Archive for the ‘Memory Forensics’ Category

Crash Dump Analysis Patterns (Part 300)

Saturday, September 20th, 2025

DPC Stack Collection is yet another area to mine for Execution Residue and Rough Stack Traces. Some DPC Stacks may be visible in Stack Trace Collections such as from CPUs.

Each CPU has a DPC stack for execution of queued DPCs. We can get its base stack region address from the corresponding _KPRCB structure for each CPU. The stack region limit can be calculated from the KeKernelStackSize Module Variable:

0: kd> dd nt!KeKernelStackSize L1
fffff800`e27c4028 00007000

0: kd> !dpcs
CPU Type KDPC Function
0: Normal : 0xffffc9019b313400 0xfffff8008b6b31b0 igdkmd64

0: kd> !prcb 0
PRCB for Processor 0 at fffff8006ff97180:
Current IRQL -- 0
Threads-- Current ffffc901ad242040 Next 0000000000000000 Idle fffff800e27d1640
Processor Index 0 Number (0, 0) GroupSetMember 1
Interrupt Count -- 06278469
Times -- Dpc 0000b229 Interrupt 0000b897
Kernel 00d11420 User 000b6650

0: kd> dt nt!_KPRCB fffff8006ff97180 DpcStack
+0x38a0 DpcStack : 0xfffff800`745b1fb0 Void

0: kd> dpS 0xfffff800`745b1fb0-7000 L7000/8
fffff800`e1ba7e6c nt!RtlpHpLfhSlotAllocateSlow+0x484
fffff800`e26ee9c0 nt!ExPoolState+0x86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0x2134
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`e236a196 nt!ExFreePoolWithTag+0x4c6
fffff800`e2369189 nt!ExAllocatePool2+0x99
fffff800`e1b9e0ba nt!AuthzBasepEvaluateExpression+0x3a
fffff800`e1b9c1a0 nt!AuthzBasepEvaluateAceCondition+0x2a0
fffff800`e1b9b649 nt!SepNormalAccessCheck+0x589
fffff800`e1b9a852 nt!SepAccessCheck+0x2c2
fffff800`e26ee9c0 nt!ExPoolState+0x86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0x2134
fffff800`7400e5d8 LXCORE!VfsFileGetPathString+0x114
fffff800`e1d022ee nt!qsort+0x3be
fffff800`e26ee9c0 nt!ExPoolState+0x86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0x2134
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`e236a196 nt!ExFreePoolWithTag+0x4c6
fffff800`e2638a00 nt!MiSystemPartition
fffff800`e1b7166f nt!MmDeleteKernelStack+0x22f
fffff800`e1b7235b nt!KiExpandKernelStackAndCalloutOnStackSegment+0x31b
fffff800`75464450 NETIO!ArbitrateAndEnforceCallout
fffff800`e1aeef4c nt!KiExpandKernelStackAndCalloutSwitchStack+0x17c
fffff800`75464450 NETIO!ArbitrateAndEnforceCallout
fffff800`e1aeeca3 nt!KeExpandKernelStackAndCalloutInternal+0x33
fffff800`75464450 NETIO!ArbitrateAndEnforceCallout
fffff800`75282d7e ndis!NdisAcquireRWLockRead+0x2e
fffff800`e1aeec5d nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff800`7544a27d NETIO!UpdateLayerClassifyStat+0x19d
fffff800`e2638a00 nt!MiSystemPartition
fffff800`e1b7166f nt!MmDeleteKernelStack+0x22f
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`e1b2db6f nt!KeSetEvent+0x10f
fffff800`786a3faa Ndu!NduUpdateProcessEnergyContext+0x6a
fffff800`786ab8c9 Ndu!NduUpdateInterfaceTimeStatsEntryList+0x149
fffff800`e1bf167c nt!ExFreeToLookasideListEx+0x4c
fffff800`786a1aee Ndu!NduUpdateInterfacePowerContext+0x1be
fffff800`786a38ff Ndu!NduDeleteNblContext+0x9f
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`75260642 ndis!NdisFSendNetBufferListsComplete+0x32
fffff800`75419b30 NETIO!WfpNblInfoDestroyIfUnused+0xf0
fffff800`8b732bc2 igdkmd64+0x392bc2
fffff800`752a7557 ndis!NdisFreeMemory+0x17
fffff800`8b73113c igdkmd64+0x39113c
fffff800`8b48f165 igdkmd64+0xef165
fffff800`8b57aeaa igdkmd64+0x1daeaa
fffff800`8b73113c igdkmd64+0x39113c
fffff800`8b5f3ad9 igdkmd64+0x253ad9
fffff800`8b48f165 igdkmd64+0xef165
fffff800`8b4778d3 igdkmd64+0xd78d3
fffff800`8b625db3 igdkmd64+0x285db3
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`8b467e79 igdkmd64+0xc7e79
fffff800`8b7355ad igdkmd64+0x3955ad
fffff800`8b73a25a igdkmd64+0x39a25a
fffff800`8b732bc2 igdkmd64+0x392bc2
fffff800`8b732d0c igdkmd64+0x392d0c
fffff800`8b731209 igdkmd64+0x391209
fffff800`8b6c1081 igdkmd64+0x321081
fffff800`8b6a54ac igdkmd64+0x3054ac
fffff800`8b6cccec igdkmd64+0x32ccec
fffff800`8b6c0390 igdkmd64+0x320390
fffff800`8b6b3577 igdkmd64+0x313577
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`e1b3143c nt!KeAcquireSpinLockAtDpcLevel+0x1c
fffff800`786a406a Ndu!NduUpdateProcessEnergyContext+0x12a
fffff800`7525b85d ndis!ndisFreeToLookasideList+0x5d
fffff800`786ab8c9 Ndu!NduUpdateInterfaceTimeStatsEntryList+0x149
fffff800`7525b645 ndis!NdisFreeNetBufferList+0xa5
fffff800`786a1aee Ndu!NduUpdateInterfacePowerContext+0x1be
fffff800`75451260 NETIO!NetioFreeNetBufferAndNetBufferList+0x10
fffff800`e1b3143c nt!KeAcquireSpinLockAtDpcLevel+0x1c
fffff800`786a406a Ndu!NduUpdateProcessEnergyContext+0x12a
fffff800`7569b5dc tcpip!TcpTcbSendDatagramsComplete+0x9c
fffff800`7525b85d ndis!ndisFreeToLookasideList+0x5d
fffff800`7525b645 ndis!NdisFreeNetBufferList+0xa5
fffff800`75451260 NETIO!NetioFreeNetBufferAndNetBufferList+0x10
fffff800`75514e63 fwpkclnt!FwppNetBufferListAssociateContext+0x153
fffff800`75611fb1 tcpip!TcpSendDatagramsComplete+0xd1
fffff800`786a2f9f Ndu!NduHandleNblContextRemoved+0x1b3
fffff800`75260564 ndis!FILTER_TEST_FLAG+0x14
fffff800`75611ee0 tcpip!TcpSendDatagramsComplete
fffff800`75419dd4 NETIO!NetioDereferenceNetBufferListChain+0x174
fffff800`75512f51 fwpkclnt!FwppNetBufferListEventNotify+0x1a1
fffff800`7571ca2d tcpip!FlSendNetBufferListChainComplete+0x6d
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0x25b
fffff800`7551342f fwpkclnt!FwpsNetBufferListRetrieveContext0+0x4f
fffff800`91054a30 bridge+0x4a30
fffff800`786a251e Ndu!NduFindOrAssociateNblContext+0x6e
fffff800`75287472 ndis!NdisMSendNetBufferListsComplete+0x5c2
fffff800`786a2b2d Ndu!NduOutboundMacClassifyProcessSingleNbl+0x5d
fffff800`786a2961 Ndu!NduOutboundMacClassify+0x181
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`75434553 NETIO!ProcessCallout2+0x163
fffff800`78016d00 nwifi!Dot11SendNBComplete+0x170
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0x25b
fffff800`e1eaeb31 nt!HvcallpExtendedFastHypercall+0x51
fffff800`e1ae040b nt!HvcallFastExtended+0x13b
fffff800`75272330 ndis!ndisMSendCompleteNetBufferListsInternal
fffff800`e1ae0903 nt!HvlFlushRangeListTb+0x353
fffff800`8ad0b2cd wdiwifi!CPort::CompletePendingCancelSendsOrHaltJobs+0xdd
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`e1aee810 nt!EtwpReserveTraceBuffer+0x310
fffff800`e1aee810 nt!EtwpReserveTraceBuffer+0x310
fffff800`e1aed852 nt!EtwpTraceMessageVa+0x7f2
fffff800`8abae2d8 mrvlpcie8897+0x2e2d8
fffff800`8abb72a0 mrvlpcie8897+0x372a0
fffff800`8abae1af mrvlpcie8897+0x2e1af
fffff800`8abb72a0 mrvlpcie8897+0x372a0
fffff800`8abb7c74 mrvlpcie8897+0x37c74
fffff800`73ee2e1a WppRecorder!WppAutoLogTrace+0x31a
fffff800`e1c6b43e nt!WmiTraceMessage+0x1e
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`e236a196 nt!ExFreePoolWithTag+0x4c6
fffff800`e1c6b43e nt!WmiTraceMessage+0x1e
fffff800`8ad05493 wdiwifi!WPP_RECORDER_SF_DDD+0xbf
fffff800`8ad184da wdiwifi!operator delete+0x1a
fffff800`73ee2e1a WppRecorder!WppAutoLogTrace+0x31a
fffff800`8acaf8f0 mrvlpcie8897+0x12f8f0
fffff800`8abad86d mrvlpcie8897+0x2d86d
fffff800`8acaf8f0 mrvlpcie8897+0x12f8f0
fffff800`8ab8facb mrvlpcie8897+0xfacb
fffff800`e1c3e85a nt!DbgPrint+0x5a
fffff800`8acaf8f0 mrvlpcie8897+0x12f8f0
fffff800`8abc4510 mrvlpcie8897+0x44510
fffff800`8acaf8f0 mrvlpcie8897+0x12f8f0
fffff800`8ab8fdad mrvlpcie8897+0xfdad
fffff800`e1eba502 nt! ?? ::FNODOBFM::`string'+0x2
fffff800`8abb000d mrvlpcie8897+0x3000d
fffff800`8abc4510 mrvlpcie8897+0x44510
fffff800`8acaf8f0 mrvlpcie8897+0x12f8f0
fffff800`8ab883d6 mrvlpcie8897+0x83d6
fffff800`8abb72a0 mrvlpcie8897+0x372a0
fffff800`8ab9311b mrvlpcie8897+0x1311b
fffff800`8abb72a0 mrvlpcie8897+0x372a0
fffff800`8abb7c40 mrvlpcie8897+0x37c40
fffff800`8abaf470 mrvlpcie8897+0x2f470
fffff800`8abb72a0 mrvlpcie8897+0x372a0
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`8ad0832b wdiwifi!CTxMgr::AddNBLToTxQueue+0x2bb
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`8ad06051 wdiwifi!CTxMgr::ServiceQueues+0x1c1
fffff800`75518cc8 fwpkclnt!FwpiGetValueFromClassifyContext+0x38
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad06599 wdiwifi!CPort::SendNetBufferLists+0x129
fffff800`786a2015 Ndu!NduInboundMacClassify+0x355
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`75434553 NETIO!ProcessCallout2+0x163
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`e26ee9c0 nt!ExPoolState+0x86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0x2134
fffff800`7527bfff ndis!ndisInvokeNextSendHandler+0x23f
fffff800`75260564 ndis!FILTER_TEST_FLAG+0x14
fffff800`e1a3cb12 nt!ExpAllocatePoolWithTagFromNode+0x52
fffff800`e2369189 nt!ExAllocatePool2+0x99
fffff800`e23690b4 nt!ExAllocatePoolWithTag+0xa4
fffff800`e1c4ea7d nt!ExAllocatePoolEx+0xd
fffff800`e2369189 nt!ExAllocatePool2+0x99
fffff800`e1bef072 nt!ExAllocateFromLookasideListEx+0x152
fffff800`91055984 bridge+0x5984
fffff800`9105dd94 bridge+0xdd94
fffff800`75451dc4 NETIO!PplpGenericAllocateFunction+0x14
fffff800`e1beef35 nt!ExAllocateFromLookasideListEx+0x15
fffff800`e1a8f495 nt!ObfReferenceObjectWithTag+0x25
fffff800`e23690b4 nt!ExAllocatePoolWithTag+0xa4
fffff800`75416008 NETIO!WfpNblInfoAlloc+0x58
fffff800`e1a8eace nt!ObfReferenceObject+0xe
fffff800`75514e63 fwpkclnt!FwppNetBufferListAssociateContext+0x153
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0x2134
fffff800`75514cc7 fwpkclnt!FwpsNetBufferListAssociateContext1+0x77
fffff800`786b42d8 Ndu!NduWfpCalloutProviderGuid
fffff800`786a1280 Ndu!NduNblNotifyCallback
fffff800`75260564 ndis!FILTER_TEST_FLAG+0x14
fffff800`786a2613 Ndu!NduFindOrAssociateNblContext+0x163
fffff800`75273918 ndis!NdisFIndicateReceiveNetBufferLists+0x68
fffff800`786a1280 Ndu!NduNblNotifyCallback
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`75988200 wfplwfs!L2NativeIsNetBufferListPermitted+0x2d0
fffff800`759897b3 wfplwfs!L2InspectNetBufferListsFast+0x183
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`7609e7f3 afd!AFDETW_TRACESENDMSG+0x8f
fffff800`e2369189 nt!ExAllocatePool2+0x99
fffff800`75288882 ndis!NdisAcquireReadWriteLock+0x62
fffff800`91055a73 bridge+0x5a73
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`9105662a bridge+0x662a
fffff800`91057920 bridge+0x7920
fffff800`91057db5 bridge+0x7db5
fffff800`752888d3 ndis!NdisAcquireReadWriteLock+0xb3
fffff800`910543b0 bridge+0x43b0
fffff800`91054448 bridge+0x4448
fffff800`75988260 wfplwfs!LwfLowerRecvNetBufferLists
fffff800`75276dc1 ndis!NdisMIndicateReceiveNetBufferLists+0x1941
fffff800`7525b678 ndis!NdisFreeNetBufferList+0xd8
fffff800`786a38ff Ndu!NduDeleteNblContext+0x9f
fffff800`75419dd4 NETIO!NetioDereferenceNetBufferListChain+0x174
fffff800`756b95c0 tcpip!UdpSendMessagesDatagramsComplete
fffff800`786804d5 NdisImPlatform!implatUpdateInStatisticsCounters+0x235
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0x96
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0x2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0x308
fffff800`7867f6c7 NdisImPlatform!implatReceiveNetBufferLists+0x1f7
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0x96
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0x2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0x308
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1dda677 nt!PpmEventTraceCoreParkingSelection+0x197
fffff800`e1b50cfc nt!KiExitDispatcher+0x4c
fffff800`e1cf277c nt!PpmParkComputeUnparkMask+0xa2c
fffff800`e1bb2241 nt!KiIntSteerCalculatePriorityDistribution+0x201
fffff800`e1bb361d nt!KiIntSteerLogMask+0x55
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb3699 nt!KiIntSteerLogProc+0x5d
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb37e3 nt!KiIntSteerCalculateDistribution+0x103
fffff800`e1bb32c3 nt!KeIntSteerPeriodic+0x17f
fffff800`e1bb2ed8 nt!PpmParkSteerInterrupts+0x5e8
fffff800`e1b335a4 nt!EtwpLogKernelEvent+0x2f4
fffff800`e270b0a8 nt!PpmPerfPolicyLock+0x8
fffff800`e1b2db6f nt!KeSetEvent+0x10f
fffff800`e270b0ac nt!PpmPerfPolicyLock+0xc
fffff800`e1be8f10 nt!PpmCheckMakeupSkippedChecks
fffff800`e1be9040 nt!PpmPerfReadFeedback
fffff800`e1be9177 nt!PpmReleaseLock+0x1b
fffff800`e1b32bc6 nt!KiExecuteAllDpcs+0xdc6
fffff800`e2709dc0 nt!PpmCheckDpc
fffff800`e1a0cfb9 nt!KiNormalPriorityReadyScan+0x2b9
fffff800`e1be8e00 nt!PpmCheckRun
fffff800`e1a0c228 nt!KiRetireDpcList+0x668
fffff800`e1bb4180 nt!PpmPerfAction
fffff800`e1be8e00 nt!PpmCheckRun
fffff800`e1eac3c5 nt!KxSwapStacksAndRetireDpcList+0x5

0: kd> !prcb 1
PRCB for Processor 1 at ffff84014911c180:
Current IRQL -- 0
Threads-- Current ffffc901a7d580c0 Next 0000000000000000 Idle ffffc9019375f040
Processor Index 1 Number (0, 1) GroupSetMember 2
Interrupt Count -- 057d181c
Times -- Dpc 00005ae1 Interrupt 000072cb
Kernel 00cf00e2 User 000d7983

0: kd> dt nt!_KPRCB ffff84014911c180 DpcStack
+0x38a0 DpcStack : 0xffffa206`68e47fb0 Void

0: kd> dpS 0xffffa206`68e47fb0-7000 L7000/8
fffff800`e1adfa8f nt!MiFlushTbList+0x35f
fffff800`e1b0b02c nt!MiGetPage+0x8dc
fffff800`e1b158c5 nt!MiFlushTbAsNeeded+0x265
fffff800`e1a636e0 nt!MiAssignNonPagedPoolPte+0x110
fffff800`e2638180 nt!MiState+0xb940
fffff800`e1a63fcb nt!MiReturnExcessPoolCommit+0x27
fffff800`e1a631c6 nt!MiCommitPoolMemory+0x1b6
fffff800`e1a62c6b nt!RtlpHpEnvAllocVA+0x22b
fffff800`e1e9fb70 nt!HvlEndSystemInterrupt
fffff800`e1c20b6a nt!HalPerformEndOfInterrupt+0x1a
fffff800`e1ea6feb nt!KiInterruptDispatchNoLockNoEtw+0x5b
fffff800`e2638180 nt!MiState+0xb940
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`e1bac123 nt!RtlpHpAllocVA+0xd7
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`e1e9fb70 nt!HvlEndSystemInterrupt
fffff800`8b732bc2 igdkmd64+0x392bc2
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`8b73113c igdkmd64+0x39113c
fffff800`8b48f165 igdkmd64+0xef165
fffff800`8b57aeaa igdkmd64+0x1daeaa
fffff800`e27cfbc0 nt!ExNode0
fffff800`e2615740 nt!KiInitialNodeStructures+0x40
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`e27cfbc0 nt!ExNode0
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0x96
fffff800`e27cfbc0 nt!ExNode0
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0x2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0x308
fffff800`e1ae5cff nt!KiUpdateSoftParkElectionStatisticsOnInsertion+0x16f
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1b51124 nt!KiProcessThreadWaitList+0x224
fffff800`e1beef35 nt!ExAllocateFromLookasideListEx+0x15
fffff800`786a1aee Ndu!NduUpdateInterfacePowerContext+0x1be
fffff800`786aa0b4 Ndu!PplpGenericAllocateFunction+0x14
fffff800`e1b2db6f nt!KeSetEvent+0x10f
fffff800`e1b3143c nt!KeAcquireSpinLockAtDpcLevel+0x1c
fffff800`786a406a Ndu!NduUpdateProcessEnergyContext+0x12a
fffff800`7525b85d ndis!ndisFreeToLookasideList+0x5d
fffff800`7525b645 ndis!NdisFreeNetBufferList+0xa5
fffff800`75451260 NETIO!NetioFreeNetBufferAndNetBufferList+0x10
fffff800`75611fb1 tcpip!TcpSendDatagramsComplete+0xd1
fffff800`786a2f9f Ndu!NduHandleNblContextRemoved+0x1b3
fffff800`75260564 ndis!FILTER_TEST_FLAG+0x14
fffff800`75611ee0 tcpip!TcpSendDatagramsComplete
fffff800`75419dd4 NETIO!NetioDereferenceNetBufferListChain+0x174
fffff800`75512f51 fwpkclnt!FwppNetBufferListEventNotify+0x1a1
fffff800`7571ca2d tcpip!FlSendNetBufferListChainComplete+0x6d
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0x25b
fffff800`91054a30 bridge+0x4a30
fffff800`75272330 ndis!ndisMSendCompleteNetBufferListsInternal
fffff800`75287472 ndis!NdisMSendNetBufferListsComplete+0x5c2
fffff800`75260993 ndis!NdisFSendNetBufferListsComplete+0x383
fffff800`7867fe70 NdisImPlatform!implatSendNetBufferListsComplete+0x1a0
fffff800`78016d00 nwifi!Dot11SendNBComplete+0x170
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0x25b
fffff800`7615aff9 vwififlt!FilterSendNetBufferListsCompleteWDI+0xd9
fffff800`75272330 ndis!ndisMSendCompleteNetBufferListsInternal
fffff800`75287472 ndis!NdisMSendNetBufferListsComplete+0x5c2
fffff800`8b739bc0 igdkmd64+0x399bc0
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`8ad0b2cd wdiwifi!CPort::CompletePendingCancelSendsOrHaltJobs+0xdd
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`8ad09710 wdiwifi!CTxMgr::CompleteNdisNbl+0x250
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8b48f0c8 igdkmd64+0xef0c8
fffff800`8b48f0c8 igdkmd64+0xef0c8
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad07570 wdiwifi!CTxMgr::TxTransferCompleteInd+0x2f0
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0x95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0x95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`8abab1d3 mrvlpcie8897+0x2b1d3
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8ab94257 mrvlpcie8897+0x14257
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8abb72a0 mrvlpcie8897+0x372a0
fffff800`8abac585 mrvlpcie8897+0x2c585
fffff800`786a2d6b Ndu!NduIsL2MediaTypeWan+0x3b
fffff800`8b625db3 igdkmd64+0x285db3
fffff800`8abb72a0 mrvlpcie8897+0x372a0
fffff800`8aba71db mrvlpcie8897+0x271db
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`8ab93f3e mrvlpcie8897+0x13f3e
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`8b6ce960 igdkmd64+0x32e960
fffff800`8b6cfdf2 igdkmd64+0x32fdf2
fffff800`75260564 ndis!FILTER_TEST_FLAG+0x14
fffff800`8ab93e4a mrvlpcie8897+0x13e4a
fffff800`e1beef35 nt!ExAllocateFromLookasideListEx+0x15
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0x95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`8ab8c4f4 mrvlpcie8897+0xc4f4
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`73e18d40 Wdf01000!imp_WdfMemoryGetBuffer+0x60 [minkernel\wdf\framework\shared\core\fxmemorybufferapi.cpp @ 204]
fffff800`8ab8f1ca mrvlpcie8897+0xf1ca
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0x95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0x95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`8ab92a47 mrvlpcie8897+0x12a47
fffff800`8ab87de2 mrvlpcie8897+0x7de2
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8ab9311b mrvlpcie8897+0x1311b
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`8ad06051 wdiwifi!CTxMgr::ServiceQueues+0x1c1
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad06599 wdiwifi!CPort::SendNetBufferLists+0x129
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`7527eac1 ndis!ndisWdmSetBusyAsync+0x101
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad05c30 wdiwifi!MPWrapperSendNetBufferLists+0x160
fffff800`8ad05ad0 wdiwifi!MPWrapperSendNetBufferLists
fffff800`75280dc2 ndis!ndisMSendNBLToMiniportInternal+0x122
fffff800`8ad05ad0 wdiwifi!MPWrapperSendNetBufferLists
fffff800`76158ab3 vwififlt!FilterSendNetBufferListsWDI+0x1c3
fffff800`75280c80 ndis!ndisMSendNBLToMiniport
fffff800`75280c8e ndis!ndisMSendNBLToMiniport+0xe
fffff800`75988620 wfplwfs!LwfLowerSendNetBufferLists
fffff800`7527bf92 ndis!ndisInvokeNextSendHandler+0x1d2
fffff800`7525feed ndis!NdisFSendNetBufferLists+0x3bd
fffff800`759897b3 wfplwfs!L2InspectNetBufferListsFast+0x183
fffff800`75260564 ndis!FILTER_TEST_FLAG+0x14
fffff800`753325f2 ndis!NdisSendNetBufferLists+0xc1372
fffff800`78014750 nwifi!FilterSendNetBufferLists
fffff800`8b78c622 igdkmd64+0x3ec622
fffff800`759887e8 wfplwfs!LwfLowerSendNetBufferLists+0x1c8
fffff800`910581d1 bridge+0x81d1
fffff800`910559c5 bridge+0x59c5
fffff800`9105dd94 bridge+0xdd94
fffff800`e1adfa8f nt!MiFlushTbList+0x35f
fffff800`7867f394 NdisImPlatform!implatPrepareForSendNetBufferLists+0xec
fffff800`7867fc52 NdisImPlatform!implatSendNetBufferLists+0x182
fffff800`9105ce01 bridge+0xce01
fffff800`7867fad0 NdisImPlatform!implatSendNetBufferLists
fffff800`75280dc2 ndis!ndisMSendNBLToMiniportInternal+0x122
fffff800`9105d4ae bridge+0xd4ae
fffff800`e1b0b02c nt!MiGetPage+0x8dc
fffff800`7867fad0 NdisImPlatform!implatSendNetBufferLists
fffff800`e1b158c5 nt!MiFlushTbAsNeeded+0x265
fffff800`e1a636e0 nt!MiAssignNonPagedPoolPte+0x110
fffff800`e2638180 nt!MiState+0xb940
fffff800`e1a63fcb nt!MiReturnExcessPoolCommit+0x27
fffff800`e1a631c6 nt!MiCommitPoolMemory+0x1b6
fffff800`e1a62c6b nt!RtlpHpEnvAllocVA+0x22b
fffff800`e2638180 nt!MiState+0xb940
fffff800`e1bac123 nt!RtlpHpAllocVA+0xd7
fffff800`e1babdb7 nt!RtlpHpVaMgrCtxQuery+0x4b
fffff800`e1bab920 nt!RtlpHpSegMgrCommit+0x228
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0x96
fffff800`e1ba7e6c nt!RtlpHpLfhSlotAllocateSlow+0x484
fffff800`e27cfbc0 nt!ExNode0
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0x2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0x308
fffff800`e1ae5cbc nt!KiUpdateSoftParkElectionStatisticsOnInsertion+0x12c
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1dda677 nt!PpmEventTraceCoreParkingSelection+0x197
fffff800`e1b51124 nt!KiProcessThreadWaitList+0x224
fffff800`e1b50cfc nt!KiExitDispatcher+0x4c
fffff800`e1cf277c nt!PpmParkComputeUnparkMask+0xa2c
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0x3e
fffff800`e1bb2241 nt!KiIntSteerCalculatePriorityDistribution+0x201
fffff800`e1bb361d nt!KiIntSteerLogMask+0x55
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb3699 nt!KiIntSteerLogProc+0x5d
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb37e3 nt!KiIntSteerCalculateDistribution+0x103
fffff800`e1bb32c3 nt!KeIntSteerPeriodic+0x17f
fffff800`e1bb2ed8 nt!PpmParkSteerInterrupts+0x5e8
fffff800`e1c594e9 nt!HvlUpdatePerformanceStateCountersForLp+0x79
fffff800`776b2781 intelppm!PerfHvReadFeedback+0x61
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0x2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0x308
fffff800`e1a0afa5 nt!KiUpdateThreadQosGroupingSummaries+0x75
fffff800`e1a0a927 nt!KiCommitRescheduleContextEntry+0x1e7
fffff800`e27d1183 nt!KiInitialSharedReadyQueue+0x243
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1b3673a nt!KiDeferredReadySingleThread+0x29fa
fffff800`e1a0f077 nt!PpmUpdatePerformanceFeedback+0x3b7
fffff800`e1b51006 nt!KiProcessThreadWaitList+0x106
fffff800`e1b335a4 nt!EtwpLogKernelEvent+0x2f4
fffff800`e1b2db6f nt!KeSetEvent+0x10f
fffff800`e1bb7182 nt!PopQueueTargetDpc+0xee
fffff800`e1b32bc6 nt!KiExecuteAllDpcs+0xdc6
fffff800`e1bb6680 nt!PopExecuteProcessorCallback
fffff800`e1bb6680 nt!PopExecuteProcessorCallback
fffff800`e1a0c228 nt!KiRetireDpcList+0x668
fffff800`e1bb6680 nt!PopExecuteProcessorCallback
fffff800`e1eac3c5 nt!KxSwapStacksAndRetireDpcList+0x5
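
The region arithmetic and a first triage pass over the resulting residue, as an added Python example (not the author's code or tooling). The helper names and the return-address heuristic are assumptions of this example; the sample lines are taken from the listings above, some deliberately left with the "0×" rendering that web-copied debugger output often has.

```python
import re
from collections import Counter, namedtuple

Residue = namedtuple("Residue", "address module symbol offset")

# One dpS line: "hhhhhhhh`llllllll module!symbol+0xOFF [source @ line]".
# Output copied from web pages often has "0x" rendered as "0×" (U+00D7),
# so the offset prefix accepts both forms.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8}`[0-9a-f]{8})\s+"
    r"(?P<module>[^!+\s]+)"
    r"(?:!(?P<symbol>.*?))?"
    r"(?:\+0[x×](?P<offset>[0-9a-f]+))?"
    r"(?:\s+\[[^\]]*\])?\s*$",
    re.IGNORECASE,
)

# Constructed sample: a dozen lines picked from the two listings above.
SAMPLE = r"""
0: kd> dpS 0xfffff800`745b1fb0-7000 L7000/8
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`e236a196 nt!ExFreePoolWithTag+0×4c6
fffff800`75464450 NETIO!ArbitrateAndEnforceCallout
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`8b48f165 igdkmd64+0xef165
fffff800`8abae2d8 mrvlpcie8897+0×2e2d8
fffff800`e1eba502 nt! ?? ::FNODOBFM::`string’+0×2
fffff800`8ad06599 wdiwifi!CPort::SendNetBufferLists+0×129
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0×95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`e2709dc0 nt!PpmCheckDpc
fffff800`e1a0c228 nt!KiRetireDpcList+0×668
fffff800`e1eac3c5 nt!KxSwapStacksAndRetireDpcList+0×5
"""


def dpc_stack_command(dpc_stack, kernel_stack_size):
    """Build the dpS command for one CPU's DPC stack region.

    dpc_stack is the _KPRCB.DpcStack value (the region base, at the high end),
    kernel_stack_size is the value read from nt!KeKernelStackSize.
    """
    hi, lo = dpc_stack >> 32, dpc_stack & 0xFFFFFFFF
    return "dpS 0x%08x`%08x-%x L%x/8" % (hi, lo, kernel_stack_size, kernel_stack_size)


def parse_dps(text):
    """Parse dpS output (symbolic values only) into Residue tuples.

    Prompt lines, blank lines and anything not starting with a 64-bit
    address in hi`lo form are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        address = int(m.group("addr").replace("`", ""), 16)
        symbol = m.group("symbol")
        offset = int(m.group("offset"), 16) if m.group("offset") else 0
        entries.append(Residue(address, m.group("module"),
                               symbol.strip() if symbol is not None else None,
                               offset))
    return entries


def triage(entries):
    """Split residue into groups that are read differently.

    Heuristic (assumption of this example): a return address follows a call
    instruction, so symbol+offset values are candidates for a Rough Stack
    Trace, while values at offset 0 are function pointers or data symbols.
    Modules that resolve only as module+offset have no symbols loaded.
    """
    return {
        "per_module": Counter(e.module for e in entries),
        "unsymbolized_modules": sorted({e.module for e in entries if e.symbol is None}),
        "return_candidates": [e for e in entries if e.symbol is not None and e.offset != 0],
        "function_pointers": [e for e in entries if e.symbol is not None and e.offset == 0],
    }


if __name__ == "__main__":
    print(dpc_stack_command(0xfffff800745b1fb0, 0x7000))
    result = triage(parse_dps(SAMPLE))
    for module, hits in result["per_module"].most_common():
        print("%-14s %d" % (module, hits))
    print("no symbols:", ", ".join(result["unsymbolized_modules"]))
    for e in result["return_candidates"]:
        print("%016x %s!%s+0x%x" % e)
```

Large offsets into data symbols (for example nt!ExPoolState+0x86940) still land in the return-candidate group, so that group is a starting point for manual reading, not a reconstructed stack trace.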

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 299)

Tuesday, June 3rd, 2025

Interrupt Stack Collection is another area to mine for Execution Residue and Rough Stack Traces. Some Interrupt Stacks may be visible in Stack Trace Collections such as from CPUs. In addition to the Stack Overflow double fault stack region, we also have debug, NMI, and machine check interrupt stack 6Kb regions:

6: kd> !idt

Dumping IDT: ffffbd014d6b1000

00: fffff806f53ad100 nt!KiDivideErrorFaultShadow
01: fffff806f53ad180 nt!KiDebugTrapOrFaultShadow Stack = 0xFFFFBD014D6B59D0
02: fffff806f53ad240 nt!KiNmiInterruptShadow Stack = 0xFFFFBD014D6B57D0
03: fffff806f53ad2c0 nt!KiBreakpointTrapShadow
04: fffff806f53ad340 nt!KiOverflowTrapShadow
05: fffff806f53ad3c0 nt!KiBoundFaultShadow
06: fffff806f53ad440 nt!KiInvalidOpcodeFaultShadow
07: fffff806f53ad4c0 nt!KiNpxNotAvailableFaultShadow
08: fffff806f53ad540 nt!KiDoubleFaultAbortShadow Stack = 0xFFFFBD014D6B53D0
09: fffff806f53ad5c0 nt!KiNpxSegmentOverrunAbortShadow
0a: fffff806f53ad640 nt!KiInvalidTssFaultShadow
0b: fffff806f53ad6c0 nt!KiSegmentNotPresentFaultShadow
0c: fffff806f53ad740 nt!KiStackFaultShadow
0d: fffff806f53ad7c0 nt!KiGeneralProtectionFaultShadow
0e: fffff806f53ad840 nt!KiPageFaultShadow
10: fffff806f53ad8c0 nt!KiFloatingErrorFaultShadow
11: fffff806f53ad940 nt!KiAlignmentFaultShadow
12: fffff806f53ad9c0 nt!KiMcheckAbortShadow Stack = 0xFFFFBD014D6B55D0
13: fffff806f53adac0 nt!KiXmmExceptionShadow
[…]

These stacks are different for each CPU. It is also possible to get these stack bases from TSS:

6: kd> ~0s

0: kd> !pcr
KPCR for Processor 0 at fffff80680079000:
Major 1 Minor 1
NtTib.ExceptionList: fffff8068743efb0
NtTib.StackBase: fffff8068743d000
NtTib.StackLimit: 0000000000000000
NtTib.SubSystemTib: fffff80680079000
NtTib.Version: 0000000080079180
NtTib.UserPointer: fffff80680079870
NtTib.SelfTib: 00000060414a8000

SelfPcr: 0000000000000000
Prcb: fffff80680079180
Irql: 0000000000000000
IRR: 0000000000000000
IDR: 0000000000000000
InterruptMode: 0000000000000000
IDT: 0000000000000000
GDT: 0000000000000000
TSS: 0000000000000000

CurrentThread: ffffa80b0c8240c0
NextThread: 0000000000000000
IdleThread: fffff806f57d0640

DpcQueue:

0: kd> dt nt!_KPCR fffff80680079000
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 GdtBase : 0xfffff806`8743efb0 _KGDTENTRY64
+0x008 TssBase : 0xfffff806`8743d000 _KTSS64
+0x010 UserRsp : 0
+0x018 Self : 0xfffff806`80079000 _KPCR
+0x020 CurrentPrcb : 0xfffff806`80079180 _KPRCB
+0x028 LockArray : 0xfffff806`80079870 _KSPIN_LOCK_QUEUE
+0x030 Used_Self : 0x00000060`414a8000 Void
+0x038 IdtBase : 0xfffff806`8743c000 _KIDTENTRY64
+0x040 Unused : [2] 0
+0x050 Irql : 0 ''
+0x051 SecondLevelCacheAssociativity : 0x10 ''
+0x052 ObsoleteNumber : 0 ''
+0x053 Fill0 : 0 ''
+0x054 Unused0 : [3] 0
+0x060 MajorVersion : 1
+0x062 MinorVersion : 1
+0x064 StallScaleFactor : 0x840
+0x068 Unused1 : [3] (null)
+0x080 KernelReserved : [15] 0
+0x0bc SecondLevelCacheSize : 0x800000
+0x0c0 HalReserved : [16] 0x7de29000
+0x100 Unused2 : 0
+0x108 KdVersionBlock : (null)
+0x110 Unused3 : (null)
+0x118 PcrAlign1 : [24] 0

0: kd> dt nt!_KTSS64 0xfffff806`8743d000
nt!_KTSS64
+0x000 Reserved0 : 0
+0x004 Rsp0 : 0xfffff806`87440200
+0x00c Rsp1 : 0
+0x014 Rsp2 : 0
+0x01c Ist : [8] 0
+0x05c Reserved1 : 0
+0x064 Reserved2 : 0
+0x066 IoMapBase : 0x68

0: kd> dps 0xfffff806`8743d000+1c L8
fffff806`8743d01c 00000000`00000000
fffff806`8743d024 fffff806`874403d0
fffff806`8743d02c fffff806`874405d0
fffff806`8743d034 fffff806`874407d0
fffff806`8743d03c fffff806`874409d0
fffff806`8743d044 00000000`00000000
fffff806`8743d04c 00000000`00000000
fffff806`8743d054 00000000`00000000

0: kd> !idt 2

Dumping IDT: fffff8068743c000

02: fffff806f53ad240 nt!KiNmiInterruptShadow Stack = 0xFFFFF806874407D0

These stack base values may be transition stack values. In such a case, a redirection is required:

0: kd> dps fffff806`874407d0 L4
fffff806`874407d0 fffff806`80079000
fffff806`874407d8 fffff806`87471fe0
fffff806`874407e0 fffff806`80079000
fffff806`874407e8 00000004`237bf002

0: kd> dpS fffff806`87471fe0+20-6000 L6000/8
fffff806`f4dcd566 nt!KiSaveProcessorState+0xb6
fffff806`f4dc588a nt!KiFreezeTargetExecution+0x1ba
fffff806`f4db72ea nt!KiCheckForFreezeExecution+0x2a
fffff806`f4dbb242 nt!KiProcessNMI+0x52
fffff806`f4eb0fc2 nt!KxNmiInterrupt+0x82
fffff806`f4dcd124 nt!KiMcheckFastForward+0x64

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 298)

Saturday, September 14th, 2024

Terminated threads are not listed in unmanaged space Stack Trace Collections. In kernel space, we may notice them if we expect N kernel threads but see fewer, like Missing Threads in user space. If we see fewer kernel threads in a process context, then the user space counterparts to Dual Stack Traces are definitely missing (but we may still recover Hidden Stacks). Sometimes, using appropriate extensions, like SwishDbgExt, we can see terminated threads based on exit time:

0: kd> !ms_process /pid 0x250 /threads
[...]
| 0x0250 | 0x02a0 | 0x00007FFC858FE680 | winsrvext!TerminalServerRequestThread | 13/11/2021 22:14:28 | 00/00/ 0 00:00:00 |
| 0x0250 | 0x02a4 | 0x00007FFC858F2710 | winsrvext!GdiAddInitialFontsThread | 13/11/2021 22:14:28 | 13/11/2021 22:14:29 |
| 0x0250 | 0x02a8 | 0x00007FFC858F3430 | winsrvext!NotificationThread | 13/11/2021 22:14:28 | 00/00/ 0 00:00:00 |
[…]

If we get thread ids from some Paratext, we can directly check if the thread is terminated or not:

0: kd> !thread -t 2a4 3f
THREAD ffffc38c3040e080 Cid 0250.02a4 Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
Not impersonating
DeviceMap ffffac8a0423d290
Owning Process ffffc38c30880140 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 1282 Ticks: 10674 (0:00:02:46.781)
Context Switch Count 1192 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address winsrvext!GdiAddInitialFontsThread (0x00007ffc858f2710)
Stack Init 0000000000000000 Current ffffbe8295331670
Base ffffbe8295332000 Limit ffffbe829532c000 Call 0000000000000000
Priority 14 BasePriority 13 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffffbe82`953316b0 fffffc57`1e5ba085 0x4
ffffbe82`953316b8 fffff806`6255f501 0xfffffc57`1e5ba085
ffffbe82`953316c0 000002ac`02048e80 nt!PspThreadFromTicket+0x51
ffffbe82`953316f0 ffffffff`ffffffff 0x000002ac`02048e80
ffffbe82`953316f8 ffffbe82`95331b60 0xffffffff`ffffffff
ffffbe82`95331700 ffffbe82`953319a0 0xffffbe82`95331b60
ffffbe82`95331708 fffff806`62136778 0xffffbe82`953319a0
ffffbe82`95331710 fffff806`62138fdc nt!IoRemoveIoCompletion+0x98
ffffbe82`95331830 fffff806`62227b75 nt!NtWaitForWorkViaWorkerFactory+0x39c
ffffbe82`95331a70 00000000`00000000 nt!KiSystemServiceCopyEnd+0x25

Please note that in the case of an Incorrect Stack Trace, we can get a Rough Stack Trace or try to reconstruct one manually from Execution Residue:

0: kd> dpS ffffbe829532c000 ffffbe8295332000
fffff806`6210aeb4 nt!MiGetPerfectColorHeadPage+0x94
fffff806`624e9fa2 nt!PspGetContext+0x2e2
fffff806`62a54e00 nt!MiSystemPartition
fffff806`624e9aba nt!PspGetSetContextInternal+0x3aa
fffff806`624e9aba nt!PspGetSetContextInternal+0x3aa
fffff806`621090b1 nt!MiAddWorkingSetEntries+0x451
fffff806`62108965 nt!MiAllocateWsle+0x295
fffff806`62a54e00 nt!MiSystemPartition
fffff806`62107eac nt!MiCompletePrivateZeroFault+0x77c
fffff806`62a54e00 nt!MiSystemPartition
fffff806`62107315 nt!MiResolvePrivateZeroFault+0x1a5
fffff806`62105c28 nt!MiResolveDemandZeroFault+0x298
fffff806`62a54e00 nt!MiSystemPartition
fffff806`621290cc nt!MiDispatchFault+0x2ac
fffff806`6221db3d nt!PspGetSetContextSpecialApc+0x6d
fffff806`624ea5fd nt!PspSetContextThreadInternal+0x16d
fffff806`624e9083 nt!PspInitializeThunkContext+0x28f
00007ffc`884b6870 ntdll!TppWorkerThread
00007ffc`884a4830 ntdll!RtlUserThreadStart
fffff806`620d58e4 nt!EtwpEventWriteFull+0x3f4
fffff806`620d58e4 nt!EtwpEventWriteFull+0x3f4
fffff806`61e0f808 nt!ThreadWorkOnBehalfUpdate
fffff806`6221d818 nt!SwapContext+0x4d8
fffff806`6221d056 nt!KiSwapContext+0x76
fffff806`62132457 nt!KiSwapThread+0x3a7
fffff806`61e0f808 nt!ThreadWorkOnBehalfUpdate
fffff806`61e0f808 nt!ThreadWorkOnBehalfUpdate
fffff806`62134309 nt!KiCommitThreadWait+0x159
fffff806`62136d66 nt!KeRemoveQueueEx+0x2b6
fffff806`6255f501 nt!PspThreadFromTicket+0x51
fffff806`62136778 nt!IoRemoveIoCompletion+0x98
fffff806`6256d901 nt!ObpReferenceObjectByHandleWithTag+0x231
fffff806`6256d6be nt!ObReferenceObjectByHandle+0x2e
fffff806`62138fdc nt!NtWaitForWorkViaWorkerFactory+0x39c
fffff806`62227b75 nt!KiSystemServiceCopyEnd+0x25
fffff806`62227b75 nt!KiSystemServiceCopyEnd+0x25
00007ffc`88546f14 ntdll!NtWaitForWorkViaWorkerFactory+0x14

Such Historical Information may help in the reconstruction of past system behavior.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 289)

Tuesday, March 12th, 2024

Sometimes, we are interested in Past Processes, processes that ran in the past, because they may suggest troubleshooting hints. Some may still be present as Zombie Processes, and information about some may be present as control areas of the previously mapped files (even if there are no mapped views at the moment):

1: kd> !memusage
...
Control Valid Standby Dirty Shared Locked PageTables name

ffffbe0c8b47f460 0 148 0 0 0 0 mapped_file( WerFault.exe )

1: kd> !ca ffffbe0c8b47f460 4
...
\Windows\System32\WerFault.exe

No mapped views.

This analysis pattern is different from Hidden Process where the process is still running or at least its image is still mapped to memory.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 241)

Sunday, May 29th, 2016

Most Execution Residue traces in memory dumps are not explicitly temporal (see Special and General Trace and Log Analysis) but may be ordered by some space coordinate, such as memory addresses or page frame numbers. Furthermore, virtual space can be subdivided into places such as modules, and physical space may be restructured into places such as processes. A simple space trace of some data value can be constructed using the Value References analysis pattern. These and higher structural space trace constructs can be named as a general Place Trace analysis pattern illustrated in this diagram:

Memory attributes, such as page protection, or derived attributes from memory contents can also be considered as Place Trace data. Sometimes, time ordering can be reconstructed by looking at time information for place containers, for example, elapsed process time or ordering in the process list, or thread order and times for stack region thread owners.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 240)

Sunday, May 29th, 2016

Windows processes may contain Execution Residue such as ASCII window class names in mapped memory regions pointing to other running processes (perhaps as a result of Hooksware). For example, a calc.exe process memory dump saved on my Windows 10 notebook “knows” about Visio and WinDbg windows that were opened at that time:

0:000> s-a 0 L?FFFFFFFFFFFFFFFF "VISIOA"
00000015`42c6bdd0 56 49 53 49 4f 41 00 00-00 00 00 00 00 00 00 00 VISIOA.............

0:000> s-a 0 L?FFFFFFFFFFFFFFFF "WinDbg"
00000015`42d19720 57 69 6e 44 62 67 46 72-61 6d 65 43 6c 61 73 73 WinDbgFrameClass

This may be useful for some troubleshooting scenarios, for example, pointing to processes which are known for their problematic behavior or Special Processes. Of course, we assume that those windows or classes were genuine, not faked. We call this analysis pattern Window Hint similar to Environment Hint and Module Hint analysis patterns.

Going deeper, we can dump strings from the whole region limiting the output to the strings with length more than 5:

0:000> !address 00000015`42d19720

Usage:                  <unknown>
Base Address:           00000015`42b20000
End Address:            00000015`42d3a000

Region Size:            00000000`0021a000 (   2.102 MB)
State:                  00001000          MEM_COMMIT
Protect:                00000002          PAGE_READONLY
Type:                   00040000          MEM_MAPPED
Allocation Base:        00000015`42b20000
Allocation Protect:     00000002          PAGE_READONLY

Content source: 1 (target), length: 208e0

0:000> s-[l5]sa 00000015`42b20000 00000015`42d3a000
00000015`42b20a60  "#32769"
00000015`42b20cc0  "Message"
00000015`42b20f40  "#32774"
00000015`42b21060  "#32772"
00000015`42b21510  "Ghost"
00000015`42b215e0  "LivePreview"
00000015`42b216f0  "UserAdapterWindowClass"
00000015`42b21ce0  "MSCTFIME Composition"
00000015`42b222a0  "#32772"
00000015`42b22390  "#32772"
00000015`42b22460  "RichEdit20W"
00000015`42b22530  "RichEdit20A"
00000015`42b22600  "ToolbarWindow32"
00000015`42b226e0  "tooltips_class32"
00000015`42b227c0  "msctls_statusbar32"
00000015`42b228a0  "SysListView32"
00000015`42b22980  "SysHeader32"
00000015`42b22a50  "SysTabControl32"
00000015`42b22b30  "SysTreeView32"
00000015`42b22c10  "msctls_trackbar32"
00000015`42b22cf0  "msctls_updown32"
00000015`42b22dd0  "msctls_progress32"
00000015`42b22eb0  "msctls_hotkey32"
00000015`42b22f8f  "'SysAnimate32"
00000015`42b230f0  "SysIPAddress32"
00000015`42b231d0  "ReBarWindow32"
00000015`42b232b0  "ComboBoxEx32"
00000015`42b23390  "SysMonthCal32"
00000015`42b23470  "SysDateTimePick32"
00000015`42b23550  "DropDown"
00000015`42b23620  "SysLink"
00000015`42b236f0  "SysPager"
00000015`42b23960  "msctls_netaddress"

[...]

00000015`42d175e0  "OutlookFbThreadWnd"
00000015`42d19720  "WinDbgFrameClass"
00000015`42d19750  "DockClass"
00000015`42d19770  "GhostClass"
00000015`42d19a30  "ATL:00007FF60D792730"
00000015`42d1a0f0  "MSCTFIME Composition"
00000015`42d1a4af  "%OleMainThreadWndClass"
00000015`42d1be10  "CicMarshalWndClass"
00000015`42d1c0e0  "VSyncHelper-00000040EC4CA5F0-1f8"
00000015`42d1c100  "8855daf"
00000015`42d1c190  "URL Moniker Notification Window"
00000015`42d1c390  "UserAdapterWindowClass"
00000015`42d1d080  "@>zG#"
00000015`42d1dcaf  "!VSyncHelper-00000040D60C5850-1e"
00000015`42d1dccf  "ef0477df"
00000015`42d20d50  "VSyncHelper-00000040F39C5650-1f0"
00000015`42d20d70  "313c5a0"
00000015`42d250d0  "#32770"
00000015`42d250f0  "URL Moniker Notification Window"
00000015`42d29270  "VSyncHelper-00000079321C32E0-1f2"
00000015`42d29290  "fb11f8c"
00000015`42d2a1d0  "MSCTFIME Composition"
00000015`42d2a480  "CicMarshalWndClass"
00000015`42d2ac80  "MSCTFIME Composition"
00000015`42d2b8d0  "ShockwaveFlashFullScreen"
00000015`42d2bbb8  "P?U!\"
00000015`42d2c690  "Xaml_WindowedPopupClass"
00000015`42d30a10  "ShockwaveFlashFullScreen"
00000015`42d30b50  "MSCTFIME UI"
00000015`42d30b90  "WinBaseClass"
00000015`42d3441f  "!Alternate Owner"
00000015`42d34460  "ShockwaveFlashFullScreen"
00000015`42d344a0  "ATL:00007FF60D792530"
00000015`42d34a50  "SysAnimate32"
00000015`42d34a7f  "'ComboBoxEx32"
00000015`42d34ed0  "tooltips_class32"
00000015`42d34f00  "msctls_statusbar32"
00000015`42d35e70  "RawInputClass"
00000015`42d36a10  "SysTabControl32"
00000015`42d38650  "CicMarshalWndClass"
00000015`42d38eb0  "#32772"
00000015`42d3951f  "!VSyncHelper-000000C9DA06CD10-1f"
00000015`42d3953f  "110e8d16"
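
To make Window Hints stand out in a listing of this size, the string search output can be filtered in a script. The following is an added example, not part of the original post: it parses `s-[l5]sa` output lines, drops classes that the analyst treats as a baseline (the `BASELINE` patterns are an assumption compiled from the output above), discards noise strings and split-off hex fragments, and groups instance-specific names such as `ATL:...` under one key.

```python
import re

# One line of `s-[l5]sa` output: address, then the quoted ASCII string.
LINE_RE = re.compile(r'^([0-9a-fA-F]{8}`[0-9a-fA-F]{8})\s+"(.*)"\s*$')

# Assumption: class names treated as an uninteresting baseline for this triage.
# The patterns are compiled from the listing on the page, not from any
# authoritative catalogue of system window classes.
BASELINE = [re.compile(p) for p in (
    r'#327\d\d', r'Sys\w+32', r'msctls_\w+', r'tooltips_class32',
    r'ToolbarWindow32', r'ReBarWindow32', r'ComboBoxEx32', r'RichEdit20[AW]',
    r'MSCTFIME .*', r'CicMarshalWndClass', r'OleMainThreadWndClass',
)]

# Long hex runs are per-instance values (object addresses, ids).
HEX_RUN = re.compile(r'[0-9A-Fa-f]{7,}')

# Excerpt of the output shown on the page.
SAMPLE_OUTPUT = '''
00000015`42b22460  "RichEdit20W"
00000015`42b228a0  "SysListView32"
00000015`42d175e0  "OutlookFbThreadWnd"
00000015`42d19720  "WinDbgFrameClass"
00000015`42d19a30  "ATL:00007FF60D792730"
00000015`42d1a4af  "%OleMainThreadWndClass"
00000015`42d1c0e0  "VSyncHelper-00000040EC4CA5F0-1f8"
00000015`42d1c100  "8855daf"
00000015`42d1d080  "@>zG#"
00000015`42d250d0  "#32770"
00000015`42d2b8d0  "ShockwaveFlashFullScreen"
00000015`42d30a10  "ShockwaveFlashFullScreen"
00000015`42d34a7f  "'ComboBoxEx32"
00000015`42d344a0  "ATL:00007FF60D792530"
'''


def is_baseline(name):
    return any(p.fullmatch(name) for p in BASELINE)


def looks_like_name(s):
    """True for strings built only from characters typical of class names."""
    return (bool(s)
            and all(c.isalnum() or c in ' _:-.' for c in s)
            and any(c.isalpha() for c in s))


def extract_window_hints(text):
    """Return {normalised class name: [addresses]} for non-baseline strings."""
    hints = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, s = m.groups()
        # The search sometimes picks up one printable byte in front of the
        # name ("'ComboBoxEx32", "%OleMainThreadWndClass"); retry without it.
        if not is_baseline(s) and not looks_like_name(s) and looks_like_name(s[1:]):
            s = s[1:]
        if is_baseline(s) or not looks_like_name(s):
            continue          # baseline class or binary noise such as "@>zG#"
        if HEX_RUN.fullmatch(s):
            continue          # tail fragment of a longer string ("8855daf")
        key = HEX_RUN.sub('<hex>', s)
        hints.setdefault(key, []).append(addr)
    return hints


if __name__ == '__main__':
    for name, addrs in extract_window_hints(SAMPLE_OUTPUT).items():
        print(f'{name:28} {len(addrs)} hit(s), first at {addrs[0]}')
```

The surviving names are candidates only; as the post notes, they are hints under the assumption that the windows or classes were genuine.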

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 209)

Saturday, September 6th, 2014

The availability of direct dump modification raises the possibility of Tampered Dumps. These are memory dumps specifically modified to alter structural and behavioural diagnostic patterns, for example, to suppress certain module involvement or introduce fictitious past objects and interaction traces such as Execution Residue and Module Hints. There can be 2 types of such artefacts: strong tampering with new or altered information completely integrated into memory fabric and weak tampering to confuse inexperienced software support engineers and memory forensics analysts.

For example, in one such experimental process memory dump we see Exception Stack Trace pointing to a problem in calc module:

0:003> k
Child-SP RetAddr Call Site
00000000`0244e858 000007fe`fd061430 ntdll!NtWaitForMultipleObjects+0xa
00000000`0244e860 00000000`76ec1723 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`0244e960 00000000`76f3b5e5 kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`0244e9f0 00000000`76f3b767 kernel32!WerpReportFaultInternal+0x215
00000000`0244ea90 00000000`76f3b7bf kernel32!WerpReportFault+0x77
00000000`0244eac0 00000000`76f3b9dc kernel32!BasepReportFault+0x1f
00000000`0244eaf0 00000000`77153398 kernel32!UnhandledExceptionFilter+0x1fc
00000000`0244ebd0 00000000`770d85c8 ntdll! ?? ::FNODOBFM::`string'+0x2365
00000000`0244ec00 00000000`770e9d2d ntdll!_C_specific_handler+0x8c
00000000`0244ec70 00000000`770d91cf ntdll!RtlpExecuteHandlerForException+0xd
00000000`0244eca0 00000000`77111248 ntdll!RtlDispatchException+0x45a
00000000`0244f380 00000000`ffdbdb27 ntdll!KiUserExceptionDispatch+0x2e
00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd
00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

The default analysis command (!analyze -v) diagnoses “stack corruption”:

FAULTING_IP:
kernel32!UnhandledExceptionFilter+1fc
00000000`76f3b9dc 448bf0 mov r14d,eax

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000076f3b9dc (kernel32!UnhandledExceptionFilter+0x00000000000001fc)
ExceptionCode: 0244e9f0
ExceptionFlags: 00000000
NumberParameters: 0

DEFAULT_BUCKET_ID: STACK_CORRUPTION

PRIMARY_PROBLEM_CLASS: STACK_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_STACK_CORRUPTION

IP_ON_HEAP: 8d483674c33bfffa
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

UNALIGNED_STACK_POINTER: 0000000076f3b767

STACK_TEXT:
00000000`00000000 00000000`00000000 calc!CTimedCalc::WatchDogThread+0x0

FOLLOWUP_IP:
calc!CTimedCalc::WatchDogThread+0
00000000`ffd92254 48895c2408 mov qword ptr [rsp+8],rbx

Stored Exception resembles signs of Local Buffer Overflow (segment register values and CPU flags have suspiciously invalid values, possibly Lateral Damage):

0:003> .ecxr
rax=0000000000000000 rbx=0000000000000001 rcx=000000000244ec30
rdx=000000000244ec30 rsi=0100000000000080 rdi=0000000000000158
rip=0000000076f3b9dc rsp=0000000076f3b767 rbp=0000000000000000
r8=0000000000000000 r9=ffffffffffffffff r10=0000000076f3b7bf
r11=000000000244ec30 r12=0000000000000001 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
cs=0000 ss=0000 ds=0266 es=0000 fs=0000 gs=0154 efl=00000000
kernel32!UnhandledExceptionFilter+0x1fc:
00000000`76f3b9dc 448bf0 mov r14d,eax

0:003> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`76f3b767 8d483674`c33bfffa kernel32!UnhandledExceptionFilter+0x1fc
00000000`76f3b847 5aa3e800`05bfac0d 0x8d483674`c33bfffa
00000000`76f3b84f ebffcf83`48ccfff9 0x5aa3e800`05bfac0d
00000000`76f3b857 8348c000`0409ba27 0xebffcf83`48ccfff9
00000000`76f3b85f 54dfe8cf`8b48ffcf 0x8348c000`0409ba27
00000000`76f3b867 4c02778d`db33fff9 0x54dfe8cf`8b48ffcf
00000000`76f3b86f 4c000000`e024a48b 0x4c02778d`db33fff9
00000000`76f3b877 ffcf8348`04ebeb8b 0x4c000000`e024a48b
00000000`76f3b87f fffc59e9`e8cc8b49 0xffcf8348`04ebeb8b
00000000`76f3b887 42e9c78b`0775c73b 0xfffc59e9`e8cc8b49
00000000`76f3b88f fffa6fa9`e8000003 0x42e9c78b`0775c73b
00000000`76f3b897 32e9c033`0774c33b 0xfffa6fa9`e8000003
00000000`76f3b89f fa7f3d8d`4c000003 0x32e9c033`0774c33b
00000000`76f3b8a7 de15ffcf`8b490006 0xfa7f3d8d`4c000003
00000000`76f3b8af f9370d8b`4800000e 0xde15ffcf`8b490006
00000000`76f3b8b7 000014a1`15ff0006 0xf9370d8b`4800000e
00000000`76f3b8bf 840fc33b`48f08b4c 0x000014a1`15ff0006
00000000`76f3b8c7 f6158b48`00000099 0x840fc33b`48f08b4c
00000000`76f3b8cf 0238c281`480006f3 0xf6158b48`00000099
00000000`76f3b8d7 48cfe8c8`8b480000 0x0238c281`480006f3
00000000`76f3b8df 8b4c7f74`c33bfff9 0x48cfe8c8`8b480000
00000000`76f3b8e7 888b4900`06f3dc05 0x8b4c7f74`c33bfff9
00000000`76f3b8ef 75083949`00000238 0x888b4900`06f3dc05
00000000`76f3b8f7 00000240`808b496c 0x75083949`00000238
00000000`76f3b8ff 8b415f75`08403949 0x00000240`808b496c
00000000`76f3b907 00024880`3b411040 0x8b415f75`08403949
00000000`76f3b90f 01040000`a9527500 0x00024880`3b411040
00000000`76f3b917 00025090`8d491874 0x01040000`a9527500
00000000`76f3b91f c68a4418`488d4900 0x00025090`8d491874
00000000`76f3b927 c33a0000`117315ff 0xc68a4418`488d4900
00000000`76f3b92f 4e15ffcf`8b493374 0xc33a0000`117315ff
00000000`76f3b937 ff41cc8b`4900000e 0x4e15ffcf`8b493374
00000000`76f3b93f 00028c84`0fc63bd6 0xff41cc8b`4900000e
00000000`76f3b947 00028484`0fc73b00 0x00028c84`0fc63bd6
00000000`76f3b94f 6ee7e819`75c33b00 0x00028484`0fc73b00
00000000`76f3b957 c0331074`c33bfffa 0x6ee7e819`75c33b00
00000000`76f3b95f cf8b4900`000270e9 0xc0331074`c33bfffa
00000000`76f3b967 8b490000`0e1b15ff 0xcf8b4900`000270e9
00000000`76f3b96f 3b000013`e215ffcc 0x8b490000`0e1b15ff
00000000`76f3b977 0253e9c7`8b0775c7 0x3b000013`e215ffcc
00000000`76f3b97f 41fff959`4ae80000 0x0253e9c7`8b0775c7
00000000`76f3b987 c6844100`000002be 0x41fff959`4ae80000
00000000`76f3b98f 15ff0000`023d850f 0xc6844100`000002be
00000000`76f3b997 850f20a8`00000f65 0x15ff0000`023d850f
00000000`76f3b99f 245c8948`0000022f 0x850f20a8`00000f65
00000000`76f3b9a7 448d4c3e`4e8d4520 0x245c8948`0000022f
00000000`76f3b9af ffc933d6`8b416024 0x448d4c3e`4e8d4520
00000000`76f3b9b7 7cc33b00`0009f415 0xffc933d6`8b416024
00000000`76f3b9bf 730a7024`64ba0f0f 0x7cc33b00`0009f415
00000000`76f3b9c7 00000205`e9c68b07 0x730a7024`64ba0f0f
00000000`76f3b9cf cc8b49d6`8bfb8b44 0x00000205`e9c68b07
00000000`76f3b9d7 f08b44ff`fffdc4e8 0xcc8b49d6`8bfb8b44
00000000`76f3b9df e9c03307`7508f883 0xf08b44ff`fffdc4e8
00000000`76f3b9e7 7506f883`000001e9 0xe9c03307`7508f883
00000000`76f3b9ef c33bfffa`6e4be810 0x7506f883`000001e9
00000000`76f3b9f7 0001d4e9`c0330774 0xc33bfffa`6e4be810
00000000`76f3b9ff 86850f04`fe834100 0x0001d4e9`c0330774
00000000`76f3ba07 0000024a`ba000001 0x86850f04`fe834100
00000000`76f3ba0f 00b841ce`8b45c933 0x0000024a`ba000001
00000000`76f3ba17 fff7a249`e8000010 0x00b841ce`8b45c933
00000000`76f3ba1f 0775c33b`48e88b4c 0xfff7a249`e8000010
00000000`76f3ba27 48000001`a6e9c033 0x0775c33b`48e88b4c
00000000`76f3ba2f 24448948`3024448d 0x48000001`a6e9c033
00000000`76f3ba37 0000f024`8c8d4c20 0x24448948`3024448d
00000000`76f3ba3f 49000001`25b84100 0x0000f024`8c8d4c20
00000000`76f3ba47 8a0fe8cf`8b48d58b 0x49000001`25b84100
00000000`76f3ba4f 4166097c`c33bfffe 0x8a0fe8cf`8b48d58b
00000000`76f3ba57 39fe450f`44005d39 0x4166097c`c33bfffe
00000000`76f3ba5f 850f0000`00f0249c 0x39fe450f`44005d39
00000000`76f3ba67 240c8b49`000000bc 0x850f0000`00f0249c
00000000`76f3ba6f 40244489`48016348 0x240c8b49`000000bc
00000000`76f3ba77 24448948`10418b48 0x40244489`48016348
00000000`76f3ba7f 75c00000`06398148 0x24448948`10418b48
00000000`76f3ba87 480b7203`18798318 0x75c00000`06398148
00000000`76f3ba8f 50244489`4830418b 0x480b7203`18798318
00000000`76f3ba97 eb50245c`89481ceb 0x50244489`4830418b
00000000`76f3ba9f 8b480b72`18713915 0xeb50245c`89481ceb
00000000`76f3baa7 eb502444`89482041 0x8b480b72`18713915
00000000`76f3baaf 02ba5024`5c894805 0xeb502444`89482041
00000000`76f3bab7 0b721851`39000000 0x02ba5024`5c894805
00000000`76f3babf 24448948`28418b48 0x0b721851`39000000
00000000`76f3bac7 58245c89`4805eb58 0x24448948`28418b48
00000000`76f3bacf ba1d3808`74fb3b44 0x58245c89`4805eb58
00000000`76f3bad7 48d68b02`740006fd 0xba1d3808`74fb3b44
00000000`76f3badf 48000000`e824848d 0x48d68b02`740006fd
00000000`76f3bae7 20245489`28244489 0x48000000`e824848d
00000000`76f3baef c0334540`244c8d4c 0x20245489`28244489
00000000`76f3baf7 000144b9`04508d41 0xc0334540`244c8d4c
00000000`76f3baff ba00000d`7215ffd0 0x000144b9`04508d41
00000000`76f3bb07 8c8bc223`c0000000 0xba00000d`7215ffd0
00000000`76f3bb0f b8c23b00`0000e824 0x8c8bc223`c0000000
00000000`76f3bb17 89c8440f`00000006 0xb8c23b00`0000e824
00000000`76f3bb1f 07eb0000`00e8248c 0x89c8440f`00000006
00000000`76f3bb27 44000000`e8248c8b 0x07eb0000`00e8248c
00000000`76f3bb2f 7403f983`5d74fb3b 0x44000000`e8248c8b
00000000`76f3bb37 000000f0`249c3909 0x7403f983`5d74fb3b
00000000`76f3bb3f 0006fd4d`058a4f74 0x000000f0`249c3909
00000000`76f3bb47 f85f5ce8`4b75c33a 0x0006fd4d`058a4f74
00000000`76f3bb4f 448b3b75`5c5838ff 0xf85f5ce8`4b75c33a
00000000`76f3bb57 894c2824`44893024 0x448b3b75`5c5838ff
00000000`76f3bb5f 08244c8b`4d20246c 0x894c2824`44893024
00000000`76f3bb67 fec2c748`24048b4d 0x08244c8b`4d20246c
00000000`76f3bb6f b6e8cf8b`48ffffff 0xfec2c748`24048b4d
00000000`76f3bb77 fd130db6`0fffffea 0xb6e8cf8b`48ffffff
00000000`76f3bb7f 88ce4c0f`c33b0006 0xfd130db6`0fffffea
00000000`76f3bb87 ebfb8b00`06fd080d 0x88ce4c0f`c33b0006
00000000`76f3bb8f 3a0006fc`fe058a29 0xebfb8b00`06fd080d
00000000`76f3bb97 8b240c8b`491874c3 0x3a0006fc`fe058a29
00000000`76f3bb9f 060f15ff`cf8b4811 0x8b240c8b`491874c3
00000000`76f3bba7 0000f824`bc8b0000 0x060f15ff`cf8b4811
00000000`76f3bbaf 00f824bc`8b07eb00 0x0000f824`bc8b0000
00000000`76f3bbb7 331074eb`3b4c0000 0x00f824bc`8b07eb00
00000000`76f3bbbf 49000080`00b841d2 0x331074eb`3b4c0000
00000000`76f3bbc7 8bfff74b`5ae8cd8b 0x49000080`00b841d2
00000000`76f3bbcf c48148c6`8b02ebc7 0x8bfff74b`5ae8cd8b
00000000`76f3bbd7 5e415f41`000000a0 0xc48148c6`8b02ebc7
00000000`76f3bbdf c35b5e5f`5c415d41 0x5e415f41`000000a0
00000000`76f3bbe7 158ead00`00000090 0xc35b5e5f`5c415d41
00000000`76f3bbef 00000200`00000053 0x158ead00`00000090
00000000`76f3bbf7 09bc2400`00002500 0x00000200`00000053
00000000`76f3bbff 00000000`09b42400 0x09bc2400`00002500
00000000`76f3bc07 7e023553`158ead00 0x9b42400
00000000`76f3bc0f 00000400`00000a19 0x7e023553`158ead00
00000000`76f3bc17 09b42000`09bc2000 0x00000400`00000a19
00000000`76f3bc1f 445352bb`03197e00 0x09b42000`09bc2000
00000000`76f3bc27 4c886225`48e28953 0x445352bb`03197e00
00000000`76f3bc2f 4fb29af4`dfbb8344 0x4c886225`48e28953
00000000`76f3bc37 72656b00`0000020e 0x4fb29af4`dfbb8344
00000000`76f3bc3f 64702e32`336c656e 0x72656b00`0000020e
00000000`76f3bc47 00000000`00000062 0x64702e32`336c656e
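
The plausibility checks applied by eye to the stored context above can be scripted. The following is an added example, not part of the original post: it parses the register lines printed by `.ecxr` and flags selector, flag and stack pointer values that a 64-bit user-mode context would not normally have. The stack range, the kernel32 image end and the second (sane) register record are assumptions constructed for the example.

```python
import re

# Selectors WinDbg normally reports for 64-bit user-mode code on Windows.
EXPECTED_SELECTORS = {"cs": 0x33, "ss": 0x2B}
EFLAGS_RESERVED_1 = 0x2    # bit 1 of EFLAGS always reads as 1
EFLAGS_IF = 0x200          # user-mode code runs with interrupts enabled

REG_RE = re.compile(r"\b([a-z][a-z0-9]{1,3})=([0-9a-fA-F]+)\b")

# Register lines of the stored exception context, copied from the page.
STORED_CONTEXT = """
rax=0000000000000000 rbx=0000000000000001 rcx=000000000244ec30
rdx=000000000244ec30 rsi=0100000000000080 rdi=0000000000000158
rip=0000000076f3b9dc rsp=0000000076f3b767 rbp=0000000000000000
iopl=0 nv up di pl nz na pe nc
cs=0000 ss=0000 ds=0266 es=0000 fs=0000 gs=0154 efl=00000000
"""

# Constructed for contrast: rip/rsp of the calc frame from the page's first
# stack trace, with the usual user-mode selector and flag values.
SANE_CONTEXT = """
rip=00000000ffdbdb27 rsp=000000000244fab0 rbp=0000000000000000
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
"""

# Assumption: thread stack range chosen to cover the Child-SP values
# (0244e858..0244fb20) of the page's first stack trace.
STACK_RANGE = (0x0244B000, 0x02450000)
# kernel32 base as symbolised on the page (kernel32+0x0); the end is a lower
# bound derived from kernel32+0x10dda0, rounded up to a page (assumption).
IMAGES = {"kernel32": (0x76EA0000, 0x76FAE000)}


def parse_registers(text):
    """Turn `name=hex` pairs from debugger register output into a dict."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def check_context(regs, stack_range, images):
    """Return a list of (code, detail) findings for an x64 user-mode context."""
    findings = []
    for seg, want in EXPECTED_SELECTORS.items():
        got = regs.get(seg)
        if got != want:
            shown = "missing" if got is None else f"{got:04x}"
            findings.append((f"BAD_{seg.upper()}", f"{seg}={shown}, expected {want:04x}"))
    efl = regs.get("efl", 0)
    if not efl & EFLAGS_RESERVED_1:
        findings.append(("EFLAGS_RESERVED_BIT", f"efl={efl:08x} has bit 1 clear"))
    if not efl & EFLAGS_IF:
        findings.append(("EFLAGS_IF_CLEAR", f"efl={efl:08x} has interrupts disabled"))
    rsp = regs["rsp"]
    if rsp % 8:
        findings.append(("RSP_UNALIGNED", f"rsp={rsp:016x} is not 8-byte aligned"))
    low, high = stack_range
    if not low <= rsp < high:
        findings.append(("RSP_OUTSIDE_STACK", f"rsp={rsp:016x} not in {low:x}-{high:x}"))
    for name, (start, end) in images.items():
        if start <= rsp < end:
            # A stack pointer inside a module image makes the unwinder read
            # image bytes as if they were return addresses.
            findings.append(("RSP_IN_IMAGE", f"rsp={rsp:016x} lies inside {name}"))
    return findings


if __name__ == "__main__":
    for label, text in (("stored", STORED_CONTEXT), ("sane", SANE_CONTEXT)):
        result = check_context(parse_registers(text), STACK_RANGE, IMAGES)
        print(label, "->", [code for code, _ in result] or "no findings")
```

Only cs and ss are treated as hard checks here; the remaining selectors are left to the analyst because they are not part of the control registers.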

We check for any Hidden Exceptions and find that it was a NULL Data Pointer:

0:003> .cxr
Resetting default scope

0:003> k
Child-SP RetAddr Call Site
00000000`0244e858 000007fe`fd061430 ntdll!NtWaitForMultipleObjects+0xa
00000000`0244e860 00000000`76ec1723 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`0244e960 00000000`76f3b5e5 kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`0244e9f0 00000000`76f3b767 kernel32!WerpReportFaultInternal+0x215
00000000`0244ea90 00000000`76f3b7bf kernel32!WerpReportFault+0x77
00000000`0244eac0 00000000`76f3b9dc kernel32!BasepReportFault+0x1f
00000000`0244eaf0 00000000`77153398 kernel32!UnhandledExceptionFilter+0x1fc
00000000`0244ebd0 00000000`770d85c8 ntdll! ?? ::FNODOBFM::`string'+0x2365
00000000`0244ec00 00000000`770e9d2d ntdll!_C_specific_handler+0x8c
00000000`0244ec70 00000000`770d91cf ntdll!RtlpExecuteHandlerForException+0xd
00000000`0244eca0 00000000`77111248 ntdll!RtlDispatchException+0x45a
00000000`0244f380 00000000`ffdbdb27 ntdll!KiUserExceptionDispatch+0x2e
00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd
00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:003> dps 00000000`0244eca0 00000000`0244fab0
00000000`0244eca0 00000000`02450000
00000000`0244eca8 00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0)
00000000`0244ecb0 00000000`00012f00
00000000`0244ecb8 00000000`7711920a ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3da
00000000`0244ecc0 00000000`00000005
00000000`0244ecc8 00000000`00000000
00000000`0244ecd0 00000000`00000000
00000000`0244ecd8 00000000`00000000
00000000`0244ece0 00000000`0244fb20
00000000`0244ece8 00000000`00000000
00000000`0244ecf0 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`0244ecf8 00000000`00000000
00000000`0244ed00 00000000`00000000
00000000`0244ed08 00000000`02450000
00000000`0244ed10 00000000`771e8180 ntdll!`string'+0xc040
00000000`0244ed18 00000000`0244b000
00000000`0244ed20 00000000`0244f250
00000000`0244ed28 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`0244ed30 00000000`770ec541 ntdll!RtlUserThreadStart+0x1d
00000000`0244ed38 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`0244ed40 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`0244ed48 00000000`0244fb20
00000000`0244ed50 00000000`771d7718 ntdll!LdrpDefaultExtension
00000000`0244ed58 00000000`0244ed80
00000000`0244ed60 00000000`770d852c ntdll!_C_specific_handler
00000000`0244ed68 00000000`771e8180 ntdll!`string'+0xc040
00000000`0244ed70 00000000`0244f250
00000000`0244ed78 00000000`00000000
00000000`0244ed80 00000000`00000000
00000000`0244ed88 00000000`00000000
00000000`0244ed90 00000000`00000000
00000000`0244ed98 00000000`00000000
00000000`0244eda0 00000000`00000000
00000000`0244eda8 00000000`00000000
00000000`0244edb0 00001f80`00000000
00000000`0244edb8 00000000`00000033
00000000`0244edc0 00010246`002b0000
00000000`0244edc8 00000000`00000000
00000000`0244edd0 00000000`00000000
00000000`0244edd8 00000000`00000000
00000000`0244ede0 00000000`00000000
00000000`0244ede8 000007fe`ff3625c0 msctf!s_szCompClassName
00000000`0244edf0 00000000`00200000
00000000`0244edf8 00000000`0244ee40
00000000`0244ee00 00000000`0244ee40
00000000`0244ee08 00000000`0244ee40
00000000`0244ee10 00000000`00000000
00000000`0244ee18 00000000`0244fb70
00000000`0244ee20 00000000`00000000
00000000`0244ee28 00000000`00000000
00000000`0244ee30 00000000`00000000
00000000`0244ee38 000007fe`fd602790 ole32!`string'
00000000`0244ee40 00000000`00292170
00000000`0244ee48 00000000`770e7a33 ntdll!LdrpFindOrMapDll+0x138
00000000`0244ee50 00000000`0244ef68
00000000`0244ee58 00000000`00000000
00000000`0244ee60 00000000`00000000
00000000`0244ee68 00000000`00000000
00000000`0244ee70 00000000`00000000
00000000`0244ee78 00000000`00000000
00000000`0244ee80 00000000`0000027f
00000000`0244ee88 00000000`00000000
00000000`0244ee90 00000000`00000000
00000000`0244ee98 0000ffff`00001f80
00000000`0244eea0 00000000`00000000
00000000`0244eea8 00000000`00000000
00000000`0244eeb0 00000000`00000000
00000000`0244eeb8 00000000`00000000
00000000`0244eec0 00000000`00000000
00000000`0244eec8 00000000`00000000
00000000`0244eed0 00000000`00000000
00000000`0244eed8 00000000`00000000
00000000`0244eee0 00000000`00000000
00000000`0244eee8 00000000`00000000
00000000`0244eef0 00000000`00000000
00000000`0244eef8 00000000`00000000
00000000`0244ef00 00000000`00000000
00000000`0244ef08 00000000`00000000
00000000`0244ef10 00000000`00000000
00000000`0244ef18 00000000`00000000
00000000`0244ef20 00000000`00000000
00000000`0244ef28 00000000`771192a8 ntdll!LdrpApplyFileNameRedirection+0x2d3
00000000`0244ef30 00000000`00000000
00000000`0244ef38 00000000`00000000
00000000`0244ef40 00000000`00000000
00000000`0244ef48 00000000`02080000
00000000`0244ef50 00000000`0244f028
00000000`0244ef58 00000000`0244f020
00000000`0244ef60 00000000`00000000
00000000`0244ef68 00000000`00000000
00000000`0244ef70 00000000`00000000
00000000`0244ef78 000007fe`fd602848 ole32!`string'
00000000`0244ef80 00000000`00000000
00000000`0244ef88 00000000`00000000
00000000`0244ef90 00000000`00000000
00000000`0244ef98 00000000`00000000
00000000`0244efa0 00000000`00000000
00000000`0244efa8 00000000`00000000
00000000`0244efb0 00000000`00000000
00000000`0244efb8 00000000`00000000
00000000`0244efc0 00000000`00000000
00000000`0244efc8 00000000`00000000
00000000`0244efd0 00000000`00000000
00000000`0244efd8 00000000`00000000
00000000`0244efe0 00000000`00000000
00000000`0244efe8 00000000`00000000
00000000`0244eff0 00000000`00000000
00000000`0244eff8 00000000`00000000
00000000`0244f000 00000000`00000000
00000000`0244f008 00000000`00000000
00000000`0244f010 00000000`00000000
00000000`0244f018 00000000`00000000
00000000`0244f020 00000000`0244f038
00000000`0244f028 00000000`0000011b
00000000`0244f030 00000000`024d0000
00000000`0244f038 00000080`001a024d
00000000`0244f040 00000000`01c0c8a0
00000000`0244f048 00000000`002f0101
00000000`0244f050 00000000`00000000
00000000`0244f058 00000000`00000022
00000000`0244f060 00000000`002f9b00
00000000`0244f068 00000000`01bd5390
00000000`0244f070 00000000`002f7c00
00000000`0244f078 00000000`01bd5580
00000000`0244f080 00000000`01bd57b0
00000000`0244f088 00000000`002f9b00
00000000`0244f090 00000000`00000000
00000000`0244f098 00000024`00000003
00000000`0244f0a0 00000000`002e91b0
00000000`0244f0a8 00000000`00000022
00000000`0244f0b0 00000000`771d5430 ntdll!RtlpInterceptorRoutines
00000000`0244f0b8 00000000`00000000
00000000`0244f0c0 00000000`00000010
00000000`0244f0c8 00000000`01bd0000
00000000`0244f0d0 00000000`00000008
00000000`0244f0d8 00000000`00000001
00000000`0244f0e0 00000000`01bd0288
00000000`0244f0e8 00000000`77113448 ntdll!RtlAllocateHeap+0xe4
00000000`0244f0f0 00000000`00000000
00000000`0244f0f8 00000000`00000001
00000000`0244f100 000002b2`000f002f
00000000`0244f108 00000000`01bd5780
00000000`0244f110 00000000`00250230
00000000`0244f118 00000000`000000df
00000000`0244f120 00000000`002551a0
00000000`0244f128 00000000`00255210
00000000`0244f130 00000000`002f9b00
00000000`0244f138 00000000`002551a0
00000000`0244f140 00000000`000000df
00000000`0244f148 00000000`10000010
00000000`0244f150 00000000`00250230
00000000`0244f158 00000000`00000000
00000000`0244f160 00000000`00250498
00000000`0244f168 00000000`0025026c
00000000`0244f170 00000000`002f9b00
00000000`0244f178 00000000`002551a0
00000000`0244f180 00000000`00000022
00000000`0244f188 00000000`76fd88b8 user32!GetPropW+0x4d
00000000`0244f190 00000000`00002974
00000000`0244f198 00000000`76fd88b8 user32!GetPropW+0x4d
00000000`0244f1a0 00000000`00250230
00000000`0244f1a8 00000000`76fd7931 user32!IsWindow+0x9
00000000`0244f1b0 00000000`002ed6d0
00000000`0244f1b8 00000000`76fd7931 user32!IsWindow+0x9
00000000`0244f1c0 00000000`00000000
00000000`0244f1c8 00000000`01c0c8d0
00000000`0244f1d0 00000000`01c0c8a0
00000000`0244f1d8 00000000`00000000
00000000`0244f1e0 00000000`00000008
00000000`0244f1e8 00000000`01bd0000
00000000`0244f1f0 00000000`00000000
00000000`0244f1f8 00000000`770f41c8 ntdll!RtlpReAllocateHeap+0x178
00000000`0244f200 00000000`00000002
00000000`0244f208 00000000`00000002
00000000`0244f210 00000000`00000000
00000000`0244f218 000007fe`4f00024d
00000000`0244f220 00000000`00000000
00000000`0244f228 000007fe`fb601381 uxtheme!CThemeWnd::_PreDefWindowProc+0x31
00000000`0244f230 00000000`00000082
00000000`0244f238 00000000`00000000
00000000`0244f240 00000000`7a337100
00000000`0244f248 00000000`01c0c8c0
00000000`0244f250 00000000`00000003
00000000`0244f258 00000000`76eb59e0 kernel32!BaseThreadInitThunk
00000000`0244f260 00000000`ffdbdb32 calc!CTimedCalc::Start+0xa9
00000000`0244f268 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244f270 00000000`ffe0ac64 calc!_dyn_tls_init_callback <PERF> (calc+0x7ac64)
00000000`0244f278 00000000`76ea0000 kernel32!TestResourceDataMatchEntry <PERF> (kernel32+0x0)
00000000`0244f280 00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0)
00000000`0244f288 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`0244f290 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`0244f298 00000000`76fd760e user32!RealDefWindowProcW+0x5a
00000000`0244f2a0 00000000`00000001
00000000`0244f2a8 000007fe`fb600037 uxtheme!operator delete <PERF> (uxtheme+0x37)
00000000`0244f2b0 00000000`01bd0158
00000000`0244f2b8 00000000`00000082
00000000`0244f2c0 00000000`00000000
00000000`0244f2c8 00000000`00000003
00000000`0244f2d0 00000000`000111f2
00000000`0244f2d8 00000000`00000054
00000000`0244f2e0 00000000`00000000
00000000`0244f2e8 00000000`00000000
00000000`0244f2f0 00000000`00000001
00000000`0244f2f8 00000000`01c11c60
00000000`0244f300 00000000`0244f462
00000000`0244f308 00000000`01bd0230
00000000`0244f310 00000000`00000000
00000000`0244f318 00000000`00000000
00000000`0244f320 00000000`00000000
00000000`0244f328 00000000`14010015
00000000`0244f330 00000000`01c11570
00000000`0244f338 00000000`00000000
00000000`0244f340 00000000`00000000
00000000`0244f348 00000000`00000000
00000000`0244f350 00000000`00009c40
00000000`0244f358 00000000`00000000
00000000`0244f360 00000000`00000000
00000000`0244f368 00000000`00000000
00000000`0244f370 00000000`00002710
00000000`0244f378 00000000`77111248 ntdll!KiUserExceptionDispatch+0x2e
00000000`0244f380 00000000`0244f870
00000000`0244f388 00000000`0244f380
00000000`0244f390 00000000`00000000
00000000`0244f398 00000000`00000000
00000000`0244f3a0 000007fe`fb63fb40 uxtheme!$$VProc_ImageExportDirectory
00000000`0244f3a8 00000000`00000ad5
00000000`0244f3b0 00001f80`0010005f
00000000`0244f3b8 0053002b`002b0033
00000000`0244f3c0 00010246`002b002b
00000000`0244f3c8 00000000`00000000
00000000`0244f3d0 00000000`00000000
00000000`0244f3d8 00000000`00000000
00000000`0244f3e0 00000000`00000000
00000000`0244f3e8 00000000`00000000
00000000`0244f3f0 00000000`00000000
00000000`0244f3f8 00000000`0012c770
00000000`0244f400 00000000`00000000
00000000`0244f408 00000000`00000000
00000000`0244f410 00000000`00002710
00000000`0244f418 00000000`0244fab0
00000000`0244f420 00000000`00000000
00000000`0244f428 00000000`00000000
00000000`0244f430 00000000`00000000
00000000`0244f438 00000000`0244f938
00000000`0244f440 00000000`00962210
00000000`0244f448 00000000`00000000
00000000`0244f450 00000000`0244f9a0
00000000`0244f458 00000000`00009c40
00000000`0244f460 00000000`00000000
00000000`0244f468 00000000`00000000
00000000`0244f470 00000000`00000000
00000000`0244f478 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244f480 00000000`0000027f
00000000`0244f488 00000000`00000000
00000000`0244f490 00000000`00000000
00000000`0244f498 0000ffff`00001f80
00000000`0244f4a0 00000000`00000000
00000000`0244f4a8 00000000`00000000
00000000`0244f4b0 00000000`00000000
00000000`0244f4b8 00000000`00000000
00000000`0244f4c0 00000000`00000000
00000000`0244f4c8 00000000`00000000
00000000`0244f4d0 00000000`00000000
00000000`0244f4d8 00000000`00000000
00000000`0244f4e0 00000000`00000000
00000000`0244f4e8 00000000`00000000
00000000`0244f4f0 00000000`00000000
00000000`0244f4f8 00000000`00000000
00000000`0244f500 00000000`00000000
00000000`0244f508 00000000`00000000
00000000`0244f510 00000000`00000000
00000000`0244f518 00000000`00000000
00000000`0244f520 00000000`00000000
00000000`0244f528 00000000`00000000
00000000`0244f530 00000000`00000000
00000000`0244f538 00000000`00000000
00000000`0244f540 00000000`00000000
00000000`0244f548 00000000`00000000
00000000`0244f550 00000000`00000000
00000000`0244f558 00000000`00000000
00000000`0244f560 00000000`00000000
00000000`0244f568 00000000`00000000
00000000`0244f570 00000000`00000000
00000000`0244f578 00000000`00000000
00000000`0244f580 00000000`00000000
00000000`0244f588 00000000`00000000
00000000`0244f590 00000000`00000000
00000000`0244f598 00000000`00000000
00000000`0244f5a0 00000000`00000000
00000000`0244f5a8 00000000`00000000
00000000`0244f5b0 00000000`00000000
00000000`0244f5b8 00000000`00000000
00000000`0244f5c0 00000000`00000000
00000000`0244f5c8 00000000`00000000
00000000`0244f5d0 00000000`00000000
00000000`0244f5d8 00000000`00000000
00000000`0244f5e0 00000000`00000000
00000000`0244f5e8 00000000`00000000
00000000`0244f5f0 00000000`00000000
00000000`0244f5f8 00000000`00000000
00000000`0244f600 00000000`00000000
00000000`0244f608 00000000`00000000
00000000`0244f610 00000000`00000000
00000000`0244f618 00000000`00000000
00000000`0244f620 00000000`00000000
00000000`0244f628 00000000`00000000
00000000`0244f630 00000000`00000000
00000000`0244f638 00000000`00000000
00000000`0244f640 00000000`00000000
00000000`0244f648 00000000`00000000
00000000`0244f650 00000000`00000000
00000000`0244f658 00000000`00000000
00000000`0244f660 00000000`00000000
00000000`0244f668 fffff800`032d5e53
00000000`0244f670 00000000`00000002
00000000`0244f678 00000000`00000000
00000000`0244f680 00000000`01c11580
00000000`0244f688 00000000`00000082
00000000`0244f690 00000000`00000082
00000000`0244f698 00000000`000111e4
00000000`0244f6a0 00000000`00000002
00000000`0244f6a8 00000000`0244f6f0
00000000`0244f6b0 00000000`00000002
00000000`0244f6b8 00000000`00000000
00000000`0244f6c0 00000000`000111e4
00000000`0244f6c8 00000000`00000000
00000000`0244f6d0 00000000`00000082
00000000`0244f6d8 00000000`00000000
00000000`0244f6e0 00000000`00000000
00000000`0244f6e8 00000000`76fe76c2 user32!DefDlgProcW+0x36
00000000`0244f6f0 00000000`00000000
00000000`0244f6f8 00000000`00000000
00000000`0244f700 00000000`000111e4
00000000`0244f708 00000000`00000000
00000000`0244f710 00000000`00000082
00000000`0244f718 00000000`00000000
00000000`0244f720 00000000`0244f908
00000000`0244f728 00000000`76fd9bef user32!UserCallWinProcCheckWow+0x1cb
00000000`0244f730 00000000`00962210
00000000`0244f738 00000000`00000001
00000000`0244f740 00000000`00000000
00000000`0244f748 00000000`00000000
00000000`0244f750 00000000`0244f768
00000000`0244f758 00000000`0244f778
00000000`0244f760 00000000`00000001
00000000`0244f768 00000000`00000000
00000000`0244f770 00000000`00000000
00000000`0244f778 00000000`00000000
00000000`0244f780 00000000`00000048
00000000`0244f788 00000000`00000001
00000000`0244f790 00000000`00000000
00000000`0244f798 00000000`00000000
00000000`0244f7a0 00000000`00000070
00000000`0244f7a8 ffffffff`ffffffff
00000000`0244f7b0 ffffffff`ffffffff
00000000`0244f7b8 00000000`76fd9b43 user32!UserCallWinProcCheckWow+0x99
00000000`0244f7c0 00000000`76fd9bef user32!UserCallWinProcCheckWow+0x1cb
00000000`0244f7c8 00000000`00000000
00000000`0244f7d0 00000000`00000000
00000000`0244f7d8 00000000`00000000
00000000`0244f7e0 00000000`00000000
00000000`0244f7e8 00000000`76fd72cb user32!DispatchClientMessage+0xc3
00000000`0244f7f0 00000000`00000000
00000000`0244f7f8 00000000`770e46b4 ntdll!NtdllDialogWndProc_W
00000000`0244f800 00000000`00000000
00000000`0244f808 00000000`00000000
00000000`0244f810 00000000`00000000
00000000`0244f818 00000000`00000000
00000000`0244f820 00000000`00962238
00000000`0244f828 00000000`00000001
00000000`0244f830 00000000`00000000
00000000`0244f838 00000000`00000000
00000000`0244f840 00000000`00000000
00000000`0244f848 00000000`00000000
00000000`0244f850 00000730`fffffb30
00000000`0244f858 000004d0`fffffb30
00000000`0244f860 00000170`000000f0
00000000`0244f868 0000002c`00000001
00000000`0244f870 00000000`c0000005
00000000`0244f878 00000000`00000000
00000000`0244f880 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244f888 00000000`00000002
00000000`0244f890 00000000`00000000
00000000`0244f898 00000000`00000000
00000000`0244f8a0 00000000`00000000
00000000`0244f8a8 00000000`00000000
00000000`0244f8b0 00000000`00000000
00000000`0244f8b8 00000000`00000000
00000000`0244f8c0 00000000`00000000
00000000`0244f8c8 00000000`00000000
00000000`0244f8d0 00000000`00000000
00000000`0244f8d8 00000000`00000000
00000000`0244f8e0 00000000`00000000
00000000`0244f8e8 00000000`00000000
00000000`0244f8f0 00000000`00000000
00000000`0244f8f8 00000000`00000000
00000000`0244f900 00000000`00000000
00000000`0244f908 00000000`00962210
00000000`0244f910 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244f918 00000000`00000000
00000000`0244f920 00000000`00000000
00000000`0244f928 00000000`0244fab0
00000000`0244f930 00000000`77101530 ntdll!NtdllDispatchMessage_W
00000000`0244f938 00000000`76fe505b user32!DialogBox2+0x2ec
00000000`0244f940 00000000`00000000
00000000`0244f948 00000000`00000000
00000000`0244f950 00000000`00000000
00000000`0244f958 00000000`00000000
00000000`0244f960 00000000`00000000
00000000`0244f968 00000000`00000000
00000000`0244f970 00000000`00000000
00000000`0244f978 00000000`00000000
00000000`0244f980 00000000`00000002
00000000`0244f988 00000000`000111f0
00000000`0244f990 00000271`0f689359
00000000`0244f998 00000000`00000030
00000000`0244f9a0 00000000`00000000
00000000`0244f9a8 00000000`00000000
00000000`0244f9b0 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244f9b8 00000000`001a17e0
00000000`0244f9c0 00000000`00000000
00000000`0244f9c8 00000000`76fe4edd user32!InternalDialogBox+0x135
00000000`0244f9d0 00000000`00000000
00000000`0244f9d8 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244f9e0 00000000`00000000
00000000`0244f9e8 00000000`00000000
00000000`0244f9f0 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244f9f8 00000000`00000000
00000000`0244fa00 00000000`00000001
00000000`0244fa08 00000000`00000000
00000000`0244fa10 00000000`00000000
00000000`0244fa18 00000000`00009c40
00000000`0244fa20 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244fa28 00000000`76fe4f52 user32!DialogBoxIndirectParamAorW+0x58
00000000`0244fa30 00000000`001a17e0
00000000`0244fa38 00000000`00000000
00000000`0244fa40 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244fa48 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244fa50 00000000`00000000
00000000`0244fa58 00000000`00000001
00000000`0244fa60 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244fa68 00000000`76fdd476 user32!DialogBoxParamW+0x66
00000000`0244fa70 ffffffff`ffffffff
00000000`0244fa78 00000000`00000000
00000000`0244fa80 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244fa88 00000000`00000000
00000000`0244fa90 00000000`00000000
00000000`0244fa98 00000000`00000000
00000000`0244faa0 00000000`00000000
00000000`0244faa8 00000000`ffdbdafa calc!CTimedCalc::WatchDogThread+0x72
00000000`0244fab0 00000000`00002710

Segment registers and flags look normal now:

0:003> .cxr 00000000`0244f380
rax=000000000012c770 rbx=0000000000002710 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=00000000ffdbdb27 rsp=000000000244fab0 rbp=0000000000000000
r8=000000000244f938 r9=0000000000962210 r10=0000000000000000
r11=000000000244f9a0 r12=0000000000009c40 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
calc!CTimedCalc::WatchDogThread+0xb2:
00000000`ffdbdb27 488b01 mov rax,qword ptr [rcx] ds:00000000`00000000=????????????????

0:003> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd
00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
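
One way to reduce a raw dps listing like the one above to its symbolic Execution Residue and a Rough Stack Trace, as an added example that is not code from the original post. The names Slot, parse_dps, classify and rough_trace, and the offset-based classification heuristic, are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

class Slot(NamedTuple):
    addr: int               # stack address of the slot
    value: int              # 64-bit value stored in it
    name: str               # module!symbol as printed by the debugger
    offset: Optional[int]   # None when the value is exactly the symbol address
    perf: bool              # debugger appended <PERF> to the symbol

LINE = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})"
                  r"(?:\s+([^!\s]+![^\s+]+)(?:\+0x([0-9a-f]+))?)?", re.I)

def parse_dps(text):
    """Return the symbol-bearing slots of a dps listing, in listing order."""
    slots = []
    for raw in text.splitlines():
        # Undo the web-rendered "0×" before matching the hexadecimal offset.
        m = LINE.match(raw.strip().replace("0\u00d7", "0x"))
        if not m or not m.group(3):
            continue  # zero or data-only slot, or not a dump line
        addr, value = (int(g.replace("`", ""), 16) for g in m.group(1, 2))
        off = int(m.group(4), 16) if m.group(4) else None
        slots.append(Slot(addr, value, m.group(3), off, "<PERF>" in raw))
    return slots

def classify(slot):
    """Heuristic (assumption): a return address follows a call, so offset > 0."""
    if slot.perf:
        return "unreliable"   # nearest symbol flagged by the debugger
    return "return?" if slot.offset else "pointer"

def rough_trace(slots):
    """Candidate return addresses only, in stack order (callee side first)."""
    return [f"{s.name}+0x{s.offset:x}" for s in slots if classify(s) == "return?"]

# Lines taken from the listing above; the first keeps the web-rendered '×'.
SAMPLE = """\
00000000`0244f9c8 00000000`76fe4edd user32!InternalDialogBox+0×135
00000000`0244f9d8 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244fa20 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244fa28 00000000`76fe4f52 user32!DialogBoxIndirectParamAorW+0x58
00000000`0244fa68 00000000`76fdd476 user32!DialogBoxParamW+0x66
00000000`0244faa8 00000000`ffdbdafa calc!CTimedCalc::WatchDogThread+0x72
00000000`0244fab0 00000000`00002710
"""

if __name__ == "__main__":
    for s in parse_dps(SAMPLE):
        print(f"{s.addr:016x} {classify(s):<10} {s.name}")
```

Slots classified as "return?" are only candidates: stale values left by earlier calls look the same, so the result is a rough trace to compare against the k output, not a replacement for it.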

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -