INT235 - Windows Internals and Performance Toolkit Workshop

This seminar combines our Core Windows Internals seminar with in-depth coverage of the Windows Performance Toolkit, with extensive hands-on labs.

The Performance Toolkit is invaluable for nearly all Windows professionals, but requires in-depth knowledge of the operating system to use effectively. We use a tightly integrated approach to present Windows internals theory and then put the theory to immediate use in analyzing realistic scenarios and problems. 

Level: Intermediate
Audience:

Applications developers; systems software developers; device driver developers; system administrators; system integrators; hardware OEMs; I.T. support personnel

Description:

This workshop brings our flagship Core Windows Internals seminar together with a series of practical exercises featuring the Windows Performance Toolkit. 

The Windows Performance Toolkit is a freely available tool from Microsoft and has gained considerable acclaim in recent years. It consists primarily of the Windows Performance Recorder (WPR), which can record “trace” data (selected from tens of thousands of counters and trace points implemented by over 1,100 operating system components), and the Windows Performance Analyzer (WPA), which displays the collected trace information graphically.

Windows professionals can benefit from WPT in a great many ways. Both I.T. professionals  and developers can use the toolkit to troubleshoot memory leaks, identify code that uses excessive CPU, determine the causes of various latencies, and so on. By “developers” we include all types: kernel mode, user mode, managed code of all varieties, base Windows APIs, PowerShell, scripting, kernel drivers…

These techniques can be applied both to applications and drivers written locally and to those from Microsoft or third parties. Code developed within your organization can furthermore be instrumented with tracing calls, which greatly increases the effectiveness of the Performance Toolkit. For developers, the tracing facility can also be a valuable tool for debugging complex problems. A lot of tools will tell you what’s running in the system; the WPT is usually the only thing that can quickly tell you why something isn’t running when it’s supposed to be.

The Windows Performance Toolkit is extremely flexible and powerful, but like most such tools it requires expert-level knowledge to use effectively. Specifically, it requires extensive, in-depth, and current knowledge of Windows internals – both to select appropriate data for collection (from the tens of thousands of items that are available) and to interpret the resulting traces.

Accordingly, we will examine all of the major components of the operating system. We’ll show how the system “hosts” various types of applications, services, and other code, which components of Windows provide and manage various resources and functions (such as CPU time, I/O, memory, etc.), and how various types of “managed” code are supported.

In each functional area of the system we will describe the event-tracing “providers” that can provide information about their activities, the most useful “profile” selections for collecting traces, and the meanings of the code module names and routine names that will appear in the WPA traces. Finally, lab problems using WPT will use this information to examine and analyze the dynamic behavior of that area of the system, in various scenarios.

The SysInternals tools, several of Windows’ built-in utilities, and the Windows debugging tools will also be presented and used, both as aids to understanding the internals principles and as analysis tools for problem situations.

Topics:
  • Introduction and orientation
    • Tools preview (built in tools; Sysinternals tools; debugging tools)
    • Introduction to Windows Performance Toolkit (WPT) and Event Tracing for Windows (ETW)
  • Program execution environment
    • Processes and threads
    • Sessions and jobs
    • Types of applications (Win32, .net, WinRT, UWP, etc.)
    • Kernel vs. user mode
    • 32- and 64-bit address spaces
    • User mode memory management – stacks, heaps, reserved and committed memory, mapped memory
    • Service processes
  • Environment subsystems
    • API sets
    • The UWP sandbox
    • Calling OS functions from applications
    • Support for managed code
  • Kernel mode components and mechanisms
    • Executive, kernel, and HAL
    • Objects, handles, and security (access controls)
    • Registry internals and implementation
    • Kernel mode execution environment
    • Interrupt handling and deferred procedure calls (DPCs)
    • Kernel mode stack
    • Kernel memory pools
    • IRQLs
    • System (kernel) threads
  • Thread scheduling
    • Scheduler overview
    • Thread priorities and priority policies
    • Thread scheduling states and transitions
    • Preemption, timeslicing, and waiting
    • CPU time accounting
    • Priority adjustments
    • Hyperthreading and multicore issues
    • NUMA optimization
  • Memory management
    • Virtual memory concepts
    • Virtual address translation
    • Memory size limits
    • Page faults, page files, and memory mapped files
    • Per-process physical memory management (working set management)
    • System-wide physical memory management
  • I/O subsystem and device driver architecture
    • Input/Output APIs
    • I/O subsystem; device driver control flow
    • File system drivers and storage (disk) driver stack
    • Storage performance enhancements (SuperFetch, ReadyBoost, ReadyDrive)
  • System startup sequence
    • Key system processes
  • Windows Performance Toolkit: Advanced Topics
    • Advanced collection options with XPERF
    • Customizing WPR with XML profile files
    • Hidden trace providers
    • Custom Event Tracing providers (WPP and ETW messages from user and kernel mode code)
Prerequisites:

Experience using, administering, or developing for Windows, and familiarity with basic operating system concepts.

Operating systems supported:

This seminar primarily addresses Windows 7 through Windows 10 and Windows Server 2016. Most of the material is applicable to earlier versions of Windows. Earlier versions can be specifically addressed upon request.

Durations and formats: 5 days with labs
Labs:

This seminar includes a series of guided experiments. Learners are instructed to run various programs that will induce or exercise the system behaviors or problems being discussed, and will then use the appropriate system monitoring tools to view the behavior and understand the causes of any problems.

Examples of specific types of problems and scenarios the labs will address include:

  • Slow boot analysis
  • Identifying user mode and kernel mode CPU users
  • I/O throughput issues (disk and network)
  • Thread scheduling and latency issues
  • Graphics performance bottlenecks
  • Memory leaks (user and kernel mode)
  • Excessive RAM usage, excessive hard page faults; etc.
  • Performance of background services (web server, file server, etc.)
  • Power state transition analysis (why the system isn’t going to sleep, or deep enough sleep; why a device isn’t powering down)