Notes on 《深入理解Windows操作系统》 ("Understanding the Windows Operating System in Depth"), Part 1

C:\Program Files>cd "Debugging Tools for Windows (x86)"

C:\Program Files\Debugging Tools for Windows (x86)>dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 18F6-A188

 C:\Program Files\Debugging Tools for Windows (x86) 的目录

2012-02-02  14:24    <DIR>          .
2012-02-02  14:24    <DIR>          ..
2012-02-02  14:24    <DIR>          1394
2009-08-24  14:38            71,168 adplus.doc
2010-02-01  12:27            97,040 adplus.exe
2010-02-01  12:27            29,056 adplusext.dll
2010-02-01  12:27            80,656 adplusmanager.exe
2009-08-24  14:38             2,068 adplusmanager.exe.config
2010-02-01  12:27           200,530 adplus_old.vbs
2010-02-01  12:27            36,736 agestore.exe
2010-02-01  12:27            17,168 breakin.exe
2010-02-01  12:27           364,816 cdb.exe
2012-02-02  14:24    <DIR>          clr10
2010-02-01  12:27            32,128 convertstore.exe
2010-02-01  12:27           112,512 dbengprx.exe
2010-02-01  12:27         3,557,648 dbgeng.dll
2010-02-01  12:27         1,213,200 dbghelp.dll
2010-02-01  12:27            39,184 dbgrpc.exe
2010-02-01  12:27            32,528 dbgsrv.exe
2010-02-01  12:27           151,824 dbh.exe
2010-01-08  11:07           326,336 debugger.chi
2010-01-08  11:07         5,117,792 debugger.chm
2010-02-01  12:27           419,088 decem.dll
2009-08-24  14:38            56,832 dml.doc
2010-02-01  12:27            20,864 dumpchk.exe
2010-02-01  12:27            19,840 dumpexam.exe
2010-02-01  12:27           145,168 gflags.exe
2010-02-01  12:27           362,768 i386kd.exe
2010-02-01  12:27           362,768 ia64kd.exe
2010-02-01  12:27           376,080 kd.exe
2010-02-01  12:27            34,576 kdbgctrl.exe
2010-02-01  12:27           170,256 kdsrv.exe
2009-08-24  14:38         1,196,032 kernel_debugging_tutorial.doc
2010-02-01  12:27            34,064 kill.exe
2009-09-18  11:35            10,237 license.txt
2010-02-01  12:27            80,768 list.exe
2010-02-01  12:27            28,944 logger.exe
2010-02-01  12:27           211,328 logviewer.exe
2010-02-01  12:27           365,328 ntsd.exe
2010-02-01  12:27            23,312 pdbcopy.exe
2010-02-01  12:08             2,819 redist.txt
2010-01-28  21:21            12,615 relnotes.txt
2010-02-01  12:27            69,504 remote.exe
2010-02-01  12:27            25,360 rtlist.exe
2012-02-02  14:24    <DIR>          sdk
2012-02-02  14:24    <DIR>          srcsrv
2010-02-01  12:27            92,944 srcsrv.dll
2010-02-01  12:27            30,992 symbolcheck.dll
2010-02-01  12:27            80,144 symchk.exe
2012-02-02  14:24    <DIR>          symproxy
2010-02-01  12:27           131,856 symsrv.dll
2009-08-24  14:38                 1 symsrv.yes
2010-02-01  12:27           145,168 symstore.exe
2012-02-02  14:24    <DIR>          themes
2010-02-01  12:27            47,376 tlist.exe
2012-02-02  14:24    <DIR>          triage
2010-02-01  12:27           143,232 umdh.exe
2012-02-02  14:24    <DIR>          usb
2010-02-01  12:27           139,136 usbview.exe
2010-02-01  12:27            74,512 vmdemux.exe
2012-02-02  14:24    <DIR>          w2kchk
2012-02-02  14:24    <DIR>          w2kfre
2010-02-01  12:27           532,752 windbg.exe
2012-02-02  14:24    <DIR>          winext
2012-02-02  14:24    <DIR>          winxp
              51 个文件     16,929,054 字节
              14 个目录 153,558,147,072 可用字节

C:\Program Files\Debugging Tools for Windows (x86)>tlist.exe /t
System Process (0)
System (4)
smss.exe (460)
csrss.exe (516)
winlogon.exe (1172)
services.exe (1216)
ati2evxx.exe (1388) ATI video bios poller
svchost.exe (1420)
svchost.exe (1536)
svchost.exe (1656)
svchost.exe (1676)
svchost.exe (1728)
acs.exe (1764)
inetinfo.exe (1856)
sqlservr.exe (1880)
sqlwriter.exe (2032)
alg.exe (700)
msiexec.exe (3664)
lsass.exe (1228)
ati2evxx.exe (1616) ATI video bios poller client
explorer.exe (1000) Program Manager
RTHDCPL.EXE (1192)
Probe2.exe (1372) PC Probe II
aaCenter.exe (2500) aacenter
TWCU.exe (1276) TP-LINK无线客户端应用程序 - 当前配置文件: 默认值 - TP-LINK Wireless USB Adapter
ctfmon.exe (1460)
DTLite.exe (1468) DAEMON Tools Agent window
WINWORD.EXE (3952) windows - Microsoft Word
cmd.exe (2600) 命令提示符 - tlist.exe /t
tlist.exe (1100)
windbg.exe (2412) Local kernel - WinDbg:6.12.0002.633 X86
MOM.exe (1436) .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0
CCC.exe (3748)
conime.exe (2512)

C:\Program Files\Debugging Tools for Windows (x86)>

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Thu Feb  2 14:26:16.171 2012 (UTC + 8:00)), ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe -
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Thu Feb  2 14:26:16.343 2012 (UTC + 8:00)
System Uptime: 0 days 0:25:11.890

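x64: user process address space 8 TB, system space 6657 GB

Itanium: user process address space 7 TB, system space 6144 GB

C:\Program Files\Support Tools>qslice

Launches the thread viewer. The tool is part of the Windows 2000 Resource Kit; on XP it has to be downloaded and installed separately.

C:\Program Files\Support Tools>

C:\Program Files\Support Tools>mstsc.exe

Launches a remote connection.

Windows 2000 Professional does not support terminal sessions.

Windows XP Professional supports 1 terminal session.

Windows 2000 Server and Windows Server 2003 support 2 concurrent remote connections; higher editions such as Enterprise support more connections and can be configured as a terminal server.

On Windows XP, the Win+L key combination switches users quickly; the original user's processes and other state are kept in the system.

Windows XP/2003 use 16-bit-wide Unicode encoding rather than 8-bit ASCII. In earlier Windows versions, the Asian and Middle Eastern language editions were an extension of the US/European core edition, so their Windows API was a superset that differed from the base version, and language packs had to be built separately at the application level. Starting with Windows 2000, a single worldwide language pack is used, and the API calls are the same as well.

The symbol files required for kernel debugging must match exactly.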

C:\>livekd

LiveKd v5.0 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2010 Mark Russinovich and Ken Johnson

Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y

Enter the folder to which symbols download (default is c:\symbols):
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols

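http://msdl.microsoft.com/download/symbols does not support web access; it only supports access from a kernel-debugging client.

Windows supports 2 kinds of multiprocessor systems: Hyper-Threading and NUMA (non-uniform memory architecture). HT (Hyper-Threading) is an Intel technology that provides multiple logical processors on one physical processor; each logical processor has its own state, while the execution engine and the on-chip caches (L1, L2, L3 and so on) are shared.

NUMA treats processors as smaller unit nodes that use all of the memory.

Processor licensing: registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\LicensedProcessors

On 64-bit Windows there is no PAE kernel. That is, the \I386\UNIPROC\WINSRV.DLL file on the Windows 2000 media, which denotes the uniprocessor version, was removed in XP/2003.

Checking which ntoskrnl version is running:

1. Check the Event Viewer log for event ID 6009.

2. In the registry of the booted system, check HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PhysicalAddressExtension. If it is 1, the system booted from PAE, i.e. uniprocessor.

3. Try to run the kernel image from the command prompt:

C:\WINDOWS\system32>ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe 应用程序无法在 Win32 模式中运行。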

Version                         CPUs supported   Physical memory supported (GB)
Windows 2000 Professional       2                4
Windows 2000 Server             4                4
Windows 2000 Advanced Server    8                8
Windows 2000 Datacenter         32               64

Version                         32-bit: CPUs supported   32-bit: physical memory supported   64-bit: CPUs   64-bit: memory
Windows XP Home                 1                        4                                   -              -
Windows XP Professional         2                        4                                   2              128
Windows 2003 Standard           4                        4                                   -              -
Windows 2003 Enterprise         8                        32                                  8              64
Windows 2003 Datacenter         32                       64                                  64             1024

Strange, isn't it: 64-bit Windows XP supports more memory than 64-bit Windows 2003 Enterprise!!!

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Fri Feb  3 12:11:08.218 2012 (UTC + 8:00)), ptr64 FALSE
Symbol search path is: C:\WINDOWS\Symbols;srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Fri Feb  3 12:11:08.484 2012 (UTC + 8:00)
System Uptime: 0 days 0:28:38.160

lkd> dt nt!_*

lkd> dt nt!_kinterrupt
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x004 InterruptListEntry : _LIST_ENTRY
   +0x00c ServiceRoutine   : Ptr32     unsigned char
   +0x010 ServiceContext   : Ptr32 Void
   +0x014 SpinLock         : Uint4B
   +0x018 TickCount        : Uint4B
   +0x01c ActualLock       : Ptr32 Uint4B
   +0x020 DispatchAddress  : Ptr32     void
   +0x024 Vector           : Uint4B
   +0x028 Irql             : UChar
   +0x029 SynchronizeIrql  : UChar
   +0x02a FloatingSave     : UChar
   +0x02b Connected        : UChar
   +0x02c Number           : Char
   +0x02d ShareVector      : UChar
   +0x030 Mode             : _KINTERRUPT_MODE
   +0x034 ServiceCount     : Uint4B
   +0x038 DispatchCount    : Uint4B
   +0x03c DispatchCode     : [106] Uint4B

To confirm whether the running Windows version is a debug build,

use the Debug property of the WMI Win32_OperatingSystem class.

Write the script osversion.vbs:

' Connect to the WMI service on the local computer (root\cimv2 namespace)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Print the identifying properties of the running operating system
Set colOSes = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOS in colOSes
    Wscript.Echo "Computer Name: " & objOS.CSName
    Wscript.Echo "Caption: " & objOS.Caption 'Name
    Wscript.Echo "Version: " & objOS.Version 'Version & build
    Wscript.Echo "Build Number: " & objOS.BuildNumber 'Build
    Wscript.Echo "Build Type: " & objOS.BuildType
    Wscript.Echo "OS Type: " & objOS.OSType
    Wscript.Echo "Other Type Description: " & objOS.OtherTypeDescription
    WScript.Echo "Service Pack: " & objOS.ServicePackMajorVersion & "." & _
        objOS.ServicePackMinorVersion
Next

C:\Documents and Settings\jamin\桌面>cscript osversion.vbs
Microsoft (R) Windows Script Host Version 5.7
版权所有(C) Microsoft Corporation 1996-2001。保留所有权利。

Computer Name: AMD6000
Caption: Microsoft Windows XP Professional
Version: 5.1.2600
Build Number: 2600
Build Type: Multiprocessor Free
OS Type: 18
Other Type Description:
Service Pack: 3.0
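
The checks named in these notes (the Debug property of Win32_OperatingSystem, the PhysicalAddressExtension registry value, and event ID 6009) combined into one script. This is an added example, not part of the original notes; the file name kernelcheck.vbs and the use of StdRegProv and Win32_NTLogEvent to read the registry and the System log are choices made here.

```vbscript
' kernelcheck.vbs - added example, not from the original notes.
' Reports which kind of kernel the local machine is running.
Option Explicit

Const HKLM = &H80000002
Const MM_KEY = "SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

Dim strComputer, objWMI, objReg, objOS, objEvt, colEvents
Dim dwPae, rc, strNewest, strMessage

strComputer = "."
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\cimv2")
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' 1. Debug property: True on a debug build, False on a free build.
For Each objOS In objWMI.ExecQuery("Select * from Win32_OperatingSystem")
    WScript.Echo "Caption    : " & objOS.Caption
    WScript.Echo "Version    : " & objOS.Version
    WScript.Echo "Build Type : " & objOS.BuildType
    WScript.Echo "Debug      : " & objOS.Debug
Next

' 2. PhysicalAddressExtension under the Memory Management key.
'    GetDWORDValue returns 0 on success and leaves dwPae unset otherwise.
rc = objReg.GetDWORDValue(HKLM, MM_KEY, "PhysicalAddressExtension", dwPae)
If rc <> 0 Or IsNull(dwPae) Then
    WScript.Echo "PAE value  : not present (return code " & rc & ")"
ElseIf dwPae = 1 Then
    WScript.Echo "PAE value  : 1 (booted from the PAE kernel)"
Else
    WScript.Echo "PAE value  : " & dwPae
End If

' 3. Event ID 6009 in the System log, written at boot; its text names the
'    OS version and the kernel build type. Keep only the newest record:
'    TimeGenerated is a CIM datetime string, so string order is time order
'    as long as the time zone offset did not change between boots.
strNewest = ""
strMessage = ""
Set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " & _
    "Where Logfile = 'System' And EventCode = 6009")
For Each objEvt In colEvents
    If objEvt.TimeGenerated > strNewest Then
        strNewest = objEvt.TimeGenerated
        If IsNull(objEvt.Message) Then
            strMessage = "(no message text)"
        Else
            strMessage = objEvt.Message
        End If
    End If
Next

If strNewest = "" Then
    WScript.Echo "Event 6009 : none found in the System log"
Else
    WScript.Echo "Event 6009 : " & strNewest
    WScript.Echo "             " & strMessage
End If
```

Run it with cscript kernelcheck.vbs, the same way as osversion.vbs.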


