The First Evidence for Process Resurrection

I recently analyzed a process memory dump and noticed that the process (up and running) had survived a system reboot :-)

0:000> version
Windows Vista Version 6000 MP (2 procs) Free x64
Product: WinNt, suite: SingleUserTS Personal
kernel32.dll version: 6.0.6000.16386 (vista_rtm.061101-2205)
Machine Name:
Debug session time: Tue Jul 12 16:53:07.000 2011 (UTC + 1:00)
System Uptime: 0 days 1:27:04.516
Process Uptime: 1 days 4:05:35.000
  Kernel time: 0 days 0:00:13.000
  User time: 0 days 0:00:04.000
[…]

I have a hypothesis about how this could have happened and am interested in hearing yours. I'll write mine up later on.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
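As an added example (my own code, not from the original post), here is a small Python check that parses the timing lines of a WinDbg `version` header and flags exactly the anomaly shown above: a process uptime greater than the system uptime. It also reconstructs the implied boot time and process start time from the debug session time. The sample header is the one in the post, re-typed as a constructed string; the function and field names are my own.

```python
"""Sanity-check the timing lines of a WinDbg `version` header."""
import re
from datetime import datetime, timedelta

# Constructed sample: the header from the post, re-typed; only the timing lines matter.
SAMPLE_VERSION_OUTPUT = """\
Windows Vista Version 6000 MP (2 procs) Free x64
Product: WinNt, suite: SingleUserTS Personal
kernel32.dll version: 6.0.6000.16386 (vista_rtm.061101-2205)
Machine Name:
Debug session time: Tue Jul 12 16:53:07.000 2011 (UTC + 1:00)
System Uptime: 0 days 1:27:04.516
Process Uptime: 1 days 4:05:35.000
  Kernel time: 0 days 0:00:13.000
  User time: 0 days 0:00:04.000
"""

# 'N days H:MM:SS.mmm' as WinDbg prints it; the fractional part is treated as optional.
_UPTIME_RE = re.compile(r"(\d+) days (\d+):(\d+):(\d+)(?:\.(\d+))?")
# 'Tue Jul 12 16:53:07.000 2011' followed by the (UTC ...) offset.
_SESSION_RE = re.compile(r"Debug session time:\s*(.+?)\s*\(UTC")
_TIMING_KEYS = ("System Uptime", "Process Uptime", "Kernel time", "User time")


def parse_uptime(text: str) -> timedelta:
    """Convert a WinDbg uptime string such as '1 days 4:05:35.000' to a timedelta."""
    m = _UPTIME_RE.search(text)
    if not m:
        raise ValueError(f"not a WinDbg uptime string: {text!r}")
    days, hours, minutes, seconds = (int(g) for g in m.groups()[:4])
    millis = int(m.group(5).ljust(3, "0")[:3]) if m.group(5) else 0
    return timedelta(days=days, hours=hours, minutes=minutes,
                     seconds=seconds, milliseconds=millis)


def parse_version_header(output: str) -> dict:
    """Pull the timing fields out of the text printed by the `version` command.

    Returns timedeltas for the uptime lines and a naive local datetime (the
    header's own zone) for the debug session time. Lines WinDbg prints as
    'not available' are skipped rather than parsed.
    """
    fields = {}
    for line in output.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key in _TIMING_KEYS and "not available" not in value:
            fields[key] = parse_uptime(value)
        elif key == "Debug session time":
            m = _SESSION_RE.search(line)
            if m:
                fields[key] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")
    return fields


def check_dump_timing(output: str) -> dict:
    """Reconstruct boot and process start times and flag a process older than its OS."""
    fields = parse_version_header(output)
    session = fields["Debug session time"]
    system_up = fields["System Uptime"]
    process_up = fields["Process Uptime"]
    return {
        "boot_time": session - system_up,        # local time, same zone as the header
        "process_start": session - process_up,   # earlier than boot_time in the anomaly
        "process_older_than_system": process_up > system_up,
        "excess": max(process_up - system_up, timedelta(0)),
    }


if __name__ == "__main__":
    for name, value in check_dump_timing(SAMPLE_VERSION_OUTPUT).items():
        print(f"{name:>26}: {value}")
```

Run against the header above, the check reports a process start of 2011-07-11 12:47:32 against a boot time of 2011-07-12 15:26:02, an excess of 1 day 2:38:30. Note that the script only trusts what the debugger printed: both uptimes are derived by the debugger from timestamps stored in the dump, so the check tells you the two timestamps disagree, not which one is right.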

One Response to “The First Evidence for Process Resurrection”

  1. Marc Sherman Says:

    Maybe it uses the same magic as !vm (excessive non paged usage).
