Last Updated: July 30, 2003

Introduction

This is the errata and updates page for the book Inside Microsoft Windows 2000, Third Edition, by David Solomon (of David Solomon Expert Seminars) and Mark Russinovich. If you have general feedback for us, find an inaccuracy, or have a suggestion for the next edition, please send e-mail to insidew2k@Sysinternals.com. We'll post corrections and tool updates to this page.

When is the next edition coming out?

We are currently working on the 4th edition, which will cover Windows XP, Windows Server 2003, and Windows 2000. It will be called Windows Internals, 4th edition, and should be out by Fall 2004.  

Inside the Book


This third edition of the Inside Windows NT series provides the most in-depth coverage of Windows NT technology yet, filling over 900 pages. The 50% increase in size over the previous edition is the result of the following additions:
  • New experiments that demonstrate key concepts and reveal internal behavior.
  • More detailed coverage of interrupt handling, security, file system drivers, and the I/O system.
  • Specifics on Windows 2000 updates of memory management, the cache manager, the object manager, security, the job object, and more.
  • Coverage of topics not included in the second edition, including networking, storage management, services, WMI, plug and play, power management, the registry, startup and shutdown, crashes, and terminal services support.
For the first time in the series, the third edition comes with a CD that contains the following:
  • LiveKd, a utility that lets you run any standard Microsoft kernel debugger (i386kd, Windbg, kd) on a live system. With LiveKd there's no need for a second computer or serial cable to run most of the experiments in the book. LiveKd is only available with this book.
  • KVarPerf, a performance monitor extension that lets you monitor in real time the value of any kernel variable. KVarPerf has already been used to find a bug in Windows 2000! KVarPerf is only available with this book.
  • A copy of NTOSKRNL symbols for NT 4 SP1-6a and Windows 2000, with a copy of the Microsoft kernel debuggers.
  • A copy of the entire Sysinternals web site.
  • The eBook version of the book.
The book has a foreword by Jim Allchin, Group Vice President of Platforms at Microsoft, and a historical perspective by David Cutler, lead architect of Windows NT. Here's the book's table of contents:
  1. Introduction
  2. Architecture
  3. System Mechanisms
  4. Management Mechanisms
  5. Startup and Shutdown
  6. Processes, Threads and Jobs
  7. Memory Management
  8. Security
  9. I/O System
  10. Storage
  11. Cache Manager
  12. File Systems
  13. Networking
 

Ordering the Book

You can order the book from Amazon.com:

Order Inside Microsoft Windows 2000 from Amazon.com  

Tool Updates

LiveKd is now a free download (it was previously only available on the book CD-ROM).

Download the latest version of LiveKd (free download)
  • [July 16, 2002] LiveKd now works with Windows XP and the Microsoft symbol server

    Now you can run LiveKd on Windows XP. Although Kd and WinDbg have live debug capability on XP with the -kl switch, LiveKd supports more commands on a live system, such as !stacks.
  • [August 16, 2001] LiveKd reports a symbol mismatch even though the correct symbols are installed


    This corrects a bug where LiveKd would report that the symbols installed do not match the kernel version when they actually do.
  • [September 16, 2000] LiveKd causes crash when virus scanner on-access scanning is enabled

    LiveKd has been reported to have incompatibilities with several virus scanners, including Computer Associate's Inoculan IT and Symantec's Norton Antivirus.
 

Errata

  • [August 24, 2001] "Interrupt vector", not "interrupt level"
    On page 100 the text "Thus, if a device uses interrupt level 5, its ISR executes at IRQL 22." should read "Thus, if a device uses interrupt number 5, its ISR executes at IRQL 22."
  • [July 6, 2001] LargePageMinimum correction
    On page 383 it states that the LargePageMinimum Registry value is interpreted in megabytes, when it is actually interpreted in pages. Also, the default value equals 128 MB, meaning that large pages are by default only used to map system virtual memory when there is less than or equal to 128 MB of physical memory present.
  • [February 12, 2001] Section, not Selection
    In stage 1 of Figure 6-5 on page 305 it should say, "Open EXE and create section object" instead of "selection object".
  • [February 12, 2001] CreateThread flow corrections
    On page 334, point 3d of the CreateThread flow should read "The thread's kernel stack is allocated."

    On page 335, in point 6e of the CreateThread flow, the first sentence should say, "Finally, the main thread begins execution in user mode."
  • [September 27, 2000] Hash algorithm for local passwords not RC4
    On page 203 it says that the Recovery Console (RC) uses RC4 to hash the password a user enters and compare it with a hash in the SAM. In actuality, it hashes the password with MD5, uses the system key (Windows 2000 uses Syskey encryption to encrypt the SAM) to encrypt the hash with RC4, and then compares the encrypted hash with the encrypted hash stored in the SAM.
  • [September 27, 2000] Clarification on Winsock QOS APIs
    On page 842 it says that only applications with administrative privilege can use QOS, when it should say that only applications with administrative privilege can manage QOS, including using functions like WSCInstallQOSTemplate.
  • [September 16, 2000] Quantum tool is not on CD
    Table 1-2 on page 18, which shows a list of tools for viewing Windows 2000 internals, incorrectly lists a tool named Quantum as being on the CD. A Quantum tool was originally planned for inclusion with the book, but was never written.
  • [September 16, 2000] APIC experiment description correction
    On page 95 the experiment entitled "Viewing the PIC and APIC" mistakenly describes the output of the !apic command as being from the "I/O APIC for processor 0". It should instead say "...so this is the local APIC for processor 0".
  • [September 5, 2000] LiveKd does not run from CD
    Although the readme.txt on the book's accompanying CD indicates that you can run LiveKd from the CD, you cannot. LiveKd reports an "access denied" error when it tries to create a simulated crash dump file.

    If you are running Windows 2000 SP0, you can easily run LiveKd by installing the \Debuggers directory from the CD to your hard drive and then typing "livekd" in the install directory. If you are running Windows 2000 SP1 or a version of NT 4, you can install the debuggers directory to your hard drive and type the following command from the install directory: "livekd -y <path to installed symbols>" (you do not need to specify the path to the symbols if you set the _NT_SYMBOL_PATH environment variable to refer to their location). Also see the LiveKd v1.01 patch in the Tool Updates section above.


