joeware - never stop exploring... :)

Windows 7 Kernel Enhancements

by @ 4:17 pm on 12/18/2009. Filed under tech

I found this to be an interesting article. I was really interested in the part about Heap Shimming via the Fault Tolerant Heap (FTH). Of course my first thought was: cool, how do you get a list of the apps this is being applied to? Up until today I had only found a command to clear the list of all apps and the event log showing events for the interceptions.


Looking around today I finally found this blog entry from the Performance Team that has some good info.

Looks like the apps that are being shimmed are maintained in the registry (of course ;o) at hklm\software\microsoft\fth\state. This is easy enough to script, so enterprise customers who want an idea of which apps in their environment are having heap corruption issues, but who aren't monitoring the event logs on the clients (does anyone do this???), can still get the info.


G:\>reg query hklm\software\microsoft\fth

    MaximumMemoryPressurePercentage    REG_DWORD    0x50
    MaximumTrackedApplications    REG_DWORD    0x80
    CheckPointPeriod    REG_DWORD    0x2760
    MaximumDelayFreeOverheadInMBs    REG_DWORD    0x4
    RuleList    REG_MULTI_SZ    *;0;0;ntdll.dll;0;0;0xC0000005\0*;0;0;*;0;0;0xC0000374
    Enabled    REG_DWORD    0x1
    TicketValue    REG_DWORD    0x10
    CrashWindowInMinutes    REG_DWORD    0x3c
    ExclusionList    REG_MULTI_SZ    smss.exe\0csrss.exe\0wininit.exe\0services.exe\0lsass.exe\0lsm.exe\0svchost.exe\0winlogon.exe\0SLsvc.exe\0spoolsv.exe\0taskhost.exe
    MaximumAllocationOverheadInMBs    REG_DWORD    0x10
    MaximumTrackedProcesses    REG_DWORD    0x4
    CrashVelocity    REG_DWORD    0x3
    CheckPointTime    REG_DWORD    0xcd1b9fb


G:\>reg query hklm\software\microsoft\fth\state
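One way to script the inventory the post suggests, as an added example that is not from the post: a PowerShell script that reads HKLM\SOFTWARE\Microsoft\FTH and its State subkey from a list of machines over the remote registry. It assumes the Remote Registry service is reachable on each target, that each value name under State names one shimmed application (the post does not show that key's contents), and the CSV path is just a constructed default.

```powershell
# Inventory of applications the Fault Tolerant Heap has shimmed, per machine.
# Reads HKLM\SOFTWARE\Microsoft\FTH and its State subkey over the remote
# registry (Remote Registry service must be running on each target). Read-only.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)
function Get-FthState {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
    } catch {
        Write-Warning "${Computer}: remote registry not reachable ($($_.Exception.Message))"
        return
    }

    $fth = $hklm.OpenSubKey('SOFTWARE\Microsoft\FTH')
    if (-not $fth) {
        Write-Warning "${Computer}: no FTH key (FTH ships with Windows 7 / Server 2008 R2)"
        $hklm.Close()
        return
    }
    $enabled  = [int]$fth.GetValue('Enabled', 0)        # REG_DWORD, 1 = FTH active
    $excluded = @($fth.GetValue('ExclusionList', @()))  # REG_MULTI_SZ -> string[]
    $fth.Close()

    # Assumption (the post does not show State's contents): each value name under
    # State identifies one application FTH has placed under heap mitigation.
    $apps  = @()
    $state = $hklm.OpenSubKey('SOFTWARE\Microsoft\FTH\State')
    if ($state) { $apps = @($state.GetValueNames() | Where-Object { $_ -ne '' }); $state.Close() }
    $hklm.Close()

    # A machine with nothing shimmed still gets one row, so it shows up in the report.
    if ($apps.Count -eq 0) { $apps = @($null) }
    foreach ($app in $apps) {
        $leaf = if ($app) { $app.Split('\')[-1] } else { $null }
        [PSCustomObject]@{
            Computer        = $Computer
            FthEnabled      = $enabled
            ShimmedApp      = $app
            # System processes on ExclusionList should never be shimmed; flag if one is.
            OnExclusionList = [bool]($leaf -and ($excluded -contains $leaf))
        }
    }
}

$ComputerName | ForEach-Object { Get-FthState -Computer $_ } |
    Export-Csv -Path '.\fth-shimmed-apps.csv' -NoTypeInformation
```

Run it as `.\Get-FthState.ps1 -ComputerName pc1,pc2` from an account with remote registry read access; a row with an empty ShimmedApp means FTH has nothing recorded for that machine.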
