Posts

Showing posts from December, 2013

Happy New Year 2014 (Almost)

Well, as we all know, tomorrow is the first day of 2014: New Year's Day. I thought I would write a very quick blog post wishing all my readers a Happy New Year, just in case I don't have time to write one up tomorrow. Happy New Year!

Timeout Detection and Recovery (Stop 0x116) Internals

Stop 0x116 and Stop 0x117 are largely the same bugcheck. There is also Stop 0x119, which is related to the video scheduler causing problems. However, this blog post is going to look at the internals of Timeout Detection and Recovery, explain what this recovery process is, and show how it may lead to a Stop 0x116 or Stop 0x117 bugcheck. Beginning with Windows Vista, Microsoft introduced a new feature called TDR (Timeout Detection and Recovery) which, as the name suggests, enables drivers to recover from hardware time-outs instead of the system completely crashing. The GPU Scheduler first detects that a graphics task is taking longer than it should, and attempts to preempt this task and its associated thread. If the GPU Scheduler is unable to complete or preempt the task within the TDR timeout period, then the GPU is considered to be frozen, and the preparation for the recovery process begins. The GPU Scheduler then calls DxgkDdiResetFromTimeout, which informs the graphics driver th...

Advanced Debugging Tools

OllyDbg (V2.1) - This tool is mostly for examining malware and programs. I find the tool really useful, and the assembly view is very good too, especially when tracing JMPs. Download - OllyDbg 2.0
Hook Analyser (2.6) - Able to view application crashes in more detail, and hook onto running processes for malware analysis and debugging. Download - Hook Analyser Blog
WinCheck (8.50) - Able to view kernel data structures not available in WinDbg. Documentation - WinCheck Blog. Download - WinCheck KernelMode.Info forum

Tis' The Season To Be Sharing - Sharing and Mapping Memory

This blog post is going to look at sharing memory, control areas and section objects, and how to view information about these mechanisms. Let's begin by looking at the general concept of sharing physical memory between two processes. Process A and Process B both wish to use the same resource; this could be a library or some other kind of object. The pages used to map the shared resource do not cause any conflicts between the two processes, since each process retains its own private virtual address space, and furthermore the pages will be marked with protection flags such as copy-on-write and execute-only. The sharing mechanism is mostly driven by a special object used by the Memory Manager called a Section Object. This may also be referred to as a File Mapping Object. Section Objects are created by calling the CreateFileMapping function, either passing a file handle to back the Section Object, or passing INVALID_HANDLE_VALUE to use a page-file-backed region. The reasonin...

Physical Address Extension (PAE)

This blog post is going to explain the fundamentals and the internals of Physical Address Extension (PAE) on Windows. Physical Address Extension PAE mode enables x86 operating systems to address up to 64GB of physical memory (x86 processors), and 1,024GB on x64 when the processor is running in Legacy Mode, which is the same as running in x86 Protected Mode. The PDEs and PTEs are extended to 64 bits wide, and an extra layer is added called the Page Directory Pointer Table. CR3 then points to the address of this table instead of the Page Directory. We can check whether a system has the PAE bit enabled by checking bit 5 of the CR4 register. According to my dump file, my system has the PAE bit set. However, due to licensing restrictions set by Microsoft (because of compatibility issues with drivers), my operating system will still not address more than 4GB of RAM. Additionally, when PAE has been enabled for x64 processors, other features are also automatically enabled such ...

Where Did My Kernel Memory Dump Go?

Okay, this is going to be a very short blog post about a common problem with Kernel Memory Dumps not being saved: despite your efforts to follow all the instructions listed in this Sysnative Tutorial, Windows still doesn't seem to be saving your Kernel Memory Dumps. So what's the problem? The answer lies within the registry. According to customer service feedback, many users were complaining about Kernel Memory Dumps using up their hard drive space. For the average user, unless they are receiving support on a forum, these Kernel Memory Dumps are valueless, so a registry key called AlwaysKeepMemoryDump was created to address this issue, and you will need to create it yourself. If this registry key is set to 1, then Kernel Memory Dumps will always be saved regardless. The highlighted key shows the maximum number of Minidumps which will be created. Reference: Kernel dump storage and clean up behavior in Windows 7

Translation Lookaside Buffer (TLB) and Look Aside Lists

TLB Cache
The TLB Cache is a key part of the performance of Virtual to Physical Address Translation. Its main purpose is to improve the performance of Virtual Address Translation. All modern CPUs and their MMUs (Memory Management Units) support the use of the TLB. An important aspect to understand is the difference between a TLB Hit and a TLB Miss. When a Virtual Address is accessed and then looked up, the TLB Cache is checked first to see if the Virtual-to-Physical Address mapping is present; if so, a TLB Hit occurs. On the other hand, if the address isn't present, then a TLB Miss occurs and the MMU is forced to execute a Page Walk, which is the process of looking through the Page Tables as discussed in my previous blog posts. Once the Page Walk has completed and the physical address is found, this information is loaded into the TLB Cache. If the Page Walk is unsuccessful, then a Page Fault is raised, and the Virtual to Physical Address Mapping is cre...

Virtual to Physical Address Translation (Part 3)

All the pages resident in physical memory are managed by the PFN Database or Page Frame Number Database. The PFN is used to describe the page state of each page, and the number of references to this page.
Page States
The page states can be found in an enumeration called _MMLISTS:
Zeroed - The page is free and already contains zeros, or has been freed and is being zeroed.
Free - The page is free, but may still contain data since the Dirty bit may not have been set; therefore these pages are zeroed before being marked as a user page for user-mode processes.
Standby - The page has recently been removed from the working set of a process, and as a result is currently in Transition. The page hasn't been written to or modified since removal and transfer to the hard disk, but the (Invalid) PTE may still refer to the physical page.
Modified - The page has recently been removed from the working set of a process, but has been written to and modified before it was written to th...

Virtual to Physical Address Translation (Part 2)

The second part is going to concern the paging structure on x86 and x64, and how virtual memory addresses and physical memory addresses are mapped according to this structure. The third part will look at how physical memory is managed with the PFN database.
Hardware PTEs and Paging Structure
A virtual address on an x86 system is divided into three different parts: Page Directory Index (10 bits); Page Table Index (10 bits) and the Byte Index (12 bits). The image above shows how these relate to the general page table structure. The Page Directory Index shows the address of the page table in which the desired PTE is located. The Page Table Index indicates the address of the PTE within the Page Table, and the Byte Index is used to find the correct physical page to which the PTE is mapped. Before we go on to briefly explain the x64 version, and go into greater depth about each part of the translation process, let's quickly discuss how to find the Page Directory addres...