Users. This is where, by default, all of your documents and files sit, and it is also the location of the Windows registry, the database of settings for Windows and your software. Within the main Users folder, there is one subfolder for each user and another folder called Public, where shared files and folders are kept. There are also hidden user folders called Default and All Users.

• Windows. This is the main folder into which the operating system is installed.
Windows also installs hidden system files across the disk, including the Root folder.

These hidden files and folders are where Windows stores operating system recovery software and folders to support legacy software, including Documents and Settings and the Autoexec.bat and Config.sys files that date back to the earliest versions of DOS.

Inside the main Windows folder are a great many different folders, some of which exist to maintain compatibility with legacy hardware and software and some of which service specific features within the operating system.

All of these files and folders are essential, and you should not move, rename, or delete any of them. Folders you might find of particular interest include the following.

• Globalization. This is where you will find the desktop wallpapers in Windows.

• Resources. This is a similar folder to Globalization but is for Windows desktop themes.

• System32. The main operating system files, including hardware device drivers, are located in this folder.

Source of Information : Microsoft Press - Troubleshooting Windows 7 Inside Out
Posted in Windows 7 | No comments

Sunday, 26 December 2010

What Is Windows 7?

Posted on 16:08 by Unknown
Windows 7 is the latest edition in a series of desktop operating systems and graphical user interfaces (GUI) from Microsoft. Windows 1.0 was released in 1985 as a GUI that sat on top of Microsoft’s popular DOS disk operating system. Over the years Windows has been changed and refined, finally subsuming DOS and becoming a full operating system in its own right with the launch of Windows 98.

Windows 7 was released in October 2009. It is not exactly the seventh version of Windows. Rather it is the seventh version from its particular branch of the software. There have been two branches of Windows: the original consumer versions and the New Technology (NT) business versions. The original consumer lineup included the popular Windows 3.1, Windows 95, and Windows 98. It ended with Windows Me. The NT series began in 1993 as an offshoot of Windows 3.1, with much of the underlying code reengineered to make it more stable and suitable for business users. This NT development tree has split off further with the Server, Desktop, and Home Server variations of the operating system. In turn, the NT branch spawned various server versions of the operating system and then Windows XP, Windows Vista, and most recently, Windows 7.

There is some debate about whether Windows 7 really is the seventh iteration of the NT family, but it’s not the most important concern facing the world today. Windows 7 is officially the seventh iteration if you follow the tree Windows 1.0, Windows 2.0, Windows NT 3.1, Windows NT 4.0, Windows XP, Windows Vista, and Windows 7. Depending on your view, there have been as many as 28 versions of Windows since it first launched, up to 2010. Windows in its various versions is currently used by approximately four billion people worldwide.

Source of Information :  Microsoft Press - Troubleshooting Windows 7 Inside Out
Posted in Windows 7 | No comments

Friday, 24 December 2010

Social engineering – the hidden cyber threat

Posted on 16:26 by Unknown
During the cold war spies were used to infiltrate governments, the military, businesses and other organisations. Their job was to steal information (both non-classified and classified) that might prove valuable to another nation-state. There were some people who did this for individual financial gain, but in the main it was governments who wanted to learn about some new technology or secret weapon to find a way of developing it themselves.

This is still going on today but has evolved into more than just cyber spying: there is also something called social engineering. This is where one individual attempts to trick someone else (through manipulation) into letting them inside a network, for example to crack the system from within rather than attempting to hack in from the outside.

Social engineering is often misunderstood and not considered as part of corporate and government security policies. It is without doubt one of the biggest risks to the security of nation-states and businesses.

Think about two-factor authentication in IT security: the same principles can be applied to individuals, but the real advantage for the social engineer is that individuals can be talked into sharing authentication details, and the details will also take a lot less time to extract. Social engineers would be well versed in how to extract sensitive information from individuals (people traits and behaviour patterns are good starting points). Social engineers (often referred to as security crackers) use the telephone system to learn company or corporate lingo (and they will search the Internet for additional company or corporate data to add to their knowledge base) and weave their way into the IT security department. Once in the security department, a security cracker could impersonate someone from that department and ask for the remote login credentials. It has been done.


Why not Google Kevin Mitnick?
He’s one of the world’s leading social engineering wizards and has managed to crack many a system just using social engineering techniques. Individuals are the weakest link in the cyber security strategy but with good education and motivation it is possible to reduce the risk of this attack vector.

Source of Information :  Hakin9 November 2010
Posted in Cyber Security | No comments

2010 Graphics Cards You Care The Most About

Posted on 07:26 by Unknown
For Nvidia, 2010 was the year of Fermi, the GPU architecture found on the GeForce GTX 480, 470, 465, 460, and 580 graphics cards. Earlier, AMD launched the Radeon HD 5670, 5570, and 5450, which were designed to appeal to the budget gamer and HDTV crowd. We also saw the Radeon HD 5870 Eyefinity Edition, which allows for six-monitor gaming setups. Recently, AMD released the 6870 and 6850 to compete at the midrange level.


Winner: Nvidia GeForce GTX 460 (1GB)
$199.99; www.nvidia.com
The GeForce GTX 460 was a top midrange performer in 2010, and it helped show what Nvidia’s Fermi architecture is capable of. The GTX 460 is built using the GF104 GPU, which is an update from the GTX 480 and 470’s GF100 GPU. As a midrange card, it features two GPCs (Graphics Processing Clusters)—whereas the GTX 480 had four—but compared to the GF100 GPU, Nvidia has improved the GPCs by adding an additional 16 CUDA cores and twice the number of special function units and texture units. The result is an affordable graphics card that still provides you the ability to play today’s newest games at high frame rates.

Nvidia offers two versions of the GTX 460, one with 768MB of GDDR5 memory and one with 1,024MB. The 1GB version offers 32 ROPs and a 256-bit memory controller, while the 768MB version features 24 ROPs and a 192-bit memory controller. Core (675MHz), shader (1,350MHz), and memory (1,800MHz) frequencies are identical on both versions. There are 336 stream processors and 56 texture units to improve your computer’s ability to process large amounts of parallel tasks.

For outputs, the GTX 460 offers two dual-link DVI ports and a mini HDMI port. Those with limited space in their case will also like that the GeForce GTX 460 is only 8.25 inches long. It requires two 6-pin PCI-E power connectors, and Nvidia suggests that your power supply should be 450 watts or greater.


First Runner-Up: AMD Radeon HD 6850
$179.99; www.amd.com
In late October, AMD released the Radeon HD 6800 series, and the Radeon HD 6850 was a top performer in terms of price/performance. The Barts GPU found in the Radeon HD 6850 is a redesigned version of the Cypress GPU found in the 5800 series. The Barts GPU took 25% of the engines for compute, shader, and texture performance and reassigned them to handle rasterization, tessellation, and ROP. The changes meant that even though the Radeon HD 6850 offers a half a billion fewer transistors than the 5850, it can deliver gaming performance close to what you experience with the 5850, and you’ll pay $50 to $70 less for the 6850.

The Radeon HD 6850 features a core clock of 775MHz and 1GB of GDDR5 memory that runs at 1,000MHz. There are 960 stream processors, 48 texture units, and 32 color ROP units. AMD also improved the technology for video outputs. There’s a DisplayPort 1.2 connector that allows a max resolution of 2,560 x 1,600 per display, and the HDMI 1.4a port allows for stereoscopic 3D and high bit-rate audio. There are also two dual-link DVI outputs. The Radeon HD 6850’s integrated audio controller can provide 7.1-channel surround sound over either the HDMI or DisplayPort connections. Finally, the card features support for DirectX 11, Shader Model 5.0, OpenGL 1.4, and AMD’s Eyefinity.


Second Runner-Up: Nvidia GeForce GTX 580
$499; www.nvidia.com
The GeForce GTX 580 is the newest iteration of Fermi, and it attempts to make amends for the heat and noise problems found in the GTX 470 and 480. The GeForce GTX 580 also captured the single GPU performance crown over the GTX 480, because it offers more stream processors, faster clock speeds, and more texture units.

Overall, clock speeds are around 10% faster than the GTX 480. Even better, Nvidia claims that the GTX 580 offers lower power consumption than the GTX 480, so you’ll battle fewer heat issues. In terms of specs, the GeForce GTX 580 offers 512 CUDA Cores, 1.5GB of GDDR5, and a 384-bit memory controller. It supports DirectX 11, OpenGL 4.1, and Shader Model 5.0.

Source of Information : Computer Power User (CPU) January 2011
Posted in Hardware | No comments

Wednesday, 22 December 2010

China and Russia – politically motivated cyber attacks

Posted on 16:00 by Unknown
China, as previously discussed, has the potential to wreak havoc, so it’s no surprise that it has developed comprehensive cyber espionage programmes (which target, for example, computer hardware and software); created citizen hacker groups; established cyber warfare units (very much like many other nation-states); and embedded logic bombs and trap doors in many nation-state infrastructure networks and computer software. Chinese warfare strategy is very much politically driven.

China has developed a detailed cyber warfare strategy which works very closely with private hacker groups. To date there are probably 2-300 hacker groups working directly with the Chinese government. Take into account that they now have the Microsoft source code; they can now fully understand the security vulnerabilities long before they are identified and fixed by Microsoft. The Chinese government do not use Microsoft software for their networks; rather, they use open source software called Kylin. The reason for this is clear: they plan to use their knowledge of Microsoft to inflict sabotage and/or exploit as yet unidentified software vulnerabilities on those nation-states that use Windows operating systems.

Russia, however, still remains the biggest threat in cyber space according to leading US security researchers and the US government. After all, this is the land of the chess masters. In January of 2009 the world witnessed the third successful cyber attack against a country (all cyber attacks by this time had been committed by Russia). The target was the small country of Kyrgyzstan. The country is only about 77,000 square miles in size with a population of just over 5 million. The attackers focused on three of the four Internet service providers. They launched distributed denial of service attack traffic that quickly overwhelmed the three, disrupting all Internet communications.

The IP traffic was traced back to Russian-based servers primarily known for cyber crime activity. Multiple sources have blamed the cyber attack on the Russian cyber militia and/or the Russian Business Network (RBN). RBN is thought to control the world’s largest botnet with between 150 and 180 million nodes. In this particular cyber attack it is believed that the Russian government wanted to put itself an arm’s length away from the hostile act.

Did you know? The Russian Business Network (RBN) is a cybercrime organization specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of the MPack exploit kit and alleged operator of the Storm botnet. (Reference: Wikipedia, edited)

Source of Information : Hakin9 November 2010
Posted in Cyber Security | No comments

Tuesday, 21 December 2010

Other potential targets – Border Gateway Routing (BGP) prefix hijack

Posted on 07:12 by Unknown
Cyber warriors will attempt to sabotage the backbone of the Web, which includes attacking the BGP. The BGP, according to leading security experts, is one of the most vulnerable access points on the web. The BGP is a core routing protocol which maps routing options for the best (i.e. shortest path) available routes for traffic to flow across the Internet. There have been two instances in 2010 where bad routing information sourced from China has disrupted the Internet. About 10 per cent of the Internet was affected by bad routing tables; in effect, about 36,000 global networks were affected. This BGP routing error caused dropped connections and, most worryingly of all, Internet traffic to be re-routed through China.
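Bad routing information spreads when networks accept a prefix announcement without checking which network is entitled to originate it. The following Python is an added example, not part of the original article, and goes beyond it by showing route origin validation in the style of RFC 6811: each received announcement is checked against a table of Route Origin Authorizations (ROAs). The ROA table, the documentation prefixes and the AS numbers (64496 to 64511) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: `asn` may originate `prefix` up to `max_length`."""
    prefix: str
    max_length: int
    asn: int

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # leftmost = neighbour AS, rightmost = origin AS

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def origin(self):
        return self.as_path[-1]


def validate_origin(ann, roas):
    """Classify one announcement as valid, invalid or not-found, with a reason."""
    net = ann.net
    # A ROA "covers" an announcement when the announced prefix is equal to,
    # or a more specific part of, the ROA prefix (same address family only).
    covering = [r for r in roas
                if r.net.version == net.version and net.subnet_of(r.net)]
    if not covering:
        return ("not-found", "no ROA covers this prefix")
    for r in covering:
        if r.asn == ann.origin and net.prefixlen <= r.max_length:
            return ("valid", f"matches ROA {r.prefix} AS{r.asn}")
    if any(r.asn == ann.origin for r in covering):
        return ("invalid", "more specific than the ROA maxLength allows")
    return ("invalid", "origin AS is not authorised for this prefix")


def triage(announcements, roas):
    """Return (prefix, origin AS, reason) for every announcement to reject or alert on."""
    flagged = []
    for ann in announcements:
        state, reason = validate_origin(ann, roas)
        if state == "invalid":
            flagged.append((ann.prefix, ann.origin, reason))
    return flagged


# Constructed ROA table (documentation prefixes and documentation AS numbers).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 64497),
    ROA("2001:db8::/32", 48, 64498),
]

# Constructed announcements as a router might receive them from a peer.
ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", (64500, 64496)),       # legitimate origin
    Announcement("192.0.2.0/24", (64501, 64510)),       # wrong origin AS
    Announcement("198.51.100.128/25", (64500, 64497)),  # longer than maxLength
    Announcement("203.0.113.0/24", (64500, 64499)),     # no ROA published
    Announcement("2001:db8:1::/48", (64502, 64498)),    # allowed more-specific
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        state, reason = validate_origin(ann, ROAS)
        print(f"{ann.prefix:<20} origin AS{ann.origin:<6} {state:<10} {reason}")
```

A prefix with no published ROA comes back as not-found rather than invalid, so this check only protects address space whose holder has published authorizations.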


Software and technology outsourcing
Many Western countries have over the years outsourced their IT and technology overseas, mainly to cut development costs. This has led some security researchers to speculate that there is a significant risk of Western businesses selling compromised technology/software back to governments and customers alike. The Western military, for example, doesn’t have restrictions concerning where computer chips are made, so it’s conceivable that malicious code such as logic bombs and trap doors may well be embedded in the millions of lines of outsourced computer code.

Microsoft software development doesn’t just happen in the US; it is in fact developed all over the world and on many different development servers. The US Department of Defense uses Microsoft Windows, so you can identify the potential opportunities the cyber criminals and cyber warriors will see. The obvious risk of having the Windows source code distributed all over the world is that it leaves the code open to trap doors and other malicious activity. It’s very difficult to control and manage millions of lines of code: if the code couldn’t be exploited, why do Microsoft release monthly security patches? The answer here (and I’m sure the US government agrees) is to keep the Windows source code in the US domain and under total US control.


Cyber weapons – what would be considered an act of war?
Most cyber weapons are only going to be designed to be used once. If these weapons are used more than once, then the cyber defenders will be able to detect them and apply the appropriate research to be able to defend against the same family of cyber weapons. Some nation-states (mentioned earlier) have the capability to strike at other nation-states to launch sophisticated cyber attacks to DDOS the stock market, activate logic bombs to ground the airlines and disable the transport and electricity grid.

If you were to take the US, the fact that it is probably the most digitally connected country in the world (militarily at least) means that provoking a cyber war wouldn’t be a clever plan for the US. The other big problem facing a cyber war is that whoever goes first will undoubtedly stand a better chance of winning. China, for example, could strike the US with an all-out cyber attack and then disconnect itself from the rest of cyberspace.

So, what constitutes an act of war? It’s difficult to determine because there are so many attack vectors (which are common today and happening right now) that haven’t provoked a cyber war. Is it the penetration of a network? Is it sabotage of a network? Is it when a military network has had classified government documents stolen? What are the stages for cyber war? Let’s assume the malicious code has been planted and propagates across the network – the code isn’t activated yet, but when it is – is this an act of war? Who decides whether this is an act of war? There are lots of questions and not many answers right now.

Source of Information :  Hakin9 November 2010
Posted in Cyber Security | No comments

Sunday, 19 December 2010

Why were parallel databases a limited success?

Posted on 05:18 by Unknown
As with any new technology, time is needed for development and experience in tuning for good performance and acceptable stability. Recall, again, that Teradata has been providing massively parallel systems running a proprietary DBMS since 1984. The major DBMS vendors embarked on their versions towards the end of the 80s.

When used for decision support, parallel databases provide excellent results. On the other hand, their use for transaction processing has been less satisfactory.

The difficulty in obtaining a suitable scalability in transaction processing (a much larger portion of the market than decision support) explains their limited success. This is a real-world example of the difficulties faced in writing software for massively parallel architectures.

Source of Information : Elsevier Server Architectures 2005
Posted in Server Architectures | No comments

Saturday, 18 December 2010

What should we think of manufacturers who claim 99.999% availability for their hardware?

Posted on 06:25 by Unknown
Hardware availability is just one, albeit important, factor in server availability. Over the past few years, hardware availability has increased because of technology improvements. Key factors in this are the increasing level of integration (which reduces the component count necessary to implement a system, as well as the number of connectors needed), improvements in data integrity, and the use of formal methods during the design of hardware components.

Systems based around standard technologies increasingly integrate functionality, such as system partitioning or the ability to swap subsystems “online” (i.e., without requiring that the system be brought down), that was until very recently the prerogative of mainframe systems and of “Fault Tolerant” systems. As a result of such advancements, it is possible to reach very high levels of hardware availability without entering the domain of specialized, expensive machinery.

On the other hand, it must be realized that software failures are more frequent than hardware failures. This trend is increasing. Hardware reliability keeps improving, but the amount of software in a system keeps increasing while its quality (as measured, for example, by the number of defects per thousand lines of code) shows little sign of improving. What matters, for a system, is total availability—a combination of hardware quality, the quality of software written or provided by the manufacturer, the quality of third-party software, and finally the quality of any application and/or operating procedures developed within the company. This last factor requires special attention—only too often, underestimating the importance of the quality of the in-house applications and/or operating procedures has its effect on the failure rate of the system.

It is appropriate to be very precise in any calculation concerning availability. To illustrate this point, consider a system that works 24 hours a day, 7 days a week, with an availability of 99.999%. This figure implies that the system is down no more than five minutes a year. Whether planned downtime is included in this budget makes a big difference in the difficulty of achieving this objective. Finally, we must not forget that any use of redundancy to improve availability tends to have an effect on performance.

Source of Information : Elsevier Server Architectures 2005
Posted in Server Architectures | No comments

Thursday, 16 December 2010

WEB BROWSER DRIVE-BY EXPLOITS IN THE WILD

Posted on 04:29 by Unknown
Client-side exploits are the real concern of security staff at every company worldwide. As reported by Neil Daswani, CTO and founder of Dasient, at the OWASP AppSec DC conference, an incredible growth in the number of exploits against client applications versus server daemons demonstrates that the weakest link is still the end user. Moreover, it proves hard to deploy a corporate-wide policy to mitigate the use of, or apply patches for, vulnerable applications when a 0-day is released every other week against common applications such as Adobe Reader, Flash Player or Mozilla Firefox. The most targeted among these client applications are web browsers and their plugins. By means of drive-by download exploits, botnets easily recruit new zombies by silently downloading and installing malware without ever raising any suspicion in the victim. These drive-by exploits have become more and more complex in terms of distribution and obfuscation. Most of them involve JavaScript and iframe injection. Others involve exploitation of the latest Flash Player vulnerabilities.
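One way a site owner can check served pages for the iframe injection mentioned above is to flag frames that are both invisible to the visitor and loaded from another host. The following Python is an added example, not part of the original article; the page URL, host names and HTML are constructed, and the hiding heuristics are assumptions rather than a complete list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline-style patterns that hide a frame: not displayed, invisible,
# pushed far off-screen, or sized to 0-1 pixels.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}"
    r"|(?:width|height)\s*:\s*[01](?:px)?\b",
    re.I,
)


def _tiny(value):
    """True for width/height attribute values of 0 to 2 pixels ('0', '1px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 2


class IframeAuditor(HTMLParser):
    """Collects iframes that are hidden AND point at a different host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and protocol-relative URLs against the page URL.
        src = urljoin(self.page_url, a.get("src", ""))
        host = urlparse(src).hostname
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny-dimensions")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if host and host != self.page_host:
            reasons.append("third-party-src")
        # A visible third-party embed (video player, map) is normal;
        # a hidden one has no legitimate reason to be on the page.
        if "third-party-src" in reasons and len(reasons) > 1:
            self.findings.append(
                {"src": src, "line": self.getpos()[0], "reasons": reasons}
            )


def audit_iframes(html, page_url):
    """Return a list of suspicious iframe findings for one HTML document."""
    auditor = IframeAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: two ordinary embeds and two injected hidden frames.
PAGE_URL = "https://www.example.com/news/index.html"
SAMPLE_HTML = """\
<html><body>
<h1>Constructed sample page</h1>
<iframe src="/player/embed?id=7" width="640" height="360"></iframe>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<IFRAME SRC="http://cdn.example.net/in.php" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>
<iframe src="//stats.example.net/c" style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_HTML, PAGE_URL):
        print(finding["line"], finding["src"], ",".join(finding["reasons"]))
```

This inspects static markup only; frames written into the page by obfuscated JavaScript at run time need the rendered DOM to be checked instead.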
Posted in Internet, Security | No comments

Tuesday, 14 December 2010

Information Technology Cloud: Wireless Signal Propagation

Posted on 15:54 by Unknown
Electronic signals for wireless communication must be converted into electromagnetic waves by an antenna for transmission. Conversely, an antenna at the receiver side is responsible for converting electromagnetic waves into electronic signals. An antenna can be omnidirectional or directional, depending on specific usage scenarios. For an antenna to be effective, it must be of a size consistent with the wavelength of the signals being transmitted or received. Antennas used in cell phones are omnidirectional and can be a short rod on the handset or hidden within the handset. A recent advancement in antenna technology is the multiple-in, multiple-out (MIMO) antenna, or smart antenna, which combines spatially separated small antennas to provide high bandwidth without consuming more power or spectrum. To take advantage of multipath propagation, these small antennas must be separated by at least half of the wavelength of the signal being transmitted or received.

Sunday, 12 December 2010

Highly Persistent Browser Cookies

Posted on 06:11 by Unknown
If you dislike having your Web browsing history tracked, you probably delete cookies and clear your browsers’ caches regularly. But Evercookie, written in JavaScript, produces “extremely persistent cookies” that can identify a computer even after you’ve removed standard or Flash cookies, according to Threatpost (find.pcworld.com/70919).

Evercookie stores cookie data in your browser in several ways—HTTP, Flash, force-cached PNG images, various HTML5 storage systems, Web history, and SQLite. If Evercookie detects that you’ve been deleting your cookies, the program re-creates them.

According to Threatpost, Evercookie author Samy Kamkar, who spawned a Myspace worm in 2005, created the deletion-resistant cookie to increase public awareness of privacy issues raised by tracking cookies, whether traditional HTML or Flash. The open-source code is available at Kamkar’s Website for free downloading.

One way around Evercookie’s persistence is Safari’s Private Browsing feature, which blocks all of the cookie’s methods. Other browsers might stand up to Evercookie’s methods of cookie resuscitation as well; Kamkar has not performed exhaustive testing.

Be careful about which browsers you accept cookies from. Keep tabs, too, on the developing HTML5 standard, which some critics say emphasizes functionality at the expense of security.
Posted in Internet | No comments

Tuesday, 30 November 2010

Information Technology Cloud: Should You Police Your Community?

Posted on 15:40 by Unknown
The issue of negative comments is one that every brand who signs up for a Facebook Page has to deal with. Although this could be an issue within a Group, especially if it is around an industry topic that might cause some level of debate, you will more likely feel this concern around Facebook Pages. The reason being, of course, that the comments or content is public. It can be seen by all.

Sunday, 7 November 2010

Ultimate Boot CD 5

Posted on 00:09 by Unknown
The UBCD Team
www.ultimatebootcd.com Free

It’s still sometimes shocking that various BIOS-flashing utilities and hard drive manufacturers’ tools require you to boot to DOS with a floppy disk, especially since floppy drives are virtually extinct. Thankfully, there’s Ultimate Boot CD, which combines hundreds of these kinds of DOS utilities (along with many Linux-based utilities) onto one self-booting CD. UBCD includes tools for RAM and CPU testing, boot/OS management, data recovery, hard disk partitioning, hard disk diagnostics, hard disk cloning and wiping, benchmarking, and more. There’s even an updated version of Avira antivirus for DOS, and a utility to copy the UBCD onto flash drives. This is one disc that should be in everyone’s computing toolkit.


Source of Information : CPU Computer Power User November 2010
Posted in File Utilities | No comments

Thursday, 4 November 2010

Move over, iPad

Posted on 06:41 by Unknown
After months of enjoying virtual ownership of the tablet computer market, Apple will finally get to see how consumers react to the first legitimate competitors to the iPad. Samsung’s Galaxy Tab was set for European release in mid-September, with the Android-powered mobile devices expected to land in the U.S. by the holidays. If Samsung reaches its goal of shipping 10 million units by the third quarter of 2011, it will give the Galaxy one-third of the worldwide tablet market now belonging solely to the iPad — with an array of new tablets scheduled for release throughout the next year. With an expected lower price point and rear- and front-facing cameras, the slightly smaller Galaxy may provide a viable alternative for users and add some intrigue to the mobile marketplace.

Posted in iPad | No comments

Monday, 18 October 2010

Using Symbol Files and Debuggers

Posted on 10:55 by Unknown
You can also analyze memory dump files by using a kernel debugger. Kernel debuggers are primarily intended to be used by developers for in-depth analysis of application behavior. However, kernel debuggers are also useful tools for administrators troubleshooting Stop errors. In particular, kernel debuggers can be used to analyze memory dump files after a Stop error has occurred.

A debugger is a program that users with the Debug Programs user right (by default, only the Administrators group) can use to step through software instructions, examine data, and check for certain conditions. The following two examples of kernel debuggers are installed by installing Debugging Tools For Windows:

• Kernel Debugger. Kernel Debugger (Kd.exe) is a command-line debugging tool that you can use to analyze a memory dump file written to disk when a Stop message occurs. Kernel Debugger requires that you install symbol files on your system.

• WinDbg Debugger. WinDbg Debugger (WinDbg.exe) provides functionality similar to Kernel Debugger, but it uses a graphical user interface (GUI).

Both tools allow users with the Debug Programs user right to analyze the contents of a memory dump file and debug kernel-mode and user-mode programs and drivers. Kernel Debugger and WinDbg Debugger are just a few of the many tools included in the Debugging Tools For Windows installation. For more information about these and other debugging tools included with Debugging Tools For Windows, see Help in Debugging Tools For Windows.

To use WinDbg to analyze a crash dump, first install the debugging tools available at http://www.microsoft.com/whdc/devtools/debugging/.

To gather the most information from a memory dump file, provide the debugger access to symbol files. The debugger uses symbol files to match memory addresses to human-friendly module and function names. The simplest way to provide the debugger access to symbol files is to configure the debugger to access the Microsoft Internet-connected symbol server.

To configure the debugger to use the Microsoft symbol server, follow these steps:

1. Click Start, point to All Programs, point to Debugging Tools For Windows, right-click WinDbg, and then click Run As Administrator.

2. Select Symbol File Path from the File menu.

3. In the Symbol Path box, type

SRV*localpath*http://msdl.microsoft.com/download/symbols

where localpath is a path on the hard disk that the debugger will use to store the downloaded symbol files. The debugger will automatically create localpath when you analyze a dump file.

For example, to store the symbol files in C:\Websymbols, set the symbol file path to

SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

4. Click OK.

Debuggers do not require access to symbol files to extract the Stop error number and parameters from a memory dump file. Often, the debugger can also identify the source of the Stop error without access to symbols.
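A symbol path of the form given in step 3 can be reviewed before it is pasted into the debugger. The following is an added example, not part of the Resource Kit text: it handles only the SRV*localpath*server form shown above plus plain directories separated by semicolons (an assumption), and it flags servers reached over plain HTTP, where downloaded symbol files are not protected against modification in transit. The function names and the example.test host are hypothetical.

```python
from urllib.parse import urlsplit


def parse_symbol_path(symbol_path):
    """Split a symbol path into entries.

    Recognized forms (assumption of this example): 'SRV*localpath*server'
    as shown in step 3, and a plain directory. Anything else is reported
    as unrecognized rather than guessed at.
    """
    entries = []
    for raw in symbol_path.split(";"):
        raw = raw.strip().strip('"“”')
        if not raw:
            continue
        parts = raw.split("*")
        if parts[0].lower() == "srv" and len(parts) == 3:
            entries.append({"kind": "server", "raw": raw,
                            "localpath": parts[1], "server": parts[2]})
        elif len(parts) == 1:
            entries.append({"kind": "directory", "raw": raw})
        else:
            entries.append({"kind": "unrecognized", "raw": raw})
    return entries


def review_symbol_path(symbol_path):
    """Return a list of (finding, detail) tuples; an empty list means nothing to flag."""
    findings = []
    for entry in parse_symbol_path(symbol_path):
        if entry["kind"] == "unrecognized":
            findings.append(("unrecognized", entry["raw"]))
        elif entry["kind"] == "server":
            if not entry["localpath"]:
                # The entry names no folder for the downloaded symbol files.
                findings.append(("no-localpath", entry["raw"]))
            if urlsplit(entry["server"]).scheme.lower() == "http":
                # Symbols fetched without transport protection.
                findings.append(("plain-http", entry["server"]))
    return findings


# The path from the page, then constructed variants.
PAGE_PATH = r"SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols"
HTTPS_PATH = r"c:\mysymbols;SRV*c:\websymbols*https://msdl.microsoft.com/download/symbols"
BROKEN_PATH = r"SRV**http://symbols.example.test/store;SRV*c:\cache"

if __name__ == "__main__":
    for path in (PAGE_PATH, HTTPS_PATH, BROKEN_PATH):
        print(path, "->", review_symbol_path(path))
```

The Microsoft symbol server also answers on the same path over https://, so switching the scheme in the symbol path clears the plain-http finding.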


To analyze a memory dump file, follow these steps:
1. Click Start, point to All Programs, point to Debugging Tools For Windows, right-click WinDbg, and then click Run As Administrator.

2. Select Open Crash Dump from the File menu.

3. Type the location of the memory dump file and then click Open. By default, this location is %SystemRoot%\Memory.dmp.

4. In the Save Workspace Information dialog box, click No.

5. Select the Command window.


Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Saturday, 16 October 2010

Using Windows 7 Error Reporting

Posted on 00:38 by Unknown
When enabled, the WER service monitors your operating system for faults related to operating system features and applications. By using the WER service, you can obtain more information about the problem or condition that caused the Stop error.

When a Stop error occurs, Windows displays a Stop message and writes diagnostic information to the memory dump file. For reporting purposes, the operating system also saves a small memory dump file. The next time you start your system and log on to Windows as Administrator, WER gathers information about the problem and performs the following actions:

1. Windows displays the Windows Has Recovered From An Unexpected Shutdown dialog box. To view the Stop error code, operating system information, and dump file locations, click View Problem Details. Click Check For Solution to submit the minidump file information and possibly several other temporary files to Microsoft.

2. You might be prompted to collect additional information for future errors. If prompted, click Enable Collection.

3. You might also be prompted to enable diagnostics. If prompted, click Turn On Diagnostics.

4. If prompted to send additional details, click View Details to review the additional information being sent. Then, click Send Information.

5. If prompted to automatically send more information about future problems, choose Yes or No.

6. When a possible solution is available, Action Center displays an icon in the system tray with a notification message.

7. Open Action Center to view the solution. Alternatively, you can search for View All Problem Reports in Control Panel.

If WER does not identify the source of an error, you might be able to determine that a specific driver caused the error by using a debugger.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Tuesday, 14 September 2010

Key Features of the Cache Manager (II)

Posted on 10:13 by Unknown
Single, Centralized System Cache
Some operating systems rely on each individual file system to cache data, a practice that results either in duplicated caching and memory management code in the operating system or in limitations on the kinds of data that can be cached. In contrast, Windows offers a centralized caching facility that caches all externally stored data, whether on local hard disks, floppy disks, network file servers, or CD-ROMs. Any data can be cached, whether it’s user data streams (the contents of a file and the ongoing read and write activity to that file) or file system metadata (such as directory and file headers).



The Memory Manager
One unusual aspect of the cache manager is that it never knows how much cached data is actually in physical memory. This statement might sound strange because the purpose of a cache is to keep a subset of frequently accessed data in physical memory as a way to improve I/O performance. The reason the cache manager doesn’t know how much data is in physical memory is that it accesses data by mapping views of files into system virtual address spaces, using standard section objects (file mapping objects in Windows API terminology). As addresses in these mapped views are accessed, the memory manager pages in blocks that aren’t in physical memory. And when memory demands dictate, the memory manager pages data out of the cache and back to the files that are open in (mapped into) the cache. By caching on the basis of a virtual address space using mapped files, the cache manager avoids generating read or write I/O request packets (IRPs) to access the data for files it’s caching.

Instead, it simply copies data to or from the virtual addresses where the portion of the cached file is mapped and relies on the memory manager to fault in (or out) the data into (or out of) memory as needed. This process allows the memory manager to make global tradeoffs on how much memory to give to the system cache versus how much to give to user processes. Also, as you’ll learn in the next section, this design makes it possible for processes that open cached files to see the same data as do processes that are mapping the same files into their user address spaces.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Monday, 13 September 2010

Key Features of the Cache Manager

Posted on 10:51 by Unknown
The cache manager has several key features:

• Supports all file system types (both local and network), thus removing the need for each file system to implement its own cache management code.

• Uses the memory manager to control which parts of which files are in physical memory (trading off demands for physical memory between user processes and the operating system).

• Caches data on a virtual block basis (offsets within a file)—in contrast to many caching systems, which cache on a logical block basis (offsets within a disk volume)—allowing for intelligent read-ahead and high-speed access to the cache without involving file system drivers.

• Supports “hints” passed by applications at file open time (such as random versus sequential access, temporary file creation, and so on).

• Supports recoverable file systems (for example, those that use transaction logging) to recover data after a system failure.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Sunday, 12 September 2010

The New Features in Access 2010

Posted on 10:33 by Unknown
Access 2010 doesn’t represent as radical a change as Access 2007, which revamped the program’s main window and introduced the now-infamous ribbon. However, Access 2010 still has an impressive number of enhancements, most notably:

• Backstage view. Earlier in this Introduction, you got a glimpse of Access’s new control center for managing databases. Whether you need to open an existing database file, create a new one, print your work, or tune up Access options, backstage view gives you a bit more breathing room.

• Report refinements. Access fans have been creating reports (printable lists and summaries of their data) for years. Access 2010 gives reports a minor tune-up, with new support for Office themes (reusable font and color settings) and data bars (which represent numeric values with bars of different length).

• The WebBrowser control. This frill lets you put a web browser in one of your custom-designed database forms. For example, imagine equipping your database with your company’s website or an online product page.

• Navigation forms. As you design better and more complex databases, you’ll need a way to get around. For years, the only solution Access had for database navigation was the clumsy and irredeemably ugly switchboard manager. Access 2010 tosses that feature out and replaces it with slick navigation controls that make moving around your database as easy as browsing a website.

• Trusted databases. Access 2010 remembers the databases you trust on your computer. That means there’s no need to click Enable Content every time you open your database. It’s a small feature, but a nice one.

• Revamped macro designer. The old macro designer was a place no Access fan wanted to linger. Its dense grid of information was a depressing combination: boring and confusing. The new macro designer is dramatically different. It’s cleanly organized, with helpful pop-up tips, a collapsible display that lets you home in on the important stuff, and a drag-and-drop feature that lets you rearrange your actions with the mouse. All these changes reflect Microsoft’s new vision—that macros will become an increasingly useful part of the database developer’s toolkit, not just a poor substitute for Visual Basic code.

• Data macros. Data macros are macros that leap into action when someone inserts, edits, or deletes a record. This feature has a few quirks, but it still gives you a powerful way to track changes, synchronize data, and perform sophisticated error-checking.

• Web databases. Wouldn’t it be cool to view your Access database on the Web? And wouldn’t it be even better if you could print reports and use forms to edit that database, all without leaving the comfort of your browser? And wouldn’t it be just a little mind-blowing if a large crowd of people could use your web database all at once, even if they didn’t have Access installed on their computers? For the first time, Access 2010 makes these scenarios possible.

• Easier ribbon customization. In Access 2007, changing the ribbon was nearly impossible, unless you were willing to become a master programmer. In Access 2010, you just need a leisurely trip to the Customize Ribbon section of the Access Options dialog box, where you can add, remove, and reorder Access’s panoply of buttons to suit your preferences.

Source of Information : Oreilly Access 2010 The Missing Manual
Posted in Access 2010 | No comments

Saturday, 11 September 2010

Access vs SQL Server

Posted on 10:03 by Unknown
Microsoft provides another database product—the industrial-strength SQL Server, which powers everything from Microsoft’s own search engine to the NASDAQ stock exchange. Clearly, SQL Server is big business, and many Access fans wonder how their favorite database software compares. One of the most important differences between Access and database products like SQL Server is that Access is a client-side database. In non-techie terms, that means that Access runs right on your personal computer. Database engines like SQL Server are server-based: They store the data on a high-powered server computer, which you access from a garden-variety PC. (This interaction happens over a local network.)

Server-based databases are much more complex to set up and maintain, but they provide enhanced performance and rock-solid stability, even when thousands of people use them at once. However, the only people that require high-end databases like SQL Server are large organizations. Amazon.com wouldn’t last 5 minutes if it had to rely on an Access database. But Access works just fine for most small and mid-sized businesses. It’s also perfect for personal use.

Another important difference between Access and server-side database products is that Access is an all-in-one solution for storing and interacting with data. Server-side database engines like SQL Server focus exclusively on storing data (and sending that data to other computers when they request it). However, this single-minded design has a sizable price. An ordinary person can’t directly edit a database that’s stored by SQL Server. Instead, you need to use yet another program that can talk to SQL Server and ask for the information it needs. In most cases, this program needs to be hand-built by a savvy programmer. In other words, if you’re using SQL Server, you need to write a whole application before you can effectively use your database.

Sometimes, Access fans do turn into SQL Server gurus. You can start with a modest Access database and then step up to SQL Server when your needs exceed what Access provides. The process isn’t always seamless, but it’s possible. You can even keep using Access as a front end to manage your SQL Server database.

Source of Information : Oreilly Access 2010 The Missing Manual
Posted in Access 2010 | No comments

Friday, 10 September 2010

Access vs. Excel

Posted on 20:00 by Unknown
Access isn’t the only Office product that can deal with lists and tables of information. Microsoft Excel also includes features for creating and managing lists. So what’s the difference?

Although Excel’s perfectly good for small, simple amounts of information, it just can’t handle the same quantity and complexity of information as Access. Excel also falters if you need to maintain multiple lists with related information (for example, if you want to track a list of your business customers and a list of the orders they’ve made). Excel forces you to completely separate these lists, which makes it harder to analyze your data and introduces the possibility of inconsistent information. Access lets you set up strict links between tables, which prevents these problems.

Access also provides all sorts of features that don’t have any parallel in the spreadsheet world, such as the ability to create customized search routines, design fine-tuned forms for data entry, and print a variety of snazzy reports.

Of course, all this isn’t to say that Access is better than Excel. In fact, in many cases you might want Excel to partner up with Access. Excel shines when crunching reams of numbers to create graphs, generate statistics, or predict trends. Many organizations use Access to store and manage information, and then export a portion of that information to an Excel spreadsheet whenever they need to analyze it.

Source of Information : Oreilly Access 2010 The Missing Manual
Posted in Access 2010 | No comments

The Benefits of a Good Database

Posted on 06:46 by Unknown
Many people use an address book to keep track of close friends, distant relatives, or annoying coworkers. For the most part, the low-tech address book works great. But consider what happens if you decide to store the same information in an Access database. Even though your contact list isn’t storing Google-sized volumes of information, it still offers a few features that you wouldn’t have without Access:

• Backup. If you’ve ever tried to decipher a phone number through a coffee stain, you know that sometimes it helps to have things in electronic form. Once you place all your contact information into a database, you’ll be able to preserve it in case of disaster, and print as many copies as you need (each with some or all of the information showing). You can even share your list with a friend who needs the same numbers.

• Space. Although most people can fit all the contacts they need into a small address book, a database ensures you’ll never fill up that “M” section. Not to mention that you can cross out and rewrite the address for your itinerant Uncle Sid only so many times before you run out of room.

• Searching. An address book organizes contacts in one way—by name. But what happens once you’ve entered everyone in alphabetical order by last name, and you need to look up a contact you vaguely remember as Joe? Access can effortlessly handle this search. It can also find a matching entry by phone number, which is great if your phone gives you a log of missed calls, and you want to figure out who’s been pestering you.

• Sharing. Only one person at a time can edit most ordinary files like Microsoft Word documents and spreadsheets. This limitation causes a problem if you need your entire office team to collaborate on a potluck menu. But Access lets multiple people review and change your data at the same time, on different computers.

• Integration with other applications. Access introduces you to a realm of timesaving possibilities like mail merge. You can feed a list of contacts into a form letter you create in Word, and automatically generate dozens of individually addressed letters.

All these examples demonstrate solid reasons to go electronic with almost any type of information.

Source of Information : Oreilly Access 2010 The Missing Manual
Posted in Access 2010 | No comments

Saturday, 4 September 2010

Using Memory Dump Files to Analyze Stop Errors

Posted on 10:05 by Unknown
Memory dump files record detailed information about the state of your operating system when the Stop error occurred. You can analyze memory dump files manually by using debugging tools or by using automated processes provided by Microsoft. The information you obtain can help you understand more about the root cause of the problem.

You can use WER to upload your memory dump file information to Microsoft. You can also use the following debugging tools to analyze your memory dump files manually:

• Microsoft Kernel Debugger (Kd.exe)
• Microsoft WinDbg Debugger (WinDbg.exe)

You can view information about the Stop error in the System Log after a Stop error occurs. For example, the following information event (with a source of Bugcheck and an Event ID of 1001) indicates that a 0xFE Stop error occurred.

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000fe (0x00000008, 0x00000006, 0x00000001, 0x87b1e000). A dump was saved in: C:\Windows\MEMORY.DMP.
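The event message above has a fixed layout, so a set of exported System-log messages can be triaged without opening each dump. The following is an added example, not from the Resource Kit: it parses the Stop code, the four parameters and the dump path, and lists Stop codes that recur. The function names are hypothetical, and every sample message except the first (the one quoted above) is constructed.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional, Tuple

HEX = r"0x[0-9a-fA-F]+"

# Layout of the message text for the event with source Bugcheck, Event ID 1001.
# The "A dump was saved in:" sentence is treated as optional (assumption).
BUGCHECK_RE = re.compile(
    rf"The bugcheck was:\s*({HEX})\s*"
    rf"\(\s*({HEX})\s*,\s*({HEX})\s*,\s*({HEX})\s*,\s*({HEX})\s*\)"
    r"(?:.*?A dump was saved in:\s*(\S.*?\.dmp))?",
    re.IGNORECASE | re.DOTALL,
)


class Bugcheck(NamedTuple):
    stop_code: int                # for the page's message: 0xFE
    parameters: Tuple[int, ...]   # the four Stop error parameters
    dump_path: Optional[str]      # None when the message names no dump file


def parse_bugcheck(message: str) -> Optional[Bugcheck]:
    """Return the parsed Stop error, or None if the text is not a bugcheck message."""
    m = BUGCHECK_RE.search(message)
    if m is None:
        return None
    code, p1, p2, p3, p4, dump = m.groups()
    params = tuple(int(p, 16) for p in (p1, p2, p3, p4))
    return Bugcheck(int(code, 16), params, dump)


def recurring_stop_codes(messages, threshold=2):
    """List (Stop code, count) for codes seen at least `threshold` times, most frequent first."""
    parsed = (parse_bugcheck(m) for m in messages)
    counts = Counter(b.stop_code for b in parsed if b is not None)
    return [(f"0x{code:08X}", n) for code, n in counts.most_common() if n >= threshold]


# Entry 0 is the message quoted on the page; entries 1-3 are constructed sample data.
SAMPLE_MESSAGES = [
    r"The computer has rebooted from a bugcheck. The bugcheck was: 0x000000fe "
    r"(0x00000008, 0x00000006, 0x00000001, 0x87b1e000). "
    r"A dump was saved in: C:\Windows\MEMORY.DMP.",
    r"The computer has rebooted from a bugcheck. The bugcheck was: 0x000000fe "
    r"(0x00000005, 0x00000000, 0x00000000, 0x00000000). "
    r"A dump was saved in: C:\Windows\Minidump\Mini090410-01.dmp.",
    r"The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 "
    r"(0x0000000000000028, 0x0000000000000002, 0x0000000000000000, 0xfffff88001234567).",
    r"The previous system shutdown was unexpected.",
]

if __name__ == "__main__":
    for text in SAMPLE_MESSAGES:
        print(parse_bugcheck(text))
    print("recurring:", recurring_stop_codes(SAMPLE_MESSAGES))
```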

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Friday, 3 September 2010

How to Manually Initiate a Stop Error and Create a Dump File

Posted on 10:02 by Unknown
To be absolutely certain that a dump file will be created when a Stop error occurs, you can manually initiate a Stop error by creating a registry value and pressing a special sequence of characters. After Windows restarts, you can verify that the dump file was correctly created.

To initiate a crash dump manually, follow these steps:

1. Click Start and type Regedit. On the Start menu, right-click Regedit and click Run As Administrator. Respond to the User Account Control (UAC) prompt that appears.

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters.

3. On the Edit menu, click New, DWORD (32-bit) Value, and then add the following registry value:
• Value Name: CrashOnCtrlScroll
• Value: 1

4. Close the Registry Editor and then restart the computer.

5. Log on to Windows. While holding down the right Ctrl key, press the Scroll Lock key twice to initiate a Stop error.

You cannot manually initiate a Stop error on a virtual machine that has virtual machine extensions installed.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Thursday, 2 September 2010

Configuring Complete Memory Dump Files

Posted on 10:00 by Unknown
A complete memory dump file, sometimes referred to as a full dump file, contains everything that was in physical memory when the Stop error occurred. This includes all the information included in a kernel memory dump file, plus user-mode memory. Therefore, you can examine complete memory dump files to find the contents of memory contained within applications, although this is rarely necessary or feasible when troubleshooting application problems.

If you choose to use complete memory dump files, you must have available space on the system drive partition large enough to hold the contents of the physical RAM. Additionally, you must have a paging file equal to the size of your physical RAM.

When a Stop error occurs, the operating system saves a complete memory dump file to a file named %SystemRoot%\Memory.dmp and creates a small memory dump file in the %SystemRoot%\Minidump folder. A Microsoft technical support engineer might ask you to change this setting to facilitate data uploads over slow connections. Depending on the speed of your Internet connection, uploading the data might not be practical, and you might be asked to provide the memory dump file on removable media.

By default, new complete memory dump files overwrite existing files. To change this, clear the Overwrite Any Existing File check box. You can also choose to archive or move a dump file prior to troubleshooting.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Wednesday, 1 September 2010

Configuring Kernel Memory Dump Files

Posted on 10:57 by Unknown
By default, Windows systems create kernel memory dump files. The kernel memory dump file is an intermediate-size dump file that records only kernel memory and can occupy several megabytes of disk space. A kernel memory dump file takes longer to create than a small dump file and thus increases the downtime associated with a system failure. On most systems, the increase in downtime is minimal.

Kernel memory dumps contain additional information that might assist troubleshooting. When a Stop error occurs, Windows saves a kernel memory dump file to a file named %SystemRoot%\Memory.dmp and creates a small memory dump file in the %SystemRoot%\Minidump folder.

A kernel memory dump file records only kernel memory information, which expedites the dump file creation process. The kernel memory dump file does not include unallocated memory or any memory allocated to user-mode programs. It includes only memory allocated to the Executive, kernel, Hardware Abstraction Layer (HAL), and file system cache, in addition to nonpaged pool memory allocated to kernel-mode drivers and other kernel-mode routines.

The size of the kernel memory dump file will vary, but it is always less than the size of the system memory. When Windows creates the dump file, it first writes the information to the paging file. Therefore, the paging file might grow to the size of the physical memory. Later, the dump file information is extracted from the paging file to the actual memory dump file. To ensure that you have sufficient free space, verify that the system drive would have free space greater than the size of physical memory if the paging file were extended to the size of physical memory. Although you cannot exactly predict the size of a kernel memory dump file, a good rule of thumb is that roughly 50 MB to 800 MB, or one-third the size of physical memory, must be available on the boot volume for the paging file.

For most purposes, a kernel memory dump file is sufficient for troubleshooting Stop errors. It contains more information than a small memory dump file and is smaller than a complete memory dump file. It omits those portions of memory that are unlikely to have been involved in the problem. However, some problems do require a complete memory dump file for troubleshooting.

By default, a new kernel memory dump file overwrites an existing one. To change the default setting, clear the Overwrite Any Existing File check box. You can also rename or move an existing dump file prior to troubleshooting.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Tuesday, 31 August 2010

Configuring Small Memory Dump Files

Posted on 10:55 by Unknown
Small memory dump files contain the least amount of information, but they also consume the least amount of disk space. By default, Windows stores small memory dump files in the %SystemRoot%\Minidump folder.

Windows always creates a small memory dump file when a Stop error occurs, even when you choose the kernel dump file or complete memory dump file options. Small memory dump files can be used by both Windows Error Reporting (WER) and debuggers. These tools read the contents of a small memory dump file to help diagnose problems that cause Stop errors.

A small memory dump file records the smallest set of information that might identify the cause of the system stopping unexpectedly. For example, the small memory dump includes the following information:

• Stop error information. Includes the error number and additional parameters that describe the Stop error.

• A list of drivers running on the system. Identifies the modules in memory when the Stop error occurred. This device driver information includes the file name, date, version, size, and manufacturer.

• Processor context information for the process that stopped. Includes the processor and hardware state, performance counters, multiprocessor packet information, deferred procedure call information, and interrupts.

• Kernel context information for the process that stopped. Includes offset of the directory table and the page frame number database, which describes the state of every physical page in memory.

• Kernel context information for the thread that stopped. Identifies registers and IRQLs and includes pointers to operating system data structures.

• Kernel-mode call stack information for the thread that stopped. Consists of a series of memory locations and includes a pointer to the initial location. Developers might be able to use this information to track the source of the error. If this information is greater than 16 kilobytes (KB), only the topmost 16 KB is included.

A small memory dump file requires a paging file of at least 2 megabytes (MB) on the boot volume. The operating system saves each dump file with a unique file name every time a Stop error occurs. The file name includes the date the Stop error occurred. For example, Mini011007-02.dmp is the second small memory dump generated on January 10, 2007.

Small memory dump files are useful when space is limited or when you are using a slow connection to send information to technical support personnel. Because of the limited amount of information that can be included, these dump files do not include errors that were not directly caused by the thread that was running when the problem occurred.
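Because the small memory dump file name encodes the date as MMDDYY, sorting a Minidump folder by name does not give chronological order across a year boundary. The following is an added example, not from the Resource Kit: it decodes the naming scheme described above, orders the files by date and sequence, and reports days with repeated Stop errors. The function names are hypothetical, the two-digit year is assumed to mean 20YY, and all file names except Mini011007-02.dmp are constructed.

```python
import re
from collections import Counter
from datetime import date

# Mini<MM><DD><YY>-<NN>.dmp, e.g. Mini011007-02.dmp
NAME_RE = re.compile(r"^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$", re.IGNORECASE)


def parse_minidump_name(name):
    """Return (date, sequence) for a small memory dump file name, or None.

    Assumption of this example: the two-digit year YY means 20YY.
    Names with an impossible date (month 13, day 32, ...) return None.
    """
    m = NAME_RE.match(name)
    if m is None:
        return None
    month, day, yy, seq = (int(g) for g in m.groups())
    try:
        when = date(2000 + yy, month, day)
    except ValueError:
        return None
    return when, seq


def chronological(names):
    """Return the recognizable dump names ordered by date, then sequence number."""
    keyed = [(parse_minidump_name(n), n) for n in names]
    return [n for key, n in sorted(k for k in keyed if k[0] is not None)]


def busy_days(names, threshold=2):
    """Return (ISO date, dump count) for days with at least `threshold` small dumps."""
    parsed = (parse_minidump_name(n) for n in names)
    per_day = Counter(p[0] for p in parsed if p is not None)
    return [(d.isoformat(), n) for d, n in sorted(per_day.items()) if n >= threshold]


# The first name is the page's example; the others are constructed.
SAMPLE_NAMES = [
    "Mini011007-02.dmp",
    "Mini011007-01.dmp",
    "Mini123106-01.dmp",   # 31 December 2006: older, but sorts last by name
    "Mini133107-01.dmp",   # month 13: not a valid date, ignored
    "Memory.dmp",          # kernel or complete dump, not a small dump name
]

if __name__ == "__main__":
    print("by name:", sorted(SAMPLE_NAMES))
    print("by date:", chronological(SAMPLE_NAMES))
    print("busy   :", busy_days(SAMPLE_NAMES))
```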

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Posted in Windows 7 | No comments

Monday, 30 August 2010

Memory Dump Files

Posted on 10:51 by Unknown
When a Stop error occurs, Windows displays information that can help you analyze the root cause of the problem. Windows writes the information to the paging file (Pagefile.sys) on the %SystemDrive% root by default. When you restart the computer in normal or safe mode after a Stop error occurs, Windows uses the paging file information to create a memory dump file in the %SystemRoot% folder. Analyzing dump files can provide more information about the root cause of a problem and lets you perform offline analysis by running analysis tools on another computer.

You can configure your system to generate three types of dump file:

• Small memory dump files. Sometimes referred to as minidump files, these dump files contain the least amount of information but are very small. Small memory dump files can be written to disk quickly, which minimizes downtime by allowing the operating system to restart sooner. Windows stores small memory dump files (unlike kernel and complete memory dump files) in the %SystemRoot%\Minidump folder, instead of using the %SystemRoot%\Memory.dmp file name.

• Kernel memory dump files. These dump files record the contents of kernel memory. Kernel memory dump files require a larger paging file on the boot device than small memory dump files and take longer to create when a failure has occurred. However, they record significantly more information and are more useful when you need to perform in-depth analysis. When you choose to create a kernel memory dump file, Windows also creates a small memory dump file.

• Complete memory dump files. These dump files record the entire contents of physical memory when the Stop error occurred. A complete memory dump file’s size will be slightly larger than the amount of physical memory installed at the time of the error. When you choose to create a complete memory dump file, Windows also creates a small memory dump file.

By default, Windows is configured to create kernel memory dump files. By default, small memory dump files are saved in the %SystemRoot%\Minidump folder, and kernel and complete memory dump files are saved to a file named %SystemRoot%\Memory.dmp. To change the type of dump file Windows creates or to change their location, follow these steps:

1. Click Start, right-click Computer, and then select Properties.

2. Click Advanced System Settings.

3. In the System Properties dialog box, click the Advanced tab. Under Startup And Recovery, click Settings.

4. In the Write Debugging Information drop-down list, select the debugging type.

5. If desired, change the path shown in the Dump File box.

6. Click OK twice and then restart the operating system if prompted.

The sections that follow describe the different types of dump files in more detail.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Sunday, 29 August 2010

Types of Stop Errors

Posted on 10:42 by Unknown
A hardware or software problem can cause a Stop error, which causes a Stop message to appear. Stop messages typically fit into one of the following categories:

• Stop errors caused by faulty software. A Stop error can occur when a driver, service, or system feature running in Kernel mode introduces an exception. For example, a driver attempts to perform an operation above its assigned interrupt request level (IRQL) or tries to write to an invalid memory address. A Stop message might seem to appear randomly, but through careful observation, you might be able to associate the problem with a specific activity. Verify that all installed software (especially drivers) in question is fully Windows 7–compatible and that you are running the latest versions. Windows 7 compatibility is especially important for applications that might install drivers.

• Stop errors caused by hardware issues. This problem occurs as an unplanned event resulting from defective, malfunctioning, or incorrectly configured hardware. If you suspect a Stop error is caused by hardware, first install the latest drivers for that hardware. Failing hardware can cause Stop errors regardless of the stability of the driver, however.

• Executive initialization Stop errors. Executive initialization Stop errors occur only during the relatively short Windows executive initialization sequence. Typically, these Stop errors are caused by corrupted system files or faulty hardware. To resolve them, run Startup Repair as described in Chapter 29. If problems persist, verify that all hardware features have the latest firmware and then continue troubleshooting.

• Installation Stop errors that occur during setup. For new installations, installation Stop errors typically occur because of incompatible hardware, defective hardware, or outdated firmware. During an operating system upgrade, Stop errors can occur when incompatible applications and drivers exist on the system. Update the computer’s firmware to the version recommended by the computer manufacturer before installing Windows. Consult your system documentation for information about checking and upgrading your computer’s firmware.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Saturday, 28 August 2010

Stop Messages

Posted on 10:38 by Unknown
Stop messages report information about Stop errors. The intention of the Stop message is to assist the system administrator in isolating and eventually resolving the problem that caused the Stop error. Stop messages provide a great deal of useful information to administrators who understand how to interpret the information in the Stop message.

When examining a Stop message, you need to have a basic understanding of the problem so that you can plan a course of action. Always review the Stop message and record as much information about the problem as possible before searching through technical sources. Stop messages use a full-screen character mode format.

A Stop message screen has several major sections, which display the following information:
• Bugcheck Information
• Recommended User Action
• Technical Information
• Driver Information (if available)
• Debug Port and Dump Status Information


Bugcheck Information
The Bugcheck Information section lists the Stop error descriptive name. Descriptive names are directly related to the Stop error number listed in the Technical Information section.


Recommended User Action
The Recommended User Action section informs the user that a problem has occurred and that Windows was shut down. It also provides the symbolic name of the Stop error, for example BUGCODE_USB_DRIVER. It also attempts to describe the problem and lists suggestions for recovery. In some cases, restarting the computer might be sufficient because the problem is not likely to recur. But if the Stop error persists after you restart the operating system, you must determine the root cause to return the operating system to an operable state. This process might involve undoing recent changes, replacing hardware, or updating drivers to eliminate the source of the problem.


Technical Information
The Technical Information section lists the Stop error number, also known as the bugcheck code, followed by up to four Stop error–specific codes (displayed as hexadecimal numbers enclosed in parentheses), which identify related parameters. Stop error codes contain a 0x prefix, which indicates that the number is in hexadecimal format. For example, the Stop error hexadecimal code is 0x000000FE (often written as 0xFE).


Driver Information
The Driver Information section identifies the driver associated with the Stop error. If a file is specified by name, you can use safe mode to verify that the driver is signed or has a date stamp that coincides with other drivers. If necessary, you can replace the file manually (in Startup Repair or in safe mode) or use Roll Back Driver to revert to a previous version.


Debug Port and Dump Status Information
The Debug Port and Dump Status Information section lists Component Object Model (COM) port parameters that a kernel debugger uses, if enabled. If you have enabled memory dump file saves, this section also indicates whether one was successfully written. As a dump file is being written to the disk, the percentage shown after “Dumping physical memory to disk” is incremented to 100. A value of 100 indicates that the memory dump was successfully saved.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Friday, 27 August 2010

Stop Message - Identifying the Stop Error

Posted on 10:47 by Unknown
Finding Troubleshooting Information
Each Stop error requires a different troubleshooting technique. Therefore, after you identify the Stop error and gather the associated information, use the following sources for troubleshooting information specific to that Stop error:

- The section titled “Common Stop Messages” later in this chapter. This section is intended as a reference for troubleshooting Stop errors; however, it does not include every possible Stop error. If the Stop error number you are troubleshooting is not listed in “Common Stop Messages,” refer to the Debugging Tools For Windows Help.

- Microsoft Debugging Tools For Windows Help. Install Microsoft Debugging Tools For Windows and consult Help for that tool. This Help contains the definitive list of Stop messages, including many not covered in this chapter, and explains how to troubleshoot a wide variety of Stop errors. To install Debugging Tools For Windows, visit http://www.microsoft.com/whdc/devtools/debugging/.

- Microsoft Knowledge Base. The Knowledge Base includes timely articles about a limited subset of Stop errors. Stop error information in the Knowledge Base is often specific to a particular driver or hardware feature and generally includes step-by-step instructions for resolving the problem.

- Microsoft Help and Support. For related information, see Microsoft Help and Support at http://support.microsoft.com.

- Microsoft Product Support Services. If you cannot isolate the cause of the Stop error, obtain assistance from trained Microsoft Product Support Services personnel. You might need to furnish specific information and perform certain procedures to help technical support investigate your problem. For more information about Microsoft product support, visit http://www.microsoft.com/services/microsoftservices/srv_enterprise.mspx.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Thursday, 26 August 2010

Stop Message - Identifying the Stop Error

Posted on 10:45 by Unknown
Many different types of Stop errors occur. Each has its own possible causes and requires a unique troubleshooting process. Therefore, the first step in troubleshooting a Stop error is to identify the Stop error. You need the following information about the Stop error to begin troubleshooting:

- Stop error number. This number uniquely identifies the Stop error.

- Stop error parameters. These parameters provide additional information about the Stop error. Their meaning is specific to the Stop error number.

- Driver information. When available, the driver information identifies the most likely source of the problem. Not all Stop errors are caused by drivers, however.

This information is often displayed as part of the Stop message. If possible, write it down to use as a reference during the troubleshooting process. If the operating system restarts before you can write down the information, you can often retrieve the information from the System Event Log in Event Viewer.

If you are unable to gather the Stop error number from the Stop message and the System Log, you can retrieve it from a memory dump file. By default, Windows is configured to create a memory dump whenever a Stop error occurs. If no memory dump file was created, configure the system to create a memory dump file. Then, if the Stop error reoccurs, you will be able to extract the necessary information from the memory dump file.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Wednesday, 25 August 2010

Single, Centralized System Cache and The Memory Manager

Posted on 10:40 by Unknown
Single, Centralized System Cache

Some operating systems rely on each individual file system to cache data, a practice that results either in duplicated caching and memory management code in the operating system or in limitations on the kinds of data that can be cached. In contrast, Windows offers a centralized caching facility that caches all externally stored data, whether on local hard disks, floppy disks, network file servers, or CD-ROMs. Any data can be cached, whether it’s user data streams (the contents of a file and the ongoing read and write activity to that file) or file system metadata (such as directory and file headers).


The Memory Manager
One unusual aspect of the cache manager is that it never knows how much cached data is actually in physical memory. This statement might sound strange because the purpose of a cache is to keep a subset of frequently accessed data in physical memory as a way to improve I/O performance. The reason the cache manager doesn’t know how much data is in physical memory is that it accesses data by mapping views of files into system virtual address spaces, using standard section objects (file mapping objects in Windows API terminology). As addresses in these mapped views are accessed, the memory manager pages in blocks that aren’t in physical memory. And when memory demands dictate, the memory manager pages data out of the cache and back to the files that are open in (mapped into) the cache.

By caching on the basis of a virtual address space using mapped files, the cache manager avoids generating read or write I/O request packets (IRPs) to access the data for files it’s caching. Instead, it simply copies data to or from the virtual addresses where the portion of the cached file is mapped and relies on the memory manager to fault in (or out) the data into (or out of) memory as needed. This process allows the memory manager to make global tradeoffs on how much memory to give to the system cache versus how much to give to user processes.

Source of Information : Microsoft Press Windows Internals 5th Edition

Tuesday, 24 August 2010

Cache Manager

Posted on 10:38 by Unknown
The cache manager is a set of kernel-mode functions and system threads that cooperate with the memory manager to provide data caching for all Windows file system drivers (both local and network).

Key Features of the Cache Manager
The cache manager has several key features:

• Supports all file system types (both local and network), thus removing the need for each file system to implement its own cache management code

• Uses the memory manager to control which parts of which files are in physical memory (trading off demands for physical memory between user processes and the operating system)

• Caches data on a virtual block basis (offsets within a file)—in contrast to many caching systems, which cache on a logical block basis (offsets within a disk volume)—allowing for intelligent read-ahead and high-speed access to the cache without involving file system drivers

• Supports “hints” passed by applications at file open time (such as random versus sequential access, temporary file creation, and so on)

• Supports recoverable file systems (for example, those that use transaction logging) to recover data after a system failure

None of the cache manager’s internal functions are outlined in this chapter beyond the depth required to explain how the cache manager works. The programming interfaces to the cache manager are documented in the Windows Driver Kit (WDK). For more information about the WDK, see www.microsoft.com/whdc/devtools/wdk/default.mspx.

Source of Information : Microsoft Press Windows Internals 5th Edition

Monday, 23 August 2010

Shutdown

Posted on 10:34 by Unknown
If someone is logged on and a process initiates a shutdown by calling the Windows ExitWindowsEx function, a message is sent to that session’s Csrss instructing it to perform the shutdown. Csrss in turn impersonates the caller and sends an RPC message to Winlogon, telling it to perform a system shutdown. Winlogon then impersonates the currently logged-on user (who might or might not have the same security context as the user who initiated the system shutdown) and calls ExitWindowsEx with some special internal flags. Again, this call causes a message to be sent to the Csrss process inside that session, requesting a system shutdown.

This time, Csrss sees that the request is from Winlogon and loops through all the processes in the logon session of the interactive user (again, not the user who requested a shutdown) in reverse order of their shutdown level. A process can specify a shutdown level, which indicates to the system when it wants to exit with respect to other processes, by calling SetProcessShutdownParameters. Valid shutdown levels are in the range 0 through 1023, and the default level is 640. Explorer, for example, sets its shutdown level to 2 and Task Manager specifies 1. For each process that owns a top-level window, Csrss sends the WM_QUERYENDSESSION message to each thread in the process that has a Windows message loop. If the thread returns TRUE, the system shutdown can proceed. Csrss then sends the WM_ENDSESSION Windows message to the thread to request it to exit. Csrss waits for the time defined in HKCU\Control Panel\Desktop\HungAppTimeout for the thread to exit. (The default is 5000 milliseconds.)

If the thread doesn’t exit before the timeout, Csrss fades out the screen and displays the hung-program screen. (You can disable this screen by changing the registry value HKCU\Control Panel\Desktop\AutoEndTasks to 1.) This screen indicates which programs are currently running and, if available, their current state. Windows indicates which program isn’t shutting down in a timely manner and gives the user a choice of either killing the process or aborting the shutdown. (There is no timeout on this screen, which means that a shutdown request could wait forever at this point.) Additionally, third-party applications can add their own specific information regarding state—for example, a virtualization product could display the number of actively running virtual machines.

If the thread does exit before the timeout, Csrss continues sending the WM_QUERYENDSESSION/WM_ENDSESSION message pairs to the other threads in the process that own windows. Once all the threads that own windows in the process have exited, Csrss terminates the process and goes on to the next process in the interactive session.

If Csrss finds a console application, it invokes the console control handler by sending the CTRL_LOGOFF_EVENT event. (Only service processes receive the CTRL_SHUTDOWN_EVENT event on shutdown.) If the handler returns FALSE, Csrss kills the process. If the handler returns TRUE or doesn’t respond within the time defined by HKCU\Control Panel\Desktop\WaitToKillAppTimeout (the default is 20,000 milliseconds), Csrss displays the hung-program screen.

Next, Winlogon calls ExitWindowsEx to have Csrss terminate any COM processes that are part of the interactive user’s session.

At this point, all the processes in the interactive user’s session have been terminated. Wininit next calls ExitWindowsEx, which this time executes within the system process context. This causes Wininit to send a message to the Csrss part of session 0, where the services live. Csrss then looks at all the processes belonging to the system context and sends the WM_QUERYENDSESSION/WM_ENDSESSION messages to GUI threads (as before). Instead of sending CTRL_LOGOFF_EVENT, however, it sends CTRL_SHUTDOWN_EVENT to console applications that have registered control handlers. Note that the SCM is a console program that does register a control handler. When it receives the shutdown request, it in turn sends the service shutdown control message to all services that registered for shutdown notification.

Although Csrss performs the same timeouts as when it was terminating the user processes, it doesn’t display any dialog boxes and doesn’t kill any processes. (The registry values for the system process timeouts are taken from the default user profile.) These timeouts simply allow system processes a chance to clean up and exit before the system shuts down. Therefore, many system processes are in fact still running when the system shuts down, such as Smss, Wininit, Services, and Lsass.

Once Csrss has finished its pass notifying system processes that the system is shutting down, Winlogon finishes the shutdown process by calling the executive subsystem function NtShutdownSystem. This function calls the function PoSetSystemPowerState to orchestrate the shutdown of drivers and the rest of the executive subsystems (Plug and Play manager, power manager, executive, I/O manager, configuration manager, and memory manager).

For example, PoSetSystemPowerState calls the I/O manager to send shutdown I/O packets to all device drivers that have requested shutdown notification. This action gives device drivers a chance to perform any special processing their device might require before Windows exits. The stacks of worker threads are swapped in, the configuration manager flushes any modified registry data to disk, and the memory manager writes all modified pages containing file data back to their respective files. If the option to clear the paging file at shutdown is enabled, the memory manager clears the paging file at this time. The I/O manager is called a second time to inform the file system drivers that the system is shutting down. System shutdown ends in the power manager. The action the power manager takes depends on whether the user specified a shutdown, a reboot, or a power down.

Source of Information : Microsoft Press Windows Internals 5th Edition

Sunday, 22 August 2010

Windows Resource Protection

Posted on 10:33 by Unknown
To preserve the integrity of the many components involved in the boot process, as well as other critical Windows files, libraries, and applications, Windows implements a technology called Windows Resource Protection (WRP). WRP is implemented through access control lists (ACLs) that protect critical system files on the machine. It is also exposed through an API (located in \Windows\System32\Sfc.dll and \Windows\System32\Sfc_os.dll) that can be accessed by the Sfc.exe utility to manually check a file for corruption and restore it.

WRP will also protect entire critical folders if required, even locking down the folder so that it is inaccessible by administrators (without modifying the access control list on the folder). The only supported way to modify WRP-protected files is through the Windows Modules Installer service, which can run under the TrustedInstaller account. This service is used for the installation of patches, service packs, hotfixes, and Windows Update. This account has access to the various protected files and is trusted by the system (as its name implies) to modify critical files and replace them. WRP also protects critical registry keys, and it may even lock entire registry trees if all the values and subkeys are considered to be critical.

Unlike the previous incarnation of WRP, called WFP (Windows File Protection), this implementation does not make use of file and directory change notifications to prevent replacement of critical files. Instead, the ACL on protected files, directories, or registry keys is set so that only the TrustedInstaller account is able to modify or delete these files. Application developers can use the SfcIsFileProtected or SfcIsKeyProtected APIs to check whether a file or registry key is locked down.

For backward compatibility, certain installers are considered well-known—an application compatibility shim exists that will suppress the “access denied” error that certain installers would receive while attempting to modify WRP-protected resources. Instead, the installer receives a fake “success” code, but the modification isn’t made. This virtualization is similar to the User Access Control (UAC) virtualization technology, but it applies to write operations as well. It applies if the following are true:

• The application is a legacy application, meaning that it does not contain a manifest file compatible with Windows Vista or Windows Server 2008 with the requestedExecutionLevel value set.

• The application is trying to modify a WRP-protected resource (the file or registry key contains the TrustedInstaller SID).

• The application is being run under an administrator account (always true on systems with UAC enabled because of automatic installer program detection).

WRP copies files that are needed to restart Windows to the cache directory located at \Windows\winsxs\Backup. Critical files that are not needed to restart Windows are not copied to the cache directory. The size of the cache directory and the list of files copied to the cache cannot be modified. To recover a file from the cache directory, you can use the System File Checker (Sfc.exe) tool, which can scan your system for modified protected files and restore them from a good copy.
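The ACL model described above can be audited offline from a security descriptor in SDDL form. The following is an added example, not code from the book or from Windows: it flags any owner or allow ACE that would let an account other than TrustedInstaller modify or delete the object. The two SDDL strings are constructed samples, and the function names are hypothetical.

```python
import re

# Well-known SID of the NT SERVICE\TrustedInstaller account.
TRUSTED_INSTALLER = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"

# SDDL two-letter rights codes and their access-mask values.
RIGHT_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Bits that allow changing or deleting the object or its security settings.
MODIFY_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100   # write data, append, write EA, delete child, write attributes
               | 0x10000 | 0x40000 | 0x80000     # DELETE, WRITE_DAC, WRITE_OWNER
               | 0x10000000 | 0x40000000)        # GENERIC_ALL, GENERIC_WRITE

# Constructed samples: one descriptor in the WRP style, one that has been loosened.
PROTECTED_SDDL = ("O:" + TRUSTED_INSTALLER + "G:" + TRUSTED_INSTALLER +
                  "D:PAI(A;;FA;;;" + TRUSTED_INSTALLER + ")"
                  "(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)")
TAMPERED_SDDL = "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;0x1200a9;;;SY)(A;;FRFX;;;BU)"


def rights_mask(field):
    """Convert an SDDL rights field (hex mask or two-letter codes) to an integer."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError("unsupported rights field: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError("unknown rights code: %r" % code)
        mask |= RIGHT_CODES[code]
    return mask


def audit_wrp_sddl(sddl):
    """Return (kind, sid, mask) findings; an empty list means only TrustedInstaller can modify."""
    findings = []
    owner = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl)
    owner_sid = owner.group(1) if owner else None
    if owner_sid != TRUSTED_INSTALLER:
        findings.append(("owner", owner_sid, 0))

    dacl = re.search(r"D:[^()]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        # No DACL (or an empty one) is not the WRP layout; report it and stop.
        findings.append(("no-dacl", None, 0))
        return findings

    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: %r" % ace)
        ace_type, flags, rights, sid = fields[0], fields[1], fields[2], fields[5]
        flag_codes = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        # Only allow ACEs that apply to the object itself are relevant here.
        if ace_type != "A" or "IO" in flag_codes or sid == TRUSTED_INSTALLER:
            continue
        mask = rights_mask(rights)
        if mask & MODIFY_BITS:
            findings.append(("write-ace", sid, mask))
    return findings


if __name__ == "__main__":
    for label, sddl in (("protected", PROTECTED_SDDL), ("tampered", TAMPERED_SDDL)):
        print(label, audit_wrp_sddl(sddl))
```

Conditional ACEs, which carry a seventh field, are outside what this parser handles.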

Source of Information : Microsoft Press Windows Internals 5th Edition

Saturday, 21 August 2010

Solving Common Boot Problems “Part II”

Posted on 10:18 by Unknown
In some cases, multiple system files are deleted or become corrupt, so the repair process can involve multiple reboots and boot failures as you repair the files one by one. If you believe the system file corruption to be extensive, you should consider restoring the system from a backup image, such as one generated by Windows Vista CompletePC Backup or from a system restore point.

When you run Windows Backup (located in the System folder under Accessories on the Start menu), you can generate a CompletePC backup image, which includes all the files on the system and boot volumes, plus a floppy disk on which it stores information about the system’s disks and volumes. To restore a system from an ASR backup image, boot from the Windows setup media and press F2 when prompted. If you do not have a backup from which to restore, a last resort is to execute a Windows repair install: boot from the Windows setup media, and follow the wizard as if you were going to perform a new installation. The wizard will ask you whether you want to perform a repair or fresh install. When you tell it that you want to repair, Setup reinstalls all system files, leaving your application data and registry settings intact.


System Hive Corruption
• Symptoms. If the System registry hive is missing or corrupted, Winload will display the message “Windows could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM,” on a black screen after the BIOS POST.

• Causes. The System registry hive, which contains configuration information necessary for the system to boot, has become corrupt or has been deleted.

• Resolution. Boot into the Windows Recovery Environment, choose the Command Prompt option, and then execute the chkdsk command. If the problem is not corrected, obtain a backup of the System registry hive. Windows makes copies of the registry hives every 12 hours (keeping the immediately previous copy with a .OLD extension) in a folder called \Windows\System32\Config\RegBack, so copy the file named System to \Windows\System32\Config.

If System Restore is enabled, you can often obtain a more recent backup of the registry hives, including the System hive, from the most recent restore point. You can choose System Restore from the Windows Recovery Environment to restore your registry from the last restore point.


Post–Splash Screen Crash or Hang
• Symptoms. Problems that occur after the Windows splash screen displays, the desktop appears, or you log on fall into this category and can appear as a blue screen crash or a hang, where the entire system is frozen or the mouse cursor tracks the mouse but the system is otherwise unresponsive.

• Causes. These problems are almost always a result of a bug in a device driver, but they can sometimes be the result of corruption of a registry hive other than the System hive.

• Resolution. You can take several steps to try to correct the problem. The first thing you should try is the last known good configuration. Last known good (LKG) consists of the registry control set that was last used to boot the system successfully. Because a control set includes core system configuration and the device driver and services registration database, using a version that does not reflect changes or newly installed drivers or services might avoid the source of the problem. You access last known good by pressing the F8 key early in the boot process to access the same menu from which you can boot into safe mode.

When you boot into LKG, the system saves the control set that you are avoiding and labels it as the failed control set. In cases where LKG makes a system bootable, you can use the failed control set to determine what was causing the system to fail to boot by exporting the contents of the current control set of the successful boot and of the failed control set to .reg files. You do this by using Regedit’s export functionality, which you access under the File menu:

1. Run Regedit, and select HKLM\SYSTEM\CurrentControlSet.

2. Select Export from the File menu, and save to a file named good.reg.

3. Open HKLM\SYSTEM\Select, read the value of Failed, and select the subkey named HKLM\SYSTEM\ControlXXX, where XXX is the value of Failed.

4. Export the contents of the control set to bad.reg.

5. Use WordPad (which is found under Accessories on the Start menu) to globally replace all instances of CurrentControlSet in good.reg with ControlSet.

6. Use WordPad to change all instances of ControlXXX (replacing XXX with the value of the Failed control set) in bad.reg with ControlSet.

7. Run Windiff from the Support Tools, and compare the two files.

The differences between a failed control set and a good one can be numerous, so you should focus your examination on changes beneath the Control subkey as well as under the Parameters subkeys of drivers and services registered in the Services subkey. Ignore changes made to Enum subkeys of driver registry keys in the Services branch of the control set.
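The rename-and-compare steps, together with the filtering advice in the paragraph above, can be done in one pass. This is an added example, not code from the book: it parses two .reg exports, rewrites both roots to a common ControlSet name, skips the Enum subkeys, and by default reports only changes under Control and under the Parameters subkeys of Services. The two exports, the key name ControlSet002 and the driver name exampledrv are constructed, and the text is assumed to be already decoded (Regedit writes version 5 exports as UTF-16).

```python
import re

# Constructed export of the control set that booted successfully (good.reg).
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,\
  74,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv\Parameters]
"BufferCount"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv\Enum]
"Count"=dword:00000001
"""

# Constructed export of the failed control set (bad.reg).
BAD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,\
  74,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exampledrv]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exampledrv\Parameters]
"BufferCount"=dword:00000040
"Mode"="fast"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exampledrv\Enum]
"Count"=dword:00000002
"""

VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def parse_reg(text, control_set):
    """Return {key: {value_name: data}} with the control-set root renamed to 'ControlSet'."""
    prefix = ("HKEY_LOCAL_MACHINE\\SYSTEM\\" + control_set).lower()
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):            # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            low = key.lower()
            if low == prefix or low.startswith(prefix + "\\"):
                key = "ControlSet" + key[len(prefix):]
            current = keys.setdefault(key, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    return keys


def is_enum(key):
    """True for ControlSet\\Services\\<name>\\Enum and anything beneath it."""
    parts = key.lower().split("\\")
    return len(parts) >= 4 and parts[1] == "services" and parts[3] == "enum"


def in_focus(key):
    """True for keys under Control or under a service's Parameters subkey."""
    parts = key.lower().split("\\")
    if len(parts) < 2 or parts[0] != "controlset":
        return False
    if parts[1] == "control":
        return True
    return parts[1] == "services" and len(parts) >= 4 and parts[3] == "parameters"


def diff_control_sets(good, bad, focus=True):
    """Return (key, value_name, good_data, bad_data) for every differing value."""
    changes = []
    for key in sorted(set(good) | set(bad)):
        if is_enum(key) or (focus and not in_focus(key)):
            continue
        g, b = good.get(key, {}), bad.get(key, {})
        for name in sorted(set(g) | set(b)):
            if g.get(name) != b.get(name):
                changes.append((key, name, g.get(name), b.get(name)))
    return changes


if __name__ == "__main__":
    good = parse_reg(GOOD_REG, "CurrentControlSet")
    bad = parse_reg(BAD_REG, "ControlSet002")
    for change in diff_control_sets(good, bad):
        print(change)
```

Passing focus=False widens the report to every key except Enum, which also surfaces changes to a service's own values such as Start.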

If the problem you’re experiencing is caused by a driver or service that was present on the system since before the last successful boot, LKG will not make the system bootable. Similarly, if a problematic configuration setting changed outside the control set or was made before the last successful boot, LKG will not help. In those cases, the next option to try is safe mode (described earlier in this section). If the system boots successfully in safe mode and you know that particular driver was causing the normal boot to fail, you can disable the driver by using the Device Manager (accessible from the Hardware tab of the System Control Panel item). To do so, select the driver in question and choose Disable from the Action menu. If you recently updated the driver, and believe that the update introduced a bug, you can choose to roll back the driver to its previous version instead, also with the Device Manager. To restore a driver to its previous version, double-click on the device to open its Properties dialog box and click Roll Back Driver on the Driver tab.

On systems with System Restore enabled, an option when LKG fails is to roll back all system state (as defined by System Restore) to a previous point in time. Safe mode detects the existence of restore points, and when they are present it will ask you whether you want to log on to the installation to perform a manual diagnosis and repair or launch the System Restore Wizard. Using System Restore to make a system bootable again is attractive when you know the cause of a problem and want the repair to be automatic or when you don’t know the cause but do not want to invest time to determine the cause.

If System Restore is not an option or you want to determine the cause of a crash during the normal boot and the system boots successfully in safe mode, attempt to obtain a boot log from the unsuccessful boot by pressing F8 to access the special boot menu and choosing the boot logging option. Session Manager (\Windows\System32\Smss.exe) saves a log of the boot that includes a record of device drivers that the system loaded and chose not to load to \Windows\ntbtlog.txt, so you’ll obtain a boot log if the crash or hang occurs after Session Manager initializes. When you reboot into safe mode, the system appends new entries to the existing boot log. Extract the portions of the log file that refer to the failed attempt and safe-mode boots into separate files. Strip out lines that contain the text “Did not load driver”, and then compare them with a text comparison tool such as Windiff. One by one, disable the drivers that loaded during the normal boot but not in the safe-mode boot until the system boots successfully again. (Then reenable the drivers that were not responsible for the problem.)
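The boot-log comparison described above can be scripted instead of done by hand in a diff tool. This is an added example, not code from the book: it splits the appended log into one section per boot, drops the “Did not load driver” lines, and lists the drivers that loaded in the failed normal boot but not in the safe-mode boot, in load order. The log text and the driver names examplenic.sys and examplefilter.sys are constructed, and a new section is assumed to begin at the first line that is not a driver entry.

```python
LOADED = "Loaded driver "
SKIPPED = "Did not load driver "

# Constructed ntbtlog.txt: a failed normal boot followed by a safe-mode boot.
SAMPLE_LOG = r"""Microsoft (R) Windows (R) Version 6.1 (Build 7600)
 8 21 2010 10:02:11.500
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\System32\drivers\disk.sys
Loaded driver \SystemRoot\System32\DRIVERS\examplenic.sys
Did not load driver \SystemRoot\System32\drivers\sacdrv.sys
Loaded driver \SystemRoot\System32\drivers\examplefilter.sys
Microsoft (R) Windows (R) Version 6.1 (Build 7600)
 8 21 2010 10:09:47.125
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\disk.sys
Did not load driver \SystemRoot\System32\DRIVERS\examplenic.sys
Did not load driver \SystemRoot\System32\drivers\examplefilter.sys
"""


def split_boots(text):
    """Split the log into one {'header': [...], 'loaded': [...]} dict per boot."""
    boots = []
    after_entries = True   # a header line seen now starts a new boot section
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADED) or line.startswith(SKIPPED):
            if not boots:                       # log fragment without a header
                boots.append({"header": [], "loaded": []})
            after_entries = True
            if line.startswith(LOADED):
                # Windows paths are case-insensitive, so compare in lower case.
                boots[-1]["loaded"].append(line[len(LOADED):].lower())
        else:
            if after_entries:
                boots.append({"header": [], "loaded": []})
                after_entries = False
            boots[-1]["header"].append(line)
    return boots


def normal_only_drivers(normal_boot, safe_boot):
    """Drivers loaded in the normal boot but not in safe mode, in load order."""
    safe = set(safe_boot["loaded"])
    seen, suspects = set(), []
    for driver in normal_boot["loaded"]:
        if driver not in safe and driver not in seen:
            seen.add(driver)
            suspects.append(driver)
    return suspects


def suspects_from_log(text):
    """Compare the last two boots: the failed normal boot, then the safe-mode boot."""
    boots = split_boots(text)
    if len(boots) < 2:
        raise ValueError("need a failed boot and a safe-mode boot in the log")
    return normal_only_drivers(boots[-2], boots[-1])


if __name__ == "__main__":
    for driver in suspects_from_log(SAMPLE_LOG):
        print("candidate to disable:", driver)
```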

If you cannot obtain a boot log from the normal boot (for instance, because the system is crashing before Session Manager initializes), if the system also crashes during the safe-mode boot, or if a comparison of boot logs from the normal and safe-mode boots does not reveal any significant differences (for example, when the driver that’s crashing the normal boot starts after Session Manager initializes), the next tool to try is the Driver Verifier combined with crash dump analysis.

Source of Information : Microsoft Press Windows Internals 5th Edition

Friday, 20 August 2010

Solving Common Boot Problems “Part I”

Posted on 10:41 by Unknown
This section describes problems that can occur during the boot process, describing their symptoms, causes, and approaches to solving them. To help you locate a problem that you might encounter, they are organized according to the place in the boot at which they occur. Note that for most of these problems, you should be able to simply boot into the Windows Recovery Environment and allow the Startup Repair tool to scan your system and perform any automated repair tasks.


MBR Corruption
• Symptoms: A system that has Master Boot Record (MBR) corruption will execute the BIOS power-on self test (POST), display BIOS version information or OEM branding, switch to a black screen, and then hang. Depending on the type of corruption the MBR has experienced, you might see one of the following messages: “Invalid partition table,” “Error loading operating system,” or “Missing operating system.”

• Cause: The MBR can become corrupt because of hard-disk errors, disk corruption as a result of a driver bug while Windows is running, or intentional scrambling as a result of a virus.

• Resolution: Boot into the Windows Recovery Environment, choose the Command Prompt option, and then execute the bootrec /fixmbr command. This command replaces the executable code in the MBR.
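
Because bootrec /fixmbr replaces only the executable code, it helps to know whether the damage sits in the boot code or in the partition table that shares the same sector. The following is an added example, not code from the original post; it relies on the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, a 0x55AA signature), and the sample sectors are constructed with filler bytes in place of real boot code.

```python
import struct

SECTOR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16  # classic MBR layout
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS first, type, CHS last, LBA start, sector count

def check_mbr(sector):
    """Separate boot-code damage from partition-table damage in a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    report = {"signature_ok": sector[510:512] == b"\x55\xaa",
              "code_problems": [], "table_problems": [], "partitions": []}
    if not any(sector[:TABLE_OFFSET]):
        report["code_problems"].append("boot code area is entirely zero")
    active = 0
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if status not in (0x00, 0x80):
            report["table_problems"].append(f"entry {i}: bad boot indicator 0x{status:02x}")
        if ptype == 0:
            continue  # unused slot
        active += status == 0x80
        if count == 0:
            report["table_problems"].append(f"entry {i}: zero-length partition")
        report["partitions"].append({"entry": i, "type": ptype, "lba_start": lba,
                                     "sectors": count, "active": status == 0x80})
    if active > 1:
        report["table_problems"].append("more than one active partition")
    elif report["partitions"] and active == 0:
        report["table_problems"].append("no active partition (a BIOS boot disk needs one)")
    return report

def sample_mbr(boot_code=b"\x90" * TABLE_OFFSET, statuses=(0x80, 0x00)):
    """Constructed test sector: filler bytes stand in for boot code, NTFS-type (0x07) entries."""
    table = b"".join(ENTRY.pack(s, b"\0" * 3, 0x07, b"\0" * 3, 2048 + i * 409600, 409600)
                     for i, s in enumerate(statuses))
    return boot_code + table.ljust(4 * ENTRY_SIZE, b"\0") + b"\x55\xaa"

HEALTHY = check_mbr(sample_mbr())
WIPED_CODE = check_mbr(sample_mbr(boot_code=bytes(TABLE_OFFSET)))   # code damage only
TWO_ACTIVE = check_mbr(sample_mbr(statuses=(0x80, 0x80)))           # table damage only
```

Entries under code_problems are the kind of damage the resolution above addresses; entries under table_problems mean the partition table itself needs attention, which replacing the boot code does not provide.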


Boot Sector Corruption
• Symptoms: Boot sector corruption can look like MBR corruption, where the system hangs after BIOS POST at a black screen, or you might see the messages “A disk read error occurred,” “BOOTMGR is missing,” or “BOOTMGR is compressed” displayed on a black screen.

• Cause: The boot sector can become corrupt because of hard-disk errors, disk corruption as a result of a driver bug while Windows is running, or intentional scrambling as a result of a virus.

• Resolution: Boot into the Windows Recovery Environment, choose the Command Prompt option, and then execute the bootrec /fixboot command. This command rewrites the boot sector of the volume that you specify. You should execute the command on both the system and boot volumes if they are different.


BCD Misconfiguration
• Symptom: After BIOS POST, you’ll see a message that begins “Windows could not start because of a computer disk hardware configuration problem,” “Could not read from selected boot disk,” or “Check boot path and disk hardware.”

• Cause: The BCD has been deleted, become corrupt, or no longer references the boot volume because the addition of a partition has changed the name of the volume.

• Resolution: Boot into the Windows Recovery Environment, choose the Command Prompt option, and then execute the bootrec /scanos and bootrec /rebuildbcd commands. These commands will scan each volume looking for Windows installations. When they discover an installation, they will ask you whether they should add it to the BCD as a boot option and what name should be displayed for the installation in the boot menu. For other kinds of BCD-related damage, you can also use Bcdedit.exe to perform tasks such as building a new BCD from scratch or cloning an existing good copy.


System File Corruption
• Symptoms: There are several ways the corruption of system files—which include executables, drivers, or DLLs—can manifest. One way is with a message on a black screen after BIOS POST that says, “Windows could not start because the following file is missing or corrupt,” followed by the name of a file and a request to reinstall the file. Another way is with a blue screen crash during the boot with the text, “STOP: 0xC0000135 {Unable to Locate Component}.”

• Causes: The volume on which a system file is located is corrupt or one or more system files have been deleted or become corrupt.

• Resolution: Boot into the Windows Recovery Environment, choose the Command Prompt option, and then execute the chkdsk command. Chkdsk will attempt to repair volume corruption. If Chkdsk does not report any problems, obtain a backup copy of the system file in question. One place to check is in the \Windows\winsxs\Backup directory, in which Windows places copies of many system files for access by Windows Resource Protection. (See the “Windows Resource Protection” sidebar.) If you cannot find a copy of the file there, see if you can locate a copy from another system in the network. Note that the backup file must be from the same service pack or hotfix as the file that you are replacing.

Source of Information : Microsoft Press Windows Internals 5th Edition