sami laiho - black belt troubleshooting windows 8.1
![Page 1: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/1.jpg)
Sami Laiho
BlackBelt Troubleshooting Windows 8.1
![Page 2: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/2.jpg)
WHOAMI /ALL (about.me/samilaiho)
• MVP Windows Expert – IT Pro
• SpringBoard Technical Expert Panel member
• Senior Consultant @ Sovelto
• Senior Technical Fellow @ adminize.com
• Twitter: @samilaiho
![Page 3: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/3.jpg)
Windows XP Deep Dive in 2001 by me
![Page 4: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/4.jpg)
Projects
• www.wioski.com – Free replacement for SteadyState
• www.adminize.com – Getting rid of admin rights and providing one-time admin passwords
• www.getabrandnewpassword.com – Free and safe password cracker… I mean changer
• idealinfra.blogspot.com – My blog
![Page 5: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/5.jpg)
You get gpedit.msc and we get…
![Page 6: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/6.jpg)
Housekeeping
• I will give away one free course attendance as promised, so leave your business card to participate. The winner will be notified afterwards, so be sure your card has your email address
• After the session I will stick around for questions and to give away a few T-shirts
![Page 7: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/7.jpg)
Agenda
• Baselines and tools for troubleshooting
• Error messages
• User accounts in troubleshooting
• Prelogon diagnostics
• Services
• Processes and threads
• Safemode etc. in Windows 8.1
• BSOD in Windows 8.1
![Page 8: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/8.jpg)
BASELINES
![Page 9: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/9.jpg)
Baselines
• I always teach people that the logic in troubleshooting Windows is that there is no logic
• System vs. Boot partition (the system partition holds the boot files, the boot partition holds Windows)
• System32 vs SysWOW64 (64-bit binaries live in System32, 32-bit ones in SysWOW64)
• bowser vs browser (bowser.sys, the datagram receiver driver, is not a misspelling of the Browser service)
• AFD (Ancillary Function Driver, the kernel side of Winsock)
• Hive (a section of the registry backed by its own file on disk)
![Page 10: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/10.jpg)
Tools
• You always need at least:
• Sysinternals Tools
• Sysinternals Suite or http://live.sysinternals.com/
• Debugging Tools
• Not so much for debugging but for supporting Sysinternals (symbol resolution in Process Explorer, Process Monitor etc.)
Tools
• Message Analyzer
• Windows 7/8 can capture traces without it with NETSH TRACE
• Windows 8.1 is the first to support remote network monitoring
![Page 11: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/11.jpg)
ERROR DESCRIPTIONS
![Page 12: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/12.jpg)
Error descriptions
• To be able to troubleshoot you need good error descriptions especially in Windows 8.1
![Page 13: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/13.jpg)
Error description example
• ”My computer just broke” vs…
![Page 14: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/14.jpg)
![Page 15: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/15.jpg)
Tools for capturing errors
• Net helpmsg & winrm helpmsg
• Copy/Paste dialogs
• Snipping tool
• Windows + Print Screen
• PSR
![Page 16: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/16.jpg)
DEMO – ERROR DESCRIPTIONS IN WINDOWS 8.1
Sami Laiho
![Page 17: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/17.jpg)
USER ACCOUNTS IN TROUBLESHOOTING
![Page 18: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/18.jpg)
SYSTEM vs Admin
• SYSTEM
• Has more user privileges than Administrator (even the built-in one)
• Doesn't need to worry about policies
• Can see stuff Admin can't
• Can stop processes Admin can't
• Has a higher integrity level than Administrator
![Page 19: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/19.jpg)
Mandatory Integrity Control
![Page 20: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/20.jpg)
Mandatory Integrity Control to blame?
• In Windows Vista+ if you don’t have access to a file and you are sure you should:
• 1. TAKEOWN.exe
• 2. iCacls /SetIntegrityLevel
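Before running the two steps above it pays to check what is actually denying access. The following is an added example, not from the deck: it reports the owner, the integrity label and the ACEs that apply to the calling user, and wraps the TAKEOWN / ICACLS fix so you only apply it once the report shows ownership or the label is the problem. The file path at the bottom is just a sample; run it from an elevated prompt. Keep in mind that the default MIC policy is No-Write-Up, so the label explains failed writes and deletes, rarely failed reads; most "access denied" is a plain DACL problem.

```powershell
# Added example (not from the deck): inspect before you take ownership. Run elevated.
function Get-FileAccessReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path                 # owner + DACL (Get-Acl does not show the label)
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent()

    # icacls prints an explicit label as "Mandatory Label\High Mandatory Level:(NW)";
    # no such line means the implicit default, Medium.
    $label = & icacls.exe $Path 2>&1 | Select-String 'Mandatory Label\\(\w+) Mandatory Level' |
             ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1
    if (-not $label) { $label = 'Medium (implicit)' }

    # ACEs that match the caller's user SID or any group SID in the token.
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $myAces = $acl.Access | Where-Object {
        try   { $mySids -contains $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { $false }                       # unmappable (orphaned) SID: cannot be ours
    }

    [pscustomobject]@{
        Path           = $Path
        Owner          = $acl.Owner
        IntegrityLabel = $label
        MatchingAces   = ($myAces | ForEach-Object {
                             "$($_.AccessControlType) $($_.FileSystemRights) to $($_.IdentityReference)" }) -join '; '
    }
}

# The deck's two-step fix, plus the ACE that ownership alone does not give you.
function Repair-FileAccess {
    param([Parameter(Mandatory)][string]$Path, [ValidateSet('L','M','H')][string]$Level = 'M')
    & takeown.exe /F $Path | Out-Null                       # needs SeTakeOwnershipPrivilege (admins have it)
    & icacls.exe $Path /setintegritylevel $Level | Out-Null # a label above your own token's level needs SeRelabelPrivilege
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    & icacls.exe $Path /grant "${who}:(F)" | Out-Null       # owner only gets READ_CONTROL/WRITE_DAC implicitly
    Get-FileAccessReport -Path $Path
}

Get-FileAccessReport -Path 'C:\Windows\System32\drivers\etc\hosts'   # sample path
```

Both takeown and a relabel change the object's security descriptor, which matters if the file is evidence; capture the report first.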
![Page 21: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/21.jpg)
Running as SYSTEM #1
![Page 22: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/22.jpg)
PSEXEC -sid cmd.exe (-s run as SYSTEM, -i interactive on the console session, -d don't wait; the same as -s -i -d)
Running as SYSTEM #2
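To see the differences the "SYSTEM vs Admin" slide lists instead of taking them on faith, run the same script as an elevated admin and then under PsExec. This is an added example, not from the deck; the script path is a placeholder, and it assumes PsExec is on the PATH and run from an elevated prompt (-s requires that). Without -i the process lands in session 0, which is the view you need for the prelogon section later in the deck.

```powershell
# Added example (not from the deck). Save as C:\tools\Show-Context.ps1 (placeholder) and run:
#   powershell -File C:\tools\Show-Context.ps1                              (admin, your session)
#   psexec -accepteula -s -i powershell -File C:\tools\Show-Context.ps1     (SYSTEM, your session)
#   psexec -accepteula -s    powershell -File C:\tools\Show-Context.ps1     (SYSTEM, session 0)
function Show-Context {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $grp  = & whoami.exe /groups /fo csv | ConvertFrom-Csv      # columns: Group Name, Type, SID, Attributes
    $priv = & whoami.exe /priv   /fo csv | ConvertFrom-Csv      # columns: Privilege Name, Description, State
    $lbl  = ($grp | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

    [pscustomobject]@{
        User         = $id.Name                                  # NT AUTHORITY\SYSTEM vs COMPUTER\admin
        Session      = (Get-Process -Id $PID).SessionId          # 0 = service session, 1+ = interactive
        Integrity    = $lbl -replace '^Mandatory Label\\'        # "System Mandatory Level" vs "High ..."
        PrivCount    = @($priv).Count
        # The privileges that make SYSTEM "more than admin": neither exists in an admin token.
        HasTcb       = [bool]($priv | Where-Object { $_.'Privilege Name' -eq 'SeTcbPrivilege' })
        HasCreateTok = [bool]($priv | Where-Object { $_.'Privilege Name' -eq 'SeCreateTokenPrivilege' })
        # "Can see stuff Admin can't": the SAM hive's DACL grants read only to SYSTEM.
        CanReadSAM   = [bool](Get-Item 'HKLM:\SAM\SAM\Domains' -ErrorAction SilentlyContinue)
    }
}

Show-Context | Format-List
```

PsExec installs its PSEXESVC service on the target for the duration of the run; anyone who can do this is already an administrator there, so treat it as a troubleshooting tool, not a permanent fixture.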
![Page 23: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/23.jpg)
DEMO – USING THE SYSTEM-ACCOUNT
Sami Laiho
![Page 24: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/24.jpg)
PRELOGON DIAGNOSTICS
![Page 25: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/25.jpg)
Basic info on logon?
• Event logs are a good start but to do BlackBelt troubleshooting you need:
• SYSTEM-account to diagnose what happens before logon
• Session 0 to diagnose what happens during logon
![Page 26: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/26.jpg)
Building from the ground up - Prelogon
• What happens before logon and how to diagnose it
• Slow logons, startup script problems, inability to logon…
• Windows has three accounts that never log off
• SYSTEM, Local Service and Network Service
![Page 27: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/27.jpg)
DEMO – PRELOGON DIAGNOSTICS
Sami Laiho
![Page 28: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/28.jpg)
More info on logon?
• If you need more info on your logon don’t forget Autoruns from Sysinternals
![Page 29: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/29.jpg)
More info on logon?
• If you need to dig even deeper use Windows Performance Toolkit
![Page 30: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/30.jpg)
![Page 31: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/31.jpg)
BACKGROUND SERVICES
![Page 32: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/32.jpg)
Background services
• Services not starting/running in Windows 8.1
• Basics: it's a security issue or something else
• Security
• Security log, Secpol.msc, Process Explorer, Process Monitor
• Something else
• Process Monitor
![Page 33: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/33.jpg)
Process Monitor example
![Page 34: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/34.jpg)
What a service can or cannot do
• You have to become a Service
• When you start referring to services as He or She you’re getting the point
![Page 35: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/35.jpg)
Service accounts and user rights
• He/She can use three built-in accounts
![Page 36: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/36.jpg)
Service accounts have SIDs
• In Windows 8.1 they have a SID as well (the per-service SID, NT SERVICE\<name>, has existed since Windows Vista)
• They become Security Principals
![Page 37: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/37.jpg)
Service accounts have SIDs
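The account a service runs as, the per-service SID it owns and the privileges the SCM leaves in its token are three different things, and the demo that follows is about all three. The following is an added example, not from the deck, that pulls them together with sc.exe; the service names at the bottom are samples that exist on a default Windows 8.1 install. Run it elevated.

```powershell
# Added example (not from the deck): identity, per-service SID and privileges of a service.
function Get-ServiceIdentity {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $cfg = Get-CimInstance Win32_Service -Filter "Name='$Name'"
        if (-not $cfg) { Write-Warning "no service named $Name"; return }

        # sc showsid derives S-1-5-80-... from the name (a hash, so it works even for a
        # service that is not installed yet); qsidtype says whether the SCM puts it in the token.
        $sid  = (& sc.exe showsid $Name  | Select-String 'S-1-5-80[\d-]+').Matches[0].Value
        $type = (& sc.exe qsidtype $Name | Select-String 'SERVICE_SID_TYPE:\s*(\w+)').Matches[0].Groups[1].Value
        # qprivs lists the privileges the service declared it needs. When every service in a
        # shared process declares them, the SCM strips the account's other privileges at start.
        $privs = (& sc.exe qprivs $Name | Select-String 'Se\w+Privilege' -AllMatches).Matches.Value

        [pscustomobject]@{
            Name       = $Name
            RunsAs     = $cfg.StartName           # LocalSystem, NT AUTHORITY\LocalService, ...
            ServiceSid = $sid                     # usable in ACLs as "NT SERVICE\$Name"
            SidType    = $type                    # NONE = not in token, UNRESTRICTED, RESTRICTED
            Privileges = if ($privs) { $privs -join ',' } else { '(none declared: account default applies)' }
        }
    }
}

'wuauserv', 'EventLog', 'Spooler', 'W32Time' | Get-ServiceIdentity | Format-Table -AutoSize

# Least-privilege use of the per-service SID: grant one service access to a path instead of
# every LocalSystem process on the box. Path is a placeholder.
# icacls.exe C:\ServiceData /grant "NT SERVICE\W32Time:(OI)(CI)(R)"
```

When a service "cannot" do something, compare its declared privileges with what the operation needs before touching the account it runs as; changing LocalService to LocalSystem to make an error go away is the opposite of troubleshooting.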
![Page 38: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/38.jpg)
DEMO – SERVICE PRIVILEGES
Sami Laiho
![Page 39: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/39.jpg)
PROCESSES AND THREADS
![Page 40: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/40.jpg)
Processes and threads
• In Windows a process can't really do anything
• Task Manager only shows processes…
• Threads can actually do something
• Search engines probably know the answer to your question, so the real problem with them is noise
• How to get rid of noise?
• Make your searches more accurate
• Make sure you get results from people who have at least a clue on what they're doing
• Learn to diagnose threads instead of processes
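Task Manager stops at the process, which is why a pegged "System" process tells you nothing. The following is an added example, not from the deck, that samples the threads of one process the way Process Explorer's Threads tab does, using the Thread performance counters (which need no handle to the thread, so they work for the System process) joined with the process snapshot for state and wait reason. Process name, sample length and Top are parameters; run it elevated.

```powershell
# Added example (not from the deck): which thread of a process is burning CPU right now.
function Get-BusyThreads {
    param([string]$ProcessName = 'System', [int]$Top = 5, [int]$SampleSeconds = 5)

    # One sample per thread; Get-Counter takes the two raw readings a rate counter needs,
    # $SampleSeconds apart, before returning the single sample requested.
    $paths   = "\Thread($ProcessName/*)\% Processor Time", "\Thread($ProcessName/*)\ID Thread"
    $samples = (Get-Counter -Counter $paths -SampleInterval $SampleSeconds -MaxSamples 1 `
                            -ErrorAction SilentlyContinue).CounterSamples

    $cpu = @{}; $tid = @{}
    foreach ($s in $samples) {
        # Path looks like \\host\thread(system/12)\% processor time
        if ($s.Path -match '\\thread\(([^)]+)\)\\(.+)$') {
            if ($Matches[2] -eq '% processor time') { $cpu[$Matches[1]] = $s.CookedValue }
            else                                     { $tid[$Matches[1]] = [int]$s.CookedValue }
        }
    }

    # State, wait reason and start address come from the process snapshot (no OpenThread).
    $proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    $snap = @{}
    foreach ($t in $proc.Threads) { $snap[$t.Id] = $t }

    $cpu.Keys | ForEach-Object {
        $id = $tid[$_]; $t = $snap[$id]
        [pscustomobject]@{
            Pid          = $proc.Id
            Tid          = $id
            CpuPercent   = [math]::Round($cpu[$_], 1)     # of one logical CPU; 100 = one core pegged
            State        = if ($t) { $t.ThreadState } else { 'gone' }
            WaitReason   = if ($t -and $t.ThreadState -eq 'Wait') { $t.WaitReason } else { '' }
            # Process Explorer resolves this to module!function when the Debugging Tools and
            # symbols are installed, which is why the deck lists them as a required tool.
            StartAddress = if ($t) { '0x{0:X}' -f $t.StartAddress.ToInt64() } else { '' }
        }
    } | Sort-Object CpuPercent -Descending | Select-Object -First $Top
}

Get-BusyThreads -ProcessName System | Format-Table -AutoSize
```

A thread that is Running with a start address inside a third-party driver is the usual answer to "SYSTEM is using all the CPU"; a thread in Wait state with WaitReason Executive or UserRequest is waiting on something else and is not the culprit.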
![Page 41: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/41.jpg)
Case – Hung virtual machine
• VM totally stuck…
• Task manager looks like this
![Page 42: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/42.jpg)
Case – Hung virtual machine
• Task Manager shows that SYSTEM is causing the problem…
![Page 43: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/43.jpg)
Case – Hung virtual machine
• Process Explorer shows Threads!
![Page 44: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/44.jpg)
Case – Hung virtual machine
• Removed the virtual floppy because it was pointing to a nonexistent file
![Page 45: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/45.jpg)
DEMO – PROCESSES VS THREADS
Sami Laiho
![Page 46: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/46.jpg)
SAFEMODE ETC.
![Page 47: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/47.jpg)
How to access boot options in Windows 8.1
• Shift+Restart or
• Same if you want to go to your UEFI firmware settings!
![Page 48: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/48.jpg)
Why is a PC working in Safemode?
• Safemode is configured in the registry (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network)
![Page 49: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/49.jpg)
Semi-SafeMode – MSCONFIG & AUTORUNS
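"It works in Safe Mode" means the culprit is among the services and drivers Safe Mode does not load, and the SafeBoot keys are the authoritative list of what it does load. The following is an added example, not from the deck; the registry paths and bcdedit switches are real, the service name MyAgent is a placeholder. Run it elevated.

```powershell
# Added example (not from the deck): read, compare against and manipulate the Safe Mode list.
$SafeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-SafeBootEntries {
    param([ValidateSet('Minimal','Network')][string]$Mode = 'Minimal')
    # Each subkey is a service name, driver name, device setup-class GUID or load-order group;
    # the (Default) value says which kind ("Service", "Driver", "Driver Group", ...).
    Get-ChildItem "$SafeBoot\$Mode" | ForEach-Object {
        [pscustomobject]@{ Entry = $_.PSChildName; Kind = $_.GetValue('') }
    }
}

function Get-ServicesSkippedInSafeMode {
    param([ValidateSet('Minimal','Network')][string]$Mode = 'Minimal')
    $allowed = (Get-SafeBootEntries -Mode $Mode).Entry
    # A Win32 service loads in Safe Mode if its name or its load-order group is listed.
    Get-CimInstance Win32_Service | Where-Object {
        $group = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" `
                                   -ErrorAction SilentlyContinue).Group
        -not ($allowed -contains $_.Name) -and -not ($group -and ($allowed -contains $group))
    } | Select-Object Name, StartMode, State, PathName
}

# 1. The suspect list: auto-start services running now that Safe Mode would have skipped.
Get-ServicesSkippedInSafeMode | Where-Object { $_.State -eq 'Running' -and $_.StartMode -eq 'Auto' }

# 2. Manipulating Safe Mode: make one more service start there. This is also what malware
#    does to survive Safe Mode, so an unexpected entry here is an incident-response finding.
# New-Item "$SafeBoot\Minimal\MyAgent" -Value 'Service' | Out-Null

# 3. Boot into Safe Mode next time without Shift+Restart, then undo it afterwards.
# bcdedit.exe /set '{current}' safeboot minimal
# bcdedit.exe /deletevalue '{current}' safeboot
```

The "semi-Safe Mode" on the slide is the same idea done by hand: disable the suspect list in MSCONFIG or Autoruns a few entries at a time until the problem goes away, rather than booting a crippled system.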
![Page 50: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/50.jpg)
DEMO – USING AND MANIPULATING SAFE MODE
Sami Laiho
![Page 51: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/51.jpg)
WINDOWS 8.1 BSOD
![Page 52: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/52.jpg)
Changes in BSOD in Windows 8
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl, value CrashDumpEnabled (REG_DWORD):

| Dump type | Value |
|---|---|
| None | 0x0 |
| Complete memory dump | 0x1 |
| Kernel memory dump | 0x2 |
| Small memory dump | 0x3 |
| Automatic memory dump (new in Windows 8) | 0x7 |
![Page 53: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/53.jpg)
Make sure you are able to crash when needed!
• http://support.microsoft.com/kb/244139 (CrashOnCtrlScroll: force a bugcheck from the keyboard)
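A dump setting is only useful if the machine can actually write a dump and you can trigger one when the hang happens. The following is an added example, not from the deck, that sets the CrashDumpEnabled value from the table above, checks the paging-file prerequisite, and enables the KB244139 keyboard crash for the keyboard drivers the KB names. Run it elevated; the settings take effect after a reboot. Two caveats a security engineer would add: once CrashOnCtrlScroll is on, anyone at the console or KVM can bugcheck the box, and a complete or kernel dump contains whatever was in memory, credentials included, so protect the dump file and turn the switch off again when you are done.

```powershell
# Added example (not from the deck): dump configuration and crash-on-demand. Run elevated.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    $cc    = Get-ItemProperty $CrashControl
    $kinds = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
    [pscustomobject]@{
        CrashDumpEnabled   = "$($cc.CrashDumpEnabled) ($($kinds[[int]$cc.CrashDumpEnabled]))"
        DumpFile           = $cc.DumpFile
        # Kernel/automatic dumps are written through the paging file on the boot volume;
        # no paging file there = no dump, whatever CrashDumpEnabled says.
        BootVolumePagefile = [bool](Get-CimInstance Win32_PageFileUsage |
                                    Where-Object { $_.Name -like "$env:SystemDrive\*" })
    }
}

function Enable-CrashOnCtrlScroll {
    # KB244139: hold the right CTRL key and press SCROLL LOCK twice.
    # i8042prt = PS/2, kbdhid = USB keyboards, hyperkbd = Hyper-V synthetic keyboard.
    foreach ($drv in 'i8042prt', 'kbdhid', 'hyperkbd') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv")) { continue }  # driver not present
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters"
        if (-not (Test-Path $key)) { New-Item $key | Out-Null }
        Set-ItemProperty $key -Name CrashOnCtrlScroll -Value 1 -Type DWord
        "$drv : CrashOnCtrlScroll enabled"
    }
}

Set-ItemProperty $CrashControl -Name CrashDumpEnabled -Value 7 -Type DWord   # Automatic (Windows 8+)
Enable-CrashOnCtrlScroll
Get-CrashDumpConfig
```

To undo, set CrashOnCtrlScroll back to 0 under the same keys; the dump-type value can stay.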
![Page 54: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/54.jpg)
![Page 55: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/55.jpg)
Basics of BSOD analysis
• Install Debugging Tools
• Set the system-wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
• http://support.microsoft.com/kb/311503
• Use WinDbg (File > Open Crash Dump) or DaRT's Memory Dump Analyzer
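The three steps above as a script, so the first look at a dump does not need the GUI: set the symbol path from the slide machine-wide, open the dump with the console debugger kd.exe and run !analyze -v, then pull out the lines that answer "what crashed and who is probably to blame". This is an added example, not from the deck. It assumes the Debugging Tools are installed from the Windows 8.1 SDK at the path shown (adjust if yours differ), that the machine can reach the Microsoft symbol server, and that the dump is where CrashControl\DumpFile points. Run it elevated (the machine-scope variable needs it).

```powershell
# Added example (not from the deck): first-pass crash dump analysis from the command line.
$Kd = "${env:ProgramFiles(x86)}\Windows Kits\8.1\Debuggers\x64\kd.exe"   # Windows 8.1 SDK default

# Step 2 of the slide: the symbol path, machine-wide for new consoles and in this one right now.
$SymPath = 'SRV*C:\symbols*http://msdl.microsoft.com/download/symbols'
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $SymPath, 'Machine')
$env:_NT_SYMBOL_PATH = $SymPath

function Get-CrashSummary {
    param([string]$DumpFile = "$env:SystemRoot\MEMORY.DMP")
    if (-not (Test-Path $Kd))       { throw "kd.exe not found at $Kd; install the Debugging Tools" }
    if (-not (Test-Path $DumpFile)) { throw "no dump at $DumpFile (check CrashControl\DumpFile)" }

    # -z opens a dump, -c runs commands and 'q' quits: the same as File > Open Crash Dump
    # in WinDbg followed by !analyze -v, minus the window.
    $out  = & $Kd -z $DumpFile -c '!analyze -v; q' 2>&1 | Out-String -Stream

    # The !analyze fields that matter on a first pass (names differ slightly between versions).
    $pick = '^(BUGCHECK_CODE|BUGCHECK_STR|Probably caused by|MODULE_NAME|IMAGE_NAME|PROCESS_NAME|FAILURE_BUCKET_ID)\s*:'
    $summary = [ordered]@{ DumpFile = $DumpFile }
    foreach ($line in $out) {
        if ($line -match "$pick\s*(.+)$") { $summary[$Matches[1]] = $Matches[2].Trim() }
    }
    if ($summary.Count -eq 1) {
        $summary['Note'] = 'no !analyze output: check the symbol path, network access to the symbol server, and that the dump is complete'
    }
    [pscustomobject]$summary
}

Get-CrashSummary | Format-List
```

"Probably caused by" is a heuristic: when it names a Microsoft kernel module, look at the call stack in the full !analyze -v output for the third-party driver that called into it before blaming Windows.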
![Page 56: Sami Laiho - Black belt troubleshooting windows 8.1](https://reader034.vdocuments.mx/reader034/viewer/2022050804/546f57c8b4af9f220c8b46bc/html5/thumbnails/56.jpg)
Please evaluate the session before you leave
Enroll to my free newsletter at: http://eepurl.com/F-GOj
T-Shirts? Be quick! Remember business cards!!