Software Diagnostics Library

Reading Notebook: 16-June-10

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Local security policy audit (pp. 511 - 512) - I used in the past to recommend process audit to track process launch sequences for debugging purposes

Access tokens have separate ACL (pp. 512 - 513)

MSV1_0 - local authentication package (p. 513)

Default credential providers authui.dll amd SmartcardCredentialProvider.dll (p. 514) - Here are stack traces from x64 LogonUI.exe:

THREAD fffffa8013dde9d0 Cid 0238.04f8 Teb: 000007fffffd7000 Win32Thread: fffff900c0679d50 WAIT: (UserRequest) UserMode Non-Alertable fffffa8013ddee60 SynchronizationEvent fffffa8013dde810 SynchronizationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa80296ecae0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 26019 Ticks: 402642 (0:01:44:41.255) Context Switch Count 170 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.046 Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefc6d151c) Stack Init fffffa6008efadb0 Current fffffa6008efa230 Base fffffa6008efb000 Limit fffffa6008ef5000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`08efa270 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`08efa3b0 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`08efa420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb fffffa60`08efa4a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e fffffa60`08efa960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2 fffffa60`08efabb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`08efac20) 00000000`0211f978 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa 00000000`0211f980 00000000`777ce2b5 kernel32!WaitForMultipleObjectsEx+0x10b 00000000`0211fa90 00000000`777ce32e USER32!RealMsgWaitForMultipleObjectsEx+0x129 00000000`0211fb30 000007fe`fe4fb196 USER32!MsgWaitForMultipleObjectsEx+0x46 00000000`0211fb70 000007fe`fe608d42 ole32!CCliModalLoop::BlockFn+0xb6 00000000`0211fbb0 000007fe`fc6d07ad ole32!CoWaitForMultipleHandles+0x102 00000000`0211fcb0 000007fe`fc6d15d4 authui!InternalCoWaitForSingleHandle+0x31 00000000`0211fcf0 000007fe`fc6d1525 authui!CCredentialProviderThread::_vThreadProc+0xa0 00000000`0211fd30 00000000`7769be3d authui!CCredentialProviderThread::_sThreadProc+0x9 00000000`0211fd60 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd 00000000`0211fd90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8013e48060 Cid 0238.0610 Teb: 000007fffffa0000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa8013e4ab50 NotificationEvent fffffa8013e425b0 SynchronizationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa80296ecae0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 13245 Ticks: 415416 (0:01:48:00.531) Context Switch Count 29 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007fefc481db0) Stack Init fffffa6009181db0 Current fffffa6009181230 Base fffffa6009182000 Limit fffffa600917c000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`09181270 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`091813b0 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`09181420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb fffffa60`091814a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e fffffa60`09181960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2 fffffa60`09181bb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`09181c20) 00000000`045efa48 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa 00000000`045efa50 00000000`77691aa1 kernel32!WaitForMultipleObjectsEx+0x10b 00000000`045efb60 000007fe`fc4819bb kernel32!WaitForMultipleObjects+0x11 00000000`045efba0 000007fe`fc481de1 SmartcardCredentialProvider!I_ReaderMonitorWorker+0x8f 00000000`045efc30 00000000`7769be3d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0x31 00000000`045efc70 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd 00000000`045efca0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Win32k.sys sends keyboard messages to LogonUI.exe via RPC (p. 514)

Secondary authentication providers in LogonUI.exe, SSON (p. 515)

wininit.exe is for session 0 legacy GUI processes (p. 516)

Raw input thread (p. 516) - here’re 3 kinds of csrss.exe (different IRPs):

session 0 (no IRP)

THREAD fffffa8013a7d980 Cid 02ec.0338 Teb: 000007fffffae000 Win32Thread: fffff900c00da010 WAIT: (WrUserRequest) KernelMode Alertable fffffa8013665d00 SynchronizationEvent fffffa8013037df0 NotificationTimer fffffa8013665c80 SynchronizationTimer fffff80001bb9f60 NotificationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa8029668710 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428616 Ticks: 45 (0:00:00:00.702) Context Switch Count 317 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x000007fefde7c3b0) Stack Init fffffa6002c33db0 Current fffffa6002c33890 Base fffffa6002c34000 Limit fffffa6002c2e000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`02c338d0 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`02c33a10 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`02c33a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0x2eb fffffa60`02c33b00 fffff960`00068317 win32k!RawInputThread+0x79c fffffa60`02c33bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0x67 fffffa60`02c33bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0x36 fffffa60`02c33c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`02c33c20) 00000000`002afd98 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`002afda0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0x19 00000000`002afdd0 00000000`00000000 ntdll!RtlUserThreadStart+0x29

session 1 (console, keyboard IRP)

THREAD fffffa80296821d0 Cid 0324.0370 Teb: 000007fffffd3000 Win32Thread: fffff900c00e33b0 WAIT: (WrUserRequest) KernelMode Alertable fffffa80137c6430 SynchronizationEvent fffffa802967fc30 NotificationTimer fffffa8029680360 SynchronizationTimer fffffa802967f970 SynchronizationEvent IRP List: fffffa802968b2e0: (0006,03a0) Flags: 00060970 Mdl: 00000000 fffffa802960d4c0: (0006,03a0) Flags: 00060970 Mdl: 00000000 fffffa8012ec7470: (0006,03a0) Flags: 00060970 Mdl: 00000000 Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa8029672c10 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428605 Ticks: 56 (0:00:00:00.873) Context Switch Count 24934 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0×000007fefde7c3b0) Stack Init fffffa6008bd0db0 Current fffffa6008bd0890 Base fffffa6008bd1000 Limit fffffa6008bcb000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`08bd08d0 fffff800`01a6b9fa nt!KiSwapContext+0×7f fffffa60`08bd0a10 fffff800`01a712db nt!KiSwapThread+0×13a fffffa60`08bd0a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0×2eb fffffa60`08bd0b00 fffff960`00068317 win32k!RawInputThread+0×79c fffffa60`08bd0bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0×67 fffffa60`08bd0bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0×36 fffffa60`08bd0c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`08bd0c20) 00000000`014afab8 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`014afac0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0×19 00000000`014afaf0 00000000`00000000 ntdll!RtlUserThreadStart+0×29

15: kd> !irp fffffa802968b2e0 Irp is active with 7 stacks 7 is current (= 0xfffffa802968b560) No Mdl: System buffer=fffffa8029688790: Thread fffffa80296821d0: Irp stack trace. cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa8013703ce0 fffffa8029687670 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa802960d4c0 Irp is active with 10 stacks 10 is current (= 0xfffffa802960d818) No Mdl: System buffer=fffffa8029681010: Thread fffffa80296821d0: Irp stack trace. cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa801392ace0 fffffa8029686880 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa8012ec7470 Irp is active with 3 stacks 3 is current (= 0xfffffa8012ec75d0) No Mdl: System buffer=fffffa8029687010: Thread fffffa80296821d0: Irp stack trace. cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa8013722060 fffffa8029680200 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

session N (terminal services, termdd IRP)

THREAD fffffa80168fbac0 Cid 175c.533c Teb: 000007fffffae000 Win32Thread: fffff900c018d010 WAIT: (WrUserRequest) KernelMode Alertable fffffa8015355e70 SynchronizationEvent fffffa8016442950 NotificationTimer fffffa80156f9f70 SynchronizationTimer fffffa8016967a50 SynchronizationEvent IRP List: fffffa801501ba30: (0006,0118) Flags: 00060900 Mdl: 00000000 Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa802b33ac10 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428641 Ticks: 20 (0:00:00:00.312) Context Switch Count 32238 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.218 Win32 Start Address winsrv!StartCreateSystemThreads (0×000007fefde7c3b0) Stack Init fffffa601ccdbdb0 Current fffffa601ccdb890 Base fffffa601ccdc000 Limit fffffa601ccd6000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`1ccdb8d0 fffff800`01a6b9fa nt!KiSwapContext+0×7f fffffa60`1ccdba10 fffff800`01a712db nt!KiSwapThread+0×13a fffffa60`1ccdba80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0×2eb fffffa60`1ccdbb00 fffff960`00068317 win32k!RawInputThread+0×79c fffffa60`1ccdbbc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0×67 fffffa60`1ccdbbf0 fffff800`01a69233 win32k!NtUserCallNoParam+0×36 fffffa60`1ccdbc20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`1ccdbc20) 00000000`0137f878 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`0137f880 00000000`778e2f6c winsrv!StartCreateSystemThreads+0×19 00000000`0137f8b0 00000000`00000000 ntdll!RtlUserThreadStart+0×29

15: kd> !irp fffffa801501ba30 Irp is active with 1 stacks 1 is current (= 0xfffffa801501bb00) No Mdl: No System Buffer: Thread fffffa80168fbac0: Irp stack trace. cmd flg cl Device File Completion-Context >[ 3, 0] 0 1 fffffa801370adb0 fffffa801705ef20 00000000-00000000 pending \Driver\TermDD Args: 00000078 00000000 00000000 00000000

Half-hash caching of passwords (p. 517)

logonsessions tool (pp. 519 - 520)

This entry was posted on Friday, June 18th, 2010 at 9:29 am and is filed under Notes on Windows Internals, Reading Notebook. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

You must be logged in to post a comment.

Reading Notebook: 16-June-10

Leave a Reply