Windows updates on Windows 8.1 almost made my system unbootable

March 15, 2016

I  have an older  (Haswell based) X1 carbon which is running Windows 8.1. I was installing updates on it and after that the system wouldn’t boot and would keep getting to recovery loop. The system is bit lockered. I couldn’t get the system into safe mode or enable debugging. System restore had restore points as I seldom log into my local admin accounts and use mostly my domain  joined account. I tried the startup repair diagnosis and that didn’t find much either. So the system was pretty much unrecoverable. I went and looked at the SRtlogs (attached) and they pointed to a corrupt cng.sys binary. Sure enough it was reduced to 4 kb in size. I tried to patch it with a binary from another 8.1 system but that didn’t help. In the end I ran the sfc tool and that’s when I started seeing issues. Error from the tool:

“Error :There is a system repair pending which requires a reboot to complete. Restart windows and run sfc again”.

I researched the Windows community board which actually led to the diagnosis that there was a pending update which was for whatever reason causing the behavior and found the dism command below. Ran this and rebooted the system came back online.


dism.exe /image:C:\  /cleanup-image /revertpendingactions

The drive above could be D: or another one.  Check your system for the drive which has the Windows, Program Files etc directory to be sure.


If you get stuck in a loop with the message Windows couldn’t update the system… Try F8 to use restore point or try and reeboot before you reach the We cant install the update screen and this will cause recovery to be invoked. Happy fixing…

 I cant imagine non technical savvy user doing this…


Hope this helps!!



Windows 10 Power management

July 13, 2015

Win 10 scenarios covered

  • Battery Saver — For Better reporting accuracy, OEMs may need to run E3 micro benchmarks
  • Modern standby — Cheaper alternative to connected standby
  • Power scheme settings — Hibernate for CS systems
  • Project Centennial — Converting Win 32 apps to UWP apps

Battery Saver

  • New Windows 10 Shell option which shows battery consumers on the system at runtime
  • This uses a general model of the platform to indicate battery use
  • The accuracy of data is higher if OEM runs micro benchmarks on their platform or use the Maxim chip at an additional cost to the BOM





Modern Standby

Why does it matter?

  • CS hardware requirements do have a BOM adder(Storage and Network)
  • Modern standby allows for instant on
    •     S3 systems from telemetry may have twice as large S3 resume


MS_1 Ms2

  • Background activities (non network related) can still happen
    • Store apps activities
    • Reminders
    • Bth sync
                           Battery drain Hibernate timer OEM setting
Exceptional 9 days or longer battery life Use of Hibernate timer is optional
Ontrack 6 days or longer battery life Use of hibernate timer after 24 hrs is recommended

Modern Standby Implementation


Power management – Hibernate times

  • New Win10 Hibernate Settings for end user
    • Default is same as Win 8/8.1
    • Not to hibernate the system
    • Changing the setting allows the system to Hibernate while in CS
    • Criteria to set the Hibernate values


Lowering power consumption with UWP apps

Build 2015 – OpenSource, Partners, visual Studio, Cloud, IoT… Need I say more?

May 27, 2015

Build 2015 was full of treasures. Partnerships, open Source integration, Visual Studio, Azure, IoT were the big areas. New face of microsoft with a focus on open source and 3rd party support like github was a huge part of the Visual Studio suite.

There was so much of new stuff disclosed at the Conference. The Key notes(keynote1 and keynote2) gave an idea:

The big themes of the conference was developing apps for the Cloud and developing UAP apps with Visual Studio 2015 platform. You could download the preview version of the community one here.
It was clear that Microsoft had been listening to the developers and was beginning to integrate with open source tools. Azure was a big focus area where developers from a lot of SMB varying from insurance /accounting to gaming were looking at Azure as a potential platform. In the space of Big data Azure Data factory was an interesting talk about reuse patterns for Big Data with machine learning analysis built in step as part of the workflow.
Visual studio tools for converting iOS and Android apps to Windows apps was well received. It is surprising how many developing on iOS using Objective C and were delighted to hear cross platform support for Objective C. The new Visual Studio Code IDE has an intelisense rich environment to build Android apps was a welcomed by everyone. This should be a welcome change from the Android IDE’s such as h Eclipse or Android Development studio. Check the newest member of the Visual Studio family which is pretty lightweight and takes less than 60 Mb of space. vs Ide
Image below shows the power of the Visual Studio platform

universalwindows platform

Halo lens created a lot of buzz with developers being able to play with it. Lot of verticals such as education and Architecture. Gaming maybe next …
Big buzz events of the event were Halolens and support for Objective C and Java.
Visual Studio support of Open source software such as Alljoyn and Github and 3rd party software especially in the Big data space and its integration with Visual Studio was very well received.

Key takeaways from Builds

App. Gap between Windows Phone and IoS /Android will be bridged by project Astoria and Islandwood. This allows developers to port their existing IoS apps and Android Apps to Windows apps. There maybe restrictions on phone hardware needed to run such apps. This is great news for Windows Phone OEM’s.

Win32 apps to to UAP apps. with project continuum
This I think is one of the best messages not just for developers but also for OEMs to move their first and third party apps to UAP apps from Win32.
This was ISV’s can convert their Win 32 apps to UAP apps by using Project Centennial. The apps. can then be purchased using the Store. This helps the apps. to be more secure, less resource intensive and battery freidnly.

Edge the new browser – Better web experience
Key reason for using the browser is primarily around because it will work well with optimized sites, supports Cortana and many other gems such as Web extensions, pointer lock for shooter games and reading lists . IE due to compatibility reasons may not support but with forked code. This allows for edge supportability forked with IE compatibility. The best part is that Edge can launch IE for sites which are not compatible for example which need VB script.
Other things are distraction-free offline reading and built-in note-taking & sharing. Below is a comparison of Alaska airlines website on a mobile device.


Design for Win 10 by the user for the user
Please ask folks from outsider to join the insider program to get an early feel for Windows and provide feedback as the feedback is taken seriously including for UX. The builds with new features are flighted directly to the system.

One  Store

For those of you have written Windows apps for phone and desktop OS like me on Win 8.1. The experience can be nerve wrecking as you need to create 2 accounts one for Windows Phone and one for desktop. Duplicate everything from monetizing, geographies of release, price, screenshots and descriptions. I just saw a note from Microsoft for my store application called “SecureData”


Desktop :

There will be now one store, one submission and one process for everything. One does have the option to create multiple packages for OS or platform…


Win10 app migration

There will be now one store, one submission and one process for everything. One does have the option to create multiple packages for OS or platform…


Project Continuum

What is Continuum?

  • Two apps run simultaneously on two screens
  • Windows Apps transition seamlessly and look beautiful on any screen
  • Keyboard and mouse support

To make the application adaptive to any screen size understanding effective pixel is key. Effective pixel is independent of screen. Some terminology. More on that here:

display terminology

Think about how your app. Scales to the big screen. Scaling which depends on pixel density and viewing distance. There is no rule of thumb that a desktop has higher scale than a mobile phone. It is primarily dependent on pixel density and viewing density.


Some other cool features include using the other screen not just to mirror but to take advantage of the 2 screens simultaneously with multi screen API …


Some technologies to watch out for

Nano Server – Nano server doesn’t just remove features but is a self contained engine. Microsoft defines its Nano Server as a “headless, 64-bit only deployment option for Windows Server.” It’s like Server Core, except that it’s 20 times smaller. The compressed size or reduced server “footprint” brings a number of benefits, including fewer security vulnerabilities to address, reduced patch and reboot times, and scalability improvements.


  • 3d printing
  • IoT Maker movements – Raspberry Pi and Arduino

Lots of great talks on IoT. Some of the interesting ones given below.

IF you are considering buying parts for maker projects here is an interesting site.

Confidence invoking statements

Windows itself is evolving with feedback from Insider program. Instead of fixed set of design the design is evolving which appears to be by design and is sometimes misconstrued as instability.

The other comforting thing for developers is that the new browser edge which is a UAP was designed using the same tools as a developer would use for their own apps.

Summary of the key areas


Area Features
Universal App. Platform(UAP) platform Universal App. Platform offers the capability to write your app. Once and run it on all Windows Platforms starting with the Windows Embedded (Athens) to Mobile to Desktop to new Surface HubApps are coded to Universal App. Platform and not to the hardware platform or Operating Systems using Windows.Foundation.Metadata.Apiinformation. What that means is that applications shouldn’t be designed for Win 10 Mobile or Win 10 desktop etc This alleviates the need to code to least common denominator hardware they would be supporting
Visual Studio Visual Studio teams had a busy year with a lot of new features.. To name a few:·         Web Apps(JS etc),·         Android (Java)·         iOS(objective C),·         Open source integration(Git hub, Alljoin, Big data programming ),

·         Cloud apps,

·         Unit testing, perf.

·         New VS Code part editor part IDE

One $tore for all Windows Platforms One can now link apps meant for Windows Phone to Dekstop.1 submission for all, 1 certification but and 1 pricing. Typically the greatest common denominator if one has apps on both mobile and Desktop is chosen. The base price from is chosen from Windows (desktop), screen shots are chosen from both to give user flexibility, category is chosen from windows(desktop) etc…There is the option of having multiple packages for old OS 1 package. The dashboard is on is redesigned.

Some folks asked me about the sessions I attended and Below are the some sessions I found useful. These are not in any particular order and cover ranging topics from Azure, IoT, UX, Programming:

Sessions I found useful

Topic Link
Nano sever : A Cloud Optimized Windows Server for DevelopersMicrosoft defines its Nano Server as a “headless, 64-bit only deployment option for Windows Server.” It’s like Server Core, except that it’s 20 times smaller. The compressed size or reduced server “footprint” brings a number of benefits, including fewer security vulnerabilities to address, reduced patch and reboot times, and scalability improvements.To address the cloud, the GUI built into the server had to go. Instead, Nano Server gets managed using a remote GUI through a browser-based application. For instance, the presentation showed off a browser-based dev-ops program called Visual Studio Release Management. It doesn’t use Remote Desktop Protocol to remote into a server. Instead, it uses Core PowerShell scripts for management, along with Desired State Configuration, which is PowerShell’s push-pull configuration technology.
Porting Android apps using Astoria There are some hardware restrictions on the memory and disk space for such apps.
Project Centennial”: Converting your Classic Windows App (Win32, .Net, COM) to a Universal Windows App for Distribution in the Windows Store This allows Win32 apps to run in a container security. The app becomes a UWP app and hence can run on Xbox, Halo lens, Surface Hub etc.To help support Win32 apps which need Winsock, CreateThread() API’s these API’s will be available to UWP apps also. WMI, DAM, COM works just like Win32. Access to click once API’s lost after the first launch.Some features like active X deployment wont work etc.
Project Spartan”: Introducing the New Browser and Web App Platform for Windows 10 Key reason for using the browser is primarily around because it will work well with optimized sites, supports Cortana and many other gems such as Web extensions, pointer lock for shooter games and reading lists . IE due to compatibility reasons may not support but with forked code. This allows for edge supportability forked with IE compatibility. The best part is that Edge can launch IE for sites which are not compatible for example which need VB script.Other things are distraction-free offline reading and built-in note-taking & sharing. Below is a comparison of Alaska airlines website on a mobile device.
Windows Design for Developers: An Executive Panel Windows Insider program feedback has been taken into account for UX design for Win 10.One of the better talks I attended. This talk gave me a perspective on how much of Win 10 UX design is incorporating feedback from Windows Insiders Only slides
Optimizing Windows Apps for ContinuumEffort involved in letting applications working across multiple screens is very little especially for mobile. You can resize your application on desktop to test the look and feel on mobile.Some key concepts are effective pixel, pixel density and viewing distance etc. More here:
Building Rich, Contextually Aware Universal Windows Apps Using Sensors There is support for batching sensor request to save on power. Applications can use background triggers to detect things like user activity (like walking etc). There is also availability of sensor history data.Custom sensor can be easily added and apps. can use GUID to detect the device. Sensor simulators are available from Github to build and test applications.
Store: Deep Dive on Publishing Universal Windows Apps From now on there will be :·         one store for everything,·         one submission for all,·         one certification

Optional support for multiple packages for OS and platform are available.
Developing 3D Printing Apps and Services in Windows 10The 3d print space has many individual,  challenges with nonstart drivers, low print success rate, limitations on information exchange,  limitations in existing formats , formats not designed for 3d format.The 3mf consortium tries to solve some of these with open source, compact human readable. This will allow for repair capabilities API, plug and play, enable cloud printing. There will 3d builder inbox which will allow for visualizations and validation and repair. This removes the single highest barrier to entry removed.3d content is open for partners to develop. More details here:
API Contracts (or How I Learned to Stop Checking OS Versions and Love Feature Detection)Least Common Denominator API’s really suck,. Instead have adaptive apps which run on multiple platforms. Use the Windows.Foundation.Metadata.Apiinformation classes and methods to find out what features your app. Targets.

Some things I found useful to try

  1. Join and give feedback on Windows Insider – This feedback contributes to many things including UX design etc.
  1. Try Cortana – Scenarios such as weather, how much RAM do I Have?
  2. Try Project Spartan/Edge browser on your Nokia Phones and Desktop’s
  1. The build app. Was great to get the summary of all sessions in case you are curious on any developer topic. The app. Works on Windows, Android and iPhone platforms.
  2. INSTALL Visual Studio 2015 and VS Code

VS 2015-

VS Code –

Etc etc

Comparison of Developer conferences

In this competitive world it is difficult to not compare. I looked at the 3 of the more important key notes of developer conferences.

Build in my opinion had one of the best key notes. The Google key note was dull and lacked appeal, IoS on the other hand was not bad but Apple ecosystem is very limited compared to what Microsoft covers. Build had powerful demos and tremendous wow factor with Halolens especially. We will see more in a couple of weeks when Apple and Google 2015 conferences are held.


Overall I think Win 10 is going to be a great platform for at least a billion devices. So if you are a developer this present s great opportunity on writing all sort of apps. for so many different platforms…

Part 2 of this coming soon looking at more cool windows features …

Read the rest of this entry »

bulk copy data

May 5, 2015

the main goal of this blog is to focus on tools available for doing a bulk copy to a SQL server on windows.

Inserting sequentially –
Sqlcmd – it is a freat tol if you have the data on the machine hosting the SQL server. You can use it if you have the data on a network share but you run into issues with credentials.

BCP- It is a great tool but you need to understand the format files and the syntax of the command. Bcp is like a scripting language where the sepecial characters like “,”, “;” etc. are to be carefully monitored. Also, it is very fical when it comes to validity of source data. For eg: Data time format fields with hours or minutes or seconds not in the HH:MM:SS format will give you a lot of trouble. Missing leading 0’s can be cause of many an issue.

Debugging – Insert a field manually and get it using bcp out.

Hibernate and Hiberfile sizes

June 13, 2014

Windows reserves typically 75% of the Memory for Hiberfil.sys . This is normally enough after compression but maybe less especially if you use memory tools. The way to change hiberfile size is as follows :

powercfg /h /size

To turn off Hibernate use the following command:
powercfg /h off

Turning off hibernate in Windows8+ is:
1) No fast startup so impact on boot time
2) No way to save data if the battery reaches critical levels.
3) No way to save data on Thermal conditions

Decrypting wdf01000.sys interrupts with WPA

June 13, 2014

If you are trying to figure out which WDF driver is the source of all interrupts there is a way out. Since wdf01000.sys fields all interrupts and then calls the actual driver, it is difficult to figure out which driver caused the interrupts. Fortunately, there is a way out: You need to use the trace flags in the kernel – WDF_INTERRUPT and WDF_DPC. You can find all Kernel trace flags by the following command: “xperf -providers KF” .

You can trace as follows: ”

xperf -on diageasy+WDF_DPC+WDF_INTERRUPT+0x48000000+PROC_THREAD+LOADER+INTERRUPT+DPC+CSWITCH+TIMER+CLOCKINT -stackwalk TimerSetPeriodic+TimerSetOneShot+CSwitch+readythread+profile -clocktype perfcounter -buffersize 1024 -minbuffers 1024

xperf -d test.etl

Tidbits on technical interviewing

November 14, 2011

I have interviewed a lot of candidates for various roles within Microsoft. They range from college graduates to automation testers.
I broadly qualify them under 2 categories:
1) college hires for driver development
2) Automation using powershell
College Hires of Kernel/driver development
For college hires my interview style was to make sure I give them questions which ar not easily available off the internet. For that purpose I always used questions or challenging problems which I was working on at that time. Also, I tried to keep my questions consistent to compare candidates and since I knew the approaches and solutions pretty well.

One question I asked which was typical of what that candidate would be expected to do was to give the candidate a help guide for a particular kernel API and then showed a snippet of code and asked him to figure out what was that doing. For eg: Given the help page for “InterlockedCompareExchange” ass the candidate to figure out what some piece of code was doing. It normally is a good test of understanding of code and kernel concepts.

Some other areas which I would quiz on for kernel/driver development positions:
1) IRQL’s
2) Synchronisation primitives
3) C coding
4) Virtual memory

If the candidate got through my coding question I would give some logic puzzles to keep it interesting. More coding questions sometimes just makes the interview dull.

Categorie 2 – Automation code developemnt
Recently we had a need to hire someone who could help automate some tools. I have realised over time that on of the best skills for automation is not C# but powershell. With the cmdlets support working with powershell makes for really fast development time. It has the caveat of no type safety but is great for smaller projects which need to be developed quickly. The typical thingsin our probelm space were parsing input in .txt, .csv files etc reporting as html output etc
For eg: I saw that for a problem of finding all 3rd party exes under “program Files” folder it takes a person around 2-3 hrs to solve in C# given a developer with 5 yrs of experience. However consistently most candidates solved under 1 hr using powershell.

There are several such examples I came across.

My goals were to wait for the right candidates with a good mix of technical skills (powershell experience of more than 6 months) and good soft skills (self starter, sincere and detail oriented etc). I let the recruiters know to do their own filtering thus reducing the onus on me as the sheer number of candidate resumes I was getting was enormous.
One way i decided to save time was to have a phone screen prior to meeting the candidate face to face. This saved me immense amount of time. My phone screen was to give the candidate an introduction to the position followed by giving him a real world problem to solve using powershell. All problems were the ones that I encountered while trying to automate and i would give the candidate an hour to solve. Some examples:
1) Parsing and reporting question(phone screen):
Given a .txt file parse it and then generate an HTML report with some tables.
2) Simple question – good to give the hiring agency
Given a root path create folders with iteration numbers every time the script runs. For eg:
If the root is c:\test. The first time a script is invoked create C:\test\1\
If the script is invoked a second time, it should recognise that c:\test\1\ exists and create c:\test\2\ and so on.

Things to watch out for:
The code shouldn’t take more than 20 lines of powershell in the worst case
Easily tested by powershell .\.ps1

3) ) In person interview
Find all 3rd part exes (this is not literal but just omitting Windows or Microsoft in the folder or exe name was enouh) under program files etc.
Things to watch out for:
Program files under 64 bit system has 2 folders for program files. Try running the powershell script on your own machine and see if it works and shows the correct output.

I gave the candidates normally an hour and kept the time consistent to compare candidates. Also, the goal was to not only look at their problem solving capabilities but also ability to ask for clarifying questions. If the solution was not well formed I would give feedback and see if the candidate had the inclination to send me an improved solution. This also showered some light on the candidates sincerity to improve and take feedback besides communication.

In the face to face interview I would more whiteboarding and sometimes focus on other soft skills lile being detail oriented and creative . I also woudl ask at least one more member of the team to interview in case the candidate had to work with him and also to get another picture.

Hope this helps as it has helped me tremendously to hire some great candidates. They are worth it as the extra amount of time spent in picking the right candidates pays very rich dividends when it comes to explaing problems and finding solutions.

xperf tidbits

September 13, 2011

If you have a relatively large trace like 4gb+. you wil encounter opening those with xperfview. You may see error 0x800f007e. This is because you run out of VA space on 32bit sytetm. Try opening it on a 64 bit system.



Good video on Creating a bottable USB disk

Installation and Signing of filter drivers

August 29, 2011

My goal is to demystify and make the process of install of filter drivers simpler. I spent time in this blog describing install issues, driver signing and some miscellaneous topics like PCI express capabilities. I will go into more depths of bus and class filter drivers in my next blog. In this blog I tackle the issues of deploying, debugging, signing filter drivers and small tidbits on PCI express capability structure defined in the PCI spec. There are lots of general guidelines in the Windows Driver Kit(WDK) on how to write filter drivers.

The figure below shows types of filter drivers and where a filter driver can be in the device stack.

FIlter driver types

The toaster filter driver in the WDK is a good starting point: The toaster sample set is huge and shows how to write different types of filter drivers – upper/lower class, bus and device filter. The filter deriver I recently wrote was a PCI bus filter driver and a USB class filter. Among other things the challenge was debugging and installing it.

Class filter  – If you instantiate a CLASS filter, you do so for all devices in the CLASS. Thus, any new devices that are added in the filtered device class wind-up having the filter instantiated. More details here:

Bus filter drivers typically add value to a bus and are supplied by Microsoft or a system OEM. Bus filter drivers are optional. There can be any number of bus filter drivers for a bus. A bus filter driver could, for example, implement proprietary enhancements to standard bus hardware. For devices described by an ACPI BIOS, the power manager inserts a Microsoft-supplied ACPI filter (bus filter driver) above the bus driver for each such device. The ACPI filter carries out device power policy and powers on and off devices. The ACPI filter is transparent to other drivers and is not present on non-ACPI machines.

 Debugging the pci bus filter – USB is not a great means for debugging it as the USB controllers which are PCI devices didn’t do too well when my filter driver hit a bug. That’s why resorted to 1394 and serial. I all my initial development and debugging on a desktop with serial ports and then started testing on a laptop. Inf file The install is challenging in how you need to write the inf file and then how do you install the filter driver. The places where this inf differs from a regular function drivers inf is the key to specify whether this is an upper or lower filter. Since this is a PCI bus filter it has the needs and Include directive as well since it is dependent on the PCI bus driver. Note the driver is a boot start since it is a PCI bus filter. It also uses the System class.

The highlighted part in  bold below is the one unique to filter drivers.


Signature=”$WINDOWS NT$”







DefaultDestDir = 12


1 = %DiskId1%,,,””


PCIfilter.sys  = 1,,


; Install Section





%PCIfilter.DeviceDesc%=PCIfilter_Device, *PNP0A03

%PCIfilter.DeviceDesc%=PCIfilter_Device, *PNP0A08











;————– Service installation

; Function and filter driver for the bus




AddService = PCIfilter,, PCIfilter_Service_Inst

; ————– busupper Driver install section


DisplayName    = %PCIfilter.SVCDESC%

ServiceType    = 1               ; SERVICE_KERNEL_DRIVER

StartType      = 0               ; SERVICE_DEMAND_BOOT

ErrorControl   = 1               ; SERVICE_ERROR_NORMAL

ServiceBinary  = %12%\PCIfilter.sys

LoadOrderGroup = PnP Filter



MSFT = “Microsoft”

StdMfg = “(Standard system devices)”

DiskId1 = ” PCI  Bus
Installation Disk #1″

PCIfilter.SVCDESC = ” PCI Bus Upper Filter”

PCIfilter.DeviceDesc = ” PCI Bus filter”


devcon.exe install pcifilter.inf *PNP0A03

if the above fails

devcon.exe install pcifilter.inf *PNP0A08

NOTE: devcon.exe is a tool in  the Wdk

Conmmand line way to right click and install an inf

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 .\usbcfltr.inf


You will need to reboot the system after install.

Installation on 64 bit system

You will need to enable test signing to install the filter or sign it.

bcedit /set testsigning ON

Debugging inf issues in install

To do this we need to turn on the verbosity
levels in the Setup logs to look at the  Setupapidev.log .

The default value for log levels is  0x2000ff00

Turning the verbosity of logging

Setting SetupAPI Logging Levels

OSR’s link –

Checking all the classfilters

For the USB class filter I wrote this command is what I used. More information in devcon help

devcon classfilter usb lower

Uninstall a class filter

  • using devcon.exe

devcon -r classfilter usb lower !usbcfltr

  • Registry

Renaming the key in the registry. For eg: If the name of the service is
usbcfltr, look for that in the registry and rename it.

Device stack after install of PCI filter driver

This is how the device stack looked for :










                                                          PCI root port

The attachedDevice field in the DEVICE_OBJECT structure points to the guy above him in the stack.

Getting PDO from an FDO

This is a common operation for writing filter drivers.

You can send an IRP_MN_QUERY_DEVICE_RELATIONS type TargetDeviceRelation down the stack to get a
referenced pointer to the PDO.

Signing Drivers during
Development and Test (Windows Vista and Later)

The following link describes the steps involved.

The basic steps are outlined below with examples. Note the example  just show one way of doing it and not the only way. You will need the WDK installed to use the tools  for this.

  • Create a certificate called  testdriverfile

MakeCert -r -pe -ss PrivateCertStore -n “CN=testdriver” testdriverfile.cer

  • Copy all the files to a  folder which includes the .sys file, the inf file and any coinstallers like wdfcoinstaller01009.dll etc.
  • Sign the driver sys file

SignTool sign /a /v /s PrivateCertStore /n testdriver /t  .\cat\pcifilter.sys

  • Generate the catalogue  file.

Inf2Cat /v /driver:\signing\cat /os:7_X64

  • Sign the cat fileSignTool sign /a /v /s PrivateCertStore /n testdriver /t .\cat\
    • Install the certificate    on the test machine

    Certutil -addstore -f “Trusted Root Certification Authorities” testdriver.cer

    Also run this command on the 64 bit system to allow test

    bcedit /set testsigning ON

Miscellaneous tidbits  about PCI express capabilities

  • Format is capability _ptr  followed by capability_id
  • In the initial 255     bytes of the PCI space it uses 8 bytes for capability_ptr and 8 for capability_id
  • PCI express extended capability     region – After that it uses  16 bytes
    for capability_id and then  1 byte for version and then 15 bytes for capability_ptr
  • Last cap has the capability_ptr     field set to 0
  • Following capability pointers
    • Check status register – 0x6 bit 0x10 for cap ptr
    • Register 0xe gives the      type of PCI device type like Bridge, endpoint etc

Ring 0 debugging and Windbg – part 2

September 28, 2009

As promised earlier I am including some more savory Kernel debugging topics. Some of these scenarios are more corner case one-off ones.

  1. Virtual Machine (VM) debugging

Debugging a virtual machine 

You will need to enable debugging on the VM just like a regular OS. Also, you will need to set one of the COM Port(COM1 or Com2) as a named pipe (=\.\pipe\<com1| com2 |yourstring>). On the VM HOST OS you can type this to attach to the debuggee.

windbg [-y SymbolPath] -k com:pipe,port=\.\pipe\PipeName[,resets=0][,reconnect] 
 Virtual to virtual Machine debugging

This is the scenario where you use one VM running on the host to debug another VM running on the same host. This is interesting scenario and is useful in any scenario where you may have to reimage the host OS maybe in a lab. Environment.  I had to set this up for showing kernel debugging for KMDF at WinHEC.

This is how I did it:

  • Created a named pipe on COM1  as following on the VM acting as host/debugger


  • Created a named pipe on COM2 on the debuggee


When I tried this with COM1 port on the debugee VM I couldn’t get it to work but Named pipe on Com2 port worked for me. If you had a different experience please share it for others benefit.

Invoke the debugger on host VM as:

“Windbg –k com:port=com2”.


  1. Debugging Local/single mode debugging

In some cases you may not have access to another machine or you may want to look at some device state or read a global variable for a driver. In the absence of other applications  or tools one can use the local debugger. You will need to enable debugging the local machine on Vista and forward:

bcdedit /debug on

followed by a reboot. You can look at the documentation for how to edit the boot.ini file to do this on pre-vista OS.

Then you can begin debugging with the following command:

C:\> kd –kl

However, it has limited use. You can’t set break points or check call stacks.

You can use it for checking state of global variables in your drivers etc. You could also use it for trying out commands/ approaches when you don’t have another machine handy if you are going to visit a customer for example.

  1. I am stuck now what. How do I get my machine back?

At some point in your life just by law of averages J you will come across a system which is crashing regularly maybe even at boot that you can’t get any work done or even log on to the system. These are a few techniques you could use to get your system back.

Safe mode

Try booting safe mode. The set of drivers loaded in safe mode are a subset of the remaining drivers. Majority of times these are well tested critical boot  drivers. If you enabled verifier for all drivers. This is especially  useful if one of the non-safe mode drivers is failing hence doesn’t get loaded in safe mode.

In some cases (more of a driver developer /test/verification scenario) the non-safe mode driver maybe failing a verifier check if you enable verifier for all drivers on your machine maybe to debug a corruption problem.


System restore

System restore helps you restore your system to a previous state. A thing to note is that driver binaries are not rolled back. It can be useful as it primarily reverts the registry to a prior well known state. If the state the system is in, involved the registry directly or indirectly, this is a good option to try.

The scenario I discussed earlier  of enabling driver verifier to safe mode  drivers and one such driver barfing could get your system to not boot even in the safe mode. It is unfortunate but you could find even safe mode drivers sometimes fail verifier checks.

Driver Verifier saves state in the registry so by reverting the registry (with system restore) you can disable the verifier and claim your machine back perhaps temporarily since the offending driver is still on your system. If you are lucky there is an update waiting for you from the IHV/ISV which fixes the issue flagged by driver verifier.

BIOS and disabling devices

You also find most BIOSes have the option of disabling devices. If the offending driver is for hardware and you can figure out the name of the driver binary (from the BSOD)which is crashing you can try disabling it from the BIOS. For e.g.: This is useful for devices you couldn’t care more for like the finger print reader (unless you actually use it) which has a buggy driver. Once the driver is fixed  you can re-enable the device.

Kdfiles and Windbg

Kdfiles is an excellent way to change a boot driver or another driver especially if you are debugging/developing a driver. Windbg acts as a conduit for passing bits of the driver you need to change on to the target machine. It can be used for boot drivers as well except for windows vista.

For e.g.:

Kd> .kdfiles –m \systemroot\system32\driver.sys \myshare\checked\driver.sys

Crash dump

If all else fails and you desperately need a crash dump to pass on to the IHV for debugging. On windows 7, kernel crash dump which is good enough normally for debugging  is enabled by default.

F10 trick to edit the boot parameters passed to the kernel at boot time

If you forgot to enable kernel debugging with bcdedit you could always do it at boot time. Pressing F8 can give you the boot menu which has the option of enable debugging. There is another way of doing it however you need to have precision timing. You will need to add the following lines to the boot debug options after pressing the F10 key. The debug option doesn’t persist across a boot.

  • Serial  — “/debug /debugport=comX /baudrate=115200”
  • 1394  –  “/debug /debugport=1394 /channel=[1-63]”
  • USB –  “/debug /debugport=usb /targetname=String “


Getting a crash dump for a process without enabling the kernel debugger

If the machine is not booted in debug mode (local kd cannot be used) and you can’t enable debugging and reboot it in fears of losing the repro, then you could try the following:

kdbgctrl –td <pid> <file>

This will capture a driver dump with the hang that should contain the IRP information to see if any  thread in the  process is hung on an IRP. Kdbgctrl.exe is a tool from the debuggers packages.


Debugging over USB-serial converter

When you set a target to use a COM port for debugging, the debugging engine
takes over the port and drives it itself. This is why a COM port will no
longer appear in device manager when being used for debugging.  Let’s say now you want to  
use a port on a USB device. When the system first boots, that port do
not exist according to the system hardware. Therefore there is no such thing
as COMX, so it just doesn’t work. Ports on USB-Serial converters do not get
created until later on when the PNP manager loads the driver for the USB

The kernel drives the debug ports so if a driver is driving the debug port that won’t work.

So debugging over USB-serial converters doesn’t work.

Accessing the registry from Windbg

Won’t it be great if you could access the registry values from windbg. This way you could disable driver verifier through the debugger or set/unset some driver registry value. There are numerous scenarios which this could be handy. You can actually do this over windbg. Let me warn you that this may require a little poking and digging around as I show below.

The verifier stores its settings in the registry at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\VerifyDrivers

For more information refer
If we could access this from the debugger we could actually turn off verifier using windbg.

Before we dig into the registry I would recommend you to read the following article from Mark Russinovich which explains the internals of the registry:

 What is the system registry?

The registry holds system information, such as configuration data, for both hardware and software.  The registry is broken up into “Hives” which are registry files for parts of the registry.  For example, the Software hive is where the HKEY_LOCAL_MACHINE\Software information is kept.  The Hives are broken up into “Bins” and the Bins are broken up into “Cells” which hold the registry key and value data.    

The diagram below which is borrowed from the above article shows the layout of the registry.



How is this information managed?

The registry subsystem maintains the registry on a Hive basis.  That is how the registry keeps track of open registry files.  The open Hives in the system can be displayed by using the debugger extension “!reg hivelist”.

Below is an example output:

lkd> !reg hivelist


| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName


| 8bc0c2e8 |       1000  | 8bc0c364 |       1000    |  8bc0c4a0  |        0  |        0  |     0| 8bc0e000  | <UNKNOWN>

| 8bc1a5a0 |     dbb000  | 8bc22000 |      44000    |  8bc1a758  |        0  |        0  |     0| 8bc1c000  | SYSTEM

| 8bc3f678 |      14000  | 8bc3f6f4 |       7000    |  8bc3f830  |        0  |        0  |     0| 8bc48000  | <UNKNOWN>

| 8bd6d9d0 |      8f000  | 8bd6da4c |       1000    |  8bd6db88  |        0  |        0  |     0| 901cb000  | temRoot\System32\Config\DEFAULT

| 8bd811f8 |    3c85000  | 901a3000 |       3000    |  8bd813b0  |        0  |        0  |     0| 8bcdd000  | emRoot\System32\Config\SOFTWARE

| 8bd85008 |       6000  | 8bd85084 |          0    |  00000000  |        0  |        0  |     0| 8bd05000  | <UNKNOWN>

| 8bd87008 |       8000  | 8bd87084 |       1000    |  8bd871c0  |        0  |        0  |     0| 8bd8e000  | <UNKNOWN>

| 911f53e8 |      3e000  | 911f5464 |       a000    |  911f55a0  |        0  |        0  |     0| 95661000  | files\NetworkService\NTUSER.DAT

| 956e2798 |      3d000  | 956e2814 |          0    |  00000000  |        0  |        0  |     0| 956e3000  | rofiles\LocalService\NTUSER.DAT

| 9ec258b8 |     406000  | 9ec3d000 |       d000    |  9ec25a70  |        0  |        0  |     0| 9ec27000  | \??\D:\Users\vmanan\ntuser.dat

| a0003650 |     3b6000  | a0073000 |          0    |  00000000  |        0  |        0  |     0| a007b000  | \Microsoft\Windows\UsrClass.dat

| a89d0008 |     861000  | a89d8000 |          0    |  00000000  |        0  |        0  |     0| a89d2000  | Volume Information\Syscache.hve

| d1d0c3b0 |       b000  | d1d0c42c |          0    |  00000000  |        0  |        0  |     0| b0bc3000  | Device\HarddiskVolume1\Boot\BCD


Before we can access the registry, we need to know where to begin.  So we need the root block:

In the above case I pick the root block for the System Hive. Below I try and dump a few values under the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\Control\Session Manager\Memory Management\” key namely “SystemPages” 

lkd> !reg baseblock 8bc1a5a0

FileName :  SYSTEM


Sequence1:  84a7

Sequence2:  84a7

TimeStamp:  1ca3f22 34d2fd1c

Major    :  1

Minor    :  5



RootCell :  20    -> Index of the root cell

Length   :  dbb000

Cluster  :  1

CheckSum :  4bd3452c

Since everything in the registry is represented as a cell we look at the cell index of the root block to calculate the cell address. The Cell address is broken down to the map directory offset,  map table offset , and then block offset to access registry data.  The debugger extension !reg cellindex does this for us automatically. !reg cellindex is then used to get the cell address. 


lkd> !reg cellindex  8bc1a5a0 20

Map = 8bc22000 Type = 0 Table = 0 Block = 0 Offset = 20

MapTable     = 8bc23000

BlockAddress = 937d3000

pcell:  937d3024


The !reg subkeylist command can do this for you.  This breaks down the Key Node and does all the work.


lkd> !reg subkeylist 8bc1a5a0 937d3024

Dumping SubkeyList of Key <CMI-CreateHive{3FE9C764-973F-45AC-B646-C7564C5B6CAD}> :

SubKeyCount[Stable  ]: 0x7

SubKeyLists[Stable  ]: 0xaf1f30

SubKeyCount[Volatile]: 0x1

SubKeyLists[Volatile]: 0x80000178

[   7] Stable SubKeys:

[Idx]   [SubKeyAddr]    [SubKeyName]

[0]     937d3164        ControlSet001

[1]     937d3164        ControlSet001

[2]     937d3164        ControlSet001

[3]     937d3164        ControlSet001

[4]     937d3164        ControlSet001

[5]     937d3164        ControlSet001

[6]     937d3164        ControlSet001

[   1] Volatile SubKeys:

[Idx]   [SubKeyAddr]    [SubKeyName]

[0]     8bc31024        CurrentControlSet

 Use ‘!reg knode <SubKeyAddr>’ to dump the key

What the List points to depends on the number of values.  The registry uses an index mechanism to access the sub key data.  The type of index is determined from the type code.  Above 0x686c indicates this is a CM_KEY_HASH_LEAF.  Where the cell contains a hash of the key and the cell index of the key.   Another example is a CM_KEY_FAST_LEAF where the first four characters of the key name are used instead of a hash.  What is used depends on the version of the hive.  Also when there are many sub keys, the index can be a CM_KEY_INDEX_ROOT, which contains cell indexes which point to leafs. 

You’ll see that some hives are volatile and don’t have associated files. The system creates and manages these hives entirely in memory; the hives are therefore temporary in nature. The system creates volatile hives every time the system boots. An example of a volatile hive is the HKEY_LOCAL_MACHINE \HARDWARE hive, which stores information regarding physical devices and the devices’ assigned resources. Resource assignment and hardware detection occur every time the system boots, so not storing this data on disk is logical.

You can use the !reg subkeylist recursively till you hit a roadblock where you don’t see all the child keys showing up in which case we resort to manual means. Since we have CurrentControlSet1, lets try and o down to its child key “Control”.

lkd> !reg subkeylist 8bc1a5a0 937d3164

Dumping SubkeyList of Key <ControlSet001> :

SubKeyCount[Stable  ]: 0x5

SubKeyLists[Stable  ]: 0x2ccbb0

SubKeyCount[Volatile]: 0x0

SubKeyLists[Volatile]: 0xffffffff

[   5] Stable SubKeys:

[Idx]   [SubKeyAddr]    [SubKeyName]

[0]     937d3634        Control

[1]     937d3634        Control

[2]     937d3634        Control

[3]     937d3634        Control

[4]     937d3634        Control

[   0] Volatile SubKeys:

 Use ‘!reg knode <SubKeyAddr>’ to dump the key


Trying again recursively to dump the subkeys didn’t work as the debug extension dumped I only ACPI out of the 84 subkeys.


lkd> !reg subkeylist  8bc1a5a0 937d3634

Dumping SubkeyList of Key <Control> :

SubKeyCount[Stable  ]: 0x54

SubKeyLists[Stable  ]: 0x12a968

SubKeyCount[Volatile]: 0x3

SubKeyLists[Volatile]: 0x8001d930

[  84] Stable SubKeys:

[Idx]   [SubKeyAddr]    [SubKeyName]

[0]     93732884        ACPI

[1]     93732884        ACPI

[2]     93732884        ACPI

[3]     93732884        ACPI

[4]     93732884        ACPI

[5]     93732884        ACPI

[6]     93732884        ACPI

[7]     93732884        ACPI

[8]     93732884        ACPI

[9]     93732884        ACPI

[10]    93732884        ACPI

[11]    93732884        ACPI

[12]    93732884        ACPI

[13]    93732884        ACPI

[79]    93732884        ACPI

[80]    93732884        ACPI

[81]    93732884        ACPI

[82]    93732884        ACPI

[83]    93732884        ACPI

[   3] Volatile SubKeys:

[Idx]   [SubKeyAddr]    [SubKeyName]

[0]     8bc31484        hivelist

[1]     8bc31484        hivelist

[2]     8bc31484        hivelist

 Use ‘!reg knode <SubKeyAddr>’ to dump the key


Since I was interested in getting to the address of “Session Manager”, I decided to this manually. On my particular system I looked at the offset of the Session Manger and it was the 60th key in alphabetical order.

I took a guess that the keys are arranged alphabetically so if you have a rough idea you could use that information to get the key you are looking for you could calculate the offset. This alphabetical order offset as it is displayed in the registry doesn’t correlate to the offset in the key list but I guess I have been lucky most times in getting close.

Let me warn you that your mileage may vary but instead of going brute force and looking at every key this approach can be fast if you get lucky. So I looked at the offset 60. Each sub-key takes 8 bytes so it was simple math

Offset of Session Manger = Control key base address + offset to subkeys + (60+1) *8 bytes

Offset to subkeys with some hit and trial is 4.


lkd> dc 936a996c+0x4+0x1e8

936a9b58  00018e30 d9dc4f27 00101220 0041d336  0…’O.. …6.A.

936a9b68  0000c8e0 5f6aaac2 0012acd0 0001c805  ……j_……..

936a9b78  0012ad80 fc209d70 00281b80 bb4d8ce3  ….p. …(…M.

936a9b88  00281950 f964a859 000a4020 dfc3fe3c  P.(.Y.d. @..<…

936a9b98  00281a60 95e28f5b 000367d0 c0743deb  `.(.[….g…=t.

936a9ba8  000fdba8 3d165065 002fd5f0 70574717  ….eP.=../..GWp

936a9bb8  0013ebd0 25abb786 000988a8 0001d599  …….%……..

936a9bc8  000c4ba0 09d542e7 0003d048 2ed17f8e  .K…B..H…….


lkd> !reg cellindex  8bc1a5a0 00018e30

Map = 8bc22000 Type = 0 Table = 0 Block = 18 Offset = e30

MapTable     = 8bc23000

BlockAddress = 937bb000

pcell:  937bbe34


lkd> !reg knode 937bbe34


Name                 : Session Manager

ParentCell           : 0x630

Security             : 0xfc10 [cell index]

Class                : 0xffffffff [cell index]

Flags                : 0x20

MaxNameLen           : 0x2a

MaxClassLen          : 0x0

MaxValueNameLen      : 0x3c

MaxValueDataLen      : 0x2e

LastWriteTime        : 0x 1ca319c:0x2470026e

SubKeyCount[Stable  ]: 0xf

SubKeyLists[Stable  ]: 0xaf8c0

SubKeyCount[Volatile]: 0x0

SubKeyLists[Volatile]: 0xffffffff

ValueList.Count      : 0xe

ValueList.List       : 0x3b8db8


After I got to the Session Manager, to get to the “Memory Management” sub-key the same dilemma presented itself where only the first value was visible and the other sub-keys weren’t so I had to sub-key hunting again J.

lkd> !reg subkeylist 8bc1a5a0 937bbe34

Dumping SubkeyList of Key <Session Manager> :

SubKeyCount[Stable  ]: 0xf

SubKeyLists[Stable  ]: 0xaf8c0

SubKeyCount[Volatile]: 0x0

SubKeyLists[Volatile]: 0xffffffff

[  15] Stable SubKeys:

[Idx]   [SubKeyAddr]    [SubKeyName]

[0]     937bbe94        AppCompatCache

[1]     937bbe94        AppCompatCache

[2]     937bbe94        AppCompatCache

[3]     937bbe94        AppCompatCache

[4]     937bbe94        AppCompatCache

[5]     937bbe94        AppCompatCache

[6]     937bbe94        AppCompatCache

[7]     937bbe94        AppCompatCache

[8]     937bbe94        AppCompatCache

[9]     937bbe94        AppCompatCache

[10]    937bbe94        AppCompatCache

[11]    937bbe94        AppCompatCache

[12]    937bbe94        AppCompatCache

[13]    937bbe94        AppCompatCache

[14]    937bbe94        AppCompatCache

[   0] Volatile SubKeys:

 Use ‘!reg knode <SubKeyAddr>’ to dump the key


In this case at least the challenge was a little less since I was dealing with only 15 sub-keys instead of 84 earlier. So just like earlier first get the cell address of the subkey list.


lkd> !reg cellindex  8bc1a5a0 0xaf8c0

Map = 8bc22000 Type = 0 Table = 0 Block = af Offset = 8c0

MapTable     = 8bc23000

BlockAddress = 93724000

pcell:  937248c4


Now lets go through this list and use the offset of “Memory Management” sub-key which happens to be 11 on my particular system. By hit and trial I found that the correct offset was 0x54 bytes for “Memory management”.

lkd>  dc 937248c4+0x54

93724918  00098068 b76d431e 00040910 092eb60d  h….Cm………

93724928  00304c98 122bab7f 000af950 381a2f7e  .L0…+.P…~/.8

93724938  000af178 0001dd10 00000000 00000000  x……………

93724948  00000000 00000000 ffffffa0 00206b6e  …………nk .

93724958  03a3c1c6 01ca3ef7 00000000 00018e30  …..>……0…

93724968  00000000 00000001 ffffffff 80035830  …………0X..

93724978  00000007 000b0340 0000fc10 ffffffff  ….@………..

93724988  0000000a 00000000 00000010 00000246  …………F…


To confirm it lets calculate the cell address and check the knode.

lkd> !reg cellindex  8bc1a5a0 00098068

Map = 8bc22000 Type = 0 Table = 0 Block = 98 Offset = 68

MapTable     = 8bc23000

BlockAddress = 9373b000

pcell:  9373b06c


lkd> !reg knode 9373b06c


Name                 : Memory Management

ParentCell           : 0x18e30

Security             : 0x3a68c8 [cell index]

Class                : 0xffffffff [cell index]

Flags                : 0x20

MaxNameLen           : 0x24

MaxClassLen          : 0x0

MaxValueNameLen      : 0x30

MaxValueDataLen      : 0x2a

LastWriteTime        : 0x 1ca3ef7:0x 3a88487

SubKeyCount[Stable  ]: 0x2

SubKeyLists[Stable  ]: 0x2a0c48

SubKeyCount[Volatile]: 0x0

SubKeyLists[Volatile]: 0xffffffff

ValueList.Count      : 0xf

ValueList.List       : 0x303f70


What about Values?

Keynodes have values as well.  Now that we have got the actual sub-key we need to get the Value from the sub-key. This task is similar to sub-key hunting as each sub-key maintains a sub-key list and a value list.

Just like with subkeylist there is also a valuelist debugger extension

lkd> !reg valuelist  8bc1a5a0 9373b06c

Dumping ValueList of Key <Memory Management> :

[Idx]   [ValAddr]       [ValueName]

[   0]  9373b1a4        ClearPageFileAtShutdown

[   1]  9373b204        DisablePagingExecutive

[   2]  9373b374        LargeSystemCache

[   3]  9373b39c        NonPagedPoolQuota

[   4]  9373b3cc        NonPagedPoolSize

[   5]  9373b3f4        PagedPoolQuota

[   6]  9373b43c        PagedPoolSize

[   7]  9373b4e4        SecondLevelDataCache

[   8]  9373b53c        SessionPoolSize

[   9]  9373b564        SessionViewSize

[   a]  9373b514        SystemPages

[   b]  93724f9c        PagingFiles

[   c]  935077ec        PhysicalAddressExtension

[   d]  9cd4ffcc        IOPageLockLimit

[   e]  9cd0d434        ExistingPageFiles

 Use ‘!reg kvalue <ValAddr>’ to dump the value


lkd> !reg  kvalue 9373b514


Name      : SystemPages {compressed}

DataLength: 80000004

Data      : c3000  [cell index]

Type      : 4

In our case the value of SystemPages is 0xc300. You can dump the node address 9373b514 directly and change the value with “ed” command. The actual value is at offset 0x8.

lkd> dc 9373b514

9373b514  000b6b76 80000004 000c3000 00000004  vk…….0……

9373b524  00090001 74737953 61506d65 00736567  ….SystemPages.

9373b534  00098538 ffffffd8 000f6b76 80000004  8…….vk……

9373b544  00000004 00000004 00000001 73736553  …………Sess

9373b554  506e6f69 536c6f6f 00657a69 ffffffd8  ionPoolSize…..

9373b564  000f6b76 80000004 00000030 00000004  vk……0…….

9373b574  00000001 73736553 566e6f69 53776569  ….SessionViewS

9373b584  00657a69 ffffffe0 00086b76 00000042  ize…..vk..B…


Now you can change the value of SystemPages directly using “ed”.

lkd> ed 9373b514+0x8  <new value>

Just like with sub-keys sometimes the debugger extension may not show all the values in which case you could do it manually just like earlier. First lets get the cell address of the value list.

lkd> !reg cellindex  8bc1a5a0 0x303f70

Map = 8bc22000 Type = 0 Table = 1 Block = 103 Offset = f70

MapTable     = 8bc25000

BlockAddress = 934d0000

pcell:  934d0f74


Since our Value list had 15 values lets dump out all of them. Dumping all the Value offsets in the value list.

lkd> dc 934d0f74 l 0xf

934d0f74  000981a0 00098200 00098370 00098398  ……..p…….

934d0f84  000983c8 000983f0 00098438 000984e0  ……..8…….

934d0f94  00098538 00098560 00098510 000aff98  8…`………..

934d0fa4  002cc7e8 00c72fc8 00cb3430           ..,../..04..


The Value “SystemPages” is the last one of the 15 but with hit and trial I found that “SystemPages” in the Value list was not  close to offset 15 so it was pretty much manually poking around at each value offset. I found it at offset 11.

lkd> !reg  kvalue 9373b514


Name      : SystemPages {compressed}

DataLength: 80000004

Data      : c3000  [cell index]

Type      : 4