Windows Internals and Advanced Troubleshooting

If you like Sysinternals, the book Windows Internals, or want to learn more about Windows NT/2000/XP/2003 internals, including what's coming in Vista, then you'll want to attend the only scheduled seminars where both Dave Solomon and Mark Russinovich, the authors of Windows Internals, deliver our 5-day hands-on (bring your own laptop) Windows Internals and Advanced Troubleshooting seminar. Plus, all registrations include a 1-year free digital subscription to Windows IT Pro Magazine.

For groups of 20 or more, you can have this (or our other classes) delivered on site at your company location. Contact seminars@solsem.com for more information. You may also be interested in our self-paced interactive training video.

2006 Schedule:

San Francisco, September 18-22, 2006

Price: $2750 if paid 4 weeks in advance, otherwise $2900
Class logistics (location, schedule, laptop setup, and discount hotel room information)

Cancellation Policy
Fees are fully refundable up to two weeks prior to seminar date. Cancellations less than two weeks prior to seminar date are subject to a 50% cancellation fee. Cancellations without notice are responsible for the full seminar fee.

For questions, email pubsem@solsem.com or call 1-800-492-4898 (+1 860-355-9029 outside the USA).

Description

As an IT professional deploying and supporting Windows servers and workstations, you need to be able to dig beneath the surface when things go wrong. Having an understanding of the internals of the kernel and knowing how to use advanced troubleshooting tools will help you deal with problems such as malware/spyware identification and removal, performance issues, and blue screens. Understanding the internals can help programmers to better take advantage of the Windows platform, as well as provide advanced debugging techniques.

Gain this valuable knowlege by attending this deep 5 day hands-on technical class by Mark Russinovich and David Solomon, authors of Windows Internals 4th edition (Microsoft Press) and its previous editions Inside Windows 2000 and Inside Windows NT. Developed with full access to the Windows operating system source code and development team, you'll be getting the real "inside story".

Topics covered include :

Internals of key kernel components including thread scheduling, memory management, security, registry, and I/O manager
Vista kernel changes
Multiprocessor support
64-bit support
Understanding interrupt activity & time accounting
Troubleshooting process-related problems (Process Explorer, Windbg)
Rootkits
Identifying and disinfecting malware
Troubleshooting I/O problems with Filemon & Regmon
Understanding memory usage
Troubleshooting memory problems (process & system memory leaks)
Understanding the system boot process
Troubleshooting boot, startup, and logon problemsD
Dealing with hung systems
Basic crash dump (blue screen) analysis

With this information you will be able to:

Be able to identify each running process on the system
Understand the true meaning behind the key system performance counters
Diagnose & deal with process & system memory leaks
Size your page file appropriately
Perform basic blue screen analysis
Solve issues preventing your system from booting

NOTE: The class covers all recent versions of Windows, including Windows 2000, Windows XP, Windows Server 2003, and Vista.

For reference purposes each student receives a copy of the instructor's book Windows Internals and a printed copy of all slides.

Hands-On

Enjoy rolling up your sleeves and getting your hands dirty? This class incorporates hands-on labs which include experiments that allow students to gain practical experience delving into Windows OS internals and troubleshooting system problems. The tools used include the Microsoft Kernel Debugger, tools from Sysinternals.com as well as other Microsoft support tool sets.For public classes, each student must bring their own laptop (see setup instructions).

Unlike most hands-on classes there are no schedule "lab periods". Instead, the labs in this class are "continuous" throughout all 5 days - after the instructor explains a topic, the students will go use the appropriate tool to explore that area.

Customer Quotes

Acclaimed author and Windows Server expert Mark Minasi said after attending: "Administrators have to constantly answer questions like 'what IS that program in Task Manager, where did it come from and can I get rid of it safely?' or 'why is my computer so slow?' or an old favorite, 'how large should my pagefile be?' I got the answers to those questions and am putting what I've learned to work immediately. In my experience, the best seminars all leave you delighted and wishing for more, and yours did..."

Edwin van Mierlo, Senior Engineer at a Fortune 500 company, said this after the September 2005 seminar in San Francisco: "I must say that from all courses/seminars I have been to in my professional career, this is now the absolute number one, in regards to content, format, pace, and technology depth. I for sure will be applying these techniques to my daily routine and it already changed the way I troubleshoot some of the problems which I am facing daily."

Here's a sampling of other many positive comments provided by students that attended past seminars:

"I wish I had taken this years ago"
"The information given in this class should be required for all Windows engineers/administrators."
"The seminar was more worthwhile overall than all other seminars I've taken to date."
"Every Microsoft consultant should take this course." (by a Microsoft employee)
"This course holds the key to undertanding Win2K."
"After my MCSE studies I thought I knew Windows 2000. The tools and insights I have gained will save me countless hours running my network and troubleshooting. I can't wait to get back and tackle some of those annoying 'why did it do that?' problems."
"Should be required training for anyone responsible for NT/W2K/XP software development, administration, or design."

Outline

Introduction
- History
- Windows XP Kernel Changes
- Windows 2003 Server Kernel Changes
- Workstation vs. Server
- Checked build
Tools Overview
System Architecture
- Process Execution Context
- Kernel Mode Components
- (Executive, Kernel, HAL)
- Environment Subsystems
- Handles & Objects
- System Service Dispatching
- Interrupts & DPCs
- System Threads
- System Processes
Security
- Security Ratings
- Security Components
- Object Protection
- Auditing, Impersonation and Privileges
- Identifying and disinfecting Malware
- Rootkits
Registry
- Registry Use
- Registry Logical Structure
- Registry Physical Structure
- Profiles
Processes, Threads and Thread Scheduling
- Process, thread and job data structures
- Process startup and exit
- Priority Spectrum
- Thread scheduling algorithms
- Priority Adjustments
- Multiprocessing considerations
- Troubleshooting process problems with Task Manager, Process Explorer, Strings, PS Tools, and Autoruns
- Troubleshooting application and system problems with Filemon & Regmon

I/O System
- I/O System Components
- Driver Installation
- Types of Drivers
- Driver Operation
- Plug-and-Play Manager
- Power Manager
Memory Management
- Address Space Layouts (2GB, 3GB, 64-bit)
- Extended Addressing Services
- Page File Details
- Virtual Address Translation
- Page Faults
- Working Set Management
- Physical Memory Management
Cache Manager
- Cache Virtual Structure
- Cache Size
- Cache Operation
Startup and Shutdown
- Boot Process
- Prefetch
- Logon Process
- Shutdown
- System Restore
- Last Known Good
- Safe Mode
- Recovery Console
Crash Dump Analysis
- Why does the system crash?
- Configuring crash dumps
- Crash dump analysis tools
- Automated analysis
- On-line Crash Analysis
- Advanced debugging techniques

Prerequisites

Attendees should be familiar with basic operating system principles, such as virtual memory, multitasking, processes & threads, file systems, etc. and have experience administering or developing on Windows.