Windows debugging made easy

At this year's TechEd, Microsoft fellow Mark Russinovich makes Windows debugging look easy--and fun

When it comes to debugging hard-to-diagnose software and operating-system problems, there is no set recipe. Rather debugging is all about "having the right tools and knowing how to use them," advised Microsoft technical fellow Mark Russinovich at the close of the Microsoft TechEd conference, held this week in Atlanta.

Among the highlights of each year's TechEd conference are the technology demonstrations. Smart Microsoft and partner engineers walk attendees through how to use some new technology in a step-by-step process, making it seem easy -- or even fun -- to deploy.

And one of the most popular demonstrations over the past few years has been Russinovich's "Cases of the Unexplained," in which he shows how he and others tracked down hard-to-pinpoint errors in Windows deployments.

This year, of course, was no exception. Before a packed auditorium, Russinovich debugged a number of tricky problems using only a handful of free tools, many created by Russinovich himself, including Process Explorer and Process Monitor. He borrowed many examples in his presentation from his blog, where he collects user stories of tough problems.

In the cases Russinovich demonstrated, the root causes of the misbehaving systems were not readily obvious. This was especially true of software that, he noted, when it crashes, offers little instruction about its downfall. "Programs do a bad job of telling what went wrong," he said. Yet he showed that it is possible to carefully track the symptom of the problem back to the cause.

One example Russinovich dubbed "the case of the slow website." This example was submitted to Russinovich by a system administrator from an unnamed company. The organization's users were complaining of slow performance of some internal Web pages. The admin tracked all the Web pages to a single server, then ran Process Explorer, which shows all the processes on a server, and how much memory and CPU resources each thread of a process is consuming.

The admin identified one thread that was hogging more than a quarter of the server's resources. Doing a Web search, he found that the related process belonged to a Windows management driver that, in turn, communicated with the server chassis' management controller provided by the server manufacturer. The two components were having difficulty in communicating, so the communication between them spiked.

The difficulty turned out to be that the blade server was not slotted into the rack appropriately. The user reseated the server chassis and the server quickly returned to delivering its Web pages speedily.

Another problem came not from misbehaving equipment or software, but rather from user behavior. "This case came into the Microsoft Exchange support team," Russinovich said.

Users complained that Microsoft Exchange would periodically delay responding for up to 30 seconds. Microsoft requested the customer to log the server performance using Performance Monitor, which showed periodic spikes in CPU utilization. Using ProcDump, a Microsoft engineer created a script that would capture all the process information whenever processor usage went above a certain threshold.

Looking through the results, the engineer found an Exchange search function was consuming many of the cycles. The sluggishness was caused by the fact that a number of users had humongous mailboxes, which when they searched through them, would spike the server load. The admin instructed the users to reduce the size of their mailboxes, or organize them better. As a result of such tidying up on the users' part, server performance improved.

In a third case, Russinovich's wife had complained that the Windows Photo Gallery would hang after showing a movie. The bug was particularly annoying to her, as she was showing friends some home movies. A friend of hers even quipped, "This never happens with a Mac."

Russinovich reran the Photo Gallery software while capturing all the processes in Process Monitor. "When in doubt run Process Monitor," he advised. He matched the time of the hang with all the processes running at that time. While most of the processes were routine, he found an unusual system call, ironically enough, to an Apple QuickTime object, which was the source of program hang. "Sure enough, it was from that company that doesn't know how to write Windows software," he joked.

Russinovich also showed the audience how to rid a machine of a bad case of malware. This example also came from a user submission, detailing how the infected computer had a particularly thorough piece of malware that blocked all attempts to run any sort of diagnostic, anti-virus or system administration tools.

One way around the block, Russinovich advised, consisted of running another program he had written called Desktops, which lets the user set up four virtual desktops for the computer. The user can then switch among the desktops, each of which ran independently of the others. While not a diagnostic tool per se, Desktops could be used to repair the malware-riddled computer. The malware monitored any activity on the main desktop, but it was unaware of the other desktops, one of which Russinovich used to run anti-virus tools.

Finally, no debugging session would be complete without diagnosing the infamous Windows Blue Screen of Death (BSOD) error. Despite the severity of the problem, "It is incredibly easy to do crash analysis" on a BSOD, he said. Russinovich explained that such a crash happens when something goes wrong within the operating system's kernel memory space, such as a device driver that tries to access memory allotted to another program. Because Windows' first priority is "to protect data," it will shut down as soon as a program acts outside allotted memory space, he said.

After a system crash, Microsoft will offer an analysis upon reboot of the machine, which can point to drivers that need to be updated or other fixes. Even if this help message proves unhelpful, the administrator can check for the crash dump file that Windows produces when it crashes, Russinovich said. This is either found in the Windows directory, or in a subdirectory called Minidump. A program called Windows Debugger can examine the file and provide more information about what possibly caused the crash.

The presentation "makes you want to go home and crash your computer," one attendee said afterward.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftoperating systemssoftwareWindowsWindows 7diagnosticssystem managementUtilitiesWindows desktopTECH ED

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?