Crash Dump Analysis Patterns (Part 199)
Processes with only one thread, like Notepad, are rare. Such a process is always suspicious, especially if it is a service or belongs to a complex product. We call such a pattern One-Thread Process. Usually this happens when all other threads have terminated and the remaining thread is blocked in some wait chain. For example, this process has a thread which is blocked in an ALPC request to itself (the same process):
0: kd> !process fffffa8013ed9b30 ff
PROCESS fffffa8013ed9b30
SessionId: 0 Cid: 44b4 Peb: 7fffffd8000 ParentCid: 0114
DirBase: 2da448000 ObjectTable: fffff8a01948c670 HandleCount: 660.
Image: ServiceA.exe
VadRoot fffffa801356dd10 Vads 398 Clone 0 Private 5795. Modified 204253. Locked 0.
DeviceMap fffff8a000008340
Token fffff8a01b546060
ElapsedTime 01:32:37.622
UserTime 00:00:01.421
KernelTime 00:00:01.578
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (1525, 50, 345) (6100KB, 200KB, 1380KB)
PeakWorkingSetSize 7607
VirtualSize 178 Mb
PeakVirtualSize 182 Mb
PageFaultCount 752709
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 8043
THREAD fffffa8012caab50 Cid 44b4.4f70 Teb: 000007fffff5a000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) KernelMode Non-Alertable
fffffa8012caaf18 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8a0194d4780 : queued at port fffffa8012911c80 : owned by process fffffa8013ed9b30
IRP List:
fffffa8013923300: (0006,0118) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap fffff8a000008340
Owning Process fffffa8013ed9b30 Image: ServiceA.exe
Attached Process N/A Image: N/A
Wait Start TickCount 139828 Ticks: 347372 (0:01:30:27.687)
Context Switch Count 7380
UserTime 00:00:00.031
KernelTime 00:00:04.890
Win32 Start Address ServiceA (0x00000001401156e0)
Stack Init fffff88014c9ddb0 Current fffff88014c9c6b0
Base fffff88014c9e000 Limit fffff88014c98000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`14c9c6f0 fffff800`01873652 nt!KiSwapContext+0x7a
fffff880`14c9c830 fffff800`01884a9f nt!KiCommitThreadWait+0x1d2
fffff880`14c9c8c0 fffff800`0189f04f nt!KeWaitForSingleObject+0x19f
fffff880`14c9c960 fffff800`01b919f6 nt!AlpcpSignalAndWait+0x8f
fffff880`14c9ca10 fffff800`01b910f0 nt!AlpcpReceiveSynchronousReply+0x46
fffff880`14c9ca70 fffff800`01b9519d nt!AlpcpProcessSynchronousRequest+0x33d
fffff880`14c9cbb0 fffff800`01b95276 nt!LpcpRequestWaitReplyPort+0x9c
fffff880`14c9cc10 fffff800`0187ced3 nt!NtRequestWaitReplyPort+0x76
fffff880`14c9cc60 fffff800`01879490 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`14c9cc60)
fffff880`14c9cdf8 fffff880`05c31050 nt!KiServiceLinkage
fffff880`14c9ce70 fffff880`045ce005 ModuleA+0x12468
[…]
fffff880`14c9da10 fffff800`01b9d3b6 nt!IopXxxControlFile+0x607
fffff880`14c9db40 fffff800`0187ced3 nt!NtDeviceIoControlFile+0x56
fffff880`14c9dbb0 00000000`76d8138a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`14c9dc20)
00000000`082af028 000007fe`fd366cf6 ntdll!NtDeviceIoControlFile+0xa
00000000`082af030 00000000`76c2683f KERNELBASE!TlsGetValue+0x1a36
00000000`082af0a0 00000001`4019d38c kernel32!DeviceIoControlImplementation+0x7f
[…]
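As an added example (not part of the original post), a small Python parser over "!process 0 ff"-style output that flags One-Thread Processes and checks whether the lone thread is waiting on an ALPC message owned by the same process, which is the self-wait shown above. The first sample process is abridged from the output above; the second one (ServiceB.exe) and its addresses are constructed.

```python
import re

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f]+)")
IMAGE_RE = re.compile(r"^Image:\s+(\S+)")
THREAD_RE = re.compile(r"^THREAD\s+([0-9a-f]+)\s+Cid\s+(\S+)")
ALPC_OWNER_RE = re.compile(r"owned by process\s+([0-9a-f]+)")

def parse_process_dump(text):
    """Walk '!process 0 ff'-style output; collect per-process threads and ALPC wait owners."""
    procs, cur, thread = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROCESS_RE.match(line):
            cur = {"address": m.group(1), "image": "?", "threads": [], "alpc_owner": {}}
            thread = None                                # new process header resets thread context
            procs.append(cur)
        elif cur is None:
            continue                                     # text before the first PROCESS header
        elif thread is None and (m := IMAGE_RE.match(line)):
            cur["image"] = m.group(1)                    # process-level 'Image:', not a thread's 'Owning Process'
        elif m := THREAD_RE.match(line):
            thread = m.group(1)
            cur["threads"].append(thread)
        elif thread is not None and (m := ALPC_OWNER_RE.search(line)):
            cur["alpc_owner"][thread] = m.group(1)       # process that owns the awaited ALPC message
    return procs

def find_one_thread_processes(text):
    """Return (image, process address, waits_on_self) for every process with exactly one thread."""
    hits = []
    for p in parse_process_dump(text):
        if len(p["threads"]) == 1:
            waits_on_self = p["alpc_owner"].get(p["threads"][0]) == p["address"]
            hits.append((p["image"], p["address"], waits_on_self))
    return hits

# Constructed sample: ServiceA.exe is abridged from the real dump; ServiceB.exe and its addresses are made up.
SAMPLE_DUMP = """\
PROCESS fffffa8013ed9b30
    Image: ServiceA.exe
        THREAD fffffa8012caab50  Cid 44b4.4f70  Teb: 000007fffff5a000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) KernelMode Non-Alertable
            Waiting for reply to ALPC Message fffff8a0194d4780 : queued at port fffffa8012911c80 : owned by process fffffa8013ed9b30
PROCESS fffffa8011111111
    Image: ServiceB.exe
        THREAD fffffa8012222222  Cid 0abc.0def  Teb: 000007fffff5b000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
        THREAD fffffa8012333333  Cid 0abc.0123  Teb: 000007fffff5c000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) KernelMode Non-Alertable
            Waiting for reply to ALPC Message fffff8a019444444 : queued at port fffffa8012555555 : owned by process fffffa8011111111
"""
```

Calling find_one_thread_processes(SAMPLE_DUMP) reports only ServiceA.exe, with the self-wait flag set; ServiceB.exe has two threads and is not reported even though one of them also waits on its own ALPC port.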
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -