SETUP INSTRUCTIONS FOR WINDOWS OS INTERNALS LABS
Send questions to daves@solsem.com
BASIC SETUP:
- Any supported 32-bit or 64-bit Windows installation (XP, Server 2003, Vista,
or Server 2008)
- One computer can be shared by 2 students, but 1 per student is better
- The account that you will log into must be a member of the local
administrators group
- NOTE: Labs are nondestructive (except one lab in the crash dump analysis
section, which you can choose to skip during class), but can be done in a
virtual machine if you prefer
TOOLS SETUP:
- Install the Debugging Tools for Windows.
Public location:
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
Microsoft internal location:
http://dbg (we advise using the latest released version)
- Download and unzip the Sysinternals tools suite (this is a single zip
file with the majority of the Sysinternals tools). The class notes assume
they are unzipped to c:\sysint, but you can put them anywhere you choose:
http://www.microsoft.com/technet/sysinternals/utilities/sysinternalssuite.mspx
- Download and unzip to c:\sysint the BlueScreen screen saver (the one tool
not included in the Sysinternals Suite):
http://www.microsoft.com/technet/sysinternals/Utilities/BlueScreen.mspx
- Download and unzip to c:\sysint the tools that are referenced by the
book Windows Internals:
http://download.sysinternals.com/Files/Notmyfault.zip
http://download.sysinternals.com/Files/Testlimit.zip
http://download.sysinternals.com/Files/Accvio.zip
- Download http://www.solsem.com/solsem.zip into c:\solsem (these are additional
files and tools used for various demonstrations and labs)
- Copy Kernrate.* from \Solsem\x86 or \Solsem\x64 to the Debugging Tools
folder:
Public install: %ProgramFiles%\Debugging Tools for Windows
MS internal install: %SystemDrive%\Debuggers
- If you are running Vista or later, download these tools
by Alex Ionescu and unzip into c:\solsem
(note: these tools do not run on XP or 2003):
http://www.winsiderss.com/tools/meminfo/meminfo.zip - displays memory usage
http://www.winsiderss.com/tools/sctagquery/sctagqry.zip - displays
service tag
- Download Dependency Walker from www.dependencywalker.com into c:\sysint
(you may already have this tool on your system)
- Go to the Startup and Recovery settings (right click on Computer, click
Advanced system settings, on the Advanced tab click "Settings" under Startup
and Recovery). Uncheck "Automatically restart" and make sure the dump type is
"Kernel memory dump" (not "Small memory dump"/minidump).
- Add a system-wide environment variable for the symbol path:
- Right click on My Computer->Properties, click on the Advanced tab
- Press the "Environment variables" button
- Press the "New" button under the System Variables section and enter:
Variable name: _NT_SYMBOL_PATH (written in upper case)
Value for non-Microsoft employees:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Value for Microsoft employees:
srv*c:\symbols*\\symbols\symbols
Or on Vista/2008 you can use the new SETX command from an elevated command
prompt (the /M switch writes the variable at machine scope; programs that are
already running will not see it until they are restarted):
Public symbol server:
setx _NT_SYMBOL_PATH "srv*c:\symbols*http://msdl.microsoft.com/download/symbols" /M
Microsoft-internal symbol server (for Microsoft employees):
setx _NT_SYMBOL_PATH "srv*c:\symbols*\\symbols\symbols" /M
NOTE: It is not necessary to download and install the symbol packages -
please use the symbol server (configured above) to automatically download
symbols as needed. For more information on symbols, see
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx
(or for MS internal, http://dbg)
- If XP 32-bit (5.1 kernel) or earlier, run Gflags (in the Debugging Tools
folder), check "Enable pool tagging", press Apply, then OK, and reboot (not
necessary for XP 64-bit, Server 2003, Vista, or Server 2008, where pool
tagging is always on).
- Enable crash from keyboard (works with PS/2 keyboards only; it does not
work with USB keyboards). Run one of the two .REG files in Solsem.zip:
- crashon-rightctrl-scrlk-scrlk.reg (default keystroke sequence: hold down
the right Ctrl key and press Scroll Lock twice)
- crashon-right-alt-space-space.reg (alternate choice: hold down the right
Alt key and press the space bar twice)
For details, see the Microsoft Knowledge Base article on generating a
memory dump from the keyboard.
- Run \Solsem\Logonhlp.reg and copy \Solsem\Logonhlp.exe to
\Windows\System32 (or whatever %Systemroot%\System32 is on your system).
- Please test in advance that you can perform local kernel debugging
(requires the Debug privilege, SeDebugPrivilege, which is normally granted
to administrators). There is one odd case where enabling debugging still
does not permit local kernel debugging; if you hit it, try the workaround
described on Alex Ionescu's blog.
NOTE FOR SKYPE USERS:
If you run a program that performs a user-mode debug break (as Skype does),
your system will freeze - disable Skype from running automatically before
you reboot in Debugging Mode. There is a way to disable user-mode exceptions
from breaking into the kernel debugger, but it is broken (the bug has been
reported).
NOTE FOR SYSTEMS CONFIGURED WITH BITLOCKER ENCRYPTION:
Please either suspend BitLocker for the class or bring your recovery key:
changing the boot configuration (booting in debugging mode, or "Last Known
Good") on a BitLocker-protected system causes the boot-integrity check to
fail and requires entering the recovery key.
NOTE TO MICROSOFT EMPLOYEES USING INTERNAL DEBUGGER BUILDS:
If you are using an internal build of the debugger tools and are having
problems getting local kernel debugging to work, please try using the latest
released version and use the public symbols (vs the internal symbols).
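The registry, environment and boot-configuration steps above can be scripted instead of clicked through. The script below is an added example and is not part of the Solsem instructions or its solsem.zip; it assumes PowerShell 2.0 or later, an elevated prompt, the public symbol server, and the c:\sysint, c:\solsem and c:\symbols folders the class notes use. Only the default right-Ctrl + Scroll Lock sequence is set here; the alternate right-Alt sequence still needs the .reg file from solsem.zip.

```powershell
# Added example (not the original page's or Solsem's code): applies the
# class-setup registry/environment/boot settings from an elevated PowerShell.
# Assumptions: public symbol server, caches under C:\symbols, tools under
# C:\sysint and C:\solsem. Adjust $SymbolPath for the Microsoft-internal server.

$SymbolPath = 'srv*c:\symbols*http://msdl.microsoft.com/download/symbols'

# Every step below writes HKLM or the BCD store, so insist on elevation.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell prompt.'
}

# 1. Folders the class notes assume exist.
foreach ($dir in 'C:\sysint', 'C:\solsem', 'C:\symbols') {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# 2. System-wide _NT_SYMBOL_PATH; same effect as "setx _NT_SYMBOL_PATH ... /M".
#    Machine scope lands in HKLM\...\Session Manager\Environment, so processes
#    that are already running (including this shell) will not see it.
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $SymbolPath, 'Machine')

# 3. Startup and Recovery: no automatic restart, kernel memory dump.
#    CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (mini).
$crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Set-ItemProperty -Path $crash -Name AutoReboot       -Value 0 -Type DWord
Set-ItemProperty -Path $crash -Name CrashDumpEnabled -Value 2 -Type DWord

# 4. Crash from keyboard (PS/2 keyboards only): right Ctrl + Scroll Lock twice.
#    This is the value the default crashon-rightctrl-scrlk-scrlk.reg sets.
$i8042 = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
if (-not (Test-Path $i8042)) { New-Item -Path $i8042 -Force | Out-Null }
Set-ItemProperty -Path $i8042 -Name CrashOnCtrlScroll -Value 1 -Type DWord

# 5. Pool tagging is only needed on 32-bit XP (5.1 kernel); later kernels
#    always tag. Same as checking "Enable pool tagging" in Gflags: OR
#    FLG_POOL_ENABLE_TAGGING (0x400) into the system-wide GlobalFlag.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 5 -and $os.Minor -eq 1 -and [IntPtr]::Size -eq 4) {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $flag = (Get-ItemProperty -Path $sm -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
    Set-ItemProperty -Path $sm -Name GlobalFlag -Value (([int]$flag) -bor 0x400) -Type DWord
}

# 6. Vista/2008 and later: boot in debugging mode so local kernel debugging
#    is permitted (equivalent to MsConfig -> Boot -> Advanced -> Debug).
if ($os.Major -ge 6) { bcdedit /debug on | Out-Null }

Write-Host 'Done. Reboot for the crash-control, keyboard-crash and debug-mode settings to take effect.'
```

On a BitLocker-protected Vista/2008 machine, step 6 changes the boot configuration and the next boot will ask for the recovery key, as the BitLocker note above warns; suspend BitLocker first or have the key at hand.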
Steps to enable and test local kernel debugging:
- Vista/Server 2008: you must boot in Debugging Mode to perform local kernel
debugging (note that this breaks MPEG2/DVD video playback - this is not a
bug, but is there to prevent getting around digital rights management by
using the kernel debugger). To boot in debugging mode, you can either press
F8 during the boot process and choose Debugging Mode from the list of
advanced boot options, or configure the system to boot automatically in
debugging mode (either run MsConfig, click on the Boot tab, click the
Advanced Options button and check Debug, or from an elevated command prompt
type "bcdedit /debug on").
- Run Windbg from the Debugging Tools (on Vista, make sure you run it
elevated with administrative credentials if you have UAC enabled)
- Click on File->Kernel Debug, click on the Local tab and click OK
- If local kernel debugging is permitted, a command window should open with
an "lkd>" prompt
- Type "!process" at the "lkd>" prompt to make sure symbols are loaded and
configured. With no arguments, !process shows the current process, which in
a local session is the Windbg process itself.
- OPTIONAL: Force the download of other kernel symbol files to your local
symbol cache (typically c:\symbols) by typing ".reload /f"
(if you are sure that you will have network connectivity during the class, you can
skip this step and let the
symbols download on demand as they are referenced during the class).
NOTE: It is normal to get symbol loading errors for
third party device drivers, as their symbols are not available on the
symbol server.
- Configure symbols for Process Explorer and Process Monitor
Run Process Explorer and Process Monitor. In both tools, click on
Options->Configure Symbols. Change the Dbghelp.dll path to reference the one
in your Debugging Tools folder and make sure the symbol path is set (see the
_NT_SYMBOL_PATH setup above). NOTE: you cannot use the Dbghelp.dll in
\Windows\System32, as it does not support the symbol server; you must use
the one in the Debugging Tools folder.
For example, on a 64-bit system using public symbols, the Dbghelp.dll path
points into the 64-bit Debugging Tools folder and the symbol path is
srv*c:\symbols*http://msdl.microsoft.com/download/symbols.
- In Process Explorer's list of processes, double click on the process
called "System" (usually 4th in the list) and click on the Threads tab
(there may be a delay while symbols are downloaded).
When the list of threads is displayed, confirm that symbols were downloaded
properly: sort by the Start Address column and scroll down until you see
threads with start addresses in the form "ntoskrnl.exe!xxx" or
"ntkrnlpa.exe!xxx" - make sure you do NOT see "+0x" after any of these
entries.
If you see entries like "ntoskrnl.exe!yyyyyy+0xnnn" for most of the
Ntoskrnl/Ntkrnlpa lines, then your symbols are not configured correctly:
the "+0x" offset means Dbghelp only had export symbols, so it resolved each
address to the nearest exported function plus an offset instead of to the
real function name from the PDB.
- Finally, double click on several other processes to force the download of
other user-mode symbols: Explorer.exe, a few Svchost.exe processes,
Csrss.exe, Winlogon.exe, etc. The reason for doing this is to get a variety
of user-mode .EXE symbol files cached on your machine for use during the
class. After doing the above, you should see a number of subfolders under
c:\symbols -- these folders contain the symbols for the various images
referenced.
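The same checks (debugging mode on, local kernel debugging permitted, kernel PDB symbols resolving, symbol cache populated) can be done from a script once the machine has been rebooted. The script below is an added example, not part of the original instructions; it assumes the Debugging Tools are installed in %ProgramFiles%\Debugging Tools for Windows, the symbol cache is C:\symbols, _NT_SYMBOL_PATH is already visible to the session, and that it is run elevated. Test-KernelSymbols is a helper written for this example.

```powershell
# Added example (not the original page's code): non-interactive verification
# of the local kernel debugging setup using kd.exe instead of WinDbg's GUI.
# Assumptions: Debugging Tools under %ProgramFiles%\Debugging Tools for Windows,
# symbol cache at C:\symbols, _NT_SYMBOL_PATH set, elevated PowerShell.

function Test-KernelSymbols {
    # Parses "lm m nt" output. A resolved kernel PDB is reported as
    #   fffff800`01200000 fffff800`01700000   nt   (pdb symbols)   c:\symbols\...
    # Anything else ("export symbols", "deferred", "no symbols") is the same
    # failure Process Explorer shows as "ntoskrnl.exe!xxx+0xnnn" offsets.
    param([string]$DebuggerOutput)
    $ntLines = $DebuggerOutput -split "`r?`n" |
        Where-Object { $_ -match '^\s*[0-9a-f`]+\s+[0-9a-f`]+\s+nt\s+\(' }
    return [bool]($ntLines -match '\(pdb symbols\)')
}

$kd = Join-Path $env:ProgramFiles 'Debugging Tools for Windows\kd.exe'
if (-not (Test-Path $kd)) { throw "kd.exe not found at $kd" }
if (-not $env:_NT_SYMBOL_PATH) {
    throw '_NT_SYMBOL_PATH is not set in this session (log off and on after setting it)'
}

# 1. Vista/2008: is the current boot entry in debugging mode? (bcdedit prints
#    "debug  Yes" for the entry). Braces must be quoted in PowerShell.
$os = [Environment]::OSVersion.Version
if ($os.Major -ge 6) {
    $bcd = bcdedit /enum '{current}' | Out-String
    if ($bcd -notmatch 'debug\s+Yes') {
        Write-Warning 'Not booted in debugging mode; run "bcdedit /debug on" and reboot.'
    }
}

# 2. Open a local kernel session (-kl), force a symbol reload, list the kernel
#    module with its symbol status, list processes, then quit. If local kernel
#    debugging is not permitted, kd reports the error and !process prints nothing.
$commands = '.reload; lm m nt; !process 0 0; q'
$output = & $kd -kl -c $commands 2>&1 | Out-String

if (Test-KernelSymbols $output) {
    Write-Host 'OK: kernel (nt) PDB symbols resolved from the symbol server.'
} else {
    Write-Warning 'Kernel symbols did not resolve. kd output follows:'
    Write-Host $output
}

# 3. Symbol cache: after the Process Explorer steps there should be one
#    subfolder per image (ntkrnlmp.pdb, explorer.pdb, ...).
$cached = Get-ChildItem 'C:\symbols' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | Select-Object -ExpandProperty Name
Write-Host ("Symbol cache folders: {0}" -f ($(if ($cached) { $cached -join ', ' } else { '(none yet)' })))
```

Expect third-party driver modules to still show "no symbols" or "export symbols" in a full "lm" listing; only the nt line is checked here, matching the note above that missing symbols for third-party drivers are normal.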