Sami Laiho - Black belt troubleshooting windows 8.1

Published in: Technology

  1. Sami Laiho BlackBelt Troubleshooting Windows 8.1
  2. WHOAMI /ALL (about.me/samilaiho)
     • MVP Windows Expert – IT Pro
     • SpringBoard Technical Expert Panel member
     • Senior Consultant @ Sovelto
     • Senior Technical Fellow @ adminize.com
     • Twitter: @samilaiho
  3. Windows XP Deep Dive in 2001 by me
  4. Projects
     • www.wioski.com – Free replacement for SteadyState
     • www.adminize.com – Getting rid of admin rights and providing one-time admin passwords
     • www.getabrandnewpassword.com – Free and safe password cracker… I mean changer
     • idealinfra.blogspot.com – My blog
  5. You get gpedit.msc and we get…
  6. Housekeeping
     • I will give away one free course attendance as promised, so leave your business card to participate. The winner will be notified afterwards, so be sure your card has your email address.
     • After the session I will stick around for questions and to give away a few T-shirts
  7. Agenda
     • Baselines and tools for troubleshooting
     • Error messages
     • User accounts in troubleshooting
     • Prelogon diagnostics
     • Services
     • Processes and threads
     • Safemode etc. in Windows 8.1
     • BSOD in Windows 8.1
  8. BASELINES
  9. Baselines
     • I always teach people that the logic in troubleshooting Windows is that there is no logic
     • System vs. Boot partition
     • System32 vs SysWOW64
     • bowser vs browser
     • AFD
     • Hive
  10. Tools
     • You always need at least:
       • Sysinternals Tools
         • Sysinternals Suite or http://live.sysinternals.com/
       • Debugging Tools
         • Not so much for debugging but for supporting Sysinternals Tools
       • Message Analyzer
         • Windows 7/8 can capture traces without it with NETSH TRACE
         • Windows 8.1 is the first to support remote network monitoring
  11. ERROR DESCRIPTIONS
  12. Error descriptions
     • To be able to troubleshoot you need good error descriptions, especially in Windows 8.1
  13. Error description example
     • “My computer just broke” vs…
  14. Tools for capturing errors
     • Net helpmsg & winrm helpmsg
     • Copy/Paste dialogs
     • Snipping tool
     • Windows + Print Screen
     • PSR
  15. Sami Laiho DEMO – ERROR DESCRIPTIONS IN WINDOWS 8.1
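Slide 14 names `net helpmsg` and `winrm helpmsg` as the way to turn a bare error number into a description. The PowerShell function below is an added example, not part of the deck, that does the same decoding in one place: Win32 codes (what `net helpmsg` handles), HRESULTs that wrap a Win32 code (`0x8007xxxx`), and other HRESULTs (what `winrm helpmsg` handles). The function name and the accepted input forms are my choices; the .NET calls it relies on are standard.

```powershell
# Added example (not from the slides): decode an error number the way
# "net helpmsg" (Win32 codes) and "winrm helpmsg" (HRESULTs) do.
function Get-ErrorDescription {
    param([Parameter(Mandatory)][string]$Code)

    # Normalise "5", "0x80070005" or "-2147024891" to one unsigned 32-bit value.
    [uint32]$value = if ($Code -match '^0x[0-9a-fA-F]+$') {
        [Convert]::ToUInt32($Code.Substring(2), 16)
    } elseif ([int64]$Code -lt 0) {
        [uint32]([int64]$Code + 0x100000000)
    } else {
        [uint32]$Code
    }

    if ($value -lt 0x10000) {
        # Plain Win32 error code: the "net helpmsg" case.
        $kind = 'Win32'
        $msg  = (New-Object ComponentModel.Win32Exception -ArgumentList ([int]$value)).Message
    } elseif (($value -band 0xFFFF0000) -eq 0x80070000) {
        # HRESULT in FACILITY_WIN32: the low 16 bits are the Win32 code.
        $kind = 'HRESULT (Win32)'
        $msg  = (New-Object ComponentModel.Win32Exception -ArgumentList ([int]($value -band 0xFFFF))).Message
    } else {
        # Any other HRESULT (COM, WinRM, ...): the "winrm helpmsg" case.
        $kind = 'HRESULT'
        $hr   = [BitConverter]::ToInt32([BitConverter]::GetBytes($value), 0)
        $msg  = [Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
    }

    [pscustomobject]@{
        Code    = '0x{0:X8}' -f $value
        Kind    = $kind
        Message = $msg
    }
}

# Usage: both forms of the same error decode to "Access is denied."
Get-ErrorDescription 5
Get-ErrorDescription 0x80070005
```

For HRESULTs whose message table is not registered on the machine, the last branch falls back to the generic "Exception from HRESULT" text; that is the point at which `winrm helpmsg` on a machine with the relevant component installed gives the better description.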
  16. USER ACCOUNTS IN TROUBLESHOOTING
  17. SYSTEM vs Admin
     • SYSTEM
       • Has more user privileges than Administrator (even the built-in one)
       • Doesn’t need to worry about policies
       • Can see stuff Admin can’t
       • Can stop processes Admin can’t
       • Has a higher integrity level than Administrator
  18. Mandatory Integrity Control
  19. Mandatory Integrity Control to blame?
     • In Windows Vista+, if you don’t have access to a file and you are sure you should:
       • 1. TAKEOWN.exe
       • 2. iCacls /SetIntegrityLevel
  20. Running as SYSTEM #1
  21. Running as SYSTEM #2
     PSEXEC -s -i -d cmd.exe
  22. Sami Laiho DEMO – USING THE SYSTEM ACCOUNT
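Slide 19 gives the two-step fix for a file that Mandatory Integrity Control has made inaccessible: TAKEOWN, then ICACLS /setintegritylevel. The script below is an added example, not from the deck, that first shows how to read the current label (so you know the label is actually the cause before changing anything) and then wraps the two steps with exit-code checks. Function names are mine; the `icacls` output format it parses is the standard "Mandatory Label\... Mandatory Level:(...)" line.

```powershell
# Added example (not from the slides): check a file's mandatory integrity
# label, and apply the two-step fix from the slide (TAKEOWN, then
# ICACLS /setintegritylevel) only when asked to.
function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    # icacls prints an explicit label as e.g. "Mandatory Label\Low Mandatory Level:(NW)".
    # No such line means the object has no explicit label and is treated as Medium.
    $text = (& icacls.exe $Path 2>&1) -join "`n"
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level:(\S*)') {
        [pscustomobject]@{ Path = $Path; Level = $Matches[1]; Policy = $Matches[2]; Explicit = $true }
    } else {
        [pscustomobject]@{ Path = $Path; Level = 'Medium'; Policy = ''; Explicit = $false }
    }
}

function Reset-IntegrityLabel {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('L', 'M', 'H')][string]$Level = 'M'   # Low, Medium, High
    )
    # Step 1 from the slide: take ownership so the ACL can be changed.
    # Needs an elevated prompt (SeTakeOwnershipPrivilege).
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path (exit $LASTEXITCODE)" }

    # Step 2: set the label explicitly. M restores the default for user files.
    & icacls.exe $Path /setintegritylevel $Level | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path (exit $LASTEXITCODE)" }

    Get-IntegrityLabel $Path
}

# Usage (elevated): inspect first, then fix only if the label really is the cause.
# Get-IntegrityLabel 'C:\Temp\stuck.txt'
# Reset-IntegrityLabel 'C:\Temp\stuck.txt' -Level M
```

If `Get-IntegrityLabel` reports Medium with no explicit label, the access problem is in the DACL or ownership rather than in MIC, and `/setintegritylevel` will not help; check the DACL lines of the same `icacls` output instead.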
  23. PRELOGON DIAGNOSTICS
  24. Basic info on logon?
     • Event logs are a good start, but to do BlackBelt troubleshooting you need:
       • The SYSTEM account to diagnose what happens before logon
       • Session 0 to diagnose what happens during logon
  25. Building from the ground up – Prelogon
     • What happens before logon and how to diagnose it
       • Slow logons, startup script problems, inability to log on…
     • Windows has three accounts that never log off
       • SYSTEM, Local Service and Network Service
  26. Sami Laiho DEMO – PRELOGON DIAGNOSTICS
  27. More info on logon?
     • If you need more info on your logon, don’t forget Autoruns from Sysinternals
  28. More info on logon?
     • If you need to dig even deeper, use Windows Performance Toolkit
  29. BACKGROUND SERVICES
  30. Background services
     • Services not starting/running in Windows 8.1
     • Basics: it’s a security issue or something else
       • Security
         • Security log, Secpol.msc, Process Explorer, Process Monitor
       • Something else
         • Process Monitor
  31. Process Monitor example
  32. What a service can or cannot do
     • You have to become a Service
     • When you start referring to services as He or She you’re getting the point
  33. Service accounts and user rights
     • He/She can use three built-in accounts
  34. Service accounts have SIDs
     • In Windows 8.1 they have a SID as well
     • They become Security Principals
  35. Service accounts have SIDs
  36. Sami Laiho DEMO – SERVICE PRIVILEGES
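Slides 30 to 35 cover two things: sorting a service that will not start into "security issue" vs "something else", and the fact that services are security principals with their own SID. The script below is an added example, not from the deck, that serves both: it lists automatic services that are not running together with the account they run as and the most recent Service Control Manager start-failure event, and it derives each service's SID. The SID derivation (`S-1-5-80-` plus the SHA-1 of the upper-cased UTF-16LE service name split into five DWORDs) is the documented Windows algorithm; `sc.exe showsid <name>` prints the same value and is the check to compare against. Function names are mine.

```powershell
# Added example (not from the slides): first-pass triage of services that
# should be running but are not, plus the service SID the slide mentions.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$Name)
    # Service SIDs are derived, not stored: S-1-5-80- followed by the SHA-1 of
    # the upper-cased UTF-16LE service name, read as five little-endian DWORDs.
    $bytes = [Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $hash  = [Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($subs -join '-')
}

function Get-ServiceStartFailures {
    param([int]$Hours = 24)

    # Automatic services that are not running: the "not starting" case.
    $stopped = Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }

    # Service Control Manager events: 7000 = failed to start, 7001 = dependency
    # failed, 7009 = timeout. An "Access is denied" text here points at the
    # security branch of the slide; anything else at Process Monitor.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7001, 7009
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($svc in $stopped) {
        # SCM events name the service by its display name.
        $hits = $events | Where-Object { $_.Message -like "*$($svc.DisplayName)*" }
        [pscustomobject]@{
            Name       = $svc.Name
            Account    = $svc.StartName            # the "He/She" of the slide
            ServiceSid = Get-ServiceSid $svc.Name  # compare with: sc.exe showsid <name>
            LastError  = ($hits | Select-Object -First 1).Message
        }
    }
}

# Usage: run elevated so the System log and all service properties are readable.
Get-ServiceStartFailures -Hours 48 | Format-List
```

Delayed-start services also report `StartMode = Auto`, so shortly after boot they may appear in the list without being a problem; the `LastError` column is what separates a real failure from a service that simply has not started yet.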
  37. PROCESSES AND THREADS
  38. Processes and threads
     • In Windows a process can’t really do anything
       • Task Manager only shows processes…
     • Threads can actually do something
     • Search engines probably know the answer to your question, so the real problem with them is noise
     • How to get rid of noise?
       • Make your searches more accurate
       • Make sure you get results from people who have at least a clue about what they’re doing
       • Learn to diagnose threads instead of processes
  39. Case – Hung virtual machine
     • VM totally stuck…
     • Task Manager looks like this
  40. Case – Hung virtual machine
     • Task Manager shows that SYSTEM is causing the problem…
  41. Case – Hung virtual machine
     • Process Explorer shows threads!
  42. Case – Hung virtual machine
     • Removed the virtual floppy because it was pointing to a non-existent file
  43. Sami Laiho DEMO – PROCESSES VS THREADS
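The hung-VM case turns on looking at threads rather than the process, which Task Manager cannot do. The function below is an added example, not from the deck, that lists the busiest threads of a named process by CPU time and wait state from PowerShell, the same data as the Threads tab in Process Explorer. It does not resolve thread start addresses to modules; for that step the slides' answer (Process Explorer with the Debugging Tools installed for symbols) still applies. The function name is mine.

```powershell
# Added example (not from the slides): look at threads instead of processes,
# which is the point of the hung-VM case. Lists a process's threads by CPU
# time and wait state, the data Process Explorer's Threads tab shows.
function Get-BusyThreads {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # e.g. 'System' for the slide's case
        [int]$Top = 5
    )
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $proc.Threads |
            Sort-Object TotalProcessorTime -Descending |
            Select-Object -First $Top |
            ForEach-Object {
                [pscustomobject]@{
                    Process    = "$($proc.ProcessName) ($($proc.Id))"
                    ThreadId   = $_.Id
                    CpuSeconds = [math]::Round($_.TotalProcessorTime.TotalSeconds, 2)
                    State      = $_.ThreadState
                    # WaitReason is only meaningful while the thread is in the Wait state
                    WaitReason = if ($_.ThreadState -eq 'Wait') { $_.WaitReason } else { '-' }
                }
            }
    }
}

# Usage (elevated, so the System process's threads are readable):
Get-BusyThreads -ProcessName System -Top 5 | Format-Table -AutoSize
```

Run it twice a few seconds apart: a thread whose `CpuSeconds` keeps climbing while the machine is "stuck" is the one to open in Process Explorer, where its start address tells you which driver or module it belongs to (in the slide's case, the virtual floppy driver chasing a file that no longer existed).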
  44. SAFEMODE ETC.
  45. How to access boot options in Windows 8.1
     • Shift + Restart, or the same if you want to go to your UEFI!
  46. Why is a PC working in Safemode?
     • Safemode is configured in the registry
  47. Semi-SafeMode – MSCONFIG & AUTORUNS
  48. Sami Laiho DEMO – USING AND MANIPULATING SAFE MODE
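Slide 46 says Safe Mode is configured in the registry: the SafeBoot\Minimal and SafeBoot\Network keys list, by service name or driver group, what is allowed to load. So "it works in Safe Mode" means the culprit is something not on that list. The script below is an added example, not from the deck, that turns that observation into a shortlist: automatic services and boot/system/auto drivers that are not permitted in the chosen Safe Mode variant. The function name is mine; the registry paths are the standard Windows ones.

```powershell
# Added example (not from the slides): Safe Mode is configured under
# HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\{Minimal,Network}. Anything
# not listed there does not load in Safe Mode, so the list of auto-start
# items missing from it is the shortlist when a PC works only in Safe Mode.
function Get-SafeModeSuspects {
    param([ValidateSet('Minimal', 'Network')][string]$Mode = 'Minimal')

    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode"
    # Subkey names are service names or driver group names allowed in this mode.
    $allowed = @((Get-ChildItem -LiteralPath $key).PSChildName)

    # Services that start automatically but are not allowed in Safe Mode.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $allowed -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Start = $_.StartMode
                               Group = ''; Path = $_.PathName }
        }

    # Drivers are allowed either by name or by their driver Group.
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } |
        ForEach-Object {
            $group = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" `
                        -ErrorAction SilentlyContinue).Group
            if ($allowed -notcontains $_.Name -and $allowed -notcontains $group) {
                [pscustomobject]@{ Kind = 'Driver'; Name = $_.Name; Start = $_.StartMode
                                   Group = $group; Path = $_.PathName }
            }
        }

    $services + $drivers | Sort-Object Kind, Name
}

# Usage: compare against what MSCONFIG/Autoruns would let you disable one by one.
Get-SafeModeSuspects -Mode Minimal | Format-Table -AutoSize
```

The list is deliberately broad (every third-party driver and most non-core services will appear); its value is that it is the complete set of candidates, so the MSCONFIG/Autoruns "semi-Safe Mode" elimination on slide 47 can be done over that set instead of by guesswork.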
  49. WINDOWS 8.1 BSOD
  50. Changes in BSOD in Windows 8
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl
     • 0x0 – None
     • 0x1 – Complete memory dump
     • 0x2 – Kernel memory dump
     • 0x3 – Small memory dump
     • 0x7 – Automatic memory dump
  51. Make sure you are able to crash when needed!
     • http://support.microsoft.com/kb/244139
  52. Basics of BSOD analysis
     • Install Debugging Tools
     • Set the system-wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
       • http://support.microsoft.com/kb/311503
     • Use WinDbg > Open Crash Dump, or DaRT’s Memory Dump Analyzer
  53. Please evaluate the session before you leave
     • Enroll in my free newsletter at: http://eepurl.com/F-GOj
     • T-Shirts? Be quick!
     • Remember business cards!!
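Slides 50 to 52 are a checklist: the CrashControl dump type, the ability to force a crash when needed (KB244139), and a system-wide _NT_SYMBOL_PATH for WinDbg. The script below is an added example, not from the deck, that audits all three read-only so a machine is known to be dump-ready before it crashes. The `CrashDumpEnabled`, `DumpFile`, `MinidumpDir` and `AutoReboot` value names under CrashControl and the `CrashOnCtrlScroll` value under the keyboard driver keys (kbdhid for USB, i8042prt for PS/2, as KB244139 describes) are the standard Windows ones; the function name and the `Ready` summary field are mine.

```powershell
# Added example (not from the slides): audit a machine's crash-dump setup
# before you need a dump. Read-only; the registry values are the ones the
# slides point at (CrashControl, KB244139, _NT_SYMBOL_PATH).
$DumpTypes = @{
    0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
    3 = 'Small memory dump'; 7 = 'Automatic memory dump'   # 0x7 is new in Windows 8
}

function Get-CrashDumpReadiness {
    $cc   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $type = [int]$cc.CrashDumpEnabled          # holds the 0x0/0x1/0x2/0x3/0x7 value from the slide

    # KB244139: a keyboard-initiated crash needs CrashOnCtrlScroll = 1 under the
    # keyboard driver's Parameters key (kbdhid for USB, i8042prt for PS/2).
    $ctrlScroll = foreach ($drv in 'kbdhid', 'i8042prt') {
        $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters" -ErrorAction SilentlyContinue
        "$drv=$([int]$p.CrashOnCtrlScroll)"
    }

    # The symbol path must be set Machine-wide, not just in your own session,
    # or WinDbg started from another account/session will not find symbols.
    $symPath = [Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', 'Machine')

    [pscustomobject]@{
        DumpType          = ('0x{0:X} {1}' -f $type, $DumpTypes[$type])
        DumpFile          = $cc.DumpFile
        MinidumpDir       = $cc.MinidumpDir
        AutoReboot        = [bool]$cc.AutoReboot
        CrashOnCtrlScroll = $ctrlScroll -join ', '
        SymbolPath        = $symPath
        # A dump will be written and WinDbg can resolve symbols.
        Ready             = ($type -ne 0) -and -not [string]::IsNullOrEmpty($symPath)
    }
}

Get-CrashDumpReadiness | Format-List
```

`Ready = False` with `DumpType 0x0 None` is the case slide 51 warns about: the machine will blue-screen and leave nothing to analyse. An empty `SymbolPath` produces a dump that WinDbg opens but cannot annotate until the variable from slide 52 is set at Machine scope.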
