Frequently Asked Interview Questions for Windows Administrator Role
1. What is a memory leak?
Memory leaks are a class of bugs in which an application fails to release memory it no longer needs. A memory leak occurs when a process allocates memory from the paged or nonpaged pool but does not free it. As a result, these limited pools of memory are depleted over time, causing Windows to slow down. If memory is completely depleted, failures may result.
2. What tools are used to check memory leak?
- Performance Monitor and Resource Monitor are part of the Windows Server and client OS and can monitor and graph resource use over time
- The latest version of Application Verifier can diagnose heap leaks on Windows
- UMDH, which is part of the Debugging Tools for Windows, analyzes the heap memory allocations for a given process and can help find leaks and other unusual usage patterns
- Xperf is a sophisticated performance analysis tool with support for heap allocation traces
- CRT (C Run-Time) Debug Heap tracks heap allocations and can help you build heap-debugging features into your own code.
- Microsoft’s DebugDiag (Memory Pressure Analyzer)
3. How to use Umdh.exe to find memory leaks (Umdhtools.exe)?
The user-mode dump heap (UMDH) utility works with the operating system to analyze Windows heap allocations for a specific process. This utility, and the other tools associated with it, are primarily targeted at legacy Windows versions.
4. How is Performance Monitor used to check for a memory leak?
Performance Monitor can be used to determine whether a leak exists. If you suspect that a particular application or service is causing a memory leak, investigate the memory use of your applications using the following counters:
- Memory\Available Bytes reports available bytes; its value tends to fall during a memory leak.
- Memory\Committed Bytes reports the private bytes committed to processes; its value tends to rise during a memory leak.
- Process(process_name)\Private Bytes reports bytes allocated exclusively for a specific process; its value tends to rise for a leaking process.
- Process(process_name)\Working Set reports the shared and private bytes allocated to a process; its value tends to rise for a leaking process.
- Process(process_name)\Page Faults/sec reports the total number of faults (hard and soft faults) caused by a process; its value tends to rise for a leaking process.
- Process(process_name)\Page File Bytes reports the size of the paging file; its value tends to rise during a memory leak.
- Process(process_name)\Handle Count reports the number of handles that an application opened for objects it creates. Handles are used by programs to identify resources they must access. The value of this counter tends to rise during a memory leak; however, you cannot rule out a leak simply because this counter's value is stable.
Monitor these counters over a period ranging from two hours to a few days. Logging is recommended, both because of the overhead of monitoring multiple instances of the Process counters and because leaks tend to manifest themselves slowly.
Although any leak is serious, memory leaks are of particular concern when they involve the nonpaged pool. Many system services allocate memory from the nonpaged pool because they need to reference it when processing an interrupt and cannot take a page fault at that time. To identify whether or not a leak affects the nonpaged pool, include the following counters in your monitoring:
- Memory\Pool Nonpaged Bytes
- Memory\Pool Nonpaged Allocs
- Process(process_name)\Pool Nonpaged Bytes
5. What are kernel-mode and user-mode memory leaks?
User-mode memory leaks are always located in the pageable pool and cause both the Pool Paged Bytes counter and the page file usage counter to increase steadily over time. Kernel-mode memory leaks usually deplete the nonpaged pool, causing the Pool Nonpaged Bytes counter to increase, although pageable memory can be affected as well. Occasionally these counters may show false positives because an application is caching data.
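The following PowerShell is an added example (not part of the original Q&A) that puts questions 4 and 5 into practice: it samples the process counters from question 4 together with the paged and nonpaged pool counters from question 5 with Get-Counter, logs the raw samples to a CSV, and fits a least-squares slope to each counter so a steady rise in Private Bytes, Handle Count or Pool Nonpaged Bytes while Available Bytes falls stands out. The process name, sample interval and sample count are illustrative parameters; a real check runs for the hours-to-days window the text recommends.

```powershell
# Added example: trend the memory-leak indicator counters for one process.
# Assumed/illustrative: $ProcessName, $SampleIntervalSeconds, $MaxSamples.
param(
    [string]$ProcessName = 'notepad',
    [int]$SampleIntervalSeconds = 5,
    [int]$MaxSamples = 12
)

$counters = @(
    '\Memory\Available Bytes',
    '\Memory\Committed Bytes',
    '\Memory\Pool Paged Bytes',
    '\Memory\Pool Nonpaged Bytes',
    "\Process($ProcessName)\Private Bytes",
    "\Process($ProcessName)\Working Set",
    "\Process($ProcessName)\Handle Count",
    "\Process($ProcessName)\Pool Nonpaged Bytes"
)

# Least-squares slope of a series against its sample index: >0 means rising.
function Get-Slope {
    param([double[]]$Values)
    $n = $Values.Count
    if ($n -lt 2) { return 0.0 }
    $xs    = 0..($n - 1)
    $meanX = ($xs | Measure-Object -Average).Average
    $meanY = ($Values | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $num += ($xs[$i] - $meanX) * ($Values[$i] - $meanY)
        $den += ($xs[$i] - $meanX) * ($xs[$i] - $meanX)
    }
    return $num / $den
}

# Collect one sample set per interval. Logging to disk matters because leaks
# show up slowly and the Process counters are costly to watch interactively.
$samples = Get-Counter -Counter $counters -SampleInterval $SampleIntervalSeconds -MaxSamples $MaxSamples
$log = Join-Path $env:TEMP "leakcheck-$ProcessName.csv"
$samples.CounterSamples |
    Select-Object Timestamp, Path, CookedValue |
    Export-Csv -Path $log -NoTypeInformation

# Report first/last value and trend per counter.
foreach ($path in $counters) {
    $values = @($samples.CounterSamples |
        Where-Object { $_.Path -like "*$path" } |
        ForEach-Object { [double]$_.CookedValue })
    $slope = Get-Slope -Values $values
    $trend = if ($slope -gt 0) { 'rising' } elseif ($slope -lt 0) { 'falling' } else { 'flat' }
    [pscustomobject]@{
        Counter   = $path
        First     = $values[0]
        Last      = $values[-1]
        PerSample = [math]::Round($slope, 2)
        Trend     = $trend
    }
}
Write-Host "Raw samples logged to $log"
```

Run it as `.\Leak-Trend.ps1 -ProcessName myservice -SampleIntervalSeconds 60 -MaxSamples 240` for a four-hour window; a rising Private Bytes and Handle Count for the process, with Pool Nonpaged Bytes flat, points at a user-mode leak, while a rising Pool Nonpaged Bytes across the whole system points at a driver or kernel component.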
6. What is virtual memory and how is it different from paging?
Virtual memory is a memory management technique that is implemented using both hardware and software. It maps memory addresses used by a program, called virtual addresses, into physical addresses in computer memory.
Paging is a memory management scheme by which a computer stores and retrieves data from secondary storage (HDD) for use in the main memory (RAM). In this scheme, the operating system retrieves data from secondary storage in same-size blocks called pages. Paging is an important part of virtual memory implementations in modern operating systems, using secondary storage to let programs exceed the size of available physical memory.
7. What is a Page File?
RAM is a limited resource, whereas, for most practical purposes, virtual memory is unlimited. There can be many processes, and each process has its own 2 GB of private virtual address space. When the memory used by all the existing processes exceeds the available RAM, the operating system moves pages (4-KB pieces) of one or more virtual address spaces to the computer’s hard disk. This frees that RAM frame for other uses. In Windows systems, these “paged out” pages are stored in one or more files (Pagefile.sys) in the root of a partition.
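As an added example (not part of the original Q&A), the PowerShell below reports where each page file lives, whether it is system-managed, its configured and allocated size, and its current and peak usage, then samples the Paging File and hard page fault counters that show how heavily the system is paging. It uses only the built-in Win32_ComputerSystem, Win32_PageFileUsage and Win32_PageFileSetting CIM classes and Get-Counter; the function name Get-PageFileReport is my own.

```powershell
# Added example: inventory the page file(s) and current paging activity.
function Get-PageFileReport {
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_PageFileSetting only has entries for manually sized page files.
    $settings = Get-CimInstance -ClassName Win32_PageFileSetting -ErrorAction SilentlyContinue
    foreach ($u in Get-CimInstance -ClassName Win32_PageFileUsage) {
        $s       = $settings | Where-Object { $_.Name -eq $u.Name }
        $initial = if ($s) { $s.InitialSize } else { $null }   # MB; $null = system-managed
        $maximum = if ($s) { $s.MaximumSize } else { $null }
        [pscustomobject]@{
            PageFile       = $u.Name                     # e.g. C:\pagefile.sys, root of a partition
            SystemManaged  = $cs.AutomaticManagedPagefile
            InitialSizeMB  = $initial
            MaximumSizeMB  = $maximum
            AllocatedMB    = $u.AllocatedBaseSize
            CurrentUsageMB = $u.CurrentUsage
            PeakUsageMB    = $u.PeakUsage
        }
    }
}

Get-PageFileReport | Format-Table -AutoSize

# Paging activity: % of page file in use, and pages read from disk per second
# (hard faults), which is the cost the text describes when RAM is exhausted.
Get-Counter -Counter @(
    '\Paging File(_Total)\% Usage',
    '\Paging File(_Total)\% Usage Peak',
    '\Memory\Pages/sec',
    '\Memory\Page Reads/sec'
) -SampleInterval 2 -MaxSamples 5 |
    ForEach-Object { $_.CounterSamples } |
    Select-Object Timestamp, Path, @{ n = 'Value'; e = { [math]::Round($_.CookedValue, 2) } } |
    Format-Table -AutoSize
```

A page file whose CurrentUsageMB sits near AllocatedMB together with sustained Page Reads/sec is the symptom of a host that has run out of RAM, whether from genuine load or from a leaking process.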
8. What are the paged pool and nonpaged pool?
The memory manager component of Windows creates the following memory pools that the system uses to allocate memory: nonpaged pool and paged pool. Both memory pools are located in the region of the address space that is reserved for the system and mapped into the virtual address space of each process.
The nonpaged pool consists of virtual memory addresses that are guaranteed to reside in physical memory as long as the corresponding kernel objects are allocated.
The paged pool consists of virtual memory that can be paged in and out of the system. To improve performance, systems with a single processor have three paged pools, and multiprocessor systems have five paged pools.
9. What is a memory dump?
A memory dump is a process in which the contents of memory are captured and stored when an application or system crashes. A memory dump helps software developers and system administrators diagnose, identify, and resolve the problem that led to the application or system failure. After a memory dump, the computer is generally unavailable or inaccessible until it is rebooted. A memory dump can also be triggered by a memory leak when the system is out of memory and can no longer continue its operations.
A memory dump is also known as a core dump (UNIX) and a blue screen of death (BSOD) in Windows-based computers.
10. What are the different types of memory dump?
Windows supports various memory dump formats:
Kernel-mode dumps:
- Complete Memory Dump: contains the full physical memory of the target system.
- Kernel Memory Dump: contains all the memory in use by the kernel at the time of the crash.
- Small Memory Dump: contains information such as the stop code, its parameters, the list of loaded device drivers, etc.
User-mode memory dumps:
- Full User-Mode Dump: includes the entire memory space of a process.
- Minidump: includes only selected parts of the memory associated with a process (64 KB on a 32-bit OS and 128 KB on a 64-bit OS).
11. How to analyze a BSOD crash dump?
We can use the Windows Debugger (WinDbg.exe) tool or the Kernel Debugger (KD.exe) tool to read small memory dump files. WinDbg.exe and KD.exe are included with the latest version of the Debugging Tools for Windows SDK.
Steps:
- Create and capture the memory dump associated with the BSOD you are trying to troubleshoot.
- Install and configure WinDbg.exe, and set the symbol path to the correct symbols folder.
- Use WinDbg.exe to debug and analyze the memory dump, and then get to the root cause of the problem.
12. Where to find dump files?
C:\Windows\Minidump\minidump.dmp or <date-and-time>.dmp
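The PowerShell below is an added example (not part of the original Q&A) that ties questions 10 to 12 together: it reads the crash dump type and dump locations the system is configured for from the CrashControl registry key, lists the dump files already present, and runs the command-line kernel debugger KD.exe against the newest one with `!analyze -v` so the stop code, faulting process and faulting module are written to a report file. The debugger install directory and local symbol cache are placeholder paths for your own installation; the symbol path points at Microsoft's public symbol server.

```powershell
# Added example: check crash dump configuration, find dumps, run !analyze -v.
# Assumed/placeholder: $DebuggerDir (Debugging Tools install), $SymbolCache.
param(
    [string]$DebuggerDir = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64',
    [string]$SymbolCache = 'C:\Symbols'
)

# 1. How the host will dump on a bug check. CrashDumpEnabled maps to the
#    dump types from question 10 (0 none, 1 complete, 2 kernel, 3 small, 7 automatic).
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
[pscustomobject]@{
    DumpType    = $dumpTypes[[int]$cc.CrashDumpEnabled]
    DumpFile    = $cc.DumpFile       # full/kernel dump location
    MinidumpDir = $cc.MinidumpDir    # small dump directory, normally %SystemRoot%\Minidump
} | Format-List

# 2. Dump files already on disk, newest first (question 12).
$minidumpDir = [Environment]::ExpandEnvironmentVariables($cc.MinidumpDir)
$dumps = @(Get-ChildItem -Path $minidumpDir -Filter *.dmp -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending)
$dumps | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 3. Analyze the newest dump non-interactively (question 11).
#    kd.exe -z opens a crash dump, -y sets the symbol path, -c runs the
#    initial commands; the trailing "q" quits so the run can be captured.
if ($dumps.Count -gt 0) {
    $kd      = Join-Path $DebuggerDir 'kd.exe'
    $symPath = "srv*$SymbolCache*https://msdl.microsoft.com/download/symbols"
    $report  = Join-Path $env:TEMP ("analyze-" + $dumps[0].BaseName + ".txt")
    & $kd -z $dumps[0].FullName -y $symPath -c '!analyze -v; q' |
        Out-File -FilePath $report -Encoding utf8
    Write-Host "Full analysis written to $report"
    # The lines that usually answer "what crashed and why":
    Select-String -Path $report -Pattern 'BUGCHECK_CODE|PROCESS_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID' |
        ForEach-Object { $_.Line.Trim() }
}
```

The MODULE_NAME/IMAGE_NAME lines name the driver or module the debugger blames, which is the starting point for the "root cause" step in question 11; the full report keeps the stack trace and loaded-module list for manual review in WinDbg.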
13. Where to find the netlogon.log file?
C:\Windows\debug
14. What are the different remote management tools?
Integrated Lights-Out (iLO) is a remote server management processor embedded on the system boards of HP ProLiant and Blade servers that allows HP servers to be controlled and monitored from a remote location. HP iLO Management is a powerful tool that provides multiple ways to configure, update, monitor, and run servers remotely. The embedded iLO management card has its own network connection and IP address, to which server administrators can connect via Domain Name System (DNS)/Dynamic Host Configuration Protocol (DHCP) or through a separate dedicated management network. iLO provides a remote web-based console, which can be used to administer the server remotely. The iLO port is an Ethernet port, which can be enabled through the ROM-Based Setup Utility (RBSU). The iLO management tool allows a user to perform the following actions on the server remotely:
- Power on and power off the server.
- Restart the server.
- Monitor the server, regardless of the state of the server’s operating system.
- Measure power usage.
- Apply patches, firmware updates, and critical virus updates through virtual media and virtual folders.
- Access system event logs and the HP Integrated Management Log.
Dell Remote Access Controllers (DRAC) and Integrated Dell Remote Access Controllers (iDRAC) come in different versions, where a new (i)DRAC version is often linked to a new generation of PowerEdge servers. The "i" in iDRAC stands for integrated, as the hardware part is now often integrated on the motherboard of the server. In the standard version of iDRAC, the software/hardware is piggy-backed onto one of the server's onboard network interfaces using a unique IP address. When the optional "Enterprise" version of iDRAC has been enabled, it is connected to its own dedicated "iDRAC" network interface.
The integrated Dell Remote Access Controller (iDRAC) with Lifecycle Controller is embedded management in every Dell PowerEdge™ server. The data it provides helps you deploy, update, monitor, and maintain Dell servers with no need for any additional software to be installed. This means that you get more essential management tasks done faster, your overall server availability increases and your operational expenses diminish. The Dell iDRAC works regardless of the operating system or hypervisor because it’s embedded within each server from the factory.
The IBM Remote Supervisor Adapter (RSA) is the out-of-band management interface card, optional on most IBM x86-based server machines under the IBM System x brand. Remote management is independent of the status of the managed server.
Other IBM remote management tools are:
- Blade Center Advanced Management Module (BCAMM)
- Advanced Systems Management Processor (ASMP)
- Integrated Management Module (IMM)