Object names and waiting threads
Sometimes we have threads waiting for synchronization objects such as events, and it is useful to know the names of those objects (or, conversely, to find which threads wait on a given named object), because that can tell us whether a particular thread and object are relevant to the problem. For example, here is a thread from the output of the !process 0 ff WinDbg command applied to a complete memory dump:
THREAD 86047968 Cid 01e8.04d4 Teb: 7ffaa000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Non-Alertable
8604b750 NotificationEvent
86013070 NotificationEvent
Not impersonating
DeviceMap e1007d00
Owning Process 86014ba0 Image: winlogon.exe
Wait Start TickCount 997 Ticks: 788709 (0:03:25:23.578)
Context Switch Count 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address USERENV!NotificationThread (0x76929dd9)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f5d48000 Current f5d47914 Base f5d48000 Limit f5d45000 Call 0
Priority 10 BasePriority 10 PriorityDecrement 0
Kernel stack not resident.
ChildEBP RetAddr
f5d4792c 8082ffb7 nt!KiSwapContext+0x25
f5d47944 808282b0 nt!KiSwapThread+0x83
f5d47978 80930d34 nt!KeWaitForMultipleObjects+0x320
f5d47bf4 80930e96 nt!ObpWaitForMultipleObjects+0x202
f5d47d48 80883908 nt!NtWaitForMultipleObjects+0xc8
f5d47d48 7c8285ec nt!KiFastCallEntry+0xf8
00f1fec0 7c827cfb ntdll!KiFastSystemCallRet
00f1fec4 77e6202c ntdll!NtWaitForMultipleObjects+0xc
00f1ff6c 77e62fbe kernel32!WaitForMultipleObjectsEx+0x11a
00f1ff88 76929e35 kernel32!WaitForMultipleObjects+0x18
00f1ffb8 77e64829 USERENV!NotificationThread+0x5f
00f1ffec 00000000 kernel32!BaseThreadStart+0x34
Alternatively, we have switched to the winlogon.exe process and are inspecting this thread:
kd> .process 86014ba0
Implicit process is now 86014ba0
kd> .reload /user
Loading User Symbols
kd> .thread 86047968
Implicit thread is now 86047968
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
f5d4792c 8082ffb7 86047968 ffdff120 00002700 nt!KiSwapContext+0x25
f5d47944 808282b0 86047968 00000002 00000000 nt!KiSwapThread+0x83
f5d47978 80930d34 00000002 f5d47aac 00000001 nt!KeWaitForMultipleObjects+0x320
f5d47bf4 80930e96 00000002 f5d47c1c 00000001 nt!ObpWaitForMultipleObjects+0x202
f5d47d48 80883908 00000002 00f1ff10 00000001 nt!NtWaitForMultipleObjects+0xc8
f5d47d48 7c8285ec 00000002 00f1ff10 00000001 nt!KiFastCallEntry+0xf8
00f1fec0 7c827cfb 77e6202c 00000002 00f1ff10 ntdll!KiFastSystemCallRet
00f1fec4 77e6202c 00000002 00f1ff10 00000001 ntdll!NtWaitForMultipleObjects+0xc
00f1ff6c 77e62fbe 00000002 769cd34c 00000000 kernel32!WaitForMultipleObjectsEx+0x11a
00f1ff88 76929e35 00000002 769cd34c 00000000 kernel32!WaitForMultipleObjects+0x18
00f1ffb8 77e64829 00000000 00000000 00000000 USERENV!NotificationThread+0x5f
00f1ffec 00000000 76929dd9 00000000 00000000 kernel32!BaseThreadStart+0x34
kd> dd f5d47aac l2
f5d47aac 8604b750 86013070
The second argument of nt!KeWaitForMultipleObjects in the kv output (f5d47aac) is the pointer to the array of waited-on objects and its first argument (00000002) is their count, so dumping two DWORDs at that address gives the same two event addresses as the thread listing. The WinDbg !object command shows names for named synchronization objects:
kd> !object 8604b750
Object: 8604b750 Type: (86598990) Event
ObjectHeader: 8604b738 (old version)
HandleCount: 1 PointerCount: 2
kd> !object 86013070
Object: 86013070 Type: (86598990) Event
ObjectHeader: 86013058 (old version)
HandleCount: 10 PointerCount: 18
Directory Object: e19b61c0 Name: userenv: Machine Group Policy has been applied
We see that the second object is named and is related to group policy. The same technique can be applied in reverse. For example, suppose we want to find which thread is waiting for the 85efb848 event:
kd> !object \BaseNamedObjects
Object: e19b61c0 Type: (865cab50) Directory
ObjectHeader: e19b61a8 (old version)
HandleCount: 75 PointerCount: 259
Directory Object: e10012c8 Name: BaseNamedObjects
Hash Address Type Name
---- ------- ---- ----
...
...
...
861697f0 Event COM+ Tracker Push Event
85f6fbb0 Event WMI_ProcessIdleTasksComplete
85efb848 Event VMwareToolsServiceEvent
...
...
...
Looking at the threads listed by the !process 0 ff command, we find that a VMwareService.exe thread is waiting on it:
THREAD 8633bd40 Cid 0664.0680 Teb: 7ffde000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Alertable
85efb848 SynchronizationEvent
8633bdb8 NotificationTimer
Not impersonating
DeviceMap e1007d00
Owning Process 862fa938 Image: VMwareService.exe
Wait Start TickCount 789703 Ticks: 3 (0:00:00:00.046)
Context Switch Count 120485
UserTime 00:00:00.093
KernelTime 00:00:00.062
Win32 Start Address ADVAPI32!ScSvcctrlThreadA (0x77f65e70)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f5cc8000 Current f5cc7914 Base f5cc8000 Limit f5cc5000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0
ChildEBP RetAddr
f5cc792c 8082ffb7 nt!KiSwapContext+0x25
f5cc7944 808282b0 nt!KiSwapThread+0x83
f5cc7978 80930d34 nt!KeWaitForMultipleObjects+0x320
f5cc7bf4 80930e96 nt!ObpWaitForMultipleObjects+0x202
f5cc7d48 80883908 nt!NtWaitForMultipleObjects+0xc8
f5cc7d48 7c8285ec nt!KiFastCallEntry+0xf8
00a5fe4c 7c827cfb ntdll!KiFastSystemCallRet
00a5fe50 77e6202c ntdll!NtWaitForMultipleObjects+0xc
00a5fef8 0040158e kernel32!WaitForMultipleObjectsEx+0x11a
WARNING: Stack unwind information not available. Following frames may be wrong.
00a5ff18 00402390 VMwareService+0x158e
00a5ff84 00402f5a VMwareService+0x2390
00a5ffa4 77f65e91 VMwareService+0x2f5a
00a5ffb8 77e64829 ADVAPI32!ScSvcctrlThreadW+0x21
00a5ffec 00000000 kernel32!BaseThreadStart+0x34
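As an added example (not part of the original post and not a DumpAnalysis.org tool), the following Python script automates both directions of the lookup by parsing the text that !process 0 ff and !object print: it collects each waiting thread's object list, resolves object addresses to names from !object output (either the Name: line of a single object or the rows of a directory listing, including the hashed x64 rows that the root-directory listing uses), and answers the reverse question of which threads wait on a given address. All sample text inside it is constructed from the listings above, and the regular expressions assume the line shapes shown on this page.

```python
"""Cross-reference WinDbg thread wait lists with Object Manager names.

Added example, not code from the original post: parses the text that '!process 0 ff'
and '!object' print, then answers both questions from the post in either direction.
All sample text below is constructed from the listings in the post.
"""
import re

# Constructed sample: two thread blocks in the shape '!process 0 ff' prints.
PROCESS_OUTPUT = """\
THREAD 86047968  Cid 01e8.04d4  Teb: 7ffaa000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Non-Alertable
    8604b750  NotificationEvent
    86013070  NotificationEvent
Not impersonating
Owning Process            86014ba0       Image:         winlogon.exe
THREAD 8633bd40  Cid 0664.0680  Teb: 7ffde000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Alertable
    85efb848  SynchronizationEvent
    8633bdb8  NotificationTimer
Not impersonating
Owning Process            862fa938       Image:         VMwareService.exe
"""

# Constructed sample: '!object <addr>' output for the two events winlogon waits on.
OBJECT_OUTPUTS = [
    "Object: 8604b750  Type: (86598990) Event\n    HandleCount: 1  PointerCount: 2\n",
    "Object: 86013070  Type: (86598990) Event\n    HandleCount: 10  PointerCount: 18\n"
    "    Directory Object: e19b61c0  Name: userenv: Machine Group Policy has been applied\n",
]

# Constructed sample: table rows of '!object \BaseNamedObjects' (the hash column may be empty).
DIRECTORY_OUTPUT = """\
    Hash Address  Type          Name
    ---- -------  ----          ----
     02  861697f0 Event         COM+ Tracker Push Event
         85f6fbb0 Event         WMI_ProcessIdleTasksComplete
         85efb848 Event         VMwareToolsServiceEvent
"""

HEX = r"[0-9a-f]{8,16}"  # x86 and x64 kernel addresses
THREAD_RE = re.compile(rf"^THREAD\s+({HEX})\s+Cid\s+([0-9a-f]+\.[0-9a-f]+)")
WAIT_RE = re.compile(rf"^({HEX})\s+(\w+)$")  # e.g. "8604b750 NotificationEvent"
OWNER_RE = re.compile(r"^Owning Process\s+[0-9a-f]+\s+Image:\s+(\S+)")
OBJECT_RE = re.compile(rf"^Object:\s+({HEX})\s+Type:\s+\([0-9a-f]+\)\s+(ALPC Port|\S+)")
NAME_RE = re.compile(r"^Directory Object:\s+[0-9a-f]+\s+Name:\s+(.*)$")
DIR_ROW_RE = re.compile(rf"^(?:\d+\s+)?({HEX})\s+(ALPC Port|\S+)(?:\s+(.*))?$")


def parse_thread_waits(text):
    """Return {thread_addr: {"cid": "pid.tid", "image": str, "waits": [(obj_addr, wait_type)]}}."""
    threads, current, in_wait_list = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = THREAD_RE.match(line)
        if m:  # new thread block; its waited-on objects follow a WAIT: header directly
            current = threads[m.group(1)] = {"cid": m.group(2), "image": None, "waits": []}
            in_wait_list = "WAIT:" in line
        elif current is not None and in_wait_list and WAIT_RE.match(line):
            current["waits"].append(WAIT_RE.match(line).groups())
        elif current is not None:
            in_wait_list = False  # the first non-object line ends the wait list
            o = OWNER_RE.match(line)
            if o:
                current["image"] = o.group(1)
    return threads


def parse_object(text):
    """Parse one '!object <addr>' output into (addr, type, name); name is None when unnamed."""
    addr = otype = name = None
    for line in (raw.strip() for raw in text.splitlines()):
        if OBJECT_RE.match(line):
            addr, otype = OBJECT_RE.match(line).groups()
        elif NAME_RE.match(line):
            name = NAME_RE.match(line).group(1).strip()
    return addr, otype, name


def parse_directory(text):
    """Return {obj_addr: (type, name)} from the table rows of '!object <directory>' output."""
    rows = {}
    for raw in text.splitlines():
        m = DIR_ROW_RE.match(raw.strip())
        if m:
            rows[m.group(1)] = (m.group(2), (m.group(3) or "").strip())
    return rows


def objects_for_thread(threads, names, thread_addr):
    """Forward direction: each object the thread waits on, with its name when it has one."""
    return [(addr, wtype, names.get(addr)) for addr, wtype in threads[thread_addr]["waits"]]


def threads_waiting_on(threads, obj_addr):
    """Reverse direction: every thread whose wait list contains obj_addr."""
    return sorted((t, info["image"]) for t, info in threads.items()
                  if any(a == obj_addr for a, _ in info["waits"]))


def demo():
    """Run both lookups from the post over the constructed samples."""
    threads = parse_thread_waits(PROCESS_OUTPUT)
    names = {a: n for a, _, n in map(parse_object, OBJECT_OUTPUTS) if n}
    names.update({a: n for a, (_, n) in parse_directory(DIRECTORY_OUTPUT).items()})
    return objects_for_thread(threads, names, "86047968"), threads_waiting_on(threads, "85efb848")
```

In practice, save the debugger output with .logopen before running the commands and feed the log file to the parsers. Note that an entry such as 8633bdb8 NotificationTimer, whose address lies inside the 8633bd40 thread object itself, is the thread's own wait-timeout timer rather than a shared named object, so only the other wait-list entries are worth resolving.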
The !object command is the equivalent of the WinObj tool: it lets us inspect the Windows Object Manager namespace as it existed at the time the memory dump was saved. Here is the root directory from my x64 Vista workstation:
lkd> !object \
Object: fffff880000056c0 Type: (fffffa800183fde0) Directory
ObjectHeader: fffff88000005690 (old version)
HandleCount: 0 PointerCount: 50
Directory Object: 00000000 Name: \
Hash Address Type Name
---- ------- ---- ----
01 fffff88000005510 Directory ObjectTypes
03 fffffa80047574e0 Event NETLOGON_SERVICE_STARTED
05 fffff8800156fb00 SymbolicLink SystemRoot
06 fffff880018bfeb0 Directory Sessions
07 fffffa800448eb90 ALPC Port MmcssApiPort
08 fffff8800000a060 Directory ArcName
09 fffff88000081e10 Directory NLS
fffffa80047523c0 ALPC Port XactSrvLpcPort
10 fffffa8004504e60 ALPC Port ThemeApiPort
fffff880018efce0 Directory Windows
fffff88000007bd0 Directory GLOBAL??
fffffa8004199de0 Event LanmanServerAnnounceEvent
fffffa80043027d0 Event DSYSDBG.Debug.Trace.Memory.2a4
11 fffff8800189feb0 Directory RPC Control
13 fffffa8003ed6490 Event EFSInitEvent
14 fffffa8002746bd0 Device clfs
fffff88000fb6b10 -
15 fffffa8003dd5060 ALPC Port SeRmCommandPort
fffffa80040c7210 Event CsrSbSyncEvent
16 fffff880000052e0 SymbolicLink DosDevices
fffffa8004626c70 Device Cdfs
17 fffff8800471c210 Directory KnownDlls32
fffffa8004770490 ALPC Port AELPort
fffffa8004342680 Event EFSSrvInitEvent
18 fffff8800000a2b0 Key \REGISTRY
fffffa8004851900 ALPC Port WindowsErrorReportingServicePort
19 fffff88004732380 Directory BaseNamedObjects
21 fffff88000072d00 Directory UMDFCommunicationPorts
fffffa8004182120 ALPC Port SmSsWinStationApiPort
fffffa8003ddbe60 Event UniqueInteractiveSessionIdEvent
22 fffff88000875a00 Directory KnownDlls
fffffa8003ece330 Device FatCdrom
fffffa8003a16720 Device Fat
23 fffff88000005120 Directory KernelObjects
fffff88000081ab0 Directory FileSystem
fffffa8002a5f620 Device Ntfs
26 fffff88000007300 Directory Callback
fffffa80042e14c0 ALPC Port SeLsaCommandPort
28 fffff880000095f0 Directory Security
29 fffffa8004574e60 ALPC Port UxSmsApiPort
30 fffff88000013060 Directory Device
fffffa8004342700 Event EFSSmbInitEvent
32 fffffa8004342260 ALPC Port LsaAuthenticationPort
34 fffffa8003dd7e60 ALPC Port SmApiPort
fffff88004bf5080 Section LsaPerformance
fffffa8003f65160 Event UniqueSessionIdEvent
36 fffff88000081c60 Directory Driver
fffffa8004308c00 Event SAM_SERVICE_STARTED
We can inspect any directory or object, for example:
lkd> !object \FileSystem
Object: fffff88000081ab0 Type: (fffffa800183fde0) Directory
ObjectHeader: fffff88000081a80 (old version)
HandleCount: 0 PointerCount: 31
Directory Object: fffff880000056c0 Name: FileSystem
Hash Address Type Name
---- ------- ---- ----
02 Unable to read directory entry at fffff88004d46ca0
03 fffffa80041a9bc0 Driver mrxsmb20
04 fffffa8004371450 Driver luafv
11 fffffa8003e3b530 Driver rdbss
fffffa8003c6e470 Device CdfsRecognizer
12 fffffa800261c300 Device UdfsDiskRecognizer
fffffa8003c6e680 Driver Fs_Rec
13 fffffa8002626e70 Driver Msfs
15 fffffa8003edc7e0 Driver DfsC
16 fffffa8004640e70 Driver cdfs
17 fffffa800410ed90 Driver srvnet
19 fffffa80046f9420 Driver srv
fffffa800468cc90 Driver MRxDAV
fffff88000072eb0 Directory Filters
21 fffffa80046be400 Driver bowser
fffffa8001c92c40 Driver FltMgr
22 fffffa800261cc40 Device FatCdRomRecognizer
23 fffffa8002756e70 Driver Ntfs
24 fffffa8003dc0530 Driver Npfs
fffffa80027abd20 Driver Mup
fffffa80018476a0 Driver RAW
27 fffffa8003f04270 Driver fastfat
28 fffffa8002745060 Driver FileInfo
31 fffffa800261ce50 Device FatDiskRecognizer
33 fffffa80046c4650 Driver srv2
fffffa8003eaf470 Driver NetBIOS
fffffa800261ca30 Device ExFatRecognizer
34 fffffa8003ce3610 Driver SRTSP
35 fffffa800261c060 Device UdfsCdRomRecognizer
- Dmitry Vostokov @ DumpAnalysis.org -