INT235 - Windows Internals and Performance Analysis Workshop

Offered as a public seminar in Vienna, Austria, May 13-17, 2019!

This seminar combines our Core Windows Internals seminar with in-depth coverage of the Windows Performance Toolkit, all presented with extensive hands-on labs.

Level: Intermediate

Applications developers; systems software developers; device driver developers; system administrators; system integrators; hardware OEMs; other I.T. support personnel


This workshop combines our flagship Core Windows Internals seminar with a series of practical exercises featuring the Windows Performance Toolkit, along with Windows’ built-in tools and the famous SysInternals tools and utilities.

The Windows Performance Toolkit is a freely available package from Microsoft and has gained considerable acclaim in recent years. It lets you record “trace” data (selected by you from tens of thousands of counters and trace points implemented by over 1,100 operating system components), and then summarizes and displays the collected trace information graphically.

You can use the toolkit to troubleshoot memory leaks, identify code that uses excessive CPU, determine the causes of various latencies, and so on. Problems can be isolated to the names of the routines invoking the code that’s using the resources. System administrators as well as developers of all types (from batch scripts to kernel mode drivers) can benefit from these highly detailed analyses.

IT pros can use the performance toolkit to determine the reasons for system slowdowns and “thrashing.” In many cases, small adjustments to hardware or workload, as suggested by Performance Toolkit results, can extend the useful life of your Windows systems—allowing you to postpone expensive platform replacements, sometimes by a year or more.

Performance analysis can be applied both to applications and drivers written locally and to those from Microsoft or third parties. Code developed within your organization can furthermore be instrumented with tracing calls, which greatly increases the effectiveness of the Performance Toolkit. For developers, the tracing facility can also be a valuable tool for debugging complex timing or sequencing problems.

A lot of tools will tell you what’s running in the system; the WPT is usually the only thing that can often quickly tell you why something isn’t running, or isn’t running fast enough, when it should be.

The Windows Performance Toolkit is extremely flexible and powerful, but like most such tools it requires expert-level knowledge to use effectively. Specifically, it requires extensive, in-depth, and current knowledge of Windows internals – both to select appropriate data for collection (from the tens of thousands of items that are available) and to interpret the resulting traces.

Accordingly, we will cover all of the “Core Windows Internals” topics, including all of the major components of the operating system. We’ll show how the system “hosts” various types of applications, services, and other code, which components of Windows provide and manage various resources and functions (such as CPU time, I/O, memory, etc.), and how various types of “managed” code are supported.

In each functional area of the system we will describe the event-tracing “providers” that can provide information about their activities, the most useful “profile” selections for collecting traces, and the meanings of the code module names and routine names that commonly appear in the WPA traces. Finally, lab problems using WPT will use this information to examine and analyze the dynamic behavior of that area of the system, in various scenarios.

The SysInternals tools, several of Windows’ built-in utilities, and the Windows debugging tools will also be presented and used, both as aids to understanding the internals principles and as analysis tools for problem situations.

Finally, we’ll present a brief example of code using the Windows TraceLogging API. This API allows both user mode applications and kernel mode drivers to generate trace events, far more easily than earlier interfaces.

  • Introduction and orientation
    • Tools preview (built in tools; Sysinternals tools; debugging tools)
    • Introduction to Windows Performance Toolkit (WPT) and Event Tracing for Windows (ETW)
  • Program execution environment
    • Processes and threads
    • Sessions and jobs
    • Types of applications (Win32, .net, WinRT, UWP, etc.)
    • Kernel vs. user mode
    • 32- and 64-bit address spaces
    • User mode memory management – stacks, heaps, reserved and committed memory, mapped memory
    • Service processes
  • Environment subsystems
    • API sets
    • The UWP sandbox
    • Calling OS functions from applications
    • Support for managed code
  • Kernel mode components and mechanisms
    • Executive, kernel, and HAL
    • Objects, handles, and security (access controls)
    • Registry internals and implementation
    • Kernel mode execution environment
    • Interrupt handling and deferred procedure calls (DPCs)
    • Kernel mode stack
    • Kernel memory pools
    • IRQLs
    • System (kernel) threads
  • Thread scheduling
    • Scheduler overview
    • Thread priorities and priority policies
    • Thread scheduling states and transitions
    • Preemption, timeslicing, and waiting
    • CPU time accounting
    • Priority adjustments
    • Hyperthreading and multicore issues
    • NUMA optimization
  • Memory management
    • Virtual memory concepts
    • Virtual address translation
    • Memory size limits
    • Page faults, page files, and memory mapped files
    • Per-process physical memory management (working set management)
    • System-wide physical memory management
  • I/O subsystem and device driver architecture
    • Input/Output APIs
    • I/O subsystem; device driver control flow
    • File system drivers and storage (disk) driver stack
    • Storage performance enhancements (SuperFetch, ReadyBoost, ReadyDrive)
  • System startup sequence
    • Key system processes
  • Windows Performance Toolkit: Advanced Topics
    • Advanced collection options with XPERF
    • Customizing WPR with XML profile files
    • Hidden trace providers
    • Custom Event Tracing providers (WPP and ETW messages from user and kernel mode code)
    • Using the TraceLogging API

Experience using, administering, or developing for Windows, and familiarity with basic operating system concepts.

Operating systems supported:

This seminar primarily addresses Windows 7 through Windows 10 and Windows Server 2008 through 2019. Most of the material is applicable to earlier versions of Windows. Earlier versions can be specifically addressed upon request.

Durations and formats: 5 days with labs

This seminar includes a series of guided experiments. Learners are instructed to run various programs that will induce or exercise the system behaviors or problems being discussed, and will then use the appropriate system monitoring tools to view the behavior and understand the causes of any problems.

Examples of specific types of problems and scenarios the labs will address include:

  • Slow boot analysis
  • Identifying user mode and kernel mode CPU users
  • I/O throughput issues (disk and network)
  • Thread scheduling and latency issues
  • Graphics performance bottlenecks
  • Memory leaks (user and kernel mode)
  • Excessive RAM usage, excessive hard page faults; etc.
  • Performance of background services (web server, file server, etc.)
  • Power state transition analysis (why the system isn’t going to sleep, or deep enough sleep; why a device isn’t powering down)