Abridged dump, embedded comment, spiking thread, incorrect stack trace and top module: pattern cooperation
When loading a process user memory dump we recognized it as abridged (a minidump with only registers, stacks and selected memory regions), and its embedded comment pointed to a spiking thread:
Loading Dump File [ApplicationA_101212_165342.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Comment: '
*** procdump -c 60 -s 5 -n 3 ApplicationA.exe
*** Process exceeded 60% CPU for 5 seconds. Thread consuming CPU: 540 (0x21c)'
This thread (540 decimal, 0x21c hex) is already the current thread, marked with "." in the thread list:
0:005> ~
0 Id: c1c.c20 Suspend: 0 Teb: 7ffdf000 Unfrozen
1 Id: c1c.c44 Suspend: 0 Teb: 7ffde000 Unfrozen
2 Id: c1c.d34 Suspend: 0 Teb: 7ffdc000 Unfrozen
3 Id: c1c.d38 Suspend: 0 Teb: 7ffda000 Unfrozen
4 Id: c1c.d3c Suspend: 0 Teb: 7ffd9000 Unfrozen
. 5 Id: c1c.21c Suspend: 0 Teb: 7ffd8000 Unfrozen
6 Id: c1c.1c10 Suspend: 0 Teb: 7ffdd000 Unfrozen
7 Id: c1c.1678 Suspend: 0 Teb: 7ffd6000 Unfrozen
8 Id: c1c.cbc Suspend: 0 Teb: 7ffd5000 Unfrozen
9 Id: c1c.1754 Suspend: 0 Teb: 7ffaf000 Unfrozen
10 Id: c1c.c40 Suspend: 0 Teb: 7ffad000 Unfrozen
11 Id: c1c.1d24 Suspend: 0 Teb: 7ffd7000 Unfrozen
The stack trace looks incorrect (note the warning about missing unwind information, after which the frames cannot be trusted):
0:005> kL
ChildEBP RetAddr
01abc4d8 6efba23d ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
01abc988 7c820833 ModuleB+0x2a23d
01abcbe4 7c8207f6 kernel32!GetVolumeNameForRoot+0x26
01abcc0c 7c82e6de kernel32!BasepGetVolumeNameForVolumeMountPoint+0x75
01abcc54 6efaf70b kernel32!GetVolumePathNameW+0x18a
01abccdc 6efbd1a6 ModuleB+0x1f70b
01abcce0 00000000 ModuleB+0x2d1a6
However, the top non-system module on the stack is a 3rd-party module, and we advise keeping an eye on it:
0:005> lmt m ModuleB
start end module name
6ef90000 6efff000 ModuleB Wed Mar 10 20:18:21 2010
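The pattern cooperation above (procdump comment, spiking thread, suspect stack, top module) is mechanical enough to script for triage. The following Python is an added example and is not code from the original post: it parses the WinDbg output shown above (embedded here as sample input), confirms that the thread named in the comment is the current thread, records the unwind warning, and reports the first non-system module on the stack. The list of modules treated as system modules is an assumption and should be tuned for your environment.

```python
import re

# Sample input: the WinDbg output from the listing above, embedded so the script runs offline.
COMMENT = """Comment: '
*** procdump -c 60 -s 5 -n 3 ApplicationA.exe
*** Process exceeded 60% CPU for 5 seconds. Thread consuming CPU: 540 (0x21c)'"""

THREADS = """0:005> ~
   0  Id: c1c.c20 Suspend: 0 Teb: 7ffdf000 Unfrozen
   1  Id: c1c.c44 Suspend: 0 Teb: 7ffde000 Unfrozen
   2  Id: c1c.d34 Suspend: 0 Teb: 7ffdc000 Unfrozen
   3  Id: c1c.d38 Suspend: 0 Teb: 7ffda000 Unfrozen
   4  Id: c1c.d3c Suspend: 0 Teb: 7ffd9000 Unfrozen
.  5  Id: c1c.21c Suspend: 0 Teb: 7ffd8000 Unfrozen
   6  Id: c1c.1c10 Suspend: 0 Teb: 7ffdd000 Unfrozen
   7  Id: c1c.1678 Suspend: 0 Teb: 7ffd6000 Unfrozen"""

STACK = """0:005> kL
ChildEBP RetAddr
01abc4d8 6efba23d ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
01abc988 7c820833 ModuleB+0x2a23d
01abcbe4 7c8207f6 kernel32!GetVolumeNameForRoot+0x26
01abcc0c 7c82e6de kernel32!BasepGetVolumeNameForVolumeMountPoint+0x75
01abcc54 6efaf70b kernel32!GetVolumePathNameW+0x18a
01abccdc 6efbd1a6 ModuleB+0x1f70b
01abcce0 00000000 ModuleB+0x2d1a6"""

# Assumption: modules considered OS-provided; anything else is a candidate "top module".
SYSTEM_MODULES = {"ntdll", "kernel32", "kernelbase", "user32", "advapi32", "msvcrt"}


def spiking_thread_id(comment):
    """Return the TID from the procdump comment, cross-checking the decimal and hex forms."""
    m = re.search(r"Thread consuming CPU:\s*(\d+)\s*\((0x[0-9a-fA-F]+)\)", comment)
    if not m:
        return None
    dec, hx = int(m.group(1)), int(m.group(2), 16)
    if dec != hx:
        raise ValueError("comment TID mismatch: %d vs %#x" % (dec, hx))
    return dec


def parse_threads(listing):
    """Parse '~' output into dicts of index, tid (int) and whether it is the current thread."""
    threads = []
    for line in listing.splitlines():
        m = re.match(r"\s*([.#]?)\s*(\d+)\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)", line)
        if m:
            threads.append({"index": int(m.group(2)),
                            "tid": int(m.group(4), 16),
                            "current": m.group(1) == "."})
    return threads


def find_thread(threads, tid):
    """Locate the thread list entry whose TID matches the one from the comment."""
    return next((t for t in threads if t["tid"] == tid), None)


def parse_stack(listing):
    """Parse 'kL' output into (frames, unwind_warning); frame = (child_ebp, ret_addr, symbol)."""
    frames, warning = [], False
    for line in listing.splitlines():
        if line.startswith("WARNING: Stack unwind information not available"):
            warning = True
            continue
        m = re.match(r"([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", line)
        if m:
            frames.append(m.groups())
    return frames, warning


def top_module(frames, system=SYSTEM_MODULES):
    """First module from the top of the stack that is not in the system set."""
    for _, _, sym in frames:
        mod = re.split(r"[!+]", sym, 1)[0]
        if mod.lower() not in system:
            return mod
    return None


def triage(comment, thread_listing, stack_listing):
    """Tie the patterns together: comment -> thread -> stack -> top module."""
    tid = spiking_thread_id(comment)
    thread = find_thread(parse_threads(thread_listing), tid)
    frames, warning = parse_stack(stack_listing)
    return {
        "tid": tid,
        "thread_index": thread["index"] if thread else None,
        "is_current": bool(thread and thread["current"]),
        "stack_suspect": warning,      # frames after the warning may be wrong
        "top_module": top_module(frames),
        "frame_count": len(frames),
    }


if __name__ == "__main__":
    for k, v in triage(COMMENT, THREADS, STACK).items():
        print("%-13s %s" % (k, v))
```

Because the stack is flagged as suspect, the top-module result is a lead for further checks (symbols for ModuleB, `!analyze -v`, manual stack reconstruction with `dps`), not a conclusion on its own.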
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -