Defrag Tools: #22 - WinDbg - Memory Kernel Mode

[Nytro]

[h=1]Defrag Tools: #22 - WinDbg - Memory Kernel Mode[/h]By: Larry Larsen, Andrew Richards, Chad Beeder

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment goes over the commands used to show the memory used in a kernel mode debug session. We cover these commands:

• !vm
  
• !vm 1
  
• !memusage 8
  
• !poolused 2
  
• !poolused 4
  
• !poolfind <tag>
  
• !pool <addr>
  
• !pool <addr> 2
  
• !pte
  

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:

Microsoft Windows SDK for Windows 7 and .NET Framework 4

Sysinternals LiveKD

Sysinternals RAMMap

Timeline:

[00:45] - Sysinternals LiveKD debug of the machine

[01:47] - Virtual Memory summary (!vm 1)

[05:10] - Sysinternals LiveKD live kernel dump (livekd.exe -m -o kernel.dmp)

[09:30] - Sysinternals RAMMap

[11:10] - Memory List summary (!memusage 8)

[16:15] - Pool Usage by Non-Paged Pool (!poolused 2)

[20:16] - Pool Tags (c:\debuggers\triage\pooltag.txt)

[28:06] - Pool Usage by Paged Pool (!poolused 4)

[29:27] - Pool issues lead to Bugchecks

[34:00] - Find Pool by Address (!pool <addr>)

[36:05] - Find Pool by Tag (!poolfind <tag>)

[40:30] - Page Table Entry (PTE) and Page Frame Number (PFN) (!pte <addr>)

[42:45] - Sometimes it is a physical hardware failure

Video: Defrag Tools: #22 - WinDbg - Memory Kernel Mode | Defrag Tools | Channel 9