Crash Dump Analysis

Crash Dump Analysis Patterns (Part 31a)

Sponsored link: Memory Dump Analysis Services

I have already discussed Passive Thread pattern in user space. In this part I continue with kernel space and passive system threads that don’t run in any user process context. These threads belong to the so called System process, don’t have any user space stack and their full stack traces can be seen from the output of !process command (if not completely paged out):

1: kd> !process 0 ff System

or from system portion of !stacks 2 command.

Some system threads from that list belong to core OS functionality and are not passive (function offsets can vary for different OS versions and service packs):

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForSingleObject+0x5f5 nt!MmZeroPageThread+0×180 nt!Phase1Initialization+0xe nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForSingleObject+0x5f5 nt!MiModifiedPageWriter+0×59 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForMultipleObjects+0x703 nt!MiMappedPageWriter+0xad nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForMultipleObjects+0x703 nt!KeBalanceSetManager+0×101 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForSingleObject+0x5f5 nt!KeSwapProcessOrStack+0×44 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForSingleObject+0x5f5 nt!EtwpLogger+0xdd nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForSingleObject+0x5f5 nt!KiExecuteDpc+0×198 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForMultipleObjects+0x703 nt!CcQueueLazyWriteScanThread+0×73 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForMultipleObjects+0x703 nt!ExpWorkerThreadBalanceManager+0×85 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

Other threads belong to various worker queues (they can also be seen from !exqueue ff command output) and wait for data items to arrive (passive threads):

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeRemoveQueueEx+0x848 nt!ExpWorkerThread+0×104 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x26 nt!KiSwapThread+0x2e5 nt!KeRemoveQueue+0x417 nt!ExpWorkerThread+0xc8 nt!PspSystemThreadStartup+0×2e nt!KiThreadStartup+0×16

Non-Exp system threads having Worker, Logging or Logger substrings in their function names are passive threads and wait for data too, for example:

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForMultipleObjects+0x703 nt!PfTLoggingWorker+0×81 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForSingleObject+0x5f5 nt!EtwpLogger+0xdd nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeRemoveQueueEx+0x848 nt!KeRemoveQueue+0x21 rdpdr!RxpWorkerThreadDispatcher+0×6f nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeWaitForSingleObject+0x5f5 HTTP!UlpThreadPoolWorker+0×26c nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeRemoveQueueEx+0x848 nt!KeRemoveQueue+0x21 srv2!SrvProcWorkerThread+0×74 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

nt!KiSwapContext+0x84 nt!KiSwapThread+0x125 nt!KeRemoveQueueEx+0x848 nt!KeRemoveQueue+0x21 srv!WorkerThread+0×90 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

Any deviations in memory dump can raise suspicion like in the stack below for driver.sys

nt!KiSwapContext+0x26 nt!KiSwapThread+0x284 nt!KeWaitForSingleObject+0×346 nt!ExpWaitForResource+0xd5 nt!ExAcquireResourceExclusiveLite+0×8d nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0×19 driver!ProcessItem+0×2f driver!DelayedWorker+0×27 nt!ExpWorkerThread+0×104 nt!PspSystemThreadStartup+0×5b nt!KiStartSystemThread+0×16

- Dmitry Vostokov @ DumpAnalysis.org -

Museum of Debugging and Memory Dumps

7/7/2010 - 8/8/2010 Annual Competition: Tell Your Windows Debugging Story

Crash and Hang Analysis Audit Service

CARE: Crash Analysis Report Environment

Crash Dump and Software Trace Analysis Training and Seminars

Access OpenTask Titles on Safari Books Online

DATA (Dump Analysis + Trace Analysis) Facebook group
Please join the community of memory (dump) and trace analysis engineers. This group promotes scientific methods and memory dump-based worldview.

Twitter @ DumpAnalysis
You can now follow portal and blog news at DumpAnalysis on Twitter

LinkedIn Group Dr. Watson Enthusiasts
All about Dr. Watson errors and more. Get news, excerpts and progress reports about the forthcoming book The Science of Dr. Watson: An Illustrated History of Debugging (ISBN 978-1906717070)

2010 (0x7DA) - The Year of Dump Analysis
2011 (0x7DB) - 2020 (0x7E4) The Debugging Decade

International Memory Analysts and Debuggers Day:
07.07 and/or 08.08 starting from The Year of Dump Analysis, 2010, 7DA

Announcements

Coming Soon:

Management Bits: An Anthology from Reductionist Manager

Crash Dump Analysis: Practical Foundations (Windows Edition, Systematic Software Fault Analysis Series)

Debugging Notebook: Essential Concepts, WinDbg Commands and Tools

Crash Dump Analysis for System Administrators and Support Engineers

New Magazines:

Debugged! MZ/PE: MagaZine for/from Practicing Engineers

New Books:

Memory Dump Analysis Anthology: Color Supplement for Volumes 1-3

Memory Dump Analysis Anthology, Volume 3

First Fault Software Problem Solving: A Guide for Engineers, Managers and Users

x64 Windows Debugging: Practical Foundations

Also available:

Windows Debugging: Practical Foundations

DLL List Landscape: The Art from Computer Memory Space

Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov

WinDbg: A Reference Poster and Learning Cards

Memory Dump Analysis Anthology, Volume 2

Memory Dump Analysis Anthology, Volume 1

New Children's Book:

Baby Turing

Memory Dump It

This entry was posted on Tuesday, November 20th, 2007 at 12:51 pm and is filed under Crash Dump Analysis, Crash Dump Patterns. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Crash Dump Analysis Patterns (Part 31a)”

Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 83) Says:
April 14th, 2009 at 4:41 pm
[…] present and some are not suspicious because of their function or status, like Passive Threads or Passive System Threads. Going more fine-grained we can talk about components and their specific functions. For example, […]
Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 53) Says:
July 3rd, 2010 at 9:42 pm
[…] we introduce an icon for Passive System Thread (kernel space) […]

Crash Dump Analysis Patterns (Part 31a)

2 Responses to “Crash Dump Analysis Patterns (Part 31a)”

Leave a Reply