To troubleshoot Windows, you need to know the components. The architectural diagram below, identifies the major operating system components.The most important division is between

• user mode which is intended for application programs and
• kernel mode which is intended for the operating system.

In kernel mode, any computer instruction is possible, whereas in user mode, application programs are protected from each other. Instructions are restricted and programs are not allowed to directly access each others memory. If a user mode application violates these rules, it is shut down by Windows and Dr. Watson appears.

Dynamic Link Libraries

DLLs are a way to share program code and save memory. DLLs are libraries of executable code that can be shared my multiple programs. All versions of Windows have provided services with DLLs. The newest versions of Windows still implement the basic interfaces with the same 3 DLLs.

In previous versions of Windows, installation programs would update Windows DLLs. If an updated DLL was incompatible with an existing program, then that program would no longer work properly. Reverting back to the old DLL may make the new program fail. This situation is commonly referred to as DLL hell. Microsoft's solution to this is WFP Windows File Protection and Application compatibility mode.

Command Interpreters

Windows provides two command interpreters. COMMAND.COM should only be used to provide compatibility for legacy applications. Use CMD.EXE for processing normal commands. It has more functionality and it takes less system overhead.

Legacy is the nice word for old

DOS

To support each DOS application, Windows launches NTVDM.EXE to create a VDM, Virtual DOS Machine. Each DOS application has an associated NTVDM to provide a separate memory space and a separate queue for keyboard and mouse input. DOS applications use the normal DOS interfaces for services and hardware access and VDM delivers the results in the same manner as a real DOS machine.

Support for 16-bit applications can be disabled by disallowing access to the NTVDM.EXE file.

WIN16

To support 16-bit Windows applications, Windows launches WOWEXEC.EXE to emulate the 16-bit Windows 3.x environment.  WOWEXEC requires NTVDM.EXE. By default Windows runs all Win16 applications in one NTVDM.

To run a 16-bit application in its own separate memory space with an independent NTVDM, check the option in the Advanced Properties of the application shortcut as shown in the following dialog.

Keyboard Exercise

Launch COMMAND.COM and then use Task Manager to find the NTVDM process. If you launch an old Win16 16-bit Windows application, you will also see WOWEXEC as in the following dialog. Note how WOWEXEC and the Win16 winmin.exe are indented in the processes list.

Windows Management Instrumentation

WMI can provide detailed information on the internals of Windows, hardware, drivers, services, security, applications, processes, file systems, networks, etc.

WMI provides information in a tree structured namespace as shown in the following dialog. Microsoft provides an object interface to WMI so that script writers can get access to internal statistics.