I found this to be an interesting article. I was really interested in the part about Heap Shimming via Fault Tolerant Heap (FTH). Of course my first thought was cool, how do you get a list of apps that this is being applied to. Up until today I had only found a command to clear the list of all apps and the event log showing events for the interceptions.
Looking around today I finally found this blog entry from the Performance Team that has some good info.
Looks like the apps that are being shimmed are maintained in the registry (of course ;o) at hklm\software\microsoft\fth\state. This is easy enough to script, so enterprise customers who want an idea of which apps in their environment are having heap corruption issues, but who aren't monitoring the event logs on the clients (does anyone do this???), can still get the info.
G:\>reg query hklm\software\microsoft\fth
MaximumMemoryPressurePercentage REG_DWORD 0x50
MaximumTrackedApplications REG_DWORD 0x80
CheckPointPeriod REG_DWORD 0x2760
MaximumDelayFreeOverheadInMBs REG_DWORD 0x4
RuleList REG_MULTI_SZ *;0;0;ntdll.dll;0;0;0xC0000005\0*;0;0;*;0;0;0xC0000374
Enabled REG_DWORD 0x1
TicketValue REG_DWORD 0x10
CrashWindowInMinutes REG_DWORD 0x3c
ExclusionList REG_MULTI_SZ smss.exe\0csrss.exe\0wininit.exe\0services.exe\0lsass.exe\0lsm.exe\0svchost.exe\0winlogon.exe\0SLsvc.exe\0spoolsv.exe\0taskhost.exe
MaximumAllocationOverheadInMBs REG_DWORD 0x10
MaximumTrackedProcesses REG_DWORD 0x4
CrashVelocity REG_DWORD 0x3
CheckPointTime REG_DWORD 0xcd1b9fb
G:\>reg query hklm\software\microsoft\fth\state
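As an added example (my own script, not part of the original post or anything shipped by Microsoft), here is a PowerShell version of the "script it" idea above: it reads the FTH settings from hklm\software\microsoft\fth and then enumerates the value names under the State subkey, which is where the shimmed application entries live. It assumes that each value under State is named after the executable being shimmed, and that FTH writes its interception events to the Microsoft-Windows-Fault-Tolerant-Heap/Operational channel (both are assumptions from memory of the FTH documentation, not facts stated on this page). The binary payload of the State values is not documented here, so the script only reports its size. The function names (Get-FthConfig, Get-FthShimmedApps, Get-FthEvents) are mine.

```powershell
# Added example: inventory Fault Tolerant Heap (FTH) state on the local machine.
# Run in an elevated PowerShell session; wrap in Invoke-Command to collect from
# a fleet of clients.
$fthKey   = 'HKLM:\SOFTWARE\Microsoft\FTH'
$stateKey = Join-Path $fthKey 'State'

function Get-FthConfig {
    # Global FTH knobs; REG_MULTI_SZ values come back as string[].
    $cfg = Get-ItemProperty -Path $fthKey
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Enabled              = [bool]$cfg.Enabled
        CrashVelocity        = $cfg.CrashVelocity
        CrashWindowInMinutes = $cfg.CrashWindowInMinutes
        ExclusionList        = $cfg.ExclusionList
        RuleList             = $cfg.RuleList
    }
}

function Get-FthShimmedApps {
    # Assumption: every value under State is named after a shimmed executable.
    if (-not (Test-Path $stateKey)) { return @() }
    $key = Get-Item -Path $stateKey
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Application  = $name
            ValueKind    = $key.GetValueKind($name)
            # The data format is undocumented on this page; report size only.
            DataBytes    = if ($data -is [byte[]]) { $data.Length } else { $null }
        }
    }
}

function Get-FthEvents {
    param([int]$Days = 7)
    # Assumption: FTH logs interceptions to this operational channel. Get-WinEvent
    # throws when the channel is empty or disabled, so treat that as "no events".
    $log = 'Microsoft-Windows-Fault-Tolerant-Heap/Operational'
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message
    } catch {
        @()
    }
}

# Usage: print the global settings, the shimmed apps, and the last week of events.
Get-FthConfig | Format-List
Get-FthShimmedApps | Sort-Object Application | Format-Table -AutoSize
Get-FthEvents -Days 7 | Format-Table -AutoSize -Wrap
```

For enterprise collection, pipe `Get-FthShimmedApps` through `Export-Csv` on each client (the ComputerName column is there so the per-host files can be merged), or run the whole block via `Invoke-Command -ComputerName` against a list of hosts. An application appearing under State is a strong hint that it has been crashing with heap corruption often enough to trip the CrashVelocity / CrashWindowInMinutes threshold shown in the reg query output above, which is worth a look from the security side as well as the stability side.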