Windows Server 2008 R2: notable update contents

As you know, Windows Server 2008 R2 is also serviced through Monthly Rollups, and the following notable fixes have shipped in them.


August 16, 2016 — KB3179573

  • Improved performance on specific networks that have a high-bandwidth and low latency.


September 20, 2016 — KB3185278

  • Improved support for the Disk Cleanup tool to free up space by removing older Windows Updates after they are superseded by newer updates.
  • Addressed issue that causes mmc.exe to consume 100% of the CPU on one processor when trying to close the Exchange 2010 Exchange Management Console (EMC), after installing KB3125574.


May 9, 2017—KB4019264 (Monthly Rollup)

  • Addressed issue to improve the reliability of dual-controller storage systems.


September 12, 2017—KB4038777 (Monthly Rollup)

  • Addressed issue where a DNS server stops working and doesn't respond to DNS requests in Windows Server 2008 R2.


October 10, 2017—KB4041681 (Monthly Rollup)

  • Addressed issue in which Failover Cluster Manager incorrectly reports replication networks as down when they're actually online after installing KB3125574 or KB2937350.

Thank you.



I received the following question.

When the password of an account on Windows Server 2012 R2 expires, RDP connections to it fail. How should this be handled when console access is not available?

When connecting over RDP from Windows Server 2008 R2 to Windows Server 2012, a password-change dialog appeared, I changed the password normally and then connected; but when connecting from Windows Server 2012 to Windows Server 2012 an error occurred.


The answer is as follows.

On Windows Server 2012, when you connect over RDP with an expired password, the password-change dialog is not shown; this is by design.

It happens because Network Level Authentication (NLA) is enabled by default: with NLA the client has to authenticate through CredSSP before a session is set up, and an expired password fails that step before the logon screen that would offer the change is ever reached. If the machine is not domain-joined and you cannot get to the console, you can work around this by disabling NLA. Treat that as a temporary measure, since without NLA the server builds a full session and shows its logon screen to a client that has not authenticated at all; re-enable NLA as soon as the password has been changed.

The first thing to try, so that a logon becomes possible at all, is on the client side: run mstsc, enter the connection details, click Show Options, save the connection settings to a Server.rdp file, and add enablecredsspsupport:i:0 as the last line of that file to disable CredSSP explicitly for this connection. This only works if the server still accepts connections without NLA; if it is set to allow only NLA connections, it rejects the CredSSP-less client and the requirement has to be relaxed on the server side (for example over WMI or PowerShell remoting, using another account that can still log on).
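The two steps above as an added PowerShell example; this is not code from the original post. It assumes the target is named 'Server', that its listener is the default 'RDP-Tcp', and that for the server-side calls you have a second administrator account whose password has not expired. The function names are mine; the WMI class Win32_TSGeneralSetting and its SetUserAuthenticationRequired method are the ones Windows exposes for the NLA checkbox.

```powershell
# Added example (not from the original post). Assumptions: server 'Server',
# listener 'RDP-Tcp', and a second non-expired admin account for remote calls.

function New-NoNlaRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $Path = (Join-Path $env:USERPROFILE 'Desktop\Server.rdp')
    )
    # Same effect as saving the connection in mstsc and appending the line by
    # hand: CredSSP (and with it NLA) is switched off for this connection only.
    @(
        "full address:s:$Server"
        'prompt for credentials:i:1'
        'enablecredsspsupport:i:0'
    ) | Set-Content -Path $Path -Encoding Unicode   # mstsc writes .rdp files as UTF-16
    $Path
}

function Get-TsGeneralSetting([string] $ComputerName) {
    $cim = @{ Namespace = 'root\cimv2\TerminalServices'
              ClassName = 'Win32_TSGeneralSetting'
              Filter    = "TerminalName='RDP-Tcp'" }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }   # remote via WinRM
    Get-CimInstance @cim
}

function Get-RdpNlaRequired([string] $ComputerName) {
    # 1 = "Allow connections only from computers running Remote Desktop with
    # Network Level Authentication" is ticked; a CredSSP-less client is refused.
    [bool](Get-TsGeneralSetting $ComputerName).UserAuthenticationRequired
}

function Set-RdpNlaRequired([string] $ComputerName, [bool] $Required) {
    $ts = Get-TsGeneralSetting $ComputerName
    $r  = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
              -Arguments @{ UserAuthenticationRequired = [uint32]$Required }
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired returned $($r.ReturnValue)" }
}

# 1. Client-side workaround first.
$rdp = New-NoNlaRdpFile -Server 'Server'
Start-Process mstsc.exe -ArgumentList "`"$rdp`""

# 2. Only if the server answers that it requires NLA: relax it from the other
#    admin account, let the user change the password at the logon screen, then
#    put the requirement back. While it is off, the server builds a full
#    session for an unauthenticated client before it sees any credentials.
# Set-RdpNlaRequired -ComputerName 'Server' -Required $false
# ... change the password over RDP ...
# Set-RdpNlaRequired -ComputerName 'Server' -Required $true
# Get-RdpNlaRequired -ComputerName 'Server'   # expect True again
```

Get-RdpNlaRequired is the check to run afterwards: if it still returns False the server is accepting pre-authentication sessions from anyone who can reach TCP 3389.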


Thank you.



Today I want to cover the CPU issue that has been the hot topic recently.


What I write here is not Microsoft's official position, so use it as a reference only and read the relevant material in the Microsoft documentation yourself.


The issue got more attention because of Intel CPUs, but it actually affects almost all CPUs.

In this post I will not talk about other CPUs or other operating systems, only about Windows.


My summary is as follows.

  • The Windows patches released on January 3 address Variant 1 and Variant 3 (Spectre and Meltdown).
  • The part of the January 3 patches that addresses Variant 2 (branch target injection) also needs updated Intel microcode and OEM firmware, but at the moment Intel and the hardware vendors have withdrawn those updates.
  • Because the January 3 patches conflicted with some antivirus products, they are offered through automatic update only once the antivirus has been updated and has set the QualityCompat registry key. A manual install works regardless of whether the key is set.
  • On Windows Server, installing the patch alone does not enable the mitigations; the FeatureSettingsOverride and FeatureSettingsOverrideMask registry values must be set (client SKUs enable them by default).
  • After problems surfaced with the Variant 2 mitigation, Microsoft released KB4078130. It is not a patch that changes any files; it changes the FeatureSettingsOverride and FeatureSettingsOverrideMask registry values to disable the Variant 2 mitigation.
  • For Variant 2 there is also a new approach proposed by Google (retpoline) that claims better performance than Intel's approach, but Microsoft has not officially said whether Windows will use it.
  • For Spectre, neither Intel's nor Google's approach is a complete defence; the CPU architecture itself needs to change.
  • The performance impact depends on the server's workload and can differ by OS version, so test it yourself.
  • SQL Server got a patch because untrusted code (CLR, R, Python and so on) can run inside it.
  • IE also got a patch because it executes untrusted code.
  • For Hyper-V, the MinVmVersionForCpuBasedMitigations registry value must be set on the host for the mitigations to apply to VMs, and the VMs must be cold-booted.
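The registry values named in the summary above, read and set from PowerShell, as an added example that is not code from the original post or from Microsoft. The key paths, value names and bit meanings are the ones in Microsoft's Spectre/Meltdown guidance for Windows Server; the function names are mine, and a reboot is needed before any change takes effect.

```powershell
# Added example (not from the original post or Microsoft). Paths/values are
# those from Microsoft's Windows Server guidance; function names are mine.

$MemMgmt    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$QualCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$HyperV     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$AvCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # DWORD 0 set by the AV product

function Get-RegValue([string] $Path, [string] $Name) {
    # $null when the key or value is absent, instead of an exception.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-SpeculationRegistryState {
    $override = Get-RegValue $MemMgmt 'FeatureSettingsOverride'
    $mask     = Get-RegValue $MemMgmt 'FeatureSettingsOverrideMask'
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        # Windows Server only applies the mitigations when explicitly enabled:
        # Override = 0 with both bits (Variant 2 = bit 0, Variant 3 = bit 1)
        # covered by the Mask. Absent values therefore mean "not enabled".
        ServerMitigationsEnabled    = ($override -eq 0) -and (($mask -band 3) -eq 3)
        # KB4078130 leaves Override = 1 / Mask = 1, i.e. Variant 2 off.
        Variant2ExplicitlyDisabled  = (($override -band 1) -eq 1) -and (($mask -band 1) -eq 1)
        AntivirusCompatKeySet       = (Get-RegValue $QualCompat $AvCompatValue) -eq 0
        HyperVMinVmVersion          = Get-RegValue $HyperV 'MinVmVersionForCpuBasedMitigations'
    }
}

function Set-RegDword([string] $Path, [string] $Name, [int] $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Enable-SpeculationMitigations {
    # The Windows Server "turn both mitigations on" setting.
    Set-RegDword $MemMgmt 'FeatureSettingsOverride' 0
    Set-RegDword $MemMgmt 'FeatureSettingsOverrideMask' 3
}

function Disable-Variant2Mitigation {
    # Same values KB4078130 writes: Variant 2 off, Variant 3 untouched.
    Set-RegDword $MemMgmt 'FeatureSettingsOverride' 1
    Set-RegDword $MemMgmt 'FeatureSettingsOverrideMask' 1
}

function Enable-HyperVGuestMitigations {
    # Host-side switch; guests only pick it up after a cold boot
    # (Stop-VM then Start-VM), not after a restart inside the guest.
    if (-not (Test-Path $HyperV)) { New-Item -Path $HyperV -Force | Out-Null }
    New-ItemProperty -Path $HyperV -Name 'MinVmVersionForCpuBasedMitigations' `
        -PropertyType String -Value '1.0' -Force | Out-Null
}

Get-SpeculationRegistryState
```

The registry only records what was requested. Whether the kernel actually applied a mitigation also depends on the installed update and on the microcode the CPU reports, so confirm the effective state with Microsoft's SpeculationControl module (Get-SpeculationControlSettings) after the reboot.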

Thank you.







Let's look at !Mex.p, the Mex extension command that displays process information.


First, I tried /help to see how !Mex.p is used.


0: kd> !mex.p /help
Failed converting value '/help' to System.UInt64 for argument "Process Address" (internal name = processAddress)
!p - Displays process details

Usage:
    !p [-t] [-z] [-p <PID>] [<Process Address>] 
        -t|-threads        : Show Threads
        -z                 : Show Terminated (zombie) threads
        -p|-pid <PID>      : Finds a process via its Process ID (PID)
        Process Address    : Address of _EPROCESS Object

    !p 
        !p with no params assumes current implicit process (set with .process)

    !p [-?|-h] 
        -?|-h|-help    : Display this help text

Note: In usermode, you may not specify a PID of process Address, only the current process can be displayed
Keywords: process, pid
Current Owner: mexfeedback



Mex takes a PID or a Process Address as its parameter and prints the process details. To look at Explorer, first use the command below to find Explorer's process address.



0: kd> !process 0 0 explorer.exe
PROCESS ffffe00100fda900
    SessionId: 1  Cid: 0c8c    Peb: 7ff66a125000  ParentCid: 0db8
    DirBase: 119a35000  ObjectTable: ffffc001ce3e1c80  HandleCount: <Data Not Accessible>
    Image: explorer.exe



Explorer's address is ffffe00100fda900, so now run !Mex.p with that as the Process Address parameter.



0: kd> !mex.p ffffe00100fda900
Name         Address                  Ses PID          Parent       PEB              Create Time                Mods Handle Thrd User Name
============ ======================== === ============ ============ ================ ========================== ==== ====== ==== ================
explorer.exe ffffe00100fda900 (E|K|O)   1 c8c (0n3212) db8 (0n3512) 00007ff66a125000 07-10-2017 08:39:08.606 오전  184      0   47 MyPC\admin

Command Line: C:\Windows\Explorer.EXE

Memory Details:

    VM   Peak Work Set  Commit Size PP Quota NPP Quota
    ==== ==== ========= =========== ======== =========
    2 TB 2 TB 145.94 MB    58.53 MB  1.34 MB   91.5 KB

Explorer's main thread
Show LPC Port information for process
Show Threads: Unique Stacks    !mex.listthreads (!lt) ffffe00100fda900    !process ffffe00100fda900 7



The output shows the name, address, session, PID, parent process, PEB, creation time, number of modules, number of handles, number of threads and the user name.

Memory information for the process is printed as well. VM shows 2 TB because of a security feature added to the Windows operating system (Control Flow Guard reserves a very large virtual address range for its bitmap, and that reservation counts toward the process's virtual size).

Several links are printed too; rather than typing individual commands to look at the process details, you can simply click a link and get the result.



0: kd> !mex.lt ffffe00100fda900
Process      PID Thread             Id State        Time Reason
============ === ================ ==== ======= ========= =============
explorer.exe c8c ffffe00101344080  fe8 Waiting   42s.937 WrUserRequest
explorer.exe c8c ffffe001014d6080  cc4 Waiting    1s.640 WrUserRequest
explorer.exe c8c ffffe00100666080  fac Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe00101522080  a54 Waiting 1m:08.265 UserRequest
explorer.exe c8c ffffe00101534700  198 Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe00101536800  3d8 Waiting 6m:03.656 UserRequest
explorer.exe c8c ffffe00101545080  418 Waiting     765ms UserRequest
explorer.exe c8c ffffe00101542800  410 Waiting     765ms UserRequest
explorer.exe c8c ffffe0010154a080  40c Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe0010155b080  31c Waiting 3m:58.531 UserRequest
explorer.exe c8c ffffe001014f9880  d94 Waiting 1m:20.468 WrQueue
explorer.exe c8c ffffe00101516080  ddc Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe0010151c080  d40 Waiting   42s.937 UserRequest
explorer.exe c8c ffffe00101564080  d34 Waiting 1m:17.968 UserRequest
explorer.exe c8c ffffe0010155c080 1004 Waiting 3m:21.046 WrUserRequest
explorer.exe c8c ffffe0010155e080 1018 Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe00101568080 1020 Waiting 1m:17.968 UserRequest
explorer.exe c8c ffffe00101573080 1034 Waiting 1m:17.968 UserRequest
explorer.exe c8c ffffe00101574080 1038 Waiting 1m:17.968 UserRequest
explorer.exe c8c ffffe00101575080 103c Waiting   42s.937 UserRequest
explorer.exe c8c ffffe00101578080 1040 Waiting 1m:17.984 UserRequest
explorer.exe c8c ffffe0010157a080 1044 Waiting 6m:30.718 WrUserRequest
explorer.exe c8c ffffe0010157c080 1050 Waiting 2m:04.281 UserRequest
explorer.exe c8c ffffe0010157d080 1054 Waiting 1m:58.546 WrUserRequest
explorer.exe c8c ffffe00101586080 1060 Waiting 1m:17.984 WrUserRequest
explorer.exe c8c ffffe00101598500 1068 Waiting   12s.843 UserRequest
explorer.exe c8c ffffe001015ae080 1080 Waiting 3m:58.593 UserRequest
explorer.exe c8c ffffe001015b5080 1088 Waiting 1m:17.968 WrUserRequest
explorer.exe c8c ffffe000ffb25080 11d0 Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe0010014b080 11e4 Waiting 6m:30.718 WrQueue
explorer.exe c8c ffffe001020b8080  f94 Waiting   42s.937 WrUserRequest
explorer.exe c8c ffffe000ff760080  360 Waiting 3m:21.187 UserRequest
explorer.exe c8c ffffe00107423880 1578 Waiting 1m:17.968 UserRequest
explorer.exe c8c ffffe00107cba380  c48 Waiting 1m:17.968 UserRequest
explorer.exe c8c ffffe00109594080 1744 Waiting     765ms UserRequest
explorer.exe c8c ffffe00109cd6880  ba4 Waiting   53s.171 UserRequest
explorer.exe c8c ffffe0010af95880 12e8 Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe0010aad1080 1714 Waiting 1m:17.984 UserRequest
explorer.exe c8c ffffe0010b1e1880 1640 Waiting   18s.265 WrQueue
explorer.exe c8c ffffe000ffe232c0  ca8 Waiting   42s.937 UserRequest
explorer.exe c8c ffffe0010b114880 148c Waiting   18s.265 WrQueue
explorer.exe c8c ffffe000ffe98880  d10 Waiting   42s.937 WrQueue
explorer.exe c8c ffffe001025f0080  b08 Waiting     765ms WrQueue
explorer.exe c8c ffffe001019d1240  3dc Waiting   13s.796 WrQueue
explorer.exe c8c ffffe00101932880  a5c Waiting   42s.937 WrQueue
explorer.exe c8c ffffe0010b1e8880  6b4 Waiting   18s.843 WrQueue
explorer.exe c8c ffffe0010abba780  f68 Waiting   42s.937 WrQueue

Thread Count: 47



The output above is from Mex's list-threads command. For each thread it shows the thread address, the TID, the thread state, how long ago the thread entered the wait state, and the reason it is waiting.
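When a process has dozens of threads, the useful first pass over a listing like this is to group by wait reason and sort by how long each thread has been waiting, which is the triage step a hang investigation starts with. The PowerShell below does that over a few lines taken from the !mex.lt output above; it is an added example, not part of the original post, and the parser is mine, written against the column layout shown there (Mex prints the Time column as 765ms, 42s.937 or 6m:30.718 depending on magnitude).

```powershell
# Added example (not from the original post). Parses !mex.lt output and
# summarises it; the sample lines are copied from the listing above.

$sample = @'
explorer.exe c8c ffffe00101344080  fe8 Waiting   42s.937 WrUserRequest
explorer.exe c8c ffffe00100666080  fac Waiting 6m:30.718 UserRequest
explorer.exe c8c ffffe00101545080  418 Waiting     765ms UserRequest
explorer.exe c8c ffffe001014f9880  d94 Waiting 1m:20.468 WrQueue
explorer.exe c8c ffffe0010155c080 1004 Waiting 3m:21.046 WrUserRequest
'@

function ConvertTo-Seconds([string] $t) {
    # Three formats seen in the listing: <n>ms, <s>s.<ms>, <m>m:<s>.<ms>
    switch -Regex ($t) {
        '^(\d+)ms$'             { return [double]$Matches[1] / 1000 }
        '^(\d+)s\.(\d+)$'       { return [double]"$($Matches[1]).$($Matches[2])" }
        '^(\d+)m:(\d+)\.(\d+)$' { return 60 * [int]$Matches[1] + [double]"$($Matches[2]).$($Matches[3])" }
        default                 { throw "unrecognised time '$t'" }
    }
}

function ConvertFrom-MexThreadList([string] $Text) {
    # Process PID Thread Id State Time Reason, whitespace separated.
    $re = '^(?<proc>\S+)\s+(?<pid>[0-9a-f]+)\s+(?<thread>[0-9a-f]{16})\s+(?<tid>[0-9a-f]+)\s+(?<state>\S+)\s+(?<time>\S+)\s+(?<reason>\S+)\s*$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $re) {
            [pscustomobject]@{
                Thread      = $Matches.thread
                Tid         = $Matches.tid
                State       = $Matches.state
                WaitSeconds = ConvertTo-Seconds $Matches.time
                Reason      = $Matches.reason
            }
        }
    }
}

$threads = ConvertFrom-MexThreadList $sample

# Count and longest wait per reason. Many short UserRequest waits are the
# normal idle picture; a single message-loop thread waiting for minutes is not.
$threads | Group-Object Reason | ForEach-Object {
    [pscustomobject]@{
        Reason         = $_.Name
        Count          = $_.Count
        MaxWaitSeconds = ($_.Group | Measure-Object WaitSeconds -Maximum).Maximum
    }
} | Sort-Object MaxWaitSeconds -Descending | Format-Table -AutoSize

# The longest waiters are the first candidates for !mex.t <thread address>.
$threads | Sort-Object WaitSeconds -Descending |
    Select-Object -First 3 Thread, Tid, Reason, WaitSeconds
```

To use it on a real dump, replace $sample with the text copied from the debugger window (or from a .logopen file) and pass the whole listing; lines that do not match the row pattern, such as the header and the "Thread Count" line, are skipped.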



0: kd> !mex.fems -s Explorer!.*WinMain !mex.t
Process                         Thread                       CID       TEB              UserTime KernelTime ContextSwitches Wait Reason      Time State   COM-Initialized
explorer.exe (ffffe00100fda900) ffffe00101344080 (E|K|W|R|V) c8c.fe8   00007ff66a12e000   5s.641    11s.984          939044 WrUserRequest 42s.937 Waiting APTKIND_APARTMENTTHREADED (STA)

WaitBlockList:
    Object           Type                 Other Waiters
    ffffe001005352f0 SynchronizationEvent             0

Priority:
    Current Base Decrement ForegroundBoost IO Page
    10      8    0         0               0  5

# Child-SP         Return           Call Site
0 ffffd000215846b0 fffff801feaa5f1e nt!KiSwapContext+0x76
1 ffffd000215847f0 fffff801feaa5999 nt!KiSwapThread+0x14e
2 ffffd00021584890 fffff801feaa4f60 nt!KiCommitThreadWait+0x129
3 ffffd00021584910 fffff96000180288 nt!KeWaitForMultipleObjects+0x3a0
4 ffffd000215849c0 fffff9600017b361 win32k!xxxRealSleepThread+0x278
5 ffffd00021584a80 fffff96000259bcf win32k!xxxSleepThread+0xc1
6 ffffd00021584ad0 fffff801feb6bab3 win32k!NtUserWaitMessage+0x20
7 ffffd00021584b00 00007ffd8399104a nt!KiSystemServiceCopyEnd+0x13
8 00000000008ff358 00007ffd821a1527 USER32!NtUserWaitMessage+0xa
9 00000000008ff360 00007ffd82356b7d SHELL32!CDesktopBrowser::_MessageLoop+0x112
a 00000000008ff3f0 00007ff66ac08498 SHELL32!SHDesktopMessageLoop+0x3d
b 00000000008ff420 00007ff66abe8c21 Explorer!wWinMain+0x5f4
c 00000000008ff710 00007ffd81fa13d2 Explorer!CApplicationUsageTracker::OnPowerBroadcastMessage+0x334
d 00000000008ff7e0 00007ffd846854e4 KERNEL32!BaseThreadInitThunk+0x22
e 00000000008ff810 0000000000000000 ntdll!RtlUserThreadStart+0x34


This is the result of clicking the link for Explorer's main thread. A GUI process has an entry function called WinMain; Mex walks each thread's stack, finds the thread whose stack contains WinMain and prints its details (the -s filter is a regular expression matched against symbol names, so Explorer's symbols have to resolve for it to find anything). When a GUI process goes into the "Not Responding" state it is because this thread has stopped processing messages, so looking at what the WinMain thread is doing is how you find the cause.



0: kd> !kdexts.alpc /lpp ffffe00100fda900

Ports created by the process ffffe00100fda900:

ffffe001014fab00('OLE68D95701484F75BAC07FBACD02B9') 0, 5 connections
ffffe00101505e40 0 ->ffffe001014f2bb0 0 ffffe000ffda2080('svchost.exe')
ffffe001015474a0 0 ->ffffe00101547910 0 ffffe000ffd736c0('svchost.exe')
ffffe001015ac7f0 0 ->ffffe001015aca20 0 ffffe000fffe3900('svchost.exe')
ffffe001091b5e40 0 ->ffffe00101fdba80 0 ffffe001091e3300('dllhost.exe')
ffffe001012e3780 0 ->ffffe0010a9b0e40 0 ffffe00101fca900('rdpclip.exe')

Ports the process ffffe00100fda900 is connected to:

ffffe000fffaa330 0 -> ffffe000fe6fdda0('ApiPort') 0 ffffe000ffcde080('csrss.exe')
ffffe000ffd4edb0 0 -> ffffe000fffe8900('ThemeApiPort') 0 ffffe000fe6a5900('svchost.exe')
ffffe000ffb494c0 0 -> ffffe000ffdbc1e0('LSMApi') 20 ffffe000ffd736c0('svchost.exe')
ffffe001014c7570 0 -> ffffe000ffd608a0('lsasspirpc') 0 ffffe000ffd4c900('lsass.exe')
ffffe001015059e0 0 -> ffffe000ffd9a8c0('epmapper') 0 ffffe000ffda2080('svchost.exe')
ffffe00101508e40 0 -> ffffe000fffcee40('DwmApiPort') 0 ffffe000ffdd8840('dwm.exe')
ffffe00101537070 0 -> ffffe000ffd78c10('ntsvcs') 38 ffffe000ffcae900('services.exe')
ffffe00101549c70 0 -> ffffe000fef70070('PdcPort') 0 ffffe000fe69d040('System')
ffffe001015415b0 0 -> ffffe000ffd9c090('actkernel') 0 ffffe000ffd736c0('svchost.exe')
ffffe00101555e40 0 -> ffffe000fef70070('PdcPort') 0 ffffe000fe69d040('System')
ffffe00101527d70 0 -> ffffe001001b7e40('FontCachePort') 0 ffffe000fffe3900('svchost.exe')
ffffe001013d7cd0 0 -> ffffe000ffda89e0('umpo') 0 ffffe000ffd736c0('svchost.exe')
ffffe000ffdafe40 0 -> ffffe000fef70070('PdcPort') 0 ffffe000fe69d040('System')
ffffe000ffd80660 0 -> ffffe001014e5c80('webcache_{7329ea82-0845-4e4c-bd18-02b67ac065cc}_S-1-5-21-2726512140-888677503-3125549036-1001') 0 ffffe001014d4900('dllhost.exe')
ffffe000ffd1be40 0 -> ffffe000ffb22090('OLE9F792F2B42A5C2F467737E8AEF83') 0 ffffe001014d4900('dllhost.exe')
ffffe000ffcb7a30 0 -> ffffe000fffcee40('DwmApiPort') 0 ffffe000ffdd8840('dwm.exe')
ffffe001014fb840 0 -> ffffe000fffe5e40('OLE613E2E13198237E01302C92BBC53') 0 ffffe000fffe3900('svchost.exe')
ffffe001014c9cf0 0 -> ffffe000fffc7e40('eventlog') 30 ffffe000fe6a7900('svchost.exe')
ffffe00101526a30 0 -> ffffe000fef70070('PdcPort') 0 ffffe000fe69d040('System')
ffffe001015cc380 0 -> ffffe001015eca50('msctf.serverDefault1') 0 ffffe000fe73e080('taskhostex.exe')
ffffe001016193d0 0 -> ffffe001015eca50('msctf.serverDefault1') 0 ffffe000fe73e080('taskhostex.exe')
ffffe0010161ca50 0 -> ffffe001015eca50('msctf.serverDefault1') 0 ffffe000fe73e080('taskhostex.exe')
ffffe0010161a770 0 -> ffffe001015eca50('msctf.serverDefault1') 0 ffffe000fe73e080('taskhostex.exe')
ffffe0010165a070 0 -> ffffe001015eca50('msctf.serverDefault1') 0 ffffe000fe73e080('taskhostex.exe')
ffffe00101608e40 0 -> ffffe000fe9a82c0('SessEnvPrivateRpc') 0 ffffe000fe6a5900('svchost.exe')
ffffe001096c76b0 0 -> ffffe001015eca50('msctf.serverDefault1') 0 ffffe000fe73e080('taskhostex.exe')
ffffe001096658d0 0 -> ffffe001090c32b0('OLE2B514DB3A33CF461692869C92314') 0 ffffe001091e3300('dllhost.exe')
ffffe0010afd4700 0 -> ffffe00100b4c1a0('TermSrvApi') 0 ffffe000fe9c3640('svchost.exe')
ffffe0010ac22e40 0 -> ffffe001015eca50('msctf.serverDefault1') 0 ffffe000fe73e080('taskhostex.exe')
ffffe001093a46b0 0 -> ffffe000ffd944b0('OLE6FAB873CEB8A01A900BB6C89EA7E') 0 ffffe00101fca900('rdpclip.exe')
ffffe00100f51660 0 -> ffffe00100e50090('OLE5BB8085653D110B414538A51314E') 0 ffffe001019f3900('TSTheme.exe')



This is the result of clicking the link that lists the process's LPC information. LPC is Local Procedure Call, in short the mechanism processes on the same machine use to talk to each other (on current Windows it is ALPC, hence the !alpc command in kdexts). You can see which processes are connected to the ports Explorer created, and which ports in other processes Explorer itself has connected to, such as csrss.exe, lsass.exe and services.exe here.



0: kd> !us -p ffffad8ad052a080
1 thread [stats]: ffffad8ad0528080
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b6d78 nt!KeWaitForSingleObject+0x2b8
    fffffbb43e64d6f8 win32kfull!xxxRealSleepThread+0x2d8
    fffffbb43e64d377 win32kfull!xxxSleepThread2+0x97
    fffffbb43e6e4242 win32kfull!NtUserWaitMessage+0x42
    fffff801f79fb413 nt!KiSystemServiceCopyEnd+0x13
    00007ffc14211204 0x7ffc14211204

1 thread [stats]: ffffad8ad22ac080
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b56b7 nt!KeWaitForMultipleObjects+0x217
    fffffbb43e64d6f8 win32kfull!xxxRealSleepThread+0x2d8
    fffffbb43e64d377 win32kfull!xxxSleepThread2+0x97
    fffffbb43e6509c9 win32kfull!xxxRealInternalGetMessage+0x919
    fffffbb43e64df5c win32kfull!NtUserGetMessage+0x8c
    fffff801f79fb413 nt!KiSystemServiceCopyEnd+0x13
    00007ffc14211144 0x7ffc14211144

4 threads [stats]: ffffad8ad0677080 ffffad8ad0a8d080 ffffad8ad0a8e080 ffffad8ad0a95700
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b6d78 nt!KeWaitForSingleObject+0x2b8
    fffff801f7d0cdb8 nt!NtWaitForSingleObject+0xf8
    fffff801f79fb413 nt!KiSystemServiceCopyEnd+0x13
    00007ffc177b5424 0x7ffc177b5424

5 threads [stats]: ffffad8ad0688080 ffffad8acdfe3080 ffffad8ad09f3080 ffffad8ad1b0a700 ffffad8ad061f080
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b6d78 nt!KeWaitForSingleObject+0x2b8
    fffff801f7d0c7d1 nt!ObWaitForMultipleObjects+0x2c1
    fffff801f7d0c4d9 nt!NtWaitForMultipleObjects+0xf9
    fffff801f79fb413 nt!KiSystemServiceCopyEnd+0x13
    00007ffc177b5ef4 0x7ffc177b5ef4

7 threads [stats]: ffffad8ad1de1080 ffffad8ad0aa6080 ffffad8ad05dd080 ffffad8acdfcd080 ffffad8acce87080 ffffad8ad08a3080 ffffad8acd0b8700
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b6d78 nt!KeWaitForSingleObject+0x2b8
    fffffbb43e64d6f8 win32kfull!xxxRealSleepThread+0x2d8
    fffffbb43e64d377 win32kfull!xxxSleepThread2+0x97
    fffffbb43e6509c9 win32kfull!xxxRealInternalGetMessage+0x919
    fffffbb43e64df5c win32kfull!NtUserGetMessage+0x8c
    fffff801f79fb413 nt!KiSystemServiceCopyEnd+0x13
    00007ffc14211144 0x7ffc14211144

10 threads [stats]: ffffad8acccfa700 ffffad8ad06fc080 ffffad8ac8ed1700 ffffad8ad15f0080 ffffad8ad0365080 ffffad8ad085c700 ffffad8ad0a63080 ffffad8ad0354080 ffffad8ace0ee080 ffffad8ad2736080
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b6d78 nt!KeWaitForSingleObject+0x2b8
    fffff801f789f104 nt!KiSchedulerApc+0x304
    fffff801f78b94fe nt!KiDeliverApc+0x23e
    fffff801f79f39a3 nt!KiApcInterrupt+0xc3
    fffff801f7cc0405 nt!PspUserThreadStartup+0x35
    fffff801f79f5a86 nt!KiStartUserThread+0x16
    fffff801f79f5a00 nt!KiStartUserThreadReturn
    00007ffc17780d30 0x7ffc17780d30

22 threads [stats]: ffffad8ad4141080 ffffad8ad412d040 ffffad8acba56080 ffffad8ad06a5080 ffffad8ad249b080 ffffad8ad09f6700 ffffad8ad1b8c700 ffffad8ace697080 ffffad8acba54080 ffffad8ad40a1080 ...
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b62e8 nt!KeRemoveQueueEx+0x238
    fffff801f78b5dfd nt!IoRemoveIoCompletion+0x8d
    fffff801f78b4beb nt!NtWaitForWorkViaWorkerFactory+0x30b
    fffff801f79fb413 nt!KiSystemServiceCopyEnd+0x13
    00007ffc177b8c34 0x7ffc177b8c34

30 threads [stats]: ffffad8ad06a1080 ffffad8ad08bc280 ffffad8ad09f4080 ffffad8ad06a6080 ffffad8acd02c080 ffffad8acba60080 ffffad8ad02b1080 ffffad8acba68080 ffffad8ad11c5700 ffffad8ad06643c0 ...
    fffff801f79f52f6 nt!KiSwapContext+0x76
    fffff801f78b7a9a nt!KiSwapThread+0x16a
    fffff801f78b7461 nt!KiCommitThreadWait+0x101
    fffff801f78b56b7 nt!KeWaitForMultipleObjects+0x217
    fffff801f7d0c7d1 nt!ObWaitForMultipleObjects+0x2c1
    fffff801f7d0c4d9 nt!NtWaitForMultipleObjects+0xf9
    fffff801f79fb413 nt!KiSystemServiceCopyEnd+0x13
    00007ffc177b5ef4 0x7ffc177b5ef4

8 stack(s) with 80 threads displayed (100 Total threads)
20 stack(s) were not displayed because we could not switch to thread context, or stack trace was empty


!us is an interesting Mex command. Anyone who has done some debugging will have seen the same call stack repeated until it fills the whole screen: when threads are waiting in the kernel, the stack through ObWaitForMultipleObjects shows up over and over. !us is very useful in that situation. (The listing above was captured from a different dump than the Explorer one earlier, which is why the addresses and the win32kfull module differ.)

!us prints each recurring call stack only once, followed by the addresses of the threads that share it, so you can see at a glance which threads are on the same stack.


The output of !Mex.p gives access to a great deal of information; I will cover the individual case studies later.


Every WinDbg extension has a .help command that shows which commands the extension provides and how to use them.


Mex has a .help command too, which lists the commands it offers.

0: kd> !mex.help
Mex External 3.0.0.7172 Loaded!
Mex currently has 255 extensions available.  Please specify a keyword to search.
Or browse by category:

All PowerShell[6] SystemCenter[3] Networking[12] Process[5] Mex[2] Kernel[27] DotNet[32] Decompile[15] Utility[40] Thread[27] Binaries[6] General[22] 

Because there are so many commands, clicking Process lists in detail only the commands in the Process category, as below.

0: kd> !mex.help -cat 'Process'
Command                 Description                              Category
======================= ======================================== ========
conhost          (!con) Displays console host (conhost.exe) info Process
ldap                    Displays LDAP client or server details   Process
mappeddrives (!mdrives) Displays mapped drives                   Process
mheap                   A DML'd version of !heap.                Process
p                       Displays process details                 Process

Going one level further, the !mex.p command that shows detailed process information is described as follows.


0: kd> !mex.p -?
!p - Displays process details

Usage:
    !p [-t] [-z] [-p <PID>] [<Process Address>] 
        -t|-threads        : Show Threads
        -z                 : Show Terminated (zombie) threads
        -p|-pid <PID>      : Finds a process via its Process ID (PID)
        Process Address    : Address of _EPROCESS Object

    !p 
        !p with no params assumes current implicit process (set with .process)

    !p [-?|-h] 
        -?|-h|-help    : Display this help text

Note: In usermode, you may not specify a PID of process Address, only the current process can be displayed
Keywords: process, pid
Current Owner: mexfeedback



 

It seems NetApp's SnapManager also has cases where a Windows user dump needs to be collected.
  How to generate a user memory dump on Windows
  https://kb.netapp.com/support/index?page=content&id=1011501&actp=RSS


A deep-dive video on OMS, one of the Azure services I am interested in.
  Deeper dive into Microsoft Operations Management Suite Part 1
  http://www.virtuallycloud9.com/index.php/2016/05/deeper-dive-into-microsoft-operations-management-suite-part-1/
  Deeper dive into Microsoft Operations Management Suite Part 2
  http://www.virtuallycloud9.com/index.php/2016/05/deeper-dive-into-microsoft-operations-management-suite-part-2/

 

An article on OMS Backup.
  A tour of Operations Management Suite: Backup
  https://blogs.technet.microsoft.com/systemcenter/2016/05/04/a-tour-of-operations-management-suite-backup/

 

Azure VM backup can fail when the VM agent cannot communicate.
  Azure VM Backup fails: Could not communicate with the VM agent for snapshot status - Snapshot VM sub task timed out
  https://azure.microsoft.com/en-us/documentation/articles/backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout/

 

A new user guide for NIC and Switch Embedded Teaming in the Windows Server 2016 Technical Preview has been released.
  New Windows Server 2016 Technical Preview NIC and Switch Embedded Teaming User Guide for Download
  https://blogs.technet.microsoft.com/wsnetdoc/2016/05/03/new-windows-server-2016-technical-preview-nic-and-switch-embedded-teaming-user-guide-for-download/

 

Windows Server 2016 adds another Hyper-V-related feature to clustering: after a host is rebooted, VMs are distributed evenly across the hosts again.
  Failover Cluster Node Fairness in Windows Server 2016
  https://blogs.msdn.microsoft.com/clustering/2016/04/29/failover-cluster-node-fairness-in-windows-server-2016/

 

Tips for speeding up failover in a failover cluster.
  Speeding Up Failover Tips-n-Tricks
  https://blogs.msdn.microsoft.com/clustering/2016/04/29/speeding-up-failover-tips-n-tricks/

 

Following IIS, Node.js can now be used on Nano Server too.
  Node.js on Nano Server
  https://blogs.technet.microsoft.com/nanoserver/2016/05/04/node-js-on-nano-server/

 

S2D can be tested on Azure VMs without any physical hardware.
  Storage Spaces Direct in Azure (TP5)
  https://blogs.technet.microsoft.com/filecab/2016/05/05/s2dazuretp5/

 

How to resolve updates taking a long time to install on Windows Server 2008 R2.
  Updates taking a long time to install in Windows Server 2008 R2
  https://blogs.technet.microsoft.com/askcore/2016/05/06/updates-taking-a-long-time-to-install-in-windows-server-2008-r2/

 

An article on managing tenant virtual networks in Hyper-V Network Virtualization.
  Manage Tenant Virtual Networks
  https://technet.microsoft.com/en-us/library/mt703757%28v=ws.12%29.aspx?f=255&MSPPError=-2147217396

 

A guide to configuring the RAS Gateway in SDN.
  RAS Gateway Deployment Architecture
  https://technet.microsoft.com/en-us/library/mt693394(v=ws.12).aspx
  Add a Virtual Gateway to a Tenant Virtual Network
  https://technet.microsoft.com/en-us/library/mt703763(v=ws.12).aspx
  What's New in RAS Gateway
  https://technet.microsoft.com/en-us/library/mt693393(v=ws.12).aspx


Here is the hotfix list for April 26.

 

 

 

LSASS fails and returns a "0xc0000005" error when you run "Full Import" on AAD Connect against a Windows Server 2012 R2 DC
https://support.microsoft.com/en-us/kb/3145339

 

Connection to Oracle database fails when you use Microsoft ODBC or OLE DB Driver for Oracle or Microsoft DTC in Windows
https://support.microsoft.com/en-us/kb/3147071?sd=rss&spid=16796

 

Windows Azure VMs don't recover from a network outage and data corruption issues occur
https://support.microsoft.com/en-us/kb/3137061

 

BitLocker can't encrypt drives because of service crashes in svchost.exe process in Windows 7 or Windows Server 2008 R2
https://support.microsoft.com/en-us/kb/3133977

 

"0x00000024" Stop error in FsRtlNotifyFilterReportChange and copy file may fail in Windows
https://support.microsoft.com/en-us/kb/3121255

 

Reliability and scalability improvements in TCP/IP for Windows 8.1 and Windows Server 2012 R2
https://support.microsoft.com/en-us/kb/3149157

 

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update: April 2014
https://support.microsoft.com/en-us/kb/2919355

 

WMI service crashes randomly in Windows Server 2012 R2 or Windows Server 2012
https://support.microsoft.com/en-us/kb/3146604

 

WMI query doesn't work in Windows Server 2012 R2 or Windows Server 2012
https://support.microsoft.com/en-us/kb/3103616

 

iSCSI target service crashes randomly in Windows Server 2012 R2
https://support.microsoft.com/en-us/kb/3146621

 

LSASS deadlocks cause Windows Server 2012 R2 or Windows Server 2012 not to respond
https://support.microsoft.com/en-us/kb/3125424

 

Various network and computer issues occur when TCP ephemeral ports are exhausted in Windows 8 or Windows Server 2012
https://support.microsoft.com/en-us/kb/3014399

 

"Directory service is busy" error when you rename a domain-joined computer on a Windows Server 2012 R2 DC
https://support.microsoft.com/en-us/kb/3152220

 

High network usage after you implement file screening on a Windows Server 2012 R2-based Work Folders sync server
https://support.microsoft.com/en-us/kb/3148217

 

Wbengine.exe crashes when you run a backup on a GPT formatted drive in Windows Server 2012
https://support.microsoft.com/en-us/kb/3146600

 

RDS redirected resources showing degraded performance in Windows 8.1 or Windows Server 2012 R2
https://support.microsoft.com/en-us/kb/3146978

 

Cluster service fails when shutting down or data deduplication fails with "Drive is locked" in Windows Server 2012 R2
https://support.microsoft.com/en-us/kb/3143777

 

Loading DNS zones takes a long time on a Windows Server 2008 R2-based DNS server
https://support.microsoft.com/en-us/kb/3145126

Thank you.

 

svxp tag

Nonpaged pool memory leak occurs in a Windows Server 2012 R2-based failover cluster
https://support.microsoft.com/en-us/kb/3130939?sd=rss&spid=17383
Article ID: 3130939 - Last Review: 03/08/2016 19:38:00 - Revision: 3.0
This article describes a memory leak issue that occurs in the svhdxflt.sys filter driver in Windows Server 2012 R2. The leak occurs against nonpaged pool with the svxp tag. You can fix this issue by using the update in this article. Before you install this update, see the Prerequisites and the Restart requirement section.

A collection of hotfixes related to Failover Clustering and Hyper-V.

Windows Server 2012 
  Recommended hotfixes and updates for Windows Server 2012-based failover clusters
  https://support.microsoft.com/en-us/kb/2784261 

 

Creating multiple File Server resources in one group may not work correctly in a Windows Server 2012 Failover Cluster
  https://support.microsoft.com/en-us/kb/2993295

 

  Starting or Live Migrating Hyper-V virtual machines may fail with error 0x80070569 on Windows Server 2012-based computers
  https://support.microsoft.com/en-us/kb/2779204

 

  Stop error 0x9E and failover cluster can't come online in Windows Server 2012
  https://support.microsoft.com/en-us/kb/3130902

 

 

Windows Server 2012 and Windows Server 2012 R2
  Hyper-V virtual machines cannot be connected to sometimes when TCP connections reconnect in Windows
https://support.microsoft.com/en-us/kb/2972254
Article ID: 2972254 - Last Review: 03/10/2016 08:04:00 - Revision: 8.0
  This issue occurs when a TCP connection breaks and then reconnects. A TCP acknowledgement is not received in the node-to-node communication on a Windows Server 2012 R2 failover cluster, and the node that does not receive the TCP acknowledgement is removed from the active failover cluster membership. Error 5023 is logged in the cluster.log file of the node that is removed from the active failover cluster membership. For example, the following error 5023 is logged in the cluster.log file on the   FC-NODE2 node that corresponds to the previous System log:
00000b7c.00001254::Date-Time WARN [PULLER FC-NODE2] ReadObject failed with GracefulClose(1226)' because of 'channel to remote endpoint fe80::####:####:####:####%##:~49256~ is closed'.
00000b7c.00000fa8::Date-Time ERR [CORE] mscs::NodeObject::OnMessageReceived: (5023)' because of 'Can't remove sent messages from an empty sent messages queue.'
00000b7c.00000fa8::Date-Time ERR [NODE] Node 8: Error processing message from n1, starting Regroup.

Note: fe80::####:####:####:####%## represents the hexadecimal number that represents an IPv6 address.

 

Stop error code 0xD1, 0x139, or 0x3B and cluster nodes go down in Windows Server 2012 R2 or Windows Server 2012
https://support.microsoft.com/en-us/kb/3055343
  Article ID: 3055343 - Last Review: 03/08/2016 19:13:00 - Revision: 6.0
  Issue 1
  When you delete network interfaces on a server that is running Windows Server 2012   R2 or Windows Server 2012, you experience random and intermittent crashes on the system, and you also receive one of the following Stop error messages:
  •0xD1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
  •0X139: KERNEL_SECURITY_CHECK_FAILURE
  •0x3B: SYSTEM_SERVICE_EXCEPTION
  Issue 2
  Some cluster nodes that are running Windows Server 2012 R2 or Windows Server 2012 go down because of the corruption in NDIS and netcfg.

 

  Hyper-V integration components update for Windows virtual machines that are running on a Windows 10-based host
  https://support.microsoft.com/en-us/kb/3063109 

 

Cluster service stops during the VSS backup in a Windows Server 2012 R2 or Windows Server 2012-based Hyper-V cluster 
  https://support.microsoft.com/en-us/kb/3090343

 

 

Windows Server 2012 R2
  A virtual machine that is running on Windows Server 2012 R2 may not start
  https://support.microsoft.com/en-us/kb/2962295

 

  Disk resource does not come online in Windows Server 2012 R2 or Windows Server 2008 R2-based failover cluster
  https://support.microsoft.com/en-us/kb/3033918
  Article ID: 3033918 - Last Review: 03/11/2016 03:55:00 - Revision: 4.0
  Assume that a disk resource name contains unauthorized file system characters, such as colon (:) or backslash (\), in a Windows Server 2012 R2 or Windows Server 2008 R2-based failover cluster, and the disk becomes dirty. In this situation, the chkdsk command does not run as expected, and the disk resource cannot come online.

  Stop Error "0x0000007E" occurs in a Windows Server 2012 R2-based Hyper-V cluster
  https://support.microsoft.com/en-us/kb/3063000

 

Cluster validation fails in the "Validate Simultaneous Failover" test in a Windows Server 2012 R2-based failover cluster
https://support.microsoft.com/en-us/kb/3091057
Article ID: 3091057 - Last Review: 03/11/2016 06:33:00 - Revision: 3.0
When you run failover cluster validation, the validation may fail during the storage validation tests. It may occur by using Validate a Configuration Wizard from Failover Cluster Manager or by initiating validation that uses the "Test-Cluster" PowerShell cmdlet. 

 

 

Windows 10

  A multi-site failover cluster goes into a split brain situation in Windows Server 2012 R2 
  https://support.microsoft.com/en-us/kb/3123593

 

Hyper-V integration components update for Windows virtual machines that are running on a Windows 10-based host

https://support.microsoft.com/en-us/kb/3063109?sd=rss&spid=16796
Article ID: 3063109 - Last Review: 03/11/2016 01:56:00 - Revision: 4.0
Issue 1
Consider the following scenario:
•You connect a VM to a virtual switch that uses a physical adapter.
•You enable the single root I/O virtualization (SR-IOV) option in Virtual Switch Manager.
•You disable the physical adapter on the Hyper-V guest while network I/O is running in the VM.
In this scenario, the VM crashes.
Issue 2
The current Write Ahead Logging (WAL) implementation incorrectly assumes that the Virtual Hard Disk (VHD) ownership never changes. However, the ownership does change in multiple VM group replication in a shared VHD scenario

 

 

System crashes with Stop error 0x00000139 in Windows 8.1 and Windows Server 2012 R2
https://support.microsoft.com/en-us/kb/3130896?sd=rss&spid=16796
This issue occurs when one or more computers on the network try to connect to a shared printer by using the Server Message Block version 1 (SMBv1) protocol. In this situation, the file server crashes with a Stop error message that looks something like this:
STOP: 0x00000139 (Parameter1, Parameter2, Parameter3, Parameter4)
