Crash Dump Analysis

Process and Thread Startup in Vista

DATA (Dump Analysis + Trace Analysis) Facebook group
Please join the community of memory (dump) and trace analysis engineers. This group promotes scientific methods and memory dump-based worldview.

Twitter @ DumpAnalysis
You can now follow portal and blog news at DumpAnalysis on Twitter

LinkedIn Group Dr. Watson Enthusiasts
All about Dr. Watson errors and more. Get news, excerpts and progress reports about the forthcoming book The Science of Dr. Watson: An Illustrated History of Debugging (ISBN 978-1906717070)

2010 (0x7DA) - The Year of Dump Analysis
2011 (0x7DB) - 2020 (0x7E4) The Debugging Decade

If you looked at process dumps from Vista or did live debugging you might have noticed that there are no longer kernel32 functions BaseProcessStart on the main thread stack and BaseThreadStart on subsequent thread stacks. In Vista we have ntdll!_RtlUserThreadStart which calls kernel32!BaseThreadInitThunk for both main and secondary threads:

0:002> ~*k 0 Id: 13e8.1348 Suspend: 1 Teb: 7ffdf000 Unfrozen ChildEBP RetAddr 0009f8d8 77b7199a ntdll!KiFastSystemCallRet 0009f8dc 77b719cd USER32!NtUserGetMessage+0xc 0009f8f8 006b24e8 USER32!GetMessageW+0x33 0009f954 006c2588 calc!WinMain+0x278 0009f9e4 77603833 calc!_initterm_e+0x1a1 0009f9f0 779ea9bd kernel32!BaseThreadInitThunk+0xe 0009fa30 00000000 ntdll!_RtlUserThreadStart+0×23 1 Id: 13e8.534 Suspend: 1 Teb: 7ffde000 Unfrozen ChildEBP RetAddr 0236f9d8 77a106a0 ntdll!KiFastSystemCallRet 0236f9dc 776077d4 ntdll!NtWaitForSingleObject+0xc 0236fa4c 77607742 kernel32!WaitForSingleObjectEx+0xbe 0236fa60 006b4958 kernel32!WaitForSingleObject+0×12 0236fa78 77603833 calc!WatchDogThread+0×21 0236fa84 779ea9bd kernel32!BaseThreadInitThunk+0xe 0236fac4 00000000 ntdll!_RtlUserThreadStart+0×23 # 2 Id: 13e8.1188 Suspend: 1 Teb: 7ffdd000 Unfrozen ChildEBP RetAddr 0078fec8 77a3f0a9 ntdll!DbgBreakPoint 0078fef8 77603833 ntdll!DbgUiRemoteBreakin+0×3c 0078ff04 779ea9bd kernel32!BaseThreadInitThunk+0xe 0078ff44 00000000 ntdll!_RtlUserThreadStart+0×23

0:000> .asm no_code_bytes Assembly options: no_code_bytes 0:000> uf ntdll!_RtlUserThreadStart ... ... ... ntdll!_RtlUserThreadStart: 779ea996 push 14h 779ea998 push offset ntdll! ?? ::FNODOBFM::`string'+0xb6e (779ff108) 779ea99d call ntdll!_SEH_prolog4 (779f47d8) 779ea9a2 and dword ptr [ebp-4],0 779ea9a6 mov eax,dword ptr [ntdll!Kernel32ThreadInitThunkFunction (77a752a0)] 779ea9ab push dword ptr [ebp+0Ch] 779ea9ae test eax,eax 779ea9b0 je ntdll!_RtlUserThreadStart+0x32 (779c6326) ... ... ... 0:000> dds ntdll!Kernel32ThreadInitThunkFunction l1 77a752a0 77603821 kernel32!BaseThreadInitThunk

- Dmitry Vostokov -

Announcements

Coming Soon:

Debugging Notebook: Essential Concepts, WinDbg Commands and Tools

Crash Dump Analysis for System Administrators and Support Engineers

New Magazines:

Debugged! MZ/PE: MagaZine for/from Practicing Engineers

New Books:

Memory Dump Analysis Anthology, Volume 3

First Fault Software Problem Solving: A Guide for Engineers, Managers and Users

x64 Windows Debugging: Practical Foundations

Also available:

Windows Debugging: Practical Foundations

DLL List Landscape: The Art from Computer Memory Space

Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov

WinDbg: A Reference Poster and Learning Cards

Memory Dump Analysis Anthology, Volume 2

Memory Dump Analysis Anthology, Volume 1

New Children's Book:

Baby Turing

Memory Dump It

This entry was posted on Saturday, May 19th, 2007 at 10:47 am and is filed under Crash Dump Analysis, Debugging, Vista. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Process and Thread Startup in Vista

Leave a Reply