4. Projects
• www.wioski.com – Free replacement for SteadyState
• www.adminize.com – Getting rid of admin rights and providing one-time admin passwords
• www.getabrandnewpassword.com – Free and safe password cracker… I mean changer
• idealinfra.blogspot.com – My blog
6. Housekeeping
• I will give away one free course attendance as promised, so leave your business card to participate. The winner will be notified afterwards, so be sure your card has your email address.
• After the session I will stick around for questions and to give away a few T-shirts
7. Agenda
• Baselines and tools for troubleshooting
• Error messages
• User accounts in troubleshooting
• Prelogon diagnostics
• Services
• Processes and threads
• Safe mode etc. in Windows 8.1
• BSOD in Windows 8.1
9. Baselines
• I always teach people that the logic in troubleshooting Windows is that there is no logic
• System vs. Boot partition
• System32 vs. SysWOW64
• bowser vs. browser
• AFD
• Hive
10. Tools
• You always need at least:
  • Sysinternals Tools
    • Sysinternals Suite or http://live.sysinternals.com/
  • Debugging Tools
    • Not so much for debugging but for supporting Sysinternals Tools
  • Message Analyzer
    • Windows 7/8 can capture traces without it with NETSH TRACE
    • Windows 8.1 is the first to support remote network monitoring
18. SYSTEM vs. Admin
• SYSTEM
  • Has more user privileges than Administrator (even the built-in one)
  • Doesn’t need to worry about policies
  • Can see stuff Admin can’t
  • Can stop processes Admin can’t
  • Has a higher integrity level than Administrator
20. Mandatory Integrity Control to blame?
• In Windows Vista+, if you don’t have access to a file and you are sure you should:
  1. TAKEOWN.exe
  2. icacls /setintegritylevel
25. Basic info on logon?
• Event logs are a good start, but to do BlackBelt troubleshooting you need:
  • The SYSTEM account to diagnose what happens before logon
  • Session 0 to diagnose what happens during logon
26. Building from the ground up - Prelogon
• What happens before logon and how to diagnose it
• Slow logons, startup script problems, inability to logon…
• Windows has three accounts that never log off
  • SYSTEM, Local Service and Network Service
32. Background services
• Services not starting/running in Windows 8.1
• Basics: it’s a security issue or something else
  • Security
    • Security log, Secpol.msc, Process Explorer, Process Monitor
  • Something else
    • Process Monitor
40. Processes and threads
• In Windows a process can’t really do anything
  • Task Manager only shows processes…
• Threads can actually do something
• Search engines probably know the answer to your question, so the real problem with them is noise
• How to get rid of noise?
  • Make your searches more accurate
  • Make sure you get results from people who have at least a clue about what they’re doing
  • Learn to diagnose threads instead of processes
41. Case – Hung virtual machine
• VM totally stuck…
• Task Manager looks like this
42. Case – Hung virtual machine
• Task Manager shows that SYSTEM is causing the problem…
43. Case – Hung virtual machine
• Process Explorer shows threads!
44. Case – Hung virtual machine
• Removed the virtual floppy because it was pointing to a nonexistent file
52. Changes in BSOD in Windows 8
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl

Dump type               Value
None                    0x0
Complete memory dump    0x1
Kernel memory dump      0x2
Small memory dump       0x3
Automatic memory dump   0x7
53. Make sure you are able to crash when needed!
• http://support.microsoft.com/kb/244139
55. Basics of BSOD analysis
• Install Debugging Tools
• Set the system-wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
  • http://support.microsoft.com/kb/311503
• Use WinDbg > Open Crash Dump or DaRT’s Memory Dump Analyzer
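Slides 52 to 55 together describe three things a machine needs before a BSOD can be diagnosed: a dump type that is not "None", a way to force a crash when needed (KB244139), and a system-wide symbol path (KB311503). The following added example (not from the original deck) audits all three from an elevated PowerShell session; the registry value names CrashDumpEnabled and CrashOnCtrlScroll are the documented Microsoft names and do not appear on the slides.

```powershell
# Added example, not part of the original presentation. Run elevated on Windows 8.1+.
# Dump type codes from slide 52 (CrashDumpEnabled under CrashControl).
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump'
    7 = 'Automatic memory dump'   # default since Windows 8
}

function Get-CrashReadiness {
    $cc   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $type = [int]$cc.CrashDumpEnabled

    # KB244139: a keyboard-triggered crash requires CrashOnCtrlScroll = 1 under the
    # keyboard driver's Parameters key (i8042prt for PS/2, kbdhid for USB keyboards).
    $kbdKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',
               'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
    $kbdCrash = $false
    foreach ($k in $kbdKeys) {
        $v = Get-ItemProperty -Path $k -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
        if ($v -and $v.CrashOnCtrlScroll -eq 1) { $kbdCrash = $true }
    }

    # KB311503: WinDbg needs _NT_SYMBOL_PATH at machine scope to resolve Microsoft symbols.
    $symPath = [Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', 'Machine')

    [pscustomobject]@{
        DumpType           = if ($dumpTypes.ContainsKey($type)) { $dumpTypes[$type] }
                             else { 'Unknown (0x{0:X})' -f $type }
        DumpFile           = $cc.DumpFile
        DumpEnabled        = ($type -ne 0)
        KeyboardCrashReady = $kbdCrash
        SymbolPathSet      = -not [string]::IsNullOrEmpty($symPath)
        SymbolPath         = $symPath
    }
}

Get-CrashReadiness | Format-List
```

Any `False` in DumpEnabled, KeyboardCrashReady or SymbolPathSet means the corresponding slide's step is still missing on that machine.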
56. Please evaluate the session before you leave
• Enroll in my free newsletter at: http://eepurl.com/F-GOj
• T-shirts? Be quick! Remember business cards!!