Crash Dump Analysis Patterns (Part 141)
Sometimes it is useful to know how long ago a thread was created, in order to understand when other behavioral patterns may have started to appear. In user process memory dumps that include saved thread time information we can see this using the !runaway WinDbg extension command or the .ttime command. For example, looking at a stack trace collection we notice a thread blocked in an LPC (ALPC) call:
0:000> ~40 kc
Call Site
ntdll!NtAlpcSendWaitReceivePort
rpcrt4!LRPC_CCALL::SendReceive
rpcrt4!NdrpClientCall3
rpcrt4!NdrClientCall3
[...]
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
We are interested in when all this started because we want to compare it with other coupled process memory dumps saved at different times. The elapsed time column of !runaway shows how long each thread has existed:
0:000> !runaway f
 User Mode Time
[...]
 Kernel Mode Time
  Thread       Time
[...]
 Elapsed Time
  Thread       Time
   0:8ac       4 days 11:42:14.484
   1:8b4       4 days 11:42:14.296
[...]
  35:868       4 days 10:18:48.255
  36:73ec      0 days 15:55:31.938
  37:c0bc      0 days 10:36:53.447
  38:782c      0 days 0:02:01.683
  39:5864      0 days 0:00:52.236
  40:5ffc      0 days 0:00:02.565
0:000> ~40s
ntdll!NtAlpcSendWaitReceivePort+0xa:
00000000`76d3ff0a c3 ret
0:040> .ttime
Created: Tue Jun 14 15:15:28.444 2011
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
0:040> .time
Debug session time: Tue Jun 14 15:15:31.000 2011
System Uptime: 4 days 11:43:21.389
Process Uptime: 4 days 11:42:15.000
Kernel time: 0 days 0:00:10.000
User time: 0 days 0:04:22.000
We call this pattern Thread Age. The blocked thread was created only a couple of seconds before the dump was saved (compare the .ttime creation time with the .time debug session time, and the 2.565 s elapsed time reported by !runaway), whereas most other threads had been running for over four days. Comparing its creation time with the debug session times of the other dumps shows that it was actually created after those dumps were saved.
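The comparison above is easy to do by hand for one thread, but with many dumps of coupled processes it is quicker to script it. The following Python script is an added example and is not part of the original post or of WinDbg; it assumes you have copied the text of .ttime, .time and !runaway into strings (the sample strings below are constructed from the output shown above, and the session times of the two "other" dumps are made up for illustration). The function and variable names are hypothetical.

```python
# Added example (not from the original page): compute Thread Age from copied
# WinDbg output. Assumes the .ttime, .time and !runaway text was pasted into
# strings; nothing here talks to a live debugger.
import re
from datetime import datetime, timedelta

# Constructed sample input: the .ttime and .time output for thread 40 shown above.
TTIME_OUTPUT = """\
Created: Tue Jun 14 15:15:28.444 2011
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
"""
TIME_OUTPUT = """\
Debug session time: Tue Jun 14 15:15:31.000 2011
System Uptime: 4 days 11:43:21.389
Process Uptime: 4 days 11:42:15.000
Kernel time: 0 days 0:00:10.000
User time: 0 days 0:04:22.000
"""
# Constructed sample input: the Elapsed Time section of !runaway for the same process.
RUNAWAY_OUTPUT = """\
 Elapsed Time
  Thread       Time
   0:8ac       4 days 11:42:14.484
   1:8b4       4 days 11:42:14.296
  35:868       4 days 10:18:48.255
  36:73ec      0 days 15:55:31.938
  37:c0bc      0 days 10:36:53.447
  38:782c      0 days 0:02:01.683
  39:5864      0 days 0:00:52.236
  40:5ffc      0 days 0:00:02.565
"""

# Matches "Tue Jun 14 15:15:28.444 2011"; a trailing "(UTC + 1:00)" suffix is ignored.
_TIMESTAMP = r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} \d{4})"
_DURATION = re.compile(r"(\d+) days (\d+):(\d+):(\d+)\.(\d{3})")
_RUNAWAY_ROW = re.compile(r"^\s*(\d+):([0-9a-fA-F]+)\s+(\d+ days \S+)")


def parse_timestamp(text: str) -> datetime:
    """Parse a WinDbg timestamp; the day of month may be space padded."""
    return datetime.strptime(re.sub(r"\s+", " ", text.strip()),
                             "%a %b %d %H:%M:%S.%f %Y")


def parse_duration(text: str) -> timedelta:
    """Parse 'D days H:MM:SS.mmm' as printed by !runaway, .ttime and .time."""
    m = _DURATION.search(text)
    if m is None:
        raise ValueError(f"not a WinDbg duration: {text!r}")
    d, h, mi, s, ms = (int(g) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s, milliseconds=ms)


def _timestamp_after(label: str, output: str) -> datetime:
    """Return the timestamp that follows `label` (e.g. 'Created:') in the output."""
    m = re.search(re.escape(label) + r"\s+" + _TIMESTAMP, output)
    if m is None:
        raise ValueError(f"{label!r} not found in output")
    return parse_timestamp(m.group(1))


def thread_age_seconds(ttime_output: str, time_output: str) -> float:
    """Thread Age: debug session time (.time) minus thread creation time (.ttime)."""
    created = _timestamp_after("Created:", ttime_output)
    session = _timestamp_after("Debug session time:", time_output)
    return (session - created).total_seconds()


def elapsed_by_thread(runaway_output: str) -> dict:
    """Map debugger thread index -> elapsed time, taken from the Elapsed Time section."""
    ages = {}
    in_section = False
    for line in runaway_output.splitlines():
        if "Elapsed Time" in line:
            in_section = True
            continue
        row = _RUNAWAY_ROW.match(line) if in_section else None
        if row:
            ages[int(row.group(1))] = parse_duration(row.group(3))
    return ages


def young_threads(runaway_output: str, max_age_seconds: float) -> list:
    """Indices of threads no older than max_age_seconds, youngest first."""
    ages = elapsed_by_thread(runaway_output)
    return sorted((i for i, a in ages.items() if a.total_seconds() <= max_age_seconds),
                  key=lambda i: ages[i])


def dumps_saved_before_creation(ttime_output: str, other_session_times: dict) -> list:
    """Names of other dumps (name -> .time session timestamp) saved before this thread existed."""
    created = _timestamp_after("Created:", ttime_output)
    return sorted(name for name, ts in other_session_times.items()
                  if parse_timestamp(ts) < created)


if __name__ == "__main__":
    print(f"thread age: {thread_age_seconds(TTIME_OUTPUT, TIME_OUTPUT):.3f} s")
    print("threads younger than 5 min:", young_threads(RUNAWAY_OUTPUT, 300))
    # Constructed (hypothetical) session times of two other dumps of a coupled process.
    others = {"dump_A": "Tue Jun 14 15:10:00.000 2011",
              "dump_B": "Tue Jun 14 15:20:00.000 2011"}
    print("saved before the thread was created:",
          dumps_saved_before_creation(TTIME_OUTPUT, others))
```

Note that the age computed from .ttime and .time (2.556 s) differs slightly from the !runaway elapsed time (2.565 s) because the debug session time in this dump is only given to whole seconds; when the two disagree, treat the !runaway value as the more precise one and use the .ttime creation time for the cross-dump comparison.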
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -