Hello
Your cart is empty. View / Checkout
United States Pricing
813-421-2951
Other Solutions

M50154

Win Internals for programmers

Microsoft Certified Technology Specialist (MCTS): Windows Internals M50154 70-660

Course Title: Win Internals for programmers

Course Code: M50154
Version: A
Level: 300
Duration: 5 Days

Course Overview

The Win Internals for programmers M50154 instructor-led training course has been designed to provide candidates with the necessary skills and knowledge required to develop, debug and troubleshoot low-level Windows applications. The course provides a detailed view of the Windows operating system architecture, its key components, undocumented interfaces and core interactions through the use of debugging utilities, inspection tools and exercises.

Target Audience

Candidates who should consider attending the M50154 Microsoft training course are systems programmers, device driver developers and other Win32 developers with at least 1 year of experience programming native applications for Windows.

Course Objectives

On successfully completing the M50154 course candidates will be able to:
  • Use debugging tools to troubleshoot user-mode and kernel-mode issues
  • Develop applications with a proper understanding of the Windows architecture
  • Appreciate the relationships between system components and their interactions with each other
  • Improve application performance by understanding how the system behaves internally

Course Prerequisites

Candidates attending the M50154 Microsoft training course should have a thorough understanding of Win32 programming (this is not a Win32 programming course) and a working knowledge of the C programming language. Candidates are also required to be familiar with the Windows operating system on a power-user level; operating systems concepts (multiprocessing, thread scheduling, virtual memory) is preferable but not a must and object-oriented programming paradigms which is preferable but not a must.

Testing and Certification

The M50154 Microsoft training course is the recommended preparation for the 70-513 TS: Windows Communication Foundation Development with Microsoft .NET Framework 4 exam.

Course Content

Module 1: Windows History and Characteristics

In this module candidates will learn how to approach the Windows operating system using various APIs including Win32, and the motivation, history and design goals of Windows.


Lessons:
  • The Evolution of Windows: Windows 1.0 through Windows Vista
  • Back to 1989: Windows NT Design Goals
  • Windows Versions and Editions
  • Windows Programming Interfaces: Win32, COM, .NET
Lab: Basic Win32 Concepts
  • Open questions on Win32 programming concepts
After completing this module, candidates will be able to:
  • Explain the primary differences between the various Windows versions and product editions
  • Appreciate the design goals of Windows NT as they are threaded into the Windows operating system
  • Understand the pros and cons of Windows programming interfaces

Module 2: Tools

In this module candidates will learn how to use troubleshooting, inspection and debugging tools to examine the internals of the operating system and troubleshoot Windows applications. This module exposes the tools only briefly - crash analysis is covered in Modules 13-14.


Lessons:
  • Sysinternals Tools - Process Explorer, Process Monitor
  • Resource Kit and Support Kit Tools
  • Debugging Tools for Windows
  • Understanding Debugging Symbols
  • Kernel Debuggers
Lab: Symbols, Process Explorer, and WinDbg
  • Setting up debugging symbols using environment variables
  • Configuring symbols in Process Explorer and inspecting thread stacks
  • First steps with WinDbg local kernel debugging
Lab: Virtual Kernel Debugging (Optional)
  • Setting up kernel debugging with a virtual machine as the target
After completing this module, candidates will be able to:
  • Use troubleshooting tools to understand why applications misbehave
  • Inspect the system`s inner workings through a kernel debugger
  • Configure debugging-related behaviour for user-mode applications

Module 3: System Architecture

In this module candidates will learn how to classify Windows system components and processes, how hard-wired system processes interact and what architectural decisions were made in the design of Windows.


Lessons:
  • Kernel-Mode vs. User-Mode Execution
  • Primary System Components
  • Types of User-Mode Processes
  • Hard-Wired System Processes
After completing this module, candidates will be able to:
  • Explain why the operating system and CPU provide the distinction between kernel-mode and user-mode execution privilege rings
  • Appreciate the relationships between the primary system components
  • Understand the purpose of each user-mode process type including system services, environment subsystems, and standard applications
  • Understand the importance of each hard-wired system processes and their relationship hierarchy

Module 4: Startup and Shutdown

In this module candidates will learn how to troubleshoot Windows start-up and shutdown and what components are involved in the start-up and shutdown process.


Lessons:
  • Windows Startup - from Setup to Shell
  • Windows Shutdown - Applications, Services and Drivers
After completing this module, candidates will be able to:
  • Troubleshoot the Windows start-up process, including boot configuration, start-up processes, last known good configuration and safe mode
  • Troubleshoot the Windows shutdown process, including unresponsive UI applications, unresponsive console applications and services and unresponsive drivers
  • Develop applications and services that integrate properly within the Windows start-up and shutdown process

Module 5: System Mechanisms

In this module candidates will learn how to use exception handling, interrupt dispatching, deferred procedure calls, asynchronous procedure calls and other kernel mechanisms properly.


Lessons:
  • Trap and Interrupt Dispatching
  • Interrupt Request Levels (IRQL)
  • Exception Handling in User-Mode and Kernel-Mode
  • Deferred Procedure Calls (DPC)
  • Asynchronous Procedure Calls (APC) in User-Mode and Kernel-Mode
  • The LPC Facility
  • System Worker Threads
Lab: Understanding System Mechanisms
  • Examining interrupt processing using the kernel profiler (kernrate.exe)
  • Using the Performance Monitor system performance data collector set to obtain statistics on DPCs, interrupts, network activity, file system access, and memory usage
  • Using the Reliability Monitor to analyse system stability, driver installations, application failures, and Windows failures
Lab: Using User-Mode APCs
  • Implementing a simple user-mode thread-pool using user-mode APCs to schedule work to idle threads
After completing this module, candidates will be able to:
  • Develop applications that handle and raise Win32 exceptions properly
  • Understand the various types of structured exception handling and when each should be used
  • Understand the implications of the IRQL on system stability and responsiveness
  • Use APCs for delayed asynchronous processing in user-mode applications
  • Develop applications that take advantage of LPC directly or indirectly to improve performance
  • Inspect the behaviour of various system mechanisms on a live system

Module 6: The Object Manager

In this module candidates will learn how to use Windows kernel objects through user-mode handles and how the operating system accesses resources and controls access to resources through the Object Manager.


Lessons:
  • Resource Management in the Operating System
  • Handles and Handle Tables
  • Creating, Naming, Sharing, and Duplicating Kernel Objects
  • Executive Object Types
Lab: Inspecting Objects
  • Using "object reference tracing" (GFlags) to inspect object creation
  • Using "maintain a list of objects for each type" (GFlags) to inspect live objects of a specific type
Lab: Listing Objects using NTDLL
  • Implementing a utility for listing open handles in a specified process using undocumented NTDLL APIs
After completing this module, candidates will be able to:
  • Create kernel objects and access them through handles
  • Develop applications that benefit from handle sharing and duplication
  • Understand the various types of kernel objects and how they can be used
  • Inspect handles and objects in a debugger

Module 7: Process and Thread Internals

In this module candidates will learn how to create operating system processes and threads and how to inspect their internal data structures in a kernel debugger.


Lessons:
  • Process Data Structures: Kernel, Executive, Environment Subsystem
  • Process Creation Flow
  • Thread Data Structures: Kernel, Executive, Environment Subsystem
  • Thread Creation Flow
Lab: Examining Processes and Threads
  • Determining whether a thread is a UI thread or not using the system service table pointer in the thread`s kernel data structure
After completing this module, candidates will be able to:
  • Understand the flow of process and thread creation
  • Inspect the behaviour of threads and processes on a system using a kernel debugger

Module 8: Thread Scheduling

In this module candidates will learn how to properly interact with the operating system with regard to thread creation, thread priorities and multiprocessing on a multi-processor system. This module focuses on priority boosts, quantum boosts, thread processor affinity and other specific optimisations for multi-processor scheduling.


Lessons:
  • Thread Scheduling in a Pre-emptive Multitasking Operating System
  • Thread Execution States and Transitions
  • Dispatcher Database
  • Quantum Length, Tuning, and Boosts
  • Thread Priority and Priority Boosts
  • Thread Scheduling on a Multi-Processor System
  • Thread CPU Affinity and Non-Uniform Memory Access (NUMA)
Lab: Demonstrating Thread Priority Boosts
  • Implementing an application that enjoys the foreground quantum boost
After completing this module, candidates will be able to:
  • Develop applications that make best use of CPU resources by creating threads, assigning thread priorities, and understanding thread priority boosts
  • Tune the system by changing the foreground quantum boost, the quantum length, and other parameters
  • Schedule threads for execution on multi-processor system and carefully assign CPU affinities to threads if necessary
  • Understand the implications of multi-processor CPU scheduling and NUMA considerations

Module 9: Synchronisation Mechanisms

In this module candidates will learn how to use synchronisation mechanisms to control thread execution and access to shared resources and how to diagnose deadlocks and other problems arising from the use of synchronisation mechanisms.


Lessons:
  • Concurrency and the Need for Synchronisation
  • Kernel Synchronisation: IRQL, Spinlocks and Queued Spinlocks
  • Executive Synchronisation: Dispatcher Objects and Wait Blocks
  • Waiting for and Signalling Dispatcher Objects
  • Tracing Dispatcher Objects and Wait Chain Traversal
Lab: Using Wait Chain Traversal
  • Implementing a simple deadlock diagnostic application using Wait Chain Traversal
After completing this module, candidates will be able to:
  • Choose the most appropriate synchronisation mechanism for the task
  • Appreciate how dispatcher objects become signalled
  • Trace through dispatcher objects and wait blocks in a kernel debugger
  • Use Wait Chain Traversal to diagnose deadlocks and wait chains in user-mode applications

Module 10: The Memory Manager

In this module candidates will learn how to interact with the Windows Memory Manager in order to allocate, reserve and commit memory, share memory between processes, protect memory and lock pages into physical memory.


Lessons:
  • Virtual Memory and Paging
  • Allocating Memory: Reserve, Commit, Heap
  • Address Space Layout: User-Mode and Kernel-Mode, 32-bit and 64-bit
  • Virtual Address Translation, Translation Look-Aside Buffer (TLB)
  • Protecting Memory
  • Locking Pages into Memory, Address Windowing Extensions (AWE)
  • System Memory Pools and Look-Aside Lists
  • Working Set Management: Fetch, Placement and Replacement Policies
  • Page Frame Number (PFN) Database
After completing this module, candidates will be able to:
  • Allocate memory using the most appropriate mechanism for the task, including reserving and committing memory on demand
  • Share memory between processes and protect memory from being read, written, or executed improperly
  • Allocate physical memory directly to overcome virtual memory limitations on 32-bit systems
  • Tune working set management for applications to achieve less paging and better performance

Module 11: The I/O System

In this module candidates will learn how to examine the various components comprising the Windows I/O system and briefly reviews the basic infrastructure of Windows device drivers, the power manager and the Plug-and-Play (PNP) manager.


Lessons:
  • The I/O Manager, Power Manager, and Plug-and-Play Manager
  • Device Driver Structure
  • I/O Data Structures: File Objects, Driver Object, Device Object
  • I/O Flow: I/O Request Packets
  • A Glimpse Towards Windows Driver Foundation (WDF)
After completing this module, candidates will be able to:
  • Examine I/O data structures to identify drivers, devices, and files
  • Trace the flow of I/O request packets through the I/O system
  • Appreciate the role of power management and Plug-and-Play in the Windows I/O system

Module 12: The Cache Manager

In this module candidates will learn how to use the Windows file system cache manager to achieve better performance for applications which rely heavily on the file system.


Lessons:
  • Operating System File Caching vs. CPU Caching
  • Cache Structure: Cache Control Blocks, Private Control Blocks
  • Cache Operation: Read and Write, Fast I/O
  • Controlling the Cache Manager: Hints to CreateFile
After completing this module, candidates will be able to:
  • Provide hints to the cache manager to achieve better performance for applications which rely on the file system
  • Understand the structure and operation of the file system cache and the fast I/O path

Module 13: User-Mode Debugging

In this module candidates will learn how to debug live user-mode applications and examine crash dumps or hang dumps obtained from user-mode applications.


Lessons:
  • Understanding the Role of Debugging Symbols
  • Generating Dump Files: Crash and Hang Scenarios
  • Debugging Application Crashes
  • Debugging Application Hangs and Deadlocks
Lab: User-Mode Dumps and Debugging
  • Analysing a simple crash in an application by generating and opening a crash dump
  • Detecting a deadlock condition between critical sections in the debugger
  • Pinpointing a problem with file system and registry access by an application
  • Predicting compatibility issues with future versions of Windows (Application Compatibility Toolkit)
  • Tracing through a handle misuse scenario
After completing this module, candidates will be able to:
  • Obtain dumps of running processes for later analysis in hang or crash scenarios
  • Debug common issues such as crashes, hangs, deadlocks and invalid handles

Module 14: Kernel-Mode Debugging

In this module candidates will learn how to debug kernel-mode dumps obtained from a crashed or hung Windows system.


Lessons:
  • Blue Screen of Death: When Does the Operating System Crash?
  • Manually Obtaining a Dump of the System
  • Debugging Crashes
  • Using Driver Verifier to Pinpoint Faulting Drivers
Lab: Kernel-Mode Dumps
  • Opening a minidump and finding the faulty driver
  • Crashing the system and finding the faulty driver using Driver Verifier to reproduce the problem
After completing this module, candidates will be able to:
  • Obtain dumps of the entire system for later analysis
  • Debug common crashes and understand the reasons for Windows crashes
  • Use Driver Verifier to detect faulty drivers

Module 15: What`s New in Windows Vista?

In this module candidates will learn how to use the new mechanisms introduced in Windows Vista and Windows Server 2008 to write robust, high-performance, reliable and manageable applications.


Lessons:
  • Application Restart and Recovery, Restart Manager
  • Kernel Transaction Manager: Transactional File System and Registry
  • I/O and Memory Management Improvements
  • Overview of Networking Changes
After completing this module, candidates will be able to:
  • Develop applications taking advantage of the new mechanisms introduced in Windows Vista and Windows Server 2008

Module 16: What`s Different in 64-Bit Windows?

In this module candidates will learn how to port 32-bit applications to 64-bit Windows, how to execute 32-bit and 64-bit applications side-by-side and how to take advantage of the 64-bit Intel/AMD processor architecture.


Lessons:
  • 64-Bit Processor Architecture (AMD64)
  • Windows on Windows 64 (WOW64) Architecture
  • File System and Registry Redirection and Virtualization
  • Performance Improvements on 64-Bit Windows
After completing this module, candidates will be able to:
  • Develop applications taking advantage of 64-bit Windows
  • Port existing 32-bit applications to 64-bit Windows or execute them natively using WOW64

Additional Reading

To help prepare for this class candidates are recommended to review the following resources:
  • Jeffrey Richter, "Programming Applications for Microsoft Windows, Microsoft Press (1999)
  • Jeffrey Richter, "Windows via C/C++," Microsoft Press (2007)
PLEASE NOTE: Every effort has been made to ensure the accuracy of all information contained herein. IT Help and Support Centre Ltd makes no warranty expressed or implied with respect to accuracy of this information, including price, product editorials or product specifications. IT Help and Support Centre Ltd or its suppliers shall not be liable for incidental, consequential or special damages arising from, or as a result of, any electronic transmission or the accuracy of the information contained herin, even if IT Help and Support Centre Ltd has been advised of the possibility of such damages. Product and manufacturer names are used only for the purpose of identification.
Privacy Statement Terms & Conditions