Comments on: Crash Dump Analysis Patterns (Part 13d) https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Sun, 17 May 2026 21:44:31 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-741698 Dmitry Vostokov Fri, 25 Mar 2016 21:45:28 +0000 https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-741698 According to Windows Internals we can set HKLM\S\CCS\C\Session Manager\TrackPtes key value to 1 and then see allocation history by using !sysptes 4 WinDbg command. According to Windows Internals we can set HKLM\S\CCS\C\Session Manager\TrackPtes key value to 1 and then see allocation history by using !sysptes 4 WinDbg command.

]]> By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 25) https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-144766 Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 25) Fri, 16 Apr 2010 14:13:03 +0000 https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-144766 [...] we introduce an icon for Insufficient Memory (PTE) [...] […] we introduce an icon for Insufficient Memory (PTE) […]

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-144331 Dmitry Vostokov Wed, 14 Apr 2010 18:56:02 +0000 https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-144331 I find this in many dumps and have a suspicion it is related to "orphaned" processes: HandleCount: 0 No active threads Thanks, Dmitry I find this in many dumps and have a suspicion it is related to “orphaned” processes:

HandleCount: 0
No active threads

Thanks,
Dmitry

]]> By: zagadeesh https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-143613 zagadeesh Mon, 12 Apr 2010 10:05:16 +0000 https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-143613 Dmitry, The following is a live KD, in VM we are observed 8000+ cmd.exe instances running on the context of system. My Question is how can an system uptime is 22 days and KernelTime is 700+ Days for that processor ? lkd> .time Debug session time: Mon Apr 12 06:07:15.797 2010 (GMT-4) System Uptime: 22 days 10:41:32.579 lkd> !process 00a4 Searching for Process with Cid == a4 Cid Handle table at e29a6000 with 10925 Entries in use PROCESS fb32cd88 SessionId: 0 Cid: 00a4 Peb: 7ffff000 ParentCid: 2ce0 DirBase: bff54960 ObjectTable: e3c046a0 HandleCount: 0. Image: cmd.exe VadRoot fcc99398 Vads 6 Clone 0 Private 4. Modified 0. Locked 0. DeviceMap e16008e8 Token e3ce6030 ElapsedTime 21 Days 14:20:04.071 UserTime 00:00:00.000 KernelTime 762 Days 03:42:46.250 QuotaPoolUsage[PagedPool] 6780 QuotaPoolUsage[NonPagedPool] 160 Working Set Sizes (now,min,max) (16, 50, 345) (64KB, 200KB, 1380KB) PeakWorkingSetSize 16 VirtualSize 1 Mb PeakVirtualSize 1 Mb PageFaultCount 9 MemoryPriority BACKGROUND BasePriority 10 CommitCharge 39 No active threads Dmitry,
The following is a live KD, in VM we are observed 8000+ cmd.exe instances running on the context of system.
My Question is how can an system uptime is 22 days and KernelTime is 700+ Days for that processor ?

lkd> .time
Debug session time: Mon Apr 12 06:07:15.797 2010 (GMT-4)
System Uptime: 22 days 10:41:32.579

lkd> !process 00a4
Searching for Process with Cid == a4
Cid Handle table at e29a6000 with 10925 Entries in use
PROCESS fb32cd88 SessionId: 0 Cid: 00a4 Peb: 7ffff000 ParentCid: 2ce0
DirBase: bff54960 ObjectTable: e3c046a0 HandleCount: 0.
Image: cmd.exe
VadRoot fcc99398 Vads 6 Clone 0 Private 4. Modified 0. Locked 0.
DeviceMap e16008e8
Token e3ce6030
ElapsedTime 21 Days 14:20:04.071
UserTime 00:00:00.000
KernelTime 762 Days 03:42:46.250
QuotaPoolUsage[PagedPool] 6780
QuotaPoolUsage[NonPagedPool] 160
Working Set Sizes (now,min,max) (16, 50, 345) (64KB, 200KB, 1380KB)
PeakWorkingSetSize 16
VirtualSize 1 Mb
PeakVirtualSize 1 Mb
PageFaultCount 9
MemoryPriority BACKGROUND
BasePriority 10
CommitCharge 39

No active threads

]]> By: Software Generalist » Blog Archive » Reading Notebook: 16-July-09 https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-86333 Software Generalist » Blog Archive » Reading Notebook: 16-July-09 Tue, 28 Jul 2009 17:38:03 +0000 https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-86333 [...] increaseuserva in BCD (p. 14) - this might get your terminal server installation into problems. See example of Insufficient Memory (PTE) pattern. [...] […] increaseuserva in BCD (p. 14) - this might get your terminal server installation into problems. See example of Insufficient Memory (PTE) pattern. […]

]]> By: Brad https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-19045 Brad Thu, 21 Feb 2008 03:03:17 +0000 https://www.dumpanalysis.org/blog/index.php/2008/02/04/crash-dump-analysis-patterns-part-13d/#comment-19045 You shoul see my new post on SYSPTES, they just fixed it so you can sue public symbols again: http://blogs.technet.com/brad_rutkowski/archive/2008/02/21/i-pte-the-fool-sysptes-4-works-in-vista-sp1-ws08.aspx You shoul see my new post on SYSPTES, they just fixed it so you can sue public symbols again:

http://blogs.technet.com/brad_rutkowski/archive/2008/02/21/i-pte-the-fool-sysptes-4-works-in-vista-sp1-ws08.aspx

]]>