Archive for the ‘Non-technical’ Category

We’re Hiring!

Friday, February 8th, 2013

For those who don’t know, I’m a Consulting Associate at OSR Open Systems Resources, Inc. We specialize in all things kernel mode on Windows, from file systems to device drivers to general Windows internals knowledge. If you come to work for us, you’ll get to work on all kinds of interesting projects in different ways (i.e. development, design, review, etc.). We also train students all over the world, which has its own fun and challenges.

I’m about to pass my 11 year anniversary here, so I think it’s a pretty great place to work and maybe you will too! Check out our job posting here:

And feel free to contact me if you have any questions.

Happy New Year! (Well, almost…)

Wednesday, December 28th, 2011

Another long span without a post and another apologetic post about the delay…Eventually I’ll learn my lesson and stop doing this :)

It’s certainly shaping up to be an exciting year. With the release of Windows 8 we’ll have kernel debugging and crash analysis in Visual Studio, another processor architecture to learn, and new releases of WinDBG. Should be LOTS of fodder for blog posts in the months to come and remove any excuse I may have for not updating.

Looking forward to another year interacting with all of you and learning some new things. As always, feel free to keep me honest by joining my network on LinkedIn or following me on Twitter.

Here’s to hoping everyone has a healthy and prosperous new year!


Strings Art

Friday, September 17th, 2010

Sometimes if I’m getting desperate and am running out of information from a dump file, I’ll run Strings on it and see if there are any interesting strings in the image. While I usually don’t know what I’m looking for when I start this excercise, generally what I find is fairly benign: machine names, URLs, PATH values, etc.

However, today I ran this on a dump from an application and I found art! A nice diversion from my normal activities:

And there were many others as well. This dump happened to come from a VPN application, so I suspect that these were put there on purpose to thwart someone from finding any interesting strings in their image. The idea being that if you put all kinds of bogus strings in your image then the amount of time it takes for someone to find an interesting string goes up. I guess we poor analysts are assumed guilty until proven innocent…


A couple of comments cleared up the mystery and it turned out to be nothing bad at all (I’m clearly too paranoid). From Paolo Bonzini:

Definitely looks like XPM. XPM format images are designed to be #included in C source code (!), which would explain why you have no double quotes. The \n at the end of each scan line would be an artifact of strings, which found a NUL terminator and started a new printable string.

Now on Twitter

Monday, August 23rd, 2010

If you want updates on new blog posts and other such trivia, follow Analyze -v on Twitter!

Dog days of Summer

Friday, July 23rd, 2010

Over two months since my last update! Guess I’ve been enjoying the Summer a bit too much…I plan on picking back up again in a couple of weeks when I’m back from vacation, until then look out for our upcoming issue of The NT Insider where I’ll be covering the details of DbgEng and writing your own debugger extensions.

A new appreciation for learning how to use WinDBG

Monday, February 1st, 2010

I’ve been working on something lately that requires me to debug a Cygwin built application. After spending the last 8 or so years using WinDBG as a debugger, I’ve taken for granted just how “obvious” the commands to do various things are. After struggling to even figure out how to get debug information compiled into the binary (which came after figuring out that a separate file with debug information wasn’t created for all builds!), I struggled to perform common tasks such as single stepping and displaying local variables. I often take for granted that the way to do these things in WinDBG is obvious since I’ve long forgotten what it was like to not know every command.

Definitely a good learning experience, sometimes it’s important to step back and remember what it was like to be a noob.

Happy New Year!

Friday, January 1st, 2010

Happy 2010 everyone! Hope it’s a healthy and prosperous year for us all.

Driver and Kernel Development MVP

Wednesday, July 1st, 2009

After eight years in the community, this is my first year being nominated and selected as a Microsoft MVP. Hope this year is as good as the last eight and thanks to those who nominated me!

My favorite bit in the system

Tuesday, June 30th, 2009

I don’t announce this in mixed company, but I do have a favorite bit in the system. My favorite bit by far is the DO_POWER_PAGABLE (dū pouər păga·ble) bit, which indicates whether or not your driver is pageable in the power path. It has nothing to do if whether or not your driver happens to be pagable.

Not only is DO_POWER_PAGABLE fun to say, it’s also fun to watch it grow as a spelling virus throughout the sample code, documentation, and news groups. For example, from the version of the CHM docs I have on my system at the moment:


Windows supports hot patching…

Sunday, June 28th, 2009

So why do I have to reboot when I get an IE update?