Objectives After completing this lab, you will be able to: Configure a Windows-based computer to create a complete memory dump Enable CrashOnCtrlScroll and use it to blue screen your computer Use basic debugger commands like !analyze -v and lm v m [module] to get information about a blue screen from a kernel mode memory dump Set up a live kernel mode debugging session Set breakpoints in a live kernel debug Note This lab focuses on the concepts in this module and as a result may not comply with Microsoft security recommendations. Prerequisites Before working on this lab, you must have: Completed the Windows Architecture lab exercises Installed the Debugging Tools for Windows Completed the Symbols and Debugging Tools lab exercises
Tasks
1.
Detailed steps
a.
Determine if you have a PS/2 keyboard or a USB keyboard. Find out from the Instructor if you will be doing Exercise 4a or 4b
Exercise 2 is configuring CrashOnCtrlScroll. If you have a USB keyboard, you can still set the registry key, but it will not work at the end of the lab. Exercise 4a involves connecting the live kernel debugger via serial cable. Virtual PC image via named pipe.
2.
a.
It is unlikely that your classroom will be equipped to support both of these exercises. Verify with your instructor which variation of this exercise you should complete.
Scenario
In all versions of Windows server operating systems, creating a complete memory dump when a blue screen occurs is the default option on computers with two gigabytes of RAM or less. Windows Workstations default to creating only a small memory dump (mini-dump).
Tasks
1.
Detailed steps
a.
Click on the Start button. Double click on the icon for System.
a. In the System Properties window, select the Advanced tab. b. Under Startup and Recovery Options, click the Settings button. c. In the Startup and Recovery Options window, review the current
a.
Verify that the boxes are checked for Write an event to the system event log and Automatically restart. information box.
Verify that the Dump file path is %SystemRoot%\MEMORY.DMP Click Ok to close the Startup and Recovery window Still on the Advanced tab of the System Properties window, click the Settings button in the Performance section. Find the Virtual Memory section and click the Change button. Write down the initial page file size on the C: drive. It should be larger than the current amount of RAM. Click Ok to close the Virtual Memory window. Click Ok to close the Performance Options window. Navigate to My Computer Verify that the free space is greater that the amount of RAM
d. Verify that the box is checked for Overwrite any existing file. e. 4.
a.
a.
Scenario
When you need to test changes made to the Windows recovery settings, CrashOnCtrlScroll allows you to generate a blue screen and test the recovery settings without waiting for a problem to occur. CrashOnCtrlScroll is also useful for creating memory dumps of servers that are not responsive. Because you are able to cause a blue screen, you can use this feature to capture a dump file with information about the state of your computer when it is not responding.
Tasks
1.
Detailed steps
a.
Open regedit.exe.
Click on the Start button and click Run. NOTE: On Windows 2000 use regedt32.exe instead.
Click Ok. In Registry Editor, expand HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ i8042prt \ Parameters In Parameters you should already see values for PollingIterations, PollingIterationsMaximum, and ResendIterations. DWORD value.
c.
For the name of the new value, type CrashOnCtrlScroll Double click on the value you just created and set it to 1 Click Ok.
Shut down and restart your computer. While holding down the Control key on the RIGHT side of your keyboard, press the Scroll Lock key twice. This will cause a blue screen crash. After your computer restarts, log in to Windows.
a.
Scenario
Memory1.dmp, Memory2.dmp, and Memory3.dmp are located in the folder C:\LabFiles\Module 04 Kernel Mode Troubleshooting\Blue Screen examples. You will perform initial analysis on these memory dumps. Based on what you have learned this far in the workshop, try to form an action plan to continue troubleshooting the issue. For your convenience, each dump has an accompanying solution.txt file which contains a log of the debugger commands used to diagnose these crashes, and a brief description of root cause at the end of the file.
Tasks
1.
Detailed steps
a.
Open WinDbg.
Click on the Start button. Debugging Tools for Windows and click WinDbg to launch the Windows Debugger. From the File drop-down menu, select Open Crash Dump. 04 Kernel Mode Troubleshooting\Blue Screen examples
2. Open Memory1.dmp.
a.
Choose Memory1.dmp and click Open. When prompted to save the Workspace Information, click No. View your current symbol path with the command: .sympath Symbol search path is:
.sympath
a.
.symfix c:\symbols
a.
Set your symbol path to the Microsoft Internet Symbol Server with the command: .symfix c:\symbols
NOTE: If your lab computer does not have access to the Internet, substitute the following command instead to manually set your symbol path to a local share configured for this workshop: .sympath srv*c:\symbols*c:\LabFiles\Symbols
8.
.sympath
a.
View your new symbol path with the command: .sympath Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/downlo
9.
.reload
a. a.
Now that your symbol path is set correctly, reload your symbols with the command: .reload Review the output you receive from the command: !analyze -v
10. !analyze -v
d. What modules were on the stack that faulted? 11. lm v m [module name] 12. Research a. a.
Get as much information as you can about the drivers on the stack that faulted with the command: lm v m [module name] Given the information you now have from the memory dump, consider the following information about each of the memory dumps as you are working on them. MEMORY1.DMP Problem Description: The user says someone from IT made some changes to his computers registry and was still working on his computer when the blue screen occurred. The IT staff member did not explain what she was doing to the users computer. The user wants to be sure his computer will not blue screen again while he is working. MEMORY2.DMP Problem Description: The user reports that she recently updated drivers for several pieces of hardware in her computer. Her video card, her sound card, her network card, and a TV tuner card. She suspects that one of these updated drivers caused the problem but wants to know which one. MEMORY3.DMP Problem Description: The user reports that he has not changed anything since he installed a new USB device two weeks ago, and he has not had any problems since then. Yesterday he unplugged the USB device and his computer blue screened. Because the computer blue screened almost immediately after he unplugged the USB device, he suspects that the device may have caused the crash, but he would like you to analyze the memory dump and see if you can tell if the driver was involved. The user is skeptical because this device was installed two weeks ago and this is the first time he has seen this problem.
b. Search the Internet for more information. 13. Create an Action Plan a.
Based on your analysis of the memory dump and your research, why do you believe the computer blue screened? MEMORY1: ______________________________________________ _________________________________________________________ _________________________________________________________ MEMORY2: ______________________________________________ _________________________________________________________ _________________________________________________________ MEMORY3: ______________________________________________ _________________________________________________________ _________________________________________________________
Scenario
As we discussed in the kernel mode module, it is sometimes necessary to connect the kernel debugger do debug a live system instead of a memory dump. This lab requires that you pair up with a partner at the computer next to you, and you must both have at least one physical, 9-pin serial port on each machine and a null modem cable.
Tasks
1.
Detailed steps
a.
Designate one computer as the TARGET and the other will be the HOST.
All of the steps in this lab will specify that they are to be performed on the TARGET, the HOST, or on BOTH computers. which of you will be the TARGET computer and which will be the HOST computer.
b. Between yourself and the person at the computer next to you, decide
computers.
3. Configuring boot.ini on the a.
On BOTH computers: connect the null modem cable to COM1 on each computer. Perform the following tasks on the TARGET computer only. If you see the file boot.ini in the root of the C: drive, skip ahead to step j. Tools drop-down menu and select Folder Options.
TARGET computer
d. If you do not see the boot.ini file in the root of the C: drive, go to the e. f. g.
Click on the View tab. Select the radio button for Show hidden files and folders. Uncheck the box for Hide extensions of known file types files (Recommended). After unchecking this you will receive a warning, click Yes.
h. Scroll down and uncheck the box for Hide protected operating system
i. j.
Click Ok to apply your changes and close the Folder Options window. In the root of the C: drive, find the file boot.ini. Right click on it and select Properties. Click Ok to close the boot.ini Properties window. in Notepad.
k. On the General tab, clear the check box for Attributes: Read-only. l.
m. In the root of the C: drive, double click on boot.ini. This file should open n. In the Format drop-down menu, be sure Word Wrap is not checked. o.
You should only have one ARC path at the end of your boot.ini that starts with multi(0)disk(0) If you have more than one ARC path, ask
original path and the new last line will be a backup option.
r. s. t.
Edit the original ARC path. Add the following switches to the end of the line: /debug /debugport=COM1 Save the boot.ini file and close it. When the computer starts back up you should receive a boot menu. Be sure to boot to the option that says [Debugger Enabled]. Do not continue until after the TARGET computer finishes rebooting. Perform the following tasks on the HOST computer only. Navigate to All Programs Debugging Tools for Windows and click WinDbg to launch the Windows Debugger. On the COM tab, enter the Baud Rate: 57600 On the COM tab, enter the Port: COM1 Click Ok to start kernel debugging. WinDbg will return the following output: Opened \\.\COM1 Waiting to reconnect In the Debug drop-down menu, choose Break. information about the TARGET computer should start to be displayed in the windbg command window.
u. /baudrate=57600 v.
j.
a.
Once you are broken in TARGET computer should freeze completely. You will not be able to do anything on the TARGET while the debugger is broken in. This might take a few minutes. On the HOST computer, hit the Enter key. NOTE:Do not close windbg ! Closing windbg on the HOST computer will not free the TARGET computer if the debugger is broken in.
Scenario
As we discussed in the kernel mode module, it is sometimes necessary to connect the kernel debugger do debug a live system instead of a memory dump. This lab requires that you have either Microsoft Virtual PC 2004, Microsoft Virtual Server 2005, or Microsoft Virtual Server 2005 R2 with a guest operating system that is either Windows 2000, Windows XP, or Windows Server 2003.
Tasks
1.
Detailed steps
a.
All of the steps in this lab will specify that they are to be performed on the TARGET, the HOST, or on BOTH computers. and the Virtual Server Host computer is also the debugger HOST computer.
b. For the purposes of this exercise, the Virtual Machine is the TARGET
a.
Perform the following tasks on the TARGET computer only. If you see the file boot.ini in the root of the C: drive, skip ahead to step j. Tools drop-down menu and select Folder Options.
TARGET computer
d. If you do not see the boot.ini file in the root of the C: drive, go to the e. f. g.
Click on the View tab. Select the radio button for Show hidden files and folders. Uncheck the box for Hide extensions of known file types files (Recommended). After unchecking this you will receive a warning, click Yes.
h. Scroll down and uncheck the box for Hide protected operating system
i. j.
Click Ok to apply your changes and close the Folder Options window. In the root of the C: drive, find the file boot.ini. Right click on it and select Properties. Click Ok to close the boot.ini Properties window. in Notepad.
k. On the General tab, clear the check box for Attributes: Read-only. l.
m. In the root of the C: drive, double click on boot.ini. This file should open n. In the Format drop-down menu, be sure Word Wrap is not checked. o.
You should only have one ARC path at the end of your boot.ini that starts with multi(0)disk(0) If you have more than one ARC path, stop ask the instructor for further instructions.
p. Copy the whole last line of boot.ini (the ARC path). This will be similar
10
original path and the new last line will be a backup option.
r. s. t.
Edit the original ARC path. Add the following switches to the end of the line: /debug /debugport=COM1 Save the boot.ini file and close it. Turn off the TARGET Virtual Machine and leave it off for now. Use these steps ONLY if you are using Microsoft Virtual PC 2004. Click the Settings button. Select the radio button for Named pipe: In the box type: \\.\pipe\WindowsCPM Click Ok to close the Settings window. When the computer boots you should receive a boot menu. Be sure to boot to the option that says [Debugger Enabled]. Use these steps ONLY if you are using Microsoft Virtual Server 2005. Navigate to All Programs Administration Website Microsoft Virtual Server Virtual Server
u. /baudrate=57600 v.
w. Shut down the TARGET Virtual Machine. x. 3. Mapping the Virtual COM a.
h. Start (turn on) the TARGET Virtual Machine. i. 4. Mapping the Virtual COM a.
d. Locate the TARGET Virtual Machine you will debug in the list of
machines and float the mouse over its machine name so the menu appears. Click the link to Edit Configuration.
e. f. g.
In the Virtual Machines Configuration, click the like for COM ports. Under COM port 1, click the radio button for Named pipe:. In the text box for Named pipe:, type the pipe name: \\.\pipe\WindowsCPM On the Virtual Machine Status page, start (turn on) the TARGET Virtual Machine. When the computer boots you should receive a boot menu. Be sure to boot to the option that says [Debugger Enabled]. Perform the following tasks on the HOST computer only. Navigate to All Programs Accessories Command Prompt
Lab: Kernel Mode WinDbg will return the following output: Opened \\.\COM1 Waiting to reconnect In the Debug drop-down menu, choose Break.
11
f.
g.
information about the TARGET computer should start to be displayed in the windbg command window.
6. The TARGET Virtual a.
Once you are broken in TARGET Virtual Machine should freeze completely. You will not be able to do anything on the TARGET while the debugger is broken in.This can take a few minutes. On the HOST computer, hit the Enter key. NOTE: Do not close windbg! Closing windbg on the HOST computer will not free the TARGET computer if the debugger is broken in.
12
Scenario
In Exercise 4 you connected the kernel debugger from a HOST computer to a live TARGET computer or virtual machine. You will now use that live debugging session to set a breakpoint on a function on the TARGET. The breakpoint you set will be on tcpip!ICMPEchoRequest, which is the function the TCPIP.SYS driver uses to send ICMP Echo requests (aka. to send pings). Once this breakpoint is set on the TARGET computer, you will log into it and send a ping to another computer on the network. The debugger will break on this function. NOTE: This lab requires access to the Microsoft Internet Symbol Server to work correctly.
Tasks
1.
Detailed steps
a.
In WinDbg on the kernel mode debugging HOST computer from Exercise 4, go to the Debug drop-down menu and select Break.
.sympath
a.
View your current symbol path with the command: .sympath Symbol search path is:
.symfix c:\symbols
a.
Set your symbol path to the Microsoft Internet Symbol Server with the command: .symfix c:\symbols NOTE: For this exercise to work correctly, you must have access to the Microsoft Internet Symbol Server.
4.
.sympath
a.
View your new symbol path with the command: .sympath Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/downlo
5. 6.
.reload !process 0 0
a. a.
Now that your symbol path is set correctly, reload your symbols with the command: .reload Dump the list of running processes with the debugger command: !process 0 0 System process: **** NT ACTIVE PROCESS DUMP **** PROCESS 812719e8 SessionId: none Cid:0004 Peb:00000000 DirBase: 00039000 ObjectTable: e1000b58 HandleCount: 306
b. Look at the very top of the list for the PROCESS address for the
13
The address you want to copy is the one right after the word PROCESS. In the example above, you would use 812719e8. Use the .process command with the address you copied from the previous step.
.process [ADDRESS]
a.
.reload
a.
The previous command changed out process context. Without getting too deep into the meaning of the context, it does mean we need to do a .reload. Use the x command to examine the symbols for tcpip.sys, checking for all functions that have ICMP in their name. tcpip!ICMPEchoRequest tcpip!SendICMPIPSecErr tcpip!SendICMPErr tcpip!SendICMPMsg
9.
x tcpip!*ICMP*
a.
a. a.
Use the bp [module!function] command to set the breakpoint: bp tcpip!ICMPEchoRequest List all breakpoints to confirm your breakpoint was set with the command: bl 0 e fc3b7108 0001 (0001) tcpip!ICMPEchoRequest
Start the TARGET machine running again with the command: g a PING command.
b. The TARGET machine will now run normally until a user tries to send 13. Send a ping from the a.
On the running TARGET computer or Virtual Machine, log in locally. In the Run command, type cmd.exe and click Ok. 127.0.0.1.
d. From the command prompt, use the ping command to ping the IP e. 14. .reload 15. k 200 16. Review the stack 17. bc * 18. g 19. Close WinDbg a. a. a. a. a. a.
The TARGET computer should immediately freeze and the HOST debugger should indicate that Breakpoint 0 was hit. After hitting the breakpoint, reload symbols again with the .reload command. View the thread stack trace that hit the breakpoint with the command: k200 You should be able to follow the stack all the way down past ping!main. Clear the breakpoint with the command: bc * Let the TARGET computer start running again with the command: g Close windbg on the HOST computer.