Comments on: Attached Processes https://www.dumpanalysis.org/blog/index.php/2010/06/11/attached-processes/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Wed, 06 May 2026 20:18:28 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2010/06/11/attached-processes/#comment-158832 Dmitry Vostokov Wed, 16 Jun 2010 21:05:08 +0000 https://www.dumpanalysis.org/blog/index.php/2010/06/11/attached-processes/#comment-158832 Here is an example when System process is attached (for system thread): THREAD 8827cdb0 Cid 0f64.2ef8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Unknown) KernelMode Non-Alertable 89562144 SynchronizationEvent IRP List: 897548c0: (0006,0094) Flags: 00000404 Mdl: 00000000 Not impersonating DeviceMap e1003880 Owning Process 89e264e8 Image: svchost.exe Attached Process 8a78c7e0 Image: System Wait Start TickCount 3705814 Ticks: 3365934 (0:14:36:32.718) Context Switch Count 424599 UserTime 00:00:00.000 KernelTime 00:00:03.578 Start Address termdd!_IcaDriverThread (0xf683a30c) Stack Init f40e2000 Current f40e1294 Base f40e2000 Limit f40df000 Call 0 Priority 10 BasePriority 10 PriorityDecrement 0 ChildEBP RetAddr f40e12ac 8083d26e nt!KiSwapContext+0x26 f40e12d8 8083dc5e nt!KiSwapThread+0x2e5 f40e1320 f5baa873 nt!KeWaitForSingleObject+0x346 f40e136c f5ba1965 tcpip!TCPCleanup+0xcf f40e13a8 8083fe13 tcpip!TCPDispatch+0x10c f40e13bc 80930b42 nt!IofCallDriver+0x45 f40e13ec 8092d5e0 nt!IopCloseFile+0x2ae f40e141c 8092d783 nt!ObpDecrementHandleCount+0xcc f40e1444 8092d6a7 nt!ObpCloseHandleTableEntry+0x131 f40e1488 8092d6f2 nt!ObpCloseHandle+0x82 f40e1498 8083387f nt!NtClose+0x1b f40e1498 8083acd4 nt!KiFastCallEntry+0xfc (TrapFrame @ f40e14a4) f40e1514 f6839c6c nt!ZwClose+0x11 f40e152c f43ce141 termdd!IcaZwClose+0x48 f40e1548 f43cc80a TDTCP!DeviceCancelIo+0xa1 f40e1558 f43cceb5 TDTCP!StackCancelIo+0x24 f40e1d90 f683a359 TDTCP!TdInputThread+0x25b f40e1dac 8092277b termdd!_IcaDriverThread+0x4d f40e1ddc 8083fb5f nt!PspSystemThreadStartup+0x2e 00000000 00000000 nt!KiThreadStartup+0x16 Here is an example when System process is attached (for system thread):

THREAD 8827cdb0 Cid 0f64.2ef8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Unknown) KernelMode Non-Alertable
89562144 SynchronizationEvent
IRP List:
897548c0: (0006,0094) Flags: 00000404 Mdl: 00000000
Not impersonating
DeviceMap e1003880
Owning Process 89e264e8 Image: svchost.exe
Attached Process 8a78c7e0 Image: System
Wait Start TickCount 3705814 Ticks: 3365934 (0:14:36:32.718)
Context Switch Count 424599
UserTime 00:00:00.000
KernelTime 00:00:03.578
Start Address termdd!_IcaDriverThread (0xf683a30c)
Stack Init f40e2000 Current f40e1294 Base f40e2000 Limit f40df000 Call 0
Priority 10 BasePriority 10 PriorityDecrement 0
ChildEBP RetAddr
f40e12ac 8083d26e nt!KiSwapContext+0×26
f40e12d8 8083dc5e nt!KiSwapThread+0×2e5
f40e1320 f5baa873 nt!KeWaitForSingleObject+0×346
f40e136c f5ba1965 tcpip!TCPCleanup+0xcf
f40e13a8 8083fe13 tcpip!TCPDispatch+0×10c
f40e13bc 80930b42 nt!IofCallDriver+0×45
f40e13ec 8092d5e0 nt!IopCloseFile+0×2ae
f40e141c 8092d783 nt!ObpDecrementHandleCount+0xcc
f40e1444 8092d6a7 nt!ObpCloseHandleTableEntry+0×131
f40e1488 8092d6f2 nt!ObpCloseHandle+0×82
f40e1498 8083387f nt!NtClose+0×1b
f40e1498 8083acd4 nt!KiFastCallEntry+0xfc (TrapFrame @ f40e14a4)
f40e1514 f6839c6c nt!ZwClose+0×11
f40e152c f43ce141 termdd!IcaZwClose+0×48
f40e1548 f43cc80a TDTCP!DeviceCancelIo+0xa1
f40e1558 f43cceb5 TDTCP!StackCancelIo+0×24
f40e1d90 f683a359 TDTCP!TdInputThread+0×25b
f40e1dac 8092277b termdd!_IcaDriverThread+0×4d
f40e1ddc 8083fb5f nt!PspSystemThreadStartup+0×2e
00000000 00000000 nt!KiThreadStartup+0×16

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2010/06/11/attached-processes/#comment-157587 Dmitry Vostokov Fri, 11 Jun 2010 15:29:45 +0000 https://www.dumpanalysis.org/blog/index.php/2010/06/11/attached-processes/#comment-157587 Great! I missed that post from your blog. Reading now Thanks, Dmitry Great! I missed that post from your blog. Reading now
Thanks,
Dmitry

]]> By: Scott https://www.dumpanalysis.org/blog/index.php/2010/06/11/attached-processes/#comment-157575 Scott Fri, 11 Jun 2010 14:27:21 +0000 https://www.dumpanalysis.org/blog/index.php/2010/06/11/attached-processes/#comment-157575 I covered a bit more detail on why these two fields exist and the differences in the debugger output depending on the target O/S version here: http://analyze-v.com/?p=234 -scott I covered a bit more detail on why these two fields exist and the differences in the debugger output depending on the target O/S version here:

http://analyze-v.com/?p=234

-scott

]]>