Exam Profile MCTS 70-660: Windows Internals
Date: Oct 4, 2012
The 70-660 exam is meant to be taken by engineers, developers, or IT staff who work with Windows at a level that requires Windows Internals knowledge. Candidates for this exam are typically in the upper echelon of the technical staff at their companies. These individuals typically hold such positions as escalation engineer, technical lead, and software design engineer. Their level of knowledge spans products both inside and outside the Microsoft Corporation. These individuals are involved in resolving problems that require deep understanding of Windows Internals rather than problems about planning and infrastructure development or how to use or configure a product that runs on Windows.
After you pass Exam 70-660: TS: Windows Internals, you complete the requirements for the Microsoft Certified Technology Specialist (MCTS): Windows Internals certification.
Exam Details
- Number of Questions: Approximately 45 questions (Since Microsoft does not publish this information, the number of exam questions may change without notice.)
- Types of Questions: The test format is multiple-choice and multiple-choice, multiple-answer.
- Passing Score: 700
- Time Limit: 120 minutes
- How to Register: Prometric.com
This passing score does not mean that you must answer 70 percent of the items correctly in order to pass the exam. The actual percentage varies from exam to exam and may be more or less than 70 percent. There is no penalty for guessing. No points are deducted for incorrect answers. If a question specifies that you must choose multiple correct answers, you must choose the exact number of correct answers specified in the question in order to earn a point for that item. Some of the questions on the exam may not count toward the calculation of your score. Microsoft will often throw a question in that is meant to gather data that will help them improve the exam.
Trouble Spots
As with any exam, what is deemed difficult will vary from person to person. Be sure you are familiar with each of the topics in the exam objectives listed below.
- A process is an executing instance of an application. For example, when you double-click the Microsoft Excel icon, a process is started that runs Excel. A thread is a path of execution within a process, and a process can contain multiple threads. When you start Excel, the operating system creates a process and begins executing the primary thread of that process.
- Plug and Play (PnP) was developed by Microsoft for Windows 95 and later operating systems. It gives users the ability to plug a device into a computer and have the computer recognize the device without user intervention. For instance, if you plug a printer into a computer via a USB port, Windows will recognize that you have plugged in a device. If Windows can find a suitable driver for the device, it will install it automatically.
- The user-mode dump heap (UMDH) utility works with the operating system to analyze Windows heap allocations for a specific process. If you think that you are experiencing a memory leak, UMDH dumps information about the heap allocations of a process. The UMDH utility is included with Debugging Tools for Windows.
- Performance Monitor is used to examine how programs running on your computer affect its performance, both in real time and by collecting log data for later analysis. Performance Monitor uses performance counters, which are measurements of system state or activity. Windows Performance Monitor requests the current value of performance counters at specified time intervals.
- WinDbg is a multipurpose debugger for Microsoft Windows that can be used for debugging kernel-mode memory dumps, which are created after what is commonly called the Blue Screen of Death.
Preparation Hints
Review the Exam Objectives below and make sure that you are familiar with them. The Microsoft Windows Internals exam is designed for those who have experience in this environment. Always check the Microsoft site for the specific exam you are going to take. In this instance, the site is http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-660.
There are many web sites and blogs that can help you to research topics, but be careful to fully research the information you read. It is not advisable to try to find sites that list questions and answers, for several reasons. First, you don’t know if you will be asked a specific question; second, the answers given in a blog may be inaccurate; and third, you need to understand the information to adequately prepare.
When taking the exam, read each question carefully. Microsoft is notorious for adding a lot of unneeded information in their questions. Make sure that when you click on a choice, it is really marked. Be careful clicking anywhere on the screen. I found that by inadvertently clicking near the scroll bar on the right of the screen, I actually changed an answer. You get a single piece of paper and a marker for writing. You can use a small amount of time before you even start the exam to make notes once you enter the test area. Sometimes there is even a questionnaire at the beginning of the test that does not count against your test time. You can even use this time to write down notes, facts, tables or other information by taking your time between answers.
Recommended Study Resources
Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (Pro Developer) by David A. Solomon and Mark E. Russinovich
UCertify
Microsoft also has recommended classroom training:
- 50155A: Win Internals for IT (5 Days)
- 50154A: Win Internals for programmers (5 Days)
Exam Objectives
The exam objectives are broken up into six different categories. This exam validates in-depth technical skills in the area of Windows Internals, which include troubleshooting operating systems that are not performing as expected or applications that are not working correctly, identifying code defects, and developing and debugging applications that run unmanaged code or that are tightly integrated with the operating system, such as Microsoft SQL Server, third-party applications, antivirus software, and device drivers.
The percentages indicate the relative weight of each major topic area on the exam. The higher the percentage, the more questions you are likely to see on that content area on the exam.
The objectives for Exam 70-660 as stated by Microsoft are as follows:
Identifying Architectural Components (16%)
- Identify memory types and mechanisms.
  This objective may include but is not limited to: nonpaged vs. paged; memory descriptor lists; physical memory vs. logical memory; address translation; heap memory.
- Identify I/O mechanisms.
  This objective may include but is not limited to: Plug and play; IRQL levels; I/O request packets (IRPs); I/O manager; device stacks; filter drivers; timers
- Identify subsystems.
  This objective may include but is not limited to: Object manager; cache manager; process manager; memory manager; security reference monitor
- Identify processor functions and architecture.
  This objective may include but is not limited to: Interrupts; processor affinity; system service calls; 64-bit vs. 32-bit
- Identify process and threads.
  This objective may include but is not limited to: Process environment block (PEB); thread environment block (TEB); thread scheduling, states and priority
Designing Solutions (15%)
- Optimize a system for its drivers.
  This objective may include but is not limited to: driver signing; identifying filter drivers; timers and deferred procedure calls (DPCs); system worker threads; Driver Verifier
- Design applications.
  This objective may include but is not limited to: Application Verifier; gflags; kernel mode vs. user mode threads; structured exception handling (SEH); memory mapped files; authentication mechanisms; synchronization primitives
- Deploy compatible applications.
  This objective may include but is not limited to: Application Verifier; Application Compatibility Toolkit (ACT); gflags
- Identify optimal I/O models for applications.
  This objective may include but is not limited to: synchronous vs. asynchronous I/O; I/O completion ports; multithreaded applications
Monitoring Windows (14%)
- Monitor I/O latency.
  This objective may include but is not limited to: Perfmon; disk I/O; application performance; device I/O
- Monitor I/O throughput.
  This objective may include but is not limited to: filter drivers; cache manager; xperf; kernrate
- Monitor memory usage.
  This objective may include but is not limited to: nonpaged vs paged pool; user memory vs. kernel memory; debugging memory leaks; memory corruption; heap corruption
- Monitor CPU utilization.
  This objective may include but is not limited to: thread time; kernel vs. user time; thread states; Perfmon; WinDbg; Xperf; Kernrate
- Monitor handled and unhandled exceptions.
  This objective may include but is not limited to: Adplus; Dr Watson; Windows Error Reporting (WER); default post-mortem debuggers; exception handling
Analyzing User Mode (18%)
- Analyze heap leaks.
  This objective may include but is not limited to: UMDH (User-mode dump heap); user mode stack tracing; WinDbg; Application Verifier; Gflags; Perfmon
- Analyze heap corruption.
  This objective may include but is not limited to: Page heap; WinDbg; Application Verifier; Gflags
- Handle leaks.
  This objective may include but is not limited to: Procmon (Process Monitor); Perfmon; WinDbg; htrace; Process Explorer; Handle.exe
- Resolve image load issues.
  This objective may include but is not limited to: Tlist; loader snaps; dll dependencies; application manifests; 64-bit applications vs. 32-bit applications; tasklist
- Analyze services and host processes.
  This objective may include but is not limited to: sc.exe; services; service dependencies; service isolation; services startup types; service registry entries
- Analyze cross-process application calls.
  This objective may include but is not limited to: RPC; LPC; shared memory; named pipes; process startup; winsock
- Analyze the modification of executables at runtime.
  This objective may include but is not limited to: WinDbg; image corruption; detours; hot patches
- Analyze GUI performance issues.
  This objective may include but is not limited to: spy++; message queues; Application Verifier; TraceTools; ATL Trace; Task Manager
Analyzing Kernel Mode (19%)
- Find and identify objects in object manager namespaces and identify the objects’ attributes.
  This objective may include but is not limited to: Winobj.exe; symbolic links; object namespace; security descriptors; global namespace; device objects; file objects; object manager; semaphores
- Analyze Plug and Play (PnP) device failure.
  This objective may include but is not limited to: removal failures; global device list; WinDbg; device adds and removes; power handling
- Analyze pool corruption.
  This objective may include but is not limited to: Driver Verifier; WinDbg; pool tags; Poolmon; guard pages
- Analyze pool leaks.
  This objective may include but is not limited to: WinDbg; poolmon; Driver Verifier; crash dump analysis; paged and nonpaged pool; cache trimming
- Isolate the root cause of S state failure.
  This objective may include but is not limited to: System power states and transitions; power IRP handling
- Analyze kernel mode CPU utilization.
  This objective may include but is not limited to: kernrate.exe; WinDbg; deadlocks; Performance monitoring; event tracing
Debugging Windows (18%)
- Debug memory.
  This objective may include but is not limited to: Heap; pool; virtual memory vs. physical memory; stack; analyzing crash dumps and user dumps
- Identify a pending I/O.
  This objective may include but is not limited to: WinDbg; deadlocks; I/O manager; IRP processing
- Identify a blocking thread.
  This objective may include but is not limited to: thread state; locks; synchronization objects
- Identify a runaway thread.
  This objective may include but is not limited to: thread priorities; processor affinity; Perfmon; kernrate
- Debug kernel crash dumps.
  This objective may include but is not limited to: WinDbg; DPCs; Assembler; forcing kernel crash dumps; trap processing; register usage; call stack composition (prolog/epilog); processes vs. threads
- Debug user crash dumps.
  This objective may include but is not limited to: dump types; forcing user crash dumps; gflags; system resource utilization (CPU, disk, network, memory)
- Set up the debugger.
  This objective may include but is not limited to: WinDbg; physical connection (USB, rs-232, 1394); boot.ini; bcdedit; remoting; NMI; debugging system processes
Where to Go from Here
After you pass the Microsoft Windows Internals (70-660) exam, you may want to take Exam 70-685: Pro: Windows 7, Enterprise Desktop Support Technician.