Inside Show - Channel 9

The Windows-X menu provides a rich launch experience into the troubleshooting tools of Windows, including Power Options, Event Viewer, System (also Win-Pause), Device Manager, Network Connections, Disk Management, Computer Management and Command Prompts. Each entry is (quickly) reviewed.

The defaults for WinDbg (font, window layout, etc.) can be set by running WinDbg without a dump file. You configure your preferred look-and-feel and then use File | Save Workspace. We go over our preferences, of note, the colorization of output, and the rendering of tabs as 4 spaces.

The (Windows) Event Viewer shows the event of the system. The "Windows Logs" section contains (of note) the Application, Security and System logs - which have existed since Windows NT 3.1. Event Tracing for Windows (ETW) providers are displayed in the "Applications and Services Log" tree. Logging for individual components can be view, enabled/disabled - and are a great place to start troubleshooting a component.

The (Windows) Task Manager allows a user to view the performance of the system. It contains views that show the overall performance, and the performance per Package/Process. It also shows the currently logged on Users and Services of the computer. These can be controlled by an Administrator.

The (Windows) Device Manager allows a user to view the hardware on the computer. You can use it to installed/update/remove the drivers for the device. The devices can be viewed by Type (e.g. Display adapter, Network adapter, etc.) or Connection (the tree of buses that activates the device).

The !teb extension displays a formatted view of the information in the thread environment block (TEB). The TEB contains information such as the Stack Memory Limits and Last Error/Status Codes.

The !peb extension displays a formatted view of the information in the process environment block (PEB). The PEB contains information such as Process Name, Module List, Environment Variables, Command Line, and many more process level things.

Commands to display Bugcheck Secondary Dump Data. Microsoft Docs: .enumtag (Enumerate Secondary Callback Data)!pde.tagsBugCheckSecondaryDumpDataCallback routine!ext.blackbox*!sysinfo smbios!sysinfo registers

The 32bits in an HRESULT error code have meanings, allowing the reader to gain additional insights into the error. Of note: The 32nd bit (the top bit) indicates if an error occurred or not. This is why errors are 0x8xxxxxxx.The 16-26 bits are the Facility - the originating API (Win32, CLR, XAML, etc.).The 0-15 bits are the (Error) Code. Common NULL Facility Error Codes NameDescriptionValueS_OKOperation successful0x00000000S_FALSEOperation successful but returned no results0x00000001E_ABORTOperation aborted0x80004004E_FAILUnspecified failure0x80004005E_NOINTERFACENo such interface supported0x80004002E_NOTIMPLNot implemented0x80004001E_POINTERPointer that is not valid0x80004003E_UNEXPECTEDUnexpected failure0x8000FFFFCommon Win32 Facility Error Codes These are built by passing a System Error Code to HRESULT_FROM_WIN32 NameDescriptionValueE_ACCESSDENIEDGeneral access denied error0x80070005E_HANDLEHandle that is not valid0x80070006E_INVALIDARGOne or more arguments are not valid0x80070057E_OUTOFMEMORYFailed to allocate necessary memory0x8007000ERelated Links: HRESULTHRESULT Facility – By ValueHRESULT Facility – By Name

An Execute Access Violation occurs when the application attempts to execute code from a memory address that is invalid. To be valid, the memory page must have a valid state, protection and type. The memory must be in the MEM_COMMIT state. The memory can be of any type; MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE. The vast majority is MEM_IMAGE. MEM_PRIVATE is used for Just-in-Time (JIT) code - the main example being JavaScript. The protection of the memory must be PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. The vast majority is PAGE_EXECUTE_READ. PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY are rare and can be considered dangerous, as code can be modified (injected). To view the state, protection and type of the address, use !address Be sure to reference the current values; not the allocation valuesEach memory page region (minimum 4K) tracks both the initial protection value at allocation, and the current protection value, as set by the VirtualProtect family of functions.The violation is detected by the processor via Data Execution Protection. The memory address may be invalid because of one of these common scenarios: Stack Corruption - the return address of a call is pushed on the stack. Local variables are next to this location. If a local has a buffer overrun, the return address is corrupted.DLL Reference Counting - the address was valid, but is now being accessed after the DLL has been unloadedBit-Flip - RAM (hardware) issue where one or more bits have flipped (rare)Additional Resources: Inside - Access ViolationInside - Access Violation C0000005 - Read or WriteInside - Windows SDKMSDN - Memory Protection ConstantsMSDN - MEMORY_BASIC_INFORMATION structureMSDN - Data Execution Protection