Your cart is empty. View / Checkout
United States Cisco SMARTnet Pricing
Other Solutions


Win Internals for IT

Microsoft Certified Technology Specialist (MCTS): Windows Internals M50155 70-660

Course Title: Win Internals for IT

Course Code: M50155
Version: A
Level: 300
Duration: 5 Days

Course Overview

The Win Internals for IT M50155 instructor-led training course has been designed to provide candidates with the necessary skills and knowledge required to debug and troubleshoot low-level Windows applications. The course provides a detailed view of the Windows operating system architecture, its key components, undocumented interfaces and core interactions through the use of debugging utilities, inspection tools and exercises.

Target Audience

Candidates who should consider attending the M50155 Microsoft training course are escalation and support engineers with substantial experience administering and troubleshooting applications and systems on Windows.

Course Objectives

On successfully completing the M50155 course candidates will be able to:
  • Use debugging tools to troubleshoot user-mode and kernel-mode issues
  • Appreciate the relationships between system components and their interactions with each other
  • Improve application performance by understanding how the system behaves internally

Course Prerequisites

Candidates attending the M50155 Microsoft training course should be familiar with the Windows operating system on a power-user level and operating systems concepts (multiprocessing, thread scheduling, virtual memory) is preferable but not a must. Candidates are also required to have a working knowledge of the C or C++ programming language - exempt from Modules 1-2 of the course and proficiency in Win32 programming - exempt from Modules 3-4 of the course.

Testing and Certification

The M50155 Microsoft training course is the recommended preparation for the 70-660 TS: Windows Internals exam.

Course Content

Module 1: Computer Architecture Refreshment

In this module candidates will learn how the modern computer is constructed and how programmes execute on this computer architecture.

  • Computer Architecture: CPU, Registers, Cache, Memory, Input and Output Devices
  • Just Enough Assembly Language to Get By
  • Programme Execution Model: Compilation, Linkage, Loading, Execution
After completing this module, candidates will be able to:
  • Explain the various components of which a modern computer is comprised
  • Describe the execution model of a programme

Module 2: C Programming Basics

In this module candidates will learn how to develop programmes in the C programming language and exposes concepts such as variables, data structures, stack vs. heap allocation and function execution.

  • Variables and Data Structures
  • Functions and Stack: Calling Functions
  • Dynamic Memory Allocation
Lab: Computer Architecture and C Programming
  • Calling functions
  • Tracing through assembly code
After completing this module, candidates will be able to:
  • Analyse and explain simple programmes in the C programming language
  • Understand the concept of complex data structures, dynamic memory allocation and function execution
  • Read basic procedures in x86 assembly language

Module 3: Windows History and Characteristics

In this module candidates will learn how to approach the Windows operating system using various APIs including Win32, and the motivation, history and design goals of Windows.

  • The Evolution of Windows: Windows 1.0 through Windows Vista
  • Back to 1989: Windows NT Design Goals
  • Windows Versions and Editions
  • Windows Programming Interfaces: Win32, COM, .NET
After completing this module, candidates will be able to:
  • Explain the primary differences between the various Windows versions and product editions
  • Appreciate the design goals of Windows NT as they are threaded into the Windows operating system
  • Understand the pros and cons of Windows programming interfaces

Module 4: Win32 Programming Primer

In this module candidates will learn how the operating system implements windows, message passing between windows, kernel objects and handles, processes and threads and synchronisation mechanism. This module also serves as an exposition to provide a common ground for examining system internals.

  • Introduction to Win32 API Paradigms
  • Windows and Window Procedures
  • Message Loops and Window Messages
  • Kernel Objects and Handles
  • Creating, Using and Sharing Objects
  • Processes and Threads
  • Synchronisation Mechanisms
  • Structured Exception Handling
  • An Introduction to NT File System (NTFS)
  • Dynamic Link Libraries (DLLs) and Loading
  • Inter-Process Communication
Lab: Basic Win32 Concepts
  • Theoretical questions about Win32 basic concepts
After completing this module, candidates will be able to:
  • Describe Win32 APIs and understand how to properly use them
  • Understand basic concepts in the Win32 programming model

Module 5: Tools

In this module candidates will learn how to use troubleshooting, inspection and debugging tools to examine the internals of the operating system and troubleshoot Windows applications. This module exposes the tools only briefly - crash analysis is covered in Modules 15-16.

  • Sysinternals Tools - Process Explorer, Process Monitor
  • Resource Kit and Support Kit Tools
  • Debugging Tools for Windows
  • Understanding Debugging Symbols
  • Kernel Debuggers
Lab: Symbols, Process Explorer and WinDbg
  • Setting up debugging symbols using environment variables
  • Configuring symbols in Process Explorer and inspecting thread stacks
  • First steps with WinDbg local kernel debugging
Lab: Virtual Kernel Debugging (Optional)
  • Setting up kernel debugging with a virtual machine as the target
After completing this module, candidates will be able to:
  • Use troubleshooting tools to understand why applications misbehave
  • Inspect the system`s inner workings through a kernel debugger
  • Configure debugging-related behaviour for user-mode applications

Module 6: System Architecture

In this module candidates will learn how to classify Windows system components and processes, how hard-wired system processes interact and what architectural decisions were made in the design of Windows.

  • Kernel-Mode vs. User-Mode Execution
  • Primary System Components
  • Types of User-Mode Processes
  • Hard-Wired System Processes
After completing this module, candidates will be able to:
  • Explain why the operating system and CPU provide the distinction between kernel-mode and user-mode execution privilege rings
  • Appreciate the relationships between the primary system components
  • Understand the purpose of each user-mode process type including system services, environment subsystems and standard applications
  • Understand the importance of each hard-wired system processes and their relationship hierarchy

Module 7: Startup and Shutdown

In this module candidates will learn how to troubleshoot Windows start-up and shutdown and what components are involved in the start-up and shutdown process.

  • Windows Startup - from Setup to Shell
  • Windows Shutdown - Applications, Services and Drivers
After completing this module, candidates will be able to:
  • Troubleshoot the Windows start-up process, including boot configuration, start-up processes, last known good configuration and safe mode
  • Troubleshoot the Windows shutdown process, including unresponsive UI applications, unresponsive console applications and services and unresponsive drivers

Module 8: System Mechanisms

In this module candidates will learn how to use exception handling, interrupt dispatching, deferred procedure calls, asynchronous procedure calls and other kernel mechanisms properly.

  • Trap and Interrupt Dispatching
  • Interrupt Request Levels (IRQL)
  • Exception Handling in User-Mode and Kernel-Mode
  • Deferred Procedure Calls (DPC)
  • Asynchronous Procedure Calls (APC) in User-Mode and Kernel-Mode
  • The LPC Facility
  • System Worker Threads
Lab: Understanding System Mechanisms
  • Examining interrupt processing using the kernel profiler (kernrate.exe)
  • Using the Performance Monitor system performance data collector set to obtain statistics on DPCs, interrupts, network activity, file system access and memory usage
  • Using the Reliability Monitor to analyse system stability, driver installations, application failures and Windows failures
After completing this module, candidates will be able to:
  • Understand the various types of structured exception handling and when each should be used
  • Understand the implications of the IRQL on system stability and responsiveness
  • Use APCs for delayed asynchronous processing in user-mode applications
  • Inspect the behaviour of various system mechanisms on a live system

Module 9: Process and Thread Internals

In this module candidates will learn how to create operating system processes and threads and how to inspect their internal data structures in a kernel debugger.

  • Process Data Structures: Kernel, Executive, Environment Subsystem
  • Process Creation Flow
  • Thread Data Structures: Kernel, Executive, Environment Subsystem
  • Thread Creation Flow
Lab: Examining Processes and Threads
  • Determining whether a thread is a UI thread or not using the system service table pointer in the thread`s kernel data structure
After completing this module, candidates will be able to:
  • Understand the flow of process and thread creation
  • Inspect the behaviour of threads and processes on a system using a kernel debugger

Module 10: Thread Scheduling

In this module candidates will learn how to properly interact with the operating system with regard to thread creation, thread priorities and multiprocessing on a multi-processor system. The module focuses on priority boosts, quantum boosts, thread processor affinity and other specific optimisations for multi-processor scheduling.

  • Thread Scheduling in a Pre-emptive Multitasking Operating System
  • Thread Execution States and Transitions
  • Dispatcher Database
  • Quantum Length, Tuning and Boosts
  • Thread Priority and Priority Boosts
  • Thread Scheduling on a Multi-Processor System
  • Thread CPU Affinity and Non-Uniform Memory Access (NUMA)
After completing this module, candidates will be able to:
  • Tune the system by changing the foreground quantum boost, the quantum length and other parameters
  • Schedule threads for execution on multi-processor system and carefully assign CPU affinities to threads if necessary
  • Understand the implications of multi-processor CPU scheduling and NUMA considerations

Module 11: Synchronisation Mechanisms

In this module candidates will learn how to use synchronisation mechanisms to control thread execution and access to shared resources, and how to diagnose deadlocks and other problems arising from the use of synchronisation mechanisms.

  • Concurrency and the Need for Synchronisation
  • Kernel Synchronisation: IRQL, Spinlocks and Queued Spinlocks
  • Executive Synchronisation: Dispatcher Objects and Wait Blocks
  • Waiting for and Signalling Dispatcher Objects
  • Tracing Dispatcher Objects and Wait Chain Traversal
After completing this module, candidates will be able to:
  • Choose the most appropriate synchronisation mechanism for the task
  • Appreciate how dispatcher objects become signalled
  • Trace through dispatcher objects and wait blocks in a kernel debugger
  • Use Wait Chain Traversal to diagnose deadlocks and wait chains in user-mode applications

Module 12: The Memory Manager

In this module candidates will learn how to interact with the Windows Memory Manager in order to allocate, reserve and commit memory, share memory between processes, protect memory and lock pages into physical memory.

  • Virtual Memory and Paging
  • Allocating Memory: Reserve, Commit, Heap
  • Address Space Layout: User-Mode and Kernel-Mode , 32-bit and 64-bit
  • Virtual Address Translation, Translation Look-Aside Buffer (TLB)
  • Protecting Memory
  • Locking Pages into Memory, Address Windowing Extensions (AWE)
  • System Memory Pools and Look-Aside Lists
  • Working Set Management: Fetch, Placement and Replacement Policies
  • Page Frame Number (PFN) Database
After completing this module, candidates will be able to:
  • Allocate memory using the most appropriate mechanism for the task, including reserving and committing memory on demand
  • Share memory between processes and protect memory from being read, written or executed improperly
  • Allocate physical memory directly to overcome virtual memory limitations on 32-bit systems
  • Tune working set management for applications to achieve less paging and better performance

Module 13: The I/O System

In this module candidates will learn how to examine the various components comprising the Windows I/O system and briefly reviews the basic infrastructure of Windows device drivers, the power manager and the Plug-and-Play (PNP) manager.

  • The I/O Manager, Power Manager and Plug-and-Play Manager
  • Device Driver Structure
  • I/O Data Structures: File Objects, Driver Object, Device Object
  • I/O Flow: I/O Request Packets
  • A Glimpse Towards Windows Driver Foundation (WDF)
After completing this module, candidates will be able to:
  • Examine I/O data structures to identify drivers, devices and files
  • Trace the flow of I/O request packets through the I/O system
  • Appreciate the role of power management and Plug-and-Play in the Windows I/O system

Module 14: The Cache Manager

In this module candidates will learn how to use the Windows file system cache manager to achieve better performance for applications which rely heavily on the file system.

  • Operating System File Caching vs. CPU Caching
  • Cache Structure: Cache Control Blocks, Private Control Blocks
  • Cache Operation: Read and Write, Fast I/O
  • Controlling the Cache Manager: Hints to CreateFile
After completing this module, candidates will be able to:
  • Provide hints to the cache manager to achieve better performance for applications which rely on the file system
  • Understand the structure and operation of the file system cache and the fast I/O path

Module 15: User-Mode Debugging

In this module candidates will learn how to debug live user-mode applications and examine crash dumps or hang dumps obtained from user-mode applications.

  • Understanding the Role of Debugging Symbols
  • Generating Dump Files: Crash and Hang Scenarios
  • Debugging Application Crashes
  • Debugging Application Hangs and Deadlocks
Lab: User-Mode Dumps and Debugging
  • Analysing a simple crash in an application by generating and opening a crash dump
  • Detecting a deadlock condition between critical sections in the debugger
  • Pinpointing a problem with file system and registry access by an application
  • Predicting compatibility issues with future versions of Windows (Application Compatibility Toolkit)
  • Tracing through a handle misuse scenario
After completing this module, candidates will be able to:
  • Obtain dumps of running processes for later analysis in hang or crash scenarios
  • Debug common issues such as crashes, hangs, deadlocks and invalid handles

Module 16: Kernel-Mode Debugging

In this module candidates will learn how to debug kernel-mode dumps obtained from a crashed or hung Windows system.

  • Blue Screen of Death: When Does the Operating System Crash?
  • Manually Obtaining a Dump of the System
  • Debugging Crashes
  • Using Driver Verifier to Pinpoint Faulting Drivers
Lab: Kernel-Mode Dumps
  • Opening a minidump and finding the faulty driver
  • Crashing the system and finding the faulty driver using Driver Verifier to reproduce the problem
After completing this module, candidates will be able to:
  • Obtain dumps of the entire system for later analysis
  • Debug common crashes and understand the reasons for Windows crashes
  • Use Driver Verifier to detect faulty drivers

Module 17: What`s Different in 64-Bit Windows?

In this module candidates will learn how to port 32-bit applications to 64-bit Windows, how to execute 32-bit and 64-bit applications side-by-side and how to take advantage of the 64-bit Intel/AMD processor architecture.

  • 64-Bit Processor Architecture (AMD64)
  • Windows on Windows 64 (WOW64) Architecture
  • File System and Registry Redirection and Virtualization
  • Performance Improvements on 64-Bit Windows
After completing this module, candidates will be able to:
  • Port existing 32-bit applications to 64-bit Windows or execute them natively using WOW64
  • Troubleshoot common issues with 32-bit applications on 64-bit Windows

Additional Reading

To help prepare for this class, candidates are recommended to review the following resources:
  • Andrew S. Tanenbaum, "Structured Computer Organisation," Prentice Hall (1998)
  • Jeffrey Richter, "Programming Applications for Microsoft Windows," Microsoft Press (1999)
  • Jeffrey Richter, "Windows via C/C++," Microsoft Press (2007)
PLEASE NOTE: Every effort has been made to ensure the accuracy of all information contained herein. IT Help and Support Centre Ltd makes no warranty expressed or implied with respect to accuracy of this information, including price, product editorials or product specifications. IT Help and Support Centre Ltd or its suppliers shall not be liable for incidental, consequential or special damages arising from, or as a result of, any electronic transmission or the accuracy of the information contained herin, even if IT Help and Support Centre Ltd has been advised of the possibility of such damages. Product and manufacturer names are used only for the purpose of identification.

This Website is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, Cisco IOS, Cisco Systems, the Cisco Systems logo, and Networking Academy are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this web site are the property of their respective owners.
Privacy Statement Terms & Conditions