Archive for the ‘Reading Notebook’ Category

Reading Notebook: 17-May-2012

Friday, May 18th, 2012

Comments in italics are mine and express my own views, thoughts and opinions

Mac OS X Internals by A. Singh:

kextstat command (p. 49) - here’s the output from my system:

MacBook-Air:~ DumpAnalysis$ kextstat
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
1   78 0xffffff7f80739000 0x683c     0x683c     com.apple.kpi.bsd (11.3.0)
2    6 0xffffff7f807de000 0x3d0      0x3d0      com.apple.kpi.dsep (11.3.0)
3  104 0xffffff7f80744000 0x1b9d8    0x1b9d8    com.apple.kpi.iokit (11.3.0)
4  109 0xffffff7f8072f000 0x9b54     0x9b54     com.apple.kpi.libkern (11.3.0)
5   93 0xffffff7f80740000 0x88c      0x88c      com.apple.kpi.mach (11.3.0)
6   37 0xffffff7f80760000 0x4938     0x4938     com.apple.kpi.private (11.3.0)
7   53 0xffffff7f80741000 0x22a0     0x22a0     com.apple.kpi.unsupported (11.3.0)
8   19 0xffffff7f80bc6000 0x7000     0x7000     com.apple.iokit.IOACPIFamily (1.4) <7 6 4 3>
9   27 0xffffff7f80765000 0x1e000    0x1e000    com.apple.iokit.IOPCIFamily (2.6.8) <7 6 5 4 3>
10    2 0xffffff7f81ba4000 0x58000    0x58000    com.apple.driver.AppleACPIPlatform (1.4) <9 8 7 6 5 4 3 1>
11    1 0xffffff7f809cc000 0xc000     0xc000     com.apple.driver.AppleKeyStore (28.18) <7 6 5 4 3 1>
12    9 0xffffff7f807e2000 0x25000    0x25000    com.apple.iokit.IOStorageFamily (1.7) <7 6 5 4 3 1>
13    0 0xffffff7f80c4c000 0x19000    0x19000    com.apple.driver.DiskImages (331.3) <12 7 6 5 4 3 1>
14    0 0xffffff7f818e6000 0x2a000    0x2a000    com.apple.driver.AppleIntelCPUPowerManagement (167.3.0) <7 6 5 4 3 1>
15    0 0xffffff7f807df000 0x3000     0x3000     com.apple.security.TMSafetyNet (7) <7 6 5 4 2 1>
16    2 0xffffff7f80846000 0x4000     0x4000     com.apple.kext.AppleMatch (1.0.0d1) <4 1>
17    1 0xffffff7f8084a000 0x11000    0x11000    com.apple.security.sandbox (177.3) <16 7 6 5 4 3 2 1>
18    0 0xffffff7f8085b000 0x5000     0x5000     com.apple.security.quarantine (1.1) <17 16 7 6 5 4 2 1>
19    0 0xffffff7f81c0b000 0x8000     0x8000     com.apple.nke.applicationfirewall (3.2.30) <7 6 5 4 3 1>
20    0 0xffffff7f818e2000 0x3000     0x3000     com.apple.driver.AppleIntelCPUPowerManagementClient (167.3.0) <7 6 5 4 3 1>
21    0 0xffffff7f81b81000 0x3000     0x3000     com.apple.driver.AppleAPIC (1.5) <4 3>
22    3 0xffffff7f80b62000 0x4000     0x4000     com.apple.iokit.IOSMBusFamily (1.1) <5 4 3>
23    0 0xffffff7f81bfc000 0x7000     0x7000     com.apple.driver.AppleACPIEC (1.4) <22 10 8 5 4 3>
24    0 0xffffff7f816da000 0x4000     0x4000     com.apple.driver.AppleSMBIOS (1.7) <7 4 3>
25    0 0xffffff7f81918000 0x3000     0x3000     com.apple.driver.AppleHPET (1.6) <8 7 5 4 3>
26    0 0xffffff7f816ff000 0x7000     0x7000     com.apple.driver.AppleRTC (1.4) <8 5 4 3 1>
27    6 0xffffff7f809d8000 0x6b000    0x6b000    com.apple.iokit.IOHIDFamily (1.7.1) <11 7 6 5 4 3 2 1>
28    0 0xffffff7f81c05000 0x4000     0x4000     com.apple.driver.AppleACPIButtons (1.4) <27 10 8 7 6 5 4 3 1>
29    1 0xffffff7f81b57000 0x4000     0x4000     com.apple.driver.AppleEFIRuntime (1.5.0) <7 6 5 4 3>
30   13 0xffffff7f80783000 0x4f000    0x4f000    com.apple.iokit.IOUSBFamily (4.5.8) <9 7 5 4 3 1>
32    0 0xffffff7f80a8e000 0x17000    0x17000    com.apple.driver.AppleUSBEHCI (4.5.8) <30 9 7 5 4 3 1>
33    2 0xffffff7f80dc8000 0xa000     0xa000     com.apple.iokit.IOAHCIFamily (2.0.7) <5 4 3 1>
34    0 0xffffff7f81b85000 0x18000    0x18000    com.apple.driver.AppleAHCIPort (2.2.0) <33 9 5 4 3 1>
35    0 0xffffff7f816df000 0x8000     0x8000     com.apple.driver.AppleSmartBatteryManager (161.0.0) <22 8 5 4 3 1>
36    0 0xffffff7f81b5b000 0x7000     0x7000     com.apple.driver.AppleEFINVRAM (1.5.0) <29 7 5 4 3>
37    5 0xffffff7f80986000 0x29000    0x29000    com.apple.iokit.IONetworkingFamily (2.0) <7 6 5 4 3 1>
38    1 0xffffff7f80dfb000 0x38000    0x38000    com.apple.iokit.IO80211Family (412.2) <37 7 5 4 3 1>
39    0 0xffffff7f80e33000 0x1e0000   0x1e0000   com.apple.driver.AirPort.Brcm4331 (513.20.19) <38 37 9 7 5 4 3 1>
40    0 0xffffff7f809c9000 0x3000     0x3000     com.apple.iokit.IOUSBUserClient (4.5.8) <30 7 5 4 3 1>
41    0 0xffffff7f80a79000 0x11000    0x11000    com.apple.driver.AppleUSBHub (4.5.0) <30 5 4 3 1>
42    4 0xffffff7f80ab2000 0x9e000    0x9e000    com.apple.iokit.IOThunderboltFamily (1.7.4) <5 4 3 1>
43    0 0xffffff7f8163e000 0x12000    0x12000    com.apple.driver.AppleThunderboltNHI (1.3.2) <42 9 8 5 4 3 1>
44    0 0xffffff7f80dde000 0x15000    0x15000    com.apple.iokit.IOAHCIBlockStorage (2.0.1) <33 12 5 4 3 1>
45    0 0xffffff7f815b2000 0x4000     0x4000     com.apple.driver.XsanFilter (403) <12 5 4 3 1>
46    0 0xffffff7f81342000 0x9000     0x9000     com.apple.BootCache (33) <7 6 5 4 3 1>
47    0 0xffffff7f81b46000 0x5000     0x5000     com.apple.AppleFSCompression.AppleFSCompressionTypeZlib (1.0.0d1) <6 4 3 2 1>
48    0 0xffffff7f81b4d000 0x5000     0x5000     com.apple.AppleFSCompression.AppleFSCompressionTypeDataless (1.0.0d1) <7 6 4 3 2 1>
49    1 0xffffff7f807d2000 0x6000     0x6000     com.apple.driver.AppleUSBComposite (4.5.8) <30 4 3 1>
50    0 0xffffff7f807d8000 0x6000     0x6000     com.apple.driver.AppleUSBMergeNub (4.5.3) <49 30 4 3 1>
51    3 0xffffff7f80a43000 0x8000     0x8000     com.apple.iokit.IOUSBHIDDriver (4.4.5) <30 27 5 4 3 1>
52    0 0xffffff7f815de000 0x4000     0x4000     com.apple.driver.AppleUSBTCKeyboard (225.2) <51 30 27 7 6 5 4 3 1>
55    2 0xffffff7f80cc1000 0x76000    0x76000    com.apple.iokit.IOBluetoothFamily (4.0.3f12) <7 5 4 3 1>
56    1 0xffffff7f80d57000 0xe000     0xe000     com.apple.driver.AppleUSBBluetoothHCIController (4.0.3f12) <55 30 7 5 4 3>
57    0 0xffffff7f80d6d000 0x9000     0x9000     com.apple.driver.BroadcomUSBBluetoothHCIController (4.0.3f12) <56 55 30 5 4 3>
58    0 0xffffff7f81632000 0x4000     0x4000     com.apple.driver.AppleThunderboltPCIDownAdapter (1.2.1) <42 9 4 3>
59    0 0xffffff7f815e7000 0x13000    0x13000    com.apple.driver.AppleUSBMultitouch (227.1) <51 30 27 6 5 4 3 1>
60    1 0xffffff7f81650000 0x8000     0x8000     com.apple.driver.AppleThunderboltDPAdapterFamily (1.5.9) <42 9 8 5 4 3>
61    0 0xffffff7f81658000 0x4000     0x4000     com.apple.driver.AppleThunderboltDPInAdapter (1.5.9) <60 42 9 8 5 4 3>
62    0 0xffffff7f815e3000 0x3000     0x3000     com.apple.driver.AppleUSBTCButtons (225.2) <51 30 27 7 6 5 4 3 1>
64    3 0xffffff7f80861000 0x2b000    0x2b000    com.apple.iokit.IOSCSIArchitectureModelFamily (3.0.3) <5 4 3 1>
65    1 0xffffff7f809b8000 0x11000    0x11000    com.apple.iokit.IOUSBMassStorageClass (3.0.1) <64 30 12 5 4 3 1>
67   14 0xffffff7f80c02000 0x38000    0x38000    com.apple.iokit.IOGraphicsFamily (2.3.2) <9 7 5 4 3>
68    0 0xffffff7f817a8000 0x3a000    0x3a000    com.apple.driver.AppleIntelSNBGraphicsFB (7.1.8) <67 9 8 7 6 5 4 3 1>
72    7 0xffffff7f80c3a000 0x12000    0x12000    com.apple.iokit.IONDRVSupport (2.3.2) <67 9 7 5 4 3>
73    1 0xffffff7f81b1c000 0x3000     0x3000     com.apple.driver.AppleBacklightExpert (1.0.3) <72 67 9 5 4 3>
74    0 0xffffff7f81b71000 0x5000     0x5000     com.apple.driver.AppleBacklight (170.1.9) <73 72 67 9 5 4 3>
75    1 0xffffff7f81b0a000 0x3000     0x3000     com.apple.driver.AppleGraphicsControl (3.0.16) <72 67 9 8 7 5 4 3 1>
77    0 0xffffff7f8179b000 0x3000     0x3000     com.apple.driver.AppleLPC (1.5.3) <9 5 4 3>
78    0 0xffffff7f816c9000 0x3000     0x3000     com.apple.driver.AppleSMBusPCI (1.0.10d0) <9 5 4 3>
79    1 0xffffff7f80bcd000 0x13000    0x13000    com.apple.driver.IOPlatformPluginFamily (4.7.5d4) <8 7 6 5 4 3>
80    3 0xffffff7f80be0000 0xc000     0xc000     com.apple.driver.AppleSMC (3.1.1d8) <8 7 5 4 3>
81    0 0xffffff7f80bec000 0x11000    0x11000    com.apple.driver.ACPI_SMC_PlatformPlugin (4.7.5d4) <80 79 9 8 7 6 5 4 3>
82    0 0xffffff7f81b0d000 0xf000     0xf000     com.apple.driver.ApplePolicyControl (3.0.16) <75 72 67 9 8 7 5 4 3 1>
83    2 0xffffff7f8135c000 0x6000     0x6000     com.apple.kext.OSvKernDSPLib (1.3) <5 4>
84    4 0xffffff7f81362000 0x2a000    0x2a000    com.apple.iokit.IOAudioFamily (1.8.6fc6) <83 5 4 3 1>
85    0 0xffffff7f8138c000 0x4000     0x4000     com.apple.driver.AudioIPCDriver (1.2.2) <84 5 4 3 1>
86    0 0xffffff7f812a6000 0x5000     0x5000     com.apple.Dont_Steal_Mac_OS_X (7.0.0) <80 7 4 3 1>
87    2 0xffffff7f81931000 0xc000     0xc000     com.apple.iokit.IOHDAFamily (2.1.7f9) <5 4 3 1>
88    1 0xffffff7f8196c000 0x1a000    0x1a000    com.apple.driver.AppleHDAController (2.1.7f9) <87 67 9 6 5 4 3 1>
89    1 0xffffff7f80d76000 0x5000     0x5000     com.apple.iokit.IOEthernetAVBController (1.0.0d5) <37 5 4 3 1>
90    0 0xffffff7f80d7b000 0x9000     0x9000     com.apple.iokit.IOAVBFamily (1.0.0d22) <89 37 5 4 3 1>
91    1 0xffffff7f80b66000 0xe000     0xe000     com.apple.iokit.IOSerialFamily (10.0.5) <7 6 5 4 3 1>
92    0 0xffffff7f80d49000 0xe000     0xe000     com.apple.iokit.IOBluetoothSerialManager (4.0.3f12) <91 7 5 4 3 1>
93    0 0xffffff7f816c2000 0x5000     0x5000     com.apple.driver.AppleSMCLMU (2.0.1d2) <80 67 5 4 3>
94    0 0xffffff7f80b50000 0x12000    0x12000    com.apple.iokit.IOSurface (80.0) <7 5 4 3 1>
95    0 0xffffff7f809af000 0x6000     0x6000     com.apple.iokit.IOUserEthernet (1.0.0d1) <37 6 5 4 3 1>
96    0 0xffffff7f817e2000 0xe1000    0xe1000    com.apple.driver.AppleIntelHD3000Graphics (7.1.8) <72 67 9 7 5 4 3 1>
97    1 0xffffff7f816cc000 0xe000     0xe000     com.apple.driver.AppleSMBusController (1.0.10d0) <22 9 8 5 4 3>
98    0 0xffffff7f81afb000 0xb000     0xb000     com.apple.driver.AGPM (100.12.42) <72 67 9 5 4 3>
100    0 0xffffff7f8174b000 0x4000     0x4000     com.apple.driver.ApplePlatformEnabler (2.0.4d2) <7 5 4 3>
101    0 0xffffff7f81392000 0x5000     0x5000     com.apple.driver.AudioAUUC (1.59) <84 67 9 8 7 5 4 3 1>
102    0 0xffffff7f81b77000 0xa000     0xa000     com.apple.driver.AppleAVBAudio (1.0.0d11) <5 4 3 1>
103    0 0xffffff7f8176c000 0xa000     0xa000     com.apple.driver.AppleMCCSControl (1.0.26) <67 9 7 5 4 3 1>
104    0 0xffffff7f81601000 0x5000     0x5000     com.apple.driver.AppleUpstreamUserClient (3.5.9) <67 9 8 7 5 4 3 1>
105    0 0xffffff7f8193d000 0x22000    0x22000    com.apple.driver.AppleMikeyDriver (2.1.7f9) <97 8 5 4 3 1>
106    1 0xffffff7f81986000 0xa4000    0xa4000    com.apple.driver.DspFuncLib (2.1.7f9) <84 83 5 4 3 1>
107    0 0xffffff7f81a2a000 0xaf000    0xaf000    com.apple.driver.AppleHDA (2.1.7f9) <106 88 87 84 72 67 6 5 4 3 1>
109    0 0xffffff7f81761000 0x3000     0x3000     com.apple.driver.AppleMikeyHIDDriver (122) <27 7 4 3 1>
110    1 0xffffff7f8134c000 0x5000     0x5000     com.apple.kext.triggers (1.0) <7 6 5 4 3 1>
111    0 0xffffff7f81351000 0x9000     0x9000     com.apple.filesystems.autofs (3.0) <110 7 6 5 4 3 1>
116    3 0xffffff7f80b8a000 0xd000     0xd000     com.apple.iokit.IOCDStorageFamily (1.7) <12 5 4 3 1>
117    2 0xffffff7f80b97000 0xb000     0xb000     com.apple.iokit.IODVDStorageFamily (1.7) <116 12 5 4 3 1>
118    1 0xffffff7f80ba2000 0xa000     0xa000     com.apple.iokit.IOBDStorageFamily (1.6) <117 116 12 5 4 3 1>
119    0 0xffffff7f80bac000 0x1a000    0x1a000    com.apple.iokit.IOSCSIMultimediaCommandsDevice (3.0.3) <118 117 116 64 12 5 4 3 1>
121    0 0xffffff7f81911000 0x5000     0x5000     com.apple.driver.AppleHWSensor (1.9.4d0) <5 4 3>
122    7 0xffffff7f81c20000 0x46000    0x46000    com.apple.iokit.AppleProfileFamily (85.2) <9 7 6 5 4 3 1>
123    0 0xffffff7f81c66000 0x7000     0x7000     com.apple.driver.AppleIntelProfile (85.2) <122 6 4 3>
124    0 0xffffff7f81c6f000 0x4000     0x4000     com.apple.driver.AppleProfileCallstackAction (85.2) <122 6 5 4 3 1>
125    0 0xffffff7f81c73000 0x3000     0x3000     com.apple.driver.AppleProfileKEventAction (85.2) <122 4 3 1>
126    0 0xffffff7f81c76000 0x4000     0x4000     com.apple.driver.AppleProfileReadCounterAction (85.2) <122 6 4 3>
127    0 0xffffff7f81c7a000 0x3000     0x3000     com.apple.driver.AppleProfileRegisterStateAction (85.2) <122 4 3 1>
128    0 0xffffff7f81c7d000 0x4000     0x4000     com.apple.driver.AppleProfileThreadInfoAction (85.2) <122 6 4 3 1>
129    0 0xffffff7f81c81000 0x4000     0x4000     com.apple.driver.AppleProfileTimestampAction (85.2) <122 5 4 3 1>
130    0 0xffffff7f80807000 0xc000     0xc000     com.apple.nke.ppp (1.7) <7 6 5 4 3 1>
313    0 0xffffff7f808ff000 0x2000     0x2000     com.apple.driver.AppleUSBODD (3.0.1) <65 64 30 12 5 4 3 1>
315    0 0xffffff7f8147b000 0x35000    0x35000    com.apple.filesystems.udf (2.2) <7 5 4 1>
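As an added example (not from the book or from this blog post), here is a small Python parser for the kextstat format shown above. It resolves the `<Linked Against>` index lists back to bundle identifiers, lists extensions outside the `com.apple.*` namespace and any non-Apple extension that links against `com.apple.kpi.private` or `com.apple.kpi.unsupported`, and maps a kernel address back to the kext whose `[Address, Address+Size)` range holds it, which is what you need when reading a panic backtrace. The input is an excerpt of the listing above; index 2 (`com.apple.kpi.dsep`) is left out on purpose so the unresolved-dependency path is exercised, and `org.example.filter.Demo` is a constructed line standing in for a third-party kext, not a real one.

```python
"""Parse `kextstat` output and triage the loaded kernel extensions.

Added example (not from the book or the blog post): resolves the <Linked Against>
index lists back to bundle identifiers, lists extensions outside the com.apple.*
namespace and those that link against the private/unsupported KPIs, and maps a
kernel address back to the kext whose image contains it.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the listing above. Index 2 (com.apple.kpi.dsep) is deliberately left
# out so an unresolved dependency shows up; org.example.filter.Demo is a constructed
# line standing in for a third-party kext.
SAMPLE = """\
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   78 0xffffff7f80739000 0x683c     0x683c     com.apple.kpi.bsd (11.3.0)
    3  104 0xffffff7f80744000 0x1b9d8    0x1b9d8    com.apple.kpi.iokit (11.3.0)
    4  109 0xffffff7f8072f000 0x9b54     0x9b54     com.apple.kpi.libkern (11.3.0)
    5   93 0xffffff7f80740000 0x88c      0x88c      com.apple.kpi.mach (11.3.0)
    6   37 0xffffff7f80760000 0x4938     0x4938     com.apple.kpi.private (11.3.0)
    7   53 0xffffff7f80741000 0x22a0     0x22a0     com.apple.kpi.unsupported (11.3.0)
   16    2 0xffffff7f80846000 0x4000     0x4000     com.apple.kext.AppleMatch (1.0.0d1) <4 1>
   17    1 0xffffff7f8084a000 0x11000    0x11000    com.apple.security.sandbox (177.3) <16 7 6 5 4 3 2 1>
  140    0 0xffffff7f81d00000 0x6000     0x6000     org.example.filter.Demo (1.0) <7 6 5 4 3 1>
"""

LINE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<address>0x[0-9a-f]+)\s+"
    r"(?P<size>0x[0-9a-f]+)\s+(?P<wired>0x[0-9a-f]+)\s+(?P<name>\S+)\s+"
    r"\((?P<version>[^)]*)\)(?:\s+<(?P<linked>[\d ]*)>)?\s*$")

# KPIs Apple does not support for third-party use; a non-Apple kext linking
# against them deserves a closer look.
RESTRICTED_KPIS = {"com.apple.kpi.private", "com.apple.kpi.unsupported"}

@dataclass
class Kext:
    index: int
    refs: int
    address: int
    size: int
    wired: int
    name: str
    version: str
    linked: list = field(default_factory=list)  # indices from <Linked Against>

def parse_kextstat(text):
    """Return {index: Kext}; the header and any non-matching lines are skipped."""
    kexts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        linked = [int(i) for i in (m["linked"] or "").split()]
        k = Kext(int(m["index"]), int(m["refs"]), int(m["address"], 16), int(m["size"], 16),
                 int(m["wired"], 16), m["name"], m["version"], linked)
        kexts[k.index] = k
    return kexts

def dependencies(kexts, index):
    """(bundle ids this kext links against, linked indices missing from the listing)."""
    resolved = [kexts[i].name for i in kexts[index].linked if i in kexts]
    unresolved = [i for i in kexts[index].linked if i not in kexts]
    return resolved, unresolved

def non_apple_kexts(kexts):
    return sorted(k.name for k in kexts.values() if not k.name.startswith("com.apple."))

def restricted_kpi_users(kexts):
    """Non-Apple kexts that link against kpi.private or kpi.unsupported."""
    return sorted(k.name for k in kexts.values()
                  if not k.name.startswith("com.apple.")
                  and RESTRICTED_KPIS & set(dependencies(kexts, k.index)[0]))

def kext_containing(kexts, addr):
    """Name of the kext whose [Address, Address+Size) range holds addr, else None."""
    for k in kexts.values():
        if k.address <= addr < k.address + k.size:
            return k.name
    return None

if __name__ == "__main__":
    ks = parse_kextstat(SAMPLE)
    for k in ks.values():
        deps, missing = dependencies(ks, k.index)
        print(f"{k.index:4d} {k.name} -> {deps} missing={missing}")
    print("non-Apple:", non_apple_kexts(ks))
    print("restricted KPI users:", restricted_kpi_users(ks))
    print("0xffffff7f80846100 is in", kext_containing(ks, 0xffffff7f80846100))
```

Run it against a full `kextstat` capture and the unresolved list should be empty; a non-empty one means the capture is truncated. The non-Apple and restricted-KPI lists are the first two things worth comparing against a known-good machine.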

XNU is not a microkernel (p. 50) - the Windows Internals book makes the same point about the Windows kernel at the beginning

u-area (p. 52) - in Windows the equivalent can be TEB and PEB structures

UBC (p. 52) - looks like in Windows we have the same unification of file cache and virtual memory subsystems

Resuming Reading Notebook

Friday, April 13th, 2012

Finally the book has arrived and I plan to continue my close reading with relevant comments pointing to DumpAnalysis.org and any additional experiments if needed, for example, to cover x64 Windows (the new edition is still 32-bit oriented in WinDbg examples).

Windows Internals, Part 1: Covering Windows Server 2008 R2 and Windows 7

Reading Notebook: 04-March-11

Thursday, March 10th, 2011

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

HKLM\S\MountedDevices and basic disk volume partition offset (pp. 667 - 668)

General reparse points; symbolic links and mount points as their applications (p. 669)

Device object -> VPB, !vpb WinDbg command (p. 670) - here's the output from my x64 W2K8 system:

0: kd> dt _DEVICE_OBJECT
ntdll!_DEVICE_OBJECT
+0x000 Type             : Int2B
+0x002 Size             : Uint2B
+0x004 ReferenceCount   : Int4B
+0x008 DriverObject     : Ptr64 _DRIVER_OBJECT
+0x010 NextDevice       : Ptr64 _DEVICE_OBJECT
+0x018 AttachedDevice   : Ptr64 _DEVICE_OBJECT
+0x020 CurrentIrp       : Ptr64 _IRP
+0x028 Timer            : Ptr64 _IO_TIMER
+0x030 Flags            : Uint4B
+0x034 Characteristics  : Uint4B
+0x038 Vpb              : Ptr64 _VPB
+0x040 DeviceExtension  : Ptr64 Void
+0x048 DeviceType       : Uint4B
+0x04c StackSize        : Char
+0x050 Queue            : <unnamed-tag>
+0x098 AlignmentRequirement : Uint4B
+0x0a0 DeviceQueue      : _KDEVICE_QUEUE
+0x0c8 Dpc              : _KDPC
+0x108 ActiveThreadCount : Uint4B
+0x110 SecurityDescriptor : Ptr64 Void
+0x118 DeviceLock       : _KEVENT
+0x130 SectorSize       : Uint2B
+0x132 Spare1           : Uint2B
+0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
+0x140 Reserved         : Ptr64 Void

0: kd> dt _VPB
ntdll!_VPB
+0x000 Type             : Int2B
+0x002 Size             : Int2B
+0x004 Flags            : Uint2B
+0x006 VolumeLabelLength : Uint2B
+0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
+0x010 RealDevice       : Ptr64 _DEVICE_OBJECT
+0x018 SerialNumber     : Uint4B
+0x01c ReferenceCount   : Uint4B
+0x020 VolumeLabel      : [32] Wchar

FS -> Volume I/O (pp. 674 - 675) - we can also see driver stack from IRP I/O stack locations:

2: kd> !irp fffffa8017492b80
[...]
cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
>[  4,34]  1c e0 fffffa800dfe2060 00000000 fffff88001186f30-00000000 Success Error Cancel
\Driver\Disk  partmgr!PmReadWriteCompletion
Args: 00001000 00000000 b99a9000 00000000
[  4, 0]  1c e0 fffffa800dfe2b90 00000000 fffff88001197180-fffffa800da89e20 Success Error Cancel
\Driver\partmgr     volmgr!VmpReadWriteCompletionRoutine
Args: 148ce8c5bed 00000000 b99a9000 00000000
[  4, 0]   c e0 fffffa800da89cd0 00000000 fffff88001968150-fffffa800dfe7190 Success Error Cancel
\Driver\volmgr      volsnap!VspRefCountCompletionRoutine
Args: 00001000 00000000 148ce8c5be9 00000000
[  4, 0]   c e1 fffffa800dfe7040 00000000 fffff88001a464f4-fffff88002777a10 Success Error Cancel pending
\Driver\volsnap     Ntfs!NtfsMasterIrpSyncCompletionRoutine
Args: 00001000 00000000 b996a000 00000000
[  4, 0]   0  0 fffffa800dfed030 fffffa800da958e0 00000000-00000000
\FileSystem\Ntfs
Args: 00001000 00000000 01afc000 00000000
[...]

BitLocker architecture diagram (p.678) - parts can be seen from IRP I/O stack locations:

 kd> !irp 85e7ee00
[...]
cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
>[  3,34]  10 e0 857b9030 00000000 8353724e-00000000 Success Error Cancel
\Driver\Disk     partmgr!PmReadWriteCompletion
Args: 00001000 00000000 400d6000 00000000
[  3, 0]  10  0 857b9d18 00000000 00000000-00000000
\Driver\partmgr
Args: 6bad71d7 00000000 400d6000 00000000
[  3, 0]  10 e0 8478b5f0 00000000 835487a4-857bc2f0 Success Error Cancel
\Driver\DriverA   volmgr!VmpReadWriteCompletionRoutine
Args: 00001000 00000000 400d6000 00000000
[  3, 0]   0 e0 857bc238 00000000 872c83e2-857bfb70 Success Error Cancel
\Driver\volmgr   fvevol!FvePassThroughCompletion
Args: 00001000 00000000 6bad70ba 00000000
[  3, 0]   0 e0 857bfab8 00000000 8709807a-859a2118 Success Error Cancel
\Driver\fvevol   Ntfs!NtfsMasterIrpAsyncCompletionRoutine
Args: 00001000 00000000 40097000 00000000
[  3, 0]   0  1 857e2020 8584ca40 00000000-00000000    pending
\FileSystem\Ntfs
Args: 00001000 00000000 0329e000 00000000
[...]
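One parser serves both `!irp` listings above (the volsnap stack in the previous note and the fvevol stack here). It is an added example, not code from the book or from the blog: it reads the stack locations as WinDbg prints them (the `cmd`, `flg`, `cl`, `Device`, `File` and `Completion-Context` columns, then the driver line and the `Args` line), lists the drivers top-down, reports the location marked `>` as current, and checks that the completion routine set on each location lives in the driver one level above it, which is the rule by which the layering is read off these dumps. The embedded input is the BitLocker listing above with blank lines removed and most of the unused all-zero locations trimmed; the `IRP_MJ` name table follows the `!drvobj` dispatch table further down this page.

```python
"""Recover the driver stack from a WinDbg `!irp` listing.

Added example, not from the book or the blog: parses the stack locations
printed above, lists the drivers top-down, marks the current location and
checks that each completion routine belongs to the driver one level up.
"""
import re
from dataclasses import dataclass, field

# `!irp 85e7ee00` from the BitLocker note above, blank lines removed and four
# of the five unused (all-zero) stack locations trimmed.
SAMPLE = r"""
cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000
                  Args: 00000000 00000000 00000000 00000000
>[  3,34]  10 e0 857b9030 00000000 8353724e-00000000 Success Error Cancel
\Driver\Disk     partmgr!PmReadWriteCompletion
Args: 00001000 00000000 400d6000 00000000
[  3, 0]  10  0 857b9d18 00000000 00000000-00000000
\Driver\partmgr
Args: 6bad71d7 00000000 400d6000 00000000
[  3, 0]  10 e0 8478b5f0 00000000 835487a4-857bc2f0 Success Error Cancel
\Driver\DriverA   volmgr!VmpReadWriteCompletionRoutine
Args: 00001000 00000000 400d6000 00000000
[  3, 0]   0 e0 857bc238 00000000 872c83e2-857bfb70 Success Error Cancel
\Driver\volmgr   fvevol!FvePassThroughCompletion
Args: 00001000 00000000 6bad70ba 00000000
[  3, 0]   0 e0 857bfab8 00000000 8709807a-859a2118 Success Error Cancel
\Driver\fvevol   Ntfs!NtfsMasterIrpAsyncCompletionRoutine
Args: 00001000 00000000 40097000 00000000
[  3, 0]   0  1 857e2020 8584ca40 00000000-00000000    pending
\FileSystem\Ntfs
Args: 00001000 00000000 0329e000 00000000
"""

# IRP major function codes in table order (same order as the !drvobj dispatch
# table further down this page); !irp prints the code in hex.
IRP_MJ = ("CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION SET_INFORMATION "
          "QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION SET_VOLUME_INFORMATION "
          "DIRECTORY_CONTROL FILE_SYSTEM_CONTROL DEVICE_CONTROL INTERNAL_DEVICE_CONTROL "
          "SHUTDOWN LOCK_CONTROL CLEANUP CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY POWER "
          "SYSTEM_CONTROL DEVICE_CHANGE QUERY_QUOTA SET_QUOTA PNP").split()

LOC_RE = re.compile(
    r"^(?P<current>>)?\[\s*(?P<major>[0-9a-f]+),\s*(?P<minor>[0-9a-f]+)\]\s+"
    r"(?P<flags>[0-9a-f]+)\s+(?P<control>[0-9a-f]+)\s+(?P<device>[0-9a-f]+)\s+"
    r"(?P<file>[0-9a-f]+)\s+(?P<completion>[0-9a-f]+)-(?P<context>[0-9a-f]+)"
    r"(?P<status>(?:\s+\w+)*)$")
DRIVER_RE = re.compile(r"^(?P<driver>\\\S+)(?:\s+(?P<module>[^\s!]+)!(?P<routine>\S+))?$")
ARGS_RE = re.compile(r"^Args:\s*(?P<args>.*)$")

@dataclass
class StackLocation:
    major: int
    minor: int
    device: int
    file: int
    completion: int
    current: bool            # marked with '>' by !irp
    status: tuple            # Success/Error/Cancel/pending words on the line
    driver: str = None       # device owner; absent for unused (all-zero) locations
    module: str = None       # module of the completion routine, set by the driver above
    routine: str = None
    args: list = field(default_factory=list)

    @property
    def used(self):
        return self.device != 0

def major_name(code):
    return "IRP_MJ_" + IRP_MJ[code] if 0 <= code < len(IRP_MJ) else "IRP_MJ_%#x" % code

def parse_irp(text):
    """Stack locations in the order !irp prints them: lowest driver first."""
    locations, loc = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := LOC_RE.match(line)):
            loc = StackLocation(int(m["major"], 16), int(m["minor"], 16), int(m["device"], 16),
                                int(m["file"], 16), int(m["completion"], 16),
                                m["current"] == ">", tuple(m["status"].split()))
            locations.append(loc)
        elif loc is not None and (m := DRIVER_RE.match(line)):
            loc.driver, loc.module, loc.routine = m["driver"], m["module"], m["routine"]
        elif loc is not None and (m := ARGS_RE.match(line)):
            loc.args = [int(a, 16) for a in m["args"].split()]
    return locations

def driver_stack(locations):
    """Drivers from the top of the stack (first to see the IRP) down to the lowest."""
    return [l.driver for l in reversed(locations) if l.used]

def current_driver(locations):
    return next((l.driver for l in locations if l.current), None)

def completion_owner_mismatches(locations):
    """A completion routine on a location should live in the driver one level
    above it (the caller that forwarded the IRP); report any that do not."""
    used = [l for l in locations if l.used]
    return [(below.driver, below.module, above.driver)
            for below, above in zip(used, used[1:])
            if below.module and below.module.lower() != above.driver.rsplit("\\", 1)[-1].lower()]

if __name__ == "__main__":
    locs = parse_irp(SAMPLE)
    print(major_name(locs[-1].major), " -> ".join(driver_stack(locs)))
    print("current:", current_driver(locs), "mismatches:", completion_owner_mismatches(locs))
```

Fed the listing above it prints `IRP_MJ_READ \FileSystem\Ntfs -> \Driver\fvevol -> \Driver\volmgr -> \Driver\DriverA -> \Driver\partmgr -> \Driver\Disk`, which is the order the book's BitLocker diagram shows with the disk at the bottom. The mismatch check only reports layering that contradicts the completion routines; a driver name it has never heard of (such as `\Driver\DriverA` here) still has to be looked up by hand.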

VMK -> FVEK: possibility for rekeying (p. 679)

Maximum protection: TPM+USB+PIN (p. 679)

Diffuser to protect from manipulations with AES-encrypted ciphertext (p. 681)

Reading Notebook: 23-February-11

Thursday, February 24th, 2011

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

The distinction between class, port and miniport components in storage stack (pp. 646 - 647)

Example: disk.sys as a class driver, ataport.sys and atapi.sys as port and miniport drivers (pp. 647 - 448)

MPIO (multi path I/O), DSM (device-specific modules) and storage stack (pp. 649 - 650)

Old and new naming convention (DRX) for disk device objects (p. 650)

Win32 API disk drive naming (p. 651)

Partition device objects (p. 652)

Volume manager as a bus driver (p. 655)

System vs. boot volume (p. 660)

Volmgr.sys vs. Volmgrx.sys (p. 661)

The advantages of storing volume metadata in a file (p. 662)

Spanned, striped (RAID-0), mirrored (RAID-1), RAID-5 (striped with rotated parity) (pp. 662 - 667)

Reading Notebook: 21-February-11

Monday, February 21st, 2011

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Differences between driver and service loading (p. 623)

Tag value precedence redefinition (p. 624)

Verbose !devnode command options (pp. 627 - 628)

DID=VID.PID and DIID=DID.IID (p. 630)

Hybrid sleep (pp. 637-638)

Power dispatch routine (p. 639) - Here’s a dispatch routine for a PCI driver from my x64 W2K8R2 system:

0: kd> !devnode 0 3
Dumping IopRootDeviceNode (= 0xfffffa8003c1ed90)
DevNode 0xfffffa8003c1ed90 for PDO 0xfffffa8003c1db10
InstancePath is "HTREE\ROOT\0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)

[...]

DevNode 0xfffffa8003e91b10 for PDO 0xfffffa8003e40a20
InstancePath is "PCI\VEN_8086&DEV_2810&SUBSYS_00000000&REV_02\3&172e68dd&0&F8"
ServiceName is "msisadrv"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)

[...]

0: kd> !devobj 0xfffffa8003e40a20
Device object (fffffa8003e40a20) is for:
NTPNP_PCI0013 \Driver\pci DriverObject fffffa8003cfe270
Current Irp 00000000 RefCount 0 Type 00000022 Flags 00001040
Dacl fffff9a10008b231 DevExt fffffa8003e40b70 DevObjExt fffffa8003e40f90 DevNode fffffa8003e91b10
ExtensionFlags (0x00000800)
Unknown flags 0x00000800
AttachedDevice (Upper) fffffa8003e3f800
\Driver\ACPI
Device queue is not busy.

0: kd> !drvobj fffffa8003cfe270 f
Driver object (fffffa8003cfe270) is for:
\Driver\pci
Driver Extension List: (id , addr)

Device Object list:
fffffa8003e9da20  fffffa8003e9a060  fffffa8003e99a20  fffffa8003e939f0
fffffa8003e93040  fffffa8003e92660  fffffa8003e92cb0  fffffa8003e42060
fffffa8003e41a20  fffffa8003e41060  fffffa8003e40a20  fffffa8003e40060
fffffa8003e3fa20  fffffa8003e3f060  fffffa8003e3ea20  fffffa8003e3e060
fffffa8003e3da20  fffffa8003e3d060  fffffa8003e3ca20  fffffa8003e3c060
fffffa8003e3ba20  fffffa8003e3b060  fffffa8003e3aa20  fffffa8003e3a060
fffffa8003e37530

DriverEntry:   fffff880013ae1a0 pci!GsDriverEntry
DriverStartIo: 00000000
DriverUnload:  fffff880013a2fec pci!PciDriverUnload
AddDevice:     fffff8800139ae54 pci!PciAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      fffff80001ab5cfc nt!IopInvalidDeviceRequest
[01] IRP_MJ_CREATE_NAMED_PIPE           fffff80001ab5cfc nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       fffff80001ab5cfc nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ                        fffff80001ab5cfc nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       fffff80001ab5cfc nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           fffff80001ab5cfc nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             fffff80001ab5cfc nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    fffff80001ab5cfc nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      fffff80001ab5cfc nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              fffff8800139e6d0 pci!PciDispatchDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     fffff80001ab5cfc nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN                    fffff80001ab5cfc nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                fffff80001ab5cfc nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     fffff80001ab5cfc nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             fffff80001ab5cfc nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              fffff80001ab5cfc nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                fffff80001ab5cfc nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       fffff880013848fc pci!PciDispatchPnpPower
[17] IRP_MJ_SYSTEM_CONTROL              fffff8800139e66c pci!PciDispatchSystemControl
[18] IRP_MJ_DEVICE_CHANGE               fffff80001ab5cfc nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 fffff80001ab5cfc nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   fffff80001ab5cfc nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         fffff880013848fc pci!PciDispatchPnpPower
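An added example (not from the book or the blog) that parses a `!drvobj <driver> f` listing like the one above. It answers the three questions worth asking of any driver object's dispatch table: which major functions the driver actually handles (everything else points at `nt!IopInvalidDeviceRequest`), which handlers are shared (here `pci!PciDispatchPnpPower` serves both `IRP_MJ_POWER` and `IRP_MJ_PNP`, which is the power dispatch routine the note is about), and whether any entry points somewhere other than the driver's own module or `nt`, which is how a patched dispatch table shows up in a memory dump. The "own module" is taken from the `DriverEntry` symbol, an assumption that holds for the listing above; treat a hit as a prompt to look rather than proof, since a framework-based driver (KMDF, for instance) legitimately dispatches into the framework's module. The embedded input is an excerpt of the `!drvobj fffffa8003cfe270 f` output above.

```python
"""Triage a WinDbg `!drvobj <driver> f` listing.

Added example, not from the book or the blog: parses the dispatch table above,
reports which IRP major functions have a real handler, which handlers are
shared, and which entries point outside the driver's own module (or nt).
"""
import re
from dataclasses import dataclass, field

# Excerpt of the `!drvobj fffffa8003cfe270 f` output above; the device object
# list and most of the invalid-request entries are trimmed.
SAMPLE = r"""
Driver object (fffffa8003cfe270) is for:
 \Driver\pci
DriverEntry:   fffff880013ae1a0 pci!GsDriverEntry
DriverStartIo: 00000000
DriverUnload:  fffff880013a2fec pci!PciDriverUnload
AddDevice:     fffff8800139ae54 pci!PciAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      fffff80001ab5cfc nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ                        fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              fffff8800139e6d0 pci!PciDispatchDeviceControl
[16] IRP_MJ_POWER                       fffff880013848fc pci!PciDispatchPnpPower
[17] IRP_MJ_SYSTEM_CONTROL              fffff8800139e66c pci!PciDispatchSystemControl
[1b] IRP_MJ_PNP                         fffff880013848fc pci!PciDispatchPnpPower
"""

INVALID_REQUEST = "nt!IopInvalidDeviceRequest"
NAME_RE = re.compile(r"^\\\S+$")
ENTRY_RE = re.compile(r"^(?P<kind>DriverEntry|DriverStartIo|DriverUnload|AddDevice):\s+"
                      r"(?P<addr>[0-9a-f]+)(?:\s+(?P<sym>\S+))?$")
DISPATCH_RE = re.compile(r"^\[(?P<idx>[0-9a-f]{2})\]\s+(?P<name>IRP_MJ_\w+)\s+"
                         r"(?P<addr>[0-9a-f]+)(?:\s+(?P<sym>\S+))?$")

def module_of(symbol):
    """'pci!GsDriverEntry' -> 'pci'; None when WinDbg printed no module!symbol."""
    return symbol.split("!", 1)[0] if symbol and "!" in symbol else None

@dataclass
class DispatchEntry:
    index: int          # IRP_MJ code as printed in brackets
    name: str
    address: int
    symbol: str = None  # "module!function" as resolved by WinDbg, None if unresolved

@dataclass
class DriverObject:
    name: str = ""
    entry_points: dict = field(default_factory=dict)  # kind -> (address, symbol)
    dispatch: list = field(default_factory=list)

    @property
    def module(self):
        """The driver's own module, taken from the DriverEntry symbol (assumption)."""
        return module_of(self.entry_points.get("DriverEntry", (0, None))[1])

def parse_drvobj(text):
    drv = DriverObject()
    for raw in text.splitlines():
        line = raw.strip()
        if not drv.name and NAME_RE.match(line):
            drv.name = line
        elif (m := ENTRY_RE.match(line)):
            drv.entry_points[m["kind"]] = (int(m["addr"], 16), m["sym"])
        elif (m := DISPATCH_RE.match(line)):
            drv.dispatch.append(DispatchEntry(int(m["idx"], 16), m["name"],
                                              int(m["addr"], 16), m["sym"]))
    return drv

def handled_majors(drv):
    """Major functions with a real handler, as {IRP_MJ name: symbol}."""
    return {e.name: e.symbol for e in drv.dispatch if e.symbol != INVALID_REQUEST}

def shared_routines(drv):
    """Handlers serving more than one major function, as {symbol: [names]}."""
    by_sym = {}
    for e in drv.dispatch:
        if e.symbol != INVALID_REQUEST:
            by_sym.setdefault(e.symbol, []).append(e.name)
    return {s: names for s, names in by_sym.items() if len(names) > 1}

def foreign_dispatch_entries(drv):
    """Entries whose target is neither in the driver's own module nor in nt:
    an unresolved address or another module's code sitting in the table."""
    own = (drv.module or "").lower()
    return [e for e in drv.dispatch
            if module_of(e.symbol) is None or module_of(e.symbol).lower() not in (own, "nt")]

if __name__ == "__main__":
    drv = parse_drvobj(SAMPLE)
    print(drv.name, "module:", drv.module)
    print("handled:", handled_majors(drv))
    print("shared:", shared_routines(drv))
    print("foreign:", [e.name for e in foreign_dispatch_entries(drv)])
```

On the listing above `foreign_dispatch_entries` returns nothing, and `shared_routines` reports the one routine behind both `IRP_MJ_POWER` and `IRP_MJ_PNP`, which is why the book treats the power dispatch routine together with PnP.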

!pocaps and !popolicy WinDbg commands (pp. 641 - 643)

Unlike other PnP operations such as a normal eject, power operations cannot be vetoed by drivers and applications (pp. 643 - 644)

Reading Notebook: 20-September-10

Tuesday, September 28th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

I/O Completion Ports (pp. 592 - 598) - my own architectural investigation from a complete memory dump perspective: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/

Lock contention (p. 594) - some patterns: http://www.dumpanalysis.org/blog/index.php/2010/09/21/contention-patterns/

The concurrency value may exceed the concurrency limit for an I/O completion port (p. 595)

KeRemoveQueueEx (p. 596) - see also Passive System Thread pattern: http://www.dumpanalysis.org/blog/index.php/2007/11/20/crash-dump-analysis-patterns-part-31a/

I/O priority queues and strategies for IRP (p. 599) - priority fields in _EPROCESS and _ETHREAD structures from x64 W2K8 R2:

1: kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb              : _KPROCESS
[...]
+0x438 DefaultIoPriority : Pos 27, 3 Bits
[...]

1: kd> dt _ETHREAD
ntdll!_ETHREAD
+0x000 Tcb              : _KTHREAD
[...]
+0x448 ThreadIoPriority : Pos 10, 3 Bits
[...]

Driver Verifier (pp. 604 - 606) - see also Instrumentation Information pattern: http://www.dumpanalysis.org/blog/index.php/2010/09/27/crash-dump-analysis-patterns-part-107/ 

WDF book (p. 607) - there is also another book coming soon: http://www.dumpanalysis.org/blog/index.php/2010/08/19/windows-7-device-driver-book/

Listing KMDF drivers (p. 608) - here’s the output from x64 W2K8 R2 system:

1: kd> !wdfkd.wdfldr
LoadedModuleList      0xfffff8800115a2d8
----------------------------------
LIBRARY_MODULE  fffffa8003bc8d10
Version       v1.9 build(7600)
Service       \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
ImageName     Wdf01000.sys
ImageAddress  0xfffff880010ae000
ImageSize     0xa4000
Associated Clients: 10

  ImageName      Version    WdfGlobals         FxGlobals          ImageAddress       ImageSize
peauth.sys     v1.7(6001) 0xfffffa8004bf6510 0xfffffa8004bf63c0 0xfffff88004600000 0x000a6000
monitor.sys    v1.9(7600) 0xfffffa80048f55d0 0xfffffa80048f5480 0xfffff88003752000 0x0000e000
umbus.sys      v1.9(7600) 0xfffffa8004371160 0xfffffa8004371010 0xfffff88002db0000 0x00012000
CompositeBus.sys v1.9(7600) 0xfffffa8004440800 0xfffffa80044406b0 0xfffff88002a45000 0x00010000
HDAudBus.sys   v1.7(6001) 0xfffffa80043c9160 0xfffffa80043c9010 0xfffff88002b48000 0x00024000
intelppm.sys   v1.9(7600) 0xfffffa8004271dd0 0xfffffa8004271c80 0xfffff88002ab0000 0x00016000
cdrom.sys      v1.9(7600) 0xfffffa80041f3fc0 0xfffffa80041f3e70 0xfffff88001400000 0x0002a000
vmstorfl.sys   v1.5(6000) 0xfffffa80040129e0 0xfffffa8004012890 0xfffff88001750000 0x00010000
msisadrv.sys   v1.9(7600) 0xfffffa8003ebb910 0xfffffa8003ebb7c0 0xfffff880012c6000 0x0000a000
vdrvroot.sys   v1.9(7600) 0xfffffa8003d3fa00 0xfffffa8003d3f8b0 0xfffff88001262000 0x0000d000
----------------------------------
Total: 1 library loaded

Extension of the device extension concept into object contexts in KMDF (pp. 611 - 612)

UMDF reflectors (p. 617)

WUDFHost.exe (p. 618) - here's its stack trace collection from x64 W2K8 R2 after I inserted a USB flash drive and attached WinDbg non-invasively:

0:000> ~*k

.  0  Id: 58c.12f4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0018f988 000007fe`fd8510ac ntdll!ZwWaitForSingleObject+0xa
00000000`0018f990 00000000`ff3bba44 KERNELBASE!WaitForSingleObjectEx+0x9c
00000000`0018fa30 00000000`ff3b8ce7 WUDFHost!CLpcNotification::Run+0x1c
00000000`0018fa60 00000000`ff3d2cb1 WUDFHost!wmain+0xc7b
00000000`0018fc60 00000000`7746f56d WUDFHost!ConvertStringSidToSidW+0x19b
00000000`0018fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0018fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   1  Id: 58c.1304 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00c4f918 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00c4f920 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00c4f990 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00c4f9e0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00c4fa70 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00c4fc20 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00c4fc70 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00c4fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00c4fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   2  Id: 58c.6e8 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00dfe988 000007fe`fd853ef8 ntdll!NtQueryAttributesFile+0xa
00000000`00dfe990 000007fe`f3be9970 KERNELBASE!GetFileAttributesW+0x78
00000000`00dfea30 000007fe`f27ce8c9 WpdFs!COperationGetFastBasicProperties::OnImpersonate+0x1c0
00000000`00dfea70 000007fe`f3be9734 WUDFx!CWdfIoRequest::Impersonate+0x151
00000000`00dfeae0 000007fe`f3bda26b WpdFs!COperationGetFastBasicProperties::Invoke+0x2c4
00000000`00dfeb50 000007fe`f3bd8837 WpdFs!WpdObjectProperties::GetValues+0x3f7
00000000`00dfecd0 000007fe`f3bd8344 WpdFs!WpdObjectProperties::OnGetValues+0x10b
00000000`00dfed50 000007fe`f3bcf974 WpdFs!WpdObjectProperties::DispatchWpdMessage+0x1a0
00000000`00dfee10 000007fe`f3bcd51a WpdFs!WpdBaseDriver::DispatchWpdMessage+0x4c0
Reading Notebook: 20-September-10

Tuesday, September 28th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

I/O Completion Ports (pp. 592 - 598) - my own architectural investigation from a complete memory dump perspective: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/

Lock contention (p. 594) - some patterns: http://www.dumpanalysis.org/blog/index.php/2010/09/21/contention-patterns/

Concurrency value may exceed the concurrency limit for an I/O CP (p. 595)

KeRemoveQueueEx (p. 596) - see also Passive System Thread pattern: http://www.dumpanalysis.org/blog/index.php/2007/11/20/crash-dump-analysis-patterns-part-31a/

I/O priority queues and strategies for IRP (p. 599) - priority fields in _EPROCESS and _ETHREAD structures from x64 W2K8 R2:

1: kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb              : _KPROCESS
[...]
+0x438 DefaultIoPriority : Pos 27, 3 Bits
[...]

1: kd> dt _ETHREAD
ntdll!_ETHREAD
+0x000 Tcb              : _KTHREAD
[...]
+0x448 ThreadIoPriority : Pos 10, 3 Bits
[...]

Driver Verifier (pp. 604 - 606) - see also Instrumentation Information pattern: http://www.dumpanalysis.org/blog/index.php/2010/09/27/crash-dump-analysis-patterns-part-107/ 

WDF book (p. 607) - there is also another book coming soon: http://www.dumpanalysis.org/blog/index.php/2010/08/19/windows-7-device-driver-book/

Listing KMDF drivers (p. 608) - here’s the output from an x64 W2K8 R2 system:

1: kd> !wdfkd.wdfldr
LoadedModuleList      0xfffff8800115a2d8
----------------------------------
LIBRARY_MODULE  fffffa8003bc8d10
Version       v1.9 build(7600)
Service       \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
ImageName     Wdf01000.sys
ImageAddress  0xfffff880010ae000
ImageSize     0xa4000
Associated Clients: 10

  ImageName      Version    WdfGlobals         FxGlobals          ImageAddress       ImageSize
peauth.sys     v1.7(6001) 0xfffffa8004bf6510 0xfffffa8004bf63c0 0xfffff88004600000 0x000a6000
monitor.sys    v1.9(7600) 0xfffffa80048f55d0 0xfffffa80048f5480 0xfffff88003752000 0x0000e000
umbus.sys      v1.9(7600) 0xfffffa8004371160 0xfffffa8004371010 0xfffff88002db0000 0x00012000
CompositeBus.sys v1.9(7600) 0xfffffa8004440800 0xfffffa80044406b0 0xfffff88002a45000 0x00010000
HDAudBus.sys   v1.7(6001) 0xfffffa80043c9160 0xfffffa80043c9010 0xfffff88002b48000 0x00024000
intelppm.sys   v1.9(7600) 0xfffffa8004271dd0 0xfffffa8004271c80 0xfffff88002ab0000 0x00016000
cdrom.sys      v1.9(7600) 0xfffffa80041f3fc0 0xfffffa80041f3e70 0xfffff88001400000 0x0002a000
vmstorfl.sys   v1.5(6000) 0xfffffa80040129e0 0xfffffa8004012890 0xfffff88001750000 0x00010000
msisadrv.sys   v1.9(7600) 0xfffffa8003ebb910 0xfffffa8003ebb7c0 0xfffff880012c6000 0x0000a000
vdrvroot.sys   v1.9(7600) 0xfffffa8003d3fa00 0xfffffa8003d3f8b0 0xfffff88001262000 0x0000d000
----------------------------------
Total: 1 library loaded

Extension of device extension into object context in KMDF (pp. 611 - 612)

UMDF reflectors (p. 617)

WUDFHost.exe (p. 618) - here’s its stack trace collection from x64 W2K8 R2 after I inserted a USB flash drive and attached WinDbg non-invasively:

0:000> ~*k

.  0  Id: 58c.12f4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0018f988 000007fe`fd8510ac ntdll!ZwWaitForSingleObject+0xa
00000000`0018f990 00000000`ff3bba44 KERNELBASE!WaitForSingleObjectEx+0x9c
00000000`0018fa30 00000000`ff3b8ce7 WUDFHost!CLpcNotification::Run+0x1c
00000000`0018fa60 00000000`ff3d2cb1 WUDFHost!wmain+0xc7b
00000000`0018fc60 00000000`7746f56d WUDFHost!ConvertStringSidToSidW+0x19b
00000000`0018fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0018fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   1  Id: 58c.1304 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00c4f918 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00c4f920 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00c4f990 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00c4f9e0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00c4fa70 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00c4fc20 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00c4fc70 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00c4fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00c4fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   2  Id: 58c.6e8 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00dfe988 000007fe`fd853ef8 ntdll!NtQueryAttributesFile+0xa
00000000`00dfe990 000007fe`f3be9970 KERNELBASE!GetFileAttributesW+0x78
00000000`00dfea30 000007fe`f27ce8c9 WpdFs!COperationGetFastBasicProperties::OnImpersonate+0x1c0
00000000`00dfea70 000007fe`f3be9734 WUDFx!CWdfIoRequest::Impersonate+0x151
00000000`00dfeae0 000007fe`f3bda26b WpdFs!COperationGetFastBasicProperties::Invoke+0x2c4
00000000`00dfeb50 000007fe`f3bd8837 WpdFs!WpdObjectProperties::GetValues+0x3f7
00000000`00dfecd0 000007fe`f3bd8344 WpdFs!WpdObjectProperties::OnGetValues+0x10b
00000000`00dfed50 000007fe`f3bcf974 WpdFs!WpdObjectProperties::DispatchWpdMessage+0x1a0
00000000`00dfee10 000007fe`f3bcd51a WpdFs!WpdBaseDriver::DispatchWpdMessage+0x4c0
00000000`00dfef60 000007fe`f3bcdd6c WpdFs!CQueue::ProcessWpdMessage+0x29a
00000000`00dff010 000007fe`f27bf610 WpdFs!CQueue::OnDeviceIoControl+0x494
00000000`00dff160 000007fe`f27c0b5a WUDFx!CWdfIoQueue::SubmitRequest+0x358
00000000`00dff1f0 000007fe`f27c0955 WUDFx!CWdfIoQueue::DispatchRequestToDriver+0x86
00000000`00dff240 000007fe`f27bff83 WUDFx!CWdfIoQueue::DispatchEvents+0x3cd
00000000`00dff2b0 000007fe`f27b61b5 WUDFx!CWdfIoQueue::QueueRequest+0x2c3
00000000`00dff300 000007fe`f27b6f20 WUDFx!CWdfDevice::DispatchRequest+0x149
00000000`00dff350 00000000`ff3ccbb6 WUDFx!CWdfDevice::DeviceControl+0x1a8
00000000`00dff3c0 00000000`ff3c2f92 WUDFHost!CWudfIoIrp::Dispatch+0x13e
00000000`00dff420 00000000`ff3bad47 WUDFHost!CWudfDeviceStack::Forward+0x41a
00000000`00dff490 000007fe`fb87da6a WUDFHost!CLpcNotification::Message+0xd9b
00000000`00dff6c0 000007fe`fb87c848 WUDFPlatform!WdfLpcPort::ProcessMessage+0x3be
00000000`00dff760 000007fe`fb87b299 WUDFPlatform!WdfLpcCommPort::ProcessMessage+0x214
00000000`00dff7b0 000007fe`fb87b900 WUDFPlatform!WdfLpcConnPort::ProcessMessage+0xf9
00000000`00dff830 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x178
00000000`00dff880 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00dff8b0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00dff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   3  Id: 58c.2e4 Suspend: 1 Teb: 000007ff`fffd8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00d7f5e8 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00d7f5f0 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00d7f660 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00d7f6b0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00d7f740 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00d7f8f0 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00d7f940 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00d7f970 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00d7f9a0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   4  Id: 58c.12b4 Suspend: 1 Teb: 000007ff`fffd6000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00f8fa58 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00f8fa60 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00f8fad0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00f8fb20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00f8fbb0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00f8fd60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00f8fdb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00f8fde0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00f8fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   5  Id: 58c.106c Suspend: 1 Teb: 000007ff`fffd3000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00f0f958 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00f0f960 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00f0f9d0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00f0fa20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00f0fab0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00f0fc60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00f0fcb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00f0fce0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00f0fd10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   6  Id: 58c.8fc Suspend: 1 Teb: 000007ff`fffae000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0136f8c8 00000000`7758c95e USER32!NtUserGetMessage+0xa
00000000`0136f8d0 000007fe`f3bd26e5 USER32!GetMessageW+0x34
00000000`0136f900 00000000`7746f56d WpdFs!CDiskNotifier::NotificationThreadWorker+0x245
00000000`0136fa50 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0136fa80 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   7  Id: 58c.520 Suspend: 1 Teb: 000007ff`fffac000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0152f6f8 00000000`77689bd7 ntdll!ZwWaitForMultipleObjects+0xa
00000000`0152f700 00000000`7746f56d ntdll!EtwTraceMessageVa+0xe07
00000000`0152f9a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0152f9d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   8  Id: 58c.89c Suspend: 1 Teb: 000007ff`fffaa000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`012df9b8 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`012df9c0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`012dfcc0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`012dfcf0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   9  Id: 58c.1394 Suspend: 1 Teb: 000007ff`fffa8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0140f498 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0140f4a0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0140f7a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0140f7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  10  Id: 58c.1294 Suspend: 1 Teb: 000007ff`fffa6000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0182f758 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0182f760 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0182fa60 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0182fa90 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  11  Id: 58c.a98 Suspend: 1 Teb: 000007ff`fffa4000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0170f708 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0170f710 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0170fa10 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0170fa40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  12  Id: 58c.121c Suspend: 1 Teb: 000007ff`fffa2000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0179fd68 000007fe`fd851203 ntdll!NtDelayExecution+0xa
00000000`0179fd70 000007fe`fe2cea00 KERNELBASE!SleepEx+0xb3
00000000`0179fe10 000007fe`fe2d2046 ole32!CROIDTable::WorkerThreadLoop+0x10
00000000`0179fe40 000007fe`fe2d358a ole32!CRpcThread::WorkerLoop+0x1e
00000000`0179fe80 00000000`7746f56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
00000000`0179feb0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0179fee0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Reading Notebook: 03-August-10

Tuesday, August 10th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Scatter/gather (p. 566) - you can find examples of scatter/gather I/O residues left on a thread raw stack in Hardware Activity pattern and corresponding case study:

http://www.dumpanalysis.org/blog/index.php/2010/05/08/crash-dump-analysis-patterns-part-98/ 

and

http://www.dumpanalysis.org/blog/index.php/2010/06/07/irp-distribution-anomaly-inconsistent-dump-execution-residue-hardware-activity-coincidental-symbolic-information-not-my-version-virtualized-system-pattern-cooperation/

IRP (pp. 566 - 567) - here is an expanded IRP structure from x64 W2K8:

0: kd> dt -r1 _IRP
ntdll!_IRP
+0x000 Type             : Int2B
+0x002 Size             : Uint2B
+0x008 MdlAddress       : Ptr64 _MDL
   +0x000 Next             : Ptr64 _MDL
   +0x008 Size             : Int2B
   +0x00a MdlFlags         : Int2B
   +0x010 Process          : Ptr64 _EPROCESS
   +0x018 MappedSystemVa   : Ptr64 Void
   +0x020 StartVa          : Ptr64 Void
   +0x028 ByteCount        : Uint4B
   +0x02c ByteOffset       : Uint4B
+0x010 Flags            : Uint4B
+0x018 AssociatedIrp    : <unnamed-tag>
   +0x000 MasterIrp        : Ptr64 _IRP
   +0x000 IrpCount         : Int4B
   +0x000 SystemBuffer     : Ptr64 Void
+0x020 ThreadListEntry  : _LIST_ENTRY
   +0x000 Flink            : Ptr64 _LIST_ENTRY
   +0x008 Blink            : Ptr64 _LIST_ENTRY
+0x030 IoStatus         : _IO_STATUS_BLOCK
   +0x000 Status           : Int4B
   +0x000 Pointer          : Ptr64 Void
   +0x008 Information      : Uint8B
+0x040 RequestorMode    : Char
+0x041 PendingReturned  : UChar
+0x042 StackCount       : Char
+0x043 CurrentLocation  : Char
+0x044 Cancel           : UChar
+0x045 CancelIrql       : UChar
+0x046 ApcEnvironment   : Char
+0x047 AllocationFlags  : UChar
+0x048 UserIosb         : Ptr64 _IO_STATUS_BLOCK
   +0x000 Status           : Int4B
   +0x000 Pointer          : Ptr64 Void
   +0x008 Information      : Uint8B
+0x050 UserEvent        : Ptr64 _KEVENT
   +0x000 Header           : _DISPATCHER_HEADER
+0x058 Overlay          : <unnamed-tag>
   +0x000 AsynchronousParameters : <unnamed-tag>
   +0x000 AllocationSize   : _LARGE_INTEGER
+0x068 CancelRoutine    : Ptr64     void
+0x070 UserBuffer       : Ptr64 Void
+0x078 Tail             : <unnamed-tag>
   +0x000 Overlay          : <unnamed-tag>
   +0x000 Apc              : _KAPC
   +0x000 CompletionKey    : Ptr64 Void

IRP stack locations (pp. 568 - 569) - here is a corresponding structure from x64 W2K8:

0: kd> dt _IO_STACK_LOCATION
ntdll!_IO_STACK_LOCATION
+0x000 MajorFunction    : UChar
+0x001 MinorFunction    : UChar
+0x002 Flags            : UChar
+0x003 Control          : UChar
+0x008 Parameters       : <unnamed-tag>
+0x028 DeviceObject     : Ptr64 _DEVICE_OBJECT
+0x030 FileObject       : Ptr64 _FILE_OBJECT
+0x038 CompletionRoutine : Ptr64     long
+0x040 Context          : Ptr64 Void 

Buffered I/O (p. 570) - this part of the IRP references the system buffer (user input data is copied into it, and device output is placed there to be copied back to the user buffer):

+0x018 AssociatedIrp    : <unnamed-tag>
   +0x000 MasterIrp        : Ptr64 _IRP
   +0x000 IrpCount         : Int4B
   +0x000 SystemBuffer     : Ptr64 Void

These parts of the I/O stack location structure hold the buffer lengths:

+0x000 DeviceIoControl  : <unnamed-tag>
   +0x000 OutputBufferLength : Uint4B
   +0x008 InputBufferLength : Uint4B
   +0x010 IoControlCode    : Uint4B
   +0x018 Type3InputBuffer : Ptr64 Void

+0x000 Read             : <unnamed-tag>
   +0x000 Length           : Uint4B
   +0x008 Key              : Uint4B
   +0x010 ByteOffset       : _LARGE_INTEGER

+0x000 Write            : <unnamed-tag>
   +0x000 Length           : Uint4B
   +0x008 Key              : Uint4B
   +0x010 ByteOffset       : _LARGE_INTEGER

Direct I/O (p. 570) - these parts of IRP handle IOCTL input data (SystemBuffer, via buffering) and IOCTL output/Read/Write data (MdlAddress):

+0x008 MdlAddress       : Ptr64 _MDL
   +0x000 Next             : Ptr64 _MDL
   +0x008 Size             : Int2B
   +0x00a MdlFlags         : Int2B
   +0x010 Process          : Ptr64 _EPROCESS
   +0x018 MappedSystemVa   : Ptr64 Void
   +0x020 StartVa          : Ptr64 Void
   +0x028 ByteCount        : Uint4B
   +0x02c ByteOffset       : Uint4B

+0x018 AssociatedIrp    : <unnamed-tag>
   +0x000 MasterIrp        : Ptr64 _IRP
   +0x000 IrpCount         : Int4B
   +0x000 SystemBuffer     : Ptr64 Void

Neither I/O (p. 571) - these parts handle input data (IO_STACK_LOCATION.Parameters.DeviceIoControl.Type3InputBuffer) and output data (IRP.UserBuffer):

+0x000 DeviceIoControl  : <unnamed-tag>
   +0x000 OutputBufferLength : Uint4B
   +0x008 InputBufferLength : Uint4B
   +0x010 IoControlCode    : Uint4B
   +0x018 Type3InputBuffer : Ptr64 Void

+0x070 UserBuffer       : Ptr64 Void
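As an added example (not the author’s code and not from the WDK), the three notes above on Buffered, Direct and Neither I/O can be turned into a small user-mode model in C: the transfer method is decoded from the low two bits of the IOCTL code, the input and output pointers are taken from whichever IRP and stack-location fields that method uses, and a sample handler refuses to write until the requester-supplied OutputBufferLength has been checked. The structure types are reduced, hypothetical models holding only the fields quoted in these notes; the IOCTL codes, the DEMO_VERSION type and the demo_* and handle_get_version functions are constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The transfer method is the low two bits of every IOCTL code (ntddk.h). */
#define METHOD_BUFFERED   0u
#define METHOD_IN_DIRECT  1u
#define METHOD_OUT_DIRECT 2u
#define METHOD_NEITHER    3u
#define METHOD_FROM_CTL_CODE(c) ((uint32_t)((c) & 3u))
#define CTL_CODE(type, func, method, access) \
    ((uint32_t)(((type) << 16) | ((access) << 14) | ((func) << 2) | (method)))

/* Constructed demo codes: FILE_DEVICE_UNKNOWN (0x22), vendor functions 0x800+. */
#define IOCTL_DEMO_GET_VERSION CTL_CODE(0x22u, 0x800u, METHOD_BUFFERED, 0u)
#define IOCTL_DEMO_RAW         CTL_CODE(0x22u, 0x801u, METHOD_NEITHER, 0u)

/* Hypothetical user-mode models holding only the fields quoted in the notes. */
typedef struct { void *MappedSystemVa; uint32_t ByteCount; } MDL;
typedef struct {
    MDL *MdlAddress;                              /* +0x008: direct I/O data    */
    struct { void *SystemBuffer; } AssociatedIrp; /* +0x018: buffered I/O data  */
    void *UserBuffer;                             /* +0x070: neither I/O output */
} IRP;
typedef struct {
    struct {
        uint32_t OutputBufferLength, InputBufferLength, IoControlCode;
        void *Type3InputBuffer;                   /* neither I/O input */
    } DeviceIoControl;
} IO_STACK_LOCATION;
typedef struct { uint32_t method; void *input, *output; uint32_t input_len, output_len; } IOCTL_BUFFERS;

/* Resolve where a dispatch routine reads input and writes output for this
   request, following the three I/O methods described in the notes. */
IOCTL_BUFFERS locate_ioctl_buffers(const IRP *irp, const IO_STACK_LOCATION *sl)
{
    IOCTL_BUFFERS b;
    memset(&b, 0, sizeof b);
    b.method     = METHOD_FROM_CTL_CODE(sl->DeviceIoControl.IoControlCode);
    b.input_len  = sl->DeviceIoControl.InputBufferLength;
    b.output_len = sl->DeviceIoControl.OutputBufferLength;
    switch (b.method) {
    case METHOD_BUFFERED:          /* one system buffer serves both directions */
        b.input = b.output = irp->AssociatedIrp.SystemBuffer;
        break;
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:        /* input buffered, output through the MDL */
        b.input  = irp->AssociatedIrp.SystemBuffer;
        b.output = irp->MdlAddress ? irp->MdlAddress->MappedSystemVa : NULL;
        break;
    default:                       /* METHOD_NEITHER: raw requester pointers */
        b.input  = sl->DeviceIoControl.Type3InputBuffer;
        b.output = irp->UserBuffer;
    }
    return b;
}

typedef struct { uint32_t major, minor; } DEMO_VERSION;

/* IOCTL_DEMO_GET_VERSION handler: returns the byte count for IoStatus.Information,
   or -1 when the requester's output buffer is too small (STATUS_BUFFER_TOO_SMALL in
   a real driver). The lengths come from the requester, so the check precedes the write. */
int handle_get_version(const IRP *irp, const IO_STACK_LOCATION *sl)
{
    IOCTL_BUFFERS b = locate_ioctl_buffers(irp, sl);
    if (b.output == NULL || b.output_len < sizeof(DEMO_VERSION))
        return -1;
    DEMO_VERSION *out = (DEMO_VERSION *)b.output;
    out->major = 1; out->minor = 9;
    return (int)sizeof *out;
}

/* Constructed buffered request with the given OutputBufferLength. */
int demo_get_version(uint32_t output_len)
{
    uint32_t system_buffer[16] = {0};         /* stands in for the pool buffer */
    IRP irp = { NULL, { system_buffer }, NULL };
    IO_STACK_LOCATION sl = { { output_len, 0, IOCTL_DEMO_GET_VERSION, NULL } };
    return handle_get_version(&irp, &sl);
}

/* Constructed METHOD_NEITHER request: both pointers must resolve to the
   requester's own buffers, never to SystemBuffer. Returns 1 if they do. */
int demo_neither_uses_requester_pointers(void)
{
    unsigned char in[4], out[4];
    IRP irp = { NULL, { NULL }, out };
    IO_STACK_LOCATION sl = { { sizeof out, sizeof in, IOCTL_DEMO_RAW, in } };
    IOCTL_BUFFERS b = locate_ioctl_buffers(&irp, &sl);
    return b.method == METHOD_NEITHER && b.input == in && b.output == out;
}

int main(void)
{
    printf("buffered, 8-byte output: %d\n", demo_get_version(8));
    printf("buffered, 2-byte output: %d\n", demo_get_version(2));
    printf("neither resolves requester pointers: %d\n", demo_neither_uses_requester_pointers());
    return 0;
}
```

When reading an IRP from a dump, the same two-bit test on the IoControlCode shown by dt tells you which of the fields listed above carry the request data, and comparing OutputBufferLength with the byte count the driver placed in IoStatus.Information is a quick sanity check when a buffer-length bug is suspected.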

I/O status block and kernel APC (pp. 575 - 577) - this is a part of the IRP structure:

+0x030 IoStatus         : _IO_STATUS_BLOCK
   +0x000 Status           : Int4B
   +0x000 Pointer          : Ptr64 Void
   +0x008 Information      : Uint8B

KeSynchronizeExecution (p. 578) - here is a stack trace fragment showing it in action:

[...]
b9ada518 8088d661 SCSIPORT!SpStartIoSynchronized+0x14f
b9ada550 80a60147 nt!KeSynchronizeExecution+0x21
b9ada57c f72523a6 hal!HalBuildScatterGatherList+0x1c7
b9ada5c8 8081cfa2 SCSIPORT!ScsiPortStartIo+0x36a
b9ada5ec f725262f nt!IoStartPacket+0x82
b9ada620 f7252146 SCSIPORT!ScsiPortFdoDispatch+0x270
b9ada63c f7251dc3 SCSIPORT!SpDispatchRequest+0x68
b9ada658 f7251299 SCSIPORT!ScsiPortPdoScsi+0x129
b9ada66c 8081df85 SCSIPORT!ScsiPortGlobalDispatch+0x1d
b9ada680 f723e607 nt!IofCallDriver+0x45
b9ada690 f723e2b2 CLASSPNP!SubmitTransferPacket+0xbb
b9ada6c4 f723e533 CLASSPNP!ServiceTransferRequest+0x1e4
b9ada6e8 8081df85 CLASSPNP!ClassReadWrite+0x159
b9ada6fc f74c80cf nt!IofCallDriver+0x45
b9ada70c 8081df85 PartMgr!PmReadWrite+0x95
b9ada720 f7317053 nt!IofCallDriver+0x45
b9ada73c 8081df85 ftdisk!FtDiskReadWrite+0x1a9
b9ada750 f72bf8bc nt!IofCallDriver+0x45
b9ada768 8081df85 volsnap!VolSnapRead+0x52
b9ada77c f7163a62 nt!IofCallDriver+0x45
b9ada788 f71638d9 Ntfs!NtfsSingleAsync+0x91
b9ada960 f7164156 Ntfs!NtfsNonCachedIo+0x2db
b9adaa4c f7164079 Ntfs!NtfsCommonRead+0xaf5
b9adabf8 8081df85 Ntfs!NtfsFsdRead+0x113
b9adac0c f721cc45 nt!IofCallDriver+0x45
b9adac34 8081df85 fltmgr!FltpDispatch+0x6f
b9adac48 bafd5373 nt!IofCallDriver+0x45
[...]

IRP and layered drivers (pp. 578 - 586) - here’s a UML-style diagram (#3) for IRP flow:

http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/ 

Associated IRP (pp. 585 - 586) - this is a part of the IRP structure:

+0x018 AssociatedIrp    : <unnamed-tag>
   +0x000 MasterIrp        : Ptr64 _IRP

File object vs. thread IRP association (p. 587)

Thread Termination and pending IRP (pp. 589 - 590) - this pattern uses I/O cancellation as an example:

http://www.dumpanalysis.org/blog/index.php/2007/12/14/crash-dump-analysis-patterns-part-42a/ 

Reading Notebook: 19-July-10

Thursday, July 22nd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Viewing the loaded driver list (pp. 546 - 547) - if we don’t see company information in the lmv command output, we can examine raw driver data as in this pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/16/crash-dump-analysis-patterns-part-22/

DriverEntry (p. 548) - consider this as similar to main (console) or WinMain (Win32). For example, if you are writing a Windows service you have to register certain functions with SCM.

Dispatch routines (p. 548) - if you know C++, think of them as member functions of a device object, with DeviceObject playing the role of the this parameter (a C++ member function implemented in C, where the implicit this becomes the first function argument):

typedef NTSTATUS (*PDRIVER_DISPATCH) (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

and a driver object can be seen as a container for the virtual function table (vtable) of a device object (purely from an implementation perspective): devObj->DriverObject->MajorFunction[IRP_MJ_XXX]
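To make the vtable analogy concrete, here is an added C example (not from the book, the WDK or the author): a reduced, hypothetical DRIVER_OBJECT holding only a MajorFunction table, DEVICE_OBJECT instances that point back at it with their own DeviceExtension state, and a DemoCallDriver that performs the devObj->DriverObject->MajorFunction[IRP_MJ_XXX](devObj, irp) call. Type and member names follow the kernel’s for readability, but the layouts, the Demo* routines and the demo_* scenario are this example’s own; the two NTSTATUS values are the real NT codes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-mode model of the driver/device/IRP relationship: the
   names follow the kernel's, the layouts do not. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)

#define IRP_MJ_CLOSE            0x02
#define IRP_MJ_READ             0x03
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b   /* 28 slots, as in MajorFunction[28] */

struct _DEVICE_OBJECT;
struct _IRP;
/* The dispatch signature from the notes: DeviceObject is the implicit this. */
typedef NTSTATUS (*PDRIVER_DISPATCH)(struct _DEVICE_OBJECT *DeviceObject,
                                     struct _IRP *Irp);

typedef struct _DRIVER_OBJECT {          /* the "class": one vtable per driver */
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;

typedef struct _DEVICE_OBJECT {          /* the "object": one per device */
    DRIVER_OBJECT *DriverObject;         /* which vtable it dispatches through */
    void          *DeviceExtension;      /* its member variables */
} DEVICE_OBJECT;

typedef struct _IRP {
    uint8_t  MajorFunction;   /* in the kernel: the current IO_STACK_LOCATION's */
    uint32_t Information;     /* stands in for IoStatus.Information */
} IRP;

typedef struct { uint32_t reads; } DEMO_EXTENSION;

/* A dispatch routine reaches its object's state only through DeviceObject. */
static NTSTATUS DemoRead(DEVICE_OBJECT *dev, IRP *irp)
{
    ((DEMO_EXTENSION *)dev->DeviceExtension)->reads++;
    irp->Information = 16;    /* pretend 16 bytes were transferred */
    return STATUS_SUCCESS;
}

/* Fallback for major functions the driver does not implement; the I/O manager
   pre-fills a real driver object's unused slots with an equivalent routine. */
static NTSTATUS DemoUnsupported(DEVICE_OBJECT *dev, IRP *irp)
{
    (void)dev;
    irp->Information = 0;
    return STATUS_INVALID_DEVICE_REQUEST;
}

/* DriverEntry equivalent: fill every slot first so none is ever NULL. */
void DemoDriverEntry(DRIVER_OBJECT *drv)
{
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        drv->MajorFunction[i] = DemoUnsupported;
    drv->MajorFunction[IRP_MJ_READ] = DemoRead;
}

/* The virtual call; the bounds check keeps a corrupted major function from
   indexing past the table. */
NTSTATUS DemoCallDriver(DEVICE_OBJECT *dev, IRP *irp)
{
    if (irp->MajorFunction > IRP_MJ_MAXIMUM_FUNCTION)
        return STATUS_INVALID_DEVICE_REQUEST;
    return dev->DriverObject->MajorFunction[irp->MajorFunction](dev, irp);
}

/* Constructed scenario: one driver object shared by two device objects, each
   with its own extension, like two instances of one class. Returns the reads
   counted on device A; *close_status (if non-NULL) receives the result of an
   IRP_MJ_CLOSE, which this driver leaves unimplemented. */
uint32_t demo_two_devices(NTSTATUS *close_status)
{
    DRIVER_OBJECT drv;
    DEMO_EXTENSION extA = {0}, extB = {0};
    DEVICE_OBJECT devA = { &drv, &extA }, devB = { &drv, &extB };
    IRP irpRead = { IRP_MJ_READ, 0 }, irpClose = { IRP_MJ_CLOSE, 0 };
    DemoDriverEntry(&drv);
    DemoCallDriver(&devA, &irpRead);
    DemoCallDriver(&devA, &irpRead);
    DemoCallDriver(&devB, &irpRead);         /* counted in extB, not extA */
    NTSTATUS s = DemoCallDriver(&devA, &irpClose);
    if (close_status) *close_status = s;
    return extA.reads;
}

NTSTATUS demo_close_status(void)
{
    NTSTATUS s = STATUS_SUCCESS;
    (void)demo_two_devices(&s);
    return s;
}

int main(void)
{
    printf("device A reads: %u\n", (unsigned)demo_two_devices(NULL));
    printf("IRP_MJ_CLOSE status: 0x%08x\n", (unsigned)demo_close_status());
    return 0;
}
```

The two device objects share one table but keep separate state, which is exactly why the dispatch signature needs DeviceObject as its first argument, and the pre-filled table is why a driver that never registers IRP_MJ_CLOSE still fails that request cleanly instead of calling through a NULL slot.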

Relationship between device and driver objects (pp. 553 - 554) - a long time ago, when I was preparing a presentation about Windows drivers for escalation engineers, I created some UML diagrams, which you can see in the following blog post: http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/

AttachedDevice vs. AttachedTo (p.554)

File object structure and extension (pp. 556 - 557) - here are the driver, device and file object structures from x64 W2K8:

0: kd> dt _DRIVER_OBJECT
ntdll!_DRIVER_OBJECT
+0x000 Type             : Int2B
+0x002 Size             : Int2B
+0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
+0x010 Flags            : Uint4B
+0x018 DriverStart      : Ptr64 Void
+0x020 DriverSize       : Uint4B
+0x028 DriverSection    : Ptr64 Void
+0x030 DriverExtension  : Ptr64 _DRIVER_EXTENSION
+0x038 DriverName       : _UNICODE_STRING
+0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
+0x050 FastIoDispatch   : Ptr64 _FAST_IO_DISPATCH
+0x058 DriverInit       : Ptr64     long
+0x060 DriverStartIo    : Ptr64     void
+0x068 DriverUnload     : Ptr64     void
+0x070 MajorFunction    : [28] Ptr64     long

0: kd> dt _DEVICE_OBJECT
ntdll!_DEVICE_OBJECT
+0x000 Type             : Int2B
+0x002 Size             : Uint2B
+0x004 ReferenceCount   : Int4B
+0x008 DriverObject     : Ptr64 _DRIVER_OBJECT
+0x010 NextDevice       : Ptr64 _DEVICE_OBJECT
+0x018 AttachedDevice   : Ptr64 _DEVICE_OBJECT
+0x020 CurrentIrp       : Ptr64 _IRP
+0x028 Timer            : Ptr64 _IO_TIMER
+0x030 Flags            : Uint4B
+0x034 Characteristics  : Uint4B
+0x038 Vpb              : Ptr64 _VPB
+0x040 DeviceExtension  : Ptr64 Void
+0x048 DeviceType       : Uint4B
+0x04c StackSize        : Char
+0x050 Queue            : <unnamed-tag>
+0x098 AlignmentRequirement : Uint4B
+0x0a0 DeviceQueue      : _KDEVICE_QUEUE
+0x0c8 Dpc              : _KDPC
+0x108 ActiveThreadCount : Uint4B
+0x110 SecurityDescriptor : Ptr64 Void
+0x118 DeviceLock       : _KEVENT
+0x130 SectorSize       : Uint2B
+0x132 Spare1           : Uint2B
+0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
+0x140 Reserved         : Ptr64 Void

0: kd> dt _FILE_OBJECT
ntdll!_FILE_OBJECT
+0x000 Type             : Int2B
+0x002 Size             : Int2B
+0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
+0x010 Vpb              : Ptr64 _VPB
+0x018 FsContext        : Ptr64 Void
+0x020 FsContext2       : Ptr64 Void
+0x028 SectionObjectPointer : Ptr64 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap  : Ptr64 Void
+0x038 FinalStatus      : Int4B
+0x040 RelatedFileObject : Ptr64 _FILE_OBJECT
+0x048 LockOperation    : UChar
+0x049 DeletePending    : UChar
+0x04a ReadAccess       : UChar
+0x04b WriteAccess      : UChar
+0x04c DeleteAccess     : UChar
+0x04d SharedRead       : UChar
+0x04e SharedWrite      : UChar
+0x04f SharedDelete     : UChar
+0x050 Flags            : Uint4B
+0x058 FileName         : _UNICODE_STRING
+0x068 CurrentByteOffset : _LARGE_INTEGER
+0x070 Waiters          : Uint4B
+0x074 Busy             : Uint4B
+0x078 LastLock         : Ptr64 Void
+0x080 Lock             : _KEVENT
+0x098 Event            : _KEVENT
+0x0b0 CompletionContext : Ptr64 _IO_COMPLETION_CONTEXT
+0x0b8 IrpListLock      : Uint8B
+0x0c0 IrpList          : _LIST_ENTRY
+0x0d0 FileObjectExtension : Ptr64 Void

Reading Notebook: 12-July-10

Monday, July 12th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

File and registry virtualization is for 32-bit apps only (p. 522)

Files (as locations) with executable extensions are excluded from virtualization (p. 524)

luafv.sys - filesystem virtualization driver (pp. 524 - 525)

\Users\<user>\AppData\Local\VirtualStore\Windows\*.* (p. 525)

Admin Approval Mode, over-the-shoulder and consent elevations (p. 529)

appinfo.dll -> consent.exe (p. 529)

Process reparenting (p. 531)

Running regedt32.exe to get virtualized registry view (p. 533)

Typical I/O request flow (pp. 540 - 541) - here is a stack trace example from x64 Windows for a remote file request that reaches network drivers (some irrelevant 3rd-party filter drivers like antivirus were skipped):

Child-SP          RetAddr           Call Site
fffffadf`25d92ff0 fffffadf`28ec5b97 NetworkCardVendor!send_packet+0x33c
fffffadf`25d93250 fffffadf`28ec5903 NDIS!ndisMProcessSGList+0x8e
fffffadf`25d932e0 fffffadf`28e85618 NDIS!ndisMAllocSGList+0x17c
fffffadf`25d933a0 fffffadf`26ab57c4 NDIS!ndisMSendX+0x21e
fffffadf`25d934d0 fffffadf`26ab5999 tcpip!ARPSendData+0x23a
fffffadf`25d93540 fffffadf`26ab20ea tcpip!ARPTransmit+0x151
fffffadf`25d935d0 fffffadf`26aaecad tcpip!IPTransmit+0xaf5
fffffadf`25d93850 fffffadf`26aa94c6 tcpip!TCPSend+0x8d5
fffffadf`25d93930 fffffadf`26aafa8c tcpip!TdiSend+0x344
fffffadf`25d939a0 fffffadf`26a4085c tcpip!TCPSendData+0xee
fffffadf`25d93a00 fffffadf`26a4845b netbt!NTSend+0x227
fffffadf`25d93ac0 fffffadf`269a546d netbt!NbtDispatchInternalCtrl+0x38
fffffadf`25d93c50 fffffadf`269cea18 rdbss!RxTdiSend+0x1a2
fffffadf`25d93cf0 fffffadf`2693efcf rdbss!RxCeSend+0x98
fffffadf`25d93d80 fffffadf`268d82fd mrxsmb!VctTranceive+0xa6
fffffadf`25d93de0 fffffadf`2693fea9 mrxsmb!SmbCeTranceive+0x483
fffffadf`25d93e70 fffffadf`2693e94b mrxsmb!SmbTransactExchangeStart+0x558
fffffadf`25d93f20 fffffadf`26940abf mrxsmb!SmbCeInitiateExchange+0x2fd
fffffadf`25d93f70 fffffadf`26940c5b mrxsmb!SmbCeSubmitTransactionRequest+0x148
fffffadf`25d93fe0 fffffadf`269412e0 mrxsmb!_SmbCeTransact+0x1a1
fffffadf`25d940c0 fffffadf`26941625 mrxsmb!MRxSmbQueryFileInformation+0x811
fffffadf`25d94220 fffffadf`26941dfa mrxsmb!MRxSmbQueryFileInformationFromPseudoOpen+0x116
fffffadf`25d94260 fffffadf`2693e94b mrxsmb!SmbPseExchangeStart_Create+0x2da
fffffadf`25d94300 fffffadf`2693f50c mrxsmb!SmbCeInitiateExchange+0x2fd
fffffadf`25d94350 fffffadf`269cc4c1 mrxsmb!MRxSmbCreate+0x5d6
fffffadf`25d94430 fffffadf`269cc730 rdbss!RxCollapseOrCreateSrvOpen+0x154
fffffadf`25d944d0 fffffadf`269c7a92 rdbss!RxCreateFromNetRoot+0x399
fffffadf`25d94570 fffffadf`269a2a77 rdbss!RxCommonCreate+0x49a
fffffadf`25d94680 fffffadf`269343e8 rdbss!RxFsdCommonDispatch+0x51c
fffffadf`25d94780 fffffadf`290bfdb3 mrxsmb!MRxSmbFsdDispatch+0x211
fffffadf`25d947d0 fffffadf`290bfdb3 fltmgr!FltpCreate+0x353
[...]
fffffadf`25d98460 fffff800`012840b4 nt!IopParseDevice+0x1088
fffffadf`25d98610 fffff800`012887d7 nt!ObpLookupObjectName+0x931
fffffadf`25d98720 fffff800`01295dad nt!ObOpenObjectByName+0x180
fffffadf`25d98910 fffff800`0129cd87 nt!IopCreateFile+0x630
fffffadf`25d98aa0 fffff800`012987f9 nt!IoCreateFile+0x12f
fffffadf`25d98b80 fffff800`0102e5fd nt!NtOpenFile+0x49
fffffadf`25d98c00 00000000`77ef0d1a nt!KiSystemServiceCopyEnd+0x3
00000000`000ac568 00000000`77d6f7c9 ntdll!NtCreateFile+0xa
00000000`000ac570 000007ff`7fd535c3 kernel32!CreateFileW+0x511

Reading Notebook: 16-June-10

Friday, June 18th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Local security policy audit (pp. 511 - 512) - in the past I used to recommend process auditing to track process launch sequences for debugging purposes

Access tokens have separate ACL (pp. 512 - 513)

MSV1_0 - local authentication package (p. 513)

Default credential providers authui.dll and SmartcardCredentialProvider.dll (p. 514) - Here are stack traces from x64 LogonUI.exe:

THREAD fffffa8013dde9d0  Cid 0238.04f8  Teb: 000007fffffd7000 Win32Thread: fffff900c0679d50 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8013ddee60  SynchronizationEvent
fffffa8013dde810  SynchronizationEvent
Not impersonating
DeviceMap                 fffff88000008e00
Owning Process            fffffa80296ecae0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      26019          Ticks: 402642 (0:01:44:41.255)
Context Switch Count      170                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.046
Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefc6d151c)
Stack Init fffffa6008efadb0 Current fffffa6008efa230
Base fffffa6008efb000 Limit fffffa6008ef5000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffffa60`08efa270 fffff800`01a6b9fa nt!KiSwapContext+0x7f
fffffa60`08efa3b0 fffff800`01a712db nt!KiSwapThread+0x13a
fffffa60`08efa420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb
fffffa60`08efa4a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e
fffffa60`08efa960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2
fffffa60`08efabb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`08efac20)
00000000`0211f978 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa
00000000`0211f980 00000000`777ce2b5 kernel32!WaitForMultipleObjectsEx+0x10b
00000000`0211fa90 00000000`777ce32e USER32!RealMsgWaitForMultipleObjectsEx+0x129
00000000`0211fb30 000007fe`fe4fb196 USER32!MsgWaitForMultipleObjectsEx+0x46
00000000`0211fb70 000007fe`fe608d42 ole32!CCliModalLoop::BlockFn+0xb6
00000000`0211fbb0 000007fe`fc6d07ad ole32!CoWaitForMultipleHandles+0x102
00000000`0211fcb0 000007fe`fc6d15d4 authui!InternalCoWaitForSingleHandle+0x31
00000000`0211fcf0 000007fe`fc6d1525 authui!CCredentialProviderThread::_vThreadProc+0xa0
00000000`0211fd30 00000000`7769be3d authui!CCredentialProviderThread::_sThreadProc+0x9
00000000`0211fd60 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd
00000000`0211fd90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8013e48060  Cid 0238.0610  Teb: 000007fffffa0000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8013e4ab50  NotificationEvent
fffffa8013e425b0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff88000008e00
Owning Process            fffffa80296ecae0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      13245          Ticks: 415416 (0:01:48:00.531)
Context Switch Count      29
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007fefc481db0)
Stack Init fffffa6009181db0 Current fffffa6009181230
Base fffffa6009182000 Limit fffffa600917c000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffffa60`09181270 fffff800`01a6b9fa nt!KiSwapContext+0x7f
fffffa60`091813b0 fffff800`01a712db nt!KiSwapThread+0x13a
fffffa60`09181420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb
fffffa60`091814a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e
fffffa60`09181960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2
fffffa60`09181bb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`09181c20)
00000000`045efa48 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa
00000000`045efa50 00000000`77691aa1 kernel32!WaitForMultipleObjectsEx+0x10b
00000000`045efb60 000007fe`fc4819bb kernel32!WaitForMultipleObjects+0x11
00000000`045efba0 000007fe`fc481de1 SmartcardCredentialProvider!I_ReaderMonitorWorker+0x8f
00000000`045efc30 00000000`7769be3d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0x31
00000000`045efc70 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd
00000000`045efca0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Win32k.sys sends keyboard messages to LogonUI.exe via RPC (p. 514)

Secondary authentication providers in LogonUI.exe, SSON (p. 515)

wininit.exe is for session 0 legacy GUI processes (p. 516)

Raw input thread (p. 516) - here are 3 kinds of csrss.exe, distinguished by their IRPs:

session 0 (no IRP)

THREAD fffffa8013a7d980  Cid 02ec.0338  Teb: 000007fffffae000 Win32Thread: fffff900c00da010 WAIT: (WrUserRequest) KernelMode Alertable
fffffa8013665d00  SynchronizationEvent
fffffa8013037df0  NotificationTimer
fffffa8013665c80  SynchronizationTimer
fffff80001bb9f60  NotificationEvent
Not impersonating
DeviceMap                 fffff88000008e00
Owning Process            fffffa8029668710       Image:         csrss.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      428616         Ticks: 45 (0:00:00:00.702)
Context Switch Count      317                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address winsrv!StartCreateSystemThreads (0x000007fefde7c3b0)
Stack Init fffffa6002c33db0 Current fffffa6002c33890
Base fffffa6002c34000 Limit fffffa6002c2e000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`02c338d0 fffff800`01a6b9fa nt!KiSwapContext+0x7f
fffffa60`02c33a10 fffff800`01a712db nt!KiSwapThread+0x13a
fffffa60`02c33a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0x2eb
fffffa60`02c33b00 fffff960`00068317 win32k!RawInputThread+0x79c
fffffa60`02c33bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0x67
fffffa60`02c33bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0x36
fffffa60`02c33c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`02c33c20)
00000000`002afd98 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa
00000000`002afda0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0x19
00000000`002afdd0 00000000`00000000 ntdll!RtlUserThreadStart+0x29

session 1 (console, keyboard IRP)

THREAD fffffa80296821d0  Cid 0324.0370  Teb: 000007fffffd3000 Win32Thread: fffff900c00e33b0 WAIT: (WrUserRequest) KernelMode Alertable
fffffa80137c6430  SynchronizationEvent
fffffa802967fc30  NotificationTimer
fffffa8029680360  SynchronizationTimer
fffffa802967f970  SynchronizationEvent
IRP List:
fffffa802968b2e0: (0006,03a0) Flags: 00060970  Mdl: 00000000
fffffa802960d4c0: (0006,03a0) Flags: 00060970  Mdl: 00000000
fffffa8012ec7470: (0006,03a0) Flags: 00060970  Mdl: 00000000

Not impersonating
DeviceMap                 fffff88000008e00
Owning Process            fffffa8029672c10       Image:         csrss.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      428605         Ticks: 56 (0:00:00:00.873)
Context Switch Count      24934                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address winsrv!StartCreateSystemThreads (0x000007fefde7c3b0)
Stack Init fffffa6008bd0db0 Current fffffa6008bd0890
Base fffffa6008bd1000 Limit fffffa6008bcb000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`08bd08d0 fffff800`01a6b9fa nt!KiSwapContext+0x7f
fffffa60`08bd0a10 fffff800`01a712db nt!KiSwapThread+0x13a
fffffa60`08bd0a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0x2eb
fffffa60`08bd0b00 fffff960`00068317 win32k!RawInputThread+0x79c
fffffa60`08bd0bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0x67
fffffa60`08bd0bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0x36
fffffa60`08bd0c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`08bd0c20)
00000000`014afab8 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa
00000000`014afac0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0x19
00000000`014afaf0 00000000`00000000 ntdll!RtlUserThreadStart+0x29

15: kd> !irp fffffa802968b2e0
Irp is active with 7 stacks 7 is current (= 0xfffffa802968b560)
No Mdl: System buffer=fffffa8029688790: Thread fffffa80296821d0:  Irp stack trace.
cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
>[  3, 0]   0  1 fffffa8013703ce0 fffffa8029687670 00000000-00000000    pending
        \Driver\kbdclass
Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa802960d4c0
Irp is active with 10 stacks 10 is current (= 0xfffffa802960d818)
No Mdl: System buffer=fffffa8029681010: Thread fffffa80296821d0:  Irp stack trace.
cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
>[  3, 0]   0  1 fffffa801392ace0 fffffa8029686880 00000000-00000000    pending
        \Driver\kbdclass
Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa8012ec7470
Irp is active with 3 stacks 3 is current (= 0xfffffa8012ec75d0)
No Mdl: System buffer=fffffa8029687010: Thread fffffa80296821d0:  Irp stack trace.
cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

   Args: 00000000 00000000 00000000 00000000
>[  3, 0]   0  1 fffffa8013722060 fffffa8029680200 00000000-00000000    pending
        \Driver\kbdclass
Args: 00000078 00000000 00000000 00000000

session N (terminal services, termdd IRP)

THREAD fffffa80168fbac0  Cid 175c.533c  Teb: 000007fffffae000 Win32Thread: fffff900c018d010 WAIT: (WrUserRequest) KernelMode Alertable
fffffa8015355e70  SynchronizationEvent
fffffa8016442950  NotificationTimer
fffffa80156f9f70  SynchronizationTimer
fffffa8016967a50  SynchronizationEvent
IRP List:
fffffa801501ba30: (0006,0118) Flags: 00060900  Mdl: 00000000

Not impersonating
DeviceMap                 fffff88000008e00
Owning Process            fffffa802b33ac10       Image:         csrss.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      428641         Ticks: 20 (0:00:00:00.312)
Context Switch Count      32238                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.218
Win32 Start Address winsrv!StartCreateSystemThreads (0x000007fefde7c3b0)
Stack Init fffffa601ccdbdb0 Current fffffa601ccdb890
Base fffffa601ccdc000 Limit fffffa601ccd6000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`1ccdb8d0 fffff800`01a6b9fa nt!KiSwapContext+0x7f
fffffa60`1ccdba10 fffff800`01a712db nt!KiSwapThread+0x13a
fffffa60`1ccdba80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0x2eb
fffffa60`1ccdbb00 fffff960`00068317 win32k!RawInputThread+0x79c
fffffa60`1ccdbbc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0x67
fffffa60`1ccdbbf0 fffff800`01a69233 win32k!NtUserCallNoParam+0x36
fffffa60`1ccdbc20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`1ccdbc20)
00000000`0137f878 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa
00000000`0137f880 00000000`778e2f6c winsrv!StartCreateSystemThreads+0x19
00000000`0137f8b0 00000000`00000000 ntdll!RtlUserThreadStart+0x29

15: kd> !irp fffffa801501ba30
Irp is active with 1 stacks 1 is current (= 0xfffffa801501bb00)
No Mdl: No System Buffer: Thread fffffa80168fbac0:  Irp stack trace.
cmd  flg cl Device   File     Completion-Context
>[  3, 0]   0  1 fffffa801370adb0 fffffa801705ef20 00000000-00000000    pending
        \Driver\TermDD
Args: 00000078 00000000 00000000 00000000
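
A small parser for the !irp dumps above, added here as an example (not code from the original post): it reports which driver the current stack location targets and so tells the console csrss.exe (kbdclass) from a terminal services one (TermDD), and treats an empty IRP list as the session 0 case. The sample dumps are reconstructed from this page and abbreviated; the session labels are my reading of the notes above.

```python
"""Parse WinDbg '!irp' dumps and classify csrss.exe raw input IRPs by driver.

Added example, not from the original post; sample dumps are reconstructed
from this page and abbreviated.
"""
import re
from dataclasses import dataclass
from typing import Optional

# IRP major function codes (wdm.h); 3 is IRP_MJ_READ, the pending input read.
IRP_MJ = {0x0: "IRP_MJ_CREATE", 0x3: "IRP_MJ_READ", 0x4: "IRP_MJ_WRITE",
          0xe: "IRP_MJ_DEVICE_CONTROL", 0xf: "IRP_MJ_INTERNAL_DEVICE_CONTROL"}
# What a pending read on each driver says about the owning csrss.exe session.
INPUT_SOURCE = {r"\Driver\kbdclass": "console keyboard (session 1)",
                r"\Driver\TermDD": "terminal services input (remote session)"}

HEADER_RE = re.compile(r"!irp\s+([0-9a-f`]+)", re.I)
STACKS_RE = re.compile(r"Irp is active with (\d+) stacks (\d+) is current")
# Current location: '>' marker, [major, minor], flg, cl, Device, File,
# Completion-Context, then trailing flags such as 'pending'.
CURRENT_RE = re.compile(
    r"^>\[\s*([0-9a-f]+),\s*([0-9a-f]+)\]\s+(\S+)\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)"
    r"\s+(\S+)(.*)$", re.I | re.M)
DRIVER_RE = re.compile(r"^\s+(\\Driver\\\S+)\s*$", re.M)
ARGS_RE = re.compile(r"^\s*Args:\s+([0-9a-f]+)", re.I | re.M)


@dataclass
class IrpSummary:
    irp: str               # IRP address from the !irp command line
    stack_count: int       # "active with N stacks"
    current: int           # index of the current stack location
    major: int             # major function code of the current location
    device: str            # device object it targets
    driver: Optional[str]  # driver name printed under the current location
    pending: bool
    length: Optional[int]  # Args[0]; for IRP_MJ_READ the buffer length (0x78 above)

    @property
    def major_name(self) -> str:
        return IRP_MJ.get(self.major, f"IRP_MJ_{self.major:#x}")

    @property
    def source(self) -> str:
        return INPUT_SOURCE.get(self.driver or "", "unrecognised driver")


def parse_irp(text: str) -> IrpSummary:
    """Parse one '!irp' dump; raise ValueError if no '>' current location exists."""
    hdr, stk, cur = HEADER_RE.search(text), STACKS_RE.search(text), CURRENT_RE.search(text)
    if not (hdr and stk and cur):
        raise ValueError("not a recognisable !irp dump with a current location")
    # The driver name and Args lines belong to the current location: search after it.
    drv = DRIVER_RE.search(text, cur.end())
    args = ARGS_RE.search(text, cur.end())
    return IrpSummary(
        irp=hdr.group(1).replace("`", ""),
        stack_count=int(stk.group(1)), current=int(stk.group(2)),
        major=int(cur.group(1), 16), device=cur.group(5),
        driver=drv.group(1) if drv else None,
        pending="pending" in cur.group(8),
        length=int(args.group(1), 16) if args else None)


def classify_raw_input(irp_dumps: list[str]) -> dict[str, str]:
    """Map each IRP address to the input source it implies for its csrss.exe.

    An empty list is the session 0 case above: no IRP list, no interactive input.
    """
    if not irp_dumps:
        return {"<none>": "no pending input IRP (session 0)"}
    verdicts = {}
    for dump in irp_dumps:
        s = parse_irp(dump)
        state = "pending" if s.pending else "not pending"
        verdicts[s.irp] = f"{s.major_name} {state} on {s.driver}: {s.source}"
    return verdicts


# Constructed from the dumps on this page; zero-filled stack rows abbreviated.
SAMPLE_KBDCLASS = r"""15: kd> !irp fffffa802968b2e0
Irp is active with 7 stacks 7 is current (= 0xfffffa802968b560)
No Mdl: System buffer=fffffa8029688790: Thread fffffa80296821d0:  Irp stack trace.
cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000

   Args: 00000000 00000000 00000000 00000000
>[  3, 0]   0  1 fffffa8013703ce0 fffffa8029687670 00000000-00000000    pending
        \Driver\kbdclass
Args: 00000078 00000000 00000000 00000000
"""
SAMPLE_TERMDD = r"""15: kd> !irp fffffa801501ba30
Irp is active with 1 stacks 1 is current (= 0xfffffa801501bb00)
No Mdl: No System Buffer: Thread fffffa80168fbac0:  Irp stack trace.
cmd  flg cl Device   File     Completion-Context
>[  3, 0]   0  1 fffffa801370adb0 fffffa801705ef20 00000000-00000000    pending
        \Driver\TermDD
Args: 00000078 00000000 00000000 00000000
"""

if __name__ == "__main__":
    for irp, verdict in classify_raw_input([SAMPLE_KBDCLASS, SAMPLE_TERMDD]).items():
        print(irp, "->", verdict)
    print(classify_raw_input([]))
```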

Half-hash caching of passwords (p. 517)

logonsessions tool (pp. 519 - 520)

Reading Notebook: 31-May-10

Monday, May 31st, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Objects vs. account attributes, privilege vs. account right (p. 501)

NtRaiseHardError requires SeShutdownPrivilege (p. 508)

firmware environment variables (p. 508) - some more info: http://msdn.microsoft.com/en-us/library/ms724325(VS.85).aspx

Implication of Bypass Traverse Checking (SeNotifyPrivilege) (p. 509)

Elevated privileges don’t extend past machine boundaries (p. 510)

Reading Notebook: 26-May-10

Thursday, May 27th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Explicit ACE are ahead of inherited (p. 491)

Differences of inheritable ACE propagation AD objects (p. 491)

Ntmarta.dll: security inheritance support DLL (p. 492)

SeAccessCheck optimization: integrity check -> DACL check (p. 492)

Low and medium integrity processes can read high integrity objects (p. 493)

UIPI safe messages, shatter attacks, blocked (journal) hooks (pp. 493 - 494)

Owner Rights SID (pp. 495 - 496)

Importance of ACE ordering (pp. 497 - 498)

Security editors place Deny ACE on top, Advanced Settings and Effective Permissions (pp. 498 - 500)

AuthZ API: security model in user mode (pp. 500 - 501)

Reading Notebook: 25-May-10

Tuesday, May 25th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

No share access for impersonation: we need logon (p. 481)

S(ecure)QOS levels, SECURITY_CONTEXT_TRACKING (p. 482)

Integrity Level (client) <= Integrity Level (server) (pp. 482 - 483)

Restricted tokens -> filtered admin tokens (logon as admin with UAC) (pp. 483 - 484)

Callback, allowed(denied)-object (GUID-based for AD) ACEs (p. 487)

No DACL: full access, empty DACL: no access (p. 487)

System audit-object ACEs (p. 488)

Reading Notebook: 24-May-10

Monday, May 24th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Process integrity levels as SIDs (pp. 464 - 465)

Protected mode IE startup sequence (pp. 467 - 470) - ieuser.exe might block several iexplore.exe instances: http://www.dumpanalysis.org/blog/index.php/2009/02/11/stack-trace-collection-blocked-thread-and-coupled-processes-pattern-cooperation/

Integrity levels and mandatory policies for objects (pp. 471 - 473)

Many faces of an Administrator, filtered admin tokens (p. 474)

CreateProcessWithLogonW (p. 474)

The token source field (p. 476)

Token authentication and modified IDs (pp. 476 - 477) - token structure from x64 Windows Server R2:

0: kd> dt _TOKEN
nt!_TOKEN
+0x000 TokenSource      : _TOKEN_SOURCE
+0x010 TokenId          : _LUID
+0x018 AuthenticationId : _LUID
+0x020 ParentTokenId    : _LUID
+0x028 ExpirationTime   : _LARGE_INTEGER
+0x030 TokenLock        : Ptr64 _ERESOURCE
+0x038 ModifiedId       : _LUID
+0x040 Privileges       : _SEP_TOKEN_PRIVILEGES
+0x058 AuditPolicy      : _SEP_AUDIT_POLICY
+0x074 SessionId        : Uint4B
+0x078 UserAndGroupCount : Uint4B
+0x07c RestrictedSidCount : Uint4B
+0x080 VariableLength   : Uint4B
+0x084 DynamicCharged   : Uint4B
+0x088 DynamicAvailable : Uint4B
+0x08c DefaultOwnerIndex : Uint4B
+0x090 UserAndGroups    : Ptr64 _SID_AND_ATTRIBUTES
+0x098 RestrictedSids   : Ptr64 _SID_AND_ATTRIBUTES
+0x0a0 PrimaryGroup     : Ptr64 Void
+0x0a8 DynamicPart      : Ptr64 Uint4B
+0x0b0 DefaultDacl      : Ptr64 _ACL
+0x0b8 TokenType        : _TOKEN_TYPE
+0x0bc ImpersonationLevel : _SECURITY_IMPERSONATION_LEVEL
+0x0c0 TokenFlags       : Uint4B
+0x0c4 TokenInUse       : UChar
+0x0c8 IntegrityLevelIndex : Uint4B
+0x0cc MandatoryPolicy  : Uint4B
+0x0d0 LogonSession     : Ptr64 _SEP_LOGON_SESSION_REFERENCES
+0x0d8 OriginatingLogonSession : _LUID
+0x0e0 SidHash          : _SID_AND_ATTRIBUTES_HASH
+0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH
+0x300 pSecurityAttributes : Ptr64 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
+0x308 VariablePart     : Uint8B

Reading Notebook: 12-May-10

Thursday, May 13th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SAS -> winlogon.exe starts LogonUI.exe (p. 455) - Here are winlogon.exe threads on x64 W2K8 R2 before SAS:

THREAD fffffa8003cf7060  Cid 01d0.01d4  Teb: 000007fffffdd000 Win32Thread: fffff900c00df900 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8004991c90  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8003cf65a0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      8831           Ticks: 21731 (0:00:05:39.005)
Context Switch Count      424                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.015
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff36ec08)
Stack Init fffff88003595db0 Current fffff88003595900
Base fffff88003596000 Limit fffff8800358c000 Call 0
Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffff880`03595940 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`03595a80 fffff800`01ac58af nt!KiCommitThreadWait+0x1d2
fffff880`03595b10 fffff800`01db7db2 nt!KeWaitForSingleObject+0x19f
fffff880`03595bb0 fffff800`01abb853 nt!NtWaitForSingleObject+0xb2
fffff880`03595c20 00000000`77bafefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03595c20)
00000000`0018f778 000007fe`fdc910ac ntdll!NtWaitForSingleObject+0xa
00000000`0018f780 00000000`ff3619ad KERNELBASE!WaitForSingleObjectEx+0x79
00000000`0018f820 00000000`ff3616e8 winlogon!SignalManagerWaitForSignal+0x135
00000000`0018f860 00000000`ff36b8b0 winlogon!StateMachineRun+0x404
00000000`0018fb80 00000000`ff36ed85 winlogon!WinMain+0x13a3
00000000`0018fcf0 00000000`77a5f56d winlogon!I_WMsgkSendMessage+0x252
00000000`0018fdb0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`0018fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800498a060  Cid 01d0.0320  Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa800497bef0  SynchronizationTimer
fffffa8004988060  SynchronizationTimer
fffffa8004bfe2a0  NotificationEvent
fffffa8003c783b0  SynchronizationEvent
fffffa8003c78310  SynchronizationEvent
fffffa8003c78450  SynchronizationEvent
fffffa80049894c0  SynchronizationTimer
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8003cf65a0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      19271          Ticks: 11291 (0:00:02:56.140)
Context Switch Count      16
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000077b79a90)
Stack Init fffff88004006db0 Current fffff88004005fd0
Base fffff88004007000 Limit fffff88004001000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`04006010 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`04006150 fffff800`01abfc4b nt!KiCommitThreadWait+0x1d2
fffff880`040061e0 fffff800`01db8ecf nt!KeWaitForMultipleObjects+0x271
fffff880`04006490 fffff800`01db97d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04006960 fffff800`01abb853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04006bb0 00000000`77bb046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04006c20)
00000000`0139f848 00000000`77b79bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`0139f850 00000000`77a5f56d ntdll!TppWaiterpThread+0x14d
00000000`0139faf0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`0139fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8004ed7060  Cid 01d0.0a58  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa800489ac20  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8003cf65a0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      27861          Ticks: 2701 (0:00:00:42.135)
Context Switch Count      4
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077b78f00)
Stack Init fffff88003555db0 Current fffff880035557d0
Base fffff88003556000 Limit fffff88003550000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`03555810 fffff800`01ac3752 nt!KiSwapContext+0x7a
fffff880`03555950 fffff800`01ac71c1 nt!KiCommitThreadWait+0x1d2
fffff880`035559e0 fffff800`01db89d7 nt!KeRemoveQueueEx+0x301
fffff880`03555a90 fffff800`01acc996 nt!IoRemoveIoCompletion+0x47
fffff880`03555b20 fffff800`01abb853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`03555c20 00000000`77bb17ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03555c20)
00000000`00dcfa18 00000000`77b7914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`00dcfa20 00000000`77a5f56d ntdll!TppWorkerThread+0x2c9
00000000`00dcfd20 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd
00000000`00dcfd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Here are main threads from both processes on x64 W2K8 R2 after SAS (I brought up the change password dialog):

THREAD fffffa8004888770  Cid 01c0.01c4  Teb: 000007fffffde000 Win32Thread: fffff900c00d9c30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80049c25c0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      3202                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.218
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffc2ec08)
Stack Init fffff880031acdb0 Current fffff880031ac900
Base fffff880031ad000 Limit fffff880031a7000 Call 0
Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`031ac940 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`031aca80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`031acb10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f
fffff880`031acbb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2
fffff880`031acc20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`031acc20)
00000000`0023f398 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa
00000000`0023f3a0 00000000`ffc219ad KERNELBASE!WaitForSingleObjectEx+0x79
00000000`0023f440 00000000`ffc216e8 winlogon!SignalManagerWaitForSignal+0x135
00000000`0023f480 00000000`ffc2b8b0 winlogon!StateMachineRun+0x404
00000000`0023f7a0 00000000`ffc2ed85 winlogon!WinMain+0x13a3
00000000`0023f910 00000000`76bdf56d winlogon!I_WMsgkSendMessage+0x252
00000000`0023f9d0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0023fa00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80049ba060  Cid 01c0.0304  Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa80049b87e0  SynchronizationTimer
fffffa80049b4650  SynchronizationTimer
fffffa8004e81e20  NotificationEvent
fffffa8004edcbf0  SynchronizationEvent
fffffa8004edcb50  SynchronizationEvent
fffffa8004edcc90  SynchronizationEvent
fffffa80049b8670  SynchronizationTimer
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34428081       Ticks: 238645 (0:01:02:02.885)
Context Switch Count      175
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90)
Stack Init fffff88004193db0 Current fffff88004192fd0
Base fffff88004194000 Limit fffff8800418e000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffff880`04193010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`04193150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`041931e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`04193490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04193960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04193bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04193c20)
00000000`00d2fb38 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`00d2fb40 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d
00000000`00d2fde0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`00d2fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005b8e810  Cid 01c0.12d4  Teb: 000007fffffdc000 Win32Thread: fffff900c37a6250 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa8005b8ebd0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8a00c87e750 : queued at port fffffa800661ec60 : owned by process fffffa8005f442b0
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      150                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff88006c8edb0 Current fffff88006c8e620
Base fffff88006c8f000 Limit fffff88006c87000 Call 0
Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`06c8e660 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`06c8e7a0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`06c8e830 fffff800`01aedbef nt!KeWaitForSingleObject+0x19f
fffff880`06c8e8d0 fffff800`01dd6a36 nt!AlpcpSignalAndWait+0x8f
fffff880`06c8e980 fffff800`01dd49c0 nt!AlpcpReceiveSynchronousReply+0x46
fffff880`06c8e9e0 fffff800`01dd1f3b nt!AlpcpProcessSynchronousRequest+0x33d
fffff880`06c8eb00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1ab
fffff880`06c8ebb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06c8ec20)
00000000`0103f298 000007fe`fea8aa76 ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`0103f2a0 000007fe`feb2cb64 RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`0103f360 000007fe`feb2cd55 RPCRT4!NdrpClientCall3+0x244
00000000`0103f620 00000000`ffc24979 RPCRT4!NdrClientCall3+0xf2
00000000`0103f9b0 00000000`ffc4e781 winlogon!WluiRequestCredentials+0x71
00000000`0103fa20 00000000`ffc21d04 winlogon!WLGeneric_Request_Change_Credz_Execute+0xa5
00000000`0103fa90 00000000`76df0fb4 winlogon!StateMachineWorkerCallback+0x7f
00000000`0103fac0 00000000`76df4b1f ntdll!TppWorkpExecuteCallback+0xa4
00000000`0103fb20 00000000`76bdf56d ntdll!TppWorkerThread+0x6c9
00000000`0103fe20 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0103fe50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006480640  Cid 01c0.131c  Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa80042479a0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664380       Ticks: 2346 (0:00:00:36.597)
Context Switch Count      2
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800715ddb0 Current fffff8800715d7d0
Base fffff8800715e000 Limit fffff88007158000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0715d810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0715d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0715d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0715da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0715db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0715dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0715dc20)
00000000`010bf908 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`010bf910 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`010bfc10 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`010bfc40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005916290  Cid 01c0.0c04  Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa80042479a0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80048879d0       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      3
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff88007126db0 Current fffff880071267d0
Base fffff88007127000 Limit fffff88007121000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`07126810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`07126950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`071269e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`07126a90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`07126b20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`07126c20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07126c20)
00000000`009cfaa8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`009cfab0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`009cfdb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`009cfde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

We now see the new thread fffffa8005b8e810 waiting for an ALPC message fffff8a00c87e750:

0: kd> !alpc /m fffff8a00c87e750

Message @ fffff8a00c87e750
MessageID             : 0x0534 (1332)
CallbackID            : 0x14152C5 (21058245)
SequenceNumber        : 0x00000006 (6)
Type                  : LPC_REQUEST
DataLength            : 0x0060 (96)
TotalLength           : 0x0088 (136)
Canceled              : No
Release               : No
ReplyWaitReply        : No
Continuation          : Yes
OwnerPort             : fffffa80065696c0 [ALPC_CLIENT_COMMUNICATION_PORT]
WaitingThread         : fffffa8005b8e810
QueueType             : ALPC_MSGQUEUE_PENDING
QueuePort             : fffffa800661ec60 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe)
  ServerThread          : fffffa8005a9b2a0
QuotaCharged          : No
CancelQueuePort       : 0000000000000000
CancelSequencePort    : 0000000000000000
CancelSequenceNumber  : 0x00000000 (0)
ClientContext         : 00000000003f5b30
ServerContext         : 0000000000000000
PortContext           : 00000000015e2640
CancelPortContext     : 0000000000000000
SecurityData          : 0000000000000000
View                  : 0000000000000000

The server thread is fffffa8005a9b2a0 and is owned by LogonUI.exe. Here are all threads in that process, with the credential provider threads highlighted:

THREAD fffffa8005f47b60  Cid 06d0.13e0  Teb: 000007fffffde000 Win32Thread: fffff900c1d6ec30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80065be260  SynchronizationEvent
fffffa8005bf6240  SynchronizationEvent
fffffa8005bcbc70  SynchronizationEvent
fffffa80052a9dc0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34666693       Ticks: 33 (0:00:00:00.514)
Context Switch Count      722                 LargeStack
UserTime                  00:00:00.171
KernelTime                00:00:00.140
Win32 Start Address LogonUI!wWinMainCRTStartup (0x00000000ffb45c58)
Stack Init fffff88004911db0 Current fffff88004910fd0
Base fffff88004912000 Limit fffff88004908000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`04911010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`04911150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`049111e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`04911490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`04911960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`04911bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04911c20)
00000000`001bf708 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`001bf710 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`001bf810 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`001bf8a0 000007fe`fae19ecd USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`001bf940 000007fe`fae19d8e DUser!CoreSC::DUIMsgWaitForMultipleObjectsEx+0x17c
00000000`001bf9f0 00000000`76cf9079 DUser!MphMsgWaitForMultipleObjectsEx+0x7a
00000000`001bfa30 000007fe`fb8e407b USER32!MsgWaitForMultipleObjectsEx+0x37
00000000`001bfa70 000007fe`fb8e407b authui!CLogonFrame::DoModal+0x67
00000000`001bfaf0 000007fe`fb8e4f6c authui!CLogonUI_CreateThenDoModalThenDestroy+0x299
00000000`001bfb50 00000000`ffb454df authui!CLogonUI::DoModal+0x73
00000000`001bfb80 00000000`ffb45ae6 LogonUI!wWinMain+0xfb
00000000`001bfbe0 00000000`76bdf56d LogonUI!ParseCommandLineToStringArrayLocalAlloc+0x33a
00000000`001bfca0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`001bfcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006595720  Cid 06d0.1158  Teb: 000007fffffdc000 Win32Thread: fffff900c35105f0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8005cad160  SynchronizationEvent
fffffa8005618d30  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664381       Ticks: 2345 (0:00:00:36.582)
Context Switch Count      2                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address msvcrt!endthreadex (0x000007feff0573fc)
Stack Init fffff88005638db0 Current fffff88005637fd0
Base fffff88005639000 Limit fffff88005632000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05638010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05638150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`056381e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`05638490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`05638960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`05638bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05638c20)
00000000`00eaf4d8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`00eaf4e0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`00eaf5e0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`00eaf670 000007fe`fae114e6 USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`00eaf710 000007fe`fae116b2 DUser!CoreSC::Wait+0x62
00000000`00eaf760 000007fe`fae205dd DUser!CoreSC::xwProcessNL+0xed
00000000`00eaf7d0 000007fe`fae20500 DUser!GetMessageExA+0x7b
00000000`00eaf820 000007fe`ff0542bf DUser!ResourceManager::SharedThreadProc+0xe8
00000000`00eaf8b0 000007fe`ff057459 msvcrt!endthreadex+0x47
00000000`00eaf8e0 00000000`76bdf56d msvcrt!endthreadex+0xe0
00000000`00eaf910 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`00eaf940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006646060  Cid 06d0.1174  Teb: 000007fffffda000 Win32Thread: fffff900c397bc30 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80059522e0  SynchronizationEvent
fffffa80061cf2d0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664855       Ticks: 1871 (0:00:00:29.187)
Context Switch Count      101                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.015
Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefb8e51c0)
Stack Init fffff880057addb0 Current fffff880057acfd0
Base fffff880057ae000 Limit fffff880057a6000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`057ad010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`057ad150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`057ad1e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`057ad490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`057ad960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`057adbb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`057adc20)
00000000`02c5f9b8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`02c5f9c0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`02c5fac0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`02c5fb50 00000000`76cf905a USER32!RealMsgWaitForMultipleObjectsEx+0x12a
00000000`02c5fbf0 000007fe`febdb46a USER32!MsgWaitForMultipleObjectsEx+0x46
00000000`02c5fc30 000007fe`fecfa542 ole32!CCliModalLoop::BlockFn+0xc2
00000000`02c5fc80 000007fe`fb8e4bc1 ole32!CoWaitForMultipleHandles+0x102
00000000`02c5fd90 000007fe`fb8e4a4a authui!InternalCoWaitForSingleHandle+0x31
00000000`02c5fdd0 000007fe`fb8e51c9 authui!CCredentialProviderThread::_vThreadProc+0xbf
00000000`02c5fe10 00000000`76bdf56d authui!CCredentialProviderThread::_sThreadProc+0x9
00000000`02c5fe40 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02c5fe70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005a9b2a0  Cid 06d0.1248  Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800559c800  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664851       Ticks: 1875 (0:00:00:29.250)
Context Switch Count      12                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff88005871db0 Current fffff88005871900
Base fffff88005872000 Limit fffff8800586b000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05871940 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05871a80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`05871b10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f
fffff880`05871bb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2
fffff880`05871c20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05871c20)
00000000`02aee898 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa
00000000`02aee8a0 000007fe`fb8e4586 KERNELBASE!WaitForSingleObjectEx+0x79
00000000`02aee940 000007fe`fb8e891c authui!InternalWaitForSingleObject+0x26
00000000`02aee980 000007fe`fb8e8ac4 authui!WPP_SF_qqddd+0x157d
00000000`02aee9e0 000007fe`fea7c7f5 authui!WluirRequestCredentials+0x44
00000000`02aeea20 000007fe`feb2b62e RPCRT4!Invoke+0x65
00000000`02aeeaa0 000007fe`fea74070 RPCRT4!Ndr64StubWorker+0x61b
00000000`02aef060 000007fe`fea79c24 RPCRT4!NdrServerCallAll+0x40
00000000`02aef0b0 000007fe`fea79d86 RPCRT4!DispatchToStubInCNoAvrf+0x14
00000000`02aef0e0 000007fe`fea7c44b RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146
00000000`02aef200 000007fe`fea7c38b RPCRT4!RPC_INTERFACE::DispatchToStub+0x9b
00000000`02aef240 000007fe`fea7c322 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x5b
00000000`02aef2c0 000007fe`fea7a11d RPCRT4!LRPC_SCALL::DispatchRequest+0x422
00000000`02aef3a0 000007fe`fea87ddf RPCRT4!LRPC_SCALL::HandleRequest+0x20d
00000000`02aef4d0 000007fe`fea87995 RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf
00000000`02aef610 00000000`76dfb43b RPCRT4!LrpcIoComplete+0xa5
00000000`02aef6a0 00000000`76df923f ntdll!TppAlpcpExecuteCallback+0x26b
00000000`02aef730 00000000`76bdf56d ntdll!TppWorkerThread+0x3f8
00000000`02aefa30 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02aefa60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005941a10  Cid 06d0.0f10  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa800663a9a0  SynchronizationTimer
fffffa8005881650  SynchronizationTimer
fffffa8006577ef0  SynchronizationTimer
fffffa8005a93bd0  NotificationEvent
fffffa80063f6450  SynchronizationEvent
fffffa80058fe4c0  SynchronizationEvent
fffffa80064c0290  SynchronizationEvent
fffffa8004e49e90  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664421       Ticks: 2305 (0:00:00:35.958)
Context Switch Count      11
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90)
Stack Init fffff88006946db0 Current fffff88006945fd0
Base fffff88006947000 Limit fffff88006941000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`06946010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`06946150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`069461e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`06946490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`06946960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`06946bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06946c20)
00000000`02dbf718 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa
00000000`02dbf720 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d
00000000`02dbf9c0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02dbf9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80056de060  Cid 06d0.0ba8  Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8005f7d3e0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664389       Ticks: 2337 (0:00:00:36.457)
Context Switch Count      5
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800569ddb0 Current fffff8800569d7d0
Base fffff8800569e000 Limit fffff88005698000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0569d810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0569d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0569d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0569da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0569db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0569dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0569dc20)
00000000`035cfbb8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`035cfbc0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`035cfec0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`035cfef0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005ccfa10  Cid 06d0.03a0  Teb: 000007fffffd8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8005f7d3e0  QueueObject
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664420       Ticks: 2306 (0:00:00:35.973)
Context Switch Count      7
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00)
Stack Init fffff8800459bdb0 Current fffff8800459b7d0
Base fffff8800459c000 Limit fffff88004596000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0459b810 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0459b950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2
fffff880`0459b9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301
fffff880`0459ba90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47
fffff880`0459bb20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`0459bc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0459bc20)
00000000`02e5f8c8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000000`02e5f8d0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9
00000000`02e5fbd0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02e5fc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800662a800  Cid 06d0.0a54  Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable
fffffa800662aad8  Semaphore Limit 0x2
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664389       Ticks: 2337 (0:00:00:36.457)
Context Switch Count      1
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x000007fefebf3570)
Stack Init fffff8800568fdb0 Current fffff8800568f970
Base fffff88005690000 Limit fffff8800568a000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0568f9b0 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`0568faf0 fffff800`01ad8e56 nt!KiCommitThreadWait+0x1d2
fffff880`0568fb80 fffff800`01dcacee nt!KeDelayExecutionThread+0x186
fffff880`0568fbf0 fffff800`01ace853 nt!NtDelayExecution+0x59
fffff880`0568fc20 00000000`76e301fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0568fc20)
00000000`0371fa68 000007fe`fd081203 ntdll!NtDelayExecution+0xa
00000000`0371fa70 000007fe`febeea00 KERNELBASE!SleepEx+0xab
00000000`0371fb10 000007fe`febf2046 ole32!CROIDTable::WorkerThreadLoop+0x10
00000000`0371fb40 000007fe`febf358a ole32!CRpcThread::WorkerLoop+0x1e
00000000`0371fb80 00000000`76bdf56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
00000000`0371fbb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0371fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80063a4490  Cid 06d0.0ca0  Teb: 000007fffffa8000 Win32Thread: fffff900c1fffc30 WAIT: (WrLpcReceive) UserMode Non-Alertable
fffffa80063a4850  Semaphore Limit 0x1
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664404       Ticks: 2322 (0:00:00:36.223)
Context Switch Count      11                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address MSCTF!CCtfServerPort::StaticServerThread (0x000007fefe959274)
Stack Init fffff88005b30db0 Current fffff88005b30750
Base fffff88005b31000 Limit fffff88005b2a000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05b30790 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05b308d0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2
fffff880`05b30960 fffff800`01dcf329 nt!KeWaitForSingleObject+0x19f
fffff880`05b30a00 fffff800`01dd0a37 nt!AlpcpReceiveMessagePort+0x189
fffff880`05b30a60 fffff800`01dd1f76 nt!AlpcpReceiveMessage+0x2d4
fffff880`05b30b00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1e6
fffff880`05b30bb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b30c20)
00000000`0390e7b8 000007fe`fe9426a9 ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`0390e7c0 000007fe`fe959417 MSCTF!CCtfServerPort::ServerLoop+0x16c
00000000`0390f8e0 000007fe`fe959296 MSCTF!CCtfServerPort::ServerThread+0x15b
00000000`0390fc20 00000000`76bdf56d MSCTF!CCtfServerPort::StaticServerThread+0x28
00000000`0390fc50 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`0390fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800489eb60  Cid 06d0.13b8  Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8005833be0  NotificationEvent
fffffa8005a03ad0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34664421       Ticks: 2305 (0:00:00:35.958)
Context Switch Count      19
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007feed747028)
Stack Init fffff88005894db0 Current fffff88005893fd0
Base fffff88005895000 Limit fffff8800588f000 Call 0
Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05894010 fffff800`01ad6752 nt!KiSwapContext+0x7a
fffff880`05894150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2
fffff880`058941e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271
fffff880`05894490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294
fffff880`05894960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5
fffff880`05894bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05894c20)
00000000`02d1f948 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa
00000000`02d1f950 00000000`76bcf190 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`02d1fa50 000007fe`ed746b84 kernel32!WaitForMultipleObjects+0xb0
00000000`02d1fae0 000007fe`ed747059 SmartcardCredentialProvider!I_ReaderMonitorWorker+0x9c
00000000`02d1fb80 00000000`76bdf56d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0x31
00000000`02d1fbc0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd
00000000`02d1fbf0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

So, in memory dump analysis pattern terminology, these 2 processes are strongly coupled, and this fact can be used for analyzing logon problems in terminal services environments: http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/
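As an added example (not part of the original entry), here is a small parser that extracts the client/server coupling from the !alpc /m output quoted above and resolves both thread addresses to their owning processes from !thread-style headers. The LogonUI.exe header is copied from the dump above; the winlogon.exe header is constructed (only its thread address and owning process are given in the entry).

```python
import re

# Constructed sample: the "!alpc /m" output quoted above, reduced to the
# fields the coupling analysis needs.
ALPC_MESSAGE_DUMP = """\
Message @ fffff8a00c87e750
MessageID             : 0x0534 (1332)
Type                  : LPC_REQUEST
OwnerPort             : fffffa80065696c0 [ALPC_CLIENT_COMMUNICATION_PORT]
WaitingThread         : fffffa8005b8e810
QueueType             : ALPC_MSGQUEUE_PENDING
QueuePort             : fffffa800661ec60 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe)
  ServerThread          : fffffa8005a9b2a0
"""

# Constructed sample: "!thread"-style headers for the two threads named in the
# message. The winlogon.exe header is assumed (Cid, Teb and wait reason are
# made up); the LogonUI.exe header is copied from the dump above.
THREAD_DUMP = """\
THREAD fffffa8005b8e810  Cid 01c0.0b18  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
Not impersonating
Owning Process            fffffa80048879d0       Image:         winlogon.exe
THREAD fffffa8005a9b2a0  Cid 06d0.1248  Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800559c800  NotificationEvent
Not impersonating
Owning Process            fffffa8005f442b0       Image:         LogonUI.exe
"""

FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$", re.M)
THREAD_RE = re.compile(
    r"^THREAD ([0-9a-f]+)\b.*?^Owning Process\s+([0-9a-f]+)\s+Image:\s+(\S+)", re.M | re.S)


def parse_alpc_message(dump):
    """Pull the routing fields out of one "!alpc /m" message dump."""
    fields = dict(FIELD_RE.findall(dump))
    owner = re.fullmatch(r"([0-9a-f]+) \((.+)\)", fields["QueuePortOwnerProcess"])
    if owner is None:
        raise ValueError("QueuePortOwnerProcess has no image name")
    return {
        "message": re.search(r"Message @ ([0-9a-f]+)", dump).group(1),
        "type": fields["Type"],
        "queue_type": fields["QueueType"],
        "waiting_thread": fields["WaitingThread"],
        "server_thread": fields["ServerThread"],
        "server_process": owner.group(1),
        "server_image": owner.group(2),
    }


def thread_owners(dump):
    """Map thread address -> (owning process address, image name) from "!thread" headers."""
    return {t: (p, img) for t, p, img in THREAD_RE.findall(dump)}


def coupling_edge(message, owners):
    """The inter-process dependency one LPC_REQUEST represents: the client
    thread sleeps until the server thread replies."""
    if message["type"] != "LPC_REQUEST":
        raise ValueError("only request messages couple a client to a server")
    client_proc, client_image = owners.get(message["waiting_thread"], (None, None))
    server_proc, server_image = owners.get(
        message["server_thread"], (message["server_process"], message["server_image"]))
    if server_proc != message["server_process"]:
        raise ValueError("server thread is not owned by the queue port's owner process")
    return {
        "message": message["message"],
        "client": (client_proc, client_image, message["waiting_thread"]),
        "server": (server_proc, server_image, message["server_thread"]),
        # PENDING queue: the server has dequeued the request and not yet replied
        "in_progress": message["queue_type"] == "ALPC_MSGQUEUE_PENDING",
    }


def describe(edge):
    c, s = edge["client"], edge["server"]
    state = "being handled by" if edge["in_progress"] else "queued for"
    return "%s thread %s waits for a reply; the request is %s %s thread %s" % (
        c[1] or "<unknown>", c[2], state, s[1], s[2])


if __name__ == "__main__":
    print(describe(coupling_edge(parse_alpc_message(ALPC_MESSAGE_DUMP),
                                 thread_owners(THREAD_DUMP))))
```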

intrauser isolation (p. 459)

file object security (p. 460) - here is an example from x64 W2K8 R2:

0: kd> !handle
[...]
0008: Object: fffffa800658e070  GrantedAccess: 00100020 Entry: fffff8a00445d020
Object: fffffa800658e070  Type: (fffffa8003c0dde0) File
ObjectHeader: fffffa800658e040 (new version)
HandleCount: 1  PointerCount: 1
Directory Object: 00000000  Name: \DL\Notmyfault\exe\x64\Release {HarddiskVolume2}
[…]
001c: Object: fffffa8005f44ee0  GrantedAccess: 001f0003 (Protected) Entry: fffff8a00445d070
Object: fffffa8005f44ee0  Type: (fffffa8003c00570) Event
ObjectHeader: fffffa8005f44eb0 (new version)
HandleCount: 1  PointerCount: 2
[…]

0: kd> dt _OBJECT_TYPE fffffa8003c0dde0
ntdll!_OBJECT_TYPE
+0x000 TypeList         : _LIST_ENTRY [ 0xfffffa80`03c0dde0 - 0xfffffa80`03c0dde0 ]
+0x010 Name             : _UNICODE_STRING "File"
+0x020 DefaultObject    : 0x00000000`00000098
+0x028 Index            : 0x1c ''
+0x02c TotalNumberOfObjects : 0x5645
+0x030 TotalNumberOfHandles : 0x89e
+0x034 HighWaterNumberOfObjects : 0x5baf
+0x038 HighWaterNumberOfHandles : 0x8b5
+0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
+0x0b0 TypeLock         : _EX_PUSH_LOCK
+0x0b8 Key              : 0x656c6946
+0x0c0 CallbackList     : _LIST_ENTRY [ 0xfffffa80`03c0dea0 - 0xfffffa80`03c0dea0 ]

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c0dde0+40
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length           : 0x70
+0x002 ObjectTypeFlags  : 0x11 ''
+0x002 CaseInsensitive  : 0y1
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y0
+0x002 MaintainHandleCount : 0y1
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode   : 1
+0x008 InvalidAttributes : 0x130
+0x00c GenericMapping   : _GENERIC_MAPPING
+0x01c ValidAccessMask  : 0x1f01ff
+0x020 RetainAccess     : 0
+0x024 PoolType         : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0x400
+0x02c DefaultNonPagedPoolCharge : 0x180
+0x030 DumpProcedure    : (null)
+0x038 OpenProcedure    : (null)
+0x040 CloseProcedure   : 0xfffff800`01de6890     void  nt!IopCloseFile+0
+0x048 DeleteProcedure  : 0xfffff800`01de6610     void  nt!IopDeleteFile+0
+0x050 ParseProcedure   : 0xfffff800`01df7370     long  nt!IopParseFile+0
+0x058 SecurityProcedure : 0xfffff800`01db7130     long  nt!IopGetSetSecurityObject+0
+0x060 QueryNameProcedure : 0xfffff800`01db7470     long  nt!IopQueryName+0
+0x068 OkayToCloseProcedure : (null)

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c00570+40
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length           : 0x70
+0x002 ObjectTypeFlags  : 0 ''
+0x002 CaseInsensitive  : 0y0
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y0
+0x002 MaintainHandleCount : 0y0
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode   : 2
+0x008 InvalidAttributes : 0x100
+0x00c GenericMapping   : _GENERIC_MAPPING
+0x01c ValidAccessMask  : 0x1f0003
+0x020 RetainAccess     : 0
+0x024 PoolType         : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0
+0x02c DefaultNonPagedPoolCharge : 0x70
+0x030 DumpProcedure    : (null)
+0x038 OpenProcedure    : (null)
+0x040 CloseProcedure   : (null)
+0x048 DeleteProcedure  : (null)
+0x050 ParseProcedure   : (null)
+0x058 SecurityProcedure : 0xfffff800`01d97070     long  nt!SeDefaultObjectMethod+0
+0x060 QueryNameProcedure : (null)
+0x068 OkayToCloseProcedure : (null)
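The GrantedAccess values in the !handle output above can be checked against the ValidAccessMask of the type's _OBJECT_TYPE_INITIALIZER. As an added example (not from the original entry), here is a decoder that names the rights in each handle's mask and flags bits the type does not permit, with the File and Event masks taken from the dumps above; the ACCESS_MASK bit names are from winnt.h.

```python
import re

# Rights common to every object type: bits 16-20 of an ACCESS_MASK (winnt.h).
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# These are mapped away by the object manager at open time, so they should
# never show up in a handle's GrantedAccess.
UNMAPPED_BITS = {
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Type-specific rights (low 16 bits) plus the ValidAccessMask shown in the
# _OBJECT_TYPE_INITIALIZER dumps above for the File and Event types.
OBJECT_TYPES = {
    "File": ({
        0x0001: "FILE_READ_DATA | FILE_LIST_DIRECTORY",
        0x0002: "FILE_WRITE_DATA | FILE_ADD_FILE",
        0x0004: "FILE_APPEND_DATA | FILE_ADD_SUBDIRECTORY",
        0x0008: "FILE_READ_EA",
        0x0010: "FILE_WRITE_EA",
        0x0020: "FILE_EXECUTE | FILE_TRAVERSE",
        0x0040: "FILE_DELETE_CHILD",
        0x0080: "FILE_READ_ATTRIBUTES",
        0x0100: "FILE_WRITE_ATTRIBUTES",
    }, 0x001F01FF),
    "Event": ({
        0x0001: "EVENT_QUERY_STATE",
        0x0002: "EVENT_MODIFY_STATE",
    }, 0x001F0003),
}

# Sample "!handle" output, copied from the two entries quoted above.
HANDLE_DUMP = """\
0008: Object: fffffa800658e070  GrantedAccess: 00100020 Entry: fffff8a00445d020
Object: fffffa800658e070  Type: (fffffa8003c0dde0) File
ObjectHeader: fffffa800658e040 (new version)
HandleCount: 1  PointerCount: 1
Directory Object: 00000000  Name: \\DL\\Notmyfault\\exe\\x64\\Release {HarddiskVolume2}
001c: Object: fffffa8005f44ee0  GrantedAccess: 001f0003 (Protected) Entry: fffff8a00445d070
Object: fffffa8005f44ee0  Type: (fffffa8003c00570) Event
ObjectHeader: fffffa8005f44eb0 (new version)
HandleCount: 1  PointerCount: 2
"""

HANDLE_RE = re.compile(
    r"^([0-9a-f]{4}): Object: ([0-9a-f]+)\s+GrantedAccess: ([0-9a-f]{8})( \(Protected\))?"
    r".*\n\s*Object: [0-9a-f]+\s+Type: \([0-9a-f]+\) (\w+)", re.M)


def decode_access_mask(mask, type_name):
    """Name the rights in a granted ACCESS_MASK for the given object type and
    report any bits outside the type's ValidAccessMask."""
    specific, valid = OBJECT_TYPES[type_name]
    return {
        "rights": [n for b, n in {**specific, **STANDARD_RIGHTS}.items() if mask & b],
        "unmapped": [n for b, n in UNMAPPED_BITS.items() if mask & b],
        "invalid_bits": mask & ~valid & 0xFFFFFFFF,
        "all_access": (mask & valid) == valid,   # e.g. EVENT_ALL_ACCESS == 0x1F0003
    }


def audit_handles(dump):
    """Decode every handle in "!handle" output; "(Protected)" marks a handle
    flagged protect-from-close."""
    report = []
    for handle, obj, granted, protected, type_name in HANDLE_RE.findall(dump):
        mask = int(granted, 16)
        entry = {"handle": handle, "object": obj, "type": type_name,
                 "protected": bool(protected), "granted": mask}
        if type_name in OBJECT_TYPES:
            entry.update(decode_access_mask(mask, type_name))
        else:
            entry["rights"] = None   # type not modelled in OBJECT_TYPES
        report.append(entry)
    return report


if __name__ == "__main__":
    for h in audit_handles(HANDLE_DUMP):
        print(h["handle"], h["type"], "%08x" % h["granted"], h["rights"])
```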

SID = SVAS*-RID, S-Version-Authority-Subauthority*-RelativeID (pp. 461 - 462)

PsGetSid (p. 463)

Administrator SID = Machine SID + '-500' (p. 463) - here's my test (real computer name has been changed to COMPUTER):

C:\PsTools>PsGetSid COMPUTER

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for COMPUTER\COMPUTER:
S-1-5-21-30...49-19...94-15...96

C:\PsTools>PsGetSid S-1-5-21-30...49-19...94-15...96-500

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Account for COMPUTER\S-1-5-21-30...49-19...94-15...96-500:
User: COMPUTER\Administrator
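The S-Version-Authority-Subauthority*-RelativeID layout and the "Machine SID + '-500'" rule from the two notes above, as an added example that is not part of the original entry: a SID string parser with conversion to and from the binary form found in tokens, ACLs and the registry, plus helpers that strip or append the RID. The machine SID used in the comments is a constructed value, not the one from the PsGetSid test.

```python
import struct

SID_REVISION = 1
SECURITY_NT_AUTHORITY = 5
SECURITY_NT_NON_UNIQUE = 21      # first sub-authority of every machine/domain SID
# RIDs that mean the same thing relative to any machine or domain SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def parse_sid(text):
    """'S-Revision-Authority-SubAuthority*' -> (revision, authority, [sub-authorities])."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # authority is a 48-bit field; at most 15 sub-authorities fit in a SID
    if revision != SID_REVISION or not 0 <= authority < 1 << 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def sid_to_bytes(revision, authority, subs):
    """Binary SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
    SubAuthority[count] (4 bytes each, little-endian)."""
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    revision, count = data[0], data[1]
    if len(data) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, data, 8))
    return revision, authority, subs


def machine_sid(sid):
    """Strip the RID: S-1-5-21-A-B-C-RID -> S-1-5-21-A-B-C (a bare machine SID is returned as is)."""
    revision, authority, subs = parse_sid(sid)
    if (authority != SECURITY_NT_AUTHORITY or len(subs) not in (4, 5)
            or subs[0] != SECURITY_NT_NON_UNIQUE):
        raise ValueError("not an NT machine/domain or account SID: %r" % sid)
    return format_sid(revision, authority, subs[:4])


def account_sid(machine, rid):
    """Machine SID + '-RID'; RID 500 gives the built-in Administrator, as in the test above."""
    if machine_sid(machine) != machine:
        raise ValueError("expected a machine/domain SID, got an account SID")
    return "%s-%d" % (machine, rid)


def relative_id(sid):
    """The RID of an account SID, or None for a bare machine/domain SID."""
    _, _, subs = parse_sid(sid)
    machine_sid(sid)                 # validates the S-1-5-21-... shape
    return subs[4] if len(subs) == 5 else None


def well_known_account(sid):
    """Name the well-known relative account (Administrator, Guest, ...) a SID refers to, if any."""
    return WELL_KNOWN_RIDS.get(relative_id(sid))


if __name__ == "__main__":
    machine = "S-1-5-21-1004336348-1177238915-682003330"   # constructed machine SID
    admin = account_sid(machine, 500)
    print(admin, "->", well_known_account(admin), sid_to_bytes(*parse_sid(admin)).hex())
```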

Reading Notebook: 09-April-10

Saturday, April 10th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Hard CPU limits per-session, -user and -system (pp. 444-445)

Security and user-interface limits on jobs (p. 447)

job objects (pp. 447 - 450) - we can dump all processes via the !process 0 1 command and look for “Job ” in the output, as in this example from my x64 W2K8 system:

1: kd> !process 0 1

PROCESS fffffa8004e28c10
SessionId: 1  Cid: 0a70    Peb: 7fffffd8000  ParentCid: 09ec
DirBase: 93cfb000  ObjectTable: fffff88008ec2a20  HandleCount: 405.
Image: MSASCui.exe
VadRoot fffffa8004de0390 Vads 106 Clone 0 Private 1932. Modified 352. Locked 0.
DeviceMap fffff88008479c90
Token                             fffff88008edb060
ElapsedTime                       00:03:15.554
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         197440
QuotaPoolUsage[NonPagedPool]      21728
Working Set Sizes (now,min,max)  (3259, 50, 345) (13036KB, 200KB, 1380KB)
PeakWorkingSetSize                3259
VirtualSize                       96 Mb
PeakVirtualSize                   96 Mb
PageFaultCount                    5245
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      2214
    Job                               fffffa80050f8860

PROCESS fffffa800511b260
SessionId: 1  Cid: 0a78    Peb: 7fffffd3000  ParentCid: 09ec
DirBase: 93dcb000  ObjectTable: fffff880089d4ae0  HandleCount: 128.
Image: wmdSync.exe
VadRoot fffffa800511aba0 Vads 77 Clone 0 Private 436. Modified 0. Locked 0.
DeviceMap fffff88008479c90
Token                             fffff88008ee1060
ElapsedTime                       00:03:15.429
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         150088
QuotaPoolUsage[NonPagedPool]      7296
Working Set Sizes (now,min,max)  (1554, 50, 345) (6216KB, 200KB, 1380KB)
PeakWorkingSetSize                1558
VirtualSize                       75 Mb
PeakVirtualSize                   76 Mb
PageFaultCount                    1643
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      584
    Job                               fffffa80050f8860

PROCESS fffffa8005120a30
SessionId: 1  Cid: 0a88    Peb: 7efdf000  ParentCid: 09ec
DirBase: 923cd000  ObjectTable: fffff88008e29560  HandleCount:  99.
Image: daemon.exe
VadRoot fffffa8004a8cba0 Vads 96 Clone 0 Private 843. Modified 0. Locked 0.
DeviceMap fffff88008479c90
Token                             fffff88008eed730
ElapsedTime                       00:03:14.976
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         175272
QuotaPoolUsage[NonPagedPool]      9024
Working Set Sizes (now,min,max)  (2608, 50, 345) (10432KB, 200KB, 1380KB)
PeakWorkingSetSize                2615
VirtualSize                       92 Mb
PeakVirtualSize                   94 Mb
PageFaultCount                    3463
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      1397
    Job                               fffffa80050f8860

PROCESS fffffa80051b5640
SessionId: 1  Cid: 0b98    Peb: 7efdf000  ParentCid: 09ec
DirBase: 8e371000  ObjectTable: fffff8800910ced0  HandleCount:  59.
Image: WZQKPICK.EXE
VadRoot fffffa80051c1630 Vads 58 Clone 0 Private 215. Modified 0. Locked 0.
DeviceMap fffff88008479c90
Token                             fffff8800910c860
ElapsedTime                       00:03:00.903
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         123744
QuotaPoolUsage[NonPagedPool]      5376
Working Set Sizes (now,min,max)  (1274, 50, 345) (5096KB, 200KB, 1380KB)
PeakWorkingSetSize                1274
VirtualSize                       62 Mb
PeakVirtualSize                   63 Mb
PageFaultCount                    1304
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      331
    Job                               fffffa80050f8860

PROCESS fffffa800530e040
SessionId: 0  Cid: 0bcc    Peb: 7fffffd6000  ParentCid: 0328
DirBase: 12c7cc000  ObjectTable: fffff880097c19e0  HandleCount: 193.
Image: WmiPrvSE.exe
VadRoot fffffa80053864c0 Vads 107 Clone 0 Private 766. Modified 0. Locked 0.
DeviceMap fffff88007fe7530
Token                             fffff8800995f060
ElapsedTime                       00:00:27.349
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         102888
QuotaPoolUsage[NonPagedPool]      10176
Working Set Sizes (now,min,max)  (2338, 50, 345) (9352KB, 200KB, 1380KB)
PeakWorkingSetSize                2338
VirtualSize                       56 Mb
PeakVirtualSize                   56 Mb
PageFaultCount                    2724
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      1359
    Job                               fffffa8004d71560

1: kd> !job fffffa8004d71560
Job at fffffa8004d71560
TotalPageFaultCount      0
TotalProcesses           1
ActiveProcesses          1
TotalTerminatedProcesses 0
LimitFlags               2b08
MinimumWorkingSetSize    0
MaximumWorkingSetSize    0
ActiveProcessLimit       20
PriorityClass            0
UIRestrictionsClass      0
SecurityLimitFlags       0
Token                    0000000000000000

1: kd> !job fffffa80050f8860
Job at fffffa80050f8860
TotalPageFaultCount      0
TotalProcesses           4
ActiveProcesses          4
TotalTerminatedProcesses 0
LimitFlags               1000
MinimumWorkingSetSize    0
MaximumWorkingSetSize    0
ActiveProcessLimit       0
PriorityClass            0
UIRestrictionsClass      0
SecurityLimitFlags       0
Token                    0000000000000000

1: kd> dt _EJOB fffffa80050f8860
nt!_EJOB
+0x000 Event            : _KEVENT
+0x018 JobLinks         : _LIST_ENTRY [ 0xfffff800`019c2450 - 0xfffffa80`04d71578 ]
+0x028 ProcessListHead  : _LIST_ENTRY [ 0xfffffa80`04e28e58 - 0xfffffa80`051b5888 ]
+0x038 JobLock          : _ERESOURCE
+0x0a0 TotalUserTime    : _LARGE_INTEGER 0x0
+0x0a8 TotalKernelTime  : _LARGE_INTEGER 0x0
+0x0b0 ThisPeriodTotalUserTime : _LARGE_INTEGER 0x0
+0x0b8 ThisPeriodTotalKernelTime : _LARGE_INTEGER 0x0
+0x0c0 TotalPageFaultCount : 0
+0x0c4 TotalProcesses   : 4
+0x0c8 ActiveProcesses  : 4
+0x0cc TotalTerminatedProcesses : 0
+0x0d0 PerProcessUserTimeLimit : _LARGE_INTEGER 0x0
+0x0d8 PerJobUserTimeLimit : _LARGE_INTEGER 0x0
+0x0e0 LimitFlags       : 0x1000
+0x0e8 MinimumWorkingSetSize : 0
+0x0f0 MaximumWorkingSetSize : 0
+0x0f8 ActiveProcessLimit : 0
+0x100 Affinity         : 0
+0x108 PriorityClass    : 0 ''
+0x110 AccessState      : (null)
+0x118 UIRestrictionsClass : 0
+0x11c EndOfJobTimeAction : 0
+0x120 CompletionPort   : (null)
+0x128 CompletionKey    : (null)
+0x130 SessionId        : 1
+0x134 SchedulingClass  : 5
+0x138 ReadOperationCount : 0
+0x140 WriteOperationCount : 0
+0x148 OtherOperationCount : 0
+0x150 ReadTransferCount : 0
+0x158 WriteTransferCount : 0
+0x160 OtherTransferCount : 0
+0x168 ProcessMemoryLimit : 0
+0x170 JobMemoryLimit   : 0
+0x178 PeakProcessMemoryUsed : 0x912
+0x180 PeakJobMemoryUsed : 0x11b3
+0x188 CurrentJobMemoryUsed : 0x11ae
+0x190 MemoryLimitsLock : _EX_PUSH_LOCK
+0x198 JobSetLinks      : _LIST_ENTRY [ 0xfffffa80`050f89f8 - 0xfffffa80`050f89f8 ]
+0x1a8 MemberLevel      : 0
+0x1ac JobFlags         : 1
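
An added example (not from the original notes or the books cited): decoding the LimitFlags values of the two jobs dumped above with the JOB_OBJECT_LIMIT_* bit values from winnt.h, and flagging the two breakaway bits that let a process be created outside a job that is being relied on as a containment boundary. The !job text inside the block is a constructed excerpt of the output above.

```python
import re

# JOB_OBJECT_LIMIT_* bit values from winnt.h (basic and extended limits).
JOB_OBJECT_LIMIT_FLAGS = {
    0x0001: "WORKINGSET",
    0x0002: "PROCESS_TIME",
    0x0004: "JOB_TIME",
    0x0008: "ACTIVE_PROCESS",
    0x0010: "AFFINITY",
    0x0020: "PRIORITY_CLASS",
    0x0040: "PRESERVE_JOB_TIME",
    0x0080: "SCHEDULING_CLASS",
    0x0100: "PROCESS_MEMORY",
    0x0200: "JOB_MEMORY",
    0x0400: "DIE_ON_UNHANDLED_EXCEPTION",
    0x0800: "BREAKAWAY_OK",
    0x1000: "SILENT_BREAKAWAY_OK",
    0x2000: "KILL_ON_JOB_CLOSE",
    0x4000: "SUBSET_AFFINITY",
}
# Either breakaway flag lets a child process be created outside the job,
# which matters when the job is relied on as a containment boundary.
BREAKAWAY_FLAGS = 0x0800 | 0x1000
HEX_FIELDS = ("LimitFlags", "Token")  # !job prints these in hex, counters in decimal

def decode_limit_flags(value):
    """Return the JOB_OBJECT_LIMIT_* names set in value, lowest bit first."""
    return [name for bit, name in sorted(JOB_OBJECT_LIMIT_FLAGS.items()) if value & bit]

def parse_job_output(text):
    """Parse one or more '!job' dumps into {job_address: {field: int}}."""
    jobs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Job at ([0-9a-fA-F]+)$", line)
        if m:
            current = jobs.setdefault(m.group(1).lower(), {})
            continue
        m = re.match(r"(\w+)\s+([0-9a-fA-F]+)$", line)
        if m and current is not None:
            field, raw = m.groups()
            current[field] = int(raw, 16 if field in HEX_FIELDS else 10)
    return jobs

def allows_breakaway(limit_flags):
    """True if processes may leave this job (BREAKAWAY_OK or SILENT_BREAKAWAY_OK)."""
    return bool(limit_flags & BREAKAWAY_FLAGS)

# Constructed excerpt of the two !job dumps shown above.
SAMPLE_JOB_OUTPUT = """\
Job at fffffa8004d71560
ActiveProcesses          1
LimitFlags               2b08
ActiveProcessLimit       20
Job at fffffa80050f8860
ActiveProcesses          4
LimitFlags               1000
"""
```

So 0x2b08 on the WmiPrvSE.exe job is ACTIVE_PROCESS | PROCESS_MEMORY | JOB_MEMORY | BREAKAWAY_OK | KILL_ON_JOB_CLOSE, and 0x1000 on the four-process job is SILENT_BREAKAWAY_OK; both jobs permit breakaway.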

C2 reqs: SLF - DAC - SAC - ORP (p. 452) - a mnemonic to remember, perhaps for security exams like CISSP

B reqs: TPF - TFM (p. 453)

Security targets and protection profiles (p. 453)

Advanced .NET Debugging by M. Hewardt:

type handle as a pointer to method table (p. 53) - I liked managed heap - execution engine boundary and propose this colored space diagram (will add this to Dictionary of Debugging soon as a tripartite “virtual” memory division):

!DumpModule command (p. 57)

!U command (pp. 58 - 59)

!DumpMT command (p. 59)

!DumpMT -md to dump type method descriptors (p. 60)

!DumpMD command (p. 60)

m_CodeOrIL: 00920070 (p. 61) - the address looks like a UNICODE string but I believe this is just a coincidence, the false positive of Wild Pointer pattern: http://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/

Reading Notebook: 30-March-10

Saturday, April 3rd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

per-PRCB queued, system-wide dispatcher, system-wide context swap and per-thread spinlocks (pp. 434-435)

physical over logical processor preference for scheduling (p. 435)

!smt command (p. 436) - here is the output from an x64 machine (from the output we can infer the following relationship: logical processor -> core -> physical processor):

1: kd> !smt
SMT Summary:
------------
KeActiveProcessors: **-------------------------------------------------------------- (0000000000000003)
KiIdleSummary: -*-------------------------------------------------------------- (0000000000000002)
No PRCB SMT Set APIC Id
0 fffff80001991680 **-------------------------------------------------------------- (0000000000000003) 0x00000000
1 fffffa60005ec180 **-------------------------------------------------------------- (0000000000000003) 0x00000001

Maximum cores per physical processor: 2
Maximum logical processors per core: 1

NUMA (pp. 436 - 438) - I can see NUMA even on my small desktop system

1: kd> !numa
NUMA Summary:
------------
Number of NUMA nodes : 1
Number of Processors : 2
MmAvailablePages : 0x000C7CB9
KeActiveProcessors : (3)

NODE 0 (FFFFF80001995640):
ProcessorMask : (3)
Color : 0x00000000
MmShiftedColor : 0x00000000
Seed : 0x00000001
Right : 0x00000000
Left : 0x00000001
Zeroed Page Count: 0x0000000000000000
Free Page Count : 0x0000000000000000

Thread affinity (pp. 438 - 440) - see also Affine Thread crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/06/27/crash-dump-analysis-patterns-part-68/

uniprocessor flag as a workaround for multithreading defects (p. 439)

Set(Query)ProcessAffinityUpdateMode and dynamic processor changes (p. 442)

choosing a processor (idle ideal -> idle current -> idle previous -> current -> ideal running less priority thread) (pp. 433 - 444)

no guarantee to run all highest priority threads vs. always runs the highest priority thread (p. 444)

Advanced .NET Debugging by M. Hewardt:

value vs. reference types (p. 42)

sosex!bpsc (p. 46)

per frame managed stack trace: !ClrStack -a (p. 46)

d* for simple local value types, !dumpobj for references, !dumpvc for value type fields (pp. 46 - 47)

sync blocks (pp. 49 - 52) - here is the output from my x64 test program:

0:000> !ClrStack -a
OS Thread Id: 0x6e8 (0)

000000000013ed10 000007ff001ac709 System.IO.TextReader+SyncTextReader.ReadLine()
PARAMETERS:
this = 0x0000000002a2b568

0:000> !dumpobj 0x0000000002a2b568
Name: System.IO.TextReader+SyncTextReader
MethodTable: 000007feee67bea8
EEClass: 000007feedb851e0
Size: 32(0x20) bytes
(C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
Fields:
MT Field Offset Type VT Attr Value Name
000007feede86048 400018a 8 System.Object 0 instance 0000000000000000 __identity
000007feedecd198 4001c87 b18 System.IO.TextReader 0 shared static Null
>> Domain:Value 0000000000220840:0000000002a2b060 <<
000007feedecd198 4001c88 10 System.IO.TextReader 0 instance 0000000002a2af28 _in
ThinLock owner 1 (0000000000000000), Recursive 0

0:000> dq 0x0000000002a2b568-8
00000000`02a2b560 00000001`00000000 000007fe`ee67bea8
00000000`02a2b570 00000000`00000000 00000000`02a2af28
00000000`02a2b580 00000000`00000000 00000000`00000000
00000000`02a2b590 00000000`00000000 00000000`00000000
00000000`02a2b5a0 00000000`00000000 00000000`00000000
00000000`02a2b5b0 00000000`00000000 00000000`00000000
00000000`02a2b5c0 00000000`00000000 00000000`00000000
00000000`02a2b5d0 00000000`00000000 00000000`00000000

0:000> !syncblk 1
Index SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner
1 0000000000259bf8 0 0 0000000000000000 none 0000000002a28030 System.EventHandler
-----------------------------
Total 1
CCW 0
RCW 0
ComClassFactory 0
Free 0

thin sync blocks (p. 52)
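
An added example (not from the original notes or the book): decoding the object header word behind the "ThinLock owner 1 (...), Recursive 0" line and the dq output above. The bit masks are the ones from the CLR's syncblk.h (sync block index / hash code flag bits, thin-lock thread id and recursion fields); the other header bits (GC reserve, finalizer-run, spin lock) are not decoded, and the second header value is constructed to show an object that has a real sync block, as the System.EventHandler object at index 1 does.

```python
# CLR object header (m_SyncBlockValue) bit layout from the runtime's syncblk.h.
BIT_SBLK_IS_HASH_OR_SYNCBLKINDEX = 0x08000000  # low 26 bits hold index or hash
BIT_SBLK_IS_HASHCODE = 0x04000000              # ...and it is a hash code
MASK_SYNCBLOCKINDEX = 0x03FFFFFF
SBLK_MASK_LOCK_THREADID = 0x000003FF           # thin lock: managed thread id
SBLK_MASK_LOCK_RECLEVEL = 0x0000FC00           # thin lock: recursion count
SBLK_RECLEVEL_SHIFT = 10


def header_from_qword(qword_before_object):
    """On x64 the 8 bytes before an object are [4 bytes padding][m_SyncBlockValue].
    dq prints that qword little-endian, so the header is its high dword."""
    return (qword_before_object >> 32) & 0xFFFFFFFF


def decode_object_header(header):
    """Classify the header as sync block index, hash code, thin lock or unlocked."""
    if header & BIT_SBLK_IS_HASH_OR_SYNCBLKINDEX:
        if header & BIT_SBLK_IS_HASHCODE:
            return {"kind": "hashcode", "value": header & MASK_SYNCBLOCKINDEX}
        # Lock state lives in the sync block table entry (see !syncblk <index>).
        return {"kind": "syncblock", "index": header & MASK_SYNCBLOCKINDEX}
    owner = header & SBLK_MASK_LOCK_THREADID
    if owner == 0:
        return {"kind": "unlocked"}
    # Thin lock: the lock is held inline in the header, no sync block allocated.
    return {
        "kind": "thinlock",
        "owner": owner,
        "recursion": (header & SBLK_MASK_LOCK_RECLEVEL) >> SBLK_RECLEVEL_SHIFT,
    }


# First qword that dq printed at 0x0000000002a2b568-8 above; the second value is
# constructed to show a header that points at sync block 1 instead.
SAMPLE_QWORD_THINLOCK = 0x0000000100000000
SAMPLE_HEADER_SYNCBLOCK = 0x08000001
```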

Reading Notebook: 26-March-10

Friday, March 26th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Impossibility to disable foreground after-wait priority boosts (p. 423)

CPU Stress tool (pp. 423 - 425, 428 - 430) - Good tool to model CPU spikes. See also the Modeling CPU Spikes article I co-authored for Debugging Expert magazine

CPU starvation prevention via balance set manager thread (p. 427)

MMCSS priority boosts (p. 432)

Network throttling to prevent DPC activity interrupting MMCSS boosting (p. 433)

Advanced .NET Debugging by M. Hewardt:

System | shared | def app := bookkeeping, precreation | mscorlib | app code (pp. 37 - 38) - here we check that the mscorlib assembly belongs to the shared domain:

0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef00f8ef0
LowFrequencyHeap: 000007fef00f8f38
HighFrequencyHeap: 000007fef00f8fc8
StubHeap: 000007fef00f9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef00f9860
LowFrequencyHeap: 000007fef00f98a8
HighFrequencyHeap: 000007fef00f9938
StubHeap: 000007fef00f99c8
Stage: OPEN
Name: None
Assembly: 00000000003a2d10
--------------------------------------
Domain 1: 0000000000390840
LowFrequencyHeap: 0000000000390888
HighFrequencyHeap: 0000000000390918
StubHeap: 00000000003909a8
Stage: OPEN
SecurityDescriptor: 00000000003930e0
Name: TestCLR.exe

[...]

Assembly: 00000000003a2d10 [C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll]
ClassLoader: 00000000003a2dd0
SecurityDescriptor: 00000000003a2110
Module Name
000007feeda51000 C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

0:003> !dumpassembly 00000000003a2d10
Parent Domain: 000007fef00f9860
Name: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
ClassLoader: 00000000003a2dd0
SecurityDescriptor: 000000000335db78
Module Name
000007feeda51000 C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

Multimodule assemblies with separate PE file for a manifest (p. 40)

Reading Notebook: 22-March-10

Wednesday, March 24th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Processor mode doesn’t affect thread scheduling (p. 414)

Preemption can be before a quantum ends and in that case the preempted thread is pushed at the front of a ready queue (pp. 414 - 415)

Clock interval extension of quanta for interrupted threads (pp. 416 - 417)

Context Switching (p. 418) - just noticed (never paid attention to before) that WinDbg shows empty context for the preempted thread:

x86 W2K3:

0: kd> kL
ChildEBP RetAddr
ba3a2a44 80833ed1 nt!KiSwapContext+0x26
ba3a2a70 80829c14 nt!KiSwapThread+0x2e5
ba3a2ab8 b9c5674d nt!KeWaitForSingleObject+0x346
[...]

0: kd> r
Last set context:
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=8088f77e esp=ba3a2a38 ebp=ba3a2a70 iopl=0         nv up di pl nz na po nc
cs=0008  ss=0010  ds=0000  es=0000  fs=0000  gs=0000             efl=00000000
nt!KiSwapContext+0x26:
8088f77e 8b2c24          mov     ebp,dword ptr [esp]  ss:0010:ba3a2a38=ba3a2a70

0: kd> uf nt!KiSwapContext
nt!KiSwapContext:
8088f758 sub     esp,10h
8088f75b mov     dword ptr [esp+0Ch],ebx
8088f75f mov     dword ptr [esp+8],esi
8088f763 mov     dword ptr [esp+4],edi
8088f767 mov     dword ptr [esp],ebp
8088f76a mov     ebx,dword ptr fs:[1Ch]
8088f771 mov     edi,ecx
8088f773 mov     esi,edx
8088f775 movzx   ecx,byte ptr [edi+4Eh]
8088f779 call    nt!SwapContext (8088f880)
8088f77e mov     ebp,dword ptr [esp]
8088f781 mov     edi,dword ptr [esp+4]
8088f785 mov     esi,dword ptr [esp+8]
8088f789 mov     ebx,dword ptr [esp+0Ch]
8088f78d add     esp,10h
8088f790 ret

x64 W2K8:

1: kd> kL
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
fffffa60`02ddc7c0 fffff800`0187a6fa nt!KiSwapContext+0x7f
fffffa60`02ddc900 fffff800`0186f35b nt!KiSwapThread+0x13a
fffffa60`02ddc970 fffff800`01ad9e57 nt!KeWaitForSingleObject+0x2cb
fffffa60`02ddca00 fffff800`01ad9219 nt!AlpcpReceiveMessagePort+0x287
fffffa60`02ddca60 fffff800`01ada58a nt!AlpcpReceiveMessage+0x245
fffffa60`02ddcb00 fffff800`01877ef3 nt!NtAlpcSendWaitReceivePort+0x1da
fffffa60`02ddcbb0 00000000`7747756a nt!KiSystemServiceCopyEnd+0x13
00000000`0020f5a8 00000000`00000000 ntdll!ZwAlpcSendWaitReceivePort+0xa

1: kd> r
Last set context:
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8000187ac7f rsp=fffffa6002ddc7c0 rbp=fffffa80047ca290
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di pl nz na pe nc
cs=0000  ss=0000  ds=0000  es=0000  fs=0000  gs=0000             efl=00000000

nt!KiSwapContext+0x7f:
fffff800`0187ac7f 488d8c2400010000 lea     rcx,[rsp+100h]

1: kd> uf nt!KiSwapContext
nt!KiSwapContext:
fffff800`0187ac00 sub     rsp,138h
fffff800`0187ac07 lea     rax,[rsp+100h]
fffff800`0187ac0f movaps  xmmword ptr [rsp+30h],xmm6
fffff800`0187ac14 movaps  xmmword ptr [rsp+40h],xmm7
fffff800`0187ac19 movaps  xmmword ptr [rsp+50h],xmm8
fffff800`0187ac1f movaps  xmmword ptr [rsp+60h],xmm9
fffff800`0187ac25 movaps  xmmword ptr [rsp+70h],xmm10
fffff800`0187ac2b movdqa  xmmword ptr [rax-80h],xmm11
fffff800`0187ac31 movdqa  xmmword ptr [rax-70h],xmm12
fffff800`0187ac37 movdqa  xmmword ptr [rax-60h],xmm13
fffff800`0187ac3d movdqa  xmmword ptr [rax-50h],xmm14
fffff800`0187ac43 movdqa  xmmword ptr [rax-40h],xmm15
fffff800`0187ac49 mov     qword ptr [rax],rbx
fffff800`0187ac4c mov     qword ptr [rax+8],rdi
fffff800`0187ac50 mov     qword ptr [rax+10h],rsi
fffff800`0187ac54 mov     qword ptr [rax+18h],r12
fffff800`0187ac58 mov     qword ptr [rax+20h],r13
fffff800`0187ac5c mov     qword ptr [rax+28h],r14
fffff800`0187ac60 mov     qword ptr [rax+30h],r15
fffff800`0187ac64 mov     rbx,qword ptr gs:[20h]
fffff800`0187ac6d mov     rdi,rcx
fffff800`0187ac70 mov     rsi,rdx
fffff800`0187ac73 movzx   ecx,byte ptr [rdi+156h]
fffff800`0187ac7a call    nt!SwapContext (fffff800`0187af50)
fffff800`0187ac7f lea     rcx,[rsp+100h]
fffff800`0187ac87 movdqa  xmm6,xmmword ptr [rsp+30h]
fffff800`0187ac8d movdqa  xmm7,xmmword ptr [rsp+40h]
fffff800`0187ac93 movdqa  xmm8,xmmword ptr [rsp+50h]
fffff800`0187ac9a movdqa  xmm9,xmmword ptr [rsp+60h]
fffff800`0187aca1 movdqa  xmm10,xmmword ptr [rsp+70h]
fffff800`0187aca8 movdqa  xmm11,xmmword ptr [rcx-80h]
fffff800`0187acae movdqa  xmm12,xmmword ptr [rcx-70h]
fffff800`0187acb4 movdqa  xmm13,xmmword ptr [rcx-60h]
fffff800`0187acba movdqa  xmm14,xmmword ptr [rcx-50h]
fffff800`0187acc0 movdqa  xmm15,xmmword ptr [rcx-40h]
fffff800`0187acc6 mov     rbx,qword ptr [rcx]
fffff800`0187acc9 mov     rdi,qword ptr [rcx+8]
fffff800`0187accd mov     rsi,qword ptr [rcx+10h]
fffff800`0187acd1 mov     r12,qword ptr [rcx+18h]
fffff800`0187acd5 mov     r13,qword ptr [rcx+20h]
fffff800`0187acd9 mov     r14,qword ptr [rcx+28h]
fffff800`0187acdd mov     r15,qword ptr [rcx+30h]
fffff800`0187ace1 add     rsp,138h
fffff800`0187ace8 ret

We also see that an attempt to switch from a DPC results in bug check 0xB8 (ATTEMPTED_SWITCH_FROM_DPC), the code loaded into ecx just before the KeBugCheckEx call:

1: kd> uf nt!SwapContext
nt!SwapContext:
fffff800`0187af50 sub     rsp,38h
fffff800`0187af54 mov     qword ptr [rsp+30h],rbp
fffff800`0187af59 mov     byte ptr [rsp+28h],cl
fffff800`0187af5d cmp     byte ptr [rsi+95h],0
fffff800`0187af64 jne     nt!SwapContext+0x1cb (fffff800`0187b11b)

[...]

nt!SwapContext+0x1b2:
fffff800`0187b102 xor     r9,r9
fffff800`0187b105 mov     qword ptr [rsp+20h],r9
fffff800`0187b10a mov     r8,rsi
fffff800`0187b10d mov     rdx,rdi
fffff800`0187b110 mov     ecx,0B8h
fffff800`0187b115 call    nt!KeBugCheckEx (fffff800`01878450)
fffff800`0187b11a ret

It happens infrequently: http://www.dumpanalysis.org/blog/index.php/2008/03/12/bug-check-frequencies/

Idle process and threads can have NULL fields (pp. 418 - 419) - on x64 W2K8:

1: kd> !process poi(PsIdleProcess)
PROCESS fffff800019970c0
SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 551.
Image: Idle
VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token                             fffff88000003330
ElapsedTime                       00:00:00.000
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         0
QuotaPoolUsage[NonPagedPool]      0
Working Set Sizes (now,min,max)  (6, 50, 450) (24KB, 200KB, 1800KB)
PeakWorkingSetSize                6
VirtualSize                       0 Mb
PeakVirtualSize                   0 Mb
PageFaultCount                    1
MemoryPriority                    BACKGROUND
BasePriority                      0
CommitCharge                      0

        THREAD fffff80001996b80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff88000007310
Owning Process            fffff800019970c0       Image:         Idle
Attached Process          fffffa8003bf1040       Image:         System
Wait Start TickCount      16846          Ticks: 1721 (0:00:00:26.847)
Context Switch Count      229608
UserTime                  00:00:00.000
KernelTime                00:04:13.532
Win32 Start Address nt!KiIdleLoop (0xfffff8000187c880)
Stack Init fffff80002bdadb0 Current fffff80002bdad40
Base fffff80002bdb000 Limit fffff80002bd5000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP          RetAddr           Call Site
fffff800`02bdad80 fffff800`01a49860 nt!KiIdleLoop+0x11b
fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

        THREAD fffffa60005f5d40  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap                 fffff88000007310
Owning Process            fffff800019970c0       Image:         Idle
Attached Process          fffffa8003bf1040       Image:         System
Wait Start TickCount      0              Ticks: 18567 (0:00:04:49.647)
Context Switch Count      241262
UserTime                  00:00:00.000
KernelTime                00:04:23.501
Win32 Start Address nt!KiIdleLoop (0xfffff8000187c880)
Stack Init fffffa600191bdb0 Current fffffa600191bd40
Base fffffa600191c000 Limit fffffa6001916000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP          RetAddr           Call Site
fffffa60`0191bcd8 fffffa60`00f07685 intelppm!C1Halt+0x2
fffffa60`0191bce0 fffff800`0187cb83 intelppm!C1Idle+0x9
fffffa60`0191bd10 fffff800`0187c8a1 nt!PoIdle+0x183
fffffa60`0191bd80 fffff800`01a49860 nt!KiIdleLoop+0x21
fffffa60`0191bdb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4
fffffa60`005efd00 00000000`00000000 0xfffffa60

MMCSS (MultiMedia Class Scheduler Service) and priority boosts in Vista (p. 420)

Priority boosts never go beyond level 15 (p. 421) - looks like addition of velocities in relativity, where v1 > c/2, v2 > c/2 but v1+v2 < c (where c is the speed of light) :-)

Priority boosts for low priority _ERESOURCE owners (pp. 422 - 423)