zodiacon / windowsinternals Goto Github PK

Windows Internals Book 7th edition Tools

License: MIT License

C++ 21.16% C 78.84%

windowsinternals's Introduction

Windows Internals Book 7th Edition Tools

The Windows Internals book, 7th edition Part 1, uses many tools to demonstrate various features of the Windows operating system. Most are from Sysinternals (http://www.sysinternals.com) and built-in tools. But some tools were written by Alex Ionescu and myself and used in the book; these are be published here with full source code.

Please note that these tools were NOT written by or endorsed by Microsoft. They are provided "as is" without any warranties or guarantees. For all I know, they might format your hard drive or even the entire World Wide Web. :) Use at your own risk!

windowsinternals's People

Contributors

Stargazers

Watchers

Forkers

m0n0ph1 ttred wasseresser louwangzhiyuy embix tracesrc alphonsetai hoangcuongflp heruix enascimento jinyu00 adolfoeliazat brianwrf sasqwatch jeperez supersam84 chickfilaonsunday techlord-rce johnhubcr 3453-315h dreamermx kakagapo paulogeneses captincook h0k5 whb224117 slpcat eau-u4f jerry-bond 258625232 snollyg0st3r codeabyss yottayuan rootjacker coolboy4me etheaven sezginakman jack51706 ajblane jackbro shiningheart dragon307 songbei6 hksuki ohio813 sp4rrovv evildiamond marcosd4h cupertinodude xmoezzz dougmack cosogor moha19 vaginessa kgv bill1316 alchemycyberblaze jkloop45 jarlob fingerleakers tralivali1234 rkornmeyer quikilr cxmlg zhaozhongshu jk-ayaan limkokholefork chjhaijiang heikipikker vonbluebaugh loca1h0st herculesrance fcccode ggulgun kexuwang snow-summer xydoublez mor8 merryyang wax100628 bb33bb atitx garsha codegear1982 tolismoure lzq123218 numiame marianapapava stanzhengdev gbatson her0r0cket ajgappmark xiewanjing ja3eschien timvuon y11en deelmind amohanta mrragava jdesktop

windowsinternals's Issues

How to "escape" the system-wide CPU set?

Thanks for a great book Pavel, and for sharing code samples. I'm interested in using CPU Sets to dedicate certain CPU cores to real-time signal processing tasks.

I've played a bit with CpuSet.exe based on the instructions in Windows Internals 7th ed. Part 1, and have successfully managed to change the system-wide CPU set. Changing the CPU set for a given process also works, but only within the system-wide CPU set. This means that I'm not able to reproduce "EXPERIMENT: CPU sets" in the book where CPU 0 is dedicated to the CPUSTRESS process.

Any advise on how to configure a process to "escape" the system-wide CPU set, so that it can get dedicated CPU cores?

Not sure if it's relevant, but I'm running Win10 Pro version 1903 (64bit) build 18362.267.

ctrl2cap

Hi zodiacon,
Please see a question regarding wininternal tool, specifically ctrl2cap. Is there a way to modify the tool to convert "~" to another character. Default behavior is to convert "CAPS LOCK" to "Left CONTROL"?
Thanks.
Regards,
aagarwal584

awesome

so great ,thanks

Having compiled releases

Hello @zodiacon

Do you mind adding compiled release in github ?

Thanks/

SlPolicy typo

Hello,

The SlPolicy tool has a typo in SiPolicy.cpp on line 107.

"SShell" should be "Shell" for the query to succeed (tested on RS2).

Thanks for a cool utility 👍

Windows Kernel Error

Hello,
I writing simple driver for your book, and have error with

DriverObject->MajorFunction[IRP_MJ_CREATE] = PriorityBoosterCreateClose;

Visual Studio2019 says, that NTSTATUS no equal PDRIVER_DISPATCH

Why?

I write
DriverObject->MajorFunction[IRP_MJ_CREATE] = (PDRIVER_DISPATCH)PriorityBoosterCreateClose;

But is it right way?

meminfo crashing on WIndows 10 1903

meminfo is crashing at "Initializing PFN database.
it just quit no done or error message.

event log:
Faulting application name: MemInfo.exe, version: 0.0.0.0, time stamp: 0x5c57bd17
Faulting module name: MemInfo.exe, version: 0.0.0.0, time stamp: 0x5c57bd17
Exception code: 0xc0000005
Fault offset: 0x0000000000001fce
Faulting process id: 0x23b8
Faulting application start time: 0x01d54620e00d49fd
Faulting application path: C:\Users\ghisl\Desktop\MemInfo.exe
Faulting module path: C:\Users\ghisl\Desktop\MemInfo.exe
Report Id: 2fd25e31-09ed-4a65-9d3b-dc8f2221dec4
Faulting package full name:
Faulting package-relative application ID:

MemInfo.exe -a Access violation

(62ac.3cd0): Access violation - code c0000005 (!!! second chance !!!)
*** WARNING: Unable to verify checksum for D:\git\personal\zodiacon\WindowsInternals\x64\Debug\MemInfo.exe
MemInfo!PfiInitializePfnDatabase+0x29e:
00007ff602563c8e 48894808 mov qword ptr [rax+8],rcx ds:000001cbb7b54008=????????????????
0:000> kv

Child-SP RetAddr : Args to Child : Call Site

00 000000700b4ff560 00007ff602565441 : 00007ff602570658 00007ff60256ee40 000000700b4ff688 000000700b4ff6b0 : MemInfo!PfiInitializePfnDatabase+0x29e [D:\git\personal\zodiacon\WindowsInternals\MemInfo\MemInfo.cpp @ 223]
01 000000700b4ff850 00007ff602566479 : 0000071800000002 000001cbb45e6d80 0000000000000000 00007ff602567acd : MemInfo!main+0x401 [D:\git\personal\zodiacon\WindowsInternals\MemInfo\MemInfo.cpp @ 1024]
02 000000700b4ffc70 00007ff60256631e : 00007ff60256e000 00007ff60256e220 0000000000000000 0000000000000000 : MemInfo!invoke_main+0x39 [d:\A01_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 79]
03 000000700b4ffcc0 00007ff6025661de : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : MemInfo!__scrt_common_main_seh+0x12e [d:\A01_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
04 000000700b4ffd30 00007ff60256650e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : MemInfo!__scrt_common_main+0xe [d:\A01_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331]
05 000000700b4ffd60 00007ff9ddcc7034 : 000000700b3db000 0000000000000000 0000000000000000 0000000000000000 : MemInfo!mainCRTStartup+0xe [d:\A01_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp @ 17]
06 000000700b4ffd90 00007ff9df9a2651 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
07 000000700b4ffdc0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
0:000> dv
j = 0x0022f600ccefc36c PfnOffset = 0 BadPfn = 0 i = 0 SuperfetchInfo = struct _SUPERFETCH_INFORMATION Pfn1 = 0x000001cbb7b54000
BitMapBuffer = 0x000001cbb45f0370 PfnDbStart = 0x000001cbb46e2040
PfnCount = 0x22f600
Node = 0x000000700b4ff720 k = 0x22f6a1 ResultLength = 0 Status = 0n-858993460 0:000> dt Pfn1 Local var @ 0x700b4ff608 Type _MMPFN_IDENTITY* 0x000001cbb7b54000
+0x000 u1 : _MMPFN_IDENTITY::
+0x008 PageFrameIndex : ??
+0x010 u2 : _MMPFN_IDENTITY::
Memory read error 000001cbb7b54008
0:000> r
rax=000001cbb7b54000 rbx=0000000000000000 rcx=0022f600ccefc36c
rdx=00000000000117b0 rsi=00007ff6025736d8 rdi=00007ff6025736c8
rip=00007ff602563c8e rsp=000000700b4ff560 rbp=000000700b4ff580
r8=000001cbb45f0370 r9=00000000ffffffff r10=0000000000000000
r11=000000700b4ff101 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
MemInfo!PfiInitializePfnDatabase+0x29e:
00007ff602563c8e 48894808 mov qword ptr [rax+8],rcx ds:000001cbb7b54008=????????????????
0:000> dq rax+8
000001cbb7b54008 ???????????????? ???????????????? 000001cbb7b54018 ???????????????? ????????????????
000001cbb7b54028 ???????????????? ???????????????? 000001cbb7b54038 ???????????????? ????????????????
000001cbb7b54048 ???????????????? ???????????????? 000001cbb7b54058 ???????????????? ????????????????
000001cbb7b54068 ???????????????? ???????????????? 000001cbb7b54078 ???????????????? ????????????????

[UwpList] packageName always empty

Hi!

when getting the package name in DisplayProcessInfo
after auto error = ::GetPackageFullName(...);

should check error == ERROR_INSUFFICIENT_BUFFER instead of ERROR_SUCCESS
the name unique_ptr should be declared before the if scope, or else it goes out of scope, and packageName will be a dangling pointer

UwpList - BuildCapabilityMap parser bug

Hello,

The BuildCapabilityMap function in the UwpList project fails to parse the caps.txt file.

The .gitattributes file for this repository specifies "text=auto" and Github defaults to LF (\n) line endings for text files - this causes the BuildCapabilityMap function to fail parsing the caps.txt file since the line endings were changed from CRLF (\r\n) to LF (\n) when the code was committed.

You will need to change the BuildCapabilityMap function, line 150 from:
auto cr = ::strstr(caps, "\r\n");
To:
auto cr = ::strstr(caps, "\n");

And line 168 from:
caps = cr + 2;
To:
caps = cr + 1;

Otherwise anyone downloading the UwpList project won't be able to use it properly.

Since these are all Windows based tools and files, I highly suggest changing the .gitattributes file to use "text=crlf" and just re-commit the code to save time and prevent future issues.

[UwpList] handling caps.txt line feed encoding

in UwpList.cpp in BuildCapabilityMap
string name(caps, cr - 1); assumes \r\n line feed but after getting sources, it was \n only.

Thus string name(caps, cr-1); creates a truncated string, as cr points at the last string char, and not one past it.

I suggest adding if (*(cr - 1) == '\r') cr--; and then string name(caps, cr); to be line feed agnostic.

this also makes sense with if (*cr == '\r') cr++; later, as it can't be both \n and '\r'.

builds

How about attaching builds to release tags or a hint in the README that downloads of the builds are available here? :-)