Cluster computing

Tuesday, May 21, 2013

Nltk classifier modules
The nltk decision tree module. This is a classifier model. A decision tree comprises of non-terminal nodes for conditions on feature values and the terminal nodes for the labels. The tree evaluates to a label for a given token.
The module requires feature names and labeled feature sets. Different thresholds such as for depth cut off, entropy cut off and support cut off can also be specified. Entropy refers to degree of randomness or variations in the results while support refers to the number of feature sets used for evaluation.

The term feature is used to refer to some property of an unlabeled token. Typically a token is a word from a text that we have not seen before. If the text is seen before and has already been labeled, it is a training set. Training set helps train our model so that we can pick the labels better for the tokens we encounter. As an example, the proper nouns for names may be labeled male or female. We start with a large collection of already tagged names, we call training data. We build a model where we say if the name ends with a certain set of suffixes, the name is that of a male. Then we run our model on the training data to see how accurate we were and we adjust our model to improve our accuracy. Next we can run our model on a test data. If a name from the test data is labeled by this model as a male, we know its likelihood to be correct.

The property of labeled tokens are also helpful. We call these as joint-features and we distinguish it from the feature we just talked about by referring to the latter as input-features. So joint-features belong to training data and input-features belong to test data. For some classifiers such as the maxent classifier we refer to these as features and contexts respectively. The maxent stands for maximum entropy model where joint-features are required to have numeric values and input-features are mapped to a set of joint-features.

There are other types of classifiers as well. For example, the mallet package uses the external mallet machine learning package. The megam module uses the external megam maxent optimization package. The naïve Bayes module is a module that assigns probability for a label. The P(label/features) is computed as P(label) * P(features/label) / P(features). The 'naive' assumption is that all features are independent. The positivenaivebayes module is a variant of the Bayes classifier

that performs binary classification based on two complementary classes where we have labeled examples only for one of the classes. The there are classifiers based exclusively on the corpus that they are trained on. The rte_classify module is a simple classifier for the RTE corpus. It calculates the overlap in words and named entities between text and hypothesis. Most of the classifiers discussed are built on top of the scikit machine learning library.

Nltk cluster package
This module contains a number of basic clustering algorithms . Clustering is unsupervised machine learning to group similar items with a large collection There are the k-means clustering, E-M clustering and a group average agglomerative clustering. The K-means clustering starts with the k arbitrary chosen means and assigns each vector to the cluster with the closest mean. The centroid of the cluster is recalculated as the means of each cluster. The process is repeated until the clusters stabilize. This may converge to a local maximum so this method is repeated for other random initial means and the most common occurring output is chosen. The Gaussian EM clustering starts with k arbitrarily chosen means, prior probabilities and co-variance matrices which forms the parameters for the Gaussian source. The membership probabilities is then calculated for each vector in each of the clusters - this is the E-step. The parameters are then updated in the M-step using the maximum likelihood estimate from the clustering membership probabilities. This process continues until the likelihood of the data does not significantly increase. The GAAC clustering starts with each of the N vectors as singleton clusters and then iteratively merges pairs of clusters which have the closest centroids. This continues until there is only one cluster. The order of merges is useful in finding the membership of a given number of clusters because earlier merges are lower than the depth c in the resulting tree.

Usage of WixSharp to build MSI for installing and uninstalling applications.
WixSharp makes it easy to author the logic for listing all the dependencies of your application for deployment. It converts the C# code to wxs file which in turn is compiled to build the MSI. There are a wide variety of samples in the WixSharp toolkit. Some of them require very few lines to be written for a wide variety of deployment time actions. The appeal in using such libraries is to be able to get the task done sooner with few lines of code. The earlier way of writing and editing WXS file was error prone and tedious.

Monday, May 20, 2013

nifty way to find file format

Here's something I found on the internet. If you wanted know the file format and there is little or no documentation of the proprietary format, you can look up the header of the file and other data structures with the corresponding symbols from kernel PDB file. You don't need the source to look up format.
There are tools that can render the information in the PDB to be navigated through the UI. This is possible via the DIA SDKs. The format of PDB files is also not open hence their access is via debugger sdk. The SDK is available via COM. So you may have to register the DIA dll.
The debuggers make a local cache of the symbols when requested and they download the symbols from the symbol server, so you can expect the PDB to be made available to you by the debugger in the directory you specify.
If you look at the kernel PDB, you will find the structures we are looking for, start with the name MINIDUMP and these can be walked from the header onwards.
To find the stack trace, we follow the header to the directory or stream for the exception and read the exception record and address where the exception occurred. Both of these are given in the MINIDUMP_EXCEPTION data structure. The exception stream also gives the thread context. The context gives the processor specific register data. When we dump the stack pointer, we get the stack trace. We resolve the symbols of the stack trace with the pdbs either explicitly through DIA or implicitly through the managed mdbgeng library of debugger sdk. The minidump actually has all the information in the file itself. For example, you can list all the loaded modules with the mindump module list as well as the mindump module structures. Module name, function name, line number and stack frame are available via IMAGEHLP data structures. The various types of streams in the minidump are :
Thread list stream given by the MINIDUMP_THREAD_LIST structure
Module list stream given by the MINIDUMP_MODULE_LIST structure
Memory list stream given by the MINIDUMP_MEMORY_LIST structure
Exception stream given by the MINIDUMP_EXCEPTION_STREAM structure
System Info stream given by the MINIDUMP_SYSTEM_INFO structure
ThreadExList stream given by the MINIDUMP_THREAD_EX_LIST structure
Memory64 list stream given by the MINIDUMP_MEMORY64_LIST structure
Comment stream
Handle Data stream given by the MINIDUMP_HANDLE_DATA_STREAM structure
Function table stream given by the MINIDUMP_FUNCTION_TABLE structure
Unloaded module list stream given by the MINIDUMP_UNLOADED_MODULE_LIST structure
Misc Info List stream given by the MINIDUMP_MISC_INFO structure
Thread Info List stream given by the MINIDUMP_THREAD_INFO_LIST structure
Handle operation list stream given by the MINIDUMP_HANDLE_OPERATION_LIST structure
For diagnostics, we may choose to display messages to the output or error stream. More features can be built into the tool that retrieves the stack trace from the dump. This can be done in an extensible manner where tool runs a set of commands from the user by way of command line. Internally we can have a command pattern to implement the different debugger like functionalities of the tool. Also the tool can be deployed via MSI. This ensures cleanliness during install and uninstall.

Sunday, May 19, 2013

Review : Paper on comparision of document clustering techniques by Steinbach, Karypis and Kumar from Univerity of Minnesota.
This paper compares k-means clustering methods to hierarchical clustering methods. The paper suggests that bisecting k-means technique is better than the standard k-means technique which is in turn better than hierarchical techniques.
Hierarchical clustering has quadratic time complexity where as K-means have a time complexity that's linear. There are mixed approaches too.
There are two metrics used for cluster quality analysis. Entropy is one which provides a measure of goodness for single level clusters. F-measure is the other which measures the effectiveness of hierarchical clustering.
The bisecting k-means clustering is explained as follows:
Step 1 pick a cluster to split
Step 2 find two clusters using the basic k-means algorithm
Step 3 Repeat step 2 for a fixed number of times and take the split that produces the clustering with the highest overall similarity
Step 4 Repeat step 1, 2 and 3 until the desired number of clusters are reached.
Splitting the largest cluster also works.

Agglomerative hierarchical clustering have the following variations:
1) Intra cluster similarity : This hierarchical clustering looks at the similarity of all documents in the cluster to the centroid where the similarity distance is given as the sum of cosines. The pair of clusters that when merged leads to smallest decrease in similarity.

2) Centroid similarity technique: This works in a similar way but it takes the similarity distance as the cosine between the centroids of the two clusters.

3) The UPGMA scheme is based on the cluster similarity measure which takes the sum of the cosine distances between two documents of different clusters divided by the product of the sizes of their clusters,.

An explanation is given for why the agglomerative hierarchical clustering performs poorly when compared with bisecting k-means that mentions that the former puts documents of the same class in the same cluster and this is done early on and generally not reversed.

Saturday, May 18, 2013

IPSEC

I was going to be posting on text indexing but I will make a post on IPSEC before that.

IPSEC is a suite of protocols for securing network connections. IP packets are authenticated and encrypted for the duration of a session. A variety of protocols can be used for authentication and encryption. It provides several controls for network connections and is generally better organized than many other networking protocols. This is an end to end IP connectivity between two endpoints that are either host to host, network to network or network to host.
The IPSec suite is an open standard. It uses the following protocols to perform various operations.
Authentication headers (AH): This guarantees that the sender of IP packets is who the packet says it is from and that the packet has not been tampered with. This prevents spoofing and replay attacks. This is achieved by computing a hash value called the Integrity Check Value and a sequence number. The sequence number helps to use a sliding window to determine the packets that are old and can be discarded.
Encapsulating Security Payloads (ESP): This provides confidentiality protection of packets. It supports both encryption and authentication configurations for direct IP connectivity as well as tunnel based connectivity. A tunnel is used to describe communication between two endpoints over a public network such that two endpoints can talk to each other without letting any of the other hosts on the public network know. A common example is when people connect to their office from home. This is implemented by slapping on another IP header over the original. This way the public network routes the packets based on the first header but the source and destination look at the inner IP packets to know that the packets are from each other. ESP unlike AH does not support integrity and authentication for the entire IP Packet.
Security Association This is the group of algorithms and parameters such as keys that is being used to encrypt and authenticate a particular flow in one direction. A pair of security associations is required to secure bidirectional traffic. These groupings are well organized and policies are enforced using a policy agent.
There are two modes of transport for IPSEC depending on host to host configuration or those involving network tunnels and are referred to as the transport mode and tunnel mode respectively.
In the transport mode, only the payload of the IP packet is usually encrypted or authenticated and the IP header is preserved. The limitation of this mode is that the IP addresses cannot be translated when the authentication header is used as it will invalidate the hash value.
In the tunnel mode, an entire IP packet is encrypted and/or authenticated because it is encapsulated into a new IP packet with a header.
The algorithms used for encrypting the packets include SHA1 for integrity protection and authenticity and Triple DES and AES for confidentiality. The key negotiation for authentication is usually included with the IPSEC implementation from a vendor.
IPSEC implementation in earlier windows was a standalone component separate from windows firewall. This has changed since. IPSEC lets you author in more generic terms a set of rules and settings that define the security policies of your network and are implemented by each and every host on your network. You author these IPSEC policy settings as well as the individual policy or rules with IP filters and filter actions. IP filters define a set of IP traffic.
For example, a computer on the intranet can have the following rules: allow connections with resource servers, allow connections with other intranet computers, but deny connections to everyone else. These are authored as inbound and outbound rules. Filters are evaluated based on weights. The weights are decided based on source IP address, subnet mask, destination IP address, subnet mask , IP protocol, source port, destination port. The source destination IP address port pairs identify a connection. Along with the filters and filter actions, you can also define the authentication methods such as Kerberos, Active Directory or certificate based.
The policies are written for the domain system and are retrieved by the policy agent running on the host computers that want to communicate. These policies are passed to the IKE module which determines the authentication mechanism from negotiation settings of IPSEC, determines the secret key, and the protection of direct and tunnel mode traffic. These are then passed as SA parameters to the IPSEC drivers use these to protect the traffic. Since the IPSEC driver sits below the application and TCP/IP network stack, it handles all IP traffic.
After the policies are created, they can be assigned to different AD domains, sites and organizational units thus giving you the flexibility to define the scope for your rules and removing the redundancy from having to repeat the rules on each host. Local IP sec policies are overridden by domain based IPsec policies and so on.

Friday, May 17, 2013

Dump file format 2 (blog post continued)

Extracting the stack trace is different from resolving the stack trace function pointers with symbols. For the extraction part, we read from dump files from external sources. For the resolution part, we read symbols from mostly internal sources unless otherwise provided. The latter can happen offline. There is support via debugger interface access sdk (DIA) and somewhat more generally with the debugger client sdk that gets shipped with debugging tools from windows. The latter has an interface in C# as opposed to the COM based interface of DIA. There is also more debugging features available via the debugging sdk.
The debugging sdk assembly (mdbgeng) requires full trust. When redistributing a package with this assembly, it's probably better to register it to the global assembly cache or use with NuGet. For the most part, we want to focus on preliminary analysis of dumps using streams.
Also we could provide APIs for the functionalities we write, so that any client, powershell or standalone executable can call these.
API design could consider a subset of the debugger sdk as appropriate. The two main methods we are interested in are GetStackTraceFromStream and OutputStackTrace.
The APIs could additionally consider methods for retrieving bucket information, timestamps, and additional details such as the system information on which the dump occurred.
The powershell implementation of these APIs are enabled via appropriate attribute on the methods mentioned above.
Exception handling and return values are limited to very few meaningful messages.
Also, deployment of a standalone tool for this can be MSI based so that install and uninstall is easy. The MSI can be generated with libraries such as WixSharp.

Next blog post will continue on text indexing methods.

Thursday, May 16, 2013

Dump file format

Dump file format
Dump file have specific formats that help in debugging. For example, they store the system information and exception record as the first few fields of data that they carry and hence at calculatable offsets from the start of the file. The exception record has the exception which produced the dump. It also has additional information such as the exception code which gives the bucket under which this exception falls such as access violation, array bounds exceeded, divide by zero, invalid operation, overflow or underflow, invalid operation etc. Exception records can be chained together to provide additional information on nested exceptions. Exception Address gives the address at which the exception occurred and used for stack trace.
Exceptions are not always on the first thread. Hence a display of the stack trace at the first thread may not capture the exception that triggered the dump. This is obtained with another command on the debugger by name .ecxr. This sets the context to that of the exception and then the stack trace command gives the desired stack trace. The stack trace can be manually displayed with dd command on ebp or esp register after .ecxr. This can then be resolved against symbols to display function names.
The dump file does not look for threads. The system information directory and exception record directory precede all other data. Hence the look up of the exception address is easier. The exception directory is followed by the exception record and the context of the thread. Additional thread info structures can follow next in n * field info data structure.
Dump filters relative virtual addresses (RVA) to point to the data member within the file. These are offsets from the start of the file. The format specifies a set of directories that point to the data. Each directory specifies the following, the data type, the data size and the RVA to the location of data in the dump file. The file layout consists of a header that gives information on the version, signature, number of directories and RVA. This is followed by a set of directories each of which points to data in the dump data section. The data sections follow this list of directories. The first two data sections are reserved for system information and exception stream.
Dump files can be of more than one type. They are categorized by their sizes and are enumerated as context dumps, system dumps, complete dumps in the order of increasing size. The context dumps range in size from 4Kb- 64Kb, the system dumps range from 64 Kb - several MB and the complete dumps store the entire physical memory and the 64Kb. The context dumps carry information such as exception that initiated the crash, context record of faulting thread, Module list and thread list although these are restricted to the faulting ones, callstack of faulting thread, 64 bytes of memory above and below the instruction pointer and the stack memory dump of the faulting thread that can fit in the 64KB limit. The other types of dump includes these same essential information but include the complete list of all modules, threads, and more memory dumps around the instruction pointers and stack. When the entire heap is included in the dump file, there is plenty of debugging information to even discern the values of local variables on the stack. However, that increases the size of the dumps considerably.
Dump file bucketing refers to grouping of dump files that arose from similar crashes such as those from a common code defect. These can include variables like the application name, version and timestamp, the owner application name, version and timestamp, the module name, version and timestamp, and the offset into the module. Bucketing helps to determine the priority and severity of the associated code defect.
Dump file structures indicate how to navigate the file for specific information. These are well documented and essentially refer to using RVAs to find information. There are specific structures that represent thread call stack frames.
Note reading the dump file is a forward only operation and hence streams can be used with dump files to retrieve the stack trace.

User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
Windows 8 Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
Built by: 6.2.9200.16384 (win8_rtm.120725-1247)
Machine Name:
Debug session time: Tue Apr 30 18:37:57.000 2013 (UTC - 7:00)
System Uptime: not available
Process Uptime: 0 days 0:00:45.000
.............................
----- User Mini Dump Analysis
MINIDUMP_HEADER:
Version         A793 (62F0)
NumberOfStreams 10
Flags           1105
                0001 MiniDumpWithDataSegs
                0004 MiniDumpWithHandleData
                0100 MiniDumpWithProcessThreadData
                1000 MiniDumpWithThreadInfo
Streams:
Stream 0: type ThreadListStream (3), size 00000094, RVA 00000410
3 threads
RVA 00000414, ID 38, Teb:000007F7BC25E000
RVA 00000444, ID 3FFC, Teb:000007F7BC25C000
RVA 00000474, ID 3828, Teb:000007F7BC25A000
Stream 1: type ThreadInfoListStream (17), size 000000CC, RVA 000004A4
RVA 000004B0, ID 38
RVA 000004F0, ID 3FFC
RVA 00000530, ID 3828
Stream 2: type ModuleListStream (4), size 00000C40, RVA 00000570
29 modules
RVA 00000574, 000007f7`bd1c0000 - 000007f7`bd2cb000: 'C:\Windows\System32\calc
.exe', 8160
RVA 000005E0, 000007f8`c31d0000 - 000007f8`c338e000: 'C:\Windows\System32\ntdl
l.dll', 140
RVA 0000064C, 000007f8`c29d0000 - 000007f8`c2b06000: 'C:\Windows\System32\kern
el32.dll', 140
RVA 000006B8, 000007f8`c0240000 - 000007f8`c0333000: 'C:\Windows\System32\KERN
ELBASE.dll', 140
RVA 00000724, 000007f8`c10c0000 - 000007f8`c23a4000: 'C:\Windows\System32\shel
l32.dll', 140
RVA 00000790, 000007f8`c2530000 - 000007f8`c2580000: 'C:\Windows\System32\shlw
api.dll', 140
RVA 000007FC, 000007f8`c2c50000 - 000007f8`c2df0000: 'C:\Windows\WinSxS\amd64_
microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9200.16384_none_72771d4ecc1c3a4d\
GdiPlus.dll', 140
RVA 00000868, 000007f8`c2580000 - 000007f8`c265e000: 'C:\Windows\System32\adva
pi32.dll', 140
RVA 000008D4, 000007f8`c2b80000 - 000007f8`c2c43000: 'C:\Windows\System32\olea
ut32.dll', 140
RVA 00000940, 000007f8`be9e0000 - 000007f8`beac6000: 'C:\Windows\System32\uxth
eme.dll', 140
RVA 000009AC, 000007f8`c2660000 - 000007f8`c27de000: 'C:\Windows\System32\ole3
2.dll', 140
RVA 00000A18, 000007f8`ba1b0000 - 000007f8`ba419000: 'C:\Windows\WinSxS\amd64_
microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_418c2a697
189c07f\comctl32.dll', 140
RVA 00000A84, 000007f8`c0e20000 - 000007f8`c0f6c000: 'C:\Windows\System32\user
32.dll', 140
RVA 00000AF0, 000007f8`c0ce0000 - 000007f8`c0e20000: 'C:\Windows\System32\rpcr
t4.dll', 140
RVA 00000B5C, 000007f8`ba5b0000 - 000007f8`ba5d0000: 'C:\Windows\System32\winm
m.dll', 140
RVA 00000BC8, 000007f8`c2890000 - 000007f8`c29d0000: 'C:\Windows\System32\gdi3
2.dll', 140
RVA 00000C34, 000007f8`c1010000 - 000007f8`c10b5000: 'C:\Windows\System32\msvc
rt.dll', 140
RVA 00000CA0, 000007f8`c0670000 - 000007f8`c0820000: 'C:\Windows\System32\comb
ase.dll', 140
RVA 00000D0C, 000007f8`c0f70000 - 000007f8`c0fb8000: 'C:\Windows\System32\sech
ost.dll', 140
RVA 00000D78, 000007f8`ba040000 - 000007f8`ba072000: 'C:\Windows\System32\WINM
MBASE.dll', 140
RVA 00000DE4, 000007f8`c0fd0000 - 000007f8`c1009000: 'C:\Windows\System32\imm3
2.dll', 140
RVA 00000E50, 000007f8`c30b0000 - 000007f8`c31c4000: 'C:\Windows\System32\msct
f.dll', 140
RVA 00000EBC, 000007f8`ba420000 - 000007f8`ba5aa000: 'C:\Windows\System32\Wind
owsCodecs.dll', 140
RVA 00000F28, 000007f8`bb410000 - 000007f8`bb431000: 'C:\Windows\System32\dwma
pi.dll', 140
RVA 00000F94, 000007f8`bffb0000 - 000007f8`bffba000: 'C:\Windows\System32\CRYP
TBASE.dll', 140
RVA 00001000, 000007f8`bff50000 - 000007f8`bffac000: 'C:\Windows\System32\bcry
ptPrimitives.dll', 1c0
RVA 0000106C, 000007f8`c05d0000 - 000007f8`c0666000: 'C:\Windows\System32\clbc
atq.dll', 140
RVA 000010D8, 000007f8`b9b30000 - 000007f8`b9b99000: 'C:\Windows\System32\olea
cc.dll', 140
RVA 00001144, 000007f8`bf250000 - 000007f8`bf2e6000: 'C:\Windows\System32\SHCo
re.dll', 140
Stream 3: type MemoryListStream (5), size 00000354, RVA 00002D5D
53 memory ranges
range#    RVA      Address             Size
       0 000030B1    000007f8`bffb5000   00000000`00000730
       1 000037E1    00000043`da3f0860   00000000`00002000
       2 000057E1    00000043`da3f2bf0   00000000`00000028
       3 00005809    00000043`da3f8c80   00000000`00000008
       4 00005811    00000043`da3f94e0   00000000`00000010
       5 00005821    000007f8`c2572000   00000000`000014a0
       6 00006CC1    00000043`da3fc320   00000000`00000008
       7 00006CC9    00000043`da3fc770   00000000`00000410
       8 000070D9    000007f8`c0e21e3a   00000000`00000100
       9 000071D9    00000043`da4005c0   00000000`00000010
      10 000071E9    00000043`da400620   00000000`00000010
      11 000071F9    000007f8`c2ae1000   00000000`00001920
      12 00008B19    000007f8`c0ff9000   00000000`00001120
      13 00009C39    00000043`da415310   00000000`00000410
      14 0000A049    000007f8`b9b84000   00000000`00002eec
      15 0000CF35    00000043`da446cb0   00000000`00000008
      16 0000CF3D    00000043`da446d70   00000000`00000018
      17 0000CF55    00000043`da446db0   00000000`00000008
      18 0000CF5D    00000043`da44a760   00000000`00000410
      19 0000D36D    000007f8`c1939000   00000000`00000009
      20 0000D376    000007f8`c2975000   00000000`00003d28
      21 0001109E    000007f8`c27aa000   00000000`0000234a
      22 000133E8    000007f8`beaa7000   00000000`00003490
      23 00016878    000007f8`c0ebd000   00000000`00001ac9
      24 00018341    000007f8`c2617000   00000000`000048c6
      25 0001CC07    000007f8`c109e000   00000000`00004bda
      26 000217E1    00000043`da31d7d8   00000000`00002828
      27 00024009    000007f8`c07e4000   00000000`00006e08
      28 0002AE11    000007f8`c3308000   00000000`0000a1d0
      29 00034FE1    000007f8`c2dc4000   00000000`00001c38
      30 00036C19    000007f8`c0654000   00000000`00005790
      31 0003C3A9    000007f8`c316c000   00000000`00001d10
      32 0003E0B9    000007f8`c2dd8000   00000000`00003164
      33 0004121D    000007f8`ba3a6000   00000000`000041c8
      34 000453E5    000007f7`bd259000   00000000`0000517c
      35 0004A561    000007f8`ba588000   00000000`000039d0
      36 0004DF31    000007f8`c2c2c000   00000000`00002204
      37 00050135    00000043`df44f8c8   00000000`00000738
      38 0005086D    000007f8`ba3cc000   00000000`000055b8
      39 00055E25    000007f7`bc254000   00000000`00000388
      40 000561AD    000007f8`bf2d1000   00000000`00001080
      41 0005722D    000007f7`bc25a000   00000000`00006000
      42 0005D22D    000007f8`bf2e0000   00000000`00000009
      43 0005D236    000007f8`c0313000   00000000`00003176
      44 000603AC    000007f8`ba5c4000   00000000`00001694
      45 00061A40    000007f8`c18a4000   00000000`0000e4ac
      46 0006FEEC    000007f8`c0fac000   00000000`00002a08
      47 000728F4    000007f8`bb423000   00000000`00003420
      48 00075D14    000007f8`ba068000   00000000`00002050
      49 00077D64    000007f8`c31d311b   00000000`00000100
      50 00077E64    00000043`deb9f998   00000000`00000668
      51 000784CC    000007f8`c0dfc000   00000000`00001adb
      52 00079FA7    000007f8`bffa4000   00000000`00000ce8
Total memory: 77bde
Stream 4: type SystemInfoStream (7), size 00000038, RVA 00000098
ProcessorArchitecture   0009 (PROCESSOR_ARCHITECTURE_AMD64)
ProcessorLevel          0006
ProcessorRevision       2A07
NumberOfProcessors      08
MajorVersion            00000006
MinorVersion            00000002
BuildNumber             000023F0 (9200)
PlatformId              00000002 (VER_PLATFORM_WIN32_NT)
CSDVersionRva           000011B0
                            Length: 0
Product: WinNt, suite: SingleUserTS
Stream 5: type MiscInfoStream (15), size 00000340, RVA 000000D0
Stream 6: type HandleDataStream (12), size 00000EE8, RVA 0007BB39
95 descriptors, header size is 16, descriptor size is 40
    Handle(0000000000000004,"Directory","\KnownDlls")
    Handle(0000000000000008,"File","")
    Handle(000000000000000C,"File","")
    Handle(0000000000000010,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Contro
l\SESSION MANAGER")
    Handle(0000000000000014,"ALPC Port","")
    Handle(0000000000000018,"File","")
    Handle(000000000000001C,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Contro
l\Nls\Sorting\Versions")
    Handle(0000000000000020,"Key","\REGISTRY\MACHINE")
    Handle(0000000000000000,"","")
    Handle(0000000000000028,"Event","")
    Handle(000000000000002C,"Event","")
    Handle(0000000000000030,"Event","")
    Handle(0000000000000034,"Event","")
    Handle(0000000000000038,"Event","")
    Handle(000000000000003C,"Event","")
    Handle(0000000000000000,"","")
    Handle(0000000000000044,"Directory","\Sessions\1\BaseNamedObjects")
    Handle(0000000000000000,"","")
    Handle(000000000000004C,"Event","")
    Handle(0000000000000050,"WindowStation","\Sessions\1\Windows\WindowStations\
WinSta0")
    Handle(0000000000000054,"Desktop","\Default")
    Handle(0000000000000058,"WindowStation","\Sessions\1\Windows\WindowStations\
WinSta0")
    Handle(000000000000005C,"File","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000080,"Semaphore","")
    Handle(0000000000000084,"Semaphore","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(00000000000000C4,"Section","")
    Handle(00000000000000C8,"Event","")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(00000000000000D4,"Event","")
    Handle(00000000000000D8,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920
-1887927527-1877126_CLASSES")
    Handle(0000000000000000,"","")
    Handle(00000000000000E0,"ALPC Port","")
    Handle(00000000000000E4,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920
-1887927527-1877126")
    Handle(00000000000000E8,"Section","\Windows\Theme3392824991")
    Handle(00000000000000EC,"Section","\Sessions\1\Windows\Theme2414463033")
    Handle(0000000000000000,"","")
    Handle(0000000000000000,"","")
    Handle(00000000000000F8,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Contro
l\Nls\Locale")
    Handle(00000000000000FC,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Contro
l\Nls\Locale\Alternate Sorts")
    Handle(0000000000000100,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Contro
l\Nls\Language Groups")
    Handle(0000000000000104,"File","")
    Handle(0000000000000108,"Section","")
    Handle(000000000000010C,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Contro
l\Nls\Sorting\Ids")
    Handle(0000000000000110,"Event","")
    Handle(0000000000000114,"Thread","")
    Handle(0000000000000118,"Event","")
    Handle(000000000000011C,"Mutant","")
    Handle(0000000000000000,"","")
    Handle(0000000000000124,"Event","")
    Handle(0000000000000128,"Event","")
    Handle(000000000000012C,"Event","")
    Handle(0000000000000130,"Event","")
    Handle(0000000000000134,"Event","")
    Handle(0000000000000000,"","")
    Handle(000000000000013C,"Section","\BaseNamedObjects\__ComCatalogCache__")
    Handle(0000000000000140,"File","")
    Handle(0000000000000144,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920
-1887927527-1877126_CLASSES")
    Handle(0000000000000000,"","")
    Handle(000000000000014C,"Event","\KernelObjects\MaximumCommitCondition")
    Handle(0000000000000150,"Key","\REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsR
untime\CLSID")
    Handle(0000000000000154,"Key","\REGISTRY\MACHINE\SOFTWARE\Classes\Activatabl
eClasses\CLSID")
    Handle(0000000000000158,"Section","\BaseNamedObjects\__ComCatalogCache__")
    Handle(000000000000015C,"Mutant","\Sessions\1\BaseNamedObjects\MSCTF.Asm.Mut
exDefault1")
    Handle(0000000000000160,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920
-1887927527-1877126_CLASSES")
    Handle(0000000000000164,"Event","")
    Handle(0000000000000168,"Event","")
    Handle(000000000000016C,"Thread","")
    Handle(0000000000000170,"Timer","")
    Handle(0000000000000174,"Event","")
    Handle(0000000000000000,"","")
    Handle(0000000000000184,"Section","\Sessions\1\BaseNamedObjects\windows_shel
l_global_counters")
Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
Stream 8: type UnusedStream (0), size 00000000, RVA 00000000
Stream 9: type UnusedStream (0), size 00000000, RVA 00000000

Windows 8 Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
Built by: 6.2.9200.16384 (win8_rtm.120725-1247)
Machine Name:
Debug session time: Tue Apr 30 18:37:57.000 2013 (UTC - 7:00)
System Uptime: not available
Process Uptime: 0 days 0:00:45.000
Kernel time: 0 days 0:00:00.000
User time: 0 days 0:00:00.000
*** WARNING: Unable to verify timestamp for user32.dll
*** ERROR: Module load completed but symbols could not be loaded for user32.dll
PEB at 000007f7bc254000
Unable to load image C:\Windows\System32\ntdll.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntdll.dll
*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***
*************************************************************************
error 3 InitTypeRead( nt!_PEB at 000007f7bc254000)...
Finished dump check