SmInfo: Inside Store Manager of Windows 7 and Windows 2008 R2 with Windd.

Store Manager (Sm*) is new in the Windows 7/Windows 2008 R2 kernel; it is a management system that deals with both virtual and physical stores.
ReadyBoost (cache/files/logs, …) is one example.
Even though ReadyBoost was first introduced in Windows Vista and Windows 2008 (refer to Mark Russinovich's writeup about the Windows Vista kernel for more information about ReadyBoost), Microsoft kernel developers implemented the ReadyBoost feature inside the Store Manager to make it more efficient.

In this blog post, I am going to introduce a new WinDbg extension called “sminfo” that retrieves information about the Store Manager from a Microsoft crash dump generated with Win[32/64]dd on a Windows 7 32-bit computer. (Thanks to Mark Wodrich for the help with using DML ;-))

Materials used are available here:

  • Windd utility from this link. Windd works on x86 and x64 architectures from Windows XP to Windows 7 (for the crash dump feature).
  • SmInfo Debugger Extension from this link. The extension works only on x86 Windows 7 and Windows 2008 R2, with Microsoft crash dumps and (local or remote) kernel debugging.

Step 1# Plug in a USB key and tell Windows that you want to use this USB drive as a ReadyBoost extension.
Step 2# Dump the physical memory into a Microsoft crash dump using the following command: “win32dd.exe /d /f readyboost.dmp”.

Figure 1 – Windd

Step 3# Open WinDbg, load the crash dump, configure symbols, and load the sminfo extension.

Figure 2 – Windbg + SmInfo

0: kd> !sminfo
Store Manager (ReadyBoost) Debugger Extension – v0.1
Copyright (c) 2009, Matthieu Suiche
Windows 7 x86 and Windows 2008 R2 x86 ONLY

!sminfo CACHE – Enumerate caches and display corresponding information.
!sminfo LOG [cacheindex] – Display entries from cache.

Step 4# Have fun with !sminfo commands!

Figure 3 – !sminfo CACHE

Figure 4 – !sminfo LOG

Figure 5 – !dml_proc

As you can see, we can retrieve various information such as the file name, its size, cached pages and the application list. With this debugger extension you have access to the ReadyBoost log, which can be helpful when troubleshooting your system.
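Since the extension only handles x86 Windows 7 / Windows 2008 R2 dumps, the header of the file written in Step 2 can be checked before it is loaded in WinDbg. The Python below is an added example, not part of the original post or of Windd/SmInfo; the function names are hypothetical, the sample headers are constructed, and treating build 7600 as the supported build is an assumption.

```python
import struct

# Microsoft crash dump header fields read here (all little-endian):
#   0x00 "PAGE"   0x04 "DUMP" (32-bit header) or "DU64" (64-bit header)
#   0x08 MajorVersion (0xF free build, 0xC checked build)
#   0x0C MinorVersion (the OS build number)
#   MachineImageType at 0x20 (32-bit header) or 0x30 (64-bit header)
MACHINE_I386, MACHINE_AMD64 = 0x014C, 0x8664
MACHINE_OFFSET = {b"DUMP": (32, 0x20), b"DU64": (64, 0x30)}


def parse_dump_header(buf):
    """Return bitness, OS build and machine type from a crash dump header."""
    if len(buf) < 0x34 or buf[0:4] != b"PAGE" or buf[4:8] not in MACHINE_OFFSET:
        raise ValueError("not a Microsoft crash dump header")
    bits, machine_off = MACHINE_OFFSET[buf[4:8]]
    major, build = struct.unpack_from("<II", buf, 0x08)
    (machine,) = struct.unpack_from("<I", buf, machine_off)
    return {"bits": bits, "checked": major == 0xC, "build": build, "machine": machine}


def sminfo_can_load(hdr, builds=(7600,)):
    """True when the dump matches the extension's stated x86-only scope.

    Assumption: 7600 is the Windows 7 / Windows 2008 R2 release build; the
    post does not list build numbers, so pass others explicitly if needed.
    """
    return hdr["bits"] == 32 and hdr["machine"] == MACHINE_I386 and hdr["build"] in builds


def make_header(tag, build, machine):
    """Constructed sample header (not a real dump) for offline testing."""
    buf = bytearray(0x1000)
    buf[0:8] = b"PAGE" + tag
    struct.pack_into("<II", buf, 0x08, 0xF, build)
    struct.pack_into("<I", buf, MACHINE_OFFSET[tag][1], machine)
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "win7 x86": make_header(b"DUMP", 7600, MACHINE_I386),
        "win7 x64": make_header(b"DU64", 7600, MACHINE_AMD64),
        "vista x86": make_header(b"DUMP", 6001, MACHINE_I386),
    }
    for name, raw in samples.items():
        hdr = parse_dump_header(raw)
        print(f"{name}: build {hdr['build']}, {hdr['bits']}-bit, sminfo ok: {sminfo_can_load(hdr)}")
```

To check a real file, pass the first 4 KB of readyboost.dmp to parse_dump_header.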

Additional resources
Developing Debugger Extensions – PDC Conference
The debugger extension – Several parts
MemInfo: Peer Inside Memory Manager Behavior on Windows Vista and Server 2008

PS. In February 2010, I will be in Washington D.C. to talk about Mac OS X Kernel internals and physical memory analysis at BlackHat. Description is available on BH website.
