Icons for Memory Dump Analysis Patterns (Part 39)
Friday, May 14th, 2010Today we introduce an icon for Missing Thread pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Archive for May, 2010
Reading Notebook: 12-May-10
Thursday, May 13th, 2010Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
SAS -> winlogon.exe starts LogonUI.exe (p. 455) - Here are winlogon.exe threads on x64 W2K8 R2 before SAS:
THREAD fffffa8003cf7060 Cid 01d0.01d4 Teb: 000007fffffdd000 Win32Thread: fffff900c00df900 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8004991c90 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8003cf65a0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 8831 Ticks: 21731 (0:00:05:39.005)
Context Switch Count 424 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:00.015
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff36ec08)
Stack Init fffff88003595db0 Current fffff88003595900
Base fffff88003596000 Limit fffff8800358c000 Call 0
Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr Call Site
fffff880`03595940 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`03595a80 fffff800`01ac58af nt!KiCommitThreadWait+0x1d2
fffff880`03595b10 fffff800`01db7db2 nt!KeWaitForSingleObject+0x19f
fffff880`03595bb0 fffff800`01abb853 nt!NtWaitForSingleObject+0xb2
fffff880`03595c20 00000000`77bafefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03595c20)
00000000`0018f778 000007fe`fdc910ac ntdll!NtWaitForSingleObject+0xa
00000000`0018f780 00000000`ff3619ad KERNELBASE!WaitForSingleObjectEx+0x79
00000000`0018f820 00000000`ff3616e8 winlogon!SignalManagerWaitForSignal+0x135
00000000`0018f860 00000000`ff36b8b0 winlogon!StateMachineRun+0x404
00000000`0018fb80 00000000`ff36ed85 winlogon!WinMain+0x13a3
00000000`0018fcf0 00000000`77a5f56d winlogon!I_WMsgkSendMessage+0x252
00000000`0018fdb0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`0018fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa800498a060 Cid 01d0.0320 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa800497bef0 SynchronizationTimer
fffffa8004988060 SynchronizationTimer
fffffa8004bfe2a0 NotificationEvent
fffffa8003c783b0 SynchronizationEvent
fffffa8003c78310 SynchronizationEvent
fffffa8003c78450 SynchronizationEvent
fffffa80049894c0 SynchronizationTimer
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8003cf65a0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 19271 Ticks: 11291 (0:00:02:56.140)
Context Switch Count 16
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000077b79a90)
Stack Init fffff88004006db0 Current fffff88004005fd0
Base fffff88004007000 Limit fffff88004001000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`04006010 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`04006150 fffff800`01abfc4b nt!KiCommitThreadWait+0x1d2
fffff880`040061e0 fffff800`01db8ecf nt!KeWaitForMultipleObjects+0x271
fffff880`04006490 fffff800`01db97d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04006960 fffff800`01abb853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04006bb0 00000000`77bb046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04006c20)
00000000`0139f848 00000000`77b79bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`0139f850 00000000`77a5f56d ntdll!TppWaiterpThread+0x14d
00000000`0139faf0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`0139fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa8004ed7060 Cid 01d0.0a58 Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa800489ac20 QueueObject
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8003cf65a0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 27861 Ticks: 2701 (0:00:00:42.135)
Context Switch Count 4
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077b78f00)
Stack Init fffff88003555db0 Current fffff880035557d0
Base fffff88003556000 Limit fffff88003550000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`03555810 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`03555950 fffff800`01ac71c1 nt!KiCommitThreadWait+0x1d2
fffff880`035559e0 fffff800`01db89d7 nt!KeRemoveQueueEx+0x301
fffff880`03555a90 fffff800`01acc996 nt!IoRemoveIoCompletion+0x47
fffff880`03555b20 fffff800`01abb853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`03555c20 00000000`77bb17ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03555c20)
00000000`00dcfa18 00000000`77b7914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`00dcfa20 00000000`77a5f56d ntdll!TppWorkerThread+0x2c9
00000000`00dcfd20 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`00dcfd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
Here are main threads from both processes on x64 W2K8 R2 after SAS (I brought change password dialog):
THREAD fffffa8004888770 Cid 01c0.01c4 Teb: 000007fffffde000 Win32Thread: fffff900c00d9c30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80049c25c0 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa80048879d0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250)
Context Switch Count 3202 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.218
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffc2ec08)
Stack Init fffff880031acdb0 Current fffff880031ac900
Base fffff880031ad000 Limit fffff880031a7000 Call 0
Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`031ac940 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`031aca80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`031acb10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f
fffff880`031acbb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2
fffff880`031acc20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`031acc20)
00000000`0023f398 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa
00000000`0023f3a0 00000000`ffc219ad KERNELBASE!WaitForSingleObjectEx+0x79
00000000`0023f440 00000000`ffc216e8 winlogon!SignalManagerWaitForSignal+0x135
00000000`0023f480 00000000`ffc2b8b0 winlogon!StateMachineRun+0x404
00000000`0023f7a0 00000000`ffc2ed85 winlogon!WinMain+0x13a3
00000000`0023f910 00000000`76bdf56d winlogon!I_WMsgkSendMessage+0x252
00000000`0023f9d0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0023fa00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa80049ba060 Cid 01c0.0304 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa80049b87e0 SynchronizationTimer
fffffa80049b4650 SynchronizationTimer
fffffa8004e81e20 NotificationEvent
fffffa8004edcbf0 SynchronizationEvent
fffffa8004edcb50 SynchronizationEvent
fffffa8004edcc90 SynchronizationEvent
fffffa80049b8670 SynchronizationTimer
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa80048879d0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34428081 Ticks: 238645 (0:01:02:02.885)
Context Switch Count 175
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90)
Stack Init fffff88004193db0 Current fffff88004192fd0
Base fffff88004194000 Limit fffff8800418e000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr Call Site
fffff880`04193010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`04193150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`041931e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`04193490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04193960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04193bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04193c20)
00000000`00d2fb38 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`00d2fb40 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d
00000000`00d2fde0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`00d2fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa8005b8e810 Cid 01c0.12d4 Teb: 000007fffffdc000 Win32Thread: fffff900c37a6250 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa8005b8ebd0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8a00c87e750 : queued at port fffffa800661ec60 : owned by process fffffa8005f442b0
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa80048879d0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250)
Context Switch Count 150 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00)
Stack Init fffff88006c8edb0 Current fffff88006c8e620
Base fffff88006c8f000 Limit fffff88006c87000 Call 0
Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`06c8e660 fffff800`01ad6752 nt!KiSwapContext+0×7a
fffff880`06c8e7a0 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2
fffff880`06c8e830 fffff800`01aedbef nt!KeWaitForSingleObject+0×19f
fffff880`06c8e8d0 fffff800`01dd6a36 nt!AlpcpSignalAndWait+0×8f
fffff880`06c8e980 fffff800`01dd49c0 nt!AlpcpReceiveSynchronousReply+0×46
fffff880`06c8e9e0 fffff800`01dd1f3b nt!AlpcpProcessSynchronousRequest+0×33d
fffff880`06c8eb00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0×1ab
fffff880`06c8ebb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`06c8ec20)
00000000`0103f298 000007fe`fea8aa76 ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`0103f2a0 000007fe`feb2cb64 RPCRT4!LRPC_CCALL::SendReceive+0×156
00000000`0103f360 000007fe`feb2cd55 RPCRT4!NdrpClientCall3+0×244
00000000`0103f620 00000000`ffc24979 RPCRT4!NdrClientCall3+0xf2
00000000`0103f9b0 00000000`ffc4e781 winlogon!WluiRequestCredentials+0×71
00000000`0103fa20 00000000`ffc21d04 winlogon!WLGeneric_Request_Change_Credz_Execute+0xa5
00000000`0103fa90 00000000`76df0fb4 winlogon!StateMachineWorkerCallback+0×7f
00000000`0103fac0 00000000`76df4b1f ntdll!TppWorkpExecuteCallback+0xa4
00000000`0103fb20 00000000`76bdf56d ntdll!TppWorkerThread+0×6c9
00000000`0103fe20 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0103fe50 00000000`00000000 ntdll!RtlUserThreadStart+0×1d
THREAD fffffa8006480640 Cid 01c0.131c Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa80042479a0 QueueObject
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa80048879d0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664380 Ticks: 2346 (0:00:00:36.597)
Context Switch Count 2
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800715ddb0 Current fffff8800715d7d0
Base fffff8800715e000 Limit fffff88007158000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0715d810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0715d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0715d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0715da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0715db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0715dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0715dc20)
00000000`010bf908 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`010bf910 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`010bfc10 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`010bfc40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa8005916290 Cid 01c0.0c04 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa80042479a0 QueueObject
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa80048879d0 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250)
Context Switch Count 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff88007126db0 Current fffff880071267d0
Base fffff88007127000 Limit fffff88007121000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`07126810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`07126950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`071269e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`07126a90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`07126b20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`07126c20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07126c20)
00000000`009cfaa8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`009cfab0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`009cfdb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`009cfde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
We now see the new thread fffffa8005b8e810 waiting for an ALPC message fffff8a00c87e750:
0: kd> !alpc /m fffff8a00c87e750
Message @ fffff8a00c87e750
MessageID : 0x0534 (1332)
CallbackID : 0x14152C5 (21058245)
SequenceNumber : 0x00000006 (6)
Type : LPC_REQUEST
DataLength : 0x0060 (96)
TotalLength : 0x0088 (136)
Canceled : No
Release : No
ReplyWaitReply : No
Continuation : Yes
OwnerPort : fffffa80065696c0 [ALPC_CLIENT_COMMUNICATION_PORT]
WaitingThread : fffffa8005b8e810
QueueType : ALPC_MSGQUEUE_PENDING
QueuePort : fffffa800661ec60 [ALPC_CONNECTION_PORT]
QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe)
ServerThread : fffffa8005a9b2a0
QuotaCharged : No
CancelQueuePort : 0000000000000000
CancelSequencePort : 0000000000000000
CancelSequenceNumber : 0×00000000 (0)
ClientContext : 00000000003f5b30
ServerContext : 0000000000000000
PortContext : 00000000015e2640
CancelPortContext : 0000000000000000
SecurityData : 0000000000000000
View : 0000000000000000
The server thread is fffffa8005a9b2a0 and is owned by LogonUI.exe. Here are all threads in that process where I highlighted credential providers:
THREAD fffffa8005f47b60 Cid 06d0.13e0 Teb: 000007fffffde000 Win32Thread: fffff900c1d6ec30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80065be260 SynchronizationEvent
fffffa8005bf6240 SynchronizationEvent
fffffa8005bcbc70 SynchronizationEvent
fffffa80052a9dc0 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34666693 Ticks: 33 (0:00:00:00.514)
Context Switch Count 722 LargeStack
UserTime 00:00:00.171
KernelTime 00:00:00.140
Win32 Start Address LogonUI!wWinMainCRTStartup (0x00000000ffb45c58)
Stack Init fffff88004911db0 Current fffff88004910fd0
Base fffff88004912000 Limit fffff88004908000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`04911010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`04911150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`049111e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`04911490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04911960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04911bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04911c20)
00000000`001bf708 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`001bf710 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`001bf810 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`001bf8a0 000007fe`fae19ecd USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`001bf940 000007fe`fae19d8e DUser!CoreSC::DUIMsgWaitForMultipleObjectsEx+0x17c
00000000`001bf9f0 00000000`76cf9079 DUser!MphMsgWaitForMultipleObjectsEx+0x7a
00000000`001bfa30 000007fe`fb8e407b USER32!MsgWaitForMultipleObjectsEx+0x37
00000000`001bfa70 000007fe`fb8e4f6c authui!CLogonFrame::DoModal+0×67
00000000`001bfaf0 000007fe`fb8e50cf authui!CLogonUI_CreateThenDoModalThenDestroy+0×299
00000000`001bfb50 00000000`ffb454df authui!CLogonUI::DoModal+0×73
00000000`001bfb80 00000000`ffb45ae6 LogonUI!wWinMain+0xfb
00000000`001bfbe0 00000000`76bdf56d LogonUI!ParseCommandLineToStringArrayLocalAlloc+0×33a
00000000`001bfca0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`001bfcd0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d
THREAD fffffa8006595720 Cid 06d0.1158 Teb: 000007fffffdc000 Win32Thread: fffff900c35105f0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8005cad160 SynchronizationEvent
fffffa8005618d30 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664381 Ticks: 2345 (0:00:00:36.582)
Context Switch Count 2 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address msvcrt!endthreadex (0x000007feff0573fc)
Stack Init fffff88005638db0 Current fffff88005637fd0
Base fffff88005639000 Limit fffff88005632000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`05638010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05638150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`056381e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`05638490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`05638960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`05638bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05638c20)
00000000`00eaf4d8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`00eaf4e0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`00eaf5e0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`00eaf670 000007fe`fae114e6 USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`00eaf710 000007fe`fae116b2 DUser!CoreSC::Wait+0x62
00000000`00eaf760 000007fe`fae205dd DUser!CoreSC::xwProcessNL+0xed
00000000`00eaf7d0 000007fe`fae20500 DUser!GetMessageExA+0x7b
00000000`00eaf820 000007fe`ff0542bf DUser!ResourceManager::SharedThreadProc+0xe8
00000000`00eaf8b0 000007fe`ff057459 msvcrt!endthreadex+0x47
00000000`00eaf8e0 00000000`76bdf56d msvcrt!endthreadex+0xe0
00000000`00eaf910 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`00eaf940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa8006646060 Cid 06d0.1174 Teb: 000007fffffda000 Win32Thread: fffff900c397bc30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80059522e0 SynchronizationEvent
fffffa80061cf2d0 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664855 Ticks: 1871 (0:00:00:29.187)
Context Switch Count 101 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:00.015
Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefb8e51c0)
Stack Init fffff880057addb0 Current fffff880057acfd0
Base fffff880057ae000 Limit fffff880057a6000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`057ad010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`057ad150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`057ad1e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`057ad490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`057ad960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`057adbb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`057adc20)
00000000`02c5f9b8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`02c5f9c0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`02c5fac0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`02c5fb50 00000000`76cf905a USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`02c5fbf0 000007fe`febdb46a USER32!MsgWaitForMultipleObjectsEx+0x46
00000000`02c5fc30 000007fe`fecfa542 ole32!CCliModalLoop::BlockFn+0xc2
00000000`02c5fc80 000007fe`fb8e4bc1 ole32!CoWaitForMultipleHandles+0x102
00000000`02c5fd90 000007fe`fb8e4a4a authui!InternalCoWaitForSingleHandle+0×31
00000000`02c5fdd0 000007fe`fb8e51c9 authui!CCredentialProviderThread::_vThreadProc+0xbf
00000000`02c5fe10 00000000`76bdf56d authui!CCredentialProviderThread::_sThreadProc+0×9
00000000`02c5fe40 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02c5fe70 00000000`00000000 ntdll!RtlUserThreadStart+0×1d
THREAD fffffa8005a9b2a0 Cid 06d0.1248 Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800559c800 NotificationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250)
Context Switch Count 12 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00)
Stack Init fffff88005871db0 Current fffff88005871900
Base fffff88005872000 Limit fffff8800586b000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`05871940 fffff800`01ad6752 nt!KiSwapContext+0×7a
fffff880`05871a80 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2
fffff880`05871b10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0×19f
fffff880`05871bb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2
fffff880`05871c20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`05871c20)
00000000`02aee898 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa
00000000`02aee8a0 000007fe`fb8e4586 KERNELBASE!WaitForSingleObjectEx+0×79
00000000`02aee940 000007fe`fb8e891c authui!InternalWaitForSingleObject+0×26
00000000`02aee980 000007fe`fb8e8ac4 authui!WPP_SF_qqddd+0×157d
00000000`02aee9e0 000007fe`fea7c7f5 authui!WluirRequestCredentials+0×44
00000000`02aeea20 000007fe`feb2b62e RPCRT4!Invoke+0×65
00000000`02aeeaa0 000007fe`fea74070 RPCRT4!Ndr64StubWorker+0×61b
00000000`02aef060 000007fe`fea79c24 RPCRT4!NdrServerCallAll+0×40
00000000`02aef0b0 000007fe`fea79d86 RPCRT4!DispatchToStubInCNoAvrf+0×14
00000000`02aef0e0 000007fe`fea7c44b RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×146
00000000`02aef200 000007fe`fea7c38b RPCRT4!RPC_INTERFACE::DispatchToStub+0×9b
00000000`02aef240 000007fe`fea7c322 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0×5b
00000000`02aef2c0 000007fe`fea7a11d RPCRT4!LRPC_SCALL::DispatchRequest+0×422
00000000`02aef3a0 000007fe`fea87ddf RPCRT4!LRPC_SCALL::HandleRequest+0×20d
00000000`02aef4d0 000007fe`fea87995 RPCRT4!LRPC_ADDRESS::ProcessIO+0×3bf
00000000`02aef610 00000000`76dfb43b RPCRT4!LrpcIoComplete+0xa5
00000000`02aef6a0 00000000`76df923f ntdll!TppAlpcpExecuteCallback+0×26b
00000000`02aef730 00000000`76bdf56d ntdll!TppWorkerThread+0×3f8
00000000`02aefa30 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02aefa60 00000000`00000000 ntdll!RtlUserThreadStart+0×1d
THREAD fffffa8005941a10 Cid 06d0.0f10 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa800663a9a0 SynchronizationTimer
fffffa8005881650 SynchronizationTimer
fffffa8006577ef0 SynchronizationTimer
fffffa8005a93bd0 NotificationEvent
fffffa80063f6450 SynchronizationEvent
fffffa80058fe4c0 SynchronizationEvent
fffffa80064c0290 SynchronizationEvent
fffffa8004e49e90 NotificationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958)
Context Switch Count 11
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90)
Stack Init fffff88006946db0 Current fffff88006945fd0
Base fffff88006947000 Limit fffff88006941000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`06946010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`06946150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`069461e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`06946490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`06946960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`06946bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06946c20)
00000000`02dbf718 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`02dbf720 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d
00000000`02dbf9c0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02dbf9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa80056de060 Cid 06d0.0ba8 Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8005f7d3e0 QueueObject
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457)
Context Switch Count 5
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800569ddb0 Current fffff8800569d7d0
Base fffff8800569e000 Limit fffff88005698000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0569d810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0569d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0569d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0569da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0569db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0569dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0569dc20)
00000000`035cfbb8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`035cfbc0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`035cfec0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`035cfef0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa8005ccfa10 Cid 06d0.03a0 Teb: 000007fffffd8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8005f7d3e0 QueueObject
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664420 Ticks: 2306 (0:00:00:35.973)
Context Switch Count 7
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800459bdb0 Current fffff8800459b7d0
Base fffff8800459c000 Limit fffff88004596000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0459b810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0459b950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0459b9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0459ba90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0459bb20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0459bc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0459bc20)
00000000`02e5f8c8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`02e5f8d0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`02e5fbd0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02e5fc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa800662a800 Cid 06d0.0a54 Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable
fffffa800662aad8 Semaphore Limit 0x2
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457)
Context Switch Count 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x000007fefebf3570)
Stack Init fffff8800568fdb0 Current fffff8800568f970
Base fffff88005690000 Limit fffff8800568a000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0568f9b0 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0568faf0 fffff800`01ad8e56 nt!KiCommitThreadWait+0x1d2
fffff880`0568fb80 fffff800`01dcacee nt!KeDelayExecutionThread+0x186
fffff880`0568fbf0 fffff800`01ace853 nt!NtDelayExecution+0x59
fffff880`0568fc20 00000000`76e301fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0568fc20)
00000000`0371fa68 000007fe`fd081203 ntdll!NtDelayExecution+0xa
00000000`0371fa70 000007fe`febeea00 KERNELBASE!SleepEx+0xab
00000000`0371fb10 000007fe`febf2046 ole32!CROIDTable::WorkerThreadLoop+0x10
00000000`0371fb40 000007fe`febf358a ole32!CRpcThread::WorkerLoop+0x1e
00000000`0371fb80 00000000`76bdf56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
00000000`0371fbb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0371fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa80063a4490 Cid 06d0.0ca0 Teb: 000007fffffa8000 Win32Thread: fffff900c1fffc30 WAIT: (WrLpcReceive) UserMode Non-Alertable
fffffa80063a4850 Semaphore Limit 0x1
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664404 Ticks: 2322 (0:00:00:36.223)
Context Switch Count 11 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address MSCTF!CCtfServerPort::StaticServerThread (0x000007fefe959274)
Stack Init fffff88005b30db0 Current fffff88005b30750
Base fffff88005b31000 Limit fffff88005b2a000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`05b30790 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05b308d0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`05b30960 fffff800`01dcf329 nt!KeWaitForSingleObject+0x19f
fffff880`05b30a00 fffff800`01dd0a37 nt!AlpcpReceiveMessagePort+0x189
fffff880`05b30a60 fffff800`01dd1f76 nt!AlpcpReceiveMessage+0x2d4
fffff880`05b30b00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1e6
fffff880`05b30bb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b30c20)
00000000`0390e7b8 000007fe`fe9426a9 ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`0390e7c0 000007fe`fe959417 MSCTF!CCtfServerPort::ServerLoop+0x16c
00000000`0390f8e0 000007fe`fe959296 MSCTF!CCtfServerPort::ServerThread+0x15b
00000000`0390fc20 00000000`76bdf56d MSCTF!CCtfServerPort::StaticServerThread+0x28
00000000`0390fc50 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0390fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
THREAD fffffa800489eb60 Cid 06d0.13b8 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8005833be0 NotificationEvent
fffffa8005a03ad0 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa8005f442b0 Image: LogonUI.exe
Attached Process N/A Image: N/A
Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958)
Context Switch Count 19
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007feed747028)
Stack Init fffff88005894db0 Current fffff88005893fd0
Base fffff88005895000 Limit fffff8800588f000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`05894010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05894150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`058941e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`05894490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`05894960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`05894bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05894c20)
00000000`02d1f948 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`02d1f950 00000000`76bcf190 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`02d1fa50 000007fe`ed746b84 kernel32!WaitForMultipleObjects+0xb0
00000000`02d1fae0 000007fe`ed747059 SmartcardCredentialProvider!I_ReaderMonitorWorker+0×9c
00000000`02d1fb80 00000000`76bdf56d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0×31
00000000`02d1fbc0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02d1fbf0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d
So according to memory dump analysis pattern terminology these 2 processes are strongly coupled and this fact can be used for analysis logon problems in terminal services environments: http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/
intrauser isolation (p. 459)
file object security (p. 460) - here is an example from x64 W2K8 R2:
0: kd> !handle
[...]
0008: Object: fffffa800658e070 GrantedAccess: 00100020 Entry: fffff8a00445d020
Object: fffffa800658e070 Type: (fffffa8003c0dde0) File
ObjectHeader: fffffa800658e040 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \DL\Notmyfault\exe\x64\Release {HarddiskVolume2}
[…]
001c: Object: fffffa8005f44ee0 GrantedAccess: 001f0003 (Protected) Entry: fffff8a00445d070
Object: fffffa8005f44ee0 Type: (fffffa8003c00570) Event
ObjectHeader: fffffa8005f44eb0 (new version)
HandleCount: 1 PointerCount: 2
[…]
0: kd> dt _OBJECT_TYPE fffffa8003c0dde0
ntdll!_OBJECT_TYPE
+0x000 TypeList : _LIST_ENTRY [ 0xfffffa80`03c0dde0 - 0xfffffa80`03c0dde0 ]
+0x010 Name : _UNICODE_STRING "File"
+0x020 DefaultObject : 0x00000000`00000098
+0x028 Index : 0x1c ''
+0x02c TotalNumberOfObjects : 0x5645
+0x030 TotalNumberOfHandles : 0x89e
+0x034 HighWaterNumberOfObjects : 0x5baf
+0x038 HighWaterNumberOfHandles : 0x8b5
+0×040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0×0b0 TypeLock : _EX_PUSH_LOCK
+0×0b8 Key : 0×656c6946
+0×0c0 CallbackList : _LIST_ENTRY [ 0xfffffa80`03c0dea0 - 0xfffffa80`03c0dea0 ]
0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c0dde0+40
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x70
+0x002 ObjectTypeFlags : 0x11 ''
+0x002 CaseInsensitive : 0y1
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y0
+0x002 MaintainHandleCount : 0y1
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode : 1
+0x008 InvalidAttributes : 0x130
+0x00c GenericMapping : _GENERIC_MAPPING
+0x01c ValidAccessMask : 0x1f01ff
+0x020 RetainAccess : 0
+0x024 PoolType : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0x400
+0x02c DefaultNonPagedPoolCharge : 0x180
+0x030 DumpProcedure : (null)
+0x038 OpenProcedure : (null)
+0x040 CloseProcedure : 0xfffff800`01de6890 void nt!IopCloseFile+0
+0x048 DeleteProcedure : 0xfffff800`01de6610 void nt!IopDeleteFile+0
+0x050 ParseProcedure : 0xfffff800`01df7370 long nt!IopParseFile+0
+0×058 SecurityProcedure : 0xfffff800`01db7130 long nt!IopGetSetSecurityObject+0
+0×060 QueryNameProcedure : 0xfffff800`01db7470 long nt!IopQueryName+0<>
+0×068 OkayToCloseProcedure : (null)
0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c00570+40
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x70
+0x002 ObjectTypeFlags : 0 ''
+0x002 CaseInsensitive : 0y0
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y0
+0x002 MaintainHandleCount : 0y0
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode : 2
+0x008 InvalidAttributes : 0x100
+0x00c GenericMapping : _GENERIC_MAPPING
+0x01c ValidAccessMask : 0x1f0003
+0x020 RetainAccess : 0
+0x024 PoolType : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0
+0x02c DefaultNonPagedPoolCharge : 0x70
+0x030 DumpProcedure : (null)
+0x038 OpenProcedure : (null)
+0x040 CloseProcedure : (null)
+0x048 DeleteProcedure : (null)
+0x050 ParseProcedure : (null)
+0×058 SecurityProcedure : 0xfffff800`01d97070 long nt!SeDefaultObjectMethod+0
+0×060 QueryNameProcedure : (null)
+0×068 OkayToCloseProcedure : (null)
SID = SVAS*-RID, S-Version-Authority-Subauthority*-RelativeID (pp. 461 - 462)
PsGetSid (p. 463)
Administrator SID = Machine SID + ‘-500′ (p. 463) - here’s my test (real computer name has been changed to COMPUTER):
C:\PsTools>PsGetSid COMPUTER
PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
SID for COMPUTER\COMPUTER:
S-1-5-21-30...49-19...94-15...96
C:\PsTools>PsGetSid S-1-5-21-30...49-19...94-15...96-500
PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
Account for COMPUTER\S-1-5-21-30...49-19...94-15...96-500:
User: COMPUTER\Administrator
Icons for Memory Dump Analysis Patterns (Part 38)
Thursday, May 13th, 2010Today we introduce an icon for Memory Leak (.NET heap) pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Icons for Memory Dump Analysis Patterns (Part 37)
Wednesday, May 12th, 2010Today we introduce an icon for Memory Leak (process heap) pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Icons for Memory Dump Analysis Patterns (Part 36)
Tuesday, May 11th, 2010Today we introduce an icon for Waiting Thread Time (user dumps) pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Trace Analysis Patterns (Part 23)
Monday, May 10th, 2010This pattern is similar to No Component Symbols memory analysis pattern and is called No Trace Metafile:
# Module PID TID Time Message
21372 \src\dllA 2968 5476 3:55:10.004 Calling foo()
21373 Unknown 2968 5476 3:55:10.004 ????? Unknown( 27): GUID=1EF56EBD-A7FC-4892-8DBA-00AD813F8A24 (No Format Information found).
21374 Unknown 2968 5476 3:55:10.004 ????? Unknown( 27): GUID=1EF56EBD-A7FC-4892-8DBA-00AD813F8A24 (No Format Information found).
21375 Unknown 2968 5476 3:55:10.004 ????? Unknown( 27): GUID=1EF56EBD-A7FC-4892-8DBA-00AD813F8A24 (No Format Information found).
21376 Unknown 2968 5476 3:55:10.004 ????? Unknown( 28): GUID=1EF56EBD-A7FC-4892-8DBA-00AD813F8A24 (No Format Information found).
21377 Unknown 2968 5476 3:55:10.004 ????? Unknown( 23): GUID=1EF56EBD-A7FC-4892-8DBA-00AD813F8A24 (No Format Information found).
21378 \src\dllA 2968 5476 3:55:10.004 Calling bar()
In some case when we don’t have TMF files it is possible to detect broad behavioral patterns such as:
By looking at Thread of Activity we can also sometimes infer the possible component name based on surrounding trace messages with present TMF files, escpecially when we have source code access. For example, in the trace above it can be dllA or any other module that foo function calls.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Icons for Memory Dump Analysis Patterns (Part 35)
Monday, May 10th, 2010Today we introduce an icon for Waiting Thread Time (kernel dumps) pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Software Behavior Patterns (Part 1)
Monday, May 10th, 2010My drive to generalization led me to place an adornment on the portal to highlight the fact that memory and software trace analysis patterns are under an umbrella of general software behaviour patterns:
http://www.dumpanalysis.org/Software-Behavior-Patterns-Headline
In the forthcoming post series I plan to write about similarities between these two branches and also provide pattern examples from non-Windows platforms. All this material will provide the foundation for the forthcoming book Software Behavior: A Guide to Systematic Analysis (ISBN: 978-1906717162).
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
MDAAV1-3 Color Supplement has been published!
Monday, May 10th, 2010Previously announced book is now available on Amazon:
Memory Dump Analysis Anthology: Color Supplement for Volumes 1-3
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
On God and Miracles
Sunday, May 9th, 2010Memoidealism explains God as Inaccessible Memory (Memory Region A on the picture below). It means that Memory Region B doesn’t have pointers that point outside of it. In other words, all operating fields of Region B pointers are in Region B. However, Region A can have pointers pointing to Region B and modify it, effectively producing a miracle as perceived by Region B. In other words, some perception field links of Region B pointers may come from outside. You can object that Region B can have deeper pointers by making their memory locations bigger (from N-bit to 2*N-bit for example) but Memory may not be flat, discrete and bit-like. For one possible Christian interpretation we can replace Region B with the heavens and the earth (Genesis 1.1) and replace Region A with God-Creator (note also that in Memorianity Memory creates memories [notes on memoidealism 1.10]).
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Crash Dump Analysis Patterns (Part 98)
Saturday, May 8th, 2010Sometimes when a high number of interrupts is reported but there are no signs of an interrupt storm or pending DPCs in a memory dump file it is useful to search for Hardware Activity in running and / or suspected threads. This can be done by examining execution residue left on a thread raw stack. Although found driver activity might not be related to reported problems it can be a useful start for driver elimination procedure for the general recommendation to check drivers for any updates. Here is an example of a thread raw stack with a network card doing “Scatter-Gather” DMA (more extensive example is coming in a separate pattern cooperation case study):
1: kd> !thread
THREAD f7732090 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
Not impersonating
Owning Process 8089db40 Image: Idle
Attached Process N/A Image: N/A
Wait Start TickCount 0 Ticks: 24437545 (4:10:03:56.640)
Context Switch Count 75624870
UserTime 00:00:00.000
KernelTime 4 Days 08:56:05.125
Stack Init f78b3000 Current f78b2d4c Base f78b3000 Limit f78b0000 Call 0
Priority 0 BasePriority 0 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f3b30c5c 00000000 00000000 00000000 00000000 LiveKdD+0x1c07
1: kd> dds f78b0000 f78b3000
f78b0000 00000000
f78b0004 00000000
f78b0008 00000000
f78b000c 00000000
f78b0010 00000000
[...]
f78b2870 8b3de0d0
f78b2874 80887b75 nt!KiFlushTargetSingleTb+0xd
f78b2878 8b49032c
f78b287c 00000000
f78b2880 2d003202
f78b2884 00000000
f78b2888 00000000
f78b288c 2d003202
f78b2890 8b490302
f78b2894 f78b28a4
f78b2898 80a61456 hal!KfLowerIrql+0x62
f78b289c 2d00320a
f78b28a0 00000000
f78b28a4 8b3de0d0
f78b28a8 8b3e3730
f78b28ac 00341eb0
f78b28b0 f78b2918
f78b28b4 f63fbf78 NetworkAdapterA!SendWithScatterGather+0×318
f78b28b8 8b3de0d0
f78b28bc 8b341eb0
f78b28c0 f78b28d4
f78b28c4 00000000
f78b28c8 80a5f3c0 hal!KfAcquireSpinLock
f78b28cc 00000000
f78b28d0 8b3de0d0
f78b28d4 00000000
f78b28d8 8b3de0d0
f78b28dc 8b3eb730
f78b28e0 005a7340
f78b28e4 f78b294c
f78b28e8 f63fbf78 NetworkAdapterA!SendWithScatterGather+0×318
f78b28ec 8b3de0d0
f78b28f0 8a5a7340
f78b28f4 f78b2908
f78b28f8 00000000
f78b28fc 8b3de0d0
f78b2900 8b0f5158
f78b2904 001e2340
f78b2908 f78b2970
f78b290c f63fbf78 NetworkAdapterA!SendWithScatterGather+0×318
f78b2910 8b3de0d0
f78b2914 8b1e2340
f78b2918 f78b292c
f78b291c 00000000
f78b2920 80a5f3c0 hal!KfAcquireSpinLock
f78b2924 00000000
f78b2928 8b3de0d0
f78b292c 00000000
f78b2930 8b3eb700
f78b2934 00000000
f78b2938 00000000
f78b293c 00000000
f78b2940 00000000
f78b2944 00000000
f78b2948 00000000
f78b294c 0a446aa2
f78b2950 f78b29b8
f78b2954 8b0f5158
f78b2958 8b01ce10
f78b295c 00000001
f78b2960 8b3de0d0
f78b2964 80a5f302 hal!HalpPerfInterrupt+0×32
f78b2968 00000001
f78b296c 8b3de0d0
f78b2970 80a5f302 hal!HalpPerfInterrupt+0×32
f78b2974 8b3de302
f78b2978 f78b2988
f78b297c 80a61456 hal!KfLowerIrql+0×62
f78b2980 80a5f3c0 hal!KfAcquireSpinLock
f78b2984 8b3de302
f78b2988 f78b29a4
f78b298c 80a5f44b hal!KfReleaseSpinLock+0xb
f78b2990 f63fbbbf NetworkAdapterA!SendPackets+0×1b3
f78b2994 8a446a90
f78b2998 8b0e8ab0
f78b299c 00000000
f78b29a0 008b29d0
f78b29a4 f78b29bc
f78b29a8 f7163790 NDIS!ndisMProcessSGList+0×90
f78b29ac 8b3de388
f78b29b0 f78b29d0
f78b29b4 00000001
f78b29b8 00000000
f78b29bc f78b29e8
f78b29c0 80a60147 hal!HalBuildScatterGatherList+0×1c7
f78b29c4 8b0e89b0
f78b29c8 00000000
f78b29cc 8a44cde8
f78b29d0 8b1e2340
f78b29d4 8a446aa2
f78b29d8 8b026ca0
f78b29dc 8b1e2340
f78b29e0 8b0e8ab0
f78b29e4 8b0e8ab0
f78b29e8 f78b2a44
f78b29ec f716369f NDIS!ndisMAllocSGList+0xda
f78b29f0 8a44cde8
f78b29f4 8b0e89b0
f78b29f8 8a446a70
f78b29fc 00000000
f78b2a00 00000036
f78b2a04 f7163730 NDIS!ndisMProcessSGList
f78b2a08 8b1e2340
f78b2a0c 00000000
f78b2a10 8a44cde8
f78b2a14 00000218
f78b2a18 8b1e2308
f78b2a1c 00000103
f78b2a20 8b0e8ab0
f78b2a24 8a446a70
f78b2a28 8a44cde8
f78b2a2c 00000036
f78b2a30 8b0e8ab0
f78b2a34 00000036
f78b2a38 00000000
f78b2a3c 00000000
f78b2a40 029a9e02
f78b2a44 f78b2a60
f78b2a48 f71402ff NDIS!ndisMSendX+0×1dd
f78b2a4c 8b490310
f78b2a50 8b1e2340
f78b2a54 8a446a70
f78b2a58 8a9a9e02
f78b2a5c 8a9a9e02
f78b2a60 f78b2a88
f78b2a64 f546c923 tcpip!ARPSendData+0×1a9
f78b2a68 8b3e76c8
f78b2a6c 8b1e2340
f78b2a70 8a9a9ea8
f78b2a74 8b490310
f78b2a78 80888b00 nt!RtlBackoff+0×68
f78b2a7c 8a446a70
f78b2a80 8a446aa2
f78b2a84 8a446a70
f78b2a88 f78b2ab4
f78b2a8c f546ba5d tcpip!ARPTransmit+0×112
f78b2a90 8b490310
f78b2a94 8b1e2340
f78b2a98 8a9a9ea8
f78b2a9c 00000103
f78b2aa0 8a446a70
f78b2aa4 00000000
f78b2aa8 8b342398
f78b2aac 8a47e1f8
f78b2ab0 8b1e2340
f78b2ab4 f78b2bf0
f78b2ab8 f546c4fc tcpip!_IPTransmit+0×866
f78b2abc 8a9a9ebc
f78b2ac0 f78b2b02
f78b2ac4 00000001
[…]
We also do a sanity check for coincidental symbols:
1: kd> ub f63fbf78
NetworkAdapterA!SendWithScatterGather+0x304:
f63fbf64 push eax
f63fbf65 push edi
f63fbf66 push esi
f63fbf67 mov dword ptr [ebp-44h],ecx
f63fbf6a mov dword ptr [ebp-3Ch],ecx
f63fbf6d mov dword ptr [ebp-34h],ecx
f63fbf70 mov dword ptr [ebp-2Ch],ecx
f63fbf73 call NetworkAdapterA!PacketRetrieveNicActions (f63facd2)
1: kd> ub f63fbbbf
NetworkAdapterA!SendPackets+0x190:
f63fbb9c cmp dword ptr [esi+0Ch],2
f63fbba0 jl NetworkAdapterA!SendPackets+0x19e (f63fbbaa)
f63fbba2 mov dword ptr [ecx+3818h],eax
f63fbba8 jmp NetworkAdapterA!SendPackets+0x1a4 (f63fbbb0)
f63fbbaa mov dword ptr [ecx+438h],eax
f63fbbb0 mov dl,byte ptr [esi+2BCh]
f63fbbb6 mov ecx,dword ptr [ebp+8]
f63fbbb9 call dword ptr [NetworkAdapterA!_imp_KfReleaseSpinLock (f640ca18)]
1: kd> ub 80a60147
hal!HalBuildScatterGatherList+0x1b0:
80a60130 je hal!HalBuildScatterGatherList+0x1b9 (80a60139)
80a60132 mov dword ptr [eax+4],1
80a60139 push dword ptr [ebp+20h]
80a6013c push eax
80a6013d mov eax,dword ptr [ebp+0Ch]
80a60140 push dword ptr [eax+14h]
80a60143 push eax
80a60144 call dword ptr [ebp+1Ch]
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Crash Dump Analysis Patterns (Part 38b)
Friday, May 7th, 2010This is a variation of Hooked Functions pattern for kernel space. In addition to trampoline patching we also see a modified service table:
0: kd> !chkimg -lo 50 -d !nt -v
Searching for module with expression: !nt
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\ntkrnlmp.exe\4B7A8E62280000\ntkrnlmp.exe
No range specified
Scanning section: .text
Size: 625257
Range to scan: 80801000-80899a69
808373e3-808373e9 7 bytes - nt!KeAcquireQueuedSpinLockAtDpcLevel+1b
[ f7 41 04 01 00 00 00:e9 00 0d b2 76 cc cc ]
8083e6c8-8083e6cb 4 bytes - nt!KiServiceTable+440 (+0×72e5)
[ 98 4e 98 80:d0 66 e9 f4 ]
80840605-8084060a 6 bytes - nt!KxFlushEntireTb+9 (+0×1f3d)
[ ff 15 1c 10 80 80:e9 a5 7a b1 76 cc ]
Total bytes compared: 625257(100%)
Number of errors: 17
Scanning section: MISYSPTE
Size: 1906
Range to scan: 8089a000-8089a772
Total bytes compared: 1906(100%)
Number of errors: 0
Scanning section: POOLMI
Size: 7868
Range to scan: 8089b000-8089cebc
Total bytes compared: 7868(100%)
Number of errors: 0
Scanning section: POOLCODE
Size: 7754
Range to scan: 8089d000-8089ee4a
Total bytes compared: 7754(100%)
Number of errors: 0
Scanning section: PAGE
Size: 1097281
Range to scan: 808bc000-809c7e41
Total bytes compared: 1097281(100%)
Number of errors: 0
Scanning section: PAGELK
Size: 63633
Range to scan: 809c8000-809d7891
Total bytes compared: 63633(100%)
Number of errors: 0
Scanning section: PAGEWMI
Size: 7095
Range to scan: 809ef000-809f0bb7
Total bytes compared: 7095(100%)
Number of errors: 0
Scanning section: PAGEKD
Size: 16760
Range to scan: 809f1000-809f5178
Total bytes compared: 16760(100%)
Number of errors: 0
Scanning section: PAGEHDLS
Size: 7508
Range to scan: 809f7000-809f8d54
Total bytes compared: 7508(100%)
Number of errors: 0
17 errors : !nt (808373e3-8084060a)
0: kd> dds 8083e6c8
8083e6c8 f4e966d0 DriverA+0×20d8
8083e6cc 80983436 nt!NtUnloadKey2
8083e6d0 809837b5 nt!NtUnloadKeyEx
8083e6d4 8091cec8 nt!NtUnlockFile
8083e6d8 80805d80 nt!NtUnlockVirtualMemory
8083e6dc 80937630 nt!NtUnmapViewOfSection
8083e6e0 808e7154 nt!NtVdmControl
8083e6e4 809c6ba3 nt!NtWaitForDebugEvent
8083e6e8 8092dc24 nt!NtWaitForMultipleObjects
8083e6ec 8092ccf4 nt!NtWaitForSingleObject
8083e6f0 809c132f nt!NtWaitHighEventPair
8083e6f4 809c12c3 nt!NtWaitLowEventPair
8083e6f8 80925c8d nt!NtWriteFile
8083e6fc 80901790 nt!NtWriteFileGather
8083e700 8091214c nt!NtWriteRequestData
8083e704 8093e63b nt!NtWriteVirtualMemory
8083e708 80822751 nt!NtYieldExecution
8083e70c 808c7c46 nt!NtCreateKeyedEvent
8083e710 8093eee3 nt!NtOpenKeyedEvent
8083e714 809c1ee8 nt!NtReleaseKeyedEvent
8083e718 809c2183 nt!NtWaitForKeyedEvent
8083e71c 809a610b nt!NtQueryPortInformationProcess
8083e720 809a6123 nt!NtGetCurrentProcessorNumber
8083e724 809a1849 nt!NtWaitForMultipleObjects32
8083e728 90909090
8083e72c 1c0d3b90
8083e730 0f8089f1
8083e734 037aaa85
8083e738 00c1f700
8083e73c 0fffff00
8083e740 037a9e85
8083e744 9090c300
0: kd> u 808373e3
nt!KeAcquireQueuedSpinLockAtDpcLevel+0×1b:
808373e3 jmp DriverB+0×10e8 (f73580e8)
808373e8 int 3
808373e9 int 3
808373ea je nt!KeAcquireQueuedSpinLockAtDpcLevel+0×12 (808373da)
808373ec pause
808373ee jmp nt!KeAcquireQueuedSpinLockAtDpcLevel+0×1b (808373e3)
nt!KeReleaseInStackQueuedSpinLockFromDpcLevel:
808373f0 lea ecx,[ecx]
nt!KeReleaseQueuedSpinLockFromDpcLevel:
808373f2 mov eax,ecx
0: kd> u 80840605
nt!KxFlushEntireTb+0×9:
80840605 jmp DriverB+0×10af (f73580af)
8084060a int 3
8084060b mov byte ptr [ebp-1],al
8084060e mov ebx,offset nt!KiTbFlushTimeStamp (808a7100)
80840613 mov ecx,dword ptr [nt!KiTbFlushTimeStamp (808a7100)]
80840619 test cl,1
8084061c jne nt!KxFlushEntireTb+0×19 (8082cd8d)
80840622 mov eax,ecx
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Icons for Memory Dump Analysis Patterns (Part 34)
Friday, May 7th, 2010Today we introduce an icon for Truncated Dump pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
HP uses StressPrinters for driver stress testing
Thursday, May 6th, 2010Some recent news about StressPrinters tool designed according to Tool Façade DebugWare pattern:
“HP tests its print drivers with the StressPrinters tool provided by Citrix to simulate a user logon where multiple printers are autocreated concurrently.”
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Icons for Memory Dump Analysis Patterns (Part 33)
Thursday, May 6th, 2010Today we introduce an icon for Managed Code Exception pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Basic Software PLOTs (Part 0)
Thursday, May 6th, 2010Befind every trace and its messages is source code:
Borrowing the acronym PLOT (Program Lines of Trace) we now try to discern basic source code patterns that give rise to simple message patterns in software traces. There are only a few distinct PLOTs and the ability to mentally map trace statements to source code is crucial to software trace reading and comprehension. More about that in subsequent parts. More complex message patterns (for example, specific message blocks or correlated messages) arise from supportable and maintainable realizations of architectural, design and implementation patterns and will be covered in another post series.
I was thinking about acronym SLOT (Source Lines of Trace) but decided to use PLOT because it metaphorically bijects into literary theory and narrative plots.
Forthcoming CDF and ETW Software Trace Analysis: Practical Foundations
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org
PLOT (Debugging Slang, Part 10)
Wednesday, May 5th, 2010PLOT - Program Lines of Trace - the source code lines behind trace messages
Examples: What a plot do we have here! The struggle against the monster database component and endless voyages across space boundaries.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org
Icons for Memory Dump Analysis Patterns (Part 32)
Wednesday, May 5th, 2010Today we introduce an icon for Stack Overflow (user mode) pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Icons for Memory Dump Analysis Patterns (Part 31)
Tuesday, May 4th, 2010Today we introduce an icon for Stack Overflow (kernel mode) pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Forthcoming Book CDF and ETW Software Trace Analysis: Practical Foundations
Monday, May 3rd, 2010Modern pattern-driven software trace analysis on Microsoft and Citrix platforms urgently requires a practical guide and OpenTask plans to publish this summer the following book in both Practical Foundations and Systematic Software Fault Analysis series:
- Title: Citrix Common Diagnostic Facility (CDF) and Microsoft Event Tracing for Windows (ETW) Software Trace Analysis: Practical Foundations
- Author: Dmitry Vostokov
- Publisher: Opentask (August 2010)
- Language: English
- Product Dimensions: 22.86 x 15.24
- ISBN: 1906717176
- ISBN-13: 978-1906717179
- Paperback: 200 pages
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -