Archive for September 28th, 2010

Reading Notebook: 20-September-10

Tuesday, September 28th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

I/O Completion Ports (pp. 592 - 598) - my own architectural investigation from a complete memory dump perspective: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/

Lock contention (p. 594) - some patterns: http://www.dumpanalysis.org/blog/index.php/2010/09/21/contention-patterns/

Concurrency value may exceed concurrency limit for I/O CP (p. 595)

KeRemoveQueueEx (p. 596) - see also Passive System Thread pattern: http://www.dumpanalysis.org/blog/index.php/2007/11/20/crash-dump-analysis-patterns-part-31a/

I/O priority queues and strategies for IRP (p. 599) - priority fields in _EPROCESS and _ETHREAD structures from x64 W2K8 R2:

1: kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb              : _KPROCESS
[...]
+0x438 DefaultIoPriority : Pos 27, 3 Bits
[...]

1: kd> dt _ETHREAD
ntdll!_ETHREAD
+0x000 Tcb              : _KTHREAD
[...]
+0x448 ThreadIoPriority : Pos 10, 3 Bits
[...]

Driver Verifier (pp. 604 - 606) - see also Instrumentation Information pattern: http://www.dumpanalysis.org/blog/index.php/2010/09/27/crash-dump-analysis-patterns-part-107/ 

WDF book (p. 607) - there is also another book coming soon: http://www.dumpanalysis.org/blog/index.php/2010/08/19/windows-7-device-driver-book/

Listing KMDF drivers (p. 608) - here’s the output from an x64 W2K8 R2 system:

1: kd> !wdfkd.wdfldr
LoadedModuleList      0xfffff8800115a2d8
----------------------------------
LIBRARY_MODULE  fffffa8003bc8d10
Version       v1.9 build(7600)
Service       \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
ImageName     Wdf01000.sys
ImageAddress  0xfffff880010ae000
ImageSize     0xa4000
Associated Clients: 10

  ImageName      Version    WdfGlobals         FxGlobals          ImageAddress       ImageSize
peauth.sys     v1.7(6001) 0xfffffa8004bf6510 0xfffffa8004bf63c0 0xfffff88004600000 0x000a6000
monitor.sys    v1.9(7600) 0xfffffa80048f55d0 0xfffffa80048f5480 0xfffff88003752000 0x0000e000
umbus.sys      v1.9(7600) 0xfffffa8004371160 0xfffffa8004371010 0xfffff88002db0000 0x00012000
CompositeBus.sys v1.9(7600) 0xfffffa8004440800 0xfffffa80044406b0 0xfffff88002a45000 0x00010000
HDAudBus.sys   v1.7(6001) 0xfffffa80043c9160 0xfffffa80043c9010 0xfffff88002b48000 0x00024000
intelppm.sys   v1.9(7600) 0xfffffa8004271dd0 0xfffffa8004271c80 0xfffff88002ab0000 0x00016000
cdrom.sys      v1.9(7600) 0xfffffa80041f3fc0 0xfffffa80041f3e70 0xfffff88001400000 0x0002a000
vmstorfl.sys   v1.5(6000) 0xfffffa80040129e0 0xfffffa8004012890 0xfffff88001750000 0x00010000
msisadrv.sys   v1.9(7600) 0xfffffa8003ebb910 0xfffffa8003ebb7c0 0xfffff880012c6000 0x0000a000
vdrvroot.sys   v1.9(7600) 0xfffffa8003d3fa00 0xfffffa8003d3f8b0 0xfffff88001262000 0x0000d000
----------------------------------
Total: 1 library loaded

Extension of device extension extension into object context in KMDF (pp. 611 - 612)

UMDF reflectors (p. 617)

WUDFHost.exe (p. 618) - here’s its stack trace collection from x64 W2K8 R2 after I inserted a USB flash drive and attached WinDbg noninvasively:

0:000> ~*k

.  0  Id: 58c.12f4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0018f988 000007fe`fd8510ac ntdll!ZwWaitForSingleObject+0xa
00000000`0018f990 00000000`ff3bba44 KERNELBASE!WaitForSingleObjectEx+0x9c
00000000`0018fa30 00000000`ff3b8ce7 WUDFHost!CLpcNotification::Run+0x1c
00000000`0018fa60 00000000`ff3d2cb1 WUDFHost!wmain+0xc7b
00000000`0018fc60 00000000`7746f56d WUDFHost!ConvertStringSidToSidW+0x19b
00000000`0018fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0018fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   1  Id: 58c.1304 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00c4f918 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00c4f920 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00c4f990 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00c4f9e0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00c4fa70 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00c4fc20 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00c4fc70 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00c4fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00c4fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   2  Id: 58c.6e8 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00dfe988 000007fe`fd853ef8 ntdll!NtQueryAttributesFile+0xa
00000000`00dfe990 000007fe`f3be9970 KERNELBASE!GetFileAttributesW+0x78
00000000`00dfea30 000007fe`f27ce8c9 WpdFs!COperationGetFastBasicProperties::OnImpersonate+0x1c0
00000000`00dfea70 000007fe`f3be9734 WUDFx!CWdfIoRequest::Impersonate+0x151
00000000`00dfeae0 000007fe`f3bda26b WpdFs!COperationGetFastBasicProperties::Invoke+0x2c4
00000000`00dfeb50 000007fe`f3bd8837 WpdFs!WpdObjectProperties::GetValues+0x3f7
00000000`00dfecd0 000007fe`f3bd8344 WpdFs!WpdObjectProperties::OnGetValues+0x10b
00000000`00dfed50 000007fe`f3bcf974 WpdFs!WpdObjectProperties::DispatchWpdMessage+0x1a0
00000000`00dfee10 000007fe`f3bcd51a WpdFs!WpdBaseDriver::DispatchWpdMessage+0x4c0
00000000`00dfef60 000007fe`f3bcdd6c WpdFs!CQueue::ProcessWpdMessage+0x29a
00000000`00dff010 000007fe`f27bf610 WpdFs!CQueue::OnDeviceIoControl+0x494
00000000`00dff160 000007fe`f27c0b5a WUDFx!CWdfIoQueue::SubmitRequest+0x358
00000000`00dff1f0 000007fe`f27c0955 WUDFx!CWdfIoQueue::DispatchRequestToDriver+0x86
00000000`00dff240 000007fe`f27bff83 WUDFx!CWdfIoQueue::DispatchEvents+0x3cd
00000000`00dff2b0 000007fe`f27b61b5 WUDFx!CWdfIoQueue::QueueRequest+0x2c3
00000000`00dff300 000007fe`f27b6f20 WUDFx!CWdfDevice::DispatchRequest+0x149
00000000`00dff350 00000000`ff3ccbb6 WUDFx!CWdfDevice::DeviceControl+0x1a8
00000000`00dff3c0 00000000`ff3c2f92 WUDFHost!CWudfIoIrp::Dispatch+0x13e
00000000`00dff420 00000000`ff3bad47 WUDFHost!CWudfDeviceStack::Forward+0x41a
00000000`00dff490 000007fe`fb87da6a WUDFHost!CLpcNotification::Message+0xd9b
00000000`00dff6c0 000007fe`fb87c848 WUDFPlatform!WdfLpcPort::ProcessMessage+0x3be
00000000`00dff760 000007fe`fb87b299 WUDFPlatform!WdfLpcCommPort::ProcessMessage+0x214
00000000`00dff7b0 000007fe`fb87b900 WUDFPlatform!WdfLpcConnPort::ProcessMessage+0xf9
00000000`00dff830 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x178
00000000`00dff880 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00dff8b0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00dff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   3  Id: 58c.2e4 Suspend: 1 Teb: 000007ff`fffd8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00d7f5e8 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00d7f5f0 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00d7f660 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00d7f6b0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00d7f740 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00d7f8f0 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00d7f940 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00d7f970 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00d7f9a0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   4  Id: 58c.12b4 Suspend: 1 Teb: 000007ff`fffd6000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00f8fa58 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00f8fa60 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00f8fad0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00f8fb20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00f8fbb0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00f8fd60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00f8fdb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00f8fde0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00f8fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   5  Id: 58c.106c Suspend: 1 Teb: 000007ff`fffd3000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00f0f958 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00f0f960 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00f0f9d0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00f0fa20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00f0fab0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00f0fc60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00f0fcb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00f0fce0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00f0fd10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   6  Id: 58c.8fc Suspend: 1 Teb: 000007ff`fffae000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0136f8c8 00000000`7758c95e USER32!NtUserGetMessage+0xa
00000000`0136f8d0 000007fe`f3bd26e5 USER32!GetMessageW+0x34
00000000`0136f900 00000000`7746f56d WpdFs!CDiskNotifier::NotificationThreadWorker+0x245
00000000`0136fa50 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0136fa80 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   7  Id: 58c.520 Suspend: 1 Teb: 000007ff`fffac000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0152f6f8 00000000`77689bd7 ntdll!ZwWaitForMultipleObjects+0xa
00000000`0152f700 00000000`7746f56d ntdll!EtwTraceMessageVa+0xe07
00000000`0152f9a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0152f9d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   8  Id: 58c.89c Suspend: 1 Teb: 000007ff`fffaa000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`012df9b8 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`012df9c0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`012dfcc0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`012dfcf0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   9  Id: 58c.1394 Suspend: 1 Teb: 000007ff`fffa8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0140f498 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0140f4a0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0140f7a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0140f7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  10  Id: 58c.1294 Suspend: 1 Teb: 000007ff`fffa6000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0182f758 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0182f760 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0182fa60 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0182fa90 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  11  Id: 58c.a98 Suspend: 1 Teb: 000007ff`fffa4000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0170f708 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0170f710 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0170fa10 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0170fa40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  12  Id: 58c.121c Suspend: 1 Teb: 000007ff`fffa2000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0179fd68 000007fe`fd851203 ntdll!NtDelayExecution+0xa
00000000`0179fd70 000007fe`fe2cea00 KERNELBASE!SleepEx+0xb3
00000000`0179fe10 000007fe`fe2d2046 ole32!CROIDTable::WorkerThreadLoop+0x10
00000000`0179fe40 000007fe`fe2d358a ole32!CRpcThread::WorkerLoop+0x1e
00000000`0179fe80 00000000`7746f56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
00000000`0179feb0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0179fee0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
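
Added example (not part of the original post, and not a WinDbg feature): a Python script that parses a ~*k stack trace collection like the one above, groups threads whose module!function stacks are identical, and names the first non-OS component on each stack. The OS_API_MODULES set and the 0x1000 offset cut-off are assumptions chosen for illustration; a large offset often means the debugger resolved the address to the nearest exported symbol, so such names deserve a second look.

```python
import re
# Constructed sample: threads 0-3 from the listing above, each cut to its top frames.
SAMPLE = r"""
.  0  Id: 58c.12f4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0018f988 000007fe`fd8510ac ntdll!ZwWaitForSingleObject+0xa
00000000`0018f990 00000000`ff3bba44 KERNELBASE!WaitForSingleObjectEx+0x9c
00000000`0018fa30 00000000`ff3b8ce7 WUDFHost!CLpcNotification::Run+0x1c

   1  Id: 58c.1304 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00c4f918 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00c4f920 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00c4f990 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00c4f9e0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4

   2  Id: 58c.6e8 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00dfe988 000007fe`fd853ef8 ntdll!NtQueryAttributesFile+0xa
00000000`00dfe990 000007fe`f3be9970 KERNELBASE!GetFileAttributesW+0x78
00000000`00dfea30 000007fe`f27ce8c9 WpdFs!COperationGetFastBasicProperties::OnImpersonate+0x1c0

   3  Id: 58c.2e4 Suspend: 1 Teb: 000007ff`fffd8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00d7f5e8 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00d7f5f0 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00d7f660 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00d7f6b0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
"""

THREAD_RE = re.compile(r"^[.#]?\s*(\d+)\s+Id:\s+([0-9a-f]+)\.([0-9a-f]+)\s", re.I)
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+"
                      r"([^!\s]+)!(\S+?)(?:\+0x([0-9a-f]+))?$", re.I)
OS_API_MODULES = {"ntdll", "kernelbase", "kernel32", "user32"}  # assumed "generic" set

def parse_stack_collection(text):
    """Parse ~*k output into [{'index', 'pid', 'tid', 'frames': [(mod, fn, off)]}]."""
    threads = []
    for line in map(str.strip, text.splitlines()):
        m = THREAD_RE.match(line)
        if m:
            threads.append({"index": int(m.group(1)), "pid": int(m.group(2), 16),
                            "tid": int(m.group(3), 16), "frames": []})
            continue
        m = FRAME_RE.match(line)
        if m and threads:  # column headers and blank lines match neither pattern
            threads[-1]["frames"].append((m.group(1), m.group(2), int(m.group(3) or "0", 16)))
    return threads

def group_by_signature(threads):
    """Map each distinct module!function sequence to the thread indexes sharing it."""
    groups = {}
    for t in threads:
        sig = tuple(f"{mod}!{fn}" for mod, fn, _ in t["frames"])
        groups.setdefault(sig, []).append(t["index"])
    return groups

def first_component_frame(thread):
    """First frame outside the generic OS API modules, i.e. the component at work."""
    for mod, fn, _ in thread["frames"]:
        if mod.lower() not in OS_API_MODULES:
            return f"{mod}!{fn}"
    return None

def suspect_symbols(threads, threshold=0x1000):
    """Frames at offset >= threshold (arbitrary): name may be only the nearest export."""
    return sorted({f"{mod}!{fn}+{off:#x}" for t in threads
                   for mod, fn, off in t["frames"] if off >= threshold})

if __name__ == "__main__":
    parsed = parse_stack_collection(SAMPLE)
    print([(t["index"], first_component_frame(t)) for t in parsed])
    print(list(group_by_signature(parsed).values()), suspect_symbols(parsed))
```

Fed the full listing, the grouping collapses the idle LPC and worker-factory threads into two entries and leaves thread 2, the only one executing WpdFs code, standing alone.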

Icons for Memory Dump Analysis Patterns (Part 76)

Tuesday, September 28th, 2010

Today we introduce an icon for Dispatch Level Spin pattern:

B/W

Color

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Bugtation No.125

Tuesday, September 28th, 2010

Who’s your BOSS (Basic Operating Support System)?

I report to Memory……………………………………………………….

Dmitry Vostokov
