Our Publications
Introduction
On this page you'll find a bibliography of our publications. In addition, you'll find the upcoming schedule of topics that will be covered in Mark's Windows IT Pro Magazine (formerly Windows 2000 Magazine and Windows NT Magazine) column, Internals (formerly NT Internals), and a section on column errata. Where applicable, the article title will link to the on-line version of the text.
The Sysinternals Newsletter
Mark writes the Sysinternals e-mail newsletter, which comes out approximately every month and a half. The Sysinternals newsletter keeps you abreast of new tools, articles and source code at Sysinternals, plus it provides you unique information on Windows internals that you won't find anywhere else. If you subscribe you get immediate access to all the back issues.
Sign up and see a list of back issues here.
Windows Internals, 4th Edition
Mark has coauthored Windows Internals, 4th Edition (MS Press) with Dave Solomon. This definitive work on the internals of Windows 2000, Windows XP and Windows Server 2003 covers a slew of topics not included in previous editions, including the boot process, services, registry internals, WMI, the storage subsystem, file systems, and more.
Visit the Winternals Internals page for updates and errata.
Power Tools Column
All Windows IT Pro Magazine articles over 4 issues old are on-line. Newer articles are available on-line to subscribers only (this is Windows IT Pro Magazine's policy, as they own the copyright on my columns).
Internals Column
All Windows IT Pro Magazine articles over 4 issues old are on-line. Newer articles are available on-line to subscribers only (this is Windows IT Pro Magazine's policy, as they own the copyright on my columns).
February '01 | Inside Crash Dump Analysis |
Winter '00 | Inside Windows 2000 NTFS, Part 2 |
November '00 | Inside Windows 2000 NTFS, Part 1 |
July '00 | Inside Windows Services, Part 2 |
June '00 | Inside Windows Services, Part 1 |
April '00 | Inside Storage Management, Part 2 |
March '00 | Inside Storage Management, Part 1 |
February '00 | Inside Windows Management Interface |
December '99 | Inside Win2K Scalability Enhancements, Part 2 |
November '99 | Inside Win2K Scalability Enhancements, Part 1 |
October '99 | Inside Win2K Reliability Enhancements, Part 3 |
September '99 | Inside Win2K Reliability Enhancements, Part 2 |
August '99 | Inside Win2K Reliability Enhancements, Part 1 |
July '99 | Inside EFS, Part 2 |
June '99 | Inside EFS, Part 1 |
May '99 | Registry Internals |
March '99 | Inside NT Networking |
February '99 | Inside NT Utilities |
January '99 | Inside the Boot Process, Part 2 |
November '98 | Inside the Boot Process, Part 1 |
October '98 | Inside the Cache Manager |
September '98 | Inside Memory Management, Part 2 |
August '98 | Inside Memory Management, Part 1 |
July '98 | Inside Microsoft Terminal Server (Hydra) |
June '98 | Inside Security, Part 2 |
May '98 | Inside Security, Part 1 |
April '98 | Inside NT Architecture, Part 2 |
March '98 | Inside NT Architecture, Part 1 |
February '98 | Inside Microsoft Cluster Server (Wolfpack) |
January '98 | Inside NTFS |
December '97 | Inside the Blue Screen |
November '97 | Inside Interrupt Handling |
October '97 | Inside the Object Manager |
September '97 | Inside On-Access Virus Scanners |
August '97 | Inside the Scheduler, Part 2 |
July '97 | Inside the Scheduler, Part 1 |
May '97 | Inside Disk Defragmenting |
Internals Column Errata
Inside the Windows NT Scheduler, Part 2
In the column I state that by default threads do not have ideal processors. However, all threads are assigned an ideal processor. The first thread of a process is assigned an ideal processor that is randomly chosen for it. Subsequent threads are assigned ideal processors by cycling through the processors in the system. The thread migrations exhibited due to soft-affinity are actually due to the scheduler trying to keep threads on their arbitrarily assigned ideal processors, rather than on the last CPU they ran on. Note that the Win32 API SetThreadIdealProcessor can be used to override the random selection.
The paragraph describing KiReadyThread says that it schedules a thread on a CPU if the thread has a priority equal to or higher than the thread currently executing on the CPU. The priority of the executing thread must actually be lower than that of the thread in question.
Inside the Boot Process, Part 2
The Last Known Good control set is not committed until after all services have successfully initialized and a user successfully logs in. When a user logs in the Winlogon program calls out to the logon interface (GINA) to perform processing of the request, and Microsoft's default GINA, MSGINA, checks to see if all services have finished initializing - if so, it requests that the Service Control Manager mark the current control set as the 'last known good'. If the services have not finished initializing at the time a user logs in, the Service Control Manager notes that a user has logged in and updates the 'last known good' after the services are done initializing.
Articles
Windows IT Pro Magazine articles are available on-line only to subscribers.
- Unearthing Rootkits, by Mark Russinovich, Windows IT Pro Magazine, July 2005
Mark goes inside rootkits, software technologies used to hide malicious software.
- The Memory Optimization Hoax, by Mark Russinovich, Windows and .NET Magazine, January 2004
Mark debunks the class of self-proclaimed "RAM optimization" products.
- Windows XP: Kernel Improvements Create a More Robust, Powerful, and Scalable OS, by Mark Russinovich and David Solomon, MSDN Magazine, December 2001
Find out how Windows XP improves on the Windows 2000 kernel with changes in the kernel and supporting kernel services.
- High-Performance Memory-Based Web Servers: Kernel and User-Space Performance, by P. Joubert, R. King, R. Neves, M. Russinovich, and J. Tracey, Proceedings of the 2001 USENIX Annual Technical Conference, Boston, MA, June 28, 2001
Learn about the innovative in-kernel Web server acceleration technology Mark helped develop when he worked at IBM Research.
- "Inside the Windows 2000 Kernel," by Mark Russinovich, Windows NT Magazine, Winter 1999.
I take you on a tour of changes to the NT kernel Microsoft made going from NT 4 to Win2K. Topics I cover include scalability, power management, plug-and-play and the file systems.
- "Linux and the Enterprise," by Mark Russinovich, Windows NT Magazine, April 1999.
Learn about limitations in the implementation of the Linux 2.2 kernel that will prevent it from competing with commercial UNIXes and Windows NT on enterprise-class workloads.
- "Windows NT and VMS: The Rest of the Story," by Mark Russinovich, Windows NT Magazine, December 1998.
This article describes NT's VMS legacy and how Digital reacted to the fact that Windows NT's kernel so strongly resembles that of VMS.
- "NT vs UNIX: Is One Substantially Better than the Other?," by Mark Russinovich, Windows NT Magazine, December 1998.
The architecture and kernel subsystem design and functionality of Windows NT and UNIX are compared. In order to answer the question of which is better, the results of industry standard benchmarks for NT and UNIX are presented. An article with surprises for everyone.
- "NT Rollout Options," by Mark Russinovich, Windows NT Magazine, June 1998.
Both unattended setup and cloning are discussed in this article. The issues caused by duplicate SIDs that result from cloning are described in detail, and Microsoft's official stance on cloning is presented.
- "Inside the Windows NT Registry," by Mark Russinovich, Windows NT Magazine, April 1997.
This article describes the organization of the Registry, discusses what is stored in each root key and their subkeys, and points out a few Registry tricks.
- "Examining the Windows NT File System," by M. Russinovich and B. Cogswell, Dr. Dobb's Journal, February 1997.
Filemon is presented in this article, which also presents the basics of the NT I/O manager and how file systems interface with it.
- "Windows NT System Call Hooking," by M. Russinovich and B. Cogswell, Dr. Dobb's Journal, January 1997.
Regmon is presented in this article, and it describes how NTRegmon uses a technique we came up with, kernel-mode system call hooking, to watch all Registry activity.
- "Inside the Difference Between Windows NT Workstation and Windows NT Server," by M. Russinovich, Windows NT Magazine, November 1996.
The definitive article describing the differences between the two flavors of NT. Mark was the technical source behind O'Reilly and Associates' disclosure in September 1996 that, contrary to some of Microsoft's claims, Server and Workstation share the same code base.
- "Inside the Windows 95 Registry," by M. Russinovich and B. Cogswell, Windows Developer's Journal, October 1996.
Regmon is presented in this article, which also describes the overall layout of the Windows 95 Registry.
- "NTFSDOS Poses Little Security Threat," by M. Russinovich and B. Cogswell, Windows NT Magazine, September 1996.
Our view on how NTFSDOS does not "break" NT security, but rather highlights the need for physical security.
- "Inside SoftRAM 95," by M. Russinovich, B. Cogswell, and A. Schulman, Dr. Dobb's Journal, August 1996.
Mark broke the story on SoftRAM 95 (published by Syncronys Softcorp.), the second best selling Windows product of 1995 (behind Windows 95 Upgrade), showing the world it was a fraud. This article goes inside the program to expose its deceit.
- "Replay for Concurrent Non-Deterministic Shared Memory Applications," by M. Russinovich and B. Cogswell, Proceedings of ACM Conference on Programming Language Design and Implementation, May 1996.
This academic paper presents a technique we developed to efficiently replay a class of programs that traditionally required much more expensive (in space and time) and intrusive methods to enable identical re-execution. Replay techniques are used in fault tolerance and debugging applications.
- "Examining VxD Service Hooking," by M. Russinovich and B. Cogswell, Dr. Dobb's Journal, May 1996.
VCMon (VCache Monitor) is presented in this article as an example of the kinds of visibility VxD service hooking can provide.
- "Journaling and Playback for Windows 95," by M. Russinovich and B. Cogswell, Dr. Dobb's Journal, March 1996.
Windows 95 introduced new VxD services that enable a VxD to record and play-back keyboard and mouse input at the lowest level. Ctrl2Cap is another example of this feature.
- "Examining the Windows 95 Layered File System," by M. Russinovich and B. Cogswell, Dr. Dobb's Journal, Dec. 1995.
Here we present a Windows 95 VSD that hooks all physical disk I/O and presents it à la Filemon. We also discuss the organization of the Windows 95 disk I/O subsystem.