I found this to be an interesting article. I was really interested in the part about heap shimming via the Fault Tolerant Heap (FTH). Of course my first thought was: cool, how do you get a list of the apps this is being applied to? Up until today I had only found a command to clear the list of all apps, and the event log entries showing the interceptions.
Looking around today I finally found this blog entry from the Performance Team that has some good info.
Looks like the apps that are being shimmed are maintained in the registry (of course ;o) at hklm\software\microsoft\fth\state. This is easy enough to script, so enterprise customers that want an idea of which apps in their environment are having heap corruption issues, and that aren't monitoring the event logs on the clients (does anyone do this???), can still get the info. The parent key hklm\software\microsoft\fth holds the policy that decides when an app gets shimmed (the crash rules, the crash velocity and window, and the list of system processes that are never shimmed):
G:\>reg query hklm\software\microsoft\fth

    MaximumMemoryPressurePercentage    REG_DWORD       0x50
    MaximumTrackedApplications         REG_DWORD       0x80
    CheckPointPeriod                   REG_DWORD       0x2760
    MaximumDelayFreeOverheadInMBs      REG_DWORD       0x4
    RuleList                           REG_MULTI_SZ    *;0;0;ntdll.dll;0;0;0xC0000005\0*;0;0;*;0;0;0xC0000374
    Enabled                            REG_DWORD       0x1
    TicketValue                        REG_DWORD       0x10
    CrashWindowInMinutes               REG_DWORD       0x3c
    ExclusionList                      REG_MULTI_SZ    smss.exe\0csrss.exe\0wininit.exe\0services.exe\0lsass.exe\0lsm.exe\0svchost.exe\0winlogon.exe\0SLsvc.exe\0spoolsv.exe\0taskhost.exe
    MaximumAllocationOverheadInMBs     REG_DWORD       0x10
    MaximumTrackedProcesses            REG_DWORD       0x4
    CrashVelocity                      REG_DWORD       0x3
    CheckPointTime                     REG_DWORD       0xcd1b9fb
G:\>reg query hklm\software\microsoft\fth\state
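Here is the kind of script the post has in mind, as an added example of my own rather than anything from the article or the Performance Team post. It walks hklm\software\microsoft\fth\state on one or more machines and returns one row per shimmed application, and can optionally pull the matching FTH event log entries so the two sources can be compared. Assumptions: each value name under State identifies the shimmed executable (the value data is treated as an opaque blob and not decoded here), remote hosts have WinRM enabled, and the FTH events live in the Application log under provider Microsoft-Windows-Fault-Tolerant-Heap with event ID 1001. The function name Get-FthState is mine.

```powershell
# Added example, not from the original post or the Performance Team blog.
# Enumerates the applications the Fault Tolerant Heap has shimmed by reading
# HKLM\SOFTWARE\Microsoft\FTH\State, locally or over WinRM, so an enterprise
# can inventory heap-corrupting apps without reading every client's event log.
# Assumptions (not verified by the post): value names under State are the
# shimmed executables; the FTH event is provider
# 'Microsoft-Windows-Fault-Tolerant-Heap', ID 1001, in the Application log.

function Get-FthState {
    [CmdletBinding()]
    param(
        # Machines to query; defaults to the local host.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Also return recent FTH events so the registry list can be cross-checked.
        [switch]$IncludeEvents,
        # How far back to look for events.
        [int]$Days = 30
    )

    # Runs on each target. Kept self-contained because Invoke-Command ships it remotely.
    $collector = {
        param([bool]$WithEvents, [int]$LookbackDays)

        $base  = 'HKLM:\SOFTWARE\Microsoft\FTH'
        $state = Join-Path $base 'State'

        # Is FTH switched on at all? (Enabled = 1 in the output above.)
        $enabled = (Get-ItemProperty -Path $base -Name Enabled -ErrorAction SilentlyContinue).Enabled

        if (Test-Path -Path $state) {
            # GetValueNames() gives the raw value names; the default value shows up as ''.
            $names = (Get-Item -Path $state).GetValueNames() | Where-Object { $_ -ne '' }
            foreach ($name in $names) {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    FthEnabled   = [bool]$enabled
                    Source       = 'Registry'
                    Application  = $name      # assumed: value name == shimmed executable
                    TimeCreated  = $null
                }
            }
        }

        if ($WithEvents) {
            # Assumed provider/ID for the "shim applied" event.
            $filter = @{
                LogName      = 'Application'
                ProviderName = 'Microsoft-Windows-Fault-Tolerant-Heap'
                Id           = 1001
                StartTime    = (Get-Date).AddDays(-$LookbackDays)
            }
            Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    FthEnabled   = [bool]$enabled
                    Source       = 'EventLog'
                    Application  = ($_.Message -split "`r?`n")[0]   # first line of the message text
                    TimeCreated  = $_.TimeCreated
                }
            }
        }
    }

    foreach ($target in $ComputerName) {
        if ($target -ieq $env:COMPUTERNAME -or $target -ieq 'localhost') {
            & $collector $IncludeEvents.IsPresent $Days
        } else {
            # Remote path: requires WinRM; errors surface per host rather than aborting the run.
            try {
                Invoke-Command -ComputerName $target -ScriptBlock $collector `
                    -ArgumentList $IncludeEvents.IsPresent, $Days -ErrorAction Stop |
                    Select-Object -Property ComputerName, FthEnabled, Source, Application, TimeCreated
            } catch {
                Write-Warning ("{0}: {1}" -f $target, $_.Exception.Message)
            }
        }
    }
}

# Usage:
#   Get-FthState | Format-Table -AutoSize
#   Get-FthState -ComputerName (Get-Content .\hosts.txt) -IncludeEvents |
#       Export-Csv .\fth-inventory.csv -NoTypeInformation
```

Reading the State key tells you which executables have been shimmed on that machine; it does not tell you why or when, so the -IncludeEvents switch is worth using on a sample of hosts to confirm the registry list agrees with what the event log reports. Note that the ExclusionList above means core system processes (lsass.exe, svchost.exe, and so on) will never appear under State even if they do corrupt their heaps, so an empty list is not proof that nothing is crashing.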