Archive for the ‘Windows 11’ Category

Crash Dump Analysis Patterns (Part 291)

Thursday, March 14th, 2024

Generative AI LLM models such as GPT-4 are very good at producing Annotated Stack Traces. This is similar to the Message Annotations trace and log analysis pattern. Below are two examples from ChatGPT:

Explain this stack trace fragment line by line:
06 ffffa784`8ee7db20 fffff804`0516bbf2 nt!IofCallDriver+0x55
07 ffffa784`8ee7db60 fffff804`0516b9d2 nt!IopSynchronousServiceTail+0x1d2
08 ffffa784`8ee7dc10 fffff804`0516ad36 nt!IopXxxControlFile+0xc82
09 ffffa784`8ee7dd40 fffff804`04e28775 nt!NtDeviceIoControlFile+0x56
0a ffffa784`8ee7ddb0 00007ffe`4d263834 nt!KiSystemServiceCopyEnd+0x25
0b 0000009b`cc0fedd8 00007ffe`4a893ffb ntdll!NtDeviceIoControlFile+0x14
0c 0000009b`cc0fede0 00007ffe`4bb95f91 KERNELBASE!DeviceIoControl+0x6b
0d 0000009b`cc0fee50 00007ff7`6544342f KERNEL32!DeviceIoControlImplementation+0x81

This stack trace appears to be from the Windows operating system, showing a series of function calls related to an I/O operation, specifically a device I/O control operation (DeviceIoControl). The stack trace is displayed in reverse chronological order, meaning the most recent call is shown first. Here’s a line-by-line explanation:

Lines 06 to 09 (nt!…): These lines are part of the Windows kernel (ntoskrnl.exe), which is the core of the Windows operating system. The prefix nt! indicates functions within the kernel.

IofCallDriver (line 06): A kernel function that forwards an I/O request packet (IRP) to a driver. The +0x55 indicates the offset within the function where the call occurred.
IopSynchronousServiceTail (line 07): A function that handles synchronous I/O operations. The +0x1d2 offset shows where in the function the operation occurred, indicating further processing of the IRP.
IopXxxControlFile (line 08): Likely a function that processes control operations (like IOCTL calls) on files. The +0xc82 is the offset where the call happened.
NtDeviceIoControlFile (line 09): A system service function that applications can call to execute device I/O control operations. The +0x56 offset indicates the point of execution within the function.
Line 0a (nt!KiSystemServiceCopyEnd): This is part of the system call dispatch mechanism, which is responsible for transitioning from user mode to kernel mode. +0x25 is the offset within this function.

Line 0b (ntdll!NtDeviceIoControlFile): This represents a call made from a user-mode application into the Windows Native API (NTDLL.dll) to perform a device I/O control operation. The +0x14 offset indicates the execution point within the function.

Line 0c (KERNELBASE!DeviceIoControl): This call originates from the KERNELBASE.dll, a Windows DLL that provides the base-level functionality for high-level APIs. The DeviceIoControl function is a wrapper that applications can use to send control codes to drivers. The +0x6b offset indicates where the function proceeds with the operation.

Line 0d (KERNEL32!DeviceIoControlImplementation): This is the implementation of the DeviceIoControl function in KERNEL32.dll, which is another layer of abstraction that eventually calls into the kernel-mode function to perform the operation. The +0x81 offset indicates the execution point within this implementation.

This stack trace illustrates how a device I/O control operation initiated by an application flows through various layers of the Windows operating system, from high-level APIs down to kernel-mode functions, to interact with a device driver. Each step in the process is crucial for understanding how the operating system processes I/O requests, handles system calls, and communicates with hardware.

Explain this stack trace fragment line by line:
00 msvcrt!vsnwprintf
01 wdscore!StringCchPrintfW
02 wdscore!CLogManager::LogA
03 wdscore!WdsSetupLogMessageA
04 cbscore!CBSWdsLog
05 cbscore!CCbsExecutionObject::AddPackage
06 cbscore!CCbsExecutionObject::AddPackage
07 cbscore!CCbsExecutionObject::AddPackage
08 cbscore!CCbsExecutionObject::RecallOrSupersedLowerVersion
09 cbscore!CCbsExecutionObject::ProcessMumServicing
0a cbscore!CCbsExecutionObject::AddPackage
0b cbscore!CCbsExecutionObject::Plan
0c cbscore!CCbsExecutionObject::GenerateExpressFileList
0d cbscore!CCbsSession::ActionListGenerateMissingFileList
0e cbscore!CCbsPublicSession::WritePackageFileList
0f RPCRT4!Invoke
10 RPCRT4!Ndr64StubWorker
11 RPCRT4!NdrStubCall3
12 combase!CStdStubBuffer_Invoke
13 RPCRT4!CStdStubBuffer_Invoke
14 combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()
15 combase!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >
16 combase!InvokeStubWithExceptionPolicyAndTracing
17 combase!DefaultStubInvoke
18 combase!SyncServerCall::StubInvoke
19 combase!StubInvoke
1a combase!ServerCall::ContextInvoke
1b combase!CServerChannel::ContextInvoke
1c combase!DefaultInvokeInApartment
1d combase!ComInvokeWithLockAndIPID
1e combase!ThreadInvokeReturnHresult
1f combase!ThreadInvoke
20 RPCRT4!DispatchToStubInCNoAvrf
21 RPCRT4!RPC_INTERFACE::DispatchToStubWorker
22 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject
23 RPCRT4!LRPC_SCALL::DispatchRequest
24 RPCRT4!LRPC_SCALL::HandleRequest
25 RPCRT4!LRPC_SASSOCIATION::HandleRequest
26 RPCRT4!LRPC_ADDRESS::HandleRequest
27 RPCRT4!LRPC_ADDRESS::ProcessIO
28 RPCRT4!LrpcIoComplete
29 ntdll!TppAlpcpExecuteCallback
2a ntdll!TppWorkerThread
2b KERNEL32!BaseThreadInitThunk
2c ntdll!RtlUserThreadStart

This stack trace seems to come from a Windows environment, and it illustrates the flow of a specific operation—likely a component-based servicing action (related to Windows Updates or system component management) that involves logging, package addition, and possibly dealing with an RPC (Remote Procedure Call) request. Let’s break down the stack trace line by line:

msvcrt!vsnwprintf: This function is part of the Microsoft Visual C Runtime Library. It’s a variant of snprintf that works with wide (Unicode) strings, used for formatted string operations.

wdscore!StringCchPrintfW: A function likely related to Windows Deployment Services (WDS) for secure string formatting into a buffer. StringCchPrintfW is a safer version of sprintf for wide strings.

wdscore!CLogManager::LogA: A method in the WDS core library for logging messages. This method suggests the operation involves ASCII string logging.

wdscore!WdsSetupLogMessageA: Another logging-related function in WDS, focused on setup log messages.

cbscore!CBSWdsLog: Indicates a function within the Component-Based Servicing (CBS) core library, specifically for logging in the context of WDS.

6-0a. cbscore!CCbsExecutionObject::AddPackage (lines 05 to 0a): Repeated calls to a method that adds a package to the CBS execution object. This could be part of an update or system component management operation.

cbscore!CCbsExecutionObject::RecallOrSupersedLowerVersion: A method that deals with recalling or superseding lower versions of a package or component.

cbscore!CCbsExecutionObject::ProcessMumServicing: A method likely involved in servicing manifest updates (MUM files), which are used in Windows servicing to describe updates.

cbscore!CCbsExecutionObject::Plan: Part of the planning phase in a CBS operation, where the system determines what actions to take with the packages.

cbscore!CCbsExecutionObject::GenerateExpressFileList: Generates a list of files for an express installation, which is a faster update method that only downloads necessary components.

cbscore!CCbsSession::ActionListGenerateMissingFileList: A method to generate a list of missing files based on the planned actions.

cbscore!CCbsPublicSession::WritePackageFileList: Writes out the list of files associated with the packages being serviced.

13-1e. RPCRT4 and combase (lines 0f to 1e): These lines involve the RPC runtime and COM base libraries, indicating that part of the operation was invoked over RPC, a mechanism that allows a program to execute code on another machine or process.

1f-2c. The stack trace concludes with system and thread initialization functions, like TppWorkerThread and BaseThreadInitThunk, which are part of the thread pool and thread startup routines in Windows. These functions are standard for threads executing in the Windows environment.

This trace is a deep dive into how Windows manages system components, specifically around updating or managing packages, and involves various subsystems like WDS, CBS, and RPC communications.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 289)

Tuesday, March 12th, 2024

Sometimes, we are interested in Past Processes, processes that ran in the past, to suggest troubleshooting hints. Some may still be present as Zombie Processes, and information about others may be present as control areas of previously mapped files (even if there are no mapped views at the moment):

1: kd> !memusage
...
Control Valid Standby Dirty Shared Locked PageTables name

ffffbe0c8b47f460 0 148 0 0 0 0 mapped_file( WerFault.exe )

1: kd> !ca ffffbe0c8b47f460 4
...
\Windows\System32\WerFault.exe

No mapped views.

This analysis pattern is different from Hidden Process where the process is still running or at least its image is still mapped to memory.
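As an added example that is not part of the original post, the following Python script parses !memusage output in the layout shown above, keeps the image files whose control areas survive with no valid pages (only standby pages, as for the exited WerFault.exe), and prints the !ca commands to run on them next. Only the WerFault.exe row is taken from the post; the other sample rows are constructed.

```python
import re

# Constructed sample of "!memusage" output in the layout the post shows. Only the
# WerFault.exe row is taken from the post; the other rows are made up for the example.
MEMUSAGE_SAMPLE = """\
Control Valid Standby Dirty Shared Locked PageTables name
ffffbe0c8b47f460 0 148 0 0 0 0 mapped_file( WerFault.exe )
ffffbe0c8b4a1d40 212 0 0 0 0 0 mapped_file( svchost.exe )
ffffbe0c8b4c0a20 0 3 0 0 0 0 mapped_file( ntdll.dll )
ffffbe0c8b4f1100 0 57 0 0 0 0 mapped_file( setup.exe )
"""

ROW_RE = re.compile(
    r"^(?P<control>[0-9a-f]{16})\s+(?P<valid>\d+)\s+(?P<standby>\d+)\s+(?P<dirty>\d+)"
    r"\s+(?P<shared>\d+)\s+(?P<locked>\d+)\s+(?P<pagetables>\d+)\s+"
    r"mapped_file\(\s*(?P<name>\S+)\s*\)$",
    re.IGNORECASE,
)
COUNTS = ("valid", "standby", "dirty", "shared", "locked", "pagetables")

def parse_memusage(text):
    """One dict per mapped-file control area; the header, '...' and any other
    line that is not a mapped_file row are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for key in COUNTS:
                row[key] = int(row[key])
            rows.append(row)
    return rows

def past_process_candidates(rows, suffixes=(".exe",)):
    """Image files whose control area survives with no valid pages: the pages sit on
    the standby list only, which is what the post shows for the exited WerFault.exe."""
    return [
        r for r in rows
        if r["name"].lower().endswith(suffixes) and r["valid"] == 0 and r["standby"] > 0
    ]

def ca_commands(rows):
    """The follow-up command per candidate, with the same flag the post uses."""
    return [f"!ca {r['control']} 4" for r in rows]

if __name__ == "__main__":
    candidates = past_process_candidates(parse_memusage(MEMUSAGE_SAMPLE))
    for r in candidates:
        print(f"{r['name']:<16} control {r['control']} standby pages {r['standby']}")
    print("\n".join(ca_commands(candidates)))
```

On the sample, WerFault.exe and setup.exe are reported and svchost.exe (still mapped, 212 valid pages) and ntdll.dll (not an image of a process) are not; the candidates still need the !ca check above to confirm that there are no mapped views.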

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 288)

Friday, February 23rd, 2024

Modern x64 Windows targets may support hardware shadow stacks. In such a case, WinDbg shows this message, even if you open the memory dump on a computer that does not support it:

This target supports Hardware-enforced Stack Protection. A HW based
"Shadow Stack" may be available to assist in debugging and analysis.
See aka.ms/userhsp for more info.
dps @ssp

The data from shadow stacks may be useful in case of Local Buffer Overflow. In such a case, we can compare the problem Stack Trace with the Shadow Stack Trace, which was not affected by the stack region corruption.

For example, if we see this exception and Incorrect Stack Trace, we can see what the stack trace would have been if the return address had not been modified:

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(5a34.4bb8): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
Subcode: 0x39 FAST_FAIL_CONTROL_INVALID_RETURN_ADDRESS Shadow stack violation

0:000> k
# Child-SP RetAddr Call Site
00 000000fa`b94ffdf8 000002aa`5d420588 user32!GetMessageW+0x5c
01 000000fa`b94ffe00 000002aa`5d420588 0x000002aa`5d420588
02 000000fa`b94ffe08 00000000`00000000 0x000002aa`5d420588

0:000> r
rax=0000000000000001 rbx=000002aa5d420588 rcx=00007ff9c3d31534
rdx=0000000000000000 rsi=0000000000000000 rdi=000002aa5d420530
rip=00007ff9c3ea538c rsp=000000fab94ffdf8 rbp=000002aa5d420588
r8=000000fab94ffd98 r9=0000000000000000 r10=0000000000000000
r11=0000000000000244 r12=00007ff66b204070 r13=0000000000000000
r14=0000000000000001 r15=00000000ffffffff
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
user32!GetMessageW+0x5c:
00007ff9`c3ea538c ret

0:000> dps @rsp L1
000000fa`b94ffdf8 000002aa`5d420588

0:000> dps @ssp
000000fa`b95fefd0 00007ff9`4ae2f877 mfc140u!AfxInternalPumpMessage+0x27
000000fa`b95fefd8 00007ff9`4ae301b1 mfc140u!CWinThread::Run+0x81
000000fa`b95fefe0 00007ff9`4ae63230 mfc140u!AfxWinMain+0xc0
000000fa`b95fefe8 00007ff6`6b135742 mspaint+0xc5742
000000fa`b95feff0 00007ff9`c500257d kernel32!BaseThreadInitThunk+0x1d
000000fa`b95feff8 00007ff9`c618aa58 ntdll!RtlUserThreadStart+0x28
000000fa`b95ff000 ????????`????????
000000fa`b95ff008 ????????`????????
000000fa`b95ff010 ????????`????????
000000fa`b95ff018 ????????`????????
000000fa`b95ff020 ????????`????????
000000fa`b95ff028 ????????`????????
000000fa`b95ff030 ????????`????????
000000fa`b95ff038 ????????`????????
000000fa`b95ff040 ????????`????????
000000fa`b95ff048 ????????`????????
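The comparison described above, as an added Python example that is not part of the original post: it parses the problem k trace and the dps @ssp listing, finds the first frame whose return address on the data stack disagrees with the shadow stack, and returns the trace that the shadow stack says should have followed. The two input strings are the post's output, reformatted into constructed samples.

```python
import re

# Constructed from the post's output: the problem "k" trace and the "dps @ssp" listing.
K_OUTPUT = """\
 # Child-SP          RetAddr               Call Site
00 000000fa`b94ffdf8 000002aa`5d420588     user32!GetMessageW+0x5c
01 000000fa`b94ffe00 000002aa`5d420588     0x000002aa`5d420588
02 000000fa`b94ffe08 00000000`00000000     0x000002aa`5d420588
"""

SSP_OUTPUT = """\
000000fa`b95fefd0  00007ff9`4ae2f877 mfc140u!AfxInternalPumpMessage+0x27
000000fa`b95fefd8  00007ff9`4ae301b1 mfc140u!CWinThread::Run+0x81
000000fa`b95fefe0  00007ff9`4ae63230 mfc140u!AfxWinMain+0xc0
000000fa`b95fefe8  00007ff6`6b135742 mspaint+0xc5742
000000fa`b95feff0  00007ff9`c500257d kernel32!BaseThreadInitThunk+0x1d
000000fa`b95feff8  00007ff9`c618aa58 ntdll!RtlUserThreadStart+0x28
000000fa`b95ff000  ????????`????????
"""

K_LINE = re.compile(r"^([0-9a-f]+)\s+([0-9a-f`]{17})\s+([0-9a-f`]{17})\s+(.+?)\s*$")
DPS_LINE = re.compile(r"^([0-9a-f`]{17})\s+([0-9a-f`?]{17})(?:\s+(.+?))?\s*$")

def hexval(s):
    """WinDbg prints 64-bit values with a backtick in the middle."""
    return int(s.replace("`", ""), 16)

def parse_k(text):
    """Frames of a 'k' listing as (child_sp, ret_addr, call_site)."""
    frames = []
    for line in text.splitlines():
        m = K_LINE.match(line.strip())
        if m:
            frames.append((hexval(m.group(2)), hexval(m.group(3)), m.group(4)))
    return frames

def parse_ssp(text):
    """Return addresses recorded on the shadow stack, as (addr, symbol), stopping at
    the first unreadable entry (the '????' lines past the end of the shadow stack)."""
    entries = []
    for line in text.splitlines():
        m = DPS_LINE.match(line.strip())
        if not m:
            continue
        if "?" in m.group(2):
            break
        entries.append((hexval(m.group(2)), m.group(3) or ""))
    return entries

def compare_traces(k_text, ssp_text):
    """First frame whose return address on the data stack disagrees with the shadow
    stack, plus the trace the shadow stack says should have followed. Assumes one
    shadow entry per frame of 'k' up to the corruption, which holds for a normal
    call chain. Returns None when the two agree."""
    frames, shadow = parse_k(k_text), parse_ssp(ssp_text)
    for i, (child_sp, ret, site) in enumerate(frames):
        expected = shadow[i][0] if i < len(shadow) else None
        if ret != expected:
            return {
                "frame": i,
                "call_site": site,
                "child_sp": child_sp,
                "actual_ret": ret,
                "expected_ret": expected,
                "expected_trace": [sym for _, sym in shadow[i:]],
            }
    return None

if __name__ == "__main__":
    d = compare_traces(K_OUTPUT, SSP_OUTPUT)
    if d is None:
        print("data stack and shadow stack agree")
    else:
        print(f"frame {d['frame']:02x} ({d['call_site']}) returns to {d['actual_ret']:#x}, "
              f"shadow stack has {d['expected_ret']:#x}")
        print("the trace should have continued through:")
        for sym in d["expected_trace"]:
            print("  " + sym)
```

On the post's data it reports frame 00 (user32!GetMessageW+0x5c) returning to 000002aa`5d420588 where the shadow stack holds 00007ff9`4ae2f877 (mfc140u!AfxInternalPumpMessage+0x27); frames 01 and 02, which the unwinder fabricated after losing the stack, are covered by that first divergence.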

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 283)

Saturday, April 8th, 2023

Shared Buffer Overwrite may happen via different mechanisms. A virtual address and its underlying physical page may be used by different threads from one process, or if threads from different processes are involved, its underlying physical memory page may be shared between different processes. In the former case, we can check threads’ Execution Residue for the page virtual address range. In the latter case, for example, when we have random crashes in different processes at different virtual addresses, we can compare page frame numbers for problem virtual addresses:

0: kd> !process ffffc38c3010b0c0 0
PROCESS ffffc38c3010b0c0
SessionId: 1 Cid: 1224 Peb: 24fc30b000 ParentCid: 1284
DirBase: 0a953002 ObjectTable: ffffac8a0b2aab40 HandleCount: 184.
Image: conhost.exe

0: kd> !process ffffc38c305e8080 0
PROCESS ffffc38c305e8080
SessionId: 0 Cid: 01c8 Peb: 4acc277000 ParentCid: 0290
DirBase: 10b62b002 ObjectTable: ffffac8a081b33c0 HandleCount: 276.
Image: svchost.exe

0: kd> !pte 00007ffc`884a0000
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8 PPE at FFFFFB7DBECFFF90 PDE at FFFFFB7D9FFF2210 PTE at FFFFFB3FFE442500
contains 8A0000000485F867 contains 0A00000115063867 contains 0A00000009D64867 contains 86000001358EF025
pfn 485f ---DA--UW-V pfn 115063 ---DA--UWEV pfn 9d64 ---DA--UWEV pfn 1358ef ----A--UR-V

0: kd> .process /r /p ffffc38c3010b0c0
Implicit process is now ffffc38c`3010b0c0
Loading User Symbols
.................................

0: kd> .process /r /p ffffc38c305e8080
Implicit process is now ffffc38c`305e8080
Loading User Symbols
..................................

0: kd> !pte 00007ffc`884a0000
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8 PPE at FFFFFB7DBECFFF90 PDE at FFFFFB7D9FFF2210 PTE at FFFFFB3FFE442500
contains 0A00000107137867 contains 0A0000010703A867 contains 0A0000010713B867 contains 81000001358EF005
pfn 107137 ---DA--UWEV pfn 10703a ---DA--UWEV pfn 10713b ---DA--UWEV pfn 1358ef -------UR-V

We call such an analysis pattern Shared Page.
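To make the comparison mechanical, here is an added Python example (not from the original post) that parses the two !pte listings above, checks each printed pfn against the raw paging entry, and reports whether the final PTEs of both processes point to the same physical page and whether either mapping is writable. The two input strings are constructed from the post's output.

```python
import re

# Constructed from the two "!pte 00007ffc`884a0000" listings in the post, one taken
# in the conhost.exe context and one in the svchost.exe context.
PTE_CONHOST = """\
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8    PPE at FFFFFB7DBECFFF90    PDE at FFFFFB7D9FFF2210    PTE at FFFFFB3FFE442500
contains 8A0000000485F867  contains 0A00000115063867  contains 0A00000009D64867  contains 86000001358EF025
pfn 485f      ---DA--UW-V  pfn 115063    ---DA--UWEV  pfn 9d64      ---DA--UWEV  pfn 1358ef    ----A--UR-V
"""

PTE_SVCHOST = """\
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8    PPE at FFFFFB7DBECFFF90    PDE at FFFFFB7D9FFF2210    PTE at FFFFFB3FFE442500
contains 0A00000107137867  contains 0A0000010703A867  contains 0A0000010713B867  contains 81000001358EF005
pfn 107137    ---DA--UWEV  pfn 10703a    ---DA--UWEV  pfn 10713b    ---DA--UWEV  pfn 1358ef    -------UR-V
"""

LEVELS = ("PXE", "PPE", "PDE", "PTE")
CONTAINS_RE = re.compile(r"contains\s+([0-9A-Fa-f]{16})")
PFN_RE = re.compile(r"pfn\s+([0-9a-f]+)\s+(\S{11})", re.IGNORECASE)
PRESENT_BIT = 1 << 0   # x64 paging entry bit 0: valid/present
WRITE_BIT = 1 << 1     # bit 1: read/write

def pfn_from_entry(raw):
    """Bits 12..51 of an x64 paging entry hold the page frame number."""
    return (raw >> 12) & ((1 << 40) - 1)

def parse_pte(text):
    """!pte output -> {'va': int, 'levels': {PXE/PPE/PDE/PTE: {'raw', 'pfn', 'flags'}}}."""
    va, raw, pfns = None, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("VA "):
            va = int(line.split()[1], 16)
        elif line.startswith("contains"):
            raw = [int(x, 16) for x in CONTAINS_RE.findall(line)]
        elif line.startswith("pfn"):
            pfns = [(int(p, 16), f) for p, f in PFN_RE.findall(line)]
    if va is None or raw is None or pfns is None or len(raw) != 4 or len(pfns) != 4:
        raise ValueError("incomplete !pte output")
    levels = {}
    for name, entry, (pfn, flags) in zip(LEVELS, raw, pfns):
        if pfn_from_entry(entry) != pfn:
            raise ValueError(f"{name}: printed pfn {pfn:x} does not match entry {entry:x}")
        levels[name] = {"raw": entry, "pfn": pfn, "flags": flags}
    return {"va": va, "levels": levels}

def leaf(parsed):
    """The final PTE: present?, its pfn (only meaningful when present), writable?"""
    e = parsed["levels"]["PTE"]["raw"]
    return {"present": bool(e & PRESENT_BIT),
            "pfn": pfn_from_entry(e) if e & PRESENT_BIT else None,
            "writable": bool(e & WRITE_BIT)}

def shared_page(parsed_a, parsed_b):
    """Is the same VA in two processes backed by the same physical page? Also reports
    whether either mapping is writable, since a shared writable page is how a write in
    one process changes what the other one sees (the Shared Buffer Overwrite case)."""
    if parsed_a["va"] != parsed_b["va"]:
        raise ValueError("compare the same virtual address in both processes")
    la, lb = leaf(parsed_a), leaf(parsed_b)
    shared = la["present"] and lb["present"] and la["pfn"] == lb["pfn"]
    return {"shared": shared,
            "pfn": la["pfn"] if shared else None,
            "writable_in_either": shared and (la["writable"] or lb["writable"])}

if __name__ == "__main__":
    a, b = parse_pte(PTE_CONHOST), parse_pte(PTE_SVCHOST)
    r = shared_page(a, b)
    print(f"VA {a['va']:#x}: shared={r['shared']} pfn={r['pfn']:x} "
          f"writable_in_either={r['writable_in_either']}")
```

For the post's data both translations end at pfn 1358ef with read-only user mappings (the UR in the flags and bit 1 clear in the entries), i.e. a shared page of an image; the upper levels differ per process as expected, since each process has its own page tables.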

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Exception Stack Trace, Stored Exception, Translated Exception, Execution Residue, Hidden Exception, NULL Pointer, Exception Module, Stack Trace Motif, No Component Symbols, and Coincidental Symbolic Information: pattern cooperation

Saturday, March 12th, 2022

We found a number of backgroundTaskHost.exe crash dumps in our honeypot MemoryDumps folder specified in the LocalDumps WER registry setup. All of them have the same Exception Stack Trace:

0:006> kc 10
# Call Site
00 ucrtbase!invoke_watson
01 vccorlib140_app!__abi_FailFast
02 vccorlib140_app!__abi_translateCurrentException
03 Microsoft_Applications_Telemetry_Windows!DllGetActivationFactory
04 VCRUNTIME140_1_APP!_CallSettingFrame_LookupContinuationIndex
05 VCRUNTIME140_1_APP!__FrameHandler4::CxxCallCatchBlock
06 ntdll!RcConsolidateFrames
07 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent
08 SurfaceApp!RHBinder__ShimExeMain
09 SurfaceApp!RHBinder__ShimExeMain
0a SurfaceApp!DllGetActivationFactory
0b SurfaceApp!DllGetActivationFactory
0c SurfaceApp!DllGetActivationFactory
0d SurfaceApp!DllGetActivationFactory
0e SurfaceApp!DllGetActivationFactory
0f SurfaceApp!DllGetActivationFactory
[...]

and the same Stored Exception:

0:006> .exr -1
ExceptionAddress: 00007ff96a66c648 (ucrtbase!invoke_watson+0x0000000000000018)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000005
Subcode: 0x5 FAST_FAIL_INVALID_ARG

0:006> !error c0000409
Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

The !analyze -v command however reports a different exception address and its context that looks like invalid memory access via NULL Pointer (Data):

STACK_TEXT:
00000060`3d8fdaa0 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
00000060`3d8fdad0 00007ff9`25f3904e Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x7dde
00000060`3d8fdda0 00007ff9`25fbc385 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent+0x46a25
00000060`3d8fde50 00007ff9`25fb722d Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent+0x418cd
00000060`3d8fde80 00007ff8`c58bb5e5 SurfaceApp!RHBinder__ShimExeMain+0x4d0c55
00000060`3d8fdf50 00007ff8`c58e921b SurfaceApp!RHBinder__ShimExeMain+0x4fe88b
00000060`3d8fdfb0 00007ff8`c663977f SurfaceApp!DllGetActivationFactory+0x996d5f
00000060`3d8fdfe0 00007ff8`c6debbac SurfaceApp!DllGetActivationFactory+0x114918c
[…]

STACK_COMMAND: .cxr 603d8fd300 ; kb ; ** Pseudo Context ** Pseudo ** Value: 192e03234f0 ** ; kb
[…]

0:006> .cxr 603d8fd300
rax=0000000000000000 rbx=000000603d8fdb30 rcx=0000024030cb3300
rdx=0000024033346ea0 rsi=0000024030c7e910 rdi=0000024033346ea0
rip=00007ff925f36ba2 rsp=000000603d8fdaa0 rbp=000000603d8fdbd0
r8=0000000000000001 r9=0000000000000001 r10=00000fff24be7202
r11=4000000000000004 r12=0000000000000000 r13=0000024033bb2b28
r14=00000240333b9120 r15=00000240339835c8
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932:
00007ff9`25f36ba2 488b8090010000 mov rax,qword ptr [rax+190h] ds:00000000`00000190=????????????????

So we have a case of Translated Exception here. We can also find the Hidden Exception in Execution Residue:

0:006> !teb
TEB at 000000603d510000
ExceptionList: 0000000000000000
StackBase: 000000603d900000
StackLimit: 000000603d8f6000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000000603d510000
EnvironmentPointer: 0000000000000000
ClientId: 000000000000723c . 0000000000002288
RpcHandle: 0000000000000000
Tls Storage: 0000024030cfcd10
PEB Address: 000000603d503000
LastErrorValue: 0
LastStatusValue: c000007e
Count Owned Locks: 0
HardErrorMode: 0

0:006> dps 000000603d8f6000 000000603d900000
00000060`3d8f6000 00000000`00000000
00000060`3d8f6008 00000000`00000000
00000060`3d8f6010 00000000`00000000
00000060`3d8f6018 00000000`00000000
00000060`3d8f6020 00000000`00000000
00000060`3d8f6028 00000000`00000000
00000060`3d8f6030 00000000`00000000
[…]
00000060`3d8fd2d0 00000240`33bb2b28
00000060`3d8fd2d8 00000000`00000000
00000060`3d8fd2e0 00000240`33346ea0
00000060`3d8fd2e8 00000240`30c7e910
00000060`3d8fd2f0 00000060`3d8fdbd0
00000060`3d8fd2f8 00007ff9`6ce276fe ntdll!KiUserExceptionDispatch+0x2e
00000060`3d8fd300 00000000`00000000
00000060`3d8fd308 00000000`00000002
00000060`3d8fd310 00000060`3d8fdb30
00000060`3d8fd318 00000000`00000158
00000060`3d8fd320 00000000`00000002
00000060`3d8fd328 00000060`3d8fd3d9
00000060`3d8fd330 00001fa0`0010005f
00000060`3d8fd338 0053002b`002b0033
00000060`3d8fd340 00010206`002b002b
00000060`3d8fd348 00000000`00000000
00000060`3d8fd350 00000000`00000000
00000060`3d8fd358 00000000`00000000
00000060`3d8fd360 00000000`00000000
00000060`3d8fd368 00000000`00000000
00000060`3d8fd370 00000000`00000000
00000060`3d8fd378 00000000`00000000
00000060`3d8fd380 00000240`30cb3300
00000060`3d8fd388 00000240`33346ea0
00000060`3d8fd390 00000060`3d8fdb30
00000060`3d8fd398 00000060`3d8fdaa0
00000060`3d8fd3a0 00000060`3d8fdbd0
00000060`3d8fd3a8 00000240`30c7e910
00000060`3d8fd3b0 00000240`33346ea0
00000060`3d8fd3b8 00000000`00000001
00000060`3d8fd3c0 00000000`00000001
00000060`3d8fd3c8 00000fff`24be7202
00000060`3d8fd3d0 40000000`00000004
00000060`3d8fd3d8 00000000`00000000
00000060`3d8fd3e0 00000240`33bb2b28
00000060`3d8fd3e8 00000240`333b9120
00000060`3d8fd3f0 00000240`339835c8
00000060`3d8fd3f8 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
00000060`3d8fd400 00000000`0000027f
00000060`3d8fd408 00000000`00000000
00000060`3d8fd410 00000000`00000000
00000060`3d8fd418 0000ffff`00001fa0
00000060`3d8fd420 00000000`00000000
[…]
00000060`3d8fd7e0 000001e0`000000f0
00000060`3d8fd7e8 00000000`00000000
00000060`3d8fd7f0 00000000`c0000005
00000060`3d8fd7f8 00000000`00000000
00000060`3d8fd800 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
00000060`3d8fd808 00000000`00000002
00000060`3d8fd810 00000000`00000000
00000060`3d8fd818 00000000`00000190
00000060`3d8fd820 00000000`00000000
00000060`3d8fd828 00000000`00000000
00000060`3d8fd830 00000000`00000000
00000060`3d8fd838 00000000`00000000
00000060`3d8fd840 00000000`00000000
00000060`3d8fd848 00000000`00000000
[…]

0:006> .cxr 00000060`3d8fd300
[...]

0:006> k 3
# Child-SP RetAddr Call Site
00 00000060`3d8fdaa0 00007ff9`25f3904e Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
01 00000060`3d8fdad0 00007ff9`25fbc385 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x7dde
02 00000060`3d8fdda0 00007ff9`25fb722d Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent+0x46a25

We see that Microsoft_Applications_Telemetry_Windows is the Exception Module. Based on Stack Trace Motif, we may think that it is related to JSON telemetry data, but the getJsonFormattedEvent function offset is too large for a real function. So we have here Coincidental Symbolic Information of an exported function due to No Component Symbols.

0:006> lm m Microsoft_Applications_Telemetry_Windows
Browse full module list
start end module name
00007ff9`25f10000 00007ff9`260f8000 Microsoft_Applications_Telemetry_Windows C (export symbols) Microsoft.Applications.Telemetry.Windows.dll

0:006> uf Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent
Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent:
00007ff9`25f75960 48895c2408 mov qword ptr [rsp+8],rbx
00007ff9`25f75965 55 push rbp
00007ff9`25f75966 56 push rsi
00007ff9`25f75967 57 push rdi
00007ff9`25f75968 4154 push r12
00007ff9`25f7596a 4155 push r13
00007ff9`25f7596c 4156 push r14
00007ff9`25f7596e 4157 push r15
[…]
00007ff9`25f767df 4881c420010000 add rsp,120h
00007ff9`25f767e6 415f pop r15
00007ff9`25f767e8 415e pop r14
00007ff9`25f767ea 415d pop r13
00007ff9`25f767ec 415c pop r12
00007ff9`25f767ee 5f pop rdi
00007ff9`25f767ef 5e pop rsi
00007ff9`25f767f0 5d pop rbp
00007ff9`25f767f1 c3 ret

0:006> ? 00007ff9`25f767f1 - 00007ff9`25f75960
Evaluate expression: 3729 = 00000000`00000e91

We see that the function size is rather small compared to the offset value. This also “explains” why we don’t see any pointers to possible JSON strings in raw stack region data (dpa and dpu WinDbg commands) or when we do a memory search there (s-sa and s-su commands).
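An added Python example, not part of the original post, that performs the size-versus-offset check above automatically: it takes the STACK_TEXT frame, the uf listing of the export it resolved to, and the lm line for the module, and flags the symbol as coincidental when the offset lies at or beyond the end of the function. The three inputs are the post's output, trimmed into constructed strings.

```python
import re

# Constructed from the post's output: one STACK_TEXT frame resolved against export
# symbols, the "uf" listing of the export it resolved to (middle elided as in the
# post), and the "lm" line for the module.
STACK_TEXT_LINE = (
    "00000060`3d8fdda0 00007ff9`25fbc385 Microsoft_Applications_Telemetry_Windows!"
    "Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent+0x46a25"
)

UF_OUTPUT = """\
Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent:
00007ff9`25f75960 48895c2408      mov     qword ptr [rsp+8],rbx
00007ff9`25f75965 55              push    rbp
00007ff9`25f75966 56              push    rsi
[...]
00007ff9`25f767ef 5e              pop     rsi
00007ff9`25f767f0 5d              pop     rbp
00007ff9`25f767f1 c3              ret
"""

LM_LINE = ("00007ff9`25f10000 00007ff9`260f8000   Microsoft_Applications_Telemetry_Windows "
           "C (export symbols)       Microsoft.Applications.Telemetry.Windows.dll")

SYMBOL_RE = re.compile(r"(?P<module>[^!\s]+)!(?P<func>\S+?)\+0x(?P<off>[0-9a-f]+)$", re.I)
INSN_RE = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]+)\s+\S", re.I)

def hexval(s):
    return int(s.replace("`", ""), 16)

def parse_frame_symbol(frame_line):
    """(module, function, offset) from a 'module!function+0xoffset' call site."""
    m = SYMBOL_RE.search(frame_line.strip())
    if not m:
        raise ValueError("no module!function+0xoffset in frame line")
    return m["module"], m["func"], int(m["off"], 16)

def function_extent(uf_text):
    """(start, end) of the function as listed by uf: the first instruction address and
    the address just past the last instruction (its opcode bytes give its length)."""
    insns = []
    for line in uf_text.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            insns.append((hexval(m.group(1)), len(m.group(2)) // 2))
    if not insns:
        raise ValueError("no instructions in uf output")
    start = insns[0][0]
    last_addr, last_len = max(insns)
    return start, last_addr + last_len

def export_symbols_only(lm_line):
    """lm marks a module loaded without a PDB as '(export symbols)': No Component Symbols."""
    return "(export symbols)" in lm_line

def check_symbol(frame_line, uf_text, lm_line):
    """Flag Coincidental Symbolic Information: an offset at or past the end of the
    nearest export means the address lies in some other, unnamed function."""
    module, func, off = parse_frame_symbol(frame_line)
    start, end = function_extent(uf_text)
    size = end - start
    return {"module": module, "function": func, "offset": off, "size": size,
            "coincidental": off >= size, "export_symbols_only": export_symbols_only(lm_line)}

if __name__ == "__main__":
    r = check_symbol(STACK_TEXT_LINE, UF_OUTPUT, LM_LINE)
    print(f"{r['function']}: offset {r['offset']:#x} vs function size {r['size']:#x} "
          f"-> coincidental={r['coincidental']}, export symbols only={r['export_symbols_only']}")
```

The size computed here includes the final ret byte, so it is 0xe92 rather than the 0xe91 from the post's ? evaluation; the verdict is the same, since the offset 0x46a25 is roughly 78 times larger. The module start and end in the lm line are not needed for the check; the "(export symbols)" marker is what records the No Component Symbols condition.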

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 280)

Wednesday, March 9th, 2022

The Black Box analysis pattern generalizes from the undocumented WinDbg !blackbox* commands to external system information included in process memory dump files, which is accessible via the .dumpdebug command.

2: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132804247587428354
PnpEventInformation: 3
PnpEventInProgress : 0
PnpProblemCode : 24
PnpVetoType : 0
DeviceId : SW\{96E080C7-143C-11D1-B40F-00A0C9223196}\{3C0D501A-140B-11D1-B40F-00A0C9223196}
VetoString

Searching the registry we can find that it corresponds to “@ksfilter.inf,%mskssrv.devicedesc%;Microsoft Streaming Service Proxy”. Such commands may be used in conjunction with Historical Information (such as unloaded modules) and Execution Residue analysis patterns to check the last activities.

Other commands include !blackboxbsd and !blackboxntfs.

In a process memory dump we may see information from the system the dump came from:

0:000> .dumpdebug
[...]
Stream 10: type SystemMemoryInfoStream (21), size 000001EC, RVA 00002288
Revision : 1
Flags : 0xf
BasicInfo
TimerResolution : 156,250
PageSize : 0x1000
NumberOfPhysicalPages : 4,173,065
LowestPhysicalPageNumber : 0x1
HighestPhysicalPageNumber : 0x46f7ff
AllocationGranularity : 0x10000
MinimumUserModeAddress : 0x10000
MaximumUserModeAddress : 0x7ffffffeffff
ActiveProcessorsAffinityMask : 0xff
NumberOfProcessors : 8
FileCacheInfo
CurrentSize : 514,248,704
PeakSize : 661,852,160
PageFaultCount : 19,464,228
MinimumWorkingSet : 0x100
MaximumWorkingSet : 0x100000000
CurrentSizeIncludingTransitionInPages : 1,327,191
PeakSizeIncludingTransitionInPages : 2,152,355
TransitionRePurposeCount : 8,923,412
Flags : 0
BasicPerfInfo
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
PerfInfo
IdleProcessTime : 8,086,699,531,250
IoReadTransferCount : 97,860,850,993
IoWriteTransferCount : 55,567,419,561
IoOtherTransferCount : 9,725,039,400
IoReadOperationCount : 55,137,206
IoWriteOperationCount : 39,605,057
IoOtherOperationCount : 82,693,846
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
CommitLimit : 6,396,880
PageFaultCount : 485,407,430
CopyOnWriteCount : 4,789,295
TransitionCount : 203,364,433
CacheTransitionCount : 0
DemandZeroCount : 275,205,178
PageReadCount : 9,363,018
PageReadIoCount : 1,641,521
CacheReadCount : 0
CacheIoCount : 0
DirtyPagesWriteCount : 295,086
DirtyWriteIoCount : 1,186
MappedPagesWriteCount : 425,398
MappedWriteIoCount : 5,656
PagedPoolPages : 231,590
NonPagedPoolPages : 155,982
PagedPoolAllocs : 0
PagedPoolFrees : 0
NonPagedPoolAllocs : 0
NonPagedPoolFrees : 0
FreeSystemPtes : 16,697,739
ResidentSystemCodePage : 4,175
TotalSystemDriverPages : 15,235
TotalSystemCodePages : 2
NonPagedPoolLookasideHits : 0
PagedPoolLookasideHits : 0
AvailablePagedPoolPages : 12,670,812
ResidentSystemCachePage : 125,549
ResidentPagedPoolPage : 220,095
ResidentSystemDriverPage : 13,012
CcFastReadNoWait : 0
CcFastReadWait : 13,492,886
CcFastReadResourceMiss : 0
CcFastReadNotPossible : 326,025
CcFastMdlReadNoWait : 0
CcFastMdlReadWait : 0
CcFastMdlReadResourceMiss : 0
CcFastMdlReadNotPossible : 0
CcMapDataNoWait : 0
CcMapDataWait : 77,200,777
CcMapDataNoWaitMiss : 0
CcMapDataWaitMiss : 391,734
CcPinMappedDataCount : 13,827,443
CcPinReadNoWait : 2,442
CcPinReadWait : 7,295,776
CcPinReadNoWaitMiss : 1,842,225
CcPinReadWaitMiss : 104,160
CcCopyReadNoWait : 720,327
CcCopyReadWait : 14,332,510
CcCopyReadNoWaitMiss : 73,632
CcCopyReadWaitMiss : 828,820
CcMdlReadNoWait : 0
CcMdlReadWait : 7,430
CcMdlReadNoWaitMiss : 0
CcMdlReadWaitMiss : 0
CcReadAheadIos : 1,577,774
CcLazyWriteIos : 737,095
CcLazyWritePages : 4,455,123
CcDataFlushes : 1,687,345
CcDataPages : 9,178,586
ContextSwitches : 690,599,392
FirstLevelTbFills : 0
SecondLevelTbFills : 0
SystemCalls : 2,382,592,584
CcTotalDirtyPages : 25,337
CcDirtyPageThreshold : 187,360
ResidentAvailablePages : 3,502,801
SharedCommittedPages : 693,491
Stream 11: type ProcessVmCountersStream (22), size 00000098, RVA 00002474
Revision : 2
Process Counters
PageFaultCount : 216,205
PeakWorkingSetSize : 0xdaa6000
WorkingSetSize : 0x160f000
QuotaPeakPagedPoolUsage : 0xfa0f8
QuotaPagedPoolUsage : 0xe8e88
QuotaPeakNonPagedPoolUsage : 0x22258
QuotaNonPagedPoolUsage : 0x180d8
PagefileUsage : 0xe6c000
PeakPagefileUsage : 0xcd67000
PeakVirtualSize : 0x201162a5000
VirtualSize : 0x20111ade000
PrivateUsage : 0xe6c000
PrivateWorkingSetSize : 0xb000
SharedCommitUsage : 0x1f2000
Job Counters
JobSharedCommitUsage : 0x72c000
JobPrivateCommitUsage : 0x71bc9000
JobPeakPrivateCommitUsage : 0x861ac000
JobPrivateCommitLimit : 0
JobTotalCommitLimit : 0
[...]

Other memory acquisition tools may write additional information in memory dump files. The difference between this analysis pattern and Paratext is that the latter involves additional files.
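An added Python example (not part of the original post) that turns the .dumpdebug stream fields above into a few triage numbers, so the Black Box information can be compared across dumps: it parses "Name : value" lines under each Stream header, handling both thousands-separated decimals and 0x hex, and summarises physical memory, commit charge and the dumped process's working set. The excerpt is constructed from the post's values, with most fields omitted.

```python
import re

# Constructed excerpt of ".dumpdebug" output in the layout the post shows; the values
# are copied from the post, most fields are omitted.
DUMPDEBUG_SAMPLE = """\
Stream 10: type SystemMemoryInfoStream (21), size 000001EC, RVA 00002288
  Revision                 : 1
  Flags                    : 0xf
  BasicInfo
    TimerResolution        : 156,250
    PageSize               : 0x1000
    NumberOfPhysicalPages  : 4,173,065
    NumberOfProcessors     : 8
  BasicPerfInfo
    AvailablePages         : 1,536,323
    CommittedPages         : 4,085,165
    CommitLimit            : 6,396,880
    PeakCommitment         : 4,850,269
  PerfInfo
    CommitLimit            : 6,396,880
    PageFaultCount         : 485,407,430
Stream 11: type ProcessVmCountersStream (22), size 00000098, RVA 00002474
  Revision                 : 2
  Process Counters
    PageFaultCount         : 216,205
    PeakWorkingSetSize     : 0xdaa6000
    WorkingSetSize         : 0x160f000
    PrivateUsage           : 0xe6c000
"""

STREAM_RE = re.compile(r"^Stream\s+\d+:\s+type\s+(\w+)\s+\(\d+\)")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\S+)\s*$")

def parse_value(token):
    """Numbers appear either with thousands separators or as 0x hex."""
    token = token.replace(",", "")
    return int(token, 16) if token.lower().startswith("0x") else int(token)

def parse_dumpdebug(text):
    """{stream type: {field: int}}. Section names (no colon) are skipped, a field name
    printed twice in one stream (CommitLimit above) keeps its first value, and
    non-numeric values (GUIDs, strings) are ignored."""
    streams, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = STREAM_RE.match(line)
        if m:
            current = streams.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            try:
                current.setdefault(m.group(1).strip(), parse_value(m.group(2)))
            except ValueError:
                pass
    return streams

def system_summary(streams):
    """Memory picture of the system the dump came from, in units a report can use."""
    mem = streams["SystemMemoryInfoStream"]
    page = mem["PageSize"]
    return {
        "physical_gib": round(mem["NumberOfPhysicalPages"] * page / 2**30, 2),
        "available_gib": round(mem["AvailablePages"] * page / 2**30, 2),
        "commit_pct": round(100 * mem["CommittedPages"] / mem["CommitLimit"], 1),
        "peak_commit_pct": round(100 * mem["PeakCommitment"] / mem["CommitLimit"], 1),
        "processors": mem["NumberOfProcessors"],
    }

def process_summary(streams):
    """The dumped process's own counters (byte values are printed as hex by .dumpdebug)."""
    vm = streams["ProcessVmCountersStream"]
    mib = lambda b: round(b / 2**20, 2)
    return {"working_set_mib": mib(vm["WorkingSetSize"]),
            "peak_working_set_mib": mib(vm["PeakWorkingSetSize"]),
            "private_mib": mib(vm["PrivateUsage"]),
            "page_faults": vm["PageFaultCount"]}

if __name__ == "__main__":
    s = parse_dumpdebug(DUMPDEBUG_SAMPLE)
    print("system :", system_summary(s))
    print("process:", process_summary(s))
```

For the post's values this gives about 15.9 GiB of physical memory on the source system with commit charge at about 64% of the limit (76% at peak), and a 22 MiB working set for the dumped process; numbers like these are what make a "the machine was under memory pressure" hypothesis testable from the dump alone.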

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 16e)

Friday, February 4th, 2022

Stack Overflow caused by managed code is manifested as Stack Overflow (User Mode) with JIT Code recursive entries. The !CLRStack WinDbg SOS extension command may run for a very long time if stack frames are small, so we may need to increase the number of frames to show (.kframes command) and then manually check the originating frames using the !IP2MD SOS extension command.

0:000> !CLRStack
OS Thread Id: 0x1da0 (0)
Child SP IP Call Site
000000F83D205FE0 00007ffc82570539 UserQuery.g__foo|4_1()
000000F83D206010 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206040 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206070 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D2060A0 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D2060D0 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206100 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206130 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206160 00007ffc8257053e UserQuery.g__foo|4_1()
[...]

0:000> .kframes 0xFFFF
Default stack trace depth is 0n65535 frames

0:000> kL
# Child-SP RetAddr Call Site
00 000000f8`3d205fe0 00007ffc`8257053e 0x00007ffc`82570539
01 000000f8`3d206010 00007ffc`8257053e 0x00007ffc`8257053e
02 000000f8`3d206040 00007ffc`8257053e 0x00007ffc`8257053e
03 000000f8`3d206070 00007ffc`8257053e 0x00007ffc`8257053e
04 000000f8`3d2060a0 00007ffc`8257053e 0x00007ffc`8257053e
05 000000f8`3d2060d0 00007ffc`8257053e 0x00007ffc`8257053e
06 000000f8`3d206100 00007ffc`8257053e 0x00007ffc`8257053e
07 000000f8`3d206130 00007ffc`8257053e 0x00007ffc`8257053e
08 000000f8`3d206160 00007ffc`8257053e 0x00007ffc`8257053e
09 000000f8`3d206190 00007ffc`8257053e 0x00007ffc`8257053e
[...]
7cfa 000000f8`3d37cec0 00007ffc`8257053e 0x00007ffc`8257053e
7cfb 000000f8`3d37cef0 00007ffc`8257053e 0x00007ffc`8257053e
7cfc 000000f8`3d37cf20 00007ffc`8257053e 0x00007ffc`8257053e
7cfd 000000f8`3d37cf50 00007ffc`8257053e 0x00007ffc`8257053e
7cfe 000000f8`3d37cf80 00007ffc`8257053e 0x00007ffc`8257053e
7cff 000000f8`3d37cfb0 00007ffc`8257053e 0x00007ffc`8257053e
7d00 000000f8`3d37cfe0 00007ffc`8257053e 0x00007ffc`8257053e
7d01 000000f8`3d37d010 00007ffc`825704fe 0x00007ffc`8257053e
7d02 000000f8`3d37d040 00007ffc`825704c4 0x00007ffc`825704fe
7d03 000000f8`3d37d070 00007ffc`82582bdd 0x00007ffc`825704c4
7d04 000000f8`3d37d0a0 00007ffc`8236b45e 0x00007ffc`82582bdd
7d05 000000f8`3d37d940 00007ffc`82366850 0x00007ffc`8236b45e
7d06 000000f8`3d37dc10 00007ffc`82365faf 0x00007ffc`82366850
7d07 000000f8`3d37dd50 00007ffc`82365edc 0x00007ffc`82365faf
7d08 000000f8`3d37dd90 00007ffc`823316f5 0x00007ffc`82365edc
7d09 000000f8`3d37dde0 00007ffc`8233144b 0x00007ffc`823316f5
7d0a 000000f8`3d37de70 00007ffc`81de8db1 0x00007ffc`8233144b
7d0b 000000f8`3d37df60 00007ffc`81de59fa 0x00007ffc`81de8db1
7d0c 000000f8`3d37e0c0 00007ffc`81de5985 0x00007ffc`81de59fa
7d0d 000000f8`3d37e110 00007ffc`81de4d59 0x00007ffc`81de5985
7d0e 000000f8`3d37e160 00007ffc`81de45f5 0x00007ffc`81de4d59
7d0f 000000f8`3d37e1e0 00007ffc`e196a573 0x00007ffc`81de45f5
7d10 000000f8`3d37e220 00007ffc`e18902d0 coreclr!CallDescrWorkerInternal+0x83
7d11 (Inline Function) --------`-------- coreclr!CallDescrWorkerWithHandler+0x30
7d12 000000f8`3d37e260 00007ffc`e189202c coreclr!CallDescrWorkerReflectionWrapper+0x48
7d13 000000f8`3d37e2b0 00007ffc`d5ddc9d7 coreclr!RuntimeMethodHandle::InvokeMethod+0x91c
[...]
7d1b 000000f8`3d37ed60 00007ffc`e18e0d95 coreclr!RunMain+0xd2
7d1c 000000f8`3d37ee10 00007ffc`e18e0b56 coreclr!Assembly::ExecuteMainMethod+0x1c9
7d1d 000000f8`3d37f1a0 00007ffc`e19152b2 coreclr!CorHost2::ExecuteAssembly+0x1c6
7d1e 000000f8`3d37f310 00007ffd`053896bb coreclr!coreclr_execute_assembly+0xe2
7d1f (Inline Function) --------`-------- hostpolicy!coreclr_t::execute_assembly+0x2a
7d20 000000f8`3d37f3b0 00007ffd`053899ec hostpolicy!run_app_for_context+0x56b
7d21 000000f8`3d37f550 00007ffd`0538a387 hostpolicy!run_app+0x3c
7d22 000000f8`3d37f590 00007ffd`07fab539 hostpolicy!corehost_main+0x107
7d23 000000f8`3d37f740 00007ffd`07fae506 hostfxr!execute_app+0x2e9
7d24 000000f8`3d37f840 00007ffd`07fb0821 hostfxr!`anonymous namespace'::read_config_and_execute+0xa6
7d25 000000f8`3d37f940 00007ffd`07faeb62 hostfxr!fx_muxer_t::handle_exec_host_command+0x161
7d26 000000f8`3d37f9f0 00007ffd`07fa82ab hostfxr!fx_muxer_t::execute+0x482
7d27 000000f8`3d37fb30 00007ff6`64fe2351 hostfxr!hostfxr_main_startupinfo+0xab
7d28 000000f8`3d37fc30 00007ff6`64fe2748 LINQPad7_Query_exe!exe_start+0x651
7d29 000000f8`3d37fe60 00007ff6`64fe45f8 LINQPad7_Query_exe!wmain+0x88
7d2a (Inline Function) --------`-------- LINQPad7_Query_exe!invoke_main+0x22
7d2b 000000f8`3d37fe90 00007ffd`164b54e0 LINQPad7_Query_exe!__scrt_common_main_seh+0x10c
7d2c 000000f8`3d37fed0 00007ffd`185e485b kernel32!BaseThreadInitThunk+0x10
7d2d 000000f8`3d37ff00 00000000`00000000 ntdll!RtlUserThreadStart+0x2b

0:000> !IP2MD 0x00007ffc`8257053e
MethodDesc: 00007ffc8257ce18
Method Name: UserQuery.<Main>g__foo|4_1()
Class: 00007ffc8257cd08
MethodTable: 00007ffc8257ce48
mdToken: 0000000006000007
Module: 00007ffc8257c060
IsJitted: yes
Current CodeAddr: 00007ffc82570520
Version History:
ILCodeVersion: 0000000000000000
ReJIT ID: 0
IL Addr: 0000027575cc20f2
CodeAddr: 00007ffc82570520 (MinOptJitted)
NativeCodeVersion: 0000000000000000

0:000> !DumpIL 00007ffc8257ce18
ilAddr is 0000027575CC20F2 pImport is 000001C7B44109C0
ilAddr = 0000027575CC20F2
IL_0000: nop
IL_0001: call void UserQuery::<Main>g__foo|4_1()
IL_0006: nop
IL_0007: ret

0:000> !IP2MD 0x00007ffc`825704fe
MethodDesc: 00007ffc8257ce00
Method Name: UserQuery.<Main>g__bar|4_0()
Class: 00007ffc8257cd08
MethodTable: 00007ffc8257ce48
mdToken: 0000000006000006
Module: 00007ffc8257c060
IsJitted: yes
Current CodeAddr: 00007ffc825704e0
Version History:
ILCodeVersion: 0000000000000000
ReJIT ID: 0
IL Addr: 0000027575cc20f2
CodeAddr: 00007ffc825704e0 (MinOptJitted)
NativeCodeVersion: 0000000000000000

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Online Training: Accelerated Windows Memory Dump Analysis

Monday, November 22nd, 2021

I am resuming online training sessions. You can now register: https://www.patterndiagnostics.com/accelerated-windows-memory-dump-analysis

Crash Dump Analysis Patterns (Part 278)

Monday, November 22nd, 2021

In addition to the previous Spiking Thread and Distributed Spike CPU consumption analysis patterns, we add Spiking Interrupts, since interrupts may account for perceived performance degradation such as response lags and system freezes. This pattern also includes DPC activity. We can see the time spent in interrupts and DPCs, and the number of interrupts, for a given processor by using the !prcb command with the CPU number:

0: kd> !prcb 2
PRCB for Processor 2 at ffffe480b3600180:
Current IRQL -- 2
Threads--  Current ffffe480b360c240 Next 0000000000000000 Idle ffffe480b360c240
Processor Index 2 Number (0, 2) GroupSetMember 4
Interrupt Count -- 0cadbd58
Times -- Dpc    0000219c Interrupt 00002ae0
         Kernel 00e7808e User      0041303b

0: kd> !whattime 0000219c + 00002ae0
19580 Ticks in Standard Time: 05:05.937s

We can also see the number of DPC requests from the structure itself:

0: kd> dt _KPRCB DPCData
nt!_KPRCB
+0x3340 DpcData : [2] _KDPC_DATA

0: kd> dt _KDPC_DATA
nt!_KDPC_DATA
+0x000 DpcList : _KDPC_LIST
+0x010 DpcLock : Uint8B
+0x018 DpcQueueDepth : Int4B
+0x01c DpcCount : Uint4B
+0x020 ActiveDpc : Ptr64 _KDPC
+0x028 LongDpcPresent : Uint4B
+0x02c Padding : Uint4B

0: kd> dt _KDPC_DATA ffffe480b3600180+0x3340
nt!_KDPC_DATA
+0x000 DpcList : _KDPC_LIST
+0x010 DpcLock : 0
+0x018 DpcQueueDepth : 0n1
+0x01c DpcCount : 0x74d9e0
+0x020 ActiveDpc : 0xffffa30f`e8f1f230 _KDPC
+0x028 LongDpcPresent : 0
+0x02c Padding : 0

0: kd> dt _KDPC_DATA ffffe480b3600180+0x3340+30
nt!_KDPC_DATA
+0x000 DpcList : _KDPC_LIST
+0x010 DpcLock : 0
+0x018 DpcQueueDepth : 0n0
+0x01c DpcCount : 0xd39
+0x020 ActiveDpc : (null)
+0x028 LongDpcPresent : 0
+0x02c Padding : 0

Since these numbers are high and depend on how long the system has been running, it is important to compare them with the same counters from a normal (known-good) system.
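A small triage script for the pattern described above, written as an added example (it is not the post's own tooling): it takes the !prcb and dt _KDPC_DATA values quoted in the post as constructed input, reproduces the !whattime conversion, and normalises the counters by uptime so they can be compared with a known-good system. The 15.625 ms clock tick, the uptime taken from the Idle process ElapsedTime, and the baseline rates are assumptions.

```python
"""Spiking Interrupts triage (added example): turn !prcb tick counters and
_KDPC_DATA DpcCount values into times and per-second rates for comparison."""
import re

# Default x64 clock tick (KeMaximumIncrement = 156250 * 100 ns = 15.625 ms);
# assumption: the dump was taken with the default timer resolution.
TICK_MS = 15.625

# Constructed sample: the "!prcb 2" output quoted in the post.
PRCB_SAMPLE = """\
PRCB for Processor 2 at ffffe480b3600180:
Current IRQL -- 2
Threads--  Current ffffe480b360c240 Next 0000000000000000 Idle ffffe480b360c240
Processor Index 2 Number (0, 2) GroupSetMember 4
Interrupt Count -- 0cadbd58
Times -- Dpc    0000219c Interrupt 00002ae0
         Kernel 00e7808e User      0041303b
"""

# Constructed sample: DpcCount from the two "dt _KDPC_DATA" outputs (normal queue, then +0x30).
KDPC_SAMPLE = """\
   +0x01c DpcCount         : 0x74d9e0
   +0x01c DpcCount         : 0xd39
"""

# Assumed uptime: Idle process ElapsedTime "3 Days 23:10:01.662" from the post, in seconds.
UPTIME_S = 3 * 86400 + 23 * 3600 + 10 * 60 + 1.662

def parse_prcb(text):
    """Return the interrupt count and the Dpc/Interrupt/Kernel/User tick counters."""
    counters = {}
    m = re.search(r"Interrupt Count\s*--\s*([0-9a-fA-F]+)", text)
    if m:
        counters["InterruptCount"] = int(m.group(1), 16)
    for name, hexval in re.findall(r"\b(Dpc|Interrupt|Kernel|User)\s+([0-9a-fA-F]{8})\b", text):
        counters[name] = int(hexval, 16)
    return counters

def parse_dpc_counts(text):
    """Return DpcCount values in the order they appear in the dt output."""
    return [int(v, 16) for v in re.findall(r"DpcCount\s*:\s*0x([0-9a-fA-F]+)", text)]

def whattime(ticks):
    """Format a tick count as mm:ss.mmm, matching the !whattime line in the post."""
    total_ms = int(ticks * TICK_MS)
    minutes, rem = divmod(total_ms, 60_000)
    seconds, ms = divmod(rem, 1000)
    return f"{minutes:02d}:{seconds:02d}.{ms:03d}s"

def dpc_interrupt_share(counters):
    """Fraction of accounted processor time spent in DPCs and ISRs.
    Assumption: Kernel ticks already include DPC/ISR ticks, as Perfmon's
    % Privileged Time includes % DPC Time and % Interrupt Time."""
    total = counters["Kernel"] + counters["User"]
    return (counters["Dpc"] + counters["Interrupt"]) / total if total else 0.0

def rates_per_second(counters, dpc_counts, uptime_s):
    """Normalise raw counters by uptime so two systems of different age compare."""
    return {"interrupts": counters["InterruptCount"] / uptime_s,
            "dpcs": sum(dpc_counts) / uptime_s,
            "dpc_isr_share": dpc_interrupt_share(counters)}

def flag_spikes(sample, baseline, factor=3.0):
    """Return the ratios for rates that exceed `factor` times the known-good baseline."""
    return {k: sample[k] / baseline[k] for k in sample
            if baseline.get(k) and sample[k] / baseline[k] > factor}

if __name__ == "__main__":
    c = parse_prcb(PRCB_SAMPLE)
    print("DPC+ISR time:", whattime(c["Dpc"] + c["Interrupt"]))  # 05:05.937s
    rates = rates_per_second(c, parse_dpc_counts(KDPC_SAMPLE), UPTIME_S)
    # Constructed baseline: the same counters taken from a healthy machine of the same model.
    print(rates, flag_spikes(rates, {"interrupts": 400.0, "dpcs": 20.0, "dpc_isr_share": 0.0008}))
```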

We should be aware that Windows 11 has DPC delegate threads (in addition to Idle threads) that are always shown as RUNNING even if they have been swapped out (we can also check their context switch counts and kernel time):

0: kd> !process fffff80443332b00
PROCESS fffff80443332b00
SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 001ae002 ObjectTable: ffff82869fa52800 HandleCount: 3321.
Image: Idle
VadRoot ffffce8384257f70 Vads 2 Clone 0 Private 9. Modified 2094. Locked 0.
DeviceMap 0000000000000000
Token ffff82869fa1f120
ElapsedTime 3 Days 23:10:01.662
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 272
Working Set Sizes (now,min,max) (9, 50, 450) (36KB, 200KB, 1800KB)
PeakWorkingSetSize 2
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 9
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 15

THREAD fffff80443335bc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21906707 Ticks: 20013 (0:00:05:12.703)
Context Switch Count 72626555 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 3 Days 06:22:34.281
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init fffff8043f4beb70 Current fffff8043f4beb00
Base fffff8043f4bf000 Limit fffff8043f4b8000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
Child-SP RetAddr Call Site
fffff804`3f4be490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
fffff804`3f4be4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
fffff804`3f4be970 fffff804`42a16a74 nt!PoIdle+0x3a6
fffff804`3f4beb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b3519240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905854 Ticks: 20866 (0:00:05:26.031)
Context Switch Count 83248123 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 3 Days 08:20:45.812
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe822fb70 Current ffffa30fe822fb00
Base ffffa30fe8230000 Limit ffffa30fe8229000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e822f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e822f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e822f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e822fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b360c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21926718 Ticks: 2 (0:00:00:00.031)
Context Switch Count 90942117 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 2 Days 15:59:04.671
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe823fb70 Current ffffa30fe823fb00
Base ffffa30fe8240000 Limit ffffa30fe8239000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e823f6c8 fffff804`42b5d0f6 nt!KeBugCheckEx
ffffa30f`e823f6d0 fffff804`43068f46 nt!PnpBugcheckPowerTimeout+0x76
ffffa30f`e823f730 fffff804`428dcc74 nt!PopBuildDeviceNotifyListWatchdog+0x16
ffffa30f`e823f760 fffff804`428db264 nt!KiProcessExpiredTimerList+0x204
ffffa30f`e823f890 fffff804`42a16abe nt!KiRetireDpcList+0x714
ffffa30f`e823fb40 00000000`00000000 nt!KiIdleLoop+0x9e

THREAD ffffe480b370c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905684 Ticks: 21036 (0:00:05:28.687)
Context Switch Count 66067949 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 3 Days 08:02:26.906
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe824fb70 Current ffffa30fe824fb00
Base ffffa30fe8250000 Limit ffffa30fe8249000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e824f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e824f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e824f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e824fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b380c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 4
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905843 Ticks: 20877 (0:00:05:26.203)
Context Switch Count 91986345 IdealProcessor: 4
UserTime 00:00:00.000
KernelTime 3 Days 05:20:02.156
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe825fb70 Current ffffa30fe825fb00
Base ffffa30fe8260000 Limit ffffa30fe8259000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e825f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e825f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e825f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e825fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b389d240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 5
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905822 Ticks: 20898 (0:00:05:26.531)
Context Switch Count 78668897 IdealProcessor: 5
UserTime 00:00:00.000
KernelTime 3 Days 08:24:03.187
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe826fb70 Current ffffa30fe826fb00
Base ffffa30fe8270000 Limit ffffa30fe8269000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e826f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e826f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e826f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e826fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b39b3240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905853 Ticks: 20867 (0:00:05:26.046)
Context Switch Count 96137826 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 3 Days 06:36:10.375
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe827fb70 Current ffffa30fe827fb00
Base ffffa30fe8280000 Limit ffffa30fe8279000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e827f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e827f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e827f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e827fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b3b0c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 7
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905670 Ticks: 21050 (0:00:05:28.906)
Context Switch Count 39349487 IdealProcessor: 7
UserTime 00:00:00.000
KernelTime 3 Days 06:49:50.156
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe828fb70 Current ffffa30fe828fb00
Base ffffa30fe8290000 Limit ffffa30fe8289000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e828f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e828f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e828f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e828fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffce8384321140 Cid 0000.002c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21906745 Ticks: 19975 (0:00:05:12.109)
Context Switch Count 55086 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.234
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82bfb70 Current ffffa30fe82bf8b0
Base ffffa30fe82c0000 Limit ffffa30fe82b9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82bf8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82bfa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82bfb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82bfb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce8384362080 Cid 0000.0034 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 16926767 Ticks: 4999953 (0:21:42:04.265)
Context Switch Count 4968 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82cfb70 Current ffffa30fe82cf8b0
Base ffffa30fe82d0000 Limit ffffa30fe82c9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82cf8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82cfa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82cfb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82cfb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce83842f7040 Cid 0000.003c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21631408 Ticks: 295312 (0:01:16:54.250)
Context Switch Count 522 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82dfb70 Current ffffa30fe82df8b0
Base ffffa30fe82e0000 Limit ffffa30fe82d9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82df8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82dfa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82dfb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82dfb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce8384367040 Cid 0000.0044 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21667748 Ticks: 258972 (0:01:07:26.437)
Context Switch Count 301 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82efb70 Current ffffa30fe82ef8b0
Base ffffa30fe82f0000 Limit ffffa30fe82e9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82ef8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82efa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82efb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82efb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce8384369040 Cid 0000.004c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 4
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 20333183 Ticks: 1593537 (0:06:54:59.015)
Context Switch Count 405 IdealProcessor: 4
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82ffb70 Current ffffa30fe82ff8b0
Base ffffa30fe8300000 Limit ffffa30fe82f9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82ff8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82ffa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82ffb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82ffb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce838436b040 Cid 0000.0054 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 5
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 4760713 Ticks: 17166007 (3:02:30:18.859)
Context Switch Count 118 IdealProcessor: 5
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe830fb70 Current ffffa30fe830f8b0
Base ffffa30fe8310000 Limit ffffa30fe8309000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e830f8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e830fa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e830fb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e830fb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce838436d040 Cid 0000.005c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 20662898 Ticks: 1263822 (0:05:29:07.218)
Context Switch Count 249 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe831fb70 Current ffffa30fe831f8b0
Base ffffa30fe8320000 Limit ffffa30fe8319000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e831f8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e831fa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e831fb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e831fb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce838436f040 Cid 0000.0064 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 7
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 20547550 Ticks: 1379170 (0:05:59:09.531)
Context Switch Count 196 IdealProcessor: 7
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe832fb70 Current ffffa30fe832f8b0
Base ffffa30fe8330000 Limit ffffa30fe8329000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e832f8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e832fa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e832fb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e832fb40 00000000`00000000 nt!KiStartSystemThread+0x34

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -