DOCSLIB.ORG

Windows Performance Troubleshooting and Analysis Daniel Pearson David Solomon Expert Seminars Daniel Pearson

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Windows Performance Troubleshooting and Analysis Daniel Pearson David Solomon Expert Seminars Daniel Pearson • Started working with Windows NT 3.51 • Three years at Digital Equipment Corporation • Supporting Intel and Alpha systems running Windows NT • Seven years at Microsoft • Senior Escalation Lead in Windows base team • Worked in the Mobile Internet sustained engineering team • Instructor for David Solomon, co-author of the Windows Internals book series Agenda • Components of performance analysis • Understanding the tools for troubleshooting and analyzing performance issues • Troubleshooting CPU and memory issues using various Windows tools * Portions of this session are based on material developed by Mark Russinovich and David Solomon Components of Performance Analysis • Event Tracing for Windows • Core component of the operating system • Kernel mode data structures • Used to store information about the system and system objects that can be read by various tools • e.g. dt nt!_KTHREAD KernelTime • CPU performance monitoring events • Refer to the Intel 64 and IA-32 Architectures Software Developer‟s Manual • http://developer.intel.com/products/processor/manuals Event Tracing for Windows • Built in to the system • High performance, low overhead and scalable • 2.5% CPU usage for a sustained rate of 10,000 events/sec on a 2 GHz CPU1 • Operations throughout the system that are of interest to performance are fully instrumented • e.g. process and thread activity, registry I/O, disk I/O 1. Milirud, Michael. 2008. Windows Performance Analysis: Using Windows Performance Tools. Presented at Microsoft's WinHEC conference, November 5-7, Los Angeles, CA. Event Tracing for Windows • Uses a buffering and logging mechanism implemented in the kernel • Per-processor buffers that are written to disk by an asynchronous writer thread • Ability to enable and disable tracing dynamically • Supports a managed code provider Sysinternals Utilities Sysinternals Utilities • Process Explorer • Useful for displaying which files, registry keys and other objects processes have open and which DLLs they have loaded • Process Monitor • Useful for showing real-time file system, registry and process & thread activity • Available for download from the TechNet site • http://technet.microsoft.com/sysinternals Resource Monitor Resource Monitor • Included with Windows Vista and greatly enhanced in Windows 7 and Windows Server 2008 R2 • Allows the viewing of CPU, memory, disk and network resources as well as handles and modules in real time • Ability to end, suspend and resume processes as well as to start, stop and restart Windows services • Useful for identifying the highest resource consumers by individual resource type, e.g. CPU • Able to list the wait chain tree of a process to determine if a process is waiting on another Using Resource Monitor Performance Monitor Performance Monitor • Queries performance counters that measure system state or activity • Current values are read at specific intervals • Performance counters are included in the operating system and can be included as part of applications • Able to collect event trace data from trace providers that report actions or events • Can combine multiple trace providers into a single session • Configuration information can be collected from registry keys at a specific time or interval Using Performance Monitor Windows Performance Analyzer Windows Performance Analyzer • Part of the Windows Performance Toolkit • Support for both x86, x64, and IA64 architectures • Consists of three primary programs • xperf.exe • Used for controlling tracing and processing trace data • xbootmgr.exe • Automates on and off state transitions and captures traces during those transitions • xperfview.exe • A graphical trace visualization tool to represent data in the form of interactive graphs and summary tables Windows Performance Analyzer • Primarily uses the Event Tracing for Windows infrastructure built in to the system • Can be enabled or disabled at any time without requiring a system or process restart • Supports symbol decoding, sample profiling, and recording of call stacks on kernel events • Designed to be used during automation • All the functions of the tools are available via the command line tool xperf.exe Support for Earlier Systems • The Windows Performance Toolkit will fail to install on Windows XP and on Windows Server 2003 although data collection is supported • Copy xperf.exe and perfctrl.dll • Trace analysis is only supported on Windows Vista and later systems Capturing a Performance Trace • Kernel options divided into two parts • Kernel Flags • Identified by the use of uppercase characters • e.g. PROC_THREAD, LOADER, PROFILE • Kernel Groups • Indentified by the use of title case characters • e.g. Base, Diag, Latency, FileIO • Kernel Groups are made up of a collection of Kernel Flags • e.g. SysProf = PROC_THREAD+LOADER+PROFILE • Flags and groups are separated by the „+‟ token • e.g. xperf.exe -on FileIO+DISK_IO_INIT Merging of Performance Trace Data • Traces can be copied to another system for analysis • The trace file should be “merged” on the collection system before analysis to include additional system information • xperf -d trace.etl System and symbol information Trace Merged trace Kernel trace XPerf Using the Windows Performance Toolkit Understanding CPU Activity • Windows uses 32 priority levels 31 • The system implements a preemptive, priority driven scheduler Real time • Priority adjustments can be applied to threads in the “dynamic” range 16 • At least one runnable thread with the 15 highest priority will be running Dynamic 0 Context Switching • A switch from one thread to another is known as a context switch • Switching involves saving the hardware state of a thread and restoring the state of another • When a thread is scheduled, that thread‟s context switch count is also incremented • The context switch count represents how often a thread begins running, not how long it ran Time Accounting Quirks • Looking at total CPU time for each process may not reveal where the system has spent its time • CPU time accounting is driven by an interrupt timer which is set by the Hardware Abstraction Layer • Usually at either 10 or 15 msec intervals • Thread execution and context switches that happen between clock intervals are not accounted for • e.g. a thread runs and enters a wait before the clock fires • Thus threads may run but never get charged Time Accounting Prior to Windows Vista • Windows accounted for CPU time based on the interval clock timer • Thread quantum expiration was not always fair • A thread might get almost no turn • Threads were also charged for interrupts that occurred while they were running Idle Idle T1 T2 T2 Time Accounting Since Windows Vista • Windows Vista and later reads the Time Stamp Counter during every context switch • The actual CPU cycles consumed are charged to a thread • Any interrupt time is not charged to the interrupted thread • Allows for more accurate quantum accounting • A thread gets at least one turn and at most will be given one turn plus an additional tick Idle Idle T1 T1 T2 Troubleshooting High CPU Utilization Understanding Memory Management • Windows provides two system memory pools • Nonpaged Pool and Paged Pool • Used for system wide persistent data • Prior to Windows Vista, pool sizes were a function of memory size and whether or not the system was configured as a server or a workstation • Windows Vista introduced the concept of a dynamic system address space Dynamic System Address Space • In 32-bit Windows Vista and later, virtual memory is assigned as needed • Permits larger paged, nonpaged, and session pools • Components still cannot exceed 2 GB on 32-bit systems • On 64-bit systems, address space regions are configured to their current maximum limits for all memory sizes Troubleshooting Memory Leaks Additional Information • Windows Internals 5th edition • Windows Performance Analysis Developer Center • http://msdn.microsoft.com/performance • Windows Server Performance Team Blog • http://blogs.technet.com/winserverperformance • Ask the Performance Team Blog • http://blogs.technet.com/askperf Additional Information • David Solomon Expert Seminars offers training on Windows Internals both as public and private workshops and public webinars via the Internet • Currently scheduled up and coming classes • Public workshop in London, April 12th – April 16th • Public webinar, April 26th & April 28th • Public workshop in New York, May 3rd – May 7th • Public workshop in San Francisco, November 8th – November 12th • Visit http://www.solsem.com for further course descriptions and up to date information .
Recommended publications
  • Process Explorer V16.05 (1.07 MB)

    Process Explorer V16.05 (1.07 MB)

    United States (English) Sign in Windows Sysinternals Search TechNet with Bing Home Learn Downloads Community Windows Sysinternals > Downloads > Process Utilities > Process Explorer Utilities Process Explorer Download Sysinternals Suite Utilities Index Download Process Explorer v16.05 (1.07 MB) File and Disk Utilities By Mark Russinovich Run Process Explorer now from Networking Utilities Published: March 10, 2015 Live.Sysinternals.com Process Utilities Download Process Explorer Runs on: Security Utilities (1.07 MB) System Information Utilities Rate: Client: Windows XP and higher (Including IA64). Miscellaneous Utilities Server: Windows Server 2003 and higher (Including Share this content IA64). Additional Introduction Installation Resources Ever wondered which program has a particular file or directory open? Now Simply run Process Explorer (procexp.exe). Forum you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. The help file describes Process Explorer operation and Site Blog usage. If you have problems or questions please visit The Process Explorer display consists of two sub-windows. The top window the Sysinternals Process Explorer Forum. Sysinternals Learning always shows a list of the currently active processes, including the names of Mark's Webcasts their owning accounts, whereas the information displayed in the bottom Mark's Blog window depends on the mode that Process Explorer is in: if it is in handle Learn More mode you'll see the handles that the process selected in the top window has Software License opened; if Process Explorer is in DLL mode you'll see the DLLs and memory- Here are some other handle and DLL viewing tools and Licensing FAQ mapped files that the process has loaded.
  • P 240/1 Process Control on Windows

    P 240/1 Process Control on Windows

    P240.qxp_June 2018 03/05/2018 22:16 Page 41 Process Control on Windows P 240/1 Optimise and Stabilise Your Windows System by Taking Control of Your Processes Using the information given in this article you will be able to: Investigate exactly what processes are using your PC’s processor and memory, Optimise the performance of your system with perfect process management, Find and close Trojans, viruses and other suspicious processes. You’ve probably come across messages from Windows telling you that an application is no longer responding, and wondered exactly what is happening in the background on your Windows system. The egg timer icon or a little blue circle usually appear, the hard drive grinds away and you wait for what seems like an eternity for Windows to do something. When this happens, it usually indicates that Windows is performing tasks in the background. You can take a look at the list of the processes that are running on your system, but they usually have cryptic names which makes it difficult to work out exactly what is going on. However, if a program or service doesn’t run in a stable way, or you suspect that a virus or Trojan may be doing damage to your system, then you can’t avoid checking which processes are running. In this article I will show you the most important processes that Windows runs internally, and the tasks you need to perform in order to maintain your processes and take control of your system. • Check the Hidden Tasks Your Windows System is Running .................
  • Process Explorer Copyright © 1996-2012 Mark Russinovich Sysinternals

    Process Explorer Copyright © 1996-2012 Mark Russinovich Sysinternals

    Process Explorer Copyright © 1996-2012 Mark Russinovich Sysinternals - www.sysinternals.com Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command-line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded. The Process Explorer display consists of two sub-windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. You can obtain equivalent command-line tools, Handle and ListDLLs, at the Sysinternals Web site.
  • Copyrighted Material

    Copyrighted Material

    Index Numerics Address Resolution Protocol (ARP), 1052–1053 admin password, SOHO network, 16-bit Windows applications, 771–776, 985, 1011–1012 900, 902 Administrative Tools window, 1081–1083, 32-bit (x86) architecture, 124, 562, 769 1175–1176 64-bit (x64) architecture, 124, 562, 770–771 administrative tools, Windows, 610 administrator account, 1169–1170 A Administrators group, 1171 ADSL (Asynchronous Digital Subscriber Absolute Software LoJack feature, 206 Line), 1120 AC (alternating current), 40 Advanced Attributes window, NTFS AC adapters, 311–312, 461, 468–469 partitions, 692 Accelerated Graphics Port (AGP), 58 Advanced Computing Environment (ACE) accelerated video cards (graphics initiative, 724 accelerator cards), 388 Advanced Confi guration and Power access points, wireless, 996, 1121 Interface (ACPI) standard, 465 access time, hard drive, 226 Advanced Graphics Port (AGP) card, access tokens, 1146–1147 391–392 Account Operators group, 1172 Advanced Graphics Port (AGP) port, 105 ACE (Advanced Computing Environment) Advanced Host Controller Interface (AHCI), initiative, 724 212–213 ACPI (Advanced Confi guration and Power Advanced Micro Devices (AMD), 141–144 Interface) standard, 465 Advanced Packaging Tool (APT), 572 Action Center, 1191–1192 Advanced Power Management (APM) Active Directory Database, 1145–1146, 1183 standard, 465 active heat sink, 150 Advanced Programmable Interrupt active matrix display, LCD (thin-fi lm Controller (APIC), 374 transistor (TFT) display), 470 Advanced RISC Computing Specifi cation active partition, 267,
  • Product Name User Guide

    Product Name User Guide

    Smart-X Software Solutions Core Configurator User guide _______________________________________________________________ SmartX Software Solutions Core Configurator User Guide Table of content: WELCOME 4 FEATURES AND CAPABILITIES 5 MORE SYSTEM MANAGEMENT TOOLS 6 REQUIREMENTS 8 LICENSING AND INSTALLATION 8 EVALUATION VERSION LIMITATION 8 INSTALLATION 8 INSTALLING CORECONFIG ON WINDOWS 7 / 2008 R2 BETA VERSIONS 9 LICENSING 10 WORKING WITH CORE CONFIGURATOR 11 שגיאה! הסימניה אינה מוגדרת. CORE CONFIGURATOR MAIN SCREEN – 32 BIT HOW IT WORKS 11 CORE CONFIGURATOR MAIN SCREEN – 64 BIT 12 ACTIVATION SCREEN 13 HOW IT WORKS: 13 DISPLAY SETTINGS 14 HOW IT WORKS 14 TIME ZONE 15 HOW IT WORKS 15 REMOTE DESKTOP 16 HOW IT WORKS 16 ACCOUNT MANAGEMENT 17 HOW IT WORKS 17 FIREWALL 18 HOW IT WORKS 18 WINRM 19 HOW IT WORKS 19 NETWORKING 20 HOW IT WORKS 21 COMPUTER NAME 22 HOW IT WORKS 22 FEATURES 23 HOW IT WORKS 23 BACKUP PERFORMANCE 24 DCPROMO 25 HOW IT WORKS 26 AUTOMATIC UPDATES 27 HOW IT WORKS 29 REGIONAL LANGUAGES 30 HOW IT WORKS 30 REGISTRY EDITOR 31 2 SmartX Software Solutions Core Configurator User Guide HOW IT WORKS 31 TASK MANAGER 32 HOW IT WORKS 32 SERVICE 33 HOW IT WORKS 33 SYSTEM INFO 34 SHOW COMMANDS 35 3 SmartX Software Solutions Core Configurator User Guide Chapter 1 Welcome Welcome to Smart-X. Thank you for choosing Core Configurator™, one of the top tools developed by Smart-X Software Solutions expert team in an effort to optimize your everyday work. Core Configurator helps you manage your system efficiently, effortlessly and productively. This chapter describes the features and capabilities of Core Configurator, and lists additional tools in the same field that can help optimize your work environment.
  • Windows Tool Reference

    Windows Tool Reference

    AppendixChapter A1 Windows Tool Reference Windows Management Tools This appendix lists sets of Windows management, maintenance, configuration, and monitor- ing tools that you may not be familiar with. Some are not automatically installed by Windows Setup but instead are hidden away in obscure folders on your Windows Setup DVD or CD- ROM. Others must be downloaded or purchased from Microsoft. They can be a great help in using, updating, and managing Windows. We’ll discuss the following tool kits: ■ Standard Tools—Our pick of handy programs installed by Windows Setup that we think are unappreciated and not well-enough known. ■ Support Tools—A set of useful command-line and GUI programs that can be installed from your Windows Setup DVD or CD-ROM. ■ Value-Added Tools—Several more sets of utilities hidden away on the Windows Setup CD-ROM. ■ Windows Ultimate Extras and PowerToys for XP—Accessories that can be downloaded for free from microsoft.com. The PowerToys include TweakUI, a program that lets you make adjustments to more Windows settings than you knew existed. ■ Resource Kits—A set of books published by Microsoft for some versions of Windows that includes a CD-ROM containing hundreds of utility programs. What you may not have known is that in some cases you can download the Resource Kit program toolkits with- out purchasing the books. ■ Subsystem for UNIX-Based Applications (SUA)—A package of network services and command-line tools that provide a nearly complete UNIX environment. It can be installed only on Windows Vista Ultimate and Enterprise, and Windows Server 2003.
  • Copyrighted Material

    Copyrighted Material

    Index rootkits, 629–631 Numerics Security settings, 625–627 0day exploits/worms, 602–603, 677 troubleshooting in, 206–207 3D Text screen saver, 240 activating Windows 7 3d Traceroute, 458 overview, 60 4:3 aspect ratio, 780 process, 60–63 16:9 aspect ratio, 780–781 Windows Activation Technologies, 32-bit version, 43–44 63–64 64-bit version, 43–44 active desktop, 35–36 802.11b protocol, 755 ActiveX, security issues, 499 802.11g protocol, 755 Activities icon, 589 802.11n protocol, 755 adapter, network, 737–738, 757–758 Adblock Plus add-on, 524 Add a List of All Burned Files setting, 335 A Add to Calendar menu item, 552 Add Pictures and Video to the DVD AAC (Advanced Audio Coding) fi les, window, 419 177, 351 Add Search Providers page, 467 Accelerators, 497–498 address bar access points, wireless (WAPs) Internet Explorer, 473 defi ned, 729, 753 Windows Media Player, 312 overview, 757–758 Adjust Color icon, 394 accounts, user administrator account, 118–119 adding, 124–125 Adobe Flash, 505 logging on, 116–117 ADSL (asymmetric digital subscriber overview, 115–116 line), 451 password reset disk, 130 Advanced Audio Coding (AAC) fi les, settings, changing, 126–130 177, 351 switching, 130–131 Advanced Boot options, 136–138 types of Advanced Research Project Agency administrator, 118–119 (ARPA), 444 Guest, 125–126 COPYRIGHTEDAdvanced MATERIAL Search overview, 118 Google, 537–539 selecting appropriate, 119–121 Windows 7, 282–284 standard, 118 adware, 16 User Account Control, 121–124 Aero Glass interface, 33–34 Acquire Licenses setting, 309 Aero Peek,
  • Windows Rootkit Analysis Report

    Windows Rootkit Analysis Report

    Windows Rootkit Analysis Report HBGary Contract No: NBCHC08004 SBIR Data Rights November 2008 Page 1 Table of Contents Introduction ................................................................................................................................... 4 Clean Monitoring Tool Logs......................................................................................................... 5 Clean System PSList ................................................................................................................. 5 Clean System Process Explorer ................................................................................................ 6 Vanquish......................................................................................................................................... 7 PSList Vanquish ........................................................................................................................ 7 Vanquish Process Monitor (Process Start – Exit) .................................................................. 8 Process Explorer Thread Stack Vanquish .............................................................................. 8 Process Monitor Events Vanquish ........................................................................................... 9 Vanquish Log File (Created by rootkit, placed in root directory “C:”) ............................. 21 Process Explorer Memory Strings Vanquish ........................................................................ 23 NTIllusion....................................................................................................................................
  • Malware Hunting with the Sysinternals Tools

    Malware Hunting with the Sysinternals Tools

    SESSION ID: HTA-T07R Malware Hunting with the Sysinternals Tools Mark Russinovich CTO, Microsoft Azure Microsoft @markrussinovich #RSAC #RSAC “When combining the results from all four AV engines, less than 40% of the binaries were detected.” Source: CAMP: Content-Agnostic Malware Protection Proceedings of 20th Annual Network & Distributed System Security Symposium https://www.cs.jhu.edu/~moheeb/aburajab-ndss-13.pdf #RSAC #RSAC #RSAC About this Talk Learn about Sysinternals tools and techniques for analyzing and cleaning malware Professional antimalware analysis requires years of deep training But even for professionals, Sysinternals tools can prove useful Analyzing: Understanding the impact of malware Can be used to understand malware operation Generates road map for cleaning infestations Cleaning: Removing an infestation of a compromised system Attempting a clean can also reveal more information about malware’s operation #RSAC Malware Cleaning Steps Disconnect from network Identify malicious processes and drivers Terminate identified processes Identify and delete malware autostarts Delete malware files Reboot and repeat #RSAC #RSAC What Are You Looking For? Investigate processes that… …have no icon …have no description or company name …unsigned Microsoft images …live in Windows directory or user profile …are packed …include strange URLs in their strings …have open TCP/IP endpoints …host suspicious DLLs or services #RSAC What About Task Manager? Task Manager provides little information about images that are running
  • Monitor and Maintain a Multi-User Networked Operating System 114053

    Monitor and Maintain a Multi-User Networked Operating System 114053

    Monitor and maintain a multi-user networked operating system 114053 PURPOSE OF THE UNIT STANDARD This unit standard is intended To provide proficient knowledge of the areas covered For those working in, or entering the workplace in the area of Data Communications & Networking People credited with this unit standard are able to: Monitor the performance of a multi-user networked operating system Resolve problems with a multi-user networked operating system Maintain a multi-user networked operating system. The performance of all elements is to a standard that allows for further learning in this area. LEARNING ASSUMED TO BE IN PLACE AND RECOGNITION OF PRIOR LEARNING The credit value of this unit is based on a person having prior knowledge and skills to: Install and configure a multi-user networked operating system. Module 4 – Operating system support skills Author: LEARNER MANUAL Rel Date: 27/01/2018 Rev Date: 01/06/2023 Doc Ref: 48573 LM Mod 4 v-1 PAGE 55 INDEX Competence Requirements Page Unit Standard 114053 alignment index Here you will find the different outcomes explained which you need to be 57 proved competent in, in order to complete the Unit Standard 114053. Unit Standard 114053 59 Monitor the performance of a multi-user networked operating system 62 Resolve problems with a multi-user networked operating system 68 Maintain a multi-user networked operating system 84 Self-assessment Once you have completed all the questions after being facilitated, you need to check the progress you have made. If you feel that you are competent in the areas mentioned, you may tick the blocks, if however you feel that you 94 require additional knowledge, you need to indicate so in the block below.
  • Dan's Motorcycle Windows Commands

    Dan's Motorcycle Windows Commands

    1 Complete List of Run Commands in Windows XP, Vista, 7, 8 & 8.1 ¶ People can get stuck if they are attacked with viruses or in any way can’t access different Applications in Windows. Sometimes it gets difficult to find the commands to start the applications directly. Knowing the Run Command for a program in different Windows versions can be very useful. if you’d like to start a program from a script file or if you only have access to a command line interface this can be helpful. For example, If you have Microsoft Word installed (Any version of Microsoft Office®) rather then searching or clicking the start icon, locating the Microsoft Office folder and then clicking the Microsoft Word. You can use the Windows Run Box instead to access the application directly. Just Click Start and Click Run or press "Window Key + R" and type "Winword" and press enter, Microsoft Word will open immediately. Here is a, hopefully, Complete list of RUN Commands in Windows XP, Vista, 7, 8 and 8.1 for your quick and easy access. Description of Applications Run Command 32-bit ODBC driver under 64-bit platform = C:\windows\sysWOW64\ odbcad32.exe 64 bit ODBC driver under 64-bit platform = C:\windows\system32\ odbcad32.exe Accessibility Controls access.cpl Accessibility Options control access.cpl Accessibility Wizard accwiz Copyright © 1999-2016 dansmc.com. All rights reserved. Adapter Troubleshooter (Vista/Win7) AdapterTroubleshooter 2 Add Features to Windows 8 Win8 windowsanytimeupgradeui Add Hardware Wizard Win8 hdwwiz Add New Hardware Wizard hdwwiz.cpl Add/Remove
  • MARK RUSSINOVICH Chief Technology Officer Microsoft Azure

    MARK RUSSINOVICH Chief Technology Officer Microsoft Azure

    MARK RUSSINOVICH is the CTO of Microsoft Azure. He was a co-founder of software producers Winternals before it was acquired by Microsoft in 2006. Russinovich earned his B.S. in computer engineering from Carnegie Mellon Uni- versity in 1989 and M.S. in computer cngineering from Rensselaer Polytechnic Institute. He later returned to CMU, and received a Ph.D. in computer engineer-ing on Application-transparent fault manage- ment in 1994, under the supervision of Zary Segall. From 1994 through early 1996 Russinovich was a research associate with the University of Oregon's computer science department and then joined NuMega Technologies as a developer, working on performance monitoring software for Window NT. In 1996, he and Bryce Cogswell cofounded Winternals Software, where Russinovich served as Chief Software Architect, and the web site sysinternals.com, where he wrote and published dozens of popular Windows administration and diagnostic utilities in- cludeing Autoruns, Filemon, Regmon, Process Explorer, TCPView, and RootkitRevealer among many others. In 1997 he worked as a consulting associate at OSR Open Systems Resources, Inc. and then joined IBM's Thomas J. Watson Research Center as a research staff member, re- searching operating system support for Web server acceleration and serving as an oper- ating systems expert. Russinovich joined Microsoft in 2006, when it acquired Most existing blockchain protocols fail to meet several key enterprise requirements, including Winternals Software. con-fidentiality, acceptable transaction throughput and latency, computational efficiency (e.g. In his role as an author, he is a regular energy costs for proof-of-work consensus), and effective governance.