Defrag Tools (HD) - Channel 9

by Microsoft

Episodes

Defrag Tools #202 - InfoSec with Paula Januszkiewicz

by Microsoft

In this episode of Defrag Tools, Paula Januszkiewicz from CQURE joins us to discuss Information Security (InfoSec).

We talk about what InfoSec is, how to get started, what the role entails, and how the profession is evolving.

Twitter: @PaulaCqure

Paula on Channel 9

Defrag Tools #201 - Game Show Part 2

by Microsoft

To celebrate the 200th episode of Defrag Tools, three Microsoft Legends join us in the Channel 9 Studios, with a live studio audience, for a Game Show!

Questions range from campus trivia, all the way through to obscure command switches.

Raymond Chen, KC Lemson and Larry Osterman have all been at Microsoft for decades and have many stories to tell... so many that we needed two parts. So you don't have to wait, both parts are available for binging straight away!

Raymond Chen

KC Lemson

Larry Osterman

Defrag Tools #200 - Game Show Part 1

by Microsoft

To celebrate the 200th episode of Defrag Tools, three Microsoft Legends join us in the Channel 9 Studios, with a live studio audience, for a Game Show!

Questions range from campus trivia, all the way through to obscure command switches.

Raymond Chen, KC Lemson and Larry Osterman have all been at Microsoft for decades and have many stories to tell... so many that we needed two parts. So you don't have to wait, both parts are available for binging straight away!

Raymond Chen

KC Lemson

Larry Osterman

Defrag Tools #199 - Desktop App Assure

by Microsoft

In this episode of Defrag Tools, Chris Jackson, the "App Compat Guy" (@appcompatguy), joins us to discuss Windows Desktop App Assure - a program for eligible customers and partners to access FastTrack Specialists who provide advisory and remediation guidance on deploying Windows 10 and Office 365 ProPlus - notably Application Compatibility.

We delve into some examples that the program has diagnosed and show some of the tools the specialists (and you) can use to determine the root cause.

Defrag Tools #198 - AaronLocker

by Microsoft

In this episode of Defrag Tools, Aaron Margosis joins us to discuss AaronLocker - a set of scripts that help you configure AppLocker. AppLocker restricts application execution, auditing or protecting your system from unwanted/malicious software.

We delve into the abilities of AppLocker, what the AaronLocker scripts automate, and see what it looks like when an application is blocked.

Defrag Tools #197 - Windows Defender ATP

by Microsoft

In this episode of Defrag Tools, Chris Jackson, the "App Compat Guy" (@appcompatguy), joins us to discuss Windows Defender Advanced Threat Protection (ATP) - a unified platform for preventative protection, post-breach detection, automated investigation, and response.

Defender ATP can be used to automatically investigate alerts and remediate complex threats in minutes.

We delve into the Windows Defender Security Center, and perform Kusto queries to discover security events for the associated enterprise. Start a trial here.

Defrag Tools #196 - Windows Defender Application Guard

by Microsoft

In this episode of Defrag Tools, we discuss Windows Defender Application Guard, a great security feature in the Edge browser which allows you to easily run browser sessions in a virtual machine.

Defrag Tools #195 - Console Command Favorites

by Microsoft

In this episode of Defrag Tools, we geek out on our favorite Command Prompt commands.

Commands covered:

where.exe - Where

Shows where an executable/script is on the PATH environment variable

  • where notepad.exe

ipconfig.exe - IP Configuration

IP Address Configuration - Basic

  • ipconfig

IP Address Configuration - Advanced/All

  • ipconfig /all

IP Address Renewal/Reset

  • ipconfig /flushdns
  • ipconfig /release
  • ipconfig /renew
  • ipconfig /registerdns

findstr.exe - Find String

  • /s - Sub Directories
  • /n - Line Number
  • /p - Search Pattern. e.g. Foo*Bar to match: Footastic Barcode
  • /c - Escaped characters. e.g. /c:"\"Foo\" Bar" to find the text: "Foo" Bar

Contact us at defragtools@microsoft.com and/or @defragtools

Defrag Tools #194 - Windows Upgrade - Application and Device Inventory Files

by Microsoft

In this episode of Defrag Tools, we continue talking about the Windows Upgrade Log files.

We delve into the Application and Device Inventory Files, that describe application compatibility issues between OS Releases.

The logs pre/post upgrade can be found in:

  • \$Windows.~bt\sources\panther
  • \$Windows.~bt\Sources\Rollback
  • \Windows\Panther
  • \Windows\Panther\NewOS

You can review the logs manually, or use SetupDiag.

Contact us at defragtools@microsoft.com and/or @defragtools

Defrag Tools #193 - Windows Upgrade Logs

by Microsoft

In this episode of Defrag Tools, we talk about the Windows Upgrade Log files.

The "Panther" logs track the installation of a Windows Upgrade. The logs contain Information, Warnings and Errors. Not all errors are fatal; the trick is to look at only the (last) fatal error if an upgrade fails.

The logs pre/post upgrade can be found in:

  • \$Windows.~bt\sources\panther
  • \$Windows.~bt\Sources\Rollback
  • \Windows\Panther
  • \Windows\Panther\NewOS

You can review the logs manually, or use SetupDiag.

In the next episode, we'll dive deep into the logs when there is an application migration issue.

Contact us at defragtools@microsoft.com and/or @defragtools

Defrag Tools #192 - Windows Update and Windows Upgrade

by Microsoft

In this episode of Defrag Tools, we talk about Windows Update and Windows Setup. We describe the different technologies, what each does to download the software, prepare the installation, and finish the installation.

In the next episode, we'll dive deep into the logs, showing you how to troubleshoot an installation issue.


Defrag Tools #191 - HRESULT Error Codes

by Microsoft

In this episode of Defrag Tools, we talk about HRESULT-based Error Codes. The 32 bits in the HRESULT have meanings, allowing the reader to gain additional insights into the error.

Of note:

  • The 32nd bit (the top bit, bit 31) indicates whether an error occurred. This is why error values are 0x8xxxxxxx.
  • Bits 16-26 are the Facility - the originating API (Win32, CLR, XAML, etc.).
  • Bits 0-15 are the (Error) Code.

Common NULL Facility Error Codes

Name            Description                                     Value
S_OK            Operation successful                            0x00000000
S_FALSE         Operation successful but returned no results    0x00000001
E_ABORT         Operation aborted                               0x80004004
E_FAIL          Unspecified failure                             0x80004005
E_NOINTERFACE   No such interface supported                     0x80004002
E_NOTIMPL       Not implemented                                 0x80004001
E_POINTER       Pointer that is not valid                       0x80004003
E_UNEXPECTED    Unexpected failure                              0x8000FFFF

Common Win32 Facility Error Codes

These are built by passing a Win32 System Error Code to HRESULT_FROM_WIN32.

Name            Description                                     Value
E_ACCESSDENIED  General access denied error                     0x80070005
E_HANDLE        Handle that is not valid                        0x80070006
E_INVALIDARG    One or more arguments are not valid             0x80070057
E_OUTOFMEMORY   Failed to allocate necessary memory             0x8007000E

Related Links:

HRESULT
HRESULT Facility – By Value
HRESULT Facility – By Name

Defrag Tools #190 - Performance Power Slider

by Microsoft

In this episode of Defrag Tools, Chad Beeder is joined by Jorge Novillo and Ojasvi Choudhary to discuss the Performance Power Slider in Windows 10. We discuss how it works, how hardware partners can customize it, and how users can adjust some of its settings.

Related Links:

  • Overview & how to customize the default Perf Power Slider position

Timeline:

[00:00] Overview of the Performance Power Slider
[02:54] Performance Power Slider on AC and DC power
[04:02] Requirements to view the Performance Power Slider
[04:49] Behind the scenes of the Performance Power Slider
[07:22] Querying the custom processor settings
[09:13] Power throttling user controls
[14:14] How OEMs can customize the Performance Power Slider
[19:25] Questions? Email us at defragtools@microsoft.com

Defrag Tools #189 - Inside Show

by Microsoft

Announcing the Inside Show, the show that takes you inside Windows!

Inside covers Windows Features, Windows Internals, Exception Codes, Bugcheck Codes and Debugger Commands. Each episode is just 5 minutes, with no specific order between episodes. Watch the Welcome video!

For longer topics (15-30min), we'll continue to cover them on Defrag Tools in 1 or more parts.

Email questions, comments and requests to InsideShow@microsoft.com and DefragTools@microsoft.com

Defrag Tools #188 - Cyber Monday - What tech to buy?

by Microsoft

In this episode of Defrag Tools, Chad Beeder and Andrew Richards talk about what tech you could buy on Cyber Monday.

We talk about USB Sticks, USB Cables, MicroSD Readers, International Power Adapters, Charging Stations, UPS Backup, Network Testers, Memory Sticks, Disk Drives, Drive adapters, Xbox Live, Xbox Game Pass, ... and many more things.

For Intel Product Specs (to determine supported RAM, etc.), refer to http://ark.intel.com

(Apologies for Andrew's poor voice)

Defrag Tools #187 - Ninjacat Unicorn

by Microsoft

In this episode of Defrag Tools, Chad Beeder and Andrew Richards talk to Marc Goodner and Reid Borsuk about the maker community at Microsoft, and the cool Ninjacat statue they built. Make sure to watch to the end to see all of its, shall we say... special features!


Defrag Tools #186 - Time Travel Debugging - Advanced

by Microsoft

In this episode of Defrag Tools, Andrew Richards is joined by JCAB (Juan Carlos Arevalo Baeza) and Jordi Mola from the Windows Debugger team to demonstrate some more advanced usage of a new feature of WinDbg Preview: Time Travel Debugging (TTD).

Related Links:

WinDbg Preview (download from Microsoft Store)
Time Travel Debugging Overview (Online documentation)
Debugging Tools for Windows Blog
Time Travel Debugging FAQ

Timeline:
[00:00] Introductions
[01:07] Seeing a memory corruption crash in the Chakra Core when running a script. Difficult to debug!
[05:33] Now reproduce the same crash while recording a Time Travel Debugging trace
[07:06] Looking at the TTD trace with unoptimized code
[07:55] Use the !events command to list interesting events and exceptions in the trace and jump to them
[11:43] Found the corrupt memory, step backwards to figure out where it came from.
[13:15] Identifying the memory location containing a bad value with dx command, and setting a data breakpoint (with ba) to see who previously wrote to it.
[17:37] Getting closer. Keep following the trail backwards...
[19:29] Found where the bad value came from!
[21:08] Another use case: Find where a value is bad and track it back from there with a binary search (use !tt with a percentage value to jump to locations in the trace)
[22:09] Second demo: Looking at the same crash but with optimized production code.
[25:09] Exceptions will be hit when running the trace either forward or backward.
[26:54] To give feedback on WinDbg Preview, use the Feedback Hub.


Defrag Tools #185 - Time Travel Debugging - Introduction

by Microsoft

In this episode of Defrag Tools, Chad Beeder is joined by James Pinkerton and Ivette Carreras to introduce a new feature of WinDbg Preview: Time Travel Debugging (TTD).

Related Links:

WinDbg Preview (download from Microsoft Store)
Time Travel Debugging Overview (Online documentation)
Debugging Tools for Windows Blog
Time Travel Debugging FAQ

Timeline:
[00:00] Introductions
[00:54] Introducing Time Travel Debugging (TTD)
[05:06] Tracing
[07:33] Debugging Forwards
[09:23] Debugging Backwards!
[13:31] Data is available
[17:20] Great for Customer Support
[19:11] Email us at defragtools@microsoft.com

Defrag Tools #183 - WinDbg Preview Part 2

by Microsoft

In this episode of Defrag Tools, Chad Beeder is joined by Nickolay Ratchev and Tim Misiak to show off some features of WinDbg Preview, a new version of the WinDbg tool.

Also see our previous episode, if you missed it: Defrag Tools #182 - WinDbg Preview Part 1

Related Links:

WinDbg Preview (download from Microsoft Store)
Documentation for WinDbg Preview (Dev Center)
Announcement blog post

Timeline:

[00:00] Welcome and introductions
[00:42] Recent targets - every debugging session is saved for easy access next time
[01:44] New features of the locals window and watch window: Use LINQ expressions
[03:22] Model window allows different views (i.e. grid)
[04:05] Demo: Use a NatVis script to modify how data is shown in the Model window. JavaScript supported as well.
[06:00] New interactions between windows, new features in Command window... better copy & paste
[08:15] Right-click to search on MSDN
[08:58] Use the Feedback Hub for bug reports and feature requests!

Defrag Tools #182 - WinDbg Preview Part 1

by Microsoft

In this episode of Defrag Tools, Chad Beeder is joined by Tim Misiak and Andy Luhrs to introduce WinDbg Preview, a new version of the WinDbg tool.

Also see our followup episode: Defrag Tools #183 - WinDbg Preview Part 2

Related Links:

WinDbg Preview (download from Microsoft Store)
Documentation for WinDbg Preview (Dev Center)
Announcement blog post

Timeline:

[00:00] Welcome and introductions
[00:32] All new shell, and it's available as a Store app
[01:17] Yes, all your old debugging commands and extensions still work
[02:06] New features enabled by the debugger data model (for more on this topic, see Defrag Tools Episode #138 and Episode #139)
[03:24] Use the Feedback Hub to help us make it better
[04:17] All new UI. (Ribbon, relaunch recent sessions, new windowing system, dark theme)
[07:05] Watch window, locals window, etc., can all use the new debugger data model
[08:13] New script window - makes it easy to write NatVis and JavaScript visualizations
[08:50] WinDbg Preview is a work in progress! Expect frequent updates.

Defrag Tools #181 - System Power Report

by Microsoft

In this episode of Defrag Tools, Chad Beeder and Andrew Richards are joined by Paresh Maisuria from the Windows Kernel Power team and Zach Holmes from the Fundamentals team to talk about System Power Report, a new feature in Windows 10 Creators Update.

Related links:
Defrag Tools #168 - Powercfg Sleep Study (older version of this tool)
Defrag Tools #157 - Energy Estimation Engine (E3) (the framework used for estimating power usage)

Timeline:

[00:00] Welcome and introductions
[00:30] This is an updated and expanded version of a feature previously called Sleep Study. Now it covers everything related to power, not just details of modern standby states.
[02:55] You can still run it with powercfg /sleepstudy (for backwards compatibility) - but the new command is powercfg /systempowerreport, or powercfg /spr
[04:08] Opening up the generated report - lots more data than in the old Sleep Study report.
[05:32] Looking at an active session: How much battery power was used, and by what? What was the screen brightness? Which apps used the most power?
[09:40] Why some power usage gets attributed to "Unknown"
[15:00] Unlike the old Sleep Study report, the System Power Report even gives useful info on traditional standby (S3) systems.
[16:40] Looking at a standby session: You can tell why a system went into standby, and why it woke up. Also lots of other stats, like how long it took to hibernate, etc.
[20:27] The report also contains an "expert tab" which contains data about the battery design capacity, current capacity, and health
[23:18] Bugchecks are also logged in the report (including the parameters).
[24:35] Still has all the details on a modern standby system (like in the old Sleep Study report). But enhanced. Now we have better instrumentation to track why a system got woken from standby.
[27:58] Of interest to OEMs and hardware engineers: We track power usage data for the SoC (System on a Chip) subsystems. Can give you the first indication of where to look further if power usage is too high.

Email us at defragtools@microsoft.com

Defrag Tools #180 - Active Memory Dump

by Microsoft

In this episode of Defrag Tools, Graham McIntyre joins Andrew Richards and Chad Beeder to talk about the new Active Memory Dump type. This new kernel dump size replaces the Complete Memory Dump type and, although much smaller, is equally useful.


Defrag Tools #179 - Manually Generating a Crash Dump

by Microsoft

In this episode of Defrag Tools, Andrew Richards and Chad Beeder walk through the process of manually creating a full memory dump via the keyboard. This is useful when you want to capture the state of the operating system. For example, to debug a hang.

Resources:

Forcing a System Crash from the Keyboard 

Registry files (.reg) demonstrated in this episode are on the Defrag Tools OneDrive share (ManualCrashRegistrySettings.zip)

PCI Express Dump Switch Card (if you need to use the NMI method)

PCIe NMI card

Timeline:

[00:00] Welcome and Intro
[00:57] When would you need to manually force a crash dump?
[02:42] Typically you'll want to get a Complete Memory Dump
[05:57] ...which also requires you to set a large enough page file on the C: drive (RAM size plus some additional)
[08:00] Setting up manual crash dump via CrashOnCtrlScroll (if your keyboard has a ScrollLock key)
[13:20] Discussion of keyboards and keyboard scan codes. The old Peter Norton "pink shirt" book still comes through for this!
Keyboard Scan Codes
[16:55] Once you know the scan code, you can use the Dump1Keys and Dump2Key registry settings to choose your own keyboard combo. Make sure not to use CrashOnCtrlScroll at the same time!
[25:04] The big guns: If a system is hung badly enough that keyboard crash doesn't work, you can try CrashOnNMI. Usually requires special hardware like a PCIe NMI card.
[28:34] Looking at the memory dump we just created. Bugcheck 0xE2: MANUALLY_INITIATED_CRASH

Defrag Tools #178 - Sysinternals ProcDump v9.0

by Microsoft

In this episode of Defrag Tools, Andrew Richards and Chad Beeder talk about the new features of Sysinternals ProcDump v9.0.

Multiple Dumps per trigger in multiple Dump Sizes:

  • -mm Write a 'Mini' dump file. (default) Includes the Process, Thread, Module, Handle and Address Space info
  • -ma Write a 'Full' dump file. Includes All the Image, Mapped and Private memory
  • -mp Write a 'MiniPlus' dump file. Includes all Private memory and all Read/Write Image or Mapped memory. To minimize size, the largest Private memory area over 512MB is excluded. A memory area is defined as the sum of same-sized memory allocations. The dump is as detailed as a Full dump but 10%-75% the size. Note: CLR processes are dumped as Full (-ma) due to debugging limitations
  • -mc Write a 'Custom' dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex).
  • -md Write a 'Callback' dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL
  • -mk Also write a 'Kernel' dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size

Kernel Dump Support:

Complete Thread Stack – Kernel & User

  • Open the User and Kernel Dumps in separate debuggers
  • Match the TIDs from the User Dump, with the TIDs from the Kernel Dump, to get the entire stack
  • Awesome tool for hang debugging!

Debugging the Kernel Dump

  • Dump includes the kernel stack (memory) of every thread in the process (Running, Ready or Idle)
  • Dump has the Process PID and each Thread TID. There is no PEB or TEB information.
  • View the Kernel Call Stack for each Thread in the Process:

!process -1 17

Debugging the User Dump

  • View the User Call Stack for each Thread in the Process (e.g.):

~*k
!pde.deep