Windows Server Troubleshooting - Architecture


2003-2006 Team Approach Limited
All rights reserved

To troubleshoot Windows, you need to know its components. The architectural diagram below identifies the major operating system components. The most important division is between

  • user mode which is intended for application programs and
  • kernel mode which is intended for the operating system.

In kernel mode, any computer instruction is possible, whereas in user mode, application programs are protected from each other. Instructions are restricted and programs are not allowed to directly access each other's memory. If a user mode application violates these rules, it is shut down by Windows and Dr. Watson appears.

Architectural diagram (rendered as text):

User Mode
  • NTVDM (DOS and Win16 applications)
  • Win32 subsystem
  • Security subsystem
  • POSIX / OS/2 subsystems
  • Services

Kernel Mode
  • Executive Services: Cache Manager, File System Drivers, Network Drivers, Hardware Device Drivers; Object Manager, Security Reference Monitor, Process Manager, Local Procedure Call Facility, Virtual Memory Manager; Window Manager, Graphics Device Interface, Graphics Device Drivers
  • HAL (Hardware Abstraction Layer)

Dynamic Link Libraries

DLLs are a way to share program code and save memory. DLLs are libraries of executable code that can be shared by multiple programs. All versions of Windows have provided services with DLLs. The newest versions of Windows still implement the basic interfaces with the same three DLLs.

  1. GDI32.DLL
  2. KERNEL32.DLL
  3. USER32.DLL

In previous versions of Windows, installation programs would update Windows DLLs. If an updated DLL was incompatible with an existing program, then that program would no longer work properly. Reverting to the old DLL may make the new program fail. This situation is commonly referred to as DLL hell. Microsoft's solution to this is Windows File Protection (WFP) and Application Compatibility mode.

Command Interpreters

Windows provides two command interpreters. COMMAND.COM should only be used to provide compatibility for legacy applications. Use CMD.EXE for processing normal commands; it has more functionality and incurs less system overhead.

Interpreter    Description
CMD.EXE        Windows 32-bit command console
COMMAND.COM    DOS 16-bit command console
  • Limited functionality
  • For legacy compatibility
  • Higher overhead from NTVDM.EXE
  • Can't close gracefully using a mouse
  • Use CMD.EXE instead

Legacy is the nice word for old


To support each DOS application, Windows launches NTVDM.EXE to create a VDM (Virtual DOS Machine). Each DOS application has an associated NTVDM to provide a separate memory space and a separate queue for keyboard and mouse input. DOS applications use the normal DOS interfaces for services and hardware access, and the VDM delivers the results in the same manner as a real DOS machine.

Support for 16-bit applications can be disabled by disallowing access to the NTVDM.EXE file.


To support 16-bit Windows applications, Windows launches WOWEXEC.EXE to emulate the 16-bit Windows 3.x environment.  WOWEXEC requires NTVDM.EXE. By default Windows runs all Win16 applications in one NTVDM.

To run a 16-bit application in its own separate memory space with an independent NTVDM, check the option in the Advanced Properties of the application shortcut as shown in the following dialog.

Keyboard Exercise

Launch COMMAND.COM and then use Task Manager to find the NTVDM process. If you launch an old Win16 16-bit Windows application, you will also see WOWEXEC as in the following dialog. Note how WOWEXEC and the Win16 winmin.exe are indented in the processes list.

Windows Management Instrumentation

WMI can provide detailed information on the internals of Windows, hardware, drivers, services, security, applications, processes, file systems, networks, etc.

WMI provides information in a tree structured namespace as shown in the following dialog. Microsoft provides an object interface to WMI so that script writers can get access to internal statistics.
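The following PowerShell script is an added example, not code from the original page: it uses the WMI object interface described above (the Win32_Process class in the root\cimv2 namespace) to list every running NTVDM with its owner and command line, the same processes the Keyboard Exercise has you find in Task Manager, and then reads the ACL on NTVDM.EXE to check whether 16-bit support has been disabled by denying access to that file, as the NTVDM section suggests. It assumes a 32-bit Windows installation (64-bit editions ship no NTVDM) and that PowerShell is installed.

```powershell
# Added example (not from the original page): report running virtual DOS machines
# via WMI and check whether ordinary users can still execute NTVDM.EXE.
# Assumes 32-bit Windows; 64-bit editions have no NTVDM.EXE at all.
function Get-VdmReport {
    $ntvdmPath = Join-Path $env:SystemRoot 'System32\ntvdm.exe'

    # 1. Running VDMs. Win16 programs and WOWEXEC are not separate Win32 processes:
    #    they run as tasks inside one NTVDM, so WMI lists only the NTVDM itself while
    #    Task Manager shows the Win16 tasks indented underneath it.
    $vdms = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_Process -Filter "Name='ntvdm.exe'"
    $running = foreach ($vdm in @($vdms)) {
        $owner = $vdm.GetOwner()   # security context the VDM and its guests run as
        New-Object PSObject -Property @{
            ProcessId       = $vdm.ProcessId
            ParentProcessId = $vdm.ParentProcessId
            Owner           = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            CommandLine     = $vdm.CommandLine
        }
    }

    # 2. File ACL on NTVDM.EXE. "Disallowing access" to the file shows up here as a
    #    Deny rule carrying ExecuteFile (or the absence of any Allow rule carrying it).
    $acl = $null
    if (Test-Path $ntvdmPath) { $acl = Get-Acl $ntvdmPath }
    $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $denied = @(); $allowed = @()
    if ($acl) {
        foreach ($rule in $acl.Access) {
            if (([int]$rule.FileSystemRights -band $execBit) -eq 0) { continue }
            if ($rule.AccessControlType -eq 'Deny') { $denied += $rule.IdentityReference.Value }
            else { $allowed += $rule.IdentityReference.Value }
        }
    }

    New-Object PSObject -Property @{
        NtvdmPresent     = [bool]$acl
        ExecuteAllowedTo = $allowed
        ExecuteDeniedTo  = $denied
        RunningVdms      = @($running)
    }
}

$report = Get-VdmReport
"NTVDM.EXE present:  $($report.NtvdmPresent)"
"Execute allowed to: $($report.ExecuteAllowedTo -join ', ')"
"Execute denied to:  $($report.ExecuteDeniedTo -join ', ')"
$report.RunningVdms | Format-Table ProcessId, ParentProcessId, Owner, CommandLine -AutoSize
```

Run it once with COMMAND.COM open and once after closing it to see the NTVDM entry appear and disappear; an empty RunningVdms together with a Deny rule for Users is what a server with 16-bit support switched off looks like.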