Wednesday, April 29, 2015

Memory Leaks in Nonpaged Pool

Found this video on YouTube. It's a good introduction to finding nonpaged pool memory leaks. This isn't as much of a problem on Windows Server 2008 R2 and above, but there is good information here.


https://support.microsoft.com/en-us/kb/177415

Thursday, April 16, 2015

How to Enable Procmon Boot Logging with Script


Scenario:

In order to use Procmon to log operations during boot, you have to go to Options and then select Enable Boot Logging. Once you have done that, you can reboot your computer, log on, launch Procmon again, and then save the boot log. There may be an occasion when you want to enable it on multiple machines using a script. This is not something that you can do with the current command line arguments.

Wednesday, April 15, 2015

Using Analytic and Debug Logs


It's common for IT administrators to use the native Windows logs to search for problems. Two of the most commonly used logs are the "System" and the "Application" logs. However, not everyone takes advantage of the other built-in operational logs. When you go to Event Viewer, you can expand "Applications and Services Logs" to reveal a vast array of logs. Many of them are empty, but many of them are capturing useful data that can help you discover what is going on with your computer.

For more information on what each of these logs and log types is, visit this link: https://technet.microsoft.com/en-us/library/cc722404.aspx

In this post, I want to talk about the analytic and debug logs. The Windows Logs give you information across your whole system. They will show you hardware events, system events, security events, application events, etc., for all sorts of components and applications. The Applications and Services Logs drill into individual components and report only on those.
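The following is an added example and not code from the original post: it lists every Analytic and Debug log under "Applications and Services Logs", enables one of them, reads it back, and disables it again. The log name, event count and variable names are placeholders of this example's own choosing; substitute the full log name that the listing prints.

```powershell
# Added example, not code from the original post: enumerate Analytic and
# Debug logs, enable one, read it, and turn it back off.
# $LogName is a placeholder; replace it with the full name from the listing
# (it looks like "<Provider>/Analytic" or "<Provider>/Debug").
param(
    [string]$LogName = 'PLACEHOLDER-PROVIDER/Analytic',
    [int]$MaxEvents  = 20
)

# 1. Find every Analytic or Debug log and whether it is currently enabled.
#    These two log types are switched off by default, which is why they
#    look empty. -Force is required for Get-WinEvent to include them when
#    the name is a wildcard.
Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LogType -in @('Analytical', 'Debug') } |
    Select-Object LogName, LogType, IsEnabled, RecordCount, MaximumSizeInBytes |
    Sort-Object LogName |
    Format-Table -AutoSize

# 2. Enable the chosen log. wevtutil set-log (sl) is the scriptable form of
#    the "Enable Log" item on the log's context menu in Event Viewer.
wevtutil.exe set-log $LogName /enabled:true
if ($LASTEXITCODE -ne 0) { throw "Could not enable $LogName (exit code $LASTEXITCODE)" }

# ... reproduce the problem while the log is collecting ...

# 3. Read it. Analytic and Debug logs can only be read oldest-first, so
#    Get-WinEvent needs -Oldest here; without it the call fails.
Get-WinEvent -LogName $LogName -Oldest -MaxEvents $MaxEvents |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Format-Table -AutoSize -Wrap

# 4. Disable it again once the data is captured; these logs have small
#    default sizes and add overhead, so leaving them on is rarely useful.
wevtutil.exe set-log $LogName /enabled:false
```

Run this from an elevated PowerShell prompt. Event Viewer itself hides these logs until you tick View > Show Analytic and Debug Logs, which is why many administrators never see them.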

Friday, February 6, 2015

Using NetSh to Capture Network Traces



Scenario


You have a client / server application that appears to be running slowly and you suspect the issue is network related. You want to capture a network trace from the client and the server at the same time, but you don't want to install Wireshark or Network Monitor on either machine.

Netsh Trace


In the above scenario, it is important to get a simultaneous network trace from the client and the server while the problem is occurring. Open an administrative command prompt on both the client and on the server.  Enter the following command into both prompts:

netsh trace start capture=yes

Then launch the application to reproduce the slowness. If it takes a long time for the application to launch, then continue to capture until the application is fully launched. If some functionality within the application is slow, then be sure to capture the entire period of slowness in your trace.

Once you have gathered the data you need, use the following command to stop the trace:

netsh trace stop

Your command line should look like the above command line. Notice that, by default, the max size of the trace file is 250MB, that it is circular (it will overwrite the oldest data once the file reaches 250MB), and that it shows you the path where the .etl trace will be stored.
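As an added example that is not part of the original post, here are the two netsh commands wrapped in PowerShell functions so that the same script can be run on the client and on the server. The trace file name embeds the computer name and a UTC timestamp so the two captures can be matched up later; the folder, the explicit 250 MB limit and the function names are this example's own choices, not anything the post specifies.

```powershell
# Added example, not from the original post: start/stop a netsh trace with a
# file name that identifies the machine and the time, so the client and
# server captures can be correlated afterwards.
function Start-NetshTrace {
    param(
        [string]$TraceDir = 'C:\Temp\NetTraces',   # assumption: any writable folder
        [int]$MaxSizeMB   = 250                    # same default netsh uses
    )
    New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $file  = Join-Path $TraceDir "$env:COMPUTERNAME-$stamp.etl"

    # capture=yes enables packet capture; maxsize is in MB and the file is
    # circular, so the oldest packets are dropped once the limit is reached.
    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$file",
                   "maxsize=$MaxSizeMB", 'overwrite=yes')
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
    return $file
}

function Stop-NetshTrace {
    param([string]$TraceFile)
    # Stopping flushes and merges the buffered events into the .etl file;
    # on a busy machine this step can take a minute or more.
    & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }
    if ($TraceFile -and (Test-Path $TraceFile)) {
        Get-Item $TraceFile | Select-Object FullName, Length, LastWriteTimeUtc
    }
}

# Usage, from an elevated prompt on both machines:
#   $t = Start-NetshTrace
#   ... reproduce the slowness ...
#   Stop-NetshTrace -TraceFile $t
# "netsh trace show status" reports whether a trace is currently running.
```

The .etl files can be copied to an analysis workstation and opened there with Network Monitor 3.4 or Message Analyzer, so neither tool needs to be installed on the client or the server; "netsh trace convert input=<file>.etl" will also render the events as plain text if all you need is a quick look.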

Tuesday, September 9, 2014

How to Setup Alerts Using Perfmon

Scenario

Say you find that the CPU utilization on your computer or server keeps spiking, but it does so at random times. If you are looking in Task Manager, you might be able to identify which process is responsible for the spikes. Now say you want to be notified when these spikes occur. You can actually use a built-in Microsoft product to send alerts and/or log events like this.

Microsoft Performance Monitor.

Using Microsoft's Performance Monitor, you can select counters such as "% Processor Time" or "Handle Count" and then trigger alerts based on these counters. Microsoft provides a lot of counters, so you can monitor a computer or server with a high degree of granularity. Here is an example of the Processor object containing counters for CPU usage: http://msdn.microsoft.com/en-us/library/ms804036.aspx. You can also monitor memory, disk usage, network usage, etc.

You can set up a data collector set that will allow you to be notified, for example, when a process reaches 60% User Time.  When you do this, you will receive an alert every time this threshold is met.

Unfortunately, while you can set up these alerts to be tripped when a counter reaches a threshold, you can't set them up to alert you when, say, % Processor Time stays at X for Y duration.
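The block below is an added example, not code from the original post. Part 1 creates the same kind of threshold alert the Performance Monitor GUI builds, using logman. Part 2 goes beyond the post: it is this example's own workaround for the limitation just described, raising an alert only when the counter has stayed above the threshold for a chosen duration. The set name, thresholds and intervals are placeholders.

```powershell
# Added example, not from the original post.

# --- Part 1: built-in alert (fires on every sample above 60 %) ------------
# -th threshold expression, -si sample interval, -el on writes each alert
# to the Application event log. Start it with: logman start CpuSpikeAlert
logman create alert CpuSpikeAlert -th "\Processor(_Total)\% Processor Time>60" -si 00:00:05 -el on

# --- Part 2: alert only after the counter stays above X for Y seconds -----
function Test-SustainedThreshold {
    # Pure helper: $true when the last $Count values are all above $Threshold.
    param([double[]]$Values, [double]$Threshold, [int]$Count)
    if ($Count -lt 1 -or $Values.Count -lt $Count) { return $false }
    $tail = $Values[($Values.Count - $Count)..($Values.Count - 1)]
    return (@($tail | Where-Object { $_ -le $Threshold }).Count -eq 0)
}

function Watch-SustainedCounter {
    param(
        [string]$Counter   = '\Processor(_Total)\% Processor Time',
        [double]$Threshold = 60,
        [int]$IntervalSec  = 2,
        [int]$DurationSec  = 30,   # counter must stay high this long
        [int]$MaxSamples   = 0     # 0 = run until Ctrl+C
    )
    $needed  = [math]::Ceiling($DurationSec / $IntervalSec)
    $history = New-Object 'System.Collections.Generic.List[double]'
    $taken   = 0
    while ($MaxSamples -eq 0 -or $taken -lt $MaxSamples) {
        $sample = (Get-Counter -Counter $Counter -MaxSamples 1).CounterSamples[0]
        $history.Add([double]$sample.CookedValue)
        $taken++
        if ($history.Count -gt $needed) { $history.RemoveAt(0) }   # sliding window
        if (Test-SustainedThreshold -Values $history.ToArray() -Threshold $Threshold -Count $needed) {
            # Emit one object per sustained spike; pipe it to a file,
            # Write-EventLog, or Send-MailMessage as required.
            [pscustomobject]@{
                Time    = $sample.Timestamp
                Counter = $Counter
                Value   = [math]::Round($sample.CookedValue, 1)
                Message = "Above $Threshold for at least $DurationSec seconds"
            }
            $history.Clear()   # reset so one long spike produces one alert
        }
        Start-Sleep -Seconds $IntervalSec
    }
}
# Usage:  Watch-SustainedCounter -Threshold 80 -DurationSec 60
```

Part 2 polls with Get-Counter at the chosen interval and only reports when every sample in the window is above the threshold, so a single short spike that the built-in alert would flag is ignored.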

Sunday, September 7, 2014

How to Setup Performance Monitor Data Collector Sets to Monitor System Performance

Scenario

Are you having issues with the performance of your PC or server?  If so, you can use Microsoft's Performance Monitor to see performance trends over a period of time.  In this post, I will talk about how to collect the data you need in order to assess your issue. I will talk more about analysis of the data you collect in other posts.

Overall Steps for Data Collection


  1. Create two DCS.
  2. Start both DCS.
  3. Wait for the performance issue to occur.
  4. After you are sure that you captured data during the problem, stop both DCS.

We will be creating two separate, essentially identical data collector sets. The only difference between the two sets will be the polling interval. Performance Monitor data collector sets poll their data providers at whatever interval you specify. We will set one of the intervals to 2 seconds and the other to 4 minutes.

Why would we do this?

In order to catch problems related to the CPU, we will need to poll at intervals no greater than 3 seconds.  For memory issues, we need the interval to be longer.  We will be creating circular logs which will overwrite the oldest data once they reach their size limit.  In the case of memory issues, we usually want to collect data over a period of days or even weeks.
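As an added example that is not part of the original post, here is the whole procedure (create two sets, start them, stop them) done with logman rather than the Performance Monitor GUI. The set names, counter lists, output folder and size limits are this example's own choices; adjust them to your environment.

```powershell
# Added example, not from the original post: two circular data collector
# sets, one polling every 2 seconds and one every 4 minutes. Run from an
# elevated prompt.
$LogDir = 'C:\PerfLogs\Baseline'   # assumption: any folder the service can write
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Step 1a: counters polled every 2 seconds. CPU and per-process activity
# changes too quickly to be caught at a long interval.
@'
\Processor(*)\% Processor Time
\Processor(*)\% Privileged Time
\System\Processor Queue Length
\Process(*)\% Processor Time
\Process(*)\Handle Count
\Process(*)\Thread Count
'@ | Set-Content "$LogDir\fast.txt"

# Step 1b: counters polled every 4 minutes. Memory and pool usage drift
# slowly over days, so a long interval keeps a multi-week log small.
@'
\Memory\Available MBytes
\Memory\Committed Bytes
\Memory\Pool Nonpaged Bytes
\Memory\Pool Paged Bytes
\Process(*)\Private Bytes
\Process(*)\Working Set
\Process(*)\Pool Nonpaged Bytes
'@ | Set-Content "$LogDir\slow.txt"

# -cf counter file, -si [[hh:]mm:]ss sample interval, -f bincirc circular
# binary log, -max size limit in MB (the log wraps when it is reached),
# -o output file (logman adds the .blg extension), -y answers prompts.
logman create counter Perf-Fast -cf "$LogDir\fast.txt" -si 00:00:02 -f bincirc -max 500 -o "$LogDir\Perf-Fast" -y
logman create counter Perf-Slow -cf "$LogDir\slow.txt" -si 00:04:00 -f bincirc -max 500 -o "$LogDir\Perf-Slow" -y

# Step 2: start both sets, then (step 3) wait for the problem to occur.
logman start Perf-Fast
logman start Perf-Slow
logman query    # both should be listed as Running

# Step 4: once the problem has been captured, stop both sets.
# logman stop Perf-Fast
# logman stop Perf-Slow
# Remove the definitions when finished: logman delete Perf-Fast ; logman delete Perf-Slow
```

The resulting .blg files open directly in Performance Monitor for analysis. Because both logs are circular, check the "Perf-Fast" size limit against how long the 2-second data must survive: at 500 MB it holds far less wall-clock time than the 4-minute set, so stop it promptly after the problem occurs.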

Thursday, June 19, 2014

Building a Basic Windows 7 Hardware Independent Image


This post should give you the basics of how to build a Windows 7 image that contains drivers for many different models. Image creation can be fairly straightforward or it can be very involved, depending on how much you want to customize it.

What you will need:

  1. Windows 7 Installation CD / DVD
  2. WAIK installed on your computer
  3. A computer to build the image on (if you have VMware or a Hyper-V server, that would be better)
  4. A USB flash drive large enough to hold your image and WinPE (8 gig drive is OK if your image is pretty thin, 16 gig drive should do it unless your image is really big)

Create Bootable USB with WinPE 3.0


There are endless things you can do with WinPE, but first you must learn to hold it in stillness.

What you will need:

1. Download WAIK from Microsoft and install it on your computer
2. USB Drive (should be at least 512MB)
3. Computer with Windows 7

First, let's create the WinPE files.

1. Go to Start > All Programs > Microsoft Windows AIK - then right click on "Deployment Tools Command Prompt" and select "Run as administrator".

2. At the command line type the following: "copype x86 c:\winpex86" without the quotes, of course. This will copy the WinPE files to the location c:\winpex86. If you need to create a 64-bit WinPE boot image, then type the following: "copype amd64 c:\winpex64".

3. Now copy the file C:\winpex86\winpe.wim to the folder C:\winpex86\ISO\sources. After you copy the file into that folder, rename "winpe.wim" to "boot.wim".

Outline for making a Hardware Independent XP Image

For anyone interested in building a hardware independent XP image, here is a quick outline on how to make one.

1. Install Windows XP Pro on a computer that has a multi-processor HAL.  You can determine if your computer is a multiprocessor by right clicking on "My Computer" and then clicking on "Manage".  Then go to "Device Manager" and expand "Computer".

2. Do NOT install third party drivers.

3. Collect drivers from all model desktops you will be supporting. A good tool to extract drivers can be found here. There are other utilities you can use, but this is a good one. Once you have extracted the drivers from all models, put them all in a folder called "drivers". This will go in your sysprep folder later on.