Defrag Tools with Andrew Richards and Chad Beeder
In this episode of Defrag Tools, Paula Januszkiewicz from CQURE, joins us to discuss Information Security (InfoSec).We talk about what InfoSec is, how to get started, what the role entails, and how the profession is evolving.Twitter: @PaulaCqurePaula on Channel 9
The celebrate the 200th episode of Defrag Tools, three Microsoft Legends join us in the Channel 9 Studios, with a live studio audience, for a Game Show!Questions range from campus trivia, all the way through to obscure command switches.Raymond Chen, KC Lemson and Larry Osterman have all been at Microsoft for decades and have many stories to tell... so many that we needed two parts. So you don't have to wait, both parts are available for binging straight away!Episode #200 - Game Show Part 1Episode #201 - Game Show Part 2Raymond ChenThe Old New ThingChannel 9KC LemsonMicrosoft Life@kclemsonLarry OstermanWebLogChannel 9@osterman
The celebrate the 200th episode of Defrag Tools, three Microsoft Legends join us in the Channel 9 Studios, with a live studio audience, for a Game Show!Questions range from campus trivia, all the way through to obscure command switches.Raymond Chen, KC Lemson and Larry Osterman have all been at Microsoft for decades and have many stories to tell... so many that we needed two parts. So you don't have to wait, both parts are available for binging straight away!Episode #200 - Game Show Part 1Episode #201 - Game Show Part 2Raymond ChenThe Old New ThingChannel 9KC LemsonMicrosoft Life@kclemsonLarry OstermanWebLogChannel 9@osterman
In this episode of Defrag Tools, Chris Jackson, the "App Compat Guy" (@appcompatguy), joins us to discuss Windows Desktop App Assure - a program for eligible customers and partners to access FastTrack Specialists who provide advisory and remediation guidance on deploying Windows 10 and Office 365 ProPlus - notably Application Compatibility.We delve into some examples that the program has diagnosed and show some of the tools the specialists (and yourselves) can use to determine the root cause.Desktop App Assure - https://aka.ms/DesktopAppAssureSysinternals Process MonitorLUA Buglight 2.3Brad Anderson's announcement on Channel 9 Endpoint ZoneChris on Channel9
In this episode of Defrag Tools, Aaron Margosis joins us to discuss AaronLocker - a set of scripts that help you configure AppLocker. AppLocker restricts application execution, auditing or protecting your system from unwanted/malicious software.We delve into the abilities of AppLocker, what the AaronLocker scripts automate, and see what it looks like when an application is blocked..AaronLocker - Application whitelisting with “AaronLocker”Aaron's Blog - Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLogAaron on Channel9 - https://channel9.msdn.com/Events/Speakers/aaron-margosis
In this episode of Defrag Tools, Chris Jackson, the "App Compat Guy" (@appcompatguy), joins us to discuss Windows Defender Advanced Threat Protection (ATP) - a unified platform for preventative protection, post-breach detection, automated investigation, and response.Defender ATP can be used to automatically investigate alerts and remediate complex threats in minutes.We delve into the Windows Defender Security Center, and perform Kusto queries to discover security events for the associated enterprise. Star a trial here.Example Queries - https://github.com/Microsoft/windowsDefenderATP-Hunting-Queries/ATP Blog - https://techcommunity.microsoft.com/t5/What-s-New/bd-p/WDATPNewChris on Channel9 - https://channel9.msdn.com/Events/Speakers/Chris-Jackson
In this episode of Defrag Tools, we discuss Windows Defender Application Guard, a great security feature in the Edge browser which allows you to easily run browser sessions in a virtual machine.
In this episode of Defrag Tools, we geek out on our favorite Command Prompt commands.Command covered:where.exe - WhereShows where a executable/script is on the PATH environment variablewhere notepad.exeipconfig.exe - IP ConfigurationIP Address Configuration - BasicipconfigIP Address Configuration - Advanced/Allipconfig /allIP Address Renewal/Resetipconfig /flushdnsipconfig /releaseipconfig /renewipconfig /registerdnsfindstr.exe - Find String/s - Sub Directories/n - Line Number/p - Search Pattern. e.g. Foo*Bar to match: Footastic Barcode/c - Escaped characters. e.g. /c:""Foo" Bar" to find the text: "Foo" BarContact us at defragtools@microsoft.com and/or @defragtools
In this episode of Defrag Tools, we continue talking about the Windows Upgrade Log files.We delve into the Application and Device Inventory Files, that describe application compatibility issues between OS Releases.The logs pre/post upgrade can be found in:$Windows.~btsourcespanther$Windows.~btSourcesRollbackWindowsPantherWindowsPantherNewOSYou can review the logs manually, or use SetupDiag.Contact us at defragtools@microsoft.com and/or @defragtools
In this episode of Defrag Tools, we talk about the Windows Upgrade Log files.The "Panther" logs track the installation of a Windows Upgrade. The logs contain Information, Warnings and Errors. Not all errors are fatal, the trick is to look at only the (last) fatal error if an upgrade fails.The logs pre/post upgrade can be found in:$Windows.~btsourcespanther$Windows.~btSourcesRollbackWindowsPantherWindowsPantherNewOSYou can review the logs manually, or use SetupDiag.In the next episode, we'll dive deep into the logs when there is an application migration issue.Contact us at defragtools@microsoft.com and/or @defragtools
In this episode of Defrag Tools, we talk about Windows Update and Windows Setup. We describe the different technologies, what each does to download the software, prepare the installation, and finish the installation.In the next episode, we'll dive deep into the logs, showing you how to troubleshoot an installation issue.
In this episode of Defrag Tools, we talk about HRESULT based Error Codes. The 32bits in the HRESULT have meanings, allowing the reader to gain additional insights into the error.Of note:The 32nd bit (the top bit) indicates if an error occurred or not. This is why errors are 0x8xxxxxxx.The 16-26 bits are the Facility - the originating API (Win32, CLR, XAML, etc.).The 0-15 bits are the (Error) Code.Common NULL Facility Error CodesNameDescriptionValueS_OKOperation successful0x00000000S_FALSEOperation successful but returned no results0x00000001E_ABORTOperation aborted0x80004004E_FAILUnspecified failure0x80004005E_NOINTERFACENo such interface supported0x80004002E_NOTIMPLNot implemented0x80004001E_POINTERPointer that is not valid0x80004003E_UNEXPECTEDUnexpected failure0x8000FFFFCommon Win32 Facility Error CodesThese are built by passing a System Error Code to HRESULT_FROM_WIN32NameDescriptionValueE_ACCESSDENIEDGeneral access denied error0x80070005E_HANDLEHandle that is not valid0x80070006E_INVALIDARGOne or more arguments are not valid0x80070057E_OUTOFMEMORYFailed to allocate necessary memory0x8007000ERelated Links:HRESULTHRESULT Facility – By ValueHRESULT Facility – By Name
In this episode of Defrag Tools, Chad Beeder is joined by Jorge Novillo and Ojasvi Choudhary to discuss the Performance Power Slider in Windows 10. We discuss how it works, how hardware partners can customize it, and how users can adjust some of its settings.Related Links:Overview & how to customize the default Perf Power Slider positionMicrosoft DocsPerf Power Slider Knob 1 – Processor TuningProcessor Power Management TuningPerformance Energy Preference TuningPerf Power Slider Knob 2 – Power Throttling background appsApp developers can define power throttling levels using the SetProcessInformation functionWindows blogHow to customize fan speeds, thermals, or other power settings for each slider positionINF AddPowerSetting DirectiveWinHEC Fall 2017 Power Lab (exercise 2D)Timeline:[00:00] Overview of the Performance Power Slider[02:54] Performance Power Slider on AC and DC power[04:02] Requirements to view the Performance Power Slider[04:49] Behind the scenes of the Performance Power Slider[07:22] Querying the custom processor settings[09:13] Power throttling user controls[14:14] How OEMs can customize the Performance Power Slider[19:25] Questions? Email us at defragtools@microsoft.com
Announcing the Inside Show, the show that takes you inside Windows!Inside covers Windows Features, Windows Internals, Exception Codes, Bugcheck Codes and Debugger Commands. Each episode is just 5 minutes, with no specific order between episodes. Watch the Welcome video!For longer topics (15-30min), we'll continue to cover them on Defrag Tools in 1 or more parts.Email questions, comments and requests to InsideShow@microsoft.com and DefragTools@microsoft.com
In this episode of Defrag Tools, Chad Beeder and Andrew Richards talk about what tech you could buy on Cyber Monday.We talk about USB Sticks, USB Cables, MicroSD Readers, International Power Adapters, Charging Stations, UPS Backup, Network Testers, Memory Sticks, Disk Drives, Drive adapters, Xbox Live, Xbox Game Pass, ... and many more things.For Intel Product Specs (to determine supported RAM, etc.), refer to http://ark.intel.com(Apologies for Andrew's poor voice)
In this episode of Defrag Tools, Chad Beeder and Andrew Richards talk to Marc Goodner and Reid Borsuk about the maker community at Microsoft, and the cool Ninjacat statue they built. Make sure to watch to the end to see all of its, shall we say... special features!
In this episode of Defrag Tools, Andrew Richards is joined by JCAB (Juan Carlos Arevalo Baeza) and Jordi Mola from the Windows Debugger team to demonstrate some more advanced usage of a new feature of WinDbg Preview: Time Travel Debugging (TTD).Related Links:WinDbg Preview (download from Microsoft Store)Time Travel Debugging Overview (Online documentation)Debugging Tools for Windows BlogTime Travel Debugging FAQTimeline:[00:00] Introductions[01:07] Seeing a memory corruption crash in the Chakra Core when running a script. Difficult to debug![05:33] Now reproduce the same crash while recording a Time Travel Debugging trace[07:06] Looking at the TTD trace with unoptimized code[07:55] Use the !events command to list interesting events and exceptions in the trace and jump to them[11:43] Found the corrupt memory, step backwards to figure out where it came from.[13:15] Identifying the memory location containing a bad value with dx command, and setting a data breakpoint (with ba) to see who previously wrote to it.[17:37] Getting closer. Keep following the trail backwards...[19:29] Found where the bad value came from![21:08] Another use case: Find where a value is bad and track it back from there with a binary search (use !tt with a percentage value to jump to locations in the trace)[22:09] Second demo: Looking at the same crash but with optimized production code.[25:09] Exceptions will be hit when running the trace either forward or backward.[26:54] To give feedback on WinDbg Preview, use the Feedback Hub.
In this episode of Defrag Tools, Chad Beeder is joined by James Pinkerton and Ivette Carreras to introduce a new feature of WinDbg Preview: Time Travel Debugging (TTD).Related Links:WinDbg Preview (download from Microsoft Store)Time Travel Debugging Overview (Online documentation)Debugging Tools for Windows BlogTime Travel Debugging FAQTimeline:[00:00] Introductions[00:54] Introducing Time Travel Debugging (TTD)[05:06] Tracing[07:33] Debugging Forwards[09:23] Debugging Backwards![13:31] Data is available[17:20] Great for Customer Support[19:11] Email us at defragtools@microsoft.com
In this episode of Defrag Tools, we continue our series on the new WinDbg Preview. Andrew Richards is joined by Bill Messmer to talk about the updated scripting engine.Related Links:WinDbg Preview (download from Microsoft Store)Documentation for WinDbg Preview (Dev Center)Announcement blog postRelated Episodes:Defrag Tools #138 - Debugging - 'dx' Command Part 1Defrag Tools #139 - Debugging - 'dx' Command Part 2Defrag Tools #169 - Debugging Tools For Windows TeamDefrag Tools #170 - Debugger - JavaScript ScriptingDefrag Tools #182 - WinDbg Preview Part 1Defrag Tools #183 - WinDbg Preview Part 2
In this episode of Defrag Tools, Chad Beeder is joined by Nickolay Ratchev and Tim Misiak to show off some features of WinDbg Preview, a new version of the WinDbg tool.Also see our previous episode, if you missed it: Defrag Tools #182 - WinDbg Preview Part 1Related Links:WinDbg Preview (download from Microsoft Store)Documentation for WinDbg Preview (Dev Center)Announcement blog postTimeline:[00:00] Welcome and introductions[00:42] Recent targets - every debugging session is saved for easy access next time[01:44] New features of the locals window and watch window: Use LINQ expressions[03:22] Model window allows different views (i.e. grid)[04:05] Demo: Use a NatVis script to modify how data is shown in the Model window. JavaScript supported as well.[06:00] New interactions between windows, new features in Command window... better copy & paste[08:15] Right-click to search on MSDN[08:58] Use the Feedback Hub for bug reports and feature requests!
In this episode of Defrag Tools, Chad Beeder is joined by Tim Misiak and Andy Luhrs to introduce WinDbg Preview, a new version of the WinDbg tool.Also see our followup episode: Defrag Tools #183 - WinDbg Preview Part 2Related Links:WinDbg Preview (download from Microsoft Store)Documentation for WinDbg Preview (Dev Center)Announcement blog postTimeline:[00:00] Welcome and introductions[00:32] All new shell, and it's available as a Store app[01:17] Yes, all your old debugging commands and extensions still work[02:06] New features enabled by the debugger data model (for more on this topic, see Defrag Tools Episode #138 and Episode #139)[03:24] Use the Feedback Hub to help us make it better[04:17] All new UI. (Ribbon, relaunch recent sessions, new windowing system, dark theme)[07:05] Watch window, locals window, etc., can all use the new debugger data model[08:13] New script window - makes it easy to write NatVis and JavaScript visualizations[08:50] WinDbg Preview is a work in progress! Expect frequent updates.
In this episode of Defrag Tools, Chad Beeder and Andrew Richards are joined by Paresh Maisuria from the Windows Kernel Power team and Zach Holmes from the Fundamentals team to talk about System Power Report, a new feature in Windows 10 Creators Update.Related links:Defrag Tools #168 - Powercfg Sleep Study (older version of this tool)Defrag Tools #157 - Energy Estimation Engine (E3) (the framework used for estimating power usage)Timeline:[00:00] Welcome and introductions[00:30] This is an updated and expanded version of a feature previously called Sleep Study. Now it covers everything related to power, not just details of modern standby states.[02:55] You can still run it with powercfg /sleepstudy (for backwards compatibility) - but the new command is powercfg /systempowerreport, or powercfg /spr[04:08] Opening up the generated report - lots more data than in the old Sleep Study report.[05:32] Looking an active session: How much battery power was used, and by what? What was the screen brightness? Which apps used the most power?[09:40] Why some power usage gets attributed to "Unknown"[15:00] Unlike the old Sleep Study report, the System Power Report even gives useful info on traditional standby (S3) systems.[16:40] Looking at a standby session: You can tell why a system went into standby, and why it woke up. Also lots of other stats, like how long it took to hibernate, etc.[20:27] The report also contains an "expert tab" which contains data about the battery design capacity, current capacity, and health[23:18] Bugchecks are also logged in the report (including the parameters).[24:35] Still has all the details on a modern standby system (like in the old Sleep Study report). But enhanced. Now we have better instrumentation to track why a system got woken from standby.[27:58] Of interest to OEMs and hardware engineers: We track power usage data for the SoC (System on a Chip) subsystems. Can give you the first indication of where to look further if power usage is too high.Email us at defragtools@microsoft.com
In this episode of Defrag Tools, Graham McIntyre joins Andrew Richards and Chad Beeder to talk about the new Active Memory Dump type. This new kernel dump size replaces the Complete Memory Dump type, and although much smaller, is equally as useful.
In this episode of Defrag Tools, Andrew Richards and Chad Beeder walk through the process of manually creating a full memory dump via the keyboard. This is useful when you want to capture the state of the operating system. For example, to debug a hang.Resources:Forcing a System Crash from the Keyboard Registry files (.reg) demonstrated in this episode are on the Defrag Tools OneDrive share (ManualCrashRegistrySettings.zip)PCI Express Dump Switch Card (if you need to use the NMI method)Timeline:[00:00] Welcome and Intro[00:57] When would you need to manually force a crash dump?[02:42] Typically you'll want to get a Complete Memory Dump[05:57] ...which also requires you to set a large enough page file on the C: drive (RAM size plus some additional)[08:00] Setting up manual crash dump via CrashOnCtrlScroll (if your keyboard has a ScrollLock key)[13:20] Discussion of keyboards and keyboard scan codes. The old Peter Norton "pink shirt" book still comes through for this![16:55] Once you know the scan code, you can use the Dump1Keys and Dump2Key registry settings to choose your own keyboard combo. Make sure not to use CrashOnCtrlScroll at the same time![25:04] The big guns: If a system is hung badly enough that keyboard crash doesn't work, you can try CrashOnNMI. Usually requires special hardware like a PCIe NMI card.[28:34] Looking at the memory dump we just created. Bugcheck 0xE2: MANUALLY_INITIATED_CRASH
In this episode of Defrag Tools, Andrew Richards and Chad Beeder talk about the new features of Sysinternals ProcDump v9.0Multiple Dumps per trigger in multiple Dump Sizes:-mm Write a 'Mini' dump file. (default) Includes the Process, Thread, Module, Handle and Address Space info-ma Write a 'Full' dump file. Includes All the Image, Mapped and Private memory-mp Write a 'MiniPlus' dump file. Includes all Private memory and all Read/Write Image or Mapped memory. To minimize size, the largest Private memory area over 512MB is excluded. A memory area is defined as the sum of same-sized memory allocations. The dump is as detailed as a Full dump but 10%-75% the size. Note: CLR processes are dumped as Full (-ma) due to debugging limitations-mc Write a 'Custom' dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex). -md Write a 'Callback' dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL-mk Also write a 'Kernel' dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump sizeKernel Dump Support:Complete Thread Stack – Kernel & UserOpen the User and Kernel Dumps in separate debuggersMatch the TIDs from the User Dump, with the TIDs from the Kernel Dump, to get the entire stackAwesome tool for hang debugging!Debugging the Kernel DumpDump includes the kernel stack (memory) of every thread in the process (Running, Ready or Idle)Dump has the Process PID and each Thread TID. There is no PEB or TEB information.View the Kernel Call Stack for each Thread in the Process: !process -1 17 Debugging the User DumpView the User Call Stack for each Thread in the Process (e.g.): ~*k !pde.deep
© 2020-2025 Ivy Podcast Discovery LLC
