Sami Laiho - Black belt troubleshooting windows 8.1
Nordic Infrastructure Conference
Transcript of Sami Laiho - Black belt troubleshooting windows 8.1
Sami Laiho
BlackBelt Troubleshooting Windows 8.1
WHOAMI /ALL (about.me/samilaiho)
• MVP Windows Expert – IT Pro
• SpringBoard Technical Expert Panel member
• Senior Consultant @ Sovelto
• Senior Technical Fellow @ adminize.com
• Twitter: @samilaiho
Windows XP Deep Dive in 2001 by me
Projects
• www.wioski.com – Free replacement for SteadyState
• www.adminize.com – Getting rid of admin rights and provide onetime admin passwords
• www.getabrandnewpassword.com – Free and safe password cracker… I mean changer
• idealinfra.blogspot.com – My blog
You get gpedit.msc and we get…
Housekeeping
• I will give away one free course attendance as promised, so leave your business card to participate. The winner will be notified afterwards, so be sure your card has your email address
• After the session I will stick around for questions and to give away a few T-shirts
Agenda
• Baselines and tools for troubleshooting
• Error messages
• User accounts in troubleshooting
• Prelogon diagnostics
• Services
• Processes and threads
• Safemode etc. in Windows 8.1
• BSOD in Windows 8.1
BASELINES
Baselines
• I always teach people that the logic in troubleshooting Windows is that there is no logic
• System vs. Boot partition
• System32 vs SysWOW64
• bowser vs browser
• AFD
• Hive
Tools
• You always need at least:
  • Sysinternals Tools
    • Sysinternals Suite or http://live.sysinternals.com/
  • Debugging Tools
    • Not so much for debugging but for supporting Sysinternals
Tools
• Message Analyzer
  • Windows 7/8 can capture traces without it with NETSH TRACE
  • Windows 8.1 is the first to support remote network monitoring
ERROR DESCRIPTIONS
Error descriptions
• To be able to troubleshoot you need good error descriptions, especially in Windows 8.1
Error description example
• "My computer just broke" vs…
Tools for capturing errors
• Net helpmsg & winrm helpmsg
• Copy/Paste dialogs
• Snipping tool
• Windows + Print Screen
• PSR
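The codes that end up in an error description rarely arrive in the shape `net helpmsg` wants: the same failure is printed as a decimal Win32 code, a negative signed HRESULT, a hex HRESULT or an NTSTATUS. The following Python helper is an added example (not code from the deck) that folds those shapes into one another using the documented HRESULT and NTSTATUS bit layouts; the small message table inside it is constructed for the demo and `net helpmsg` remains the real source.

```python
# Added example (not part of Sami Laiho's deck): normalise the error codes that
# land in an error description so they can be fed to `net helpmsg` or looked up.
# The same failure shows up in several shapes: decimal Win32 ("5"), signed
# HRESULT as .NET/COM print it ("-2147024891"), hex HRESULT ("0x80070005")
# or NTSTATUS from a driver or the kernel ("0xC0000022").
import re

FACILITY_WIN32 = 7  # HRESULTs wrapped from a Win32 error carry this facility

# Constructed mini-lookup for the demo; `net helpmsg <code>` is the real source.
WIN32_MESSAGES = {
    2: "The system cannot find the file specified.",
    5: "Access is denied.",
    32: "The process cannot access the file because it is being used by another process.",
}


def parse_code(text):
    """Turn '5', '-2147024891', '0x80070005' or '0xC0000022' into an unsigned 32-bit int."""
    text = text.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", text):
        value = int(text, 16)
    elif re.fullmatch(r"-?\d+", text):
        value = int(text, 10)
    else:
        raise ValueError(f"not an error code: {text!r}")
    return value & 0xFFFFFFFF  # fold the signed decimal form into the unsigned one


def hresult_from_win32(code):
    """Same arithmetic as the SDK's HRESULT_FROM_WIN32 macro: 5 -> 0x80070005."""
    if code <= 0:
        return code
    return (code & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def decode_hresult(value):
    """Split an HRESULT into severity/facility/code; FACILITY_WIN32 maps back to a Win32 error."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    return {
        "kind": "HRESULT",
        "failed": bool(value >> 31),
        "facility": facility,
        "code": code,
        "win32": code if facility == FACILITY_WIN32 else None,
    }


def decode_ntstatus(value):
    """Split an NTSTATUS into severity (0 success, 1 info, 2 warning, 3 error), facility, code."""
    return {
        "kind": "NTSTATUS",
        "severity": (value >> 30) & 0b11,
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,
    }


def describe(text):
    """Best-effort classification of one code string copied from an error dialog or log."""
    value = parse_code(text)
    if value < 0x10000:
        # Plain Win32 error: exactly what `net helpmsg N` expects.
        return {"kind": "Win32", "win32": value,
                "message": WIN32_MESSAGES.get(value, f"run: net helpmsg {value}")}
    if (value >> 30) == 0b11:
        # Both top bits set (0xC...): an NTSTATUS error. Note the ambiguity: 0x8xxxxxxx
        # can be either an HRESULT or an NTSTATUS warning; we treat it as an HRESULT,
        # which is by far the more common thing to see in an error description.
        return decode_ntstatus(value)
    info = decode_hresult(value)
    if info["win32"] is not None:
        info["message"] = WIN32_MESSAGES.get(info["win32"], f"run: net helpmsg {info['win32']}")
    return info


if __name__ == "__main__":
    for sample in ("5", "-2147024891", "0x80070005", "0x80004005", "0xC0000022"):
        print(sample, "->", describe(sample))
```

The useful habit this encodes: when a user pastes "-2147024891", convert it before searching, because the forums and `net helpmsg` know the same error as 5 / 0x80070005 ("Access is denied").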
DEMO – ERROR DESCRIPTIONS IN WINDOWS 8.1
USER ACCOUNTS IN TROUBLESHOOTING
SYSTEM vs Admin
• SYSTEM
  • Has more user privileges than Administrator (even the built-in one)
• Doesn’t need to worry about policies
• Can see stuff Admin can’t
• Can stop processes Admin can’t
• Has a higher integrity level than Administrator
Mandatory Integrity Control
Mandatory Integrity Control to blame?
• In Windows Vista+ if you don’t have access to a file and you are sure you should:
• 1. TAKEOWN.exe
• 2. iCacls /SetIntegrityLevel
Running as SYSTEM #1
PSEXEC -SID cmd.exe
Running as SYSTEM #2
DEMO – USING THE SYSTEM-ACCOUNT
PRELOGON DIAGNOSTICS
Basic info on logon?
• Event logs are a good start but to do BlackBelt troubleshooting you need:
• SYSTEM-account to diagnose what happens before logon
• Session 0 to diagnose what happens during logon
Building from the ground up - Prelogon
• What happens before logon and how to diagnose it
  • Slow logons, startup script problems, inability to logon…
• Windows has three accounts that never log off
  • SYSTEM, Local Service and Network Service
DEMO – PRELOGON DIAGNOSTICS
More info on logon?
• If you need more info on your logon don’t forget Autoruns from Sysinternals
More info on logon?
• If you need to dig even deeper use Windows Performance Toolkit
BACKGROUND SERVICES
Background services
• Services not starting/running in Windows 8.1
• Basics: it's a security issue or something else
  • Security: Security log, Secpol.msc, Process Explorer, Process Monitor
  • Something else: Process Monitor
Process Monitor example
What a service can or cannot do
• You have to become a Service
• When you start referring to services as He or She you’re getting the point
Service accounts and user rights
• He/She can use three built-in accounts
Service accounts have SIDs
• In Windows 8.1 they have a SID as well
• They become Security Principals
Service accounts have SIDs
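Because a service is a security principal with its own SID (NT SERVICE\name, always under S-1-5-80), you meet that SID in ACLs and in Security-log events, sometimes unresolved when the service no longer exists or the ACL came from another machine. The Python below is an added example (not from the deck) that derives the SID the same way Windows and `sc showsid` do, from the SHA-1 of the upper-cased UTF-16LE service name, so you can recognise or grant it without a Windows box at hand.

```python
# Added example (not from the deck): derive the SID Windows gives a service
# account (NT SERVICE\<name>) so you can recognise it in ACLs and Security-log
# events. Algorithm used by Windows and by `sc showsid`: S-1-5-80- followed by
# the five little-endian 32-bit words of SHA-1(UPPERCASE name as UTF-16LE).
import hashlib
import re
import struct

SERVICE_SID_PREFIX = "S-1-5-80-"
SID_RE = re.compile(r"^S-1-5-80-(\d+)-(\d+)-(\d+)-(\d+)-(\d+)$", re.IGNORECASE)


def service_sid(service_name):
    """Service SID as a string, e.g. for the service key name 'TrustedInstaller'."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    words = struct.unpack("<5I", digest)  # 20-byte SHA-1 = five DWORDs
    return SERVICE_SID_PREFIX + "-".join(str(w) for w in words)


def is_service_sid(sid):
    """True if the string has the shape of a service SID (S-1-5-80-x-x-x-x-x)."""
    return SID_RE.match(sid.strip()) is not None


def resolve_service_sid(sid, candidate_names):
    """Map an unresolved S-1-5-80-... SID (as shown when the service is gone or the
    ACL came from another machine) back to a service name from a list of candidates."""
    sid = sid.strip().upper()
    for name in candidate_names:
        if service_sid(name) == sid:
            return name
    return None


if __name__ == "__main__":
    # TrustedInstaller is the service SID most admins have already seen on file ACLs.
    print("TrustedInstaller ->", service_sid("TrustedInstaller"))
```

Pointing `resolve_service_sid` at the list of service key names from a reference machine turns an "Account Unknown" entry on a file or registry ACL back into a service name, which is usually the first question when a service fails with ACCESS DENIED in Process Monitor.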
DEMO – SERVICE PRIVILEGES
PROCESSES AND THREADS
Processes and threads
• In Windows a process can't really do anything
• Task Manager only shows processes…
• Threads can actually do something
• Search engines probably know the answer to your question, so the real problem with them is noise
• How to get rid of noise?
  • Make your searches more accurate
  • Make sure you get results from people who have at least a clue on what they're doing
  • Learn to diagnose threads instead of processes
Case – Hung virtual machine
• VM totally stuck…
• Task Manager looks like this
Case – Hung virtual machine
• Task Manager shows that SYSTEM is causing the problem…
Case – Hung virtual machine
• Process Explorer shows threads!
Case – Hung virtual machine
• Removed the virtual floppy because it was pointing to a nonexistent file
DEMO – PROCESSES VS THREADS
SAFEMODE ETC.
How to access boot options in Windows 8.1
• Shift-Restart or
• Same if you want to go to your UEFI!
Why is a PC working in Safemode?
• Safemode is configured in the registry
Semi-SafeMode – MSCONFIG & AUTORUNS
DEMO – USING AND MANIPULATING SAFE MODE
WINDOWS 8.1 BSOD
Changes in BSOD in Windows 8
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl
• None: 0x0
• Complete memory dump: 0x1
• Kernel memory dump: 0x2
• Small memory dump: 0x3
• Automatic memory dump: 0x7
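The registry value behind the table is CrashDumpEnabled (the slide shows the data values but not the value name). The Python below is an added example (not from the deck) that parses the text `reg query HKLM\SYSTEM\CurrentControlSet\Control\CrashControl` prints, translates the value into the dump type from the table, and flags the combination a troubleshooter least wants to discover after the fact: no dump configured on a machine that auto-reboots. The sample output is constructed for the demo.

```python
# Added example (not from the deck): read the CrashControl settings out of the
# text that `reg query HKLM\SYSTEM\CurrentControlSet\Control\CrashControl`
# prints and say, in words, what kind of dump the box will produce. The value
# name CrashDumpEnabled is the real one behind the table on the slide; the
# sample output below is constructed for this demo.
import re

DUMP_TYPES = {
    0x0: "None",
    0x1: "Complete memory dump",
    0x2: "Kernel memory dump",
    0x3: "Small memory dump",
    0x7: "Automatic memory dump",  # the Windows 8 addition
}

# Constructed sample in the layout reg.exe uses (name, type, data, 4-space separated).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
    AutoReboot    REG_DWORD    0x1
    CrashDumpEnabled    REG_DWORD    0x7
    DumpFile    REG_EXPAND_SZ    %SystemRoot%\MEMORY.DMP
    LogEvent    REG_DWORD    0x1
    MinidumpDir    REG_EXPAND_SZ    %SystemRoot%\Minidump
    Overwrite    REG_DWORD    0x1
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Return {value name: data}; REG_DWORD/REG_QWORD data become ints (reg prints them as hex)."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if not match:
            continue  # key path line, blank lines
        data = match.group("data").strip()
        if match.group("type") in ("REG_DWORD", "REG_QWORD"):
            data = int(data, 0)
        values[match.group("name")] = data
    return values


def crash_settings(reg_query_text):
    """Summarise what will happen on the next bugcheck, with warnings a troubleshooter cares about."""
    values = parse_reg_query(reg_query_text)
    dump = values.get("CrashDumpEnabled", 0)
    auto_reboot = bool(values.get("AutoReboot", 0))
    warnings = []
    if dump == 0:
        warnings.append("CrashDumpEnabled is 0: no dump will be written, nothing to analyse afterwards")
    if auto_reboot and dump == 0:
        warnings.append("AutoReboot with no dump: the machine restarts and the only trace is the event log")
    return {
        "dump_type": DUMP_TYPES.get(dump, f"unknown (0x{dump:x})"),
        "dump_value": dump,
        "dump_file": values.get("DumpFile"),
        "auto_reboot": auto_reboot,
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(crash_settings(SAMPLE_REG_QUERY))
```

Run against real output (redirect `reg query` to a file and read it in) this is a quick baseline check across a fleet before you need the dumps, which is the point of the next slide.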
Make sure you are able to crash when needed!
• http://support.microsoft.com/kb/244139
Basics of BSOD analysis
• Install Debugging Tools
• Set the system-wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
  • http://support.microsoft.com/kb/311503
• Use WINDBG: Open Crash Dump, or DaRT's Memory Dump Analyzer
Please evaluate the session before you leave
Enroll to my free newsletter at: http://eepurl.com/F-GOj
T-Shirts? Be quick! Remember business cards!!