Reading Notebook: 12-May-10

Thursday, May 13th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SAS -> winlogon.exe starts LogonUI.exe (p. 455) - Here are winlogon.exe threads on x64 W2K8 R2 before SAS:

THREAD fffffa8003cf7060  Cid 01d0.01d4  Teb: 000007fffffdd000 Win32Thread: fffff900c00df900 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8004991c90  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8003cf65a0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      8831           Ticks: 21731 (0:00:05:39.005)
Context Switch Count      424                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.015
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff36ec08)
Stack Init fffff88003595db0 Current fffff88003595900
Base fffff88003596000 Limit fffff8800358c000 Call 0
Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffff880`03595940 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`03595a80 fffff800`01ac58af nt!KiCommitThreadWait+0x1d2
fffff880`03595b10 fffff800`01db7db2 nt!KeWaitForSingleObject+0x19f
fffff880`03595bb0 fffff800`01abb853 nt!NtWaitForSingleObject+0xb2
fffff880`03595c20 00000000`77bafefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03595c20)
00000000`0018f778 000007fe`fdc910ac ntdll!NtWaitForSingleObject+0xa
00000000`0018f780 00000000`ff3619ad KERNELBASE!WaitForSingleObjectEx+0x79
00000000`0018f820 00000000`ff3616e8 winlogon!SignalManagerWaitForSignal+0x135
00000000`0018f860 00000000`ff36b8b0 winlogon!StateMachineRun+0x404
00000000`0018fb80 00000000`ff36ed85 winlogon!WinMain+0x13a3
00000000`0018fcf0 00000000`77a5f56d winlogon!I_WMsgkSendMessage+0x252
00000000`0018fdb0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`0018fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800498a060  Cid 01d0.0320  Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa800497bef0  SynchronizationTimer
fffffa8004988060  SynchronizationTimer
fffffa8004bfe2a0  NotificationEvent
fffffa8003c783b0  SynchronizationEvent
fffffa8003c78310  SynchronizationEvent
fffffa8003c78450  SynchronizationEvent
fffffa80049894c0  SynchronizationTimer
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8003cf65a0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      19271          Ticks: 11291 (0:00:02:56.140)
Context Switch Count      16
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000077b79a90)
Stack Init fffff88004006db0 Current fffff88004005fd0
Base fffff88004007000 Limit fffff88004001000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`04006010 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`04006150 fffff800`01abfc4b nt!KiCommitThreadWait+0x1d2
fffff880`040061e0 fffff800`01db8ecf nt!KeWaitForMultipleObjects+0x271
fffff880`04006490 fffff800`01db97d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04006960 fffff800`01abb853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04006bb0 00000000`77bb046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04006c20)
00000000`0139f848 00000000`77b79bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`0139f850 00000000`77a5f56d ntdll!TppWaiterpThread+0x14d
00000000`0139faf0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`0139fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8004ed7060  Cid 01d0.0a58  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa800489ac20  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8003cf65a0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      27861          Ticks: 2701 (0:00:00:42.135)
Context Switch Count      4
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077b78f00)
Stack Init fffff88003555db0 Current fffff880035557d0
Base fffff88003556000 Limit fffff88003550000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`03555810 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`03555950 fffff800`01ac71c1 nt!KiCommitThreadWait+0x1d2
fffff880`035559e0 fffff800`01db89d7 nt!KeRemoveQueueEx+0x301
fffff880`03555a90 fffff800`01acc996 nt!IoRemoveIoCompletion+0x47
fffff880`03555b20 fffff800`01abb853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`03555c20 00000000`77bb17ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03555c20)
00000000`00dcfa18 00000000`77b7914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`00dcfa20 00000000`77a5f56d ntdll!TppWorkerThread+0x2c9
00000000`00dcfd20 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`00dcfd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Here are the main threads from both processes on x64 W2K8 R2 after SAS (I brought up the change password dialog):

THREAD fffffa8004888770  Cid 01c0.01c4  Teb: 000007fffffde000 Win32Thread: fffff900c00d9c30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80049c25c0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      3202                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.218
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffc2ec08)
Stack Init fffff880031acdb0 Current fffff880031ac900
Base fffff880031ad000 Limit fffff880031a7000 Call 0
Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`031ac940 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`031aca80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`031acb10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f
fffff880`031acbb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2
fffff880`031acc20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`031acc20)
00000000`0023f398 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa
00000000`0023f3a0 00000000`ffc219ad KERNELBASE!WaitForSingleObjectEx+0x79
00000000`0023f440 00000000`ffc216e8 winlogon!SignalManagerWaitForSignal+0x135
00000000`0023f480 00000000`ffc2b8b0 winlogon!StateMachineRun+0x404
00000000`0023f7a0 00000000`ffc2ed85 winlogon!WinMain+0x13a3
00000000`0023f910 00000000`76bdf56d winlogon!I_WMsgkSendMessage+0x252
00000000`0023f9d0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0023fa00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80049ba060  Cid 01c0.0304  Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa80049b87e0  SynchronizationTimer
fffffa80049b4650  SynchronizationTimer
fffffa8004e81e20  NotificationEvent
fffffa8004edcbf0  SynchronizationEvent
fffffa8004edcb50  SynchronizationEvent
fffffa8004edcc90  SynchronizationEvent
fffffa80049b8670  SynchronizationTimer
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34428081       Ticks: 238645 (0:01:02:02.885)
Context Switch Count      175
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90)
Stack Init fffff88004193db0 Current fffff88004192fd0
Base fffff88004194000 Limit fffff8800418e000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffff880`04193010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`04193150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`041931e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`04193490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04193960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04193bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04193c20)
00000000`00d2fb38 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`00d2fb40 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d
00000000`00d2fde0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`00d2fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005b8e810  Cid 01c0.12d4  Teb: 000007fffffdc000 Win32Thread: fffff900c37a6250 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa8005b8ebd0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8a00c87e750 : queued at port fffffa800661ec60 : owned by process fffffa8005f442b0
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      150                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff88006c8edb0 Current fffff88006c8e620
Base fffff88006c8f000 Limit fffff88006c87000 Call 0
Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`06c8e660 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`06c8e7a0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`06c8e830 fffff800`01aedbef nt!KeWaitForSingleObject+0x19f
fffff880`06c8e8d0 fffff800`01dd6a36 nt!AlpcpSignalAndWait+0x8f
fffff880`06c8e980 fffff800`01dd49c0 nt!AlpcpReceiveSynchronousReply+0x46
fffff880`06c8e9e0 fffff800`01dd1f3b nt!AlpcpProcessSynchronousRequest+0x33d
fffff880`06c8eb00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1ab
fffff880`06c8ebb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06c8ec20)
00000000`0103f298 000007fe`fea8aa76 ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`0103f2a0 000007fe`feb2cb64 RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`0103f360 000007fe`feb2cd55 RPCRT4!NdrpClientCall3+0x244
00000000`0103f620 00000000`ffc24979 RPCRT4!NdrClientCall3+0xf2
00000000`0103f9b0 00000000`ffc4e781 winlogon!WluiRequestCredentials+0x71
00000000`0103fa20 00000000`ffc21d04 winlogon!WLGeneric_Request_Change_Credz_Execute+0xa5
00000000`0103fa90 00000000`76df0fb4 winlogon!StateMachineWorkerCallback+0x7f
00000000`0103fac0 00000000`76df4b1f ntdll!TppWorkpExecuteCallback+0xa4
00000000`0103fb20 00000000`76bdf56d ntdll!TppWorkerThread+0x6c9
00000000`0103fe20 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0103fe50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006480640  Cid 01c0.131c  Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa80042479a0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664380       Ticks: 2346 (0:00:00:36.597)
Context Switch Count      2
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800715ddb0 Current fffff8800715d7d0
Base fffff8800715e000 Limit fffff88007158000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0715d810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0715d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0715d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0715da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0715db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0715dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0715dc20)
00000000`010bf908 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`010bf910 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`010bfc10 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`010bfc40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005916290  Cid 01c0.0c04  Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa80042479a0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      3
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff88007126db0 Current fffff880071267d0
Base fffff88007127000 Limit fffff88007121000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`07126810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`07126950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`071269e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`07126a90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`07126b20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`07126c20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07126c20)
00000000`009cfaa8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`009cfab0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`009cfdb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`009cfde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

We now see the new thread fffffa8005b8e810 waiting for an ALPC message fffff8a00c87e750:

0: kd> !alpc /m fffff8a00c87e750

Message @ fffff8a00c87e750
MessageID             : 0x0534 (1332)
CallbackID            : 0x14152C5 (21058245)
SequenceNumber        : 0x00000006 (6)
Type                  : LPC_REQUEST
DataLength            : 0x0060 (96)
TotalLength           : 0x0088 (136)
Canceled              : No
Release               : No
ReplyWaitReply        : No
Continuation          : Yes
OwnerPort             : fffffa80065696c0 [ALPC_CLIENT_COMMUNICATION_PORT]
WaitingThread         : fffffa8005b8e810
QueueType             : ALPC_MSGQUEUE_PENDING
QueuePort             : fffffa800661ec60 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe)
  ServerThread          : fffffa8005a9b2a0
QuotaCharged          : No
CancelQueuePort       : 0000000000000000
CancelSequencePort    : 0000000000000000
CancelSequenceNumber  : 0x00000000 (0)
ClientContext         : 00000000003f5b30
ServerContext         : 0000000000000000
PortContext           : 00000000015e2640
CancelPortContext     : 0000000000000000
SecurityData          : 0000000000000000
View                  : 0000000000000000
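
The chain just traced (a winlogon.exe thread blocked in WrLpcReply, its ALPC message resolved with !alpc /m to the owning process and server thread) can be extracted mechanically from the debugger text. The script below is an added example, not code from the original post: it parses THREAD blocks in the x64 !thread format shown on this page plus the !alpc /m output, joins each WrLpcReply client thread to the server process image and server thread, and reports the top application frame on each side. The sample input is a constructed, trimmed excerpt of the dumps above.

```python
"""Added example (not from the original post): join a thread blocked in WrLpcReply
to the server process and thread that own its ALPC message, from !thread text."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

THREAD_RE = re.compile(r"^THREAD (?P<addr>[0-9a-f]+)\s+Cid (?:.*WAIT: \((?P<reason>\w+)\))?")
OWNER_RE = re.compile(r"^Owning Process\s+(?P<proc>[0-9a-f]+)\s+Image:\s+(?P<image>\S+)")
ALPC_WAIT_RE = re.compile(r"^Waiting for reply to ALPC Message (?P<msg>[0-9a-f]+) .* "
                          r"owned by process (?P<proc>[0-9a-f]+)")
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} (?P<site>\S+)")
MSG_RE = re.compile(r"^Message @ (?P<msg>[0-9a-f]+)")
SERVER_RE = re.compile(r"^\s*ServerThread\s+:\s+(?P<thread>[0-9a-f]+)")
# Kernel, loader, Win32 and RPC runtime: the first frame outside these is the caller of interest.
RUNTIME_PREFIXES = ("nt!", "ntdll!", "KERNELBASE!", "kernel32!", "RPCRT4!")

@dataclass
class Thread:
    addr: str
    reason: str
    process: str = ""
    image: str = ""
    alpc_msg: Optional[str] = None
    alpc_owner: Optional[str] = None
    frames: List[str] = field(default_factory=list)

def parse_threads(text: str) -> Dict[str, Thread]:
    """Split !thread output into Thread records keyed by ETHREAD address."""
    threads: Dict[str, Thread] = {}
    cur: Optional[Thread] = None
    for line in text.splitlines():
        if (m := THREAD_RE.match(line)):
            cur = Thread(m["addr"], m["reason"] or "")
            threads[cur.addr] = cur
        elif cur is None:
            continue
        elif (m := OWNER_RE.match(line)):
            cur.process, cur.image = m["proc"], m["image"]
        elif (m := ALPC_WAIT_RE.match(line)):
            cur.alpc_msg, cur.alpc_owner = m["msg"], m["proc"]
        elif (m := FRAME_RE.match(line)):
            cur.frames.append(m["site"])
    return threads

def parse_alpc_messages(text: str) -> Dict[str, str]:
    """Map each 'Message @ X' in !alpc /m output to its ServerThread."""
    servers, msg = {}, None
    for line in text.splitlines():
        if (m := MSG_RE.match(line)):
            msg = m["msg"]
        elif msg and (m := SERVER_RE.match(line)):
            servers[msg] = m["thread"]
    return servers

def first_app_frame(t: Thread) -> Optional[str]:
    """Topmost frame not in a runtime module, e.g. winlogon!... or authui!..."""
    return next((f for f in t.frames if not f.startswith(RUNTIME_PREFIXES)), None)

def alpc_wait_chains(threads: Dict[str, Thread], servers: Dict[str, str]) -> List[dict]:
    """One record per WrLpcReply thread; the owner image is recovered from any
    listed thread of that process, since the client dump names only the EPROCESS."""
    image_by_proc = {t.process: t.image for t in threads.values() if t.process}
    chains = []
    for t in threads.values():
        if t.reason != "WrLpcReply" or not t.alpc_msg:
            continue
        server = servers.get(t.alpc_msg)
        srv = threads.get(server) if server else None
        chains.append({"client_thread": t.addr, "client_image": t.image,
                       "client_frame": first_app_frame(t), "message": t.alpc_msg,
                       "server_image": image_by_proc.get(t.alpc_owner, "?"),
                       "server_thread": server,
                       "server_frame": first_app_frame(srv) if srv else None})
    return chains

# Constructed sample: trimmed excerpts of the winlogon.exe / LogonUI.exe thread
# listings and the !alpc /m output quoted on this page.
SAMPLE_THREADS = """\
THREAD fffffa8005b8e810  Cid 01c0.12d4  Teb: 000007fffffdc000 Win32Thread: fffff900c37a6250 WAIT: (WrLpcReply) UserMode Non-Alertable
Waiting for reply to ALPC Message fffff8a00c87e750 : queued at port fffffa800661ec60 : owned by process fffffa8005f442b0
Owning Process            fffffa80048879d0       Image:         winlogon.exe
00000000`0103f298 000007fe`fea8aa76 ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`0103f2a0 000007fe`feb2cb64 RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`0103f9b0 00000000`ffc4e781 winlogon!WluiRequestCredentials+0x71

THREAD fffffa8005a9b2a0  Cid 06d0.1248  Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
00000000`02aee898 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa
00000000`02aee8a0 000007fe`fb8e4586 KERNELBASE!WaitForSingleObjectEx+0x79
00000000`02aee940 000007fe`fb8e891c authui!InternalWaitForSingleObject+0x26
00000000`02aee9e0 000007fe`fea7c7f5 authui!WluirRequestCredentials+0x44
"""
SAMPLE_ALPC = """\
Message @ fffff8a00c87e750
WaitingThread         : fffffa8005b8e810
  QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe)
  ServerThread          : fffffa8005a9b2a0
"""
if __name__ == "__main__":
    print(alpc_wait_chains(parse_threads(SAMPLE_THREADS), parse_alpc_messages(SAMPLE_ALPC)))
```

Feeding it the full `!process 0 17` text of both processes lists every cross-process ALPC wait in one pass instead of chasing each `!alpc /m` by hand.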

The server thread is fffffa8005a9b2a0 and is owned by LogonUI.exe. Here are all threads in that process where I highlighted credential providers:

THREAD fffffa8005f47b60  Cid 06d0.13e0  Teb: 000007fffffde000 Win32Thread: fffff900c1d6ec30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80065be260  SynchronizationEvent
fffffa8005bf6240  SynchronizationEvent
fffffa8005bcbc70  SynchronizationEvent
fffffa80052a9dc0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34666693       Ticks: 33 (0:00:00:00.514)
Context Switch Count      722                 LargeStack
UserTime                  00:00:00.171
KernelTime                00:00:00.140
Win32 Start Address LogonUI!wWinMainCRTStartup (0x00000000ffb45c58)
Stack Init fffff88004911db0 Current fffff88004910fd0
Base fffff88004912000 Limit fffff88004908000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`04911010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`04911150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`049111e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`04911490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04911960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04911bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04911c20)
00000000`001bf708 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`001bf710 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`001bf810 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`001bf8a0 000007fe`fae19ecd USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`001bf940 000007fe`fae19d8e DUser!CoreSC::DUIMsgWaitForMultipleObjectsEx+0x17c
00000000`001bf9f0 00000000`76cf9079 DUser!MphMsgWaitForMultipleObjectsEx+0x7a
00000000`001bfa30 000007fe`fb8e407b USER32!MsgWaitForMultipleObjectsEx+0x37
00000000`001bfa70 000007fe`fb8e407b authui!CLogonFrame::DoModal+0x67
00000000`001bfaf0 000007fe`fb8e4f6c authui!CLogonUI_CreateThenDoModalThenDestroy+0x299
00000000`001bfb50 00000000`ffb454df authui!CLogonUI::DoModal+0x73
00000000`001bfb80 00000000`ffb45ae6 LogonUI!wWinMain+0xfb
00000000`001bfbe0 00000000`76bdf56d LogonUI!ParseCommandLineToStringArrayLocalAlloc+0x33a
00000000`001bfca0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`001bfcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006595720  Cid 06d0.1158  Teb: 000007fffffdc000 Win32Thread: fffff900c35105f0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8005cad160  SynchronizationEvent
fffffa8005618d30  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664381       Ticks: 2345 (0:00:00:36.582)
Context Switch Count      2                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address msvcrt!endthreadex (0x000007feff0573fc)
Stack Init fffff88005638db0 Current fffff88005637fd0
Base fffff88005639000 Limit fffff88005632000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05638010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05638150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`056381e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`05638490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`05638960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`05638bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05638c20)
00000000`00eaf4d8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`00eaf4e0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`00eaf5e0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`00eaf670 000007fe`fae114e6 USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`00eaf710 000007fe`fae116b2 DUser!CoreSC::Wait+0x62
00000000`00eaf760 000007fe`fae205dd DUser!CoreSC::xwProcessNL+0xed
00000000`00eaf7d0 000007fe`fae20500 DUser!GetMessageExA+0x7b
00000000`00eaf820 000007fe`ff0542bf DUser!ResourceManager::SharedThreadProc+0xe8
00000000`00eaf8b0 000007fe`ff057459 msvcrt!endthreadex+0x47
00000000`00eaf8e0 00000000`76bdf56d msvcrt!endthreadex+0xe0
00000000`00eaf910 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`00eaf940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006646060  Cid 06d0.1174  Teb: 000007fffffda000 Win32Thread: fffff900c397bc30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80059522e0  SynchronizationEvent
fffffa80061cf2d0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664855       Ticks: 1871 (0:00:00:29.187)
Context Switch Count      101                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.015
Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefb8e51c0)
Stack Init fffff880057addb0 Current fffff880057acfd0
Base fffff880057ae000 Limit fffff880057a6000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`057ad010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`057ad150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`057ad1e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`057ad490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`057ad960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`057adbb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`057adc20)
00000000`02c5f9b8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`02c5f9c0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`02c5fac0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`02c5fb50 00000000`76cf905a USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`02c5fbf0 000007fe`febdb46a USER32!MsgWaitForMultipleObjectsEx+0x46
00000000`02c5fc30 000007fe`fecfa542 ole32!CCliModalLoop::BlockFn+0xc2
00000000`02c5fc80 000007fe`fb8e4bc1 ole32!CoWaitForMultipleHandles+0x102
00000000`02c5fd90 000007fe`fb8e4bc1 authui!InternalCoWaitForSingleHandle+0x31
00000000`02c5fdd0 000007fe`fb8e4a4a authui!CCredentialProviderThread::_vThreadProc+0xbf
00000000`02c5fe10 00000000`76bdf56d authui!CCredentialProviderThread::_sThreadProc+0x9
00000000`02c5fe40 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02c5fe70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005a9b2a0  Cid 06d0.1248  Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800559c800  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      12                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff88005871db0 Current fffff88005871900
Base fffff88005872000 Limit fffff8800586b000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05871940 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05871a80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`05871b10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f
fffff880`05871bb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2
fffff880`05871c20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05871c20)
00000000`02aee898 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa
00000000`02aee8a0 000007fe`fb8e4586 KERNELBASE!WaitForSingleObjectEx+0x79
00000000`02aee940 000007fe`fb8e891c authui!InternalWaitForSingleObject+0x26
00000000`02aee980 000007fe`fb8e8ac4 authui!WPP_SF_qqddd+0x157d
00000000`02aee9e0 000007fe`fea7c7f5 authui!WluirRequestCredentials+0x44
00000000`02aeea20 000007fe`feb2b62e RPCRT4!Invoke+0x65
00000000`02aeeaa0 000007fe`fea74070 RPCRT4!Ndr64StubWorker+0x61b
00000000`02aef060 000007fe`fea79c24 RPCRT4!NdrServerCallAll+0x40
00000000`02aef0b0 000007fe`fea79d86 RPCRT4!DispatchToStubInCNoAvrf+0x14
00000000`02aef0e0 000007fe`fea7c44b RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146
00000000`02aef200 000007fe`fea7c38b RPCRT4!RPC_INTERFACE::DispatchToStub+0x9b
00000000`02aef240 000007fe`fea7c322 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x5b
00000000`02aef2c0 000007fe`fea7a11d RPCRT4!LRPC_SCALL::DispatchRequest+0x422
00000000`02aef3a0 000007fe`fea87ddf RPCRT4!LRPC_SCALL::HandleRequest+0x20d
00000000`02aef4d0 000007fe`fea87995 RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf
00000000`02aef610 00000000`76dfb43b RPCRT4!LrpcIoComplete+0xa5
00000000`02aef6a0 00000000`76df923f ntdll!TppAlpcpExecuteCallback+0x26b
00000000`02aef730 00000000`76bdf56d ntdll!TppWorkerThread+0x3f8
00000000`02aefa30 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02aefa60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005941a10  Cid 06d0.0f10  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa800663a9a0  SynchronizationTimer
fffffa8005881650  SynchronizationTimer
fffffa8006577ef0  SynchronizationTimer
fffffa8005a93bd0  NotificationEvent
fffffa80063f6450  SynchronizationEvent
fffffa80058fe4c0  SynchronizationEvent
fffffa80064c0290  SynchronizationEvent
fffffa8004e49e90  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664421       Ticks: 2305 (0:00:00:35.958)
Context Switch Count      11
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90)
Stack Init fffff88006946db0 Current fffff88006945fd0
Base fffff88006947000 Limit fffff88006941000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`06946010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`06946150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`069461e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`06946490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`06946960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`06946bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06946c20)
00000000`02dbf718 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`02dbf720 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d
00000000`02dbf9c0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02dbf9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80056de060  Cid 06d0.0ba8  Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8005f7d3e0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664389       Ticks: 2337 (0:00:00:36.457)
Context Switch Count      5
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800569ddb0 Current fffff8800569d7d0
Base fffff8800569e000 Limit fffff88005698000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0569d810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0569d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0569d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0569da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0569db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0569dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0569dc20)
00000000`035cfbb8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`035cfbc0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`035cfec0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`035cfef0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005ccfa10  Cid 06d0.03a0  Teb: 000007fffffd8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8005f7d3e0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664420       Ticks: 2306 (0:00:00:35.973)
Context Switch Count      7
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800459bdb0 Current fffff8800459b7d0
Base fffff8800459c000 Limit fffff88004596000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0459b810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0459b950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0459b9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0459ba90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0459bb20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0459bc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0459bc20)
00000000`02e5f8c8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`02e5f8d0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`02e5fbd0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02e5fc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800662a800  Cid 06d0.0a54  Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable
fffffa800662aad8  Semaphore Limit 0x2
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664389       Ticks: 2337 (0:00:00:36.457)
Context Switch Count      1
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x000007fefebf3570)
Stack Init fffff8800568fdb0 Current fffff8800568f970
Base fffff88005690000 Limit fffff8800568a000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0568f9b0 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0568faf0 fffff800`01ad8e56 nt!KiCommitThreadWait+0x1d2
fffff880`0568fb80 fffff800`01dcacee nt!KeDelayExecutionThread+0x186
fffff880`0568fbf0 fffff800`01ace853 nt!NtDelayExecution+0x59
fffff880`0568fc20 00000000`76e301fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0568fc20)
00000000`0371fa68 000007fe`fd081203 ntdll!NtDelayExecution+0xa
00000000`0371fa70 000007fe`febeea00 KERNELBASE!SleepEx+0xab
00000000`0371fb10 000007fe`febf2046 ole32!CROIDTable::WorkerThreadLoop+0x10
00000000`0371fb40 000007fe`febf358a ole32!CRpcThread::WorkerLoop+0x1e
00000000`0371fb80 00000000`76bdf56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
00000000`0371fbb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0371fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80063a4490  Cid 06d0.0ca0  Teb: 000007fffffa8000 Win32Thread: fffff900c1fffc30 WAIT: (WrLpcReceive) UserMode Non-Alertable
fffffa80063a4850  Semaphore Limit 0x1
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664404       Ticks: 2322 (0:00:00:36.223)
Context Switch Count      11                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address MSCTF!CCtfServerPort::StaticServerThread (0x000007fefe959274)
Stack Init fffff88005b30db0 Current fffff88005b30750
Base fffff88005b31000 Limit fffff88005b2a000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05b30790 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05b308d0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`05b30960 fffff800`01dcf329 nt!KeWaitForSingleObject+0x19f
fffff880`05b30a00 fffff800`01dd0a37 nt!AlpcpReceiveMessagePort+0x189
fffff880`05b30a60 fffff800`01dd1f76 nt!AlpcpReceiveMessage+0x2d4
fffff880`05b30b00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1e6
fffff880`05b30bb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b30c20)
00000000`0390e7b8 000007fe`fe9426a9 ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`0390e7c0 000007fe`fe959417 MSCTF!CCtfServerPort::ServerLoop+0x16c
00000000`0390f8e0 000007fe`fe959296 MSCTF!CCtfServerPort::ServerThread+0x15b
00000000`0390fc20 00000000`76bdf56d MSCTF!CCtfServerPort::StaticServerThread+0x28
00000000`0390fc50 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0390fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800489eb60  Cid 06d0.13b8  Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8005833be0  NotificationEvent
fffffa8005a03ad0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664421       Ticks: 2305 (0:00:00:35.958)
Context Switch Count      19
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007feed747028)
Stack Init fffff88005894db0 Current fffff88005893fd0
Base fffff88005895000 Limit fffff8800588f000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05894010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05894150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`058941e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`05894490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`05894960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`05894bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05894c20)
00000000`02d1f948 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`02d1f950 00000000`76bcf190 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`02d1fa50 000007fe`ed746b84 kernel32!WaitForMultipleObjects+0xb0
00000000`02d1fae0 000007fe`ed747059 SmartcardCredentialProvider!I_ReaderMonitorWorker+0x9c
00000000`02d1fb80 00000000`76bdf56d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0x31
00000000`02d1fbc0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02d1fbf0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

So according to memory dump analysis pattern terminology these two processes are strongly coupled, and this fact can be used for analyzing logon problems in terminal services environments: http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/

intrauser isolation (p. 459)

file object security (p. 460) - here is an example from x64 W2K8 R2:

0: kd> !handle
[...]
0008: Object: fffffa800658e070  GrantedAccess: 00100020 Entry: fffff8a00445d020
Object: fffffa800658e070  Type: (fffffa8003c0dde0) File
ObjectHeader: fffffa800658e040 (new version)
HandleCount: 1  PointerCount: 1
Directory Object: 00000000  Name: \DL\Notmyfault\exe\x64\Release {HarddiskVolume2}
[…]
001c: Object: fffffa8005f44ee0  GrantedAccess: 001f0003 (Protected) Entry: fffff8a00445d070
Object: fffffa8005f44ee0  Type: (fffffa8003c00570) Event
ObjectHeader: fffffa8005f44eb0 (new version)
HandleCount: 1  PointerCount: 2
[…]

0: kd> dt _OBJECT_TYPE fffffa8003c0dde0
ntdll!_OBJECT_TYPE
+0x000 TypeList         : _LIST_ENTRY [ 0xfffffa80`03c0dde0 - 0xfffffa80`03c0dde0 ]
+0x010 Name             : _UNICODE_STRING "File"
+0x020 DefaultObject    : 0x00000000`00000098
+0x028 Index            : 0x1c ''
+0x02c TotalNumberOfObjects : 0x5645
+0x030 TotalNumberOfHandles : 0x89e
+0x034 HighWaterNumberOfObjects : 0x5baf
+0x038 HighWaterNumberOfHandles : 0x8b5
+0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
+0x0b0 TypeLock         : _EX_PUSH_LOCK
+0x0b8 Key              : 0x656c6946
+0x0c0 CallbackList     : _LIST_ENTRY [ 0xfffffa80`03c0dea0 - 0xfffffa80`03c0dea0 ]

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c0dde0+40
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length           : 0x70
+0x002 ObjectTypeFlags  : 0x11 ''
+0x002 CaseInsensitive  : 0y1
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y0
+0x002 MaintainHandleCount : 0y1
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode   : 1
+0x008 InvalidAttributes : 0x130
+0x00c GenericMapping   : _GENERIC_MAPPING
+0x01c ValidAccessMask  : 0x1f01ff
+0x020 RetainAccess     : 0
+0x024 PoolType         : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0x400
+0x02c DefaultNonPagedPoolCharge : 0x180
+0x030 DumpProcedure    : (null)
+0x038 OpenProcedure    : (null)
+0x040 CloseProcedure   : 0xfffff800`01de6890     void  nt!IopCloseFile+0
+0x048 DeleteProcedure  : 0xfffff800`01de6610     void  nt!IopDeleteFile+0
+0x050 ParseProcedure   : 0xfffff800`01df7370     long  nt!IopParseFile+0
+0x058 SecurityProcedure : 0xfffff800`01db7130     long  nt!IopGetSetSecurityObject+0
+0x060 QueryNameProcedure : 0xfffff800`01db7470     long  nt!IopQueryName+0
+0x068 OkayToCloseProcedure : (null)

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c00570+40
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length           : 0x70
+0x002 ObjectTypeFlags  : 0 ''
+0x002 CaseInsensitive  : 0y0
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y0
+0x002 MaintainHandleCount : 0y0
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode   : 2
+0x008 InvalidAttributes : 0x100
+0x00c GenericMapping   : _GENERIC_MAPPING
+0x01c ValidAccessMask  : 0x1f0003
+0x020 RetainAccess     : 0
+0x024 PoolType         : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0
+0x02c DefaultNonPagedPoolCharge : 0x70
+0x030 DumpProcedure    : (null)
+0x038 OpenProcedure    : (null)
+0x040 CloseProcedure   : (null)
+0x048 DeleteProcedure  : (null)
+0x050 ParseProcedure   : (null)
+0x058 SecurityProcedure : 0xfffff800`01d97070     long  nt!SeDefaultObjectMethod+0
+0x060 QueryNameProcedure : (null)
+0x068 OkayToCloseProcedure : (null)

SID = SVAS*-RID, S-Version-Authority-Subauthority*-RelativeID (pp. 461 - 462)

PsGetSid (p. 463)

Administrator SID = Machine SID + '-500' (p. 463) - here's my test (real computer name has been changed to COMPUTER):

C:\PsTools>PsGetSid COMPUTER

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for COMPUTER\COMPUTER:
S-1-5-21-30...49-19...94-15...96

C:\PsTools>PsGetSid S-1-5-21-30...49-19...94-15...96-500

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Account for COMPUTER\S-1-5-21-30...49-19...94-15...96-500:
User: COMPUTER\Administrator
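The S-Version-Authority-Subauthority*-RID structure and the "Machine SID + -500" rule above, as an added example that is not from the notebook or from Sysinternals: it parses a textual SID, encodes it in the binary SID layout, and derives the built-in Administrator SID from a machine SID so the account can be recognised by RID even after it has been renamed. The machine SID used below is a constructed sample value.

```python
import re
import struct

# Constructed sample value for this example; not a real machine SID.
MACHINE_SID = "S-1-5-21-1000000001-2000000002-3000000003"
ADMIN_RID = 500  # well-known RID of the built-in Administrator account

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Split 'S-Version-Authority-Sub*-RID' into (revision, authority, [subauthorities])."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    # Revision is always 1, the authority is a 48-bit value, at most 15 subauthorities.
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >> 32 for s in subs):
        raise ValueError("SID fields out of range: %r" % sid)
    return revision, authority, subs


def sid_to_bytes(sid):
    """Binary layout: revision byte, subauthority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit subauthorities."""
    revision, authority, subs = parse_sid(sid)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def administrator_sid(machine_sid):
    """Machine SID + '-500' is the SID of the built-in Administrator account."""
    revision, authority, subs = parse_sid(machine_sid)
    # A machine (or domain) SID is S-1-5-21-X-Y-Z with exactly three random subauthorities.
    if authority != 5 or len(subs) != 4 or subs[0] != 21:
        raise ValueError("not a machine SID (expected S-1-5-21-X-Y-Z): %r" % machine_sid)
    parts = [str(revision), str(authority)] + [str(s) for s in subs] + [str(ADMIN_RID)]
    return "S-" + "-".join(parts)


def is_builtin_administrator(sid, machine_sid):
    """True if the account is the local Administrator, whatever it is currently named."""
    return parse_sid(sid) == parse_sid(administrator_sid(machine_sid))
```

Comparing parsed components rather than strings means a SID written with a leading zero or other cosmetic difference still matches by RID, which is what an audit of local Administrator use needs.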

Icons for Memory Dump Analysis Patterns (Part 38)

Thursday, May 13th, 2010

Today we introduce an icon for Memory Leak (.NET heap) pattern:

B/W

Color

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -