1. Sami Laiho
BlackBelt Troubleshooting
Windows 8.1

2. WHOAMI /ALL (about.me/samilaiho)
•
•
•
•
•
MVP Windows Expert – IT Pro
SpringBoard Technical Expert Panel member
Senior Consultant @ Sovelto
Senior Technical Fellow @ adminize.com
Twitter: @samilaiho

3. Windows XP Deep Dive in 2001 by me

4. Projects
• www.wioski.com – Free replacement for
SteadyState
• www.adminize.com – Getting rid of admin rights
and provide onetime admin passwords
• www.getabrandnewpassword.com – Free and
safe password cracker… I mean changer
• idealinfra.blogspot.com – My blog

5. You get gpedit.msc and we get…

6. Housekeeping
• I will give away one free course attendance
as promised so leave your business card to
participate  Winner will be notified
afterwards so be sure your card has your
email address
• After the session I will stick around for
questions and to give away a few T-shirts

7. Agenda
•
•
•
•
•
•
•
•
Baselines and tools for troubleshooting
Error messages
User accounts in troubleshooting
Prelogon diagnostics
Services
Processes and threads
Safemode etc. in Windows 8.1
BSOD in Windows 8.1

8. BASELINES

9. Baselines
• I always teach people that the logic in
troubleshooting Windows is that there is no logic
•
•
•
•
•
System vs. Boot partition
System32 vs SysWOW64
bowser vs browser
AFD
Hive

10. Tools
• You always need at least:
• Sysinternals Tools
• Sysinternals Suite or http://live.sysinternals.com/
• Debugging Tools
• Not so much for debugging but for supporting Sysinternals
Tools
• Message analyzer
• Windows 7/8 can capture traces without it with NETSH TRACE
• Windows 8.1 is the fisrt to support remote network monitoring

11. ERROR DESCRIPTIONS

12. Error descriptions
• To be able to troubleshoot you need good
error descriptions especially in Windows 8.1

13. Error description example
• ”My computer just broke” vs…

15. Tools for capturing errors
•
•
•
•
•
Net helpmsg & winrm helpmsg
Copy/Paste dialogs
Snipping tool
Windows + Print Screen
PSR

16. Sami Laiho
DEMO – ERROR DESCRIPTIONS
IN WINDOWS 8.1

17. USER ACCOUNTS IN
TROUBLESHOOTING

18. SYSTEM vs Admin
• SYSTEM
• Has more user privileges than Administrator (even
the Built in one)
• Doesn’t need to worry about policies
• Can see stuff Admin can’t
• Can stop processes Admin can’t
• Has a higher integrity level than Administrator

19. Mandatory Integrity Control

20. Mandatory Integrity Control to blaim?
• In Windows Vista+ if you don’t have access to
a file and you are sure you should:
• 1. TAKEOWN.exe
• 2. iCacls /SetIntegrityLevel

21. Running as SYSTEM #1

22. Running as SYSTEM #2
PSEXEC –SID cmd.exe

23. Sami Laiho
DEMO – USING THE SYSTEMACCOUNT

24. PRELOGON DIAGNOSTICS

25. Basic info on logon?
• Event logs are a good start but to do
BlackBelt troubleshooting you need:
• SYSTEM-account to diagnose what happens
before logon
• Session 0 to diagnose what happens during
logon

26. Building from the ground up - Prelogon
• What happens before logon
and how to diagnose it
• Slow logons, Startup script
problems, inability to
logon…
• Windows has three
accounts that never log off
• SYSTEM, Local Service and
Network Service

27. Sami Laiho
DEMO – PRELOGON
DIAGNOSTICS

28. More info on logon?
• If you need more
info on your logon
don’t forget
Autoruns from
Sysinternals

29. More info on logon?
• If you need to dig even deeper use Windows
Performance Toolkit

31. BACKGROUND SERVICES

32. Background services
• Services not starting/running in Windows 8.1
• Basics: It’s a security issue or something else
• Security
• Security log, Secpol.msc, Process Explorer, Process
Monitor
• Something else
• Process Monitor

33. Process Monitor example

34. What a service can or cannot do
• You have to become a Service
• When you start referring to services as He or
She you’re getting the point

35. Service accounts and user rights
• He/She can use three built in accounts

36. Service accounts have SIDs
• In Windows 8.1 they have a SID as well
• They become Security Principals

37. Service accounts have SIDs

38. Sami Laiho
DEMO – SERVICE PRIVILEGES

39. PROCESSES AND THREADS

40. Processes and threads
• In Windows a process can’t really do anything
• Task Manager only shows processes…
• Threads can actually do something
• Search engines probably know the answer to your question
so the real problem with them is noise
• How to get rid of noise?
• Make your searches are more accurate
• Make sure you get results from people who have at least a clue on
what they’re doing
• Learn to diagnose threads instead of processes

41. Case – Hanged virtual machine
• VM totally stuck…
• Task manager looks like this

42. Case – Hanged virtual machine
• Task Manager
shows that
SYSTEM is causing
the problem…

43. Case – Hanged virtual machine
• Process Explorer shows Threads!

44. Case – Hanged virtual machine
• Removed the virtual floppy
because it was pointing to
a nonexisting file 

45. Sami Laiho
DEMO – PROCESSES VS
THREADS

46. SAFEMODE ETC.

47. How to access boot options in
Windows 8.1
• Shift-Restart or
Same if you want
to goto your
UEFI!

48. Why is a PC working in Safemode?
• Safemode is configured in the registry

49. Semi-SafeMode – MSCONFIG &
AUTORUNS

50. Sami Laiho
DEMO – USING AND MANIPULATING
SAFE MODE

51. WINDOWS 8.1 BSOD

52. Changes in BSOD in Windows 8
HKEY_LOCAL_MACHINESystemCurrentControlSet
ControlCrashControl
None
0x0
Complete memory dump 0x1
Kernel memory dump
Small memory dump
Automatic memory
dump
0x2
0x3
0x7

53. Make sure you are able to crash when
needed!
• http://support.microsoft.com/kb/244139

55. Basics of BSOD analysis
• Install Debugging tools
• Set the systemwide variable _NT_SYMBOL_PATH
to
SRV*C:symbols*http://msdl.microsoft.com/dow
nload/symbols
• http://support.microsoft.com/kb/311503
• Use WINDBGOpen Crash Dump or DaRT’s
Memory Dump Analyzer

56. Please evaluate the session
before you leave

Enroll to my free newsletter at:
http://eepurl.com/F-GOj
T-Shirts? Be quick! Remember
business cards!!