TiS General Support Troubleshooting

  • 8/14/2019 TiS General Support Troubleshooting

    Support Troubleshooting

    Troubleshooting

    Applications or the system sometimes exhibit mysterious bad performance

    Most applications do a poor job of reporting unexpected errors:

        Locked, missing or corrupt files

        Missing or corrupt registry data

        Permissions problems

    You might be plagued by the occasional hard hang or bluescreen

    Tools We Use

    Sysinternals: www.microsoft.com/technet/sysinternals

        Process Explorer - process/thread viewer

        Process Monitor - file/registry/process/thread tracing

    Debugging Tools for Windows: www.microsoft.com/whdc/devtools/debugging/Windbg

        Windbg - application and kernel debugger

    eFlow Logger

    Process Explorer

    Process Explorer is a Task Manager replacement

        You can literally replace Task Manager with Options->Replace Task Manager

        Hide-when-minimize to always have it handy

        Hover the mouse to see a tooltip showing the process consuming the most CPU

    Open System Information graph to see CPU usage history

        Graphs are time stamped with hover showing biggest consumer at point in time

        Also includes other activity such as I/O, kernel memory limits

    Process Monitor

    Process Monitor is a real-time file, registry, process and thread monitor

    It requires Windows 2000 SP4 w/Update Rollup 1, XP SP2 or higher, Server 2003 SP1 or higher, Vista, or Server 2008 (including 64-bit versions of Windows)

    Enhancements over Filemon/Regmon include:

        More advanced filtering

        Operation call stacks

        Boot-time logging

        Data mining views

        Process tree to see short-lived processes

    When in doubt, run Process Monitor!

        It will often show you the cause for error messages

        It often tells you what is causing sluggish performance

    Processes and Threads

    A process represents an instance of a running program

        Address space

        Resources (e.g., open handles)

        Security profile (token)

    A thread is an execution context within a process

        Unit of scheduling (threads run, processes don't run)

        All threads in a process share the same per-process address space

    Viewing Threads

    Task Manager doesn't show thread details within a process

    Process Explorer does on the Threads tab

        Displays thread details such as ID, CPU usage, start time, state, priority

        Click Module to get details on module containing thread start address

    Call Stacks

    Sometimes a thread start address doesn't tell you what a thread is doing

    The stack might provide a hint:

        The stack is a per-thread region of memory that records a history of function nesting

        The bottom frame (Function 3) is where the thread will continue executing

    [Diagram: stack frames labeled Function 1, Function 2 and Function 3]

    Viewing Call Stacks

    Click Stack on the Threads tab to view a thread's call stack

        Lists functions in reverse chronological order

    Note that start address on Threads tab is different than first function shown in stack

        This is because all threads created by Windows programs start in a library function in Kernel32.dll which calls the programmed start address

    Associating Windows with Processes

    Task Manager can associate a window in its list with a process

        But sometimes windows appear that are not in its Applications list

    Process Explorer has a window finder tool

        On tool bar, drag window finder icon over window and release

        Process that owns thread that owns window is highlighted

    Visual Studio Spy++ tool shows which thread owns a window

    Viewing Open Handles

    Each process has a list of open objects

        Files, Registry keys, synchronization objects, TCP/UDP ports

    May be useful to query this list

    Microsoft tools: XP/2003 have new Openfiles /query command

        Only shows handles to open files, not other non-file objects

    Process Explorer and Sysinternals Handle can show open handles without this flag

        Uses a device driver

    Uses Of Handle View

    Understand resources used by an application

        Files

        Registry keys

        Note: by default, shows named objects

            Click on Options->Show Unnamed Objects

    Solve file locked errors

        Use the search feature to determine what process is holding a file or directory open

        Can even close an open file (be careful!)

    View the state of synchronization objects (mutexes, semaphores, events)

    Detect handle leaks using refresh difference highlighting
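
The refresh-difference check for handle leaks can also be scripted across all processes at once. The PowerShell below is an added example, not part of the original slides; the function name Find-HandleGrowth, its parameters and the default thresholds are assumptions, and it relies only on the handle counts that Get-Process reports.

```powershell
# Added example: flag processes whose handle count only grows across snapshots.
# Function name, parameters and thresholds are illustrative assumptions.
function Find-HandleGrowth {
    param(
        [int]$Samples = 5,           # number of snapshots to take
        [int]$IntervalSeconds = 10,  # delay between snapshots
        [int]$MinGrowth = 100        # ignore growth smaller than this
    )

    $history = @{}   # process ID -> name and one handle count per snapshot

    for ($i = 0; $i -lt $Samples; $i++) {
        foreach ($p in Get-Process) {
            if (-not $history.ContainsKey($p.Id)) {
                $history[$p.Id] = [pscustomobject]@{
                    Name   = $p.ProcessName
                    Counts = New-Object 'System.Collections.Generic.List[int]'
                }
            }
            $history[$p.Id].Counts.Add($p.HandleCount)
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    foreach ($procId in $history.Keys) {
        $entry = $history[$procId]
        $c = $entry.Counts
        # Only judge processes present in every snapshot (skips short-lived ones).
        if ($c.Count -ne $Samples) { continue }

        # A leak candidate never drops between consecutive snapshots.
        $monotonic = $true
        for ($j = 1; $j -lt $c.Count; $j++) {
            if ($c[$j] -lt $c[$j - 1]) { $monotonic = $false; break }
        }
        $growth = $c[$c.Count - 1] - $c[0]
        if ($monotonic -and $growth -ge $MinGrowth) {
            [pscustomobject]@{
                PID = $procId; Name = $entry.Name
                First = $c[0]; Last = $c[$c.Count - 1]; Growth = $growth
            }
        }
    }
}

Find-HandleGrowth | Sort-Object Growth -Descending | Format-Table -AutoSize
```

Run it while reproducing the problem; a process that keeps showing up in the output is the one to open in the Process Explorer handle view.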

    Combine it all with eFlow Logger

    Sysinternals tools with the eFlow Logger are a perfect tandem for troubleshooting and getting to the root of problems.

    It is always advised to have the eFlow Logger open alongside Process Explorer and Process Monitor, with the severity level set to Info, in order to get precise details of activities.