Crash Dump Analysis Patterns (Part 280)
Wednesday, March 9th, 2022

Black Box analysis pattern generalizes from the undocumented WinDbg commands !blackbox* to external system information included in process memory dump files, which is accessible via the .dumpdebug command.
2: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132804247587428354
PnpEventInformation: 3
PnpEventInProgress : 0
PnpProblemCode : 24
PnpVetoType : 0
DeviceId : SW\{96E080C7-143C-11D1-B40F-00A0C9223196}\{3C0D501A-140B-11D1-B40F-00A0C9223196}
VetoString
Searching the registry, we can find that it corresponds to “@ksfilter.inf,%mskssrv.devicedesc%;Microsoft Streaming Service Proxy”. Such commands may be used in conjunction with Historical Information (such as unloaded modules) and Execution Residue analysis patterns to check the last activities.
Other commands include !blackboxbsd and !blackboxntfs.
In a process memory dump we may see information about the system the dump came from:
0:000> .dumpdebug
[...]
Stream 10: type SystemMemoryInfoStream (21), size 000001EC, RVA 00002288
Revision : 1
Flags : 0xf
BasicInfo
TimerResolution : 156,250
PageSize : 0x1000
NumberOfPhysicalPages : 4,173,065
LowestPhysicalPageNumber : 0x1
HighestPhysicalPageNumber : 0x46f7ff
AllocationGranularity : 0x10000
MinimumUserModeAddress : 0x10000
MaximumUserModeAddress : 0x7ffffffeffff
ActiveProcessorsAffinityMask : 0xff
NumberOfProcessors : 8
FileCacheInfo
CurrentSize : 514,248,704
PeakSize : 661,852,160
PageFaultCount : 19,464,228
MinimumWorkingSet : 0x100
MaximumWorkingSet : 0x100000000
CurrentSizeIncludingTransitionInPages : 1,327,191
PeakSizeIncludingTransitionInPages : 2,152,355
TransitionRePurposeCount : 8,923,412
Flags : 0
BasicPerfInfo
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
PerfInfo
IdleProcessTime : 8,086,699,531,250
IoReadTransferCount : 97,860,850,993
IoWriteTransferCount : 55,567,419,561
IoOtherTransferCount : 9,725,039,400
IoReadOperationCount : 55,137,206
IoWriteOperationCount : 39,605,057
IoOtherOperationCount : 82,693,846
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
CommitLimit : 6,396,880
PageFaultCount : 485,407,430
CopyOnWriteCount : 4,789,295
TransitionCount : 203,364,433
CacheTransitionCount : 0
DemandZeroCount : 275,205,178
PageReadCount : 9,363,018
PageReadIoCount : 1,641,521
CacheReadCount : 0
CacheIoCount : 0
DirtyPagesWriteCount : 295,086
DirtyWriteIoCount : 1,186
MappedPagesWriteCount : 425,398
MappedWriteIoCount : 5,656
PagedPoolPages : 231,590
NonPagedPoolPages : 155,982
PagedPoolAllocs : 0
PagedPoolFrees : 0
NonPagedPoolAllocs : 0
NonPagedPoolFrees : 0
FreeSystemPtes : 16,697,739
ResidentSystemCodePage : 4,175
TotalSystemDriverPages : 15,235
TotalSystemCodePages : 2
NonPagedPoolLookasideHits : 0
PagedPoolLookasideHits : 0
AvailablePagedPoolPages : 12,670,812
ResidentSystemCachePage : 125,549
ResidentPagedPoolPage : 220,095
ResidentSystemDriverPage : 13,012
CcFastReadNoWait : 0
CcFastReadWait : 13,492,886
CcFastReadResourceMiss : 0
CcFastReadNotPossible : 326,025
CcFastMdlReadNoWait : 0
CcFastMdlReadWait : 0
CcFastMdlReadResourceMiss : 0
CcFastMdlReadNotPossible : 0
CcMapDataNoWait : 0
CcMapDataWait : 77,200,777
CcMapDataNoWaitMiss : 0
CcMapDataWaitMiss : 391,734
CcPinMappedDataCount : 13,827,443
CcPinReadNoWait : 2,442
CcPinReadWait : 7,295,776
CcPinReadNoWaitMiss : 1,842,225
CcPinReadWaitMiss : 104,160
CcCopyReadNoWait : 720,327
CcCopyReadWait : 14,332,510
CcCopyReadNoWaitMiss : 73,632
CcCopyReadWaitMiss : 828,820
CcMdlReadNoWait : 0
CcMdlReadWait : 7,430
CcMdlReadNoWaitMiss : 0
CcMdlReadWaitMiss : 0
CcReadAheadIos : 1,577,774
CcLazyWriteIos : 737,095
CcLazyWritePages : 4,455,123
CcDataFlushes : 1,687,345
CcDataPages : 9,178,586
ContextSwitches : 690,599,392
FirstLevelTbFills : 0
SecondLevelTbFills : 0
SystemCalls : 2,382,592,584
CcTotalDirtyPages : 25,337
CcDirtyPageThreshold : 187,360
ResidentAvailablePages : 3,502,801
SharedCommittedPages : 693,491
Stream 11: type ProcessVmCountersStream (22), size 00000098, RVA 00002474
Revision : 2
Process Counters
PageFaultCount : 216,205
PeakWorkingSetSize : 0xdaa6000
WorkingSetSize : 0x160f000
QuotaPeakPagedPoolUsage : 0xfa0f8
QuotaPagedPoolUsage : 0xe8e88
QuotaPeakNonPagedPoolUsage : 0x22258
QuotaNonPagedPoolUsage : 0x180d8
PagefileUsage : 0xe6c000
PeakPagefileUsage : 0xcd67000
PeakVirtualSize : 0x201162a5000
VirtualSize : 0x20111ade000
PrivateUsage : 0xe6c000
PrivateWorkingSetSize : 0xb000
SharedCommitUsage : 0x1f2000
Job Counters
JobSharedCommitUsage : 0x72c000
JobPrivateCommitUsage : 0x71bc9000
JobPeakPrivateCommitUsage : 0x861ac000
JobPrivateCommitLimit : 0
JobTotalCommitLimit : 0
[...]
Other memory acquisition tools may write additional information in memory dump files. The difference between this analysis pattern and Paratext is that the latter involves additional files.
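As an added illustration (not code from the post), the following Python walks the minidump stream directory the way .dumpdebug enumerates it, locates the two black-box streams (types 21 and 22), and decodes the Revision, Flags and BasicInfo fields shown above from a constructed in-memory dump. The structure layouts follow minidumpapiset.h; the 4-byte packing of the 64-bit fields is an assumption to verify against your SDK headers.

```python
"""Enumerate the minidump streams carrying 'black box' system information (types 21, 22)
and decode the BasicInfo prefix of SystemMemoryInfoStream as .dumpdebug prints it."""
import struct

MDMP_SIGNATURE = b"MDMP"
SYSTEM_MEMORY_INFO_STREAM = 21      # stream type numbers as shown by .dumpdebug
PROCESS_VM_COUNTERS_STREAM = 22
HEADER_FMT = "<4sIIIIIQ"            # MINIDUMP_HEADER: Signature, Version, NumberOfStreams,
                                    # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (32 bytes)
DIRECTORY_FMT = "<III"              # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
# MINIDUMP_SYSTEM_MEMORY_INFO_1 prefix: Revision, Flags, then MINIDUMP_SYSTEM_BASIC_INFORMATION.
# Assumes the 4-byte packing minidumpapiset.h declares, so no padding before 64-bit fields.
BASIC_INFO_FMT = "<HH6I3QI"
BASIC_INFO_FIELDS = (
    "Revision", "Flags", "TimerResolution", "PageSize", "NumberOfPhysicalPages",
    "LowestPhysicalPageNumber", "HighestPhysicalPageNumber", "AllocationGranularity",
    "MinimumUserModeAddress", "MaximumUserModeAddress", "ActiveProcessorsAffinityMask",
    "NumberOfProcessors")

def stream_directory(data):
    """Return {stream_type: (rva, size)} from the header's stream directory."""
    sig, _ver, nstreams, dir_rva, _csum, _ts, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    entries = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + 12 * i)
        if rva + size > len(data):      # never trust an RVA from the file: bound-check it
            raise ValueError(f"stream {stype} extends past end of file")
        entries[stype] = (rva, size)
    return entries

def system_basic_info(data):
    """Decode Revision, Flags and BasicInfo of SystemMemoryInfoStream; None if absent."""
    loc = stream_directory(data).get(SYSTEM_MEMORY_INFO_STREAM)
    if loc is None or loc[1] < struct.calcsize(BASIC_INFO_FMT):
        return None
    return dict(zip(BASIC_INFO_FIELDS, struct.unpack_from(BASIC_INFO_FMT, data, loc[0])))

def build_sample_dump():
    """Constructed minidump with only the two black-box streams; BasicInfo values from the post."""
    basic = struct.pack(BASIC_INFO_FMT, 1, 0xF, 156250, 0x1000, 4173065, 0x1, 0x46F7FF,
                        0x10000, 0x10000, 0x7FFFFFFEFFFF, 0xFF, 8)
    vm = bytes(0x98)                    # ProcessVmCountersStream body left zeroed (size from the post)
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 2, 32, 0, 0, 0)  # 0xA793 = MINIDUMP_VERSION
    first = 32 + 2 * 12                 # stream bodies follow the two directory entries
    directory = struct.pack(DIRECTORY_FMT, SYSTEM_MEMORY_INFO_STREAM, len(basic), first)
    directory += struct.pack(DIRECTORY_FMT, PROCESS_VM_COUNTERS_STREAM, len(vm), first + len(basic))
    return header + directory + basic + vm
```

On a real .dmp file, read it into bytes and call system_basic_info on it; a dump written without the black-box streams returns None rather than misreading another stream.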
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -