《深入理解Windows操作系统》笔记1

C:\Program Files>cd "Debugging Tools for Windows (x86)"

C:\Program Files\Debugging Tools for Windows (x86)>dir

 驱动器 中的卷没有标签。

 卷的序列号是 18F6-A188

 C:\Program Files\Debugging Tools for Windows (x86) 的目录

2012-02-02  14:24    <DIR>          .

2012-02-02  14:24    <DIR>          ..

2012-02-02  14:24    <DIR>          1394

2009-08-24  14:38            71,168 adplus.doc

2010-02-01  12:27            97,040 adplus.exe

2010-02-01  12:27            29,056 adplusext.dll

2010-02-01  12:27            80,656 adplusmanager.exe

2009-08-24  14:38             2,068 adplusmanager.exe.config

2010-02-01  12:27           200,530 adplus_old.vbs

2010-02-01  12:27            36,736 agestore.exe

2010-02-01  12:27            17,168 breakin.exe

2010-02-01  12:27           364,816 cdb.exe

2012-02-02  14:24    <DIR>          clr10

2010-02-01  12:27            32,128 convertstore.exe

2010-02-01  12:27           112,512 dbengprx.exe

2010-02-01  12:27         3,557,648 dbgeng.dll

2010-02-01  12:27         1,213,200 dbghelp.dll

2010-02-01  12:27            39,184 dbgrpc.exe

2010-02-01  12:27            32,528 dbgsrv.exe

2010-02-01  12:27           151,824 dbh.exe

2010-01-08  11:07           326,336 debugger.chi

2010-01-08  11:07         5,117,792 debugger.chm

2010-02-01  12:27           419,088 decem.dll

2009-08-24  14:38            56,832 dml.doc

2010-02-01  12:27            20,864 dumpchk.exe

2010-02-01  12:27            19,840 dumpexam.exe

2010-02-01  12:27           145,168 gflags.exe

2010-02-01  12:27           362,768 i386kd.exe

2010-02-01  12:27           362,768 ia64kd.exe

2010-02-01  12:27           376,080 kd.exe

2010-02-01  12:27            34,576 kdbgctrl.exe

2010-02-01  12:27           170,256 kdsrv.exe

2009-08-24  14:38         1,196,032 kernel_debugging_tutorial.doc

2010-02-01  12:27            34,064 kill.exe

2009-09-18  11:35            10,237 license.txt

2010-02-01  12:27            80,768 list.exe

2010-02-01  12:27            28,944 logger.exe

2010-02-01  12:27           211,328 logviewer.exe

2010-02-01  12:27           365,328 ntsd.exe

2010-02-01  12:27            23,312 pdbcopy.exe

2010-02-01  12:08             2,819 redist.txt

2010-01-28  21:21            12,615 relnotes.txt

2010-02-01  12:27            69,504 remote.exe

2010-02-01  12:27            25,360 rtlist.exe

2012-02-02  14:24    <DIR>          sdk

2012-02-02  14:24    <DIR>          srcsrv

2010-02-01  12:27            92,944 srcsrv.dll

2010-02-01  12:27            30,992 symbolcheck.dll

2010-02-01  12:27            80,144 symchk.exe

2012-02-02  14:24    <DIR>          symproxy

2010-02-01  12:27           131,856 symsrv.dll

2009-08-24  14:38                 1 symsrv.yes

2010-02-01  12:27           145,168 symstore.exe

2012-02-02  14:24    <DIR>          themes

2010-02-01  12:27            47,376 tlist.exe

2012-02-02  14:24    <DIR>          triage

2010-02-01  12:27           143,232 umdh.exe

2012-02-02  14:24    <DIR>          usb

2010-02-01  12:27           139,136 usbview.exe

2010-02-01  12:27            74,512 vmdemux.exe

2012-02-02  14:24    <DIR>          w2kchk

2012-02-02  14:24    <DIR>          w2kfre

2010-02-01  12:27           532,752 windbg.exe

2012-02-02  14:24    <DIR>          winext

2012-02-02  14:24    <DIR>          winxp

              51 个文件     16,929,054 字节

              14 个目录 153,558,147,072 可用字节

C:\Program Files\Debugging Tools for Windows (x86)>tlist.exe /t

System Process (0)

System (4)

  smss.exe (460)

    csrss.exe (516)

    winlogon.exe (1172)

      services.exe (1216)

        ati2evxx.exe (1388) ATI video bios poller

        svchost.exe (1420)

        svchost.exe (1536)

        svchost.exe (1656)

        svchost.exe (1676)

        svchost.exe (1728)

        acs.exe (1764)

        inetinfo.exe (1856)

        sqlservr.exe (1880)

        sqlwriter.exe (2032)

        alg.exe (700)

        msiexec.exe (3664)

      lsass.exe (1228)

      ati2evxx.exe (1616) ATI video bios poller client

explorer.exe (1000) Program Manager

  RTHDCPL.EXE (1192)

  Probe2.exe (1372) PC Probe II

    aaCenter.exe (2500) aacenter

  TWCU.exe (1276) TP-LINK 无线客户端应用程序 当前配置文件:默认值 - TP-LINK Wi

reless USB Adapter

  ctfmon.exe (1460)

  DTLite.exe (1468) DAEMON Tools Agent window

  WINWORD.EXE (3952) windows - Microsoft Word

  cmd.exe (2600) 命令提示符 - tlist.exe /t

    tlist.exe (1100)

  windbg.exe (2412) Local kernel - WinDbg:6.12.0002.633 X86

MOM.exe (1436) .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0

  CCC.exe (3748)

conime.exe (2512)

C:\Program Files\Debugging Tools for Windows (x86)>

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86

Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Thu Feb  2 14:26:16.171 2012 (UTC + 8:00)), ptr64 FALSE

Symbol search path is: *** Invalid ***

****************************************************************************

* Symbol loading may be unreliable without a symbol search path.           *

* Use .symfix to have the debugger choose a symbol path.                   *

* After setting your symbol path, use .reload to refresh symbol locations. *

****************************************************************************

Executable search path is: 

*********************************************************************

* Symbols can not be loaded because symbol path is not initialized. *

*                                                                   *

* The Symbol Path can be set by:                                    *

*   using the _NT_SYMBOL_PATH environment variable.                 *

*   using the -y <symbol_path> argument when starting the debugger. *

*   using .sympath and .sympath+                                    *

*********************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 

*******************************************************************************

WARNING: Local kernel debugging requires booting with kernel

debugging support (/debug or bcdedit -debug on) to work optimally.

*******************************************************************************

Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 2600.xpsp.080413-2111

Machine Name:

Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720

Debug session time: Thu Feb  2 14:26:16.343 2012 (UTC + 8:00)

System Uptime: 0 days 0:25:11.890

X64 用户进程空间:8TB,系统空间 6657GB

Itanium 用户进程空间:7TB,系统空间 6144GB

C:\Program Files\Support Tools>qslice

启动线程查看器,该软件位于Windows2000资源工具包中,XP下需要单独下载安装

C:\Program Files\Support Tools>

C:\Program Files\Support Tools>mstsc.exe

启动远程连接

Windows 2000 professional 不支持终端会话

Windows XP professional 支持1个终端会话

Windows 2000 Server 和 Windows Server 2003 支持2个并发的远程连接,以上版本如企业版支持多个连接,并且可以配置为终端服务器

Windows XP中使用键盘 Win+L 组合键可以快速切换用户,原来的进程等信息均保存在系统中

Windows XP/2003 使用 16 位宽度的 Unicode 编码,而不是 8 位的 ASCII 码。在此之前的 Windows 版本中,亚洲和中东语言版本是美国/欧洲核心版本的一个扩展,其 Windows API 是一个超集,与原有版本不同,因此需要在应用程序层面单独构建语言包。从 Windows 2000 开始使用全球统一的语言包,API 的调用方式也一致了。

内核调试所需的符号文件必须与被调试的内核映像完全匹配。

C:\>livekd

LiveKd v5.0 - Execute kd/windbg on a live system

Sysinternals - www.sysinternals.com

Copyright (C) 2000-2010 Mark Russinovich and Ken Johnson

Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH

directory to reference the Microsoft symbol server so that symbols can be

obtained automatically? (y/n) y

Enter the folder to which symbols download (default is c:\symbols):

Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols

http://msdl.microsoft.com/download/symbols 不支持用浏览器直接访问,只能由调试器在调试会话中按需下载符号。(符号服务器也提供 https:// 地址;调试工具版本支持时,配置符号路径应优先使用 https。)

Windows 支持 2 种多处理器系统:超线程(HT)和 NUMA(非一致性内存结构)。超线程是 Intel 的技术,在一个物理处理器上提供多个逻辑处理器;每个逻辑处理器有自己的状态,而执行引擎和芯片上的高速缓存(L1、L2、L3 等)是共享的。

NUMA 是将处理器划分为更小的单元(节点),各节点仍可使用全部的内存。

处理器许可:注册表:HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\LicensedProcessors

64 位 Windows 上没有 PAE 内核。Windows 2000 安装介质下的 \I386\UNIPROC\WINSRV.DLL 文件表示单处理器版本,在 XP/2003 中已去掉。

检查正在运行的ntoskrnl版本:

1、 检查事件查看器中事件ID6009的日志

2、 在已引导系统的注册表中检查 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PhysicalAddressExtension:如果是 1,则从 PAE 引导,也就是单处理器

3、 C:\WINDOWS\system32>ntoskrnl.exeC:\WINDOWS\system32\ntoskrnl.exe 应用程序无法在 Win32 模式中运行。

| 版本 | 支持的CPU | 支持的物理内存GB |
| --- | --- | --- |
| windows 2000 professional | 2 | 4 |
| windows 2000 server | 4 | 4 |
| windows 2000 advanced server | 8 | 8 |
| windows 2000 datacenter | 32 | 64 |

   
 

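| 版本 | 32位的支持CPU | 32位的物理内存支持 | 64位的CPU | 64位内存 |
| --- | --- | --- | --- | --- |
| windows xp home | 1 | 4 | | |
| windows XP professional | 2 | 4 | 2 | 128 |
| windows 2003 standard | 4 | 4 | | |
| windows 2003 enterprise | 8 | 32 | 8 | 64 |
| windows 2003 datacenter | 32 | 64 | 64 | 1024 |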

奇怪吧,windows XP 64bit 的内存支持比 windows 2003 企业版64bit 还要高!!!

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86

Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Fri Feb  3 12:11:08.218 2012 (UTC + 8:00)), ptr64 FALSE

Symbol search path is: C:\WINDOWS\Symbols;srv*c:\Symbols*http://msdl.microsoft.com/download/symbols

Executable search path is: 

*******************************************************************************

WARNING: Local kernel debugging requires booting with kernel

debugging support (/debug or bcdedit -debug on) to work optimally.

*******************************************************************************

Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 2600.xpsp.080413-2111

Machine Name:

Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720

Debug session time: Fri Feb  3 12:11:08.484 2012 (UTC + 8:00)

System Uptime: 0 days 0:28:38.160

lkd> dt nt!_*

          ntkrpamp!_LIST_ENTRY

          ntkrpamp!_IMAGE_NT_HEADERS

          ntkrpamp!_IMAGE_FILE_HEADER

          ntkrpamp!_IMAGE_OPTIONAL_HEADER

          ntkrpamp!_LARGE_INTEGER

          ntkrpamp!__unnamed

          ntkrpamp!_ULARGE_INTEGER

          ntkrpamp!__unnamed

          ntkrpamp!_LUID

          ntkrpamp!_KAPC

          ntkrpamp!_KTHREAD

          ntkrpamp!_SINGLE_LIST_ENTRY

          ntkrpamp!_KSPIN_LOCK_QUEUE_NUMBER

          ntkrpamp!_KPRCB

          ntkrpamp!_KPROCESSOR_STATE

          ntkrpamp!_KSPIN_LOCK_QUEUE

          ntkrpamp!_KNODE

          ntkrpamp!_PP_LOOKASIDE_LIST

          ntkrpamp!_KPRCB

          ntkrpamp!_KDPC

          ntkrpamp!_FX_SAVE_AREA

          ntkrpamp!_PROCESSOR_POWER_STATE

          ntkrpamp!_SLIST_HEADER

          ntkrpamp!_NPAGED_LOOKASIDE_LIST

          ntkrpamp!_GENERAL_LOOKASIDE

          ntkrpamp!_PAGED_LOOKASIDE_LIST

          ntkrpamp!_FAST_MUTEX

          ntkrpamp!_PP_NPAGED_LOOKASIDE_NUMBER

          ntkrpamp!_POOL_TYPE

          ntkrpamp!_EX_RUNDOWN_REF

          ntkrpamp!_EX_FAST_REF

          ntkrpamp!_EX_PUSH_LOCK

          ntkrpamp!_EX_PUSH_LOCK_WAIT_BLOCK

          ntkrpamp!_KEVENT

          ntkrpamp!_EX_PUSH_LOCK_CACHE_AWARE

          ntkrpamp!_ETHREAD

          ntkrpamp!_TERMINATION_PORT

          ntkrpamp!_CLIENT_ID

          ntkrpamp!_KSEMAPHORE

          ntkrpamp!_PS_IMPERSONATION_INFORMATION

          ntkrpamp!_DEVICE_OBJECT

          ntkrpamp!_EPROCESS

          ntkrpamp!_KPROCESS

          ntkrpamp!_HANDLE_TABLE

          ntkrpamp!_EJOB

          ntkrpamp!_EPROCESS_QUOTA_BLOCK

          ntkrpamp!_PAGEFAULT_HISTORY

          ntkrpamp!_HARDWARE_PTE

          ntkrpamp!_PEB

          ntkrpamp!_SE_AUDIT_PROCESS_CREATION_INFO

          ntkrpamp!_MMSUPPORT

          ntkrpamp!_OBJECT_ATTRIBUTES

          ntkrpamp!_UNICODE_STRING

          ntkrpamp!_OBJECT_TYPE

          ntkrpamp!_ERESOURCE

          ntkrpamp!_OBJECT_TYPE_INITIALIZER

          ntkrpamp!_OBJECT_HANDLE_INFORMATION

          ntkrpamp!_DISPATCHER_HEADER

          ntkrpamp!_KAPC_STATE

          ntkrpamp!_KWAIT_BLOCK

          ntkrpamp!_KQUEUE

          ntkrpamp!_KTIMER

          ntkrpamp!_KTRAP_FRAME

          ntkrpamp!_FNSAVE_FORMAT

          ntkrpamp!_FXSAVE_FORMAT

          ntkrpamp!__unnamed

          ntkrpamp!_MMPTE

          ntkrpamp!_MMPTE_HIGHLOW

          ntkrpamp!_MMPTE_HARDWARE

          ntkrpamp!_MMPTE_PROTOTYPE

          ntkrpamp!_MMPTE_SOFTWARE

          ntkrpamp!_MMPTE_TRANSITION

          ntkrpamp!_MMPTE_SUBSECTION

          ntkrpamp!_MMPTE_LIST

          ntkrpamp!__unnamed

          ntkrpamp!_MEMORY_CACHING_TYPE

          ntkrpamp!_MI_PFN_CACHE_ATTRIBUTE

          ntkrpamp!_EXCEPTION_RECORD64

          ntkrpamp!_EXCEPTION_RECORD32

          ntkrpamp!_DBGKM_EXCEPTION64

          ntkrpamp!_DBGKM_EXCEPTION32

          ntkrpamp!_DBGKD_LOAD_SYMBOLS64

          ntkrpamp!_DBGKD_LOAD_SYMBOLS32

          ntkrpamp!_DBGKD_READ_MEMORY64

          ntkrpamp!_DBGKD_READ_MEMORY32

          ntkrpamp!_DBGKD_WRITE_MEMORY64

          ntkrpamp!_DBGKD_WRITE_MEMORY32

          ntkrpamp!_DBGKD_WRITE_BREAKPOINT64

          ntkrpamp!_DBGKD_WRITE_BREAKPOINT32

          ntkrpamp!_DBGKD_READ_WRITE_IO64

          ntkrpamp!_DBGKD_READ_WRITE_IO32

          ntkrpamp!_DBGKD_READ_WRITE_IO_EXTENDED64

          ntkrpamp!_DBGKD_READ_WRITE_IO_EXTENDED32

          ntkrpamp!_DBGKD_SET_SPECIAL_CALL32

          ntkrpamp!_DBGKD_SET_SPECIAL_CALL64

          ntkrpamp!_DBGKD_SET_INTERNAL_BREAKPOINT32

          ntkrpamp!_DBGKD_SET_INTERNAL_BREAKPOINT64

          ntkrpamp!_DBGKD_GET_INTERNAL_BREAKPOINT64

          ntkrpamp!_DBGKD_GET_INTERNAL_BREAKPOINT32

          ntkrpamp!_DBGKD_MANIPULATE_STATE64

          ntkrpamp!_DBGKD_GET_CONTEXT

          ntkrpamp!_DBGKD_SET_CONTEXT

          ntkrpamp!_DBGKD_RESTORE_BREAKPOINT

          ntkrpamp!_DBGKD_CONTINUE

          ntkrpamp!_DBGKD_CONTINUE2

          ntkrpamp!_DBGKD_QUERY_SPECIAL_CALLS

          ntkrpamp!_DBGKD_GET_VERSION64

          ntkrpamp!_DBGKD_BREAKPOINTEX

          ntkrpamp!_DBGKD_READ_WRITE_MSR

          ntkrpamp!_DBGKD_SEARCH_MEMORY

          ntkrpamp!_DBGKD_GET_SET_BUS_DATA

          ntkrpamp!_DBGKD_FILL_MEMORY

          ntkrpamp!_DBGKD_QUERY_MEMORY

          ntkrpamp!__unnamed

          ntkrpamp!_DBGKD_MANIPULATE_STATE32

          ntkrpamp!_DBGKD_GET_VERSION32

          ntkrpamp!__unnamed

          ntkrpamp!_VACB

          ntkrpamp!_SHARED_CACHE_MAP

          ntkrpamp!__unnamed

          ntkrpamp!_FILE_OBJECT

          ntkrpamp!_MBCB

          ntkrpamp!_CACHE_MANAGER_CALLBACKS

          ntkrpamp!_CACHE_UNINITIALIZE_EVENT

          ntkrpamp!_PRIVATE_CACHE_MAP

          ntkrpamp!_VACB_LEVEL_REFERENCE

          ntkrpamp!_HEAP_ENTRY

          ntkrpamp!_HEAP

          ntkrpamp!_HEAP_TAG_ENTRY

          ntkrpamp!_HEAP_UCR_SEGMENT

          ntkrpamp!_HEAP_UNCOMMMTTED_RANGE

          ntkrpamp!_HEAP_SEGMENT

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_HEAP_PSEUDO_TAG_ENTRY

          ntkrpamp!_HEAP_LOCK

          ntkrpamp!_HEAP_SUBSEGMENT

          ntkrpamp!_HEAP_USERDATA_HEADER

          ntkrpamp!_HEAP_USERDATA_HEADER

          ntkrpamp!_INTERLOCK_SEQ

          ntkrpamp!_HMAP_TABLE

          ntkrpamp!_HMAP_ENTRY

          ntkrpamp!_OBJECT_SYMBOLIC_LINK

          ntkrpamp!_POOL_BLOCK_HEAD

          ntkrpamp!_POOL_HEADER

          ntkrpamp!_LDR_DATA_TABLE_ENTRY

          ntkrpamp!_VI_DEADLOCK_GLOBALS

          ntkrpamp!_VI_DEADLOCK_NODE

          ntkrpamp!_PF_SCENARIO_TYPE

          ntkrpamp!_THERMAL_INFORMATION

          ntkrpamp!_SECTION_OBJECT

          ntkrpamp!_SEGMENT_OBJECT

          ntkrpamp!_POWER_STATE

          ntkrpamp!_SYSTEM_POWER_STATE

          ntkrpamp!_DEVICE_POWER_STATE

          ntkrpamp!_WMI_LOGGER_CONTEXT

          ntkrpamp!_WMI_LOGGER_MODE

          ntkrpamp!_GUID

          ntkrpamp!_SECURITY_CLIENT_CONTEXT

          ntkrpamp!_TRACE_ENABLE_FLAG_EXTENSION

          ntkrpamp!_KMUTANT

          ntkrpamp!_WMI_BUFFER_HEADER

          ntkrpamp!_CONTROL_AREA

          ntkrpamp!_SUBSECTION

          ntkrpamp!_LARGE_CONTROL_AREA

          ntkrpamp!_MMSECTION_FLAGS

          ntkrpamp!_MMSUBSECTION_FLAGS

          ntkrpamp!_SEGMENT

          ntkrpamp!__unnamed

          ntkrpamp!_EVENT_COUNTER

          ntkrpamp!_HANDLE_TRACE_DEBUG_INFO

          ntkrpamp!_MMSUPPORT_FLAGS

          ntkrpamp!_MMWSL

          ntkrpamp!_EX_WORK_QUEUE

          ntkrpamp!_EPROCESS_QUOTA_ENTRY

          ntkrpamp!_UNICODE_STRING

          ntkrpamp!_PS_JOB_TOKEN_FILTER

          ntkrpamp!_IO_COUNTERS

          ntkrpamp!_SID_AND_ATTRIBUTES

          ntkrpamp!_LUID_AND_ATTRIBUTES

          ntkrpamp!_MM_DRIVER_VERIFIER_DATA

          ntkrpamp!_VPB

          ntkrpamp!_SECTION_OBJECT_POINTERS

          ntkrpamp!_IO_COMPLETION_CONTEXT

          ntkrpamp!_CALL_HASH_ENTRY

          ntkrpamp!_CM_VIEW_OF_FILE

          ntkrpamp!_KLOCK_QUEUE_HANDLE

          ntkrpamp!_MMLISTS

          ntkrpamp!_DEFERRED_WRITE

          ntkrpamp!_HIVE_LIST_ENTRY

          ntkrpamp!_CMHIVE

          ntkrpamp!_SECURITY_IMPERSONATION_LEVEL

          ntkrpamp!_DEVICE_NODE

          ntkrpamp!_PO_DEVICE_NOTIFY

          ntkrpamp!_PNP_DEVNODE_STATE

          ntkrpamp!_IRP

          ntkrpamp!_CM_RESOURCE_LIST

          ntkrpamp!_IO_RESOURCE_REQUIREMENTS_LIST

          ntkrpamp!_INTERFACE_TYPE

          ntkrpamp!_DEVICE_RELATIONS

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_RTL_CRITICAL_SECTION

          ntkrpamp!__unnamed

          ntkrpamp!_KPCR

          ntkrpamp!_NT_TIB

          ntkrpamp!_KIDTENTRY

          ntkrpamp!_KGDTENTRY

          ntkrpamp!_KTSS

          ntkrpamp!_MMCOLOR_TABLES

          ntkrpamp!_PHYSICAL_MEMORY_RUN

          ntkrpamp!_MMPFN

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_MMPFNENTRY

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_MM_SESSION_SPACE

          ntkrpamp!_MM_SESSION_SPACE_FLAGS

          ntkrpamp!__unnamed

          ntkrpamp!_MM_PAGED_POOL_INFO

          ntkrpamp!_MMWSLE

          ntkrpamp!_MMSESSION

          ntkrpamp!_DRIVER_OBJECT

          ntkrpamp!_POOL_DESCRIPTOR

          ntkrpamp!_PEB_LDR_DATA

          ntkrpamp!_RTL_USER_PROCESS_PARAMETERS

          ntkrpamp!_PEB_FREE_BLOCK

          ntkrpamp!_HEAP_FREE_ENTRY

          ntkrpamp!_OWNER_ENTRY

          ntkrpamp!_IO_RESOURCE_LIST

          ntkrpamp!_CM_FULL_RESOURCE_DESCRIPTOR

          ntkrpamp!_CM_PARTIAL_RESOURCE_LIST

          ntkrpamp!_CM_CACHED_VALUE_INDEX

          ntkrpamp!_CELL_DATA

          ntkrpamp!__unnamed

          ntkrpamp!_WNODE_HEADER

          ntkrpamp!_WMI_CLIENT_CONTEXT

          ntkrpamp!_WMI_BUFFER_STATE

          ntkrpamp!_KiIoAccessMap

          ntkrpamp!_DEVICE_OBJECT_POWER_EXTENSION

          ntkrpamp!_POWER_CHANNEL_SUMMARY

          ntkrpamp!_SYSTEM_POWER_POLICY

          ntkrpamp!_POP_THERMAL_ZONE

          ntkrpamp!_POP_ACTION_TRIGGER

          ntkrpamp!_X86_DBGKD_CONTROL_SET

          ntkrpamp!_DBGKD_ANY_CONTROL_SET

          ntkrpamp!_PROCESSOR_POWER_POLICY

          ntkrpamp!_PROCESSOR_POWER_POLICY_INFO

          ntkrpamp!_IMAGE_DOS_HEADER

          ntkrpamp!_HEAP_VIRTUAL_ALLOC_ENTRY

          ntkrpamp!_HEAP_ENTRY_EXTRA

          ntkrpamp!_RTL_ATOM_TABLE

          ntkrpamp!_RTL_HANDLE_TABLE

          ntkrpamp!_RTL_ATOM_TABLE_ENTRY

          ntkrpamp!_IMAGE_ROM_OPTIONAL_HEADER

          ntkrpamp!_KWAIT_REASON

          ntkrpamp!_HHIVE

          ntkrpamp!_CM_KEY_SECURITY_CACHE_ENTRY

          ntkrpamp!_CM_KEY_CONTROL_BLOCK

          ntkrpamp!_WORK_QUEUE_ITEM

          ntkrpamp!_CM_CELL_REMAP_BLOCK

          ntkrpamp!_HANDLE_TRACE_DB_ENTRY

          ntkrpamp!_HBASE_BLOCK

          ntkrpamp!_RTL_BITMAP

          ntkrpamp!_DUAL

          ntkrpamp!_PROCESS_WS_WATCH_INFORMATION

          ntkrpamp!_CM_PARTIAL_RESOURCE_DESCRIPTOR

          ntkrpamp!_DRIVER_EXTENSION

          ntkrpamp!_FAST_IO_DISPATCH

          ntkrpamp!_MMFREE_POOL_ENTRY

          ntkrpamp!_IO_TIMER

          ntkrpamp!_WAIT_CONTEXT_BLOCK

          ntkrpamp!__unnamed

          ntkrpamp!_KDEVICE_QUEUE

          ntkrpamp!_DEVOBJ_EXTENSION

          ntkrpamp!_BITMAP_RANGE

          ntkrpamp!_KUSER_SHARED_DATA

          ntkrpamp!_KSYSTEM_TIME

          ntkrpamp!_KSYSTEM_TIME

          ntkrpamp!_NT_PRODUCT_TYPE

          ntkrpamp!_ALTERNATIVE_ARCHITECTURE_TYPE

          ntkrpamp!_GENERIC_MAPPING

          ntkrpamp!_OBJECT_DUMP_CONTROL

          ntkrpamp!_OB_OPEN_REASON

          ntkrpamp!_ACCESS_STATE

          ntkrpamp!_SECURITY_QUALITY_OF_SERVICE

          ntkrpamp!_SECURITY_OPERATION_CODE

          ntkrpamp!_OBJECT_NAME_INFORMATION

          ntkrpamp!__unnamed

          ntkrpamp!_LARGE_INTEGER

          ntkrpamp!_EXCEPTION_REGISTRATION_RECORD

          ntkrpamp!_MMVAD_LONG

          ntkrpamp!_MMVAD

          ntkrpamp!_MMVAD_FLAGS

          ntkrpamp!__unnamed

          ntkrpamp!_MMVAD_FLAGS2

          ntkrpamp!__unnamed

          ntkrpamp!_MMADDRESS_LIST

          ntkrpamp!__unnamed

          ntkrpamp!_MMBANKED_SECTION

          ntkrpamp!_MMEXTEND_INFO

          ntkrpamp!__unnamed

          ntkrpamp!_MMVIEW

          ntkrpamp!_MEMORY_CACHING_TYPE_ORIG

          ntkrpamp!_EXCEPTION_DISPOSITION

          ntkrpamp!_EXCEPTION_RECORD

          ntkrpamp!_CONTEXT

          ntkrpamp!_POOL_TRACKER_BIG_PAGES

          ntkrpamp!_VI_DEADLOCK_RESOURCE

          ntkrpamp!_VI_DEADLOCK_THREAD

          ntkrpamp!_FLOATING_SAVE_AREA

          ntkrpamp!_IMAGE_DATA_DIRECTORY

          ntkrpamp!_PCI_PDO_EXTENSION

          ntkrpamp!_PCI_MJ_DISPATCH_TABLE

          ntkrpamp!_PCI_SLOT_NUMBER

          ntkrpamp!_PCI_FDO_EXTENSION

          ntkrpamp!_PCI_LOCK

          ntkrpamp!_PCI_PMC

          ntkrpamp!_HMAP_DIRECTORY

          ntkrpamp!_OBJECT_HEADER

          ntkrpamp!_OBJECT_CREATE_INFORMATION

          ntkrpamp!_QUAD

          ntkrpamp!_SECURITY_DESCRIPTOR

          ntkrpamp!_ACL

          ntkrpamp!_RTLP_RANGE_LIST_ENTRY

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_OBJECT_HEADER_CREATOR_INFO

          ntkrpamp!_HEAP_STOP_ON_VALUES

          ntkrpamp!_HEAP_STOP_ON_TAG

          ntkrpamp!_KEXECUTE_OPTIONS

          ntkrpamp!_MODE

          ntkrpamp!_IO_RESOURCE_DESCRIPTOR

          ntkrpamp!_RTL_CRITICAL_SECTION_DEBUG

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_PCI_BUS_INTERFACE_STANDARD

          ntkrpamp!_BUS_HANDLER

          ntkrpamp!_PCI_COMMON_CONFIG

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_SYSPTES_HEADER

          ntkrpamp!_KDEVICE_QUEUE_ENTRY

          ntkrpamp!_IO_ALLOCATION_ACTION

          ntkrpamp!_CM_KEY_HASH

          ntkrpamp!_CM_NAME_CONTROL_BLOCK

          ntkrpamp!_CM_KEY_SECURITY_CACHE

          ntkrpamp!_CACHED_CHILD_LIST

          ntkrpamp!_CM_INDEX_HINT_BLOCK

          ntkrpamp!_PI_RESOURCE_ARBITER_ENTRY

          ntkrpamp!_ARBITER_INTERFACE

          ntkrpamp!_MDL

          ntkrpamp!__unnamed

          ntkrpamp!_IO_STATUS_BLOCK

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_IO_STACK_LOCATION

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_IMAGE_SECTION_HEADER

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_POP_TRIGGER_WAIT

          ntkrpamp!_FILE_BASIC_INFORMATION

          ntkrpamp!_FILE_STANDARD_INFORMATION

          ntkrpamp!_FILE_NETWORK_OPEN_INFORMATION

          ntkrpamp!_COMPRESSED_DATA_INFO

          ntkrpamp!_ETIMER

          ntkrpamp!_POLICY_AUDIT_EVENT_TYPE

          ntkrpamp!_PM_SUPPORT

          ntkrpamp!_MMWSLENTRY

          ntkrpamp!__unnamed

          ntkrpamp!_EXCEPTION_POINTERS

          ntkrpamp!_CURDIR

          ntkrpamp!_RTL_DRIVE_LETTER_CURDIR

          ntkrpamp!_u

          ntkrpamp!_VI_DEADLOCK_RESOURCE_TYPE

          ntkrpamp!_MMPFNLIST

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_OBJECT_HEADER_NAME_INFO

          ntkrpamp!_OBJECT_DIRECTORY

          ntkrpamp!_KINTERRUPT

          ntkrpamp!_KINTERRUPT_MODE

          ntkrpamp!_TOKEN_CONTROL

          ntkrpamp!_PCI_ARBITER_INSTANCE

          ntkrpamp!_PCI_INTERFACE

          ntkrpamp!_ARBITER_INSTANCE

          ntkrpamp!_MMPAGING_FILE

          ntkrpamp!_MMMOD_WRITER_MDL_ENTRY

          ntkrpamp!_BUS_EXTENSION_LIST

          ntkrpamp!_PI_BUS_EXTENSION

          ntkrpamp!_PCI_MN_DISPATCH_TABLE

          ntkrpamp!_PCI_DISPATCH_STYLE

          ntkrpamp!_PCI_COMMON_EXTENSION

          ntkrpamp!_MEMORY_TYPE

          ntkrpamp!_OBJECT_DIRECTORY_ENTRY

          ntkrpamp!_DEVICE_MAP

          ntkrpamp!_HEAP_LOOKASIDE

          ntkrpamp!_ARBITER_ACTION

          ntkrpamp!_ARBITER_PARAMETERS

          ntkrpamp!_CALL_PERFORMANCE_DATA

          ntkrpamp!_MMWSLE_HASH

          ntkrpamp!_STRING

          ntkrpamp!__unnamed

          ntkrpamp!_SECTION_IMAGE_INFORMATION

          ntkrpamp!__unnamed

          ntkrpamp!_PRIVATE_CACHE_MAP_FLAGS

          ntkrpamp!_RTL_HANDLE_TABLE_ENTRY

          ntkrpamp!_POP_IDLE_HANDLER

          ntkrpamp!_TOKEN

          ntkrpamp!_TOKEN_SOURCE

          ntkrpamp!_SEP_AUDIT_POLICY

          ntkrpamp!_TOKEN_TYPE

          ntkrpamp!_SECURITY_TOKEN_PROXY_DATA

          ntkrpamp!_SECURITY_TOKEN_AUDIT_DATA

          ntkrpamp!_TEB

          ntkrpamp!_ACTIVATION_CONTEXT_STACK

          ntkrpamp!_GDI_TEB_BATCH

          ntkrpamp!_Wx86ThreadState

          ntkrpamp!_TEB_ACTIVE_FRAME

          ntkrpamp!_PCI_HEADER_TYPE_0

          ntkrpamp!_PCI_HEADER_TYPE_1

          ntkrpamp!_PCI_HEADER_TYPE_2

          ntkrpamp!__unnamed

          ntkrpamp!_HEAP_FREE_ENTRY_EXTRA

          ntkrpamp!_POOL_TRACKER_TABLE

          ntkrpamp!_PS_QUOTA_TYPE

          ntkrpamp!_flags

          ntkrpamp!_PHYSICAL_MEMORY_DESCRIPTOR

          ntkrpamp!_IMAGE_DEBUG_DIRECTORY

          ntkrpamp!_GUID

          ntkrpamp!_INTERFACE

          ntkrpamp!__unnamed

          ntkrpamp!_MMMOD_WRITER_LISTHEAD

          ntkrpamp!_POP_POWER_ACTION

          ntkrpamp!_POP_SHUTDOWN_BUG_CHECK

          ntkrpamp!_POP_DEVICE_SYS_STATE

          ntkrpamp!_POP_HIBER_CONTEXT

          ntkrpamp!_LPCP_MESSAGE

          ntkrpamp!_PORT_MESSAGE

          ntkrpamp!_MMVAD_SHORT

          ntkrpamp!_SECURITY_SUBJECT_CONTEXT

          ntkrpamp!_INITIAL_PRIVILEGE_SET

          ntkrpamp!_PRIVILEGE_SET

          ntkrpamp!__unnamed

          ntkrpamp!_PNP_DEVICE_EVENT_ENTRY

          ntkrpamp!_PNP_VETO_TYPE

          ntkrpamp!_PLUGPLAY_EVENT_BLOCK

          ntkrpamp!_PNP_DEVICE_EVENT_LIST

          ntkrpamp!_KSPECIAL_REGISTERS

          ntkrpamp!_SECURITY_DESCRIPTOR_RELATIVE

          ntkrpamp!_RTL_RANGE_LIST

          ntkrpamp!_ARBITER_ORDERING_LIST

          ntkrpamp!_ARBITER_ALLOCATION_STATE

          ntkrpamp!_ARBITER_CONFLICT_INFO

          ntkrpamp!_RTL_RANGE

          ntkrpamp!_BUS_DATA_TYPE

          ntkrpamp!_SUPPORTED_RANGES

          ntkrpamp!_PO_DEVICE_NOTIFY_ORDER

          ntkrpamp!_POP_DEVICE_POWER_IRP

          ntkrpamp!_MMSYSTEM_PTE_POOL_TYPE

          ntkrpamp!_CM_NAME_HASH

          ntkrpamp!_PROXY_CLASS

          ntkrpamp!_HANDLE_TABLE_ENTRY

          ntkrpamp!_HANDLE_TABLE_ENTRY_INFO

          ntkrpamp!_LPCP_PORT_OBJECT

          ntkrpamp!_LPCP_PORT_QUEUE

          ntkrpamp!_POOL_HACKER

          ntkrpamp!_IO_SECURITY_CONTEXT

          ntkrpamp!__unnamed

          ntkrpamp!_NAMED_PIPE_CREATE_PARAMETERS

          ntkrpamp!__unnamed

          ntkrpamp!_MAILSLOT_CREATE_PARAMETERS

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_FILE_INFORMATION_CLASS

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_FSINFOCLASS

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_SCSI_REQUEST_BLOCK

          ntkrpamp!__unnamed

          ntkrpamp!_FILE_GET_QUOTA_INFORMATION

          ntkrpamp!__unnamed

          ntkrpamp!_DEVICE_RELATION_TYPE

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_DEVICE_CAPABILITIES

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_DEVICE_USAGE_NOTIFICATION_TYPE

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_POWER_SEQUENCE

          ntkrpamp!__unnamed

          ntkrpamp!_POWER_STATE_TYPE

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_MI_VERIFIER_POOL_HEADER

          ntkrpamp!_MI_VERIFIER_DRIVER_ENTRY

          ntkrpamp!_CM_KEY_BODY

          ntkrpamp!_CM_NOTIFY_BLOCK

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_IA64_DBGKD_CONTROL_SET

          ntkrpamp!_AMD64_DBGKD_CONTROL_SET

          ntkrpamp!_ARBITER_ORDERING

          ntkrpamp!_LPCP_NONPAGED_PORT_QUEUE

          ntkrpamp!_DUMP_STACK_CONTEXT

          ntkrpamp!_PO_MEMORY_RANGE_ARRAY

          ntkrpamp!_PO_HIBER_PERF

          ntkrpamp!_TEB_ACTIVE_FRAME_CONTEXT

          ntkrpamp!_TEB_ACTIVE_FRAME_CONTEXT

          ntkrpamp!_SID

          ntkrpamp!_DUMP_INITIALIZATION_CONTEXT

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_IO_CLIENT_EXTENSION

          ntkrpamp!_FS_FILTER_CALLBACKS

          ntkrpamp!_SID_IDENTIFIER_AUTHORITY

          ntkrpamp!_SUPPORTED_RANGE

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_VI_POOL_ENTRY

          ntkrpamp!_SEP_AUDIT_POLICY_CATEGORIES

          ntkrpamp!_SEP_AUDIT_POLICY_OVERLAY

          ntkrpamp!_PLUGPLAY_EVENT_CATEGORY

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_ADAPTER_OBJECT

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_ARBITER_LIST_ENTRY

          ntkrpamp!_ARBITER_ALTERNATIVE

          ntkrpamp!_PO_NOTIFY_ORDER_LEVEL

          ntkrpamp!_FS_FILTER_CALLBACK_DATA

          ntkrpamp!_CM_KEY_NODE

          ntkrpamp!_CM_KEY_VALUE

          ntkrpamp!_CM_KEY_SECURITY

          ntkrpamp!_CM_KEY_INDEX

          ntkrpamp!_CM_BIG_DATA

          ntkrpamp!__unnamed

          ntkrpamp!_FS_FILTER_PARAMETERS

          ntkrpamp!_VI_POOL_ENTRY_INUSE

          ntkrpamp!_DESCRIPTOR

          ntkrpamp!_CHILD_LIST

          ntkrpamp!_CM_KEY_REFERENCE

          ntkrpamp!_ARBITER_REQUEST_SOURCE

          ntkrpamp!_ARBITER_RESULT

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

          ntkrpamp!_FS_FILTER_SECTION_SYNC_TYPE

          ntkrpamp!__unnamed

          ntkrpamp!__unnamed

lkd> dt nt!_kinterrupt

   +0x000 Type             : Int2B

   +0x002 Size             : Int2B

   +0x004 InterruptListEntry : _LIST_ENTRY

   +0x00c ServiceRoutine   : Ptr32     unsigned char 

   +0x010 ServiceContext   : Ptr32 Void

   +0x014 SpinLock         : Uint4B

   +0x018 TickCount        : Uint4B

   +0x01c ActualLock       : Ptr32 Uint4B

   +0x020 DispatchAddress  : Ptr32     void 

   +0x024 Vector           : Uint4B

   +0x028 Irql             : UChar

   +0x029 SynchronizeIrql  : UChar

   +0x02a FloatingSave     : UChar

   +0x02b Connected        : UChar

   +0x02c Number           : Char

   +0x02d ShareVector      : UChar

   +0x030 Mode             : _KINTERRUPT_MODE

   +0x034 ServiceCount     : Uint4B

   +0x038 DispatchCount    : Uint4B

   +0x03c DispatchCode     : [106] Uint4B

确认当前运行的 Windows 是否为 debug(调试)版本

需要使用 WMI 的 Win32_OperatingSystem 类的 Debug 属性来获得

编写脚本 osversion.vbs

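' osversion.vbs - print OS identification for the local machine through WMI,
' including whether a debug (checked) build of Windows is running.
' Run with: cscript osversion.vbs
Option Explicit

Dim strComputer, objWMIService, colOSes, objOS

' "." selects the local computer.
strComputer = "."

' impersonationLevel=impersonate makes WMI act with the caller's own
' credentials, so the query sees only what the invoking user may read.
' The "_" continuation must be the last character on its line and the
' continued text must follow on the very next line (no blank line between).
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colOSes = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")

For Each objOS In colOSes
    WScript.Echo "Computer Name: " & objOS.CSName
    WScript.Echo "Caption: " & objOS.Caption 'Name
    WScript.Echo "Version: " & objOS.Version 'Version & build
    WScript.Echo "Build Number: " & objOS.BuildNumber 'Build
    ' BuildType is a descriptive string (e.g. "Multiprocessor Free").
    WScript.Echo "Build Type: " & objOS.BuildType
    ' Debug is the boolean property that actually answers the question:
    ' True means a debug (checked) build of the operating system.
    WScript.Echo "Debug Build: " & objOS.Debug
    WScript.Echo "OS Type: " & objOS.OSType
    WScript.Echo "Other Type Description: " & objOS.OtherTypeDescription
    WScript.Echo "Service Pack: " & objOS.ServicePackMajorVersion & "." & _
        objOS.ServicePackMinorVersion
Next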

C:\Documents and Settings\jamin\桌面>cscript osversion.vbs

Microsoft (R) Windows Script Host Version 5.7

版权所有(C) Microsoft Corporation 1996-2001。保留所有权利。

Computer Name: AMD6000

Caption: Microsoft Windows XP Professional

Version: 5.1.2600

Build Number: 2600

Build Type: Multiprocessor Free

OS Type: 18

Other Type Description:

Service Pack: 3.0




原文链接: http://blog.csdn.net/jaminwm/article/details/7229716
