Software Diagnostics Library

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Deferred ready and standby thread states (p. 400)

Gait waiting (p. 401)

Transition state as state with paged out kernel stack (p. 401) - flattening thread state transition diagram for ready state: 

deferred ready -> ready <-> running

Thread state counter in Performance Monitor (pp. 402 - 404)

Per-processor ready queues and O(1) (pp. 404 - 405)

PRCB (p. 404) - rather a huge structure on x64 W2K8:

0: kd> dt nt!_KPRCB
+0x000 MxCsr            : Uint4B
+0x004 Number           : Uint2B
+0x006 InterruptRequest : UChar
+0x007 IdleHalt         : UChar
+0x008 CurrentThread    : Ptr64 _KTHREAD
+0x010 NextThread       : Ptr64 _KTHREAD
+0x018 IdleThread       : Ptr64 _KTHREAD
+0x020 NestingLevel     : UChar
+0x021 Group            : UChar
+0x022 PrcbPad00        : [6] UChar
+0x028 RspBase          : Uint8B
+0x030 PrcbLock         : Uint8B
+0x038 SetMember        : Uint8B
+0x040 ProcessorState   : _KPROCESSOR_STATE
+0x5f0 CpuType          : Char
+0x5f1 CpuID            : Char
+0x5f2 CpuStep          : Uint2B
+0x5f2 CpuStepping      : UChar
+0x5f3 CpuModel         : UChar
+0x5f4 MHz              : Uint4B
+0x5f8 HalReserved      : [8] Uint8B
+0x638 MinorVersion     : Uint2B
+0x63a MajorVersion     : Uint2B
+0x63c BuildType        : UChar
+0x63d CpuVendor        : UChar
+0x63e CoresPerPhysicalProcessor : UChar
+0x63f LogicalProcessorsPerCore : UChar
+0x640 ApicMask         : Uint4B
+0x644 CFlushSize       : Uint4B
+0x648 AcpiReserved     : Ptr64 Void
+0x650 InitialApicId    : Uint4B
+0x654 Stride           : Uint4B
+0x658 PrcbPad01        : [3] Uint8B
+0x670 LockQueue        : [49] _KSPIN_LOCK_QUEUE
+0x980 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
+0xa80 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x1680 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x2280 PacketBarrier    : Uint8B
   +0×2288 DeferredReadyListHead : _SINGLE_LIST_ENTRY
+0×2290 MmPageFaultCount : Int4B
+0×2294 MmCopyOnWriteCount : Int4B
+0×2298 MmTransitionCount : Int4B
+0×229c MmDemandZeroCount : Int4B
+0×22a0 MmPageReadCount  : Int4B
+0×22a4 MmPageReadIoCount : Int4B
+0×22a8 MmDirtyPagesWriteCount : Int4B
+0×22ac MmDirtyWriteIoCount : Int4B
+0×22b0 MmMappedPagesWriteCount : Int4B
+0×22b4 MmMappedWriteIoCount : Int4B
+0×22b8 KeSystemCalls    : Uint4B
+0×22bc KeContextSwitches : Uint4B
+0×22c0 CcFastReadNoWait : Uint4B
+0×22c4 CcFastReadWait   : Uint4B
+0×22c8 CcFastReadNotPossible : Uint4B
+0×22cc CcCopyReadNoWait : Uint4B
+0×22d0 CcCopyReadWait   : Uint4B
+0×22d4 CcCopyReadNoWaitMiss : Uint4B
+0×22d8 LookasideIrpFloat : Int4B
+0×22dc IoReadOperationCount : Int4B
+0×22e0 IoWriteOperationCount : Int4B
+0×22e4 IoOtherOperationCount : Int4B
+0×22e8 IoReadTransferCount : _LARGE_INTEGER
+0×22f0 IoWriteTransferCount : _LARGE_INTEGER
+0×22f8 IoOtherTransferCount : _LARGE_INTEGER
+0×2300 TargetSet        : Uint8B
+0×2308 IpiFrozen        : Uint4B
+0×230c PrcbPad3         : [116] UChar
+0×2380 RequestMailbox   : [64] _REQUEST_MAILBOX
+0×3380 SenderSummary    : Uint8B
+0×3388 PrcbPad4         : [120] UChar
+0×3400 DpcData          : [2] _KDPC_DATA
+0×3440 DpcStack         : Ptr64 Void
+0×3448 SparePtr0        : Ptr64 Void
+0×3450 MaximumDpcQueueDepth : Int4B
+0×3454 DpcRequestRate   : Uint4B
+0×3458 MinimumDpcRate   : Uint4B
+0×345c DpcInterruptRequested : UChar
+0×345d DpcThreadRequested : UChar
+0×345e DpcRoutineActive : UChar
+0×345f DpcThreadActive  : UChar
+0×3460 TimerHand        : Uint8B
+0×3460 TimerRequest     : Uint8B
+0×3468 TickOffset       : Int4B
+0×346c MasterOffset     : Int4B
+0×3470 DpcLastCount     : Uint4B
+0×3474 ThreadDpcEnable  : UChar
+0×3475 QuantumEnd       : UChar
+0×3476 PrcbPad50        : UChar
+0×3477 IdleSchedule     : UChar
+0×3478 DpcSetEventRequest : Int4B
+0×347c KeExceptionDispatchCount : Uint4B
+0×3480 DpcEvent         : _KEVENT
+0×3498 PrcbPad51        : Ptr64 Void
+0×34a0 CallDpc          : _KDPC
+0×34e0 ClockKeepAlive   : Int4B
+0×34e4 ClockCheckSlot   : UChar
+0×34e5 ClockPollCycle   : UChar
+0×34e6 PrcbPad6         : [2] UChar
+0×34e8 DpcWatchdogPeriod : Int4B
+0×34ec DpcWatchdogCount : Int4B
+0×34f0 PrcbPad70        : [2] Uint8B
+0×3500 WaitListHead     : _LIST_ENTRY
+0×3510 WaitLock         : Uint8B
   +0×3518 ReadySummary     : Uint4B
+0×351c QueueIndex       : Uint4B
+0×3520 PrcbPad71        : [12] Uint8B
   +0×3580 DispatcherReadyListHead : [32] _LIST_ENTRY
+0×3780 InterruptCount   : Uint4B
+0×3784 KernelTime       : Uint4B
+0×3788 UserTime         : Uint4B
+0×378c DpcTime          : Uint4B
+0×3790 InterruptTime    : Uint4B
+0×3794 AdjustDpcThreshold : Uint4B
+0×3798 SkipTick         : UChar
+0×3799 DebuggerSavedIRQL : UChar
+0×379a PollSlot         : UChar
+0×379b PrcbPad80        : [5] UChar
+0×37a0 DpcTimeCount     : Uint4B
+0×37a4 DpcTimeLimit     : Uint4B
+0×37a8 PeriodicCount    : Uint4B
+0×37ac PeriodicBias     : Uint4B
+0×37b0 PrcbPad81        : [2] Uint8B
+0×37c0 ParentNode       : Ptr64 _KNODE
+0×37c8 MultiThreadProcessorSet : Uint8B
+0×37d0 MultiThreadSetMaster : Ptr64 _KPRCB
+0×37d8 StartCycles      : Uint8B
+0×37e0 MmSpinLockOrdering : Int4B
+0×37e4 PageColor        : Uint4B
+0×37e8 NodeColor        : Uint4B
+0×37ec NodeShiftedColor : Uint4B
+0×37f0 SecondaryColorMask : Uint4B
+0×37f4 Sleeping         : Int4B
+0×37f8 CycleTime        : Uint8B
+0×3800 CcFastMdlReadNoWait : Uint4B
+0×3804 CcFastMdlReadWait : Uint4B
+0×3808 CcFastMdlReadNotPossible : Uint4B
+0×380c CcMapDataNoWait  : Uint4B
+0×3810 CcMapDataWait    : Uint4B
+0×3814 CcPinMappedDataCount : Uint4B
+0×3818 CcPinReadNoWait  : Uint4B
+0×381c CcPinReadWait    : Uint4B
+0×3820 CcMdlReadNoWait  : Uint4B
+0×3824 CcMdlReadWait    : Uint4B
+0×3828 CcLazyWriteHotSpots : Uint4B
+0×382c CcLazyWriteIos   : Uint4B
+0×3830 CcLazyWritePages : Uint4B
+0×3834 CcDataFlushes    : Uint4B
+0×3838 CcDataPages      : Uint4B
+0×383c CcLostDelayedWrites : Uint4B
+0×3840 CcFastReadResourceMiss : Uint4B
+0×3844 CcCopyReadWaitMiss : Uint4B
+0×3848 CcFastMdlReadResourceMiss : Uint4B
+0×384c CcMapDataNoWaitMiss : Uint4B
+0×3850 CcMapDataWaitMiss : Uint4B
+0×3854 CcPinReadNoWaitMiss : Uint4B
+0×3858 CcPinReadWaitMiss : Uint4B
+0×385c CcMdlReadNoWaitMiss : Uint4B
+0×3860 CcMdlReadWaitMiss : Uint4B
+0×3864 CcReadAheadIos   : Uint4B
+0×3868 MmCacheTransitionCount : Int4B
+0×386c MmCacheReadCount : Int4B
+0×3870 MmCacheIoCount   : Int4B
+0×3874 PrcbPad91        : [3] Uint4B
+0×3880 PowerState       : _PROCESSOR_POWER_STATE
+0×3998 KeAlignmentFixupCount : Uint4B
+0×399c VendorString     : [13] UChar
+0×39a9 PrcbPad10        : [3] UChar
+0×39ac FeatureBits      : Uint4B
+0×39b0 UpdateSignature  : _LARGE_INTEGER
+0×39b8 DpcWatchdogDpc   : _KDPC
+0×39f8 DpcWatchdogTimer : _KTIMER
+0×3a38 Cache            : [5] _CACHE_DESCRIPTOR
+0×3a74 CacheCount       : Uint4B
+0×3a78 CachedCommit     : Uint4B
+0×3a7c CachedResidentAvailable : Uint4B
+0×3a80 HyperPte         : Ptr64 Void
+0×3a88 WheaInfo         : Ptr64 Void
+0×3a90 EtwSupport       : Ptr64 Void
+0×3aa0 InterruptObjectPool : _SLIST_HEADER
+0×3ab0 HypercallPageList : _SLIST_HEADER
+0×3ac0 HypercallPageVirtual : Ptr64 Void
+0×3ac8 VirtualApicAssist : Ptr64 Void
+0×3ad0 StatisticsPage   : Ptr64 Uint8B
+0×3ad8 RateControl      : Ptr64 Void
+0×3ae0 CacheProcessorMask : [5] Uint8B
+0×3b08 PackageProcessorSet : Uint8B
+0×3b10 CoreProcessorSet : Uint8B

Changed thread quantum accounting in Vista (now: clock cycles), quantum targets, partial quantum decay (pp. 406 - 407)

The mystery of huge number in KiCyclesPerClockQuantum (p. 408) - here is an output on my PC:

0: kd> dd KiCyclesPerClockQuantum l1
fffff800`01a45170  008e58db

0: kd> !cpuinfo
CP  F/M/S Manufacturer  MHz PRCB Signature    MSR 8B Signature Features
0  6,15,2 GenuineIntel 1794 0000005600000000                   20193ffe
1  6,15,2 GenuineIntel 1794 0000005600000000                   20193ffe
Cached Update Signature 0000005a00000000
Initial Update Signature 0000005600000000

C:\>C:\DL\Clockres.exe

ClockRes v2.0 - View the system clock resolution
Copyright (C) 2009 Mark Russinovich
SysInternals - www.sysinternals.com

Maximum timer interval: 15.600 ms
Minimum timer interval: 0.500 ms
Current timer interval: 1.000 ms

HKLM\S\CCS\C\PriorityControl\Win32PrioritySeparation vs. PsPrioritySeperation - looks like a misprint that needs fixing in the next version of Windows. Why it was a deliberate misspelling (p. 411) we can only guess…

0: kd> dd PsPrioritySeperation l1
fffff800`01a45228  00000002

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Limiting high-priority ready threads by a processor affinity (p. 391)

Thread dispatch reasons: ready, leaves running state, priority change, processor affinity change (p. 392)

Thread vs. process scheduling granularity (pp. 392 - 393)

Thread priority level 0 is reserved for zero page thread (p. 393)

2 pespectives on thread priority levels (pp. 393 - 394)

Changing CPU-intensive process base priority instead of priority of individual threads (p. 395)

Increased based priority for special processes (p. 395) - here is a comparison of base priorities between lsm.exe and smss.exe from x64 W2K8:

0: kd> !process fffffa80047ffc10
PROCESS fffffa80047ffc10
SessionId: 0  Cid: 0294    Peb: 7fffffd6000  ParentCid: 0238
DirBase: b1c4e000  ObjectTable: fffff88007f05cd0  HandleCount: 173.
Image: lsm.exe
VadRoot fffffa80046dd720 Vads 68 Clone 0 Private 462. Modified 0. Locked 0.
DeviceMap fffff88000007310
Token                             fffff88007f376f0
ElapsedTime                       00:04:17.552
UserTime                          00:00:00.015
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         69000
QuotaPoolUsage[NonPagedPool]      7072
Working Set Sizes (now,min,max)  (1314, 50, 345) (5256KB, 200KB, 1380KB)
PeakWorkingSetSize                1318
VirtualSize                       36 Mb
PeakVirtualSize                   38 Mb
PageFaultCount                    1375
MemoryPriority                    BACKGROUND
    BasePriority                      8
CommitCharge                      756

0: kd> !process fffffa80046d9040
PROCESS fffffa80046d9040
SessionId: none  Cid: 019c    Peb: 7fffffdf000  ParentCid: 0004
DirBase: bccd5000  ObjectTable: fffff880005f45b0  HandleCount:  33.
Image: smss.exe
VadRoot fffffa80046d97e0 Vads 19 Clone 0 Private 96. Modified 24. Locked 0.
DeviceMap fffff88000007310
Token                             fffff88000964af0
ElapsedTime                       00:04:40.343
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         10392
QuotaPoolUsage[NonPagedPool]      1728
Working Set Sizes (now,min,max)  (254, 50, 345) (1016KB, 200KB, 1380KB)
PeakWorkingSetSize                254
VirtualSize                       6 Mb
PeakVirtualSize                   16 Mb
PageFaultCount                    458
MemoryPriority                    BACKGROUND
    BasePriority                      11
CommitCharge                      127

Sleep(0) to relinquish the rest of quantum (p. 396) 

Realtime Notepad (pp. 397 - 398) - I’m often asked why it doesn’t affect performance? This is because most threads in a system are waiting and notepad is waiting for window messages to process like keyboard and mouse. It is more noticeable when a realtime thread starts looping - it becomes scheduled every time

WSRM (Windows System Resource Manager) (pp. 398 - 399) - Looks good to prevent CPU spikes and memory leaks to come out of control

Thread priorities and IRQL (pp. 399 - 400) - in another words these concepts are orthogonal (independent from each other)

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Clock cycle counter for measuring CPU activity  (p. 382)

Process Explorer usage to inspect hung threads (p. 383) - useful for coupled processes (http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/) and could be great with simultaneous WinDbg session to inspect wait chains (http://www.dumpanalysis.org/blog/index.php/2009/02/17/wait-chain-patterns/)

Process Explorer shows both thread and WOW64 thread stacks on x64 (p. 384)

Thread stack and context query limitations for protected processes (pp. 384 - 386)

Thread pool mechanism was moved into kernel space in Vista (p. 387)

TpWorkerFactory and I/O completion ports and KQUEUE (pp. 387 - 388) - see also a “brief guide” to I/O completion ports: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/ 

The mystery of ntdll!TppWorkerThread in stack traces (pp. 389 - 390)

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

W32THREAD (p. 371) - One candidate in _ETHREAD that points to it is Tcb.Win32Thread. One interesting code I found on how to extract window message queues from it: http://www.cc.gatech.edu/~brendan/volatility/dl/threadqueues.py. _W32THREAD structure on x64 W2K8 (we also see that is points to _ETHREAD):

0: kd> dt _W32THREAD
win32k!_W32THREAD
+0x000 pEThread         : Ptr64 _ETHREAD
+0x008 RefCount         : Uint4B
+0x010 ptlW32           : Ptr64 _TL
+0x018 pgdiDcattr       : Ptr64 Void
+0x020 pgdiBrushAttr    : Ptr64 Void
+0x028 pUMPDObjs        : Ptr64 Void
+0x030 pUMPDHeap        : Ptr64 Void
+0x038 pUMPDObj         : Ptr64 Void
+0x040 pProxyPort       : Ptr64 Void
+0x048 pClientID        : Ptr64 Void
+0x050 GdiTmpTgoList    : _LIST_ENTRY

!thread output fields (p. 376) - Stack Base and Limit fields can be useful to dump raw stack data via dps command to see execution residue or when reconstructing stack trace, see, for example, this pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/23/crash-dump-analysis-patterns-part-88/

tlist utility (p. 377)

Thread creation calls (pp. 380 - 381) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CreateThread
kernel32!CreateThread (00000000`7731c1c0)
kernel32!CreateThread+0x28 (00000000`7731c1e8):
call to kernel32!CreateRemoteThread (00000000`7731c200)

0: kd> uf /c CreateRemoteThread
Flow analysis was incomplete, some code may be missing
kernel32!CreateRemoteThread (00000000`7731c200)
kernel32!CreateRemoteThread+0x134 (00000000`7731c334):
    call to ntdll!NtCreateThreadEx (00000000`77477790)
  kernel32!CreateRemoteThread+0×166 (00000000`7731c366):
call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
kernel32!CreateRemoteThread+0×1b4 (00000000`7731c3b4):
call to ntdll!RtlQueryInformationActivationContext (00000000`77456b20)
kernel32!CreateRemoteThread+0×241 (00000000`7731c441):
    call to ntdll!CsrClientCallServer (00000000`7747a460)
  kernel32!CreateRemoteThread+0×281 (00000000`7731c47d):
    call to ntdll!ZwResumeThread (00000000`77477230)
  kernel32!CreateRemoteThread+0×38b (00000000`7731c4ae):
call to kernel32!_security_check_cookie (00000000`7732c200)

0: kd> uf /c NtCreateThreadEx
ntdll!NtCreateThreadEx (00000000`77477790)
no calls found

0: kd> uf NtCreateThreadEx
ntdll!NtCreateThreadEx:
00000000`77477790 4c8bd1          mov     r10,rcx
00000000`77477793 b8a5000000      mov     eax,0A5h
00000000`77477798 0f05            syscall
00000000`7747779a c3              ret

0: kd> uf /c nt!NtCreateThreadEx
nt!NtCreateThreadEx (fffff800`01af60fc)
nt!NtCreateThreadEx+0x3d (fffff800`01af6139):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0x5b (fffff800`01af6157):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0x99 (fffff800`01af6195):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0xc8 (fffff800`01af61c4):
call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
nt!NtCreateThreadEx+0x1e1 (fffff800`01af62dd):
    call to nt!PspCreateThread (fffff800`01af5d40)
  nt!NtCreateThreadEx+0×1f0 (fffff800`01af62ec):
call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)

0: kd> uf /c nt!PspCreateThread
nt!PspCreateThread (fffff800`01af5d40)
nt!PspCreateThread+0x102 (fffff800`01af5e42):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!PspCreateThread+0x15b (fffff800`01af5e9b):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!PspCreateThread+0x22f (fffff800`01af5f6f):
call to nt!PspAllocateThread (fffff800`01af6338)
nt!PspCreateThread+0x243 (fffff800`01af5f83):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateThread+0x2a6 (fffff800`01af5fe6):
call to nt!PspInsertThread (fffff800`01af4c10)
nt!PspCreateThread+0x318 (fffff800`01af6058):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateThread+0x32a (fffff800`01af606a):
call to nt!_security_check_cookie (fffff800`01895e50)
nt!PspCreateThread+0x36a (fffff800`01af60aa):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!PspCreateThread+0x3a2 (fffff800`01af60e2):
call to nt!ExfAcquireRundownProtection (fffff800`0184f66c)
nt! ?? ::NNGAKEGL::`string'+0x2816e (fffff800`01b3628e):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x281ad (fffff800`01b362ca):
call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
nt! ?? ::NNGAKEGL::`string'+0x281ce (fffff800`01b362eb):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x281d8 (fffff800`01b362f5):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt! ?? ::NNGAKEGL::`string'+0x281e7 (fffff800`01b36304):
call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
nt! ?? ::NNGAKEGL::`string'+0x281ff (fffff800`01b3631c):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x2821a (fffff800`01b36337):
call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

NtCreateProcess (pp. 349 - 351) -  a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateProcess
nt!NtCreateProcess (fffff800`01c51770)
nt!NtCreateProcess+0x64 (fffff800`01c517d4):
call to nt!NtCreateProcessEx (fffff800`01c516e0)

0: kd> uf /c nt!NtCreateProcessEx
nt!NtCreateProcessEx (fffff800`01c516e0)
nt!NtCreateProcessEx+0x7d (fffff800`01c5175d):
call to nt!PspCreateProcess (fffff800`01c51410)

0: kd> uf /c nt!PspCreateProcess
nt!PspCreateProcess (fffff800`01c51410)
nt!PspCreateProcess+0xd0 (fffff800`01c514e0):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!PspCreateProcess+0xff (fffff800`01c5150f):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x146 (fffff800`01c51556):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!PspCreateProcess+0x1a6 (fffff800`01c515b6):
call to nt!PspAllocateProcess (fffff800`01aac690)
nt!PspCreateProcess+0x202 (fffff800`01c51612):
call to nt!PspInsertProcess (fffff800`01aa6520)
nt!PspCreateProcess+0x21b (fffff800`01c5162b):
call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
nt!PspCreateProcess+0x26f (fffff800`01c5167f):
call to nt!SeDeleteAccessState (fffff800`01b02f8c)
nt!PspCreateProcess+0x27a (fffff800`01c5168a):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x287 (fffff800`01c51697):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x294 (fffff800`01c516a4):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x2a7 (fffff800`01c516b7):
call to nt!_security_check_cookie (fffff800`01895e50)

NtCreateUserProcess (pp. 351 - 360) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateUserProcess
nt!NtCreateUserProcess (fffff800`01ab2238)
nt!NtCreateUserProcess+0x97 (fffff800`01ab22cf):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateUserProcess+0xb4 (fffff800`01ab22ec):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateUserProcess+0x184 (fffff800`01ab23bc):
call to nt!ExRaiseDatatypeMisalignment (fffff800`01bddd20)
nt!NtCreateUserProcess+0x1c2 (fffff800`01ab23fb):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateUserProcess+0x1dd (fffff800`01ab2416):
call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
nt!NtCreateUserProcess+0x207 (fffff800`01ab2440):
call to nt!PspCaptureCreateInfo (fffff800`01aad390)
nt!NtCreateUserProcess+0x2d1 (fffff800`01ab250a):
call to nt!ZwOpenFile (fffff800`01873480)
nt!NtCreateUserProcess+0x311 (fffff800`01ab254a):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!NtCreateUserProcess+0x378 (fffff800`01ab25b1):
call to nt!ZwCreateSection (fffff800`01873760)
nt!NtCreateUserProcess+0x3af (fffff800`01ab25e8):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!NtCreateUserProcess+0x412 (fffff800`01ab264b):
call to nt!PspCaptureProcessParameters (fffff800`01aae128)
nt!NtCreateUserProcess+0x483 (fffff800`01ab26bc):
call to nt!PspAllocateProcess (fffff800`01aac690)
nt!NtCreateUserProcess+0x546 (fffff800`01ab277f):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!NtCreateUserProcess+0x630 (fffff800`01ab2869):
call to nt!PspAllocateThread (fffff800`01af6338)
nt!NtCreateUserProcess+0x69f (fffff800`01ab28d8):
call to nt!PspInsertProcess (fffff800`01aa6520)
nt!NtCreateUserProcess+0x70e (fffff800`01ab2947):
call to nt!PspInsertThread (fffff800`01af4c10)
nt!NtCreateUserProcess+0x74f (fffff800`01ab2988):
call to nt!PspCreateObjectHandle (fffff800`01b01e10)
nt!NtCreateUserProcess+0x775 (fffff800`01ab29ae):
call to nt!memmove (fffff800`0186fce0)
nt!NtCreateUserProcess+0x7ca (fffff800`01ab2a03):
call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
nt!NtCreateUserProcess+0x7d9 (fffff800`01ab2a12):
call to nt!SeDeleteAccessState (fffff800`01b02f8c)
nt!NtCreateUserProcess+0x7e9 (fffff800`01ab2a22):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!NtCreateUserProcess+0x7f1 (fffff800`01ab2a2a):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!NtCreateUserProcess+0x7fe (fffff800`01ab2a37):
call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)
nt!NtCreateUserProcess+0x810 (fffff800`01ab2a49):
call to nt!_security_check_cookie (fffff800`01895e50)
nt!NtCreateUserProcess+0x862 (fffff800`01ab2a9b):
call to nt!ZwOpenFile (fffff800`01873480)
nt!NtCreateUserProcess+0x884 (fffff800`01ab2abd):
call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
nt! ?? ::NNGAKEGL::`string'+0x4f944 (fffff800`01b55164):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt! ?? ::NNGAKEGL::`string'+0x4f9a5 (fffff800`01b551c5):
call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
nt! ?? ::NNGAKEGL::`string'+0x4fa80 (fffff800`01b55298):
call to nt!PspGetContextThreadInternal (fffff800`01b02660)
nt! ?? ::NNGAKEGL::`string'+0x4faf3 (fffff800`01b55303):
call to nt!ExfTryToWakePushLock (fffff800`0186b924)
nt! ?? ::NNGAKEGL::`string'+0x4fb21 (fffff800`01b55325):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x4fb3e (fffff800`01b55342):
call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
nt! ?? ::NNGAKEGL::`string'+0x4fb92 (fffff800`01b55392):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x4fba0 (fffff800`01b553a0):
call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
nt! ?? ::NNGAKEGL::`string'+0x4fbb2 (fffff800`01b553b2):
call to nt!PsTerminateProcess (fffff800`01b94140)

The check for import of disallowed API during post-process initialization (p. 361)

CsrCreateProcess (pp. 361 - 362) - Here’s a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CsrCreateProcess
CSRSRV!CsrCreateProcess (000007fe`fd8c76c8)
CSRSRV!CsrCreateProcess+0x18 (000007fe`fd8c76e0):
call to CSRSRV!CsrpCreateProcess (000007fe`fd8c7280)

0: kd> uf /c CsrpCreateProcess
CSRSRV!CsrpCreateProcess (000007fe`fd8c7280)
CSRSRV!CsrpCreateProcess+0x2e (000007fe`fd8c72ae):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
CSRSRV!CsrpCreateProcess+0x66 (000007fe`fd8c72e6):
call to CSRSRV!CsrCreateThread (000007fe`fd8c77fc)
CSRSRV!CsrpCreateProcess+0x78 (000007fe`fd8c72f8):
call to ntdll!ZwClose (00000000`77476e00)
CSRSRV!CsrpCreateProcess+0x83 (000007fe`fd8c7303):
call to CSRSRV!CsrAllocateProcess (000007fe`fd8c715c)
CSRSRV!CsrpCreateProcess+0xa4 (000007fe`fd8c7324):
call to CSRSRV!CsrGetProcessLuid (000007fe`fd8c8790)
CSRSRV!CsrpCreateProcess+0x114 (000007fe`fd8c7394):
call to CSRSRV!memcpy (000007fe`fd8cadec)
CSRSRV!CsrpCreateProcess+0x1ab (000007fe`fd8c742b):
call to ntdll!NtSetInformationProcess (00000000`77476ed0)
CSRSRV!CsrpCreateProcess+0x1d2 (000007fe`fd8c7452):
call to ntdll!NtSetInformationProcess (00000000`77476ed0)
CSRSRV!CsrpCreateProcess+0x257 (000007fe`fd8c74d7):
call to ntdll!NtSetInformationProcess (00000000`77476ed0)
CSRSRV!CsrpCreateProcess+0x277 (000007fe`fd8c74f7):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x2d8 (000007fe`fd8c7558):
call to ntdll!NtQueryInformationThread (00000000`77476f60)
CSRSRV!CsrpCreateProcess+0x2f0 (000007fe`fd8c7570):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x2fd (000007fe`fd8c757d):
call to CSRSRV!CsrAllocateThread (000007fe`fd8c7b94)
CSRSRV!CsrpCreateProcess+0x32d (000007fe`fd8c75ad):
call to CSRSRV!CsrInsertThread (000007fe`fd8c7bfc)
CSRSRV!CsrpCreateProcess+0x344 (000007fe`fd8c75c4):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x356 (000007fe`fd8c75d6):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x365 (000007fe`fd8c75e5):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
CSRSRV!CsrpCreateProcess+0x393 (000007fe`fd8c7613):
call to CSRSRV!CsrSetBackgroundPriority (000007fe`fd8c712c)
CSRSRV!CsrpCreateProcess+0x3b6 (000007fe`fd8c7636):
call to CSRSRV!CsrInsertProcess (000007fe`fd8c71f0)
CSRSRV!CsrpCreateProcess+0x3d8 (000007fe`fd8c7658):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)

No elevation, virtualization and compatibility checks for protected processes (p. 362)

KiThreadStartup (p. 363) - it looks like on x64 W2K8 it is KxStartUserThread that has this high-level call structure:

0: kd> uf /c nt!KxStartUserThread
nt!KxStartUserThread (fffff800`018b56e0)
nt!KiStartUserThread+0x12 (fffff800`018b5756):
unresolvable call: call    qword ptr [rsp+10h]
nt!KiStartUserThread+0x9f (fffff800`018b57e3):
call to nt!KiInitiateUserApc (fffff800`0189d710)
nt!KiStartUserThread+0xbc (fffff800`018b5800):
call to nt!KiRestoreDebugRegisterState (fffff800`01878860)

PspUserThreadStartup (p. 363) - high-level call structure on x64 W2K8

0: kd> uf /c PspUserThreadStartup
nt!PspUserThreadStartup (fffff800`01b01ae4)
nt!PspUserThreadStartup+0xa1 (fffff800`01b01b85):
call to nt!MmGetSessionLocaleId (fffff800`01b028a4)
nt!PspUserThreadStartup+0xdc (fffff800`01b01bc0):
call to nt!DbgkCreateThread (fffff800`01b02cc0)
nt!PspUserThreadStartup+0x100 (fffff800`01b01be4):
call to nt!PfProcessCreateNotification (fffff800`01ab46cc)
nt!PspUserThreadStartup+0x121 (fffff800`01b01c05):
call to nt!PspInitializeThunkContext (fffff800`01b028e4)
nt! ?? ::NNGAKEGL::`string'+0x42263 (fffff800`01b48d5a):
call to nt!ExfAcquirePushLockExclusive (fffff800`0186aa60)
nt! ?? ::NNGAKEGL::`string'+0x4226b (fffff800`01b48d62):
call to nt!ExfReleasePushLockExclusive (fffff800`018c4b98)
nt! ?? ::NNGAKEGL::`string'+0x42283 (fffff800`01b48d7a):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x42299 (fffff800`01b48d90):
call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)

System-wide cookie in SharedUserData for pointer encoding/decoding API (p. 363)

LdrInitializeThunk (p. 364) - high-level call structure on x64 W2K8

0: kd> uf /c LdrInitializeThunk
ntdll!LdrInitializeThunk (00000000`774568d0)
ntdll!LdrInitializeThunk+0x9 (00000000`774568d9):
    call to ntdll!LdrpInitialize (00000000`77456990)
  ntdll!LdrInitializeThunk+0×13 (00000000`774568e3):
    call to ntdll!ZwContinue (00000000`77477140)
  ntdll!LdrInitializeThunk+0×1a (00000000`774568ea):
call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
ntdll!RtlAllocateActivationContextStack+0×29 (00000000`7745692d):
call to ntdll!RtlAllocateHeap (00000000`774789b0)

0: kd> uf /c LdrpInitialize
Matched: 00000000`774567f0 ntdll!LdrpInitialize = <no type information>
Matched: 00000000`77456990 ntdll!LdrpInitialize = <no type information>
Ambiguous symbol error at ‘LdrpInitialize’

0: kd> uf /c 00000000`77456990
Flow analysis was incomplete, some code may be missing
ntdll!LdrpInitialize (00000000`77456990)
ntdll!LdrpInitialize+0xaa (00000000`7745689a):
    call to ntdll!LdrpInitializeThread (00000000`77470770)
  ntdll!LdrpInitialize+0xaf (00000000`7745689f):
call to ntdll!ZwTestAlert (00000000`77478490)
ntdll! ?? ::FNODOBFM::`string’+0×20948 (00000000`7746bb8b):
call to ntdll!RtlInitializeSRWLock (00000000`774687f0)
ntdll! ?? ::FNODOBFM::`string’+0×20954 (00000000`7746bb97):
    call to ntdll!LdrpInitializeProcess (00000000`7746ca20)
  ntdll! ?? ::FNODOBFM::`string’+0×20b40 (00000000`7746d540):
call to ntdll!InitSecurityCookie (00000000`7746d560)
ntdll! ?? ::FNODOBFM::`string’+0×20ae4 (00000000`7746e52f):
call to ntdll!NtDelayExecution (00000000`77477050)

0: kd> uf /c ntdll!LdrpInitializeThread
ntdll!LdrpInitializeThread (00000000`77470770)
ntdll!LdrShutdownThread+0x139 (00000000`77437544):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrpInitializeThread+0x16d (00000000`774376f8):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrShutdownThread+0x124 (00000000`77448199):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrShutdownThread+0x149 (00000000`774481b5):
unresolvable call: call    rsi
ntdll!LdrShutdownThread+0x151 (00000000`774481bd):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll!LdrShutdownThread+0x68 (00000000`77448238):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll!LdrShutdownThread+0x1cd (00000000`774483cf):
call to ntdll!LdrpFreeTls (00000000`774482f0)
ntdll!LdrShutdownThread+0x1e1 (00000000`774483e3):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll!LdrShutdownThread+0x1e6 (00000000`774483e8):
call to ntdll!LdrpCleanupThreadTlsData (00000000`77448490)
ntdll!LdrShutdownThread+0x213 (00000000`77448415):
call to ntdll!RtlFreeHeap (00000000`77478c80)
ntdll!LdrShutdownThread+0x246 (00000000`77448448):
call to ntdll!RtlFreeActivationContextStack (00000000`774480a0)
ntdll!LdrpInitializeThread+0x264 (00000000`774706bf):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll!LdrpInitializeThread+0x43 (00000000`774707b3):
call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
ntdll!LdrpInitializeThread+0x5f (00000000`774707cf):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll!LdrpInitializeThread+0x65 (00000000`774707d5):
call to ntdll!LdrpAllocateTls (00000000`774569d0)
ntdll!LdrpInitializeThread+0x13e (00000000`774708ae):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrpInitializeThread+0x161 (00000000`774708d5):
unresolvable call: call    rsi
ntdll!LdrpInitializeThread+0x17c (00000000`774708e1):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll!LdrpInitializeThread+0x1a9 (00000000`7749017c):
call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
ntdll!LdrpInitializeThread+0x1b5 (00000000`77490188):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll!LdrpInitializeThread+0x1d0 (00000000`774901a3):
call to ntdll!NtDelayExecution (00000000`77477050)
ntdll!LdrpInitializeThread+0x1dc (00000000`774901af):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll!LdrpInitializeThread+0x233 (00000000`7749020a):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrpInitializeThread+0x245 (00000000`7749021c):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrpInitializeThread+0x250 (00000000`77490227):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll!LdrShutdownThread+0x1ab (00000000`7749027e):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrShutdownThread+0x1bd (00000000`77490290):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrShutdownThread+0x1c8 (00000000`7749029b):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll! ?? ::FNODOBFM::`string'+0x15c61 (00000000`774bd160):
call to ntdll!NtDelayExecution (00000000`77477050)
ntdll! ?? ::FNODOBFM::`string'+0x15c6e (00000000`774bd16d):
call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
ntdll! ?? ::FNODOBFM::`string'+0x15cb0 (00000000`774bd1a6):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll! ?? ::FNODOBFM::`string'+0x15cbc (00000000`774bd1b2):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll! ?? ::FNODOBFM::`string'+0x15cd7 (00000000`774bd1cd):
call to ntdll!RtlFreeHeap (00000000`77478c80)
ntdll! ?? ::FNODOBFM::`string'+0x15cfd (00000000`774bd1f3):
call to ntdll!RtlFreeHeap (00000000`77478c80)

0: kd> uf /c ntdll!LdrpInitializeProcess
Flow analysis was incomplete, some code may be missing
ntdll!LdrpInitializeProcess (00000000`7746ca20)
ntdll!LdrpInitializeProcess+0xf88 (00000000`7746bc0d):
call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0)
ntdll!LdrpInitializeProcess+0xf9c (00000000`7746bc21):
call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50)
ntdll!LdrpInitializeProcess+0xfa4 (00000000`7746bc29):
call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380)
ntdll!LdrpInitializeProcess+0x1098 (00000000`7746bc76):
call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00)
ntdll!LdrpInitializeProcess+0x10f1 (00000000`7746bccd):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0x110f (00000000`7746bceb):
call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0)
ntdll!LdrpInitializeProcess+0x1123 (00000000`7746bcff):
call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50)
ntdll!LdrpInitializeProcess+0x1128 (00000000`7746bd04):
call to ntdll!RtlInitializeHistoryTable (00000000`7746da90)
ntdll!LdrpInitializeProcess+0x11c9 (00000000`7746bd4f):
call to ntdll!RtlpInitCurrentDir (00000000`7746db70)
ntdll!LdrpInitializeProcess+0x1648 (00000000`7746bdca):
call to ntdll!LdrLoadDll (00000000`77463e30)
ntdll!LdrpInitializeProcess+0x16ba (00000000`7746bdf9):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x171f (00000000`7746be16):
call to ntdll!LdrpWalkImportDescriptor (00000000`77466390)
ntdll!LdrpInitializeProcess+0x18cd (00000000`7746be5b):
call to ntdll!LdrpInitializeTls (00000000`7746e380)
ntdll!LdrpInitializeProcess+0x1940 (00000000`7746be88):
call to ntdll!LdrpRunInitializeRoutines (00000000`77464650)
ntdll!LdrpInitializeProcess+0x138e (00000000`7746bedf):
call to ntdll!LdrLoadDll (00000000`77463e30)
ntdll!LdrpInitializeProcess+0x13ff (00000000`7746bf0d):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x1475 (00000000`7746bf3b):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x14eb (00000000`7746bf69):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x19f5 (00000000`7746bfc5):
call to ntdll!_security_check_cookie (00000000`7747acb0)
ntdll!LdrpInitializeProcess+0x32 (00000000`7746ca52):
call to ntdll!RtlSetUnhandledExceptionFilter (00000000`7746c2d0)
ntdll!LdrpInitializeProcess+0xe9 (00000000`7746ca9a):
call to ntdll!RtlInitNlsTables (00000000`7746c920)
ntdll!LdrpInitializeProcess+0xf6 (00000000`7746caa7):
call to ntdll!RtlResetRtlTranslations (00000000`7746c410)
ntdll!LdrpInitializeProcess+0xfe (00000000`7746caaf):
call to ntdll!RtlpInitSRWLock (00000000`7746c530)
ntdll!LdrpInitializeProcess+0x103 (00000000`7746cab4):
call to ntdll!RtlpInitConditionVariable (00000000`7746c550)
ntdll!LdrpInitializeProcess+0x213 (00000000`7746cb7d):
call to ntdll!RtlImageNtHeader (00000000`774567b0)
ntdll!LdrpInitializeProcess+0x273 (00000000`7746cbd7):
call to ntdll!LdrpInitializeExecutionOptions (00000000`7746c6b0)
ntdll!LdrpInitializeProcess+0x353 (00000000`7746cc2f):
call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940)
ntdll!LdrpInitializeProcess+0x3cd (00000000`7746cc95):
call to ntdll!RtlNormalizeProcessParams (00000000`7746c2f0)
ntdll!LdrpInitializeProcess+0x423 (00000000`7746cce3):
call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940)
ntdll!LdrpInitializeProcess+0x448 (00000000`7746cd02):
call to ntdll!memset (00000000`77478830)
ntdll!LdrpInitializeProcess+0x58c (00000000`7746cd53):
call to ntdll!RtlpInitDeferredCriticalSection (00000000`7746c640)
ntdll!LdrpInitializeProcess+0x7d5 (00000000`7746ceb5):
call to ntdll!RtlInitializeCriticalSection (00000000`77455d20)
ntdll!LdrpInitializeProcess+0x7fb (00000000`7746cedb):
call to ntdll!RtlInitializeHeapManager (00000000`7746c7a0)
ntdll!LdrpInitializeProcess+0x84b (00000000`7746cf2a):
call to ntdll!RtlCreateHeap (00000000`77466ed0)
ntdll!LdrpInitializeProcess+0x8e2 (00000000`7746cf51):
call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
ntdll!LdrpInitializeProcess+0x8f6 (00000000`7746cf65):
call to ntdll!EtwpInitializeDll (00000000`7746c250)
ntdll!LdrpInitializeProcess+0x916 (00000000`7746cf85):
call to ntdll!RtlCreateTagHeap (00000000`7746d320)
ntdll!LdrpInitializeProcess+0x942 (00000000`7746cfb1):
call to ntdll!RtlCreateTagHeap (00000000`7746d320)
ntdll!LdrpInitializeProcess+0x962 (00000000`7746cfd1):
call to ntdll!RtlpInitEnvironmentBlock (00000000`7746d380)
ntdll!LdrpInitializeProcess+0x96f (00000000`7746cfde):
call to ntdll!RtlpInitParameterBlock (00000000`7746d7f0)
ntdll!LdrpInitializeProcess+0xa5e (00000000`7746d068):
call to ntdll!RtlInitUnicodeString (00000000`7747ad10)
ntdll!LdrpInitializeProcess+0xa73 (00000000`7746d07d):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0xa87 (00000000`7746d091):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0xaf0 (00000000`7746d0fe):
call to ntdll!ZwOpenDirectoryObject (00000000`77477290)
ntdll!LdrpInitializeProcess+0xc2a (00000000`7746d171):
call to ntdll!ZwOpenSymbolicLinkObject (00000000`77477cb0)
ntdll!LdrpInitializeProcess+0xc6b (00000000`7746d1b2):
call to ntdll!ZwQuerySymbolicLinkObject (00000000`77477f60)
ntdll!LdrpInitializeProcess+0xc7a (00000000`7746d1c1):
call to ntdll!ZwClose (00000000`77476e00)
ntdll!LdrpInitializeProcess+0xe50 (00000000`7746d24d):
call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380)
ntdll!LdrpInitializeProcess+0xee4 (00000000`7746d289):
call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00)
ntdll!LdrpInitializeProcess+0x30d (00000000`77473eb0):
call to ntdll!NtQueryInformationProcess (00000000`77476ea0)
ntdll!LdrpInitializeProcess+0x635 (00000000`77473ef0):
call to ntdll!RtlSetBits (00000000`77466c00)
ntdll!LdrpInitializeProcess+0x873 (00000000`77473f19):
call to ntdll!RtlCreateHeap (00000000`77466ed0)
ntdll!LdrpInitializeProcess+0xbb8 (00000000`774744f9):
call to ntdll!ZwOpenDirectoryObject (00000000`77477290)
ntdll!LdrpInitializeProcess+0xe10 (00000000`77474554):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0x77 (00000000`77490a96):
call to ntdll!NtQueryVirtualMemory (00000000`77476f40)
ntdll!LdrpInitializeProcess+0xb3 (00000000`77490ad2):
call to ntdll!NtQueryVirtualMemory (00000000`77476f40)
ntdll!LdrpInitializeProcess+0x2d2 (00000000`77490b92):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0x2db (00000000`77490b9d):
call to ntdll!DbgBreakPoint (00000000`77476060)
ntdll!LdrpInitializeProcess+0x720 (00000000`77490d34):
call to ntdll!LdrQueryImageFileExecutionOptions (00000000`77473260)
ntdll!LdrpInitializeProcess+0x790 (00000000`77490da4):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0x79a (00000000`77490dae):
call to ntdll!DbgBreakPoint (00000000`77476060)
ntdll!LdrpInitializeProcess+0x7c6 (00000000`77490dda):
call to ntdll!RtlControlStackTraceDataBase (00000000`774e3cd0)
ntdll!LdrpInitializeProcess+0x8ac (00000000`77490e27):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0x8bf (00000000`77490e3a):
call to ntdll!DbgBreakPoint (00000000`77476060)
ntdll!LdrpInitializeProcess+0x9ff (00000000`77490e8c):
call to ntdll!RtlQueryImageFileKeyOption (00000000`77473320)
ntdll!LdrpInitializeProcess+0xb0f (00000000`77490ee2):
call to ntdll!RtlInitUnicodeString (00000000`7747ad10)
ntdll!LdrpInitializeProcess+0xcea (00000000`77490f57):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0xd01 (00000000`77490f6e):
call to ntdll!LdrpInitializationFailure (00000000`774ed120)
ntdll!LdrpInitializeProcess+0xd3f (00000000`77490f82):
call to ntdll!RtlAllocateHeap (00000000`774789b0)
ntdll!LdrpInitializeProcess+0xd7d (00000000`77490fc0):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0xd90 (00000000`77490fd3):
call to ntdll!DbgBreakPoint (00000000`77476060)

Private vs. shared assemblies (p. 365)

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

CreateProcess and Increase Scheduling Priority privilege (p. 351)

MS-DOS apps share the same VDM (p. 353)

HKLM\S\CCS\C\WOW\DefaultSeparateVDM (p. 353)

IMAGE_FILE_UP_SYSTEM_ONLY PE characteristic to run on a single CPU (p. 358)

Upon creation initial thread starts in kernel mode in KiThreadStartup (p. 360)

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Kernel Process variables (p. 343)

0: kd> !process poi(PsIdleProcess)
PROCESS fffff800019910c0
SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 606.
Image: Idle
VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token                             fffff88000003330
ElapsedTime                       00:00:00.000
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         0
QuotaPoolUsage[NonPagedPool]      0
Working Set Sizes (now,min,max)  (6, 50, 450) (24KB, 200KB, 1800KB)
PeakWorkingSetSize                6
VirtualSize                       0 Mb
PeakVirtualSize                   0 Mb
PageFaultCount                    1
MemoryPriority                    BACKGROUND
BasePriority                      0
CommitCharge                      0

        THREAD fffff80001990b80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff88000007310
Owning Process            fffff800019910c0       Image:         Idle
Attached Process          fffffa8003bf1040       Image:         System
Wait Start TickCount      16021          Ticks: 13224 (0:00:03:26.295)
Context Switch Count      142852
UserTime                  00:00:00.000
KernelTime                00:06:13.700
Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
Stack Init fffff80002bdadb0 Current fffff80002bdad40
Base fffff80002bdb000 Limit fffff80002bd5000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP          RetAddr           Call Site
fffff800`02bdad80 fffff800`01a43860 nt!KiIdleLoop+0x11b
fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

        THREAD fffffa60005f5d40  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap                 fffff88000007310
Owning Process            fffff800019910c0       Image:         Idle
Attached Process          fffffa8003bf1040       Image:         System
Wait Start TickCount      0              Ticks: 29245 (0:00:07:36.224)
Context Switch Count      162365
UserTime                  00:00:00.000
KernelTime                00:06:14.808
Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
Stack Init fffffa600191bdb0 Current fffffa600191bd40
Base fffffa600191c000 Limit fffffa6001916000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP          RetAddr           Call Site
fffffa60`0191bd80 fffff800`01a43860 nt!KiIdleLoop+0x11b
fffffa60`0191bdb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

Relevant process functions (pp. 344 - 345) - More of them can be found here: http://msdn.microsoft.com/en-us/library/ms684847(VS.85).aspx

Protected processes (pp. 346 - 348) - It can be seen in _EPROCESS block (the output taken from a complete memory dump):

0: kd> dt _EPROCESS fffffa8004b5e040
ntdll!_EPROCESS
[...]
+0x36c ProtectedProcess : 0y1
[...]

The following script lists protected processes on W2K8:

0: kd> !for_each_process "dt _EPROCESS ImageFileName @#Process; dt _EPROCESS ProtectedProcess @#Process"
ntdll!_EPROCESS
+0x238 ImageFileName : [16]  "System"
ntdll!_EPROCESS
+0x36c ProtectedProcess : 0y1
[...]
ntdll!_EPROCESS
+0x238 ImageFileName : [16]  "audiodg.exe"
ntdll!_EPROCESS
+0x36c ProtectedProcess : 0y1
[...]

System process is protected because of Ksecdd.sys stores info in user space (p. 347)

PROCESS_QUERY_LIMITED_INFORMATION (p. 347)

Access violation by design for Protected Media Path processes when a kernel-mode debugger is enabled (p. 348) - this is not an optimal design in my opinion - I had problems with that: http://www.dumpanalysis.org/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/. The better way is to show a message box and gracefully exit and only emit AV if message box is bypassed. 

Advanced .NET Debugging by M. Hewardt:

PE format and its relation to .NET (pp. 26 - 27)

AddressOfEntryPoint (pp. 28 - 29 and p. 31) - we can also use !dh command to find that address (similar to what dumpbin.exe does):

0:001> lm m notepad
start             end                 module name
00000000`ff180000 00000000`ff1af000   notepad    (deferred)        

0:001> !dh 00000000`ff180000
[...]
OPTIONAL HEADER VALUES
20B magic #
8.00 linker version
E400 size of code
1CC00 size of initialized data
0 size of uninitialized data
D1B4 address of entry point
1000 base of code
—– new —–
00000000ff180000 image base
1000 section alignment
200 file alignment
2 subsystem (Windows GUI)
6.00 operating system version
6.00 image version
6.00 subsystem version
2F000 size of image
400 size of headers
32C26 checksum
[…]

0:001> u 00000000`ff180000+D1B4
notepad!WinMainCRTStartup:
00000000`ff18d1b4 4883ec28        sub     rsp,28h
00000000`ff18d1b8 e88b020000      call    notepad!_security_init_cookie (00000000`ff18d448)
00000000`ff18d1bd 4883c428        add     rsp,28h
00000000`ff18d1c1 e9b6fcffff      jmp     notepad!IsTextUTF8+0xc0 (00000000`ff18ce7c)
00000000`ff18d1c6 cc              int     3
00000000`ff18d1c7 cc              int     3
00000000`ff18d1c8 cc              int     3
00000000`ff18d1c9 cc              int     3

Application domains in ASP.NET; 3 default app domains (system, shared, default) in normal app (p. 34)

!dumpdomain SOS command (pp. 35 - 36)

Low(High)FrequencyHeap and StubHeap (p. 36) - Looks like they are not normal heaps or heap segments. I plan to test all commands on x64 .NET:

0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef15a8ef0
LowFrequencyHeap: 000007fef15a8f38
HighFrequencyHeap: 000007fef15a8fc8
StubHeap: 000007fef15a9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef15a9860
LowFrequencyHeap: 000007fef15a98a8
HighFrequencyHeap: 000007fef15a9938
StubHeap: 000007fef15a99c8
Stage: OPEN
Name: None
Assembly: 0000000000372d10
--------------------------------------
Domain 1: 0000000000360840
LowFrequencyHeap: 0000000000360888
HighFrequencyHeap: 0000000000360918
StubHeap: 00000000003609a8
Stage: OPEN
SecurityDescriptor: 00000000003630e0
Name: TestCLR.exe
[...]

A few have probably noticed (following numerous Twitter updates) my preference for combining lunches with book and  magazine (a mini-book) reading (also combined with Mod N reading system). From now on this activity obtains the status of a ritual in Memorianity and depicted on this physicalist art picture (the choice of book titles is arbitrary and fully coincidental for this post):

- Dmitry Vostokov @ Memory Religion Portal -

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Diagnostic Policy Service, DPS (pp. 330 - 331)

SMART (p. 332) - Don’t confuse with recursive acronym Smart Memory Analysis in Real Time (coined by me)

Windows system responsiveness performance diagnostics (p. 332)

Program Compatibility Assistant, PCA (p. 333)

_EPROCESS and _KPROCESS (pp. 337 - 339) - x64 equivalents from W2K8:

lkd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb              : _KPROCESS
+0x0c0 ProcessLock      : _EX_PUSH_LOCK
+0x0c8 CreateTime       : _LARGE_INTEGER
+0x0d0 ExitTime         : _LARGE_INTEGER
+0x0d8 RundownProtect   : _EX_RUNDOWN_REF
+0x0e0 UniqueProcessId  : Ptr64 Void
+0x0e8 ActiveProcessLinks : _LIST_ENTRY
+0x0f8 QuotaUsage       : [3] Uint8B
+0x110 QuotaPeak        : [3] Uint8B
+0x128 CommitCharge     : Uint8B
+0x130 PeakVirtualSize  : Uint8B
+0x138 VirtualSize      : Uint8B
+0x140 SessionProcessLinks : _LIST_ENTRY
+0x150 DebugPort        : Ptr64 Void
+0x158 ExceptionPortData : Ptr64 Void
+0x158 ExceptionPortValue : Uint8B
+0x158 ExceptionPortState : Pos 0, 3 Bits
+0x160 ObjectTable      : Ptr64 _HANDLE_TABLE
+0x168 Token            : _EX_FAST_REF
+0x170 WorkingSetPage   : Uint8B
+0x178 AddressCreationLock : _EX_PUSH_LOCK
+0x180 RotateInProgress : Ptr64 _ETHREAD
+0x188 ForkInProgress   : Ptr64 _ETHREAD
+0x190 HardwareTrigger  : Uint8B
+0x198 PhysicalVadRoot  : Ptr64 _MM_AVL_TABLE
+0x1a0 CloneRoot        : Ptr64 Void
+0x1a8 NumberOfPrivatePages : Uint8B
+0x1b0 NumberOfLockedPages : Uint8B
+0x1b8 Win32Process     : Ptr64 Void
+0x1c0 Job              : Ptr64 _EJOB
+0x1c8 SectionObject    : Ptr64 Void
+0x1d0 SectionBaseAddress : Ptr64 Void
+0x1d8 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x1e0 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY
+0x1e8 Win32WindowStation : Ptr64 Void
+0x1f0 InheritedFromUniqueProcessId : Ptr64 Void
+0x1f8 LdtInformation   : Ptr64 Void
+0x200 Spare            : Ptr64 Void
+0x208 VdmObjects       : Ptr64 Void
+0x210 DeviceMap        : Ptr64 Void
+0x218 EtwDataSource    : Ptr64 Void
+0x220 FreeTebHint      : Ptr64 Void
+0x228 PageDirectoryPte : _HARDWARE_PTE
+0x228 Filler           : Uint8B
+0x230 Session          : Ptr64 Void
+0x238 ImageFileName    : [16] UChar
+0x248 JobLinks         : _LIST_ENTRY
+0x258 LockedPagesList  : Ptr64 Void
+0x260 ThreadListHead   : _LIST_ENTRY
+0x270 SecurityPort     : Ptr64 Void
+0x278 Wow64Process     : Ptr64 Void
+0x280 ActiveThreads    : Uint4B
+0x284 ImagePathHash    : Uint4B
+0x288 DefaultHardErrorProcessing : Uint4B
+0x28c LastThreadExitStatus : Int4B
+0x290 Peb              : Ptr64 _PEB
+0x298 PrefetchTrace    : _EX_FAST_REF
+0x2a0 ReadOperationCount : _LARGE_INTEGER
+0x2a8 WriteOperationCount : _LARGE_INTEGER
+0x2b0 OtherOperationCount : _LARGE_INTEGER
+0x2b8 ReadTransferCount : _LARGE_INTEGER
+0x2c0 WriteTransferCount : _LARGE_INTEGER
+0x2c8 OtherTransferCount : _LARGE_INTEGER
+0x2d0 CommitChargeLimit : Uint8B
+0x2d8 CommitChargePeak : Uint8B
+0x2e0 AweInfo          : Ptr64 Void
+0x2e8 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x2f0 Vm               : _MMSUPPORT
+0x358 MmProcessLinks   : _LIST_ENTRY
+0x368 ModifiedPageCount : Uint4B
+0x36c Flags2           : Uint4B
+0x36c JobNotReallyActive : Pos 0, 1 Bit
+0x36c AccountingFolded : Pos 1, 1 Bit
+0x36c NewProcessReported : Pos 2, 1 Bit
+0x36c ExitProcessReported : Pos 3, 1 Bit
+0x36c ReportCommitChanges : Pos 4, 1 Bit
+0x36c LastReportMemory : Pos 5, 1 Bit
+0x36c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x36c HandleTableRundown : Pos 7, 1 Bit
+0x36c NeedsHandleRundown : Pos 8, 1 Bit
+0x36c RefTraceEnabled  : Pos 9, 1 Bit
+0x36c NumaAware        : Pos 10, 1 Bit
+0x36c ProtectedProcess : Pos 11, 1 Bit
+0x36c DefaultPagePriority : Pos 12, 3 Bits
+0x36c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x36c ProcessVerifierTarget : Pos 16, 1 Bit
+0x36c StackRandomizationDisabled : Pos 17, 1 Bit
+0x36c AffinityPermanent : Pos 18, 1 Bit
+0x36c AffinityUpdateEnable : Pos 19, 1 Bit
+0x36c CrossSessionCreate : Pos 20, 1 Bit
+0x370 Flags            : Uint4B
+0x370 CreateReported   : Pos 0, 1 Bit
+0x370 NoDebugInherit   : Pos 1, 1 Bit
+0x370 ProcessExiting   : Pos 2, 1 Bit
+0x370 ProcessDelete    : Pos 3, 1 Bit
+0x370 Wow64SplitPages  : Pos 4, 1 Bit
+0x370 VmDeleted        : Pos 5, 1 Bit
+0x370 OutswapEnabled   : Pos 6, 1 Bit
+0x370 Outswapped       : Pos 7, 1 Bit
+0x370 ForkFailed       : Pos 8, 1 Bit
+0x370 Wow64VaSpace4Gb  : Pos 9, 1 Bit
+0x370 AddressSpaceInitialized : Pos 10, 2 Bits
+0x370 SetTimerResolution : Pos 12, 1 Bit
+0x370 BreakOnTermination : Pos 13, 1 Bit
+0x370 DeprioritizeViews : Pos 14, 1 Bit
+0x370 WriteWatch       : Pos 15, 1 Bit
+0x370 ProcessInSession : Pos 16, 1 Bit
+0x370 OverrideAddressSpace : Pos 17, 1 Bit
+0x370 HasAddressSpace  : Pos 18, 1 Bit
+0x370 LaunchPrefetched : Pos 19, 1 Bit
+0x370 InjectInpageErrors : Pos 20, 1 Bit
+0x370 VmTopDown        : Pos 21, 1 Bit
+0x370 ImageNotifyDone  : Pos 22, 1 Bit
+0x370 PdeUpdateNeeded  : Pos 23, 1 Bit
+0x370 VdmAllowed       : Pos 24, 1 Bit
+0x370 SmapAllowed      : Pos 25, 1 Bit
+0x370 ProcessInserted  : Pos 26, 1 Bit
+0x370 DefaultIoPriority : Pos 27, 3 Bits
+0x370 ProcessSelfDelete : Pos 30, 1 Bit
+0x370 SpareProcessFlags : Pos 31, 1 Bit
+0x374 ExitStatus       : Int4B
+0x378 Spare7           : Uint2B
+0x37a SubSystemMinorVersion : UChar
+0x37b SubSystemMajorVersion : UChar
+0x37a SubSystemVersion : Uint2B
+0x37c PriorityClass    : UChar
+0x380 VadRoot          : _MM_AVL_TABLE
+0x3c0 Cookie           : Uint4B
+0x3c8 AlpcContext      : _ALPC_PROCESS_CONTEXT

lkd> dt _KPROCESS
ntdll!_KPROCESS
+0x000 Header           : _DISPATCHER_HEADER
+0x018 ProfileListHead  : _LIST_ENTRY
+0x028 DirectoryTableBase : Uint8B
+0x030 Unused0          : Uint8B
+0x038 IopmOffset       : Uint2B
+0x040 ActiveProcessors : Uint8B
+0x048 KernelTime       : Uint4B
+0x04c UserTime         : Uint4B
+0x050 ReadyListHead    : _LIST_ENTRY
+0x060 SwapListEntry    : _SINGLE_LIST_ENTRY
+0x068 InstrumentationCallback : Ptr64 Void
+0x070 ThreadListHead   : _LIST_ENTRY
+0x080 ProcessLock      : Uint8B
+0x088 Affinity         : Uint8B
+0x090 AutoAlignment    : Pos 0, 1 Bit
+0x090 DisableBoost     : Pos 1, 1 Bit
+0x090 DisableQuantum   : Pos 2, 1 Bit
+0x090 ReservedFlags    : Pos 3, 29 Bits
+0x090 ProcessFlags     : Int4B
+0x094 BasePriority     : Char
+0x095 QuantumReset     : Char
+0x096 State            : UChar
+0x097 ThreadSeed       : UChar
+0x098 PowerState       : UChar
+0x099 IdealNode        : UChar
+0x09a Visited          : UChar
+0x09b Flags            : _KEXECUTE_OPTIONS
+0x09b ExecuteOptions   : UChar
+0x0a0 StackCount       : Uint8B
+0x0a8 ProcessListEntry : _LIST_ENTRY
+0x0b8 CycleTime        : Uint8B

Working set list, MMWSL (p. 340) - I guessed the structure name right:

lkd> dt _MMWSL
nt!_MMWSL
+0x000 FirstFree        : Uint4B
+0x004 FirstDynamic     : Uint4B
+0x008 LastEntry        : Uint4B
+0x00c NextSlot         : Uint4B
+0x010 Wsle             : Ptr64 _MMWSLE
+0x018 LowestPagableAddress : Ptr64 Void
+0x020 LastInitializedWsle : Uint4B
+0x024 NextEstimationSlot : Uint4B
+0x028 NextAgingSlot    : Uint4B
+0x02c EstimatedAvailable : Uint4B
+0x030 GrowthSinceLastEstimate : Uint4B
+0x034 NumberOfCommittedPageTables : Uint4B
+0x038 VadBitMapHint    : Uint4B
+0x03c NonDirectCount   : Uint4B
+0x040 LastVadBit       : Uint4B
+0x044 MaximumLastVadBit : Uint4B
+0x048 LastAllocationSizeHint : Uint4B
+0x04c LastAllocationSize : Uint4B
+0x050 NonDirectHash    : Ptr64 _MMWSLE_NONDIRECT_HASH
+0x058 HashTableStart   : Ptr64 _MMWSLE_HASH
+0x060 HighestPermittedHashAddress : Ptr64 _MMWSLE_HASH
+0x068 HighestUserAddress : Ptr64 Void
+0x070 MaximumUserPageTablePages : Uint4B
+0x074 MaximumUserPageDirectoryPages : Uint4B
+0x078 CommittedPageTables : Ptr64 Uint4B
+0x080 NumberOfCommittedPageDirectories : Uint4B
+0x088 CommittedPageDirectories : [128] Uint8B
+0x488 NumberOfCommittedPageDirectoryParents : Uint4B
+0x490 CommittedPageDirectoryParents : [1] Uint8B

PEB (pp. 341 - 342) - here’s x64 PEB structure from W2K8:

lkd> dt _PEB
ntdll!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged    : UChar
+0x003 BitField         : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsLegacyProcess  : Pos 2, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
+0x003 SpareBits        : Pos 5, 3 Bits
+0x008 Mutant           : Ptr64 Void
+0x010 ImageBaseAddress : Ptr64 Void
+0x018 Ldr              : Ptr64 _PEB_LDR_DATA
+0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
+0x028 SubSystemData    : Ptr64 Void
+0x030 ProcessHeap      : Ptr64 Void
+0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION
+0x040 AtlThunkSListPtr : Ptr64 Void
+0x048 IFEOKey          : Ptr64 Void
+0x050 CrossProcessFlags : Uint4B
+0x050 ProcessInJob     : Pos 0, 1 Bit
+0x050 ProcessInitializing : Pos 1, 1 Bit
+0x050 ProcessUsingVEH  : Pos 2, 1 Bit
+0x050 ProcessUsingVCH  : Pos 3, 1 Bit
+0x050 ReservedBits0    : Pos 4, 28 Bits
+0x058 KernelCallbackTable : Ptr64 Void
+0x058 UserSharedInfoPtr : Ptr64 Void
+0x060 SystemReserved   : [1] Uint4B
+0x064 SpareUlong       : Uint4B
+0x068 SparePebPtr0     : Uint8B
+0x070 TlsExpansionCounter : Uint4B
+0x078 TlsBitmap        : Ptr64 Void
+0x080 TlsBitmapBits    : [2] Uint4B
+0x088 ReadOnlySharedMemoryBase : Ptr64 Void
+0x090 HotpatchInformation : Ptr64 Void
+0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
+0x0a0 AnsiCodePageData : Ptr64 Void
+0x0a8 OemCodePageData  : Ptr64 Void
+0x0b0 UnicodeCaseTableData : Ptr64 Void
+0x0b8 NumberOfProcessors : Uint4B
+0x0bc NtGlobalFlag     : Uint4B
+0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
+0x0c8 HeapSegmentReserve : Uint8B
+0x0d0 HeapSegmentCommit : Uint8B
+0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
+0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
+0x0e8 NumberOfHeaps    : Uint4B
+0x0ec MaximumNumberOfHeaps : Uint4B
+0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void
+0x0f8 GdiSharedHandleTable : Ptr64 Void
+0x100 ProcessStarterHelper : Ptr64 Void
+0x108 GdiDCAttributeList : Uint4B
+0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION
+0x118 OSMajorVersion   : Uint4B
+0x11c OSMinorVersion   : Uint4B
+0x120 OSBuildNumber    : Uint2B
+0x122 OSCSDVersion     : Uint2B
+0x124 OSPlatformId     : Uint4B
+0x128 ImageSubsystem   : Uint4B
+0x12c ImageSubsystemMajorVersion : Uint4B
+0x130 ImageSubsystemMinorVersion : Uint4B
+0x138 ActiveProcessAffinityMask : Uint8B
+0x140 GdiHandleBuffer  : [60] Uint4B
+0x230 PostProcessInitRoutine : Ptr64     void
+0x238 TlsExpansionBitmap : Ptr64 Void
+0x240 TlsExpansionBitmapBits : [32] Uint4B
+0x2c0 SessionId        : Uint4B
+0x2c8 AppCompatFlags   : _ULARGE_INTEGER
+0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x2d8 pShimData        : Ptr64 Void
+0x2e0 AppCompatInfo    : Ptr64 Void
+0x2e8 CSDVersion       : _UNICODE_STRING
+0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x318 MinimumStackCommit : Uint8B
+0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO
+0x328 FlsListHead      : _LIST_ENTRY
+0x338 FlsBitmap        : Ptr64 Void
+0x340 FlsBitmapBits    : [4] Uint4B
+0x350 FlsHighIndex     : Uint4B
+0x358 WerRegistrationData : Ptr64 Void
+0x360 WerShipAssertPtr : Ptr64 Void

PEB and pointers to process heap (p. 340) - couldn’t find them after PEB on x86 and x64. Needs more clarification:

7: kd> !peb
PEB at 7ffdb000
[...]

7: kd> dt _PEB
ntdll!_PEB
[...]
+0x22c FlsHighIndex     : Uint4B

7: kd> dd 7ffdb000 +0x22c +4
7ffdb230  00000000 00000000 00000000 00000000
7ffdb240  00000000 00000000 00000000 00000000
7ffdb250  00000000 00000000 00000000 00000000
7ffdb260  00000000 00000000 00000000 00000000
7ffdb270  00000000 00000000 00000000 00000000
7ffdb280  00000000 00000000 00000000 00000000
7ffdb290  00000000 00000000 00000000 00000000
7ffdb2a0  00000000 00000000 00000000 00000000

Advanced .NET Debugging (Addison-Wesley Microsoft Technology Series)

I’ve just started reading this book (see my notes on Software Generalist blog) and this review is written from the perspective of an unmanaged and native software engineer (the last phrase sounds funny). Being a member of a software support of a large software company I analyze crash dumps that have mscorwks.dll on their stack traces. So if you see them too this book helps you to understand what this DLL is all about and how to dig inside the hidden world of .NET it manages. I’m on page 26 and will update this review as soon as I finish the book in a few months. Please also see my review of the previous Mario’s (co-authored with Daniel Pravat) book: Advanced Windows Debugging. It is of great importance to know .NET world for Windows maintenance engineers and I originally planned a similar book Unmanaged Code: Escaping the Matrix of .NET but didn’t have time to finish it yet

- Dmitry Vostokov @ DumpAnalysis.org -

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

WMI CIM Studio (pp. 321 - 322)

dynamic and static MOF classes (p. 323)

WbemTest, BMF (binary MOF), Mofcomp.exe (p. 323)

Object keys as WMI class instance specifiers (\\computer\root\namespace:class_name.Key1=”…”, Key2=”…”, … ) (pp. 324 - 325)

WMI association classes (p. 325)

WQL exampe (p. 327)

wmiprvse.exe as a WMI provider host (p. 327)

wmic.exe (p. 328)

Namespace level WMI secutiry (p. 329)

WDI, Windows Diagnostic Infrastructure and its instrumentation, DiagLog, SEM Scenario Event Mapper, on-demand diagnosis (pp. 329 - 330) - looks interesting, especially in the context of possible first fault software problem solving techniques (OpenTask has published a book on this topic: http://www.dumpanalysis.com/First+Fault+Software+Problem+Solving)

Advanced Windows Debugging by M. Hewardt and D. Pravat:

LRPC_CCALL(ADDRESS) vs. OSF_CCALL(ADDRESS) vs. DG_CCALL(ADDRESS) (pp. 389 - 390)

Undocumented MSRPC (p. 391) - there is an empirical technique to find LRPC server endpoint: http://www.dumpanalysis.org/blog/index.php/2008/07/11/in-search-of-lost-pid/

!lpc message (p. 393) - some additional scenarios can be found in patterns: http://www.dumpanalysis.org/blog/index.php/2008/12/17/crash-dump-analysis-patterns-part-42e/, http://www.dumpanalysis.org/blog/index.php/2007/11/29/crash-dump-analysis-patterns-part-9d/ and various case studies involving LPC chains: http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/

_PS_IMPERSONATION_INFORMATION (p. 395) - Looks like on W2K8 x64 it is another bit union:

lkd> dt -r _ETHREAD
[…]
+0×3b0 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT
      +0×000 ImpersonationData : Uint8B
+0×000 ImpersonationToken : Ptr64 Void
      +0×000 ImpersonationLevel : Pos 0, 2 Bits
+0×000 EffectiveOnly    : Pos 2, 1 Bit

RPC cell debugging configuration (pp. 397 - 398)

Advanced .NET Debugging by M. Hewardt:

Lutz Roeder’s .NET Reflector (pp. 15 - 16)

Roberto Farah’s PowerDbg (pp. 17 -18)

MDA Managed Debugging Assistants (pp. 19 - 21) - looks similar to WDI (Windows Diagnostic Infrastructure) on-demand diagnostics for unmanaged code mentioned in Windows Internals book

CLI(+BCL) -> CLR (p. 24)

Rotor (p. 25) - looks like it has the same value as WINE for unmanaged code: http://www.dumpanalysis.org/blog/index.php/2006/11/16/how-wine-can-help-in-crash-dump-analysis/

I always carry my blogging notebook with me. A few weeks ago I was pictured while trying to reach it and write down one of ideas that usually spring to my mind during nature and family walks:

I plan to update The Perfect Gift for a Blogger in Q1, 2010 taking into account my year long experience with it and various accumulated suggestions. It will also have a short Twitter section.

- Dmitry Vostokov @ DumpAnalysis.org -

The idea to have a reading notebook online came to me after I recalled that at school I heard that Lenin had Philosophical Notebooks. You can find them in Lenin Internet Library, volume 38 of his Collected Works. As a schoolboy, I was curious about Lenin’s notebooks and even borrowed them from the school library to see how they looked like inside. I wasn’t impressed though due to the lack of philosophical knowledge on my side but the idea stuck to my mind. At my school age I read his biography several times and my favourite episode was an assassination attempt by socialist revolutionary Fanny Kaplan.

- Dmitry Vostokov @ DumpAnalysis.org -

I resumed this week my reading notebook on Software Generalist blog with a top priority book to read every working day: Windows Internals, 5th edition. In reading notes I put what I find interesting for me (at this time) or related to Windows memory dump analysis or debugging and troubleshooting in general. For the latter case, sometimes I put additional references or even WinDbg examples from user, kernel and complete memory dumps in full color. Hope you find these notes useful too.

- Dmitry Vostokov @ DumpAnalysis.org -

I’ve decided to spend a few hours every week reading and / or re-reading various Intel 64 and IA-32 Architectures manuals to keep myself informed in differences between x64 and x86, revive Asmpedia and perhaps even apply gained insights to memory dump analysis. Today I read 2.1 - 2.2.5 sections from Volume 1 and here’s a rough picture of processor families that I assembled after reading:

Most of these models and their hardware architecture are discussed in this popular book that I read more than a year ago and still recommend without hesitation:

Inside the Machine 

- Dmitry Vostokov @ DumpAnalysis.org -

As soon as I wrote my review of the 2nd edition I found out that the 3rd edition was recently published and immediately bought it. I intend to read it from cover to cover again and publish my notes and comments in my reading notebook on Software Generalist blog. The new edition is also bundled with a companion CD.

Programming Language Pragmatics, Third Edition

Hope in one of subsequent editions the author includes my Riemann Programming Language :-)

- Dmitry Vostokov @ DumpAnalysis.org -

Long time ago a professor of mathematical analysis told me a joke about reading comprehension levels:

Level 1: You feel good while reading

Level 2: You can repeat what you’ve read

Level 3: You can refute what you’ve read

After looking at some books on my shelves that I bought last month including 11 volume history of philosophy I would like to add

Level 0: You feel good before reading

- Dmitry Vostokov @ DumpAnalysis.org -

If you are interested in mathematical ideas or want to learn serious math you can skip proofs when reading various math textbooks. My speed of math book processing greatly increased after I started to skip proofs of lemmas and theorems. The slow progress through proofs inhibited my reading advance in the past. Even professional mathematicians confess after a few beers how slow they are as Thomas Garrity mentioned in the preface to his book All the Mathematics You Missed. I found that it is more important is to read several books on the same subject to see different explanations and more examples than to concentrate on a one book. By skipping proofs I can now read 2-3 more books in the same amount of time.

- Dmitry Vostokov @ DumpAnalysis.org -