Crash Dump Analysis Patterns (Part 173)

Value Adding Process is a pattern frequently observed in terminal services environments: one or several process names are listed in each session although they are not necessarily required. They usually run to provide some user experience enhancements. In such cases, if the observed functional problems correspond to the purpose of these additional processes, we might want to eliminate them for testing and troubleshooting purposes.

0: kd> !sprocess 12
Dumping Session 12

_MM_SESSION_SPACE fffff8800e5d5000
_MMSESSION        fffff8800e5d5b40
PROCESS fffffa8008d50b30
SessionId: 12  Cid: 0b04    Peb: 7fffffdc000  ParentCid: 1478
DirBase: 6bb77000  ObjectTable: fffff8a003f280b0  HandleCount: 158.
Image: csrss.exe

PROCESS fffffa80030c7060
SessionId: 12  Cid: 1a48    Peb: 7fffffd8000  ParentCid: 1478
DirBase: 0a33c000  ObjectTable: fffff8a003c46c00  HandleCount: 179.
Image: winlogon.exe

PROCESS fffffa8008250b30
SessionId: 12  Cid: 18c8    Peb: 7fffffdf000  ParentCid: 1a48
DirBase: 0350d000  ObjectTable: fffff8a0025b6840  HandleCount: 226.
Image: LogonUI.exe

PROCESS fffffa8008b00530
SessionId: 12  Cid: 1508    Peb: 7fffffdf000  ParentCid: 02f0
DirBase: 02f65000  ObjectTable: fffff8a003b7e530  HandleCount: 197.
Image: ExcitingFeatureX.exe

[...]
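
The pattern above as a check over saved `!sprocess` output, added here as an illustration and not part of the original post: it parses the SessionId/Image pairs and reports images outside a baseline that recur in every session. The baseline set, the function names and the sample text are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumption: images expected in a session without any add-ons; adjust per environment.
BASELINE = {"csrss.exe", "winlogon.exe", "logonui.exe", "explorer.exe"}
SESSION_RE = re.compile(r"SessionId:\s*([0-9a-fA-F]+)\b")
IMAGE_RE = re.compile(r"Image:\s*(.+?)\s*$")

def images_by_session(text):
    """Map session id (as printed) -> set of lower-cased image names."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = IMAGE_RE.search(line)
        if m and current is not None:
            sessions.setdefault(current, set()).add(m.group(1).lower())
            current = None  # an Image line closes the current PROCESS entry
    return sessions

def value_adding_candidates(sessions, baseline=BASELINE, min_share=1.0):
    """Non-baseline images present in at least min_share of the sessions."""
    counts = Counter(i for images in sessions.values() for i in images - baseline)
    return sorted(i for i, n in counts.items() if n / len(sessions) >= min_share)

def sample_output(session, images):
    """Build constructed text in the layout of the !sprocess output above."""
    out = [f"Dumping Session {session}", ""]
    for n, image in enumerate(images):
        out += [f"PROCESS fffffa8000{n:06x}",
                f"SessionId: {session}  Cid: {0x100 + n:04x}    Peb: 7fffffdf000  ParentCid: 02f0",
                f"Image: {image}", ""]
    return "\n".join(out)

# Constructed sample: three sessions, one add-on process common to all of them.
SAMPLE = "\n".join(sample_output(s, imgs) for s, imgs in {
    12: ["csrss.exe", "winlogon.exe", "LogonUI.exe", "ExcitingFeatureX.exe"],
    13: ["csrss.exe", "winlogon.exe", "explorer.exe", "ExcitingFeatureX.exe"],
    14: ["csrss.exe", "winlogon.exe", "explorer.exe", "ExcitingFeatureX.exe",
         "notepad.exe"],
}.items())

if __name__ == "__main__":
    print(value_adding_candidates(images_by_session(SAMPLE)))
```

Lowering `min_share` also surfaces images that run in only some sessions, which helps when the add-on is deployed to a subset of users.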

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
