I like to take a close look at what's going on inside Windows. To that end, I consider WinDbg my best tool.
I write WinDbg scripts (WinDbg applications) almost every day. Every output tells me that Windows is just like an ecosystem: its world wags on as our daily world does. How do you analyze the kernel? _FILE_OBJECT is the best place to start from! The log below is from a script that walks the handle table of notepad.exe, printing each handle's index and object type, and dumps the _FILE_OBJECT behind every File handle.
0:000> $$><d:\\windbg\\app_handletable\\fileobject_1.txt
Closing open log file d:\windbg\log_objecttable\fileobject_0.log
Opened log file 'd:\windbg\log_objecttable\fileobject_1_426.log'
Attach will occur on next execution
Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Symbol search path is: SRV*C:\OSSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Kernel base = 0x804d9000 PsLoadedModuleList = 0x8055d1c0
Debug session time: Mon Apr 27 17:05:21.889 2009 (GMT+9)
System Uptime: 0 days 9:40:13.459
Target Process is notepad.exe
00000001/00000080
KeyedEvent
00000002/00000080
Directory
00000003/00000080
Key
00000004/00000080
File
struct _FILE_OBJECT * 0xffbc6b80
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x81314e30 _DEVICE_OBJECT
+0x008 Vpb : 0x813612c0 _VPB
+0x00c FsContext : 0xe1669810
+0x010 FsContext2 : 0xe2c881e0
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0x1 ''
+0x02a SharedWrite : 0x1 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40002
+0x030 FileName : _UNICODE_STRING "\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
00000005/00000080
Directory
00000006/00000080
Port
00000007/00000080
Semaphore
00000008/00000080
Semaphore
00000009/00000080
Directory
0000000A/00000080
Mutant
0000000B/00000080
Key
0000000C/00000080
WindowStation
0000000D/00000080
Event
0000000E/00000080
Desktop
0000000F/00000080
WindowStation
00000010/00000080
Semaphore
00000011/00000080
File
struct _FILE_OBJECT * 0x81202790
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x81314e30 _DEVICE_OBJECT
+0x008 Vpb : 0x813612c0 _VPB
+0x00c FsContext : 0xe1669810
+0x010 FsContext2 : 0xe2c70478
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0x1 ''
+0x02a SharedWrite : 0x1 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40002
+0x030 FileName : _UNICODE_STRING "\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
00000012/00000080
Event
00000013/00000080
Semaphore
[---]
[---]
eax=00000000 ebx=003b0000 ecx=0007f2c8 edx=7c94e514 esi=0007f2c8 edi=00000000
eip=7c9500e8 esp=0007f038 ebp=0007f258 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlAllocateHeap+0x24:
7c9500e8 0b4310 or eax,dword ptr [ebx+10h] ds:0023:003b0010=00000000
Detached
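The dump above is easy to read by eye for one process, but a defender reviewing many such logs wants it as data: which handles are Files, what the process may do through each one, and what the Flags word means. The parser below is an added example, not the author's WinDbg script. It reads the script's output format as printed on this page (an index/second-number line, the object type on the next line, and a dt of _FILE_OBJECT for File handles), decodes Flags with the FO_* bit values from the WDK header ntifs.h, and lists files held with write or delete access or with FO_DELETE_ON_CLOSE set. The second number on each handle line is kept as printed without assuming its meaning. The sample input is an excerpt of the page's dump (trimmed to the fields used here) plus one constructed File entry (address 0x81ab1234, scratch.tmp) so the filter has something to report.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# FO_* bits of _FILE_OBJECT.Flags as defined in the WDK header ntifs.h;
# only the values needed to decode the dumps on this page are listed.
FO_FLAGS = {0x1: "FO_FILE_OPEN", 0x2: "FO_SYNCHRONOUS_IO", 0x8: "FO_NO_INTERMEDIATE_BUFFERING",
            0x40: "FO_CACHE_SUPPORTED", 0x1000: "FO_FILE_MODIFIED", 0x10000: "FO_DELETE_ON_CLOSE",
            0x20000: "FO_OPENED_CASE_SENSITIVE", 0x40000: "FO_HANDLE_CREATED"}

HANDLE_RE = re.compile(r"^([0-9A-Fa-f]{8})/([0-9A-Fa-f]{8})$")   # "00000004/00000080"
STRUCT_RE = re.compile(r"^struct _FILE_OBJECT \* (0x[0-9a-fA-F]+)$")
FIELD_RE = re.compile(r"^\+0x[0-9a-f]{3}\s+(\w+)\s*:\s*(.*)$")     # "+0x02c Flags : 0x40002"

@dataclass
class Handle:
    index: int                          # first number of the "index/second" line
    second: int                         # second number, kept as printed
    obj_type: Optional[str] = None
    file_object: Optional[int] = None   # _FILE_OBJECT address for File handles
    fields: dict = field(default_factory=dict)

def parse_value(raw: str):
    """dt field value -> int, str for _UNICODE_STRING, None for (null), else raw text."""
    m = re.match(r'_UNICODE_STRING\s+"(.*)"$', raw)
    if m:
        return m.group(1)
    if raw == "(null)":
        return None
    m = re.match(r"(0x[0-9a-fA-F]+|\d+)", raw)   # "0x1 ''", "0 ''", "112", "0x81314e30 _DEVICE_OBJECT"
    return int(m.group(1), 0) if m else raw

def parse_dump(text: str):
    """Walk the script output; the session banner and register dump are ignored."""
    handles, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HANDLE_RE.match(line)
        if m:
            current = Handle(int(m.group(1), 16), int(m.group(2), 16))
            handles.append(current)
        elif current is None:
            continue
        elif current.obj_type is None and re.fullmatch(r"\w+", line):
            current.obj_type = line     # the type name follows the index line
        elif (m := STRUCT_RE.match(line)):
            current.file_object = int(m.group(1), 16)
        elif current.file_object is not None and (m := FIELD_RE.match(line)):
            current.fields[m.group(1)] = parse_value(m.group(2))
    return handles

def decode_flags(flags: int):
    names = [name for bit, name in sorted(FO_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(FO_FLAGS)     # bits not in the table are shown as hex
    return names + [f"0x{unknown:x}"] if unknown else names

def type_counts(handles):
    return Counter(h.obj_type for h in handles)

def writable_files(handles):
    """File handles through which the process can modify or remove data:
    WriteAccess or DeleteAccess granted, or FO_DELETE_ON_CLOSE set."""
    out = []
    for h in handles:
        if h.obj_type != "File" or h.file_object is None:
            continue
        f = h.fields
        if f.get("WriteAccess") or f.get("DeleteAccess") or f.get("Flags", 0) & 0x10000:
            out.append((h.index, f.get("FileName"), decode_flags(f.get("Flags", 0))))
    return out

# Constructed sample: excerpt of the page's dump (handles 1, 4, 5 trimmed to the
# fields used here) plus one made-up File entry, 0x81ab1234, opened for write.
SAMPLE = r"""
Target Process is notepad.exe
00000001/00000080
KeyedEvent
00000004/00000080
File
struct _FILE_OBJECT * 0xffbc6b80
+0x000 Type : 5
+0x004 DeviceObject : 0x81314e30 _DEVICE_OBJECT
+0x014 SectionObjectPointer : (null)
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x02c Flags : 0x40002
+0x030 FileName : _UNICODE_STRING "\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
00000005/00000080
Directory
00000006/00000080
File
struct _FILE_OBJECT * 0x81ab1234
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0x1 ''
+0x028 DeleteAccess : 0 ''
+0x02c Flags : 0x50002
+0x030 FileName : _UNICODE_STRING "\DOCUME~1\user\LOCALS~1\Temp\scratch.tmp"
[---]
Detached
"""

if __name__ == "__main__":
    hs = parse_dump(SAMPLE)
    print(dict(type_counts(hs)))
    for idx, name, flags in writable_files(hs):
        print(f"handle {idx:#x}: {name} {flags}")
```

Flags 0x40002 on the page's handles decodes to FO_SYNCHRONOUS_IO | FO_HANDLE_CREATED; combined with ReadAccess=1 and WriteAccess=0, those are read-only opens of the WinSxS directory, which is what a process loading common controls should look like. The constructed entry (WriteAccess=1, FO_DELETE_ON_CLOSE) is the kind of handle worth a second look during triage.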
Copyright © Takashi Toyota 2004-2010