Comments on: Crash Dump Analysis Patterns (Part 181) https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Tue, 05 May 2026 17:38:42 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-741729 Dmitry Vostokov Wed, 14 Dec 2016 15:42:58 +0000 https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-741729 In case of many terminal sessions on Windows we can dump processes sorted by session via !sprocess -4 to spot Incomplete Sessions. In case of many terminal sessions on Windows we can dump processes sorted by session via !sprocess -4 to spot Incomplete Sessions.

]]> By: Marc Sherman https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-565693 Marc Sherman Wed, 03 Oct 2012 13:40:05 +0000 https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-565693 IIRC, I've seen them on live TS machines and they were definitely RDP as opposed to ICA. I believe I've also seen them in TS dumps (at least once for sure). IIRC, I’ve seen them on live TS machines and they were definitely RDP as opposed to ICA. I believe I’ve also seen them in TS dumps (at least once for sure).

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-564735 Dmitry Vostokov Tue, 02 Oct 2012 19:15:07 +0000 https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-564735 If preallocation really happens this might be the case for RDP but not for ICA. Of course, when a user cannot connect or there is an error message or a hanging progress bar then we we should look at such incomplete session first. In real scenarious usually we see threads in session processes that are blocked in ALPC to session manager or terminal service or LSA, etc. Did you see prellocation in RDP dumps? What I know is that there are indeed a few listener threads in terminal service for incoming TS connections (but not processes in ICA, for example). I have seen less problem RDP complete dumps than ICA ones as former are usually sent to MS not to me :-) I'll check that indeed If preallocation really happens this might be the case for RDP but not for ICA. Of course, when a user cannot connect or there is an error message or a hanging progress bar then we we should look at such incomplete session first. In real scenarious usually we see threads in session processes that are blocked in ALPC to session manager or terminal service or LSA, etc.

Did you see prellocation in RDP dumps? What I know is that there are indeed a few listener threads in terminal service for incoming TS connections (but not processes in ICA, for example). I have seen less problem RDP complete dumps than ICA ones as former are usually sent to MS not to me :-) I’ll check that indeed

]]> By: Marc Sherman https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-564425 Marc Sherman Tue, 02 Oct 2012 13:17:58 +0000 https://www.dumpanalysis.org/blog/index.php/2012/10/01/crash-dump-analysis-patterns-part-181/#comment-564425 I think TS also preallocates sessions to make logon faster. In that case I believe such a session would only have two processes: csrss.exe and winlogon.exe. I think TS also preallocates sessions to make logon faster. In that case I believe such a session would only have two processes: csrss.exe and winlogon.exe.

]]>