Software Diagnostics Library

Crash Dump Analysis Patterns (Part 253)

Usually threads are Blocked waiting for synchronization objects or Active running threads. There is a different category of threads that appear blocked in user space but in fact may be doing a lot of invisible work (not visible from the dump type) in kernel space. We call such an analysis pattern System Call. Compare these thread Stack Traces from Stack Trace Collection:

# Call Site 00 ntdll!NtWaitForMultipleObjects 01 KERNELBASE!WaitForMultipleObjectsEx 02 user32!MsgWaitForMultipleObjectsEx 03 combase!ASTAWaitContext::KernelWait 04 combase!ASTAWaitContext::Wait 05 combase!CoMsgWaitInProcessEvents 06 Windows_UI!Windows::UI::Core::CDispatcher::WaitAndProcessMessages 07 Windows_UI!Windows::UI::Core::CDispatcher::ProcessEvents 08 Windows_UI_Xaml!CJupiterWindow::RunCoreWindowMessageLoop 09 Windows_UI_Xaml!CJupiterControl::RunMessageLoop 0a Windows_UI_Xaml!DirectUI::DXamlCore::RunMessageLoop 0b twinapi_appcore!Windows::ApplicationModel::Core::CoreApplicationView::Run [...] 0e kernel32!BaseThreadInitThunk 0f ntdll!RtlUserThreadStart

# Call Site 00 user32!NtUserCallNoParam 01 user32!MsgWaitForMultipleObjectsEx 02 combase!ASTAWaitContext::KernelWait 03 combase!ASTAWaitContext::Wait 04 combase!CoMsgWaitInProcessEvents 05 Windows_UI!Windows::UI::Core::CDispatcher::WaitAndProcessMessages 06 Windows_UI!Windows::UI::Core::CDispatcher::ProcessEvents 07 Windows_UI_Xaml!CJupiterWindow::RunCoreWindowMessageLoop 08 Windows_UI_Xaml!CJupiterControl::RunMessageLoop 09 Windows_UI_Xaml!DirectUI::DXamlCore::RunMessageLoop 0a twinapi_appcore!Windows::ApplicationModel::Core::CoreApplicationView::Run […] 0d kernel32!BaseThreadInitThunk 0e ntdll!RtlUserThreadStart

The first is traditionally waiting, but the other was waked up to process an input message and may be other blocked in kernel or doing some work there. In case of a doubt we can double check the last executed instruction (from the stack trace perspective):

# Child-SP RetAddr Call Site 00 000000b9`358bf068 00007ffd`3de0a3be user32!NtUserCallNoParam+0xa 01 000000b9`358bf070 00007ffd`3dbdc106 user32!MsgWaitForMultipleObjectsEx+0×15e […]

0:000> ub user32!NtUserCallNoParam+0xa user32!NtUserInvalidateRect: 00007ffd`3de1fc90 4c8bd1 mov r10,rcx 00007ffd`3de1fc93 b807100000 mov eax,1007h 00007ffd`3de1fc98 0f05 syscall 00007ffd`3de1fc9a c3 ret 00007ffd`3de1fc9b 0f1f440000 nop dword ptr [rax+rax] user32!NtUserCallNoParam: 00007ffd`3de1fca0 4c8bd1 mov r10,rcx 00007ffd`3de1fca3 b808100000 mov eax,1008h 00007ffd`3de1fca8 0f05 syscall

System Calls (especially discovered in unmanaged Execution Residue data and from Past Stack Traces reconstruction from raw stack regions and Historical Information) may aid in memory forensics (broadly speaking as reconstruction of past behaviour) in addition to System Objects.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This entry was posted on Saturday, November 25th, 2017 at 12:04 pm and is filed under Crash Dump Analysis, Crash Dump Patterns, x64 Windows. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Crash Dump Analysis Patterns (Part 253)”

Dmitry Vostokov Says:
December 10th, 2018 at 8:09 pm
Another example from a hung process:

0:002> kc
# Call Site
00 ntdll!NtOpenKeyEx
01 KERNELBASE!LocalBaseRegOpenKey
02 KERNELBASE!RegOpenKeyExInternalW
03 KERNELBASE!RegOpenKeyExW
04 iertutil!SettingStore::CRegistryStore::OpenKeyRelative
05 iertutil!SettingStore::CKeyCache::OpenKey
06 iertutil!GetValue_Internal
[…]

You must be logged in to post a comment.

Crash Dump Analysis Patterns (Part 253)

One Response to “Crash Dump Analysis Patterns (Part 253)”

Leave a Reply