Microsoft 50155 Training 70-660
Win Internals for IT
Microsoft Certified Technology Specialist (MCTS): Windows Internals M50155 70-660
Course Title: Win Internals for IT
Course Code: M50155
Version: A
Level: 300
Duration: 5 Days
Course Overview
The Win Internals for IT M50155 instructor-led training course has been designed to provide candidates with the necessary skills and knowledge required to debug and troubleshoot low-level Windows applications. The course provides a detailed view of the Windows operating system architecture, its key components, undocumented interfaces and core interactions through the use of debugging utilities, inspection tools and exercises.Target Audience
Candidates who should consider attending the M50155 Microsoft training course are escalation and support engineers with substantial experience administering and troubleshooting applications and systems on Windows.Course Objectives
On successfully completing the M50155 course candidates will be able to:- Use debugging tools to troubleshoot user-mode and kernel-mode issues
- Appreciate the relationships between system components and their interactions with each other
- Improve application performance by understanding how the system behaves internally
Course Prerequisites
Candidates attending the M50155 Microsoft training course should be familiar with the Windows operating system on a power-user level and operating systems concepts (multiprocessing, thread scheduling, virtual memory) is preferable but not a must. Candidates are also required to have a working knowledge of the C or C++ programming language - exempt from Modules 1-2 of the course and proficiency in Win32 programming - exempt from Modules 3-4 of the course.Testing and Certification
The M50155 Microsoft training course is the recommended preparation for the 70-660 TS: Windows Internals exam.Course Content
Module 1: Computer Architecture RefreshmentIn this module candidates will learn how the modern computer is constructed and how programmes execute on this computer architecture.
Lessons:
- Computer Architecture: CPU, Registers, Cache, Memory, Input and Output Devices
- Just Enough Assembly Language to Get By
- Programme Execution Model: Compilation, Linkage, Loading, Execution
- Explain the various components of which a modern computer is comprised
- Describe the execution model of a programme
Module 2: C Programming Basics
In this module candidates will learn how to develop programmes in the C programming language and exposes concepts such as variables, data structures, stack vs. heap allocation and function execution.
Lessons:
- Variables and Data Structures
- Functions and Stack: Calling Functions
- Dynamic Memory Allocation
- Calling functions
- Tracing through assembly code
- Analyse and explain simple programmes in the C programming language
- Understand the concept of complex data structures, dynamic memory allocation and function execution
- Read basic procedures in x86 assembly language
Module 3: Windows History and Characteristics
In this module candidates will learn how to approach the Windows operating system using various APIs including Win32, and the motivation, history and design goals of Windows.
Lessons:
- The Evolution of Windows: Windows 1.0 through Windows Vista
- Back to 1989: Windows NT Design Goals
- Windows Versions and Editions
- Windows Programming Interfaces: Win32, COM, .NET
- Explain the primary differences between the various Windows versions and product editions
- Appreciate the design goals of Windows NT as they are threaded into the Windows operating system
- Understand the pros and cons of Windows programming interfaces
Module 4: Win32 Programming Primer
In this module candidates will learn how the operating system implements windows, message passing between windows, kernel objects and handles, processes and threads and synchronisation mechanism. This module also serves as an exposition to provide a common ground for examining system internals.
Lessons:
- Introduction to Win32 API Paradigms
- Windows and Window Procedures
- Message Loops and Window Messages
- Kernel Objects and Handles
- Creating, Using and Sharing Objects
- Processes and Threads
- Synchronisation Mechanisms
- Structured Exception Handling
- An Introduction to NT File System (NTFS)
- Dynamic Link Libraries (DLLs) and Loading
- Inter-Process Communication
- Theoretical questions about Win32 basic concepts
- Describe Win32 APIs and understand how to properly use them
- Understand basic concepts in the Win32 programming model
Module 5: Tools
In this module candidates will learn how to use troubleshooting, inspection and debugging tools to examine the internals of the operating system and troubleshoot Windows applications. This module exposes the tools only briefly - crash analysis is covered in Modules 15-16.
Lessons:
- Sysinternals Tools - Process Explorer, Process Monitor
- Resource Kit and Support Kit Tools
- Debugging Tools for Windows
- Understanding Debugging Symbols
- Kernel Debuggers
- Setting up debugging symbols using environment variables
- Configuring symbols in Process Explorer and inspecting thread stacks
- First steps with WinDbg local kernel debugging
- Setting up kernel debugging with a virtual machine as the target
- Use troubleshooting tools to understand why applications misbehave
- Inspect the system`s inner workings through a kernel debugger
- Configure debugging-related behaviour for user-mode applications
Module 6: System Architecture
In this module candidates will learn how to classify Windows system components and processes, how hard-wired system processes interact and what architectural decisions were made in the design of Windows.
Lessons:
- Kernel-Mode vs. User-Mode Execution
- Primary System Components
- Types of User-Mode Processes
- Hard-Wired System Processes
- Explain why the operating system and CPU provide the distinction between kernel-mode and user-mode execution privilege rings
- Appreciate the relationships between the primary system components
- Understand the purpose of each user-mode process type including system services, environment subsystems and standard applications
- Understand the importance of each hard-wired system processes and their relationship hierarchy
Module 7: Startup and Shutdown
In this module candidates will learn how to troubleshoot Windows start-up and shutdown and what components are involved in the start-up and shutdown process.
Lessons:
- Windows Startup - from Setup to Shell
- Windows Shutdown - Applications, Services and Drivers
- Troubleshoot the Windows start-up process, including boot configuration, start-up processes, last known good configuration and safe mode
- Troubleshoot the Windows shutdown process, including unresponsive UI applications, unresponsive console applications and services and unresponsive drivers
Module 8: System Mechanisms
In this module candidates will learn how to use exception handling, interrupt dispatching, deferred procedure calls, asynchronous procedure calls and other kernel mechanisms properly.
Lessons:
- Trap and Interrupt Dispatching
- Interrupt Request Levels (IRQL)
- Exception Handling in User-Mode and Kernel-Mode
- Deferred Procedure Calls (DPC)
- Asynchronous Procedure Calls (APC) in User-Mode and Kernel-Mode
- The LPC Facility
- System Worker Threads
- Examining interrupt processing using the kernel profiler (kernrate.exe)
- Using the Performance Monitor system performance data collector set to obtain statistics on DPCs, interrupts, network activity, file system access and memory usage
- Using the Reliability Monitor to analyse system stability, driver installations, application failures and Windows failures
- Understand the various types of structured exception handling and when each should be used
- Understand the implications of the IRQL on system stability and responsiveness
- Use APCs for delayed asynchronous processing in user-mode applications
- Inspect the behaviour of various system mechanisms on a live system
Module 9: Process and Thread Internals
In this module candidates will learn how to create operating system processes and threads and how to inspect their internal data structures in a kernel debugger.
Lessons:
- Process Data Structures: Kernel, Executive, Environment Subsystem
- Process Creation Flow
- Thread Data Structures: Kernel, Executive, Environment Subsystem
- Thread Creation Flow
- Determining whether a thread is a UI thread or not using the system service table pointer in the thread`s kernel data structure
- Understand the flow of process and thread creation
- Inspect the behaviour of threads and processes on a system using a kernel debugger
Module 10: Thread Scheduling
In this module candidates will learn how to properly interact with the operating system with regard to thread creation, thread priorities and multiprocessing on a multi-processor system. The module focuses on priority boosts, quantum boosts, thread processor affinity and other specific optimisations for multi-processor scheduling.
Lessons:
- Thread Scheduling in a Pre-emptive Multitasking Operating System
- Thread Execution States and Transitions
- Dispatcher Database
- Quantum Length, Tuning and Boosts
- Thread Priority and Priority Boosts
- Thread Scheduling on a Multi-Processor System
- Thread CPU Affinity and Non-Uniform Memory Access (NUMA)
- Tune the system by changing the foreground quantum boost, the quantum length and other parameters
- Schedule threads for execution on multi-processor system and carefully assign CPU affinities to threads if necessary
- Understand the implications of multi-processor CPU scheduling and NUMA considerations
Module 11: Synchronisation Mechanisms
In this module candidates will learn how to use synchronisation mechanisms to control thread execution and access to shared resources, and how to diagnose deadlocks and other problems arising from the use of synchronisation mechanisms.
Lessons:
- Concurrency and the Need for Synchronisation
- Kernel Synchronisation: IRQL, Spinlocks and Queued Spinlocks
- Executive Synchronisation: Dispatcher Objects and Wait Blocks
- Waiting for and Signalling Dispatcher Objects
- Tracing Dispatcher Objects and Wait Chain Traversal
- Choose the most appropriate synchronisation mechanism for the task
- Appreciate how dispatcher objects become signalled
- Trace through dispatcher objects and wait blocks in a kernel debugger
- Use Wait Chain Traversal to diagnose deadlocks and wait chains in user-mode applications
Module 12: The Memory Manager
In this module candidates will learn how to interact with the Windows Memory Manager in order to allocate, reserve and commit memory, share memory between processes, protect memory and lock pages into physical memory.
Lessons:
- Virtual Memory and Paging
- Allocating Memory: Reserve, Commit, Heap
- Address Space Layout: User-Mode and Kernel-Mode , 32-bit and 64-bit
- Virtual Address Translation, Translation Look-Aside Buffer (TLB)
- Protecting Memory
- Locking Pages into Memory, Address Windowing Extensions (AWE)
- System Memory Pools and Look-Aside Lists
- Working Set Management: Fetch, Placement and Replacement Policies
- Page Frame Number (PFN) Database
- Allocate memory using the most appropriate mechanism for the task, including reserving and committing memory on demand
- Share memory between processes and protect memory from being read, written or executed improperly
- Allocate physical memory directly to overcome virtual memory limitations on 32-bit systems
- Tune working set management for applications to achieve less paging and better performance
Module 13: The I/O System
In this module candidates will learn how to examine the various components comprising the Windows I/O system and briefly reviews the basic infrastructure of Windows device drivers, the power manager and the Plug-and-Play (PNP) manager.
Lessons:
- The I/O Manager, Power Manager and Plug-and-Play Manager
- Device Driver Structure
- I/O Data Structures: File Objects, Driver Object, Device Object
- I/O Flow: I/O Request Packets
- A Glimpse Towards Windows Driver Foundation (WDF)
- Examine I/O data structures to identify drivers, devices and files
- Trace the flow of I/O request packets through the I/O system
- Appreciate the role of power management and Plug-and-Play in the Windows I/O system
Module 14: The Cache Manager
In this module candidates will learn how to use the Windows file system cache manager to achieve better performance for applications which rely heavily on the file system.
Lessons:
- Operating System File Caching vs. CPU Caching
- Cache Structure: Cache Control Blocks, Private Control Blocks
- Cache Operation: Read and Write, Fast I/O
- Controlling the Cache Manager: Hints to CreateFile
- Provide hints to the cache manager to achieve better performance for applications which rely on the file system
- Understand the structure and operation of the file system cache and the fast I/O path
Module 15: User-Mode Debugging
In this module candidates will learn how to debug live user-mode applications and examine crash dumps or hang dumps obtained from user-mode applications.
Lessons:
- Understanding the Role of Debugging Symbols
- Generating Dump Files: Crash and Hang Scenarios
- Debugging Application Crashes
- Debugging Application Hangs and Deadlocks
- Analysing a simple crash in an application by generating and opening a crash dump
- Detecting a deadlock condition between critical sections in the debugger
- Pinpointing a problem with file system and registry access by an application
- Predicting compatibility issues with future versions of Windows (Application Compatibility Toolkit)
- Tracing through a handle misuse scenario
- Obtain dumps of running processes for later analysis in hang or crash scenarios
- Debug common issues such as crashes, hangs, deadlocks and invalid handles
Module 16: Kernel-Mode Debugging
In this module candidates will learn how to debug kernel-mode dumps obtained from a crashed or hung Windows system.
Lessons:
- Blue Screen of Death: When Does the Operating System Crash?
- Manually Obtaining a Dump of the System
- Debugging Crashes
- Using Driver Verifier to Pinpoint Faulting Drivers
- Opening a minidump and finding the faulty driver
- Crashing the system and finding the faulty driver using Driver Verifier to reproduce the problem
- Obtain dumps of the entire system for later analysis
- Debug common crashes and understand the reasons for Windows crashes
- Use Driver Verifier to detect faulty drivers
Module 17: What`s Different in 64-Bit Windows?
In this module candidates will learn how to port 32-bit applications to 64-bit Windows, how to execute 32-bit and 64-bit applications side-by-side and how to take advantage of the 64-bit Intel/AMD processor architecture.
Lessons:
- 64-Bit Processor Architecture (AMD64)
- Windows on Windows 64 (WOW64) Architecture
- File System and Registry Redirection and Virtualization
- Performance Improvements on 64-Bit Windows
- Port existing 32-bit applications to 64-bit Windows or execute them natively using WOW64
- Troubleshoot common issues with 32-bit applications on 64-bit Windows
Additional Reading
To help prepare for this class, candidates are recommended to review the following resources:- Andrew S. Tanenbaum, "Structured Computer Organisation," Prentice Hall (1998)
- Jeffrey Richter, "Programming Applications for Microsoft Windows," Microsoft Press (1999)
- Jeffrey Richter, "Windows via C/C++," Microsoft Press (2007)
