Software Diagnostics Library

The Latent Structure pattern addresses situations where a memory region appears raw and untyped yet shows early, incomplete signs of structural organization. Signals, such as small or pointer-like values, alignment regularities, recurring byte sequences, partial strings, or fragments that resemble fields, suggest that a real structure might exist, but cannot yet be interpreted safely or confidently. Latent Structure represents the pre-suspect stage in structural diagnostics: the point where the analyst notices potential form but must resist premature interpretation. Acting too early risks misclassifying problems and misidentifying root causes. Several forces complicate this stage: partial overwrites, coincidental alignments, ABI or version mismatches, and cognitive biases that encourage overinterpretation. This analysis pattern, therefore, emphasizes careful, hypothesis-driven exploration using techniques such as tentative structure casting, pointer-chain heuristics, checks for internal semantic coherence, software internals, and domain knowledge, all without assuming the structure’s validity. When enough evidence accumulates, a Latent Structure transitions into a Suspect Structure (subject of the next analysis pattern), where it becomes testable.

For example, we may see these fragment in Execution Residue:

00000029`e7efeb00 00001f80`0010004b
00000029`e7efeb08 0053002b`002b0033
00000029`e7efeb10 00000242`002b002b

Finally, we write the formal pattern structure card.

Intent

Detect hidden or unclear structural organization in raw memory regions that exhibit early indicators of structure-like form but whose types are not yet known.

Context

Appears in:
Execution Residue, Pointer Cone, Memory Region, and Region Strata.

Problem

A memory dump shows a region of raw bytes without explicit type information that contains hints suggesting that a structure may be present. Prematurely interpreting such memory can lead to false positives, misclassification, incorrect casting, and a chain of misleading hypotheses.

Forces

Data:

• Memory may contain partial structures
• Overwrites blur structure boundaries
• Random-looking regions may hide structured subregions

Semantics:

• Pointer-like values may be real or coincidental
• Partial strings
• Field alignments may appear regular due to chance

Modules:

• Coincidental symbols
• ABI or version mismatches

Cognitive biases:

• Insufficient domain knowledge
• Premature suspicion

Symptoms

• Structural hints in bytes
• Pointer-like values
• Strings and identity hints
• Alignment and regularity
• Recurring patterns across multiple memory locations
• Partial structure validity
• Incomplete or corrupt-like structure

Resolution Strategies

• Structure casting
• Heuristic field and pointer chain analysis
• Verification of internal semantic coherence

Resulting Context

Structure becomes Suspect and testable for validity.

Related Patterns

Hidden Artifact Patterns, Corrupt Structure, Module Hint, Falsity and Coincidence Patterns, Shared Buffer Overwrite, Value References, Small Value, Design Value, Shared Structure, and Regular Data.

Formal Card

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

DPC Stack Collection is yet another area to mine for Execution Residue and Rough Stack Traces. Some DPC Stacks may be visible in Stack Trace Collections such as from CPUs.

Each CPU has a DPC stack for execution of queued DPCs. We can get its base stack region address from the corresponding _KPRCB structure for each CPU. The stack region limit can be calculated from the KeKernelStackSize Module Variable:

0: kd> dd nt!KeKernelStackSize L1
fffff800`e27c4028 00007000

0: kd> !dpcs
CPU Type KDPC Function
0: Normal : 0xffffc9019b313400 0xfffff8008b6b31b0 igdkmd64

0: kd> !prcb 0
PRCB for Processor 0 at fffff8006ff97180:
Current IRQL — 0
Threads– Current ffffc901ad242040 Next 0000000000000000 Idle fffff800e27d1640
Processor Index 0 Number (0, 0) GroupSetMember 1
Interrupt Count — 06278469
Times — Dpc 0000b229 Interrupt 0000b897
Kernel 00d11420 User 000b6650

0: kd> dt nt!_KPRCB fffff8006ff97180 DpcStack
+0×38a0 DpcStack : 0xfffff800`745b1fb0 Void

0: kd> dpS 0xfffff800`745b1fb0-7000 L7000/8
fffff800`e1ba7e6c nt!RtlpHpLfhSlotAllocateSlow+0×484
fffff800`e26ee9c0 nt!ExPoolState+0×86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0×2134
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`e236a196 nt!ExFreePoolWithTag+0×4c6
fffff800`e2369189 nt!ExAllocatePool2+0×99
fffff800`e1b9e0ba nt!AuthzBasepEvaluateExpression+0×3a
fffff800`e1b9c1a0 nt!AuthzBasepEvaluateAceCondition+0×2a0
fffff800`e1b9b649 nt!SepNormalAccessCheck+0×589
fffff800`e1b9a852 nt!SepAccessCheck+0×2c2
fffff800`e26ee9c0 nt!ExPoolState+0×86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0×2134
fffff800`7400e5d8 LXCORE!VfsFileGetPathString+0×114
fffff800`e1d022ee nt!qsort+0×3be
fffff800`e26ee9c0 nt!ExPoolState+0×86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0×2134
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`e236a196 nt!ExFreePoolWithTag+0×4c6
fffff800`e2638a00 nt!MiSystemPartition
fffff800`e1b7166f nt!MmDeleteKernelStack+0×22f
fffff800`e1b7235b nt!KiExpandKernelStackAndCalloutOnStackSegment+0×31b
fffff800`75464450 NETIO!ArbitrateAndEnforceCallout
fffff800`e1aeef4c nt!KiExpandKernelStackAndCalloutSwitchStack+0×17c
fffff800`75464450 NETIO!ArbitrateAndEnforceCallout
fffff800`e1aeeca3 nt!KeExpandKernelStackAndCalloutInternal+0×33
fffff800`75464450 NETIO!ArbitrateAndEnforceCallout
fffff800`75282d7e ndis!NdisAcquireRWLockRead+0×2e
fffff800`e1aeec5d nt!KeExpandKernelStackAndCalloutEx+0×1d
fffff800`7544a27d NETIO!UpdateLayerClassifyStat+0×19d
fffff800`e2638a00 nt!MiSystemPartition
fffff800`e1b7166f nt!MmDeleteKernelStack+0×22f
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`e1b2db6f nt!KeSetEvent+0×10f
fffff800`786a3faa Ndu!NduUpdateProcessEnergyContext+0×6a
fffff800`786ab8c9 Ndu!NduUpdateInterfaceTimeStatsEntryList+0×149
fffff800`e1bf167c nt!ExFreeToLookasideListEx+0×4c
fffff800`786a1aee Ndu!NduUpdateInterfacePowerContext+0×1be
fffff800`786a38ff Ndu!NduDeleteNblContext+0×9f
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`75260642 ndis!NdisFSendNetBufferListsComplete+0×32
fffff800`75419b30 NETIO!WfpNblInfoDestroyIfUnused+0xf0
fffff800`8b732bc2 igdkmd64+0×392bc2
fffff800`752a7557 ndis!NdisFreeMemory+0×17
fffff800`8b73113c igdkmd64+0×39113c
fffff800`8b48f165 igdkmd64+0xef165
fffff800`8b57aeaa igdkmd64+0×1daeaa
fffff800`8b73113c igdkmd64+0×39113c
fffff800`8b5f3ad9 igdkmd64+0×253ad9
fffff800`8b48f165 igdkmd64+0xef165
fffff800`8b4778d3 igdkmd64+0xd78d3
fffff800`8b625db3 igdkmd64+0×285db3
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`8b467e79 igdkmd64+0xc7e79
fffff800`8b7355ad igdkmd64+0×3955ad
fffff800`8b73a25a igdkmd64+0×39a25a
fffff800`8b732bc2 igdkmd64+0×392bc2
fffff800`8b732d0c igdkmd64+0×392d0c
fffff800`8b731209 igdkmd64+0×391209
fffff800`8b6c1081 igdkmd64+0×321081
fffff800`8b6a54ac igdkmd64+0×3054ac
fffff800`8b6cccec igdkmd64+0×32ccec
fffff800`8b6c0390 igdkmd64+0×320390
fffff800`8b6b3577 igdkmd64+0×313577
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`e1b3143c nt!KeAcquireSpinLockAtDpcLevel+0×1c
fffff800`786a406a Ndu!NduUpdateProcessEnergyContext+0×12a
fffff800`7525b85d ndis!ndisFreeToLookasideList+0×5d
fffff800`786ab8c9 Ndu!NduUpdateInterfaceTimeStatsEntryList+0×149
fffff800`7525b645 ndis!NdisFreeNetBufferList+0xa5
fffff800`786a1aee Ndu!NduUpdateInterfacePowerContext+0×1be
fffff800`75451260 NETIO!NetioFreeNetBufferAndNetBufferList+0×10
fffff800`e1b3143c nt!KeAcquireSpinLockAtDpcLevel+0×1c
fffff800`786a406a Ndu!NduUpdateProcessEnergyContext+0×12a
fffff800`7569b5dc tcpip!TcpTcbSendDatagramsComplete+0×9c
fffff800`7525b85d ndis!ndisFreeToLookasideList+0×5d
fffff800`7525b645 ndis!NdisFreeNetBufferList+0xa5
fffff800`75451260 NETIO!NetioFreeNetBufferAndNetBufferList+0×10
fffff800`75514e63 fwpkclnt!FwppNetBufferListAssociateContext+0×153
fffff800`75611fb1 tcpip!TcpSendDatagramsComplete+0xd1
fffff800`786a2f9f Ndu!NduHandleNblContextRemoved+0×1b3
fffff800`75260564 ndis!FILTER_TEST_FLAG+0×14
fffff800`75611ee0 tcpip!TcpSendDatagramsComplete
fffff800`75419dd4 NETIO!NetioDereferenceNetBufferListChain+0×174
fffff800`75512f51 fwpkclnt!FwppNetBufferListEventNotify+0×1a1
fffff800`7571ca2d tcpip!FlSendNetBufferListChainComplete+0×6d
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0×25b
fffff800`7551342f fwpkclnt!FwpsNetBufferListRetrieveContext0+0×4f
fffff800`91054a30 bridge+0×4a30
fffff800`786a251e Ndu!NduFindOrAssociateNblContext+0×6e
fffff800`75287472 ndis!NdisMSendNetBufferListsComplete+0×5c2
fffff800`786a2b2d Ndu!NduOutboundMacClassifyProcessSingleNbl+0×5d
fffff800`786a2961 Ndu!NduOutboundMacClassify+0×181
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`75434553 NETIO!ProcessCallout2+0×163
fffff800`78016d00 nwifi!Dot11SendNBComplete+0×170
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0×25b
fffff800`e1eaeb31 nt!HvcallpExtendedFastHypercall+0×51
fffff800`e1ae040b nt!HvcallFastExtended+0×13b
fffff800`75272330 ndis!ndisMSendCompleteNetBufferListsInternal
fffff800`e1ae0903 nt!HvlFlushRangeListTb+0×353
fffff800`8ad0b2cd wdiwifi!CPort::CompletePendingCancelSendsOrHaltJobs+0xdd
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`e1aee810 nt!EtwpReserveTraceBuffer+0×310
fffff800`e1aee810 nt!EtwpReserveTraceBuffer+0×310
fffff800`e1aed852 nt!EtwpTraceMessageVa+0×7f2
fffff800`8abae2d8 mrvlpcie8897+0×2e2d8
fffff800`8abb72a0 mrvlpcie8897+0×372a0
fffff800`8abae1af mrvlpcie8897+0×2e1af
fffff800`8abb72a0 mrvlpcie8897+0×372a0
fffff800`8abb7c74 mrvlpcie8897+0×37c74
fffff800`73ee2e1a WppRecorder!WppAutoLogTrace+0×31a
fffff800`e1c6b43e nt!WmiTraceMessage+0×1e
fffff800`e1800000 nt!RtlCompressBufferProcs
fffff800`e236a196 nt!ExFreePoolWithTag+0×4c6
fffff800`e1c6b43e nt!WmiTraceMessage+0×1e
fffff800`8ad05493 wdiwifi!WPP_RECORDER_SF_DDD+0xbf
fffff800`8ad184da wdiwifi!operator delete+0×1a
fffff800`73ee2e1a WppRecorder!WppAutoLogTrace+0×31a
fffff800`8acaf8f0 mrvlpcie8897+0×12f8f0
fffff800`8abad86d mrvlpcie8897+0×2d86d
fffff800`8acaf8f0 mrvlpcie8897+0×12f8f0
fffff800`8ab8facb mrvlpcie8897+0xfacb
fffff800`e1c3e85a nt!DbgPrint+0×5a
fffff800`8acaf8f0 mrvlpcie8897+0×12f8f0
fffff800`8abc4510 mrvlpcie8897+0×44510
fffff800`8acaf8f0 mrvlpcie8897+0×12f8f0
fffff800`8ab8fdad mrvlpcie8897+0xfdad
fffff800`e1eba502 nt! ?? ::FNODOBFM::`string’+0×2
fffff800`8abb000d mrvlpcie8897+0×3000d
fffff800`8abc4510 mrvlpcie8897+0×44510
fffff800`8acaf8f0 mrvlpcie8897+0×12f8f0
fffff800`8ab883d6 mrvlpcie8897+0×83d6
fffff800`8abb72a0 mrvlpcie8897+0×372a0
fffff800`8ab9311b mrvlpcie8897+0×1311b
fffff800`8abb72a0 mrvlpcie8897+0×372a0
fffff800`8abb7c40 mrvlpcie8897+0×37c40
fffff800`8abaf470 mrvlpcie8897+0×2f470
fffff800`8abb72a0 mrvlpcie8897+0×372a0
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`8ad0832b wdiwifi!CTxMgr::AddNBLToTxQueue+0×2bb
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`8ad06051 wdiwifi!CTxMgr::ServiceQueues+0×1c1
fffff800`75518cc8 fwpkclnt!FwpiGetValueFromClassifyContext+0×38
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad06599 wdiwifi!CPort::SendNetBufferLists+0×129
fffff800`786a2015 Ndu!NduInboundMacClassify+0×355
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`75434553 NETIO!ProcessCallout2+0×163
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`e26ee9c0 nt!ExPoolState+0×86940
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0×2134
fffff800`7527bfff ndis!ndisInvokeNextSendHandler+0×23f
fffff800`75260564 ndis!FILTER_TEST_FLAG+0×14
fffff800`e1a3cb12 nt!ExpAllocatePoolWithTagFromNode+0×52
fffff800`e2369189 nt!ExAllocatePool2+0×99
fffff800`e23690b4 nt!ExAllocatePoolWithTag+0xa4
fffff800`e1c4ea7d nt!ExAllocatePoolEx+0xd
fffff800`e2369189 nt!ExAllocatePool2+0×99
fffff800`e1bef072 nt!ExAllocateFromLookasideListEx+0×152
fffff800`91055984 bridge+0×5984
fffff800`9105dd94 bridge+0xdd94
fffff800`75451dc4 NETIO!PplpGenericAllocateFunction+0×14
fffff800`e1beef35 nt!ExAllocateFromLookasideListEx+0×15
fffff800`e1a8f495 nt!ObfReferenceObjectWithTag+0×25
fffff800`e23690b4 nt!ExAllocatePoolWithTag+0xa4
fffff800`75416008 NETIO!WfpNblInfoAlloc+0×58
fffff800`e1a8eace nt!ObfReferenceObject+0xe
fffff800`75514e63 fwpkclnt!FwppNetBufferListAssociateContext+0×153
fffff800`e1a3ecb4 nt!ExAllocateHeapPool+0×2134
fffff800`75514cc7 fwpkclnt!FwpsNetBufferListAssociateContext1+0×77
fffff800`786b42d8 Ndu!NduWfpCalloutProviderGuid
fffff800`786a1280 Ndu!NduNblNotifyCallback
fffff800`75260564 ndis!FILTER_TEST_FLAG+0×14
fffff800`786a2613 Ndu!NduFindOrAssociateNblContext+0×163
fffff800`75273918 ndis!NdisFIndicateReceiveNetBufferLists+0×68
fffff800`786a1280 Ndu!NduNblNotifyCallback
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`75988200 wfplwfs!L2NativeIsNetBufferListPermitted+0×2d0
fffff800`759897b3 wfplwfs!L2InspectNetBufferListsFast+0×183
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`7609e7f3 afd!AFDETW_TRACESENDMSG+0×8f
fffff800`e2369189 nt!ExAllocatePool2+0×99
fffff800`75288882 ndis!NdisAcquireReadWriteLock+0×62
fffff800`91055a73 bridge+0×5a73
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`9105662a bridge+0×662a
fffff800`91057920 bridge+0×7920
fffff800`91057db5 bridge+0×7db5
fffff800`752888d3 ndis!NdisAcquireReadWriteLock+0xb3
fffff800`910543b0 bridge+0×43b0
fffff800`91054448 bridge+0×4448
fffff800`75988260 wfplwfs!LwfLowerRecvNetBufferLists
fffff800`75276dc1 ndis!NdisMIndicateReceiveNetBufferLists+0×1941
fffff800`7525b678 ndis!NdisFreeNetBufferList+0xd8
fffff800`786a38ff Ndu!NduDeleteNblContext+0×9f
fffff800`75419dd4 NETIO!NetioDereferenceNetBufferListChain+0×174
fffff800`756b95c0 tcpip!UdpSendMessagesDatagramsComplete
fffff800`786804d5 NdisImPlatform!implatUpdateInStatisticsCounters+0×235
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0×96
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0×2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0×308
fffff800`7867f6c7 NdisImPlatform!implatReceiveNetBufferLists+0×1f7
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0×96
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0×2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0×308
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1dda677 nt!PpmEventTraceCoreParkingSelection+0×197
fffff800`e1b50cfc nt!KiExitDispatcher+0×4c
fffff800`e1cf277c nt!PpmParkComputeUnparkMask+0xa2c
fffff800`e1bb2241 nt!KiIntSteerCalculatePriorityDistribution+0×201
fffff800`e1bb361d nt!KiIntSteerLogMask+0×55
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb3699 nt!KiIntSteerLogProc+0×5d
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb37e3 nt!KiIntSteerCalculateDistribution+0×103
fffff800`e1bb32c3 nt!KeIntSteerPeriodic+0×17f
fffff800`e1bb2ed8 nt!PpmParkSteerInterrupts+0×5e8
fffff800`e1b335a4 nt!EtwpLogKernelEvent+0×2f4
fffff800`e270b0a8 nt!PpmPerfPolicyLock+0×8
fffff800`e1b2db6f nt!KeSetEvent+0×10f
fffff800`e270b0ac nt!PpmPerfPolicyLock+0xc
fffff800`e1be8f10 nt!PpmCheckMakeupSkippedChecks
fffff800`e1be9040 nt!PpmPerfReadFeedback
fffff800`e1be9177 nt!PpmReleaseLock+0×1b
fffff800`e1b32bc6 nt!KiExecuteAllDpcs+0xdc6
fffff800`e2709dc0 nt!PpmCheckDpc
fffff800`e1a0cfb9 nt!KiNormalPriorityReadyScan+0×2b9
fffff800`e1be8e00 nt!PpmCheckRun
fffff800`e1a0c228 nt!KiRetireDpcList+0×668
fffff800`e1bb4180 nt!PpmPerfAction
fffff800`e1be8e00 nt!PpmCheckRun
fffff800`e1eac3c5 nt!KxSwapStacksAndRetireDpcList+0×5

0: kd> !prcb 1
PRCB for Processor 1 at ffff84014911c180:
Current IRQL — 0
Threads– Current ffffc901a7d580c0 Next 0000000000000000 Idle ffffc9019375f040
Processor Index 1 Number (0, 1) GroupSetMember 2
Interrupt Count — 057d181c
Times — Dpc 00005ae1 Interrupt 000072cb
Kernel 00cf00e2 User 000d7983

0: kd> dt nt!_KPRCB ffff84014911c180 DpcStack
+0×38a0 DpcStack : 0xffffa206`68e47fb0 Void

0: kd> dpS 0xffffa206`68e47fb0-7000 L7000/8
fffff800`e1adfa8f nt!MiFlushTbList+0×35f
fffff800`e1b0b02c nt!MiGetPage+0×8dc
fffff800`e1b158c5 nt!MiFlushTbAsNeeded+0×265
fffff800`e1a636e0 nt!MiAssignNonPagedPoolPte+0×110
fffff800`e2638180 nt!MiState+0xb940
fffff800`e1a63fcb nt!MiReturnExcessPoolCommit+0×27
fffff800`e1a631c6 nt!MiCommitPoolMemory+0×1b6
fffff800`e1a62c6b nt!RtlpHpEnvAllocVA+0×22b
fffff800`e1e9fb70 nt!HvlEndSystemInterrupt
fffff800`e1c20b6a nt!HalPerformEndOfInterrupt+0×1a
fffff800`e1ea6feb nt!KiInterruptDispatchNoLockNoEtw+0×5b
fffff800`e2638180 nt!MiState+0xb940
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`e1bac123 nt!RtlpHpAllocVA+0xd7
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`e1e9fb70 nt!HvlEndSystemInterrupt
fffff800`8b732bc2 igdkmd64+0×392bc2
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`8b73113c igdkmd64+0×39113c
fffff800`8b48f165 igdkmd64+0xef165
fffff800`8b57aeaa igdkmd64+0×1daeaa
fffff800`e27cfbc0 nt!ExNode0
fffff800`e2615740 nt!KiInitialNodeStructures+0×40
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`e27cfbc0 nt!ExNode0
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0×96
fffff800`e27cfbc0 nt!ExNode0
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0×2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0×308
fffff800`e1ae5cff nt!KiUpdateSoftParkElectionStatisticsOnInsertion+0×16f
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1b51124 nt!KiProcessThreadWaitList+0×224
fffff800`e1beef35 nt!ExAllocateFromLookasideListEx+0×15
fffff800`786a1aee Ndu!NduUpdateInterfacePowerContext+0×1be
fffff800`786aa0b4 Ndu!PplpGenericAllocateFunction+0×14
fffff800`e1b2db6f nt!KeSetEvent+0×10f
fffff800`e1b3143c nt!KeAcquireSpinLockAtDpcLevel+0×1c
fffff800`786a406a Ndu!NduUpdateProcessEnergyContext+0×12a
fffff800`7525b85d ndis!ndisFreeToLookasideList+0×5d
fffff800`7525b645 ndis!NdisFreeNetBufferList+0xa5
fffff800`75451260 NETIO!NetioFreeNetBufferAndNetBufferList+0×10
fffff800`75611fb1 tcpip!TcpSendDatagramsComplete+0xd1
fffff800`786a2f9f Ndu!NduHandleNblContextRemoved+0×1b3
fffff800`75260564 ndis!FILTER_TEST_FLAG+0×14
fffff800`75611ee0 tcpip!TcpSendDatagramsComplete
fffff800`75419dd4 NETIO!NetioDereferenceNetBufferListChain+0×174
fffff800`75512f51 fwpkclnt!FwppNetBufferListEventNotify+0×1a1
fffff800`7571ca2d tcpip!FlSendNetBufferListChainComplete+0×6d
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0×25b
fffff800`91054a30 bridge+0×4a30
fffff800`75272330 ndis!ndisMSendCompleteNetBufferListsInternal
fffff800`75287472 ndis!NdisMSendNetBufferListsComplete+0×5c2
fffff800`75260993 ndis!NdisFSendNetBufferListsComplete+0×383
fffff800`7867fe70 NdisImPlatform!implatSendNetBufferListsComplete+0×1a0
fffff800`78016d00 nwifi!Dot11SendNBComplete+0×170
fffff800`7527258b ndis!ndisMSendCompleteNetBufferListsInternal+0×25b
fffff800`7615aff9 vwififlt!FilterSendNetBufferListsCompleteWDI+0xd9
fffff800`75272330 ndis!ndisMSendCompleteNetBufferListsInternal
fffff800`75287472 ndis!NdisMSendNetBufferListsComplete+0×5c2
fffff800`8b739bc0 igdkmd64+0×399bc0
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`8ad0b2cd wdiwifi!CPort::CompletePendingCancelSendsOrHaltJobs+0xdd
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`8ad09710 wdiwifi!CTxMgr::CompleteNdisNbl+0×250
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8b48f0c8 igdkmd64+0xef0c8
fffff800`8b48f0c8 igdkmd64+0xef0c8
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad07570 wdiwifi!CTxMgr::TxTransferCompleteInd+0×2f0
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0×95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0×95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`8abab1d3 mrvlpcie8897+0×2b1d3
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8ab94257 mrvlpcie8897+0×14257
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8abb72a0 mrvlpcie8897+0×372a0
fffff800`8abac585 mrvlpcie8897+0×2c585
fffff800`786a2d6b Ndu!NduIsL2MediaTypeWan+0×3b
fffff800`8b625db3 igdkmd64+0×285db3
fffff800`8abb72a0 mrvlpcie8897+0×372a0
fffff800`8aba71db mrvlpcie8897+0×271db
fffff800`754a6000 NETIO!WPP_GLOBAL_Control
fffff800`8ab93f3e mrvlpcie8897+0×13f3e
fffff800`75463246 NETIO!KfdClassify2+0xbb6
fffff800`8b6ce960 igdkmd64+0×32e960
fffff800`8b6cfdf2 igdkmd64+0×32fdf2
fffff800`75260564 ndis!FILTER_TEST_FLAG+0×14
fffff800`8ab93e4a mrvlpcie8897+0×13e4a
fffff800`e1beef35 nt!ExAllocateFromLookasideListEx+0×15
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0×95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`8ab8c4f4 mrvlpcie8897+0xc4f4
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`73e18d40 Wdf01000!imp_WdfMemoryGetBuffer+0×60 [minkernel\wdf\framework\shared\core\fxmemorybufferapi.cpp @ 204]
fffff800`8ab8f1ca mrvlpcie8897+0xf1ca
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0×95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`73de6345 Wdf01000!imp_WdfSpinLockRelease+0×95 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 180]
fffff800`8ab92a47 mrvlpcie8897+0×12a47
fffff800`8ab87de2 mrvlpcie8897+0×7de2
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8ab9311b mrvlpcie8897+0×1311b
fffff800`73de62b0 Wdf01000!imp_WdfSpinLockRelease [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 159]
fffff800`8adea5e0 wdiwifi!WPP_fabfc031111e31c4b597567128b91120_Traceguids
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`8ad06051 wdiwifi!CTxMgr::ServiceQueues+0×1c1
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad06599 wdiwifi!CPort::SendNetBufferLists+0×129
fffff800`8adea5f0 wdiwifi!WPP_de984c7e04793f3292dfaa0cae396821_Traceguids
fffff800`7527eac1 ndis!ndisWdmSetBusyAsync+0×101
fffff800`8adfd040 wdiwifi!WPP_RECORDER_INITIALIZED
fffff800`8ad05c30 wdiwifi!MPWrapperSendNetBufferLists+0×160
fffff800`8ad05ad0 wdiwifi!MPWrapperSendNetBufferLists
fffff800`75280dc2 ndis!ndisMSendNBLToMiniportInternal+0×122
fffff800`8ad05ad0 wdiwifi!MPWrapperSendNetBufferLists
fffff800`76158ab3 vwififlt!FilterSendNetBufferListsWDI+0×1c3
fffff800`75280c80 ndis!ndisMSendNBLToMiniport
fffff800`75280c8e ndis!ndisMSendNBLToMiniport+0xe
fffff800`75988620 wfplwfs!LwfLowerSendNetBufferLists
fffff800`7527bf92 ndis!ndisInvokeNextSendHandler+0×1d2
fffff800`7525feed ndis!NdisFSendNetBufferLists+0×3bd
fffff800`759897b3 wfplwfs!L2InspectNetBufferListsFast+0×183
fffff800`75260564 ndis!FILTER_TEST_FLAG+0×14
fffff800`753325f2 ndis!NdisSendNetBufferLists+0xc1372
fffff800`78014750 nwifi!FilterSendNetBufferLists
fffff800`8b78c622 igdkmd64+0×3ec622
fffff800`759887e8 wfplwfs!LwfLowerSendNetBufferLists+0×1c8
fffff800`910581d1 bridge+0×81d1
fffff800`910559c5 bridge+0×59c5
fffff800`9105dd94 bridge+0xdd94
fffff800`e1adfa8f nt!MiFlushTbList+0×35f
fffff800`7867f394 NdisImPlatform!implatPrepareForSendNetBufferLists+0xec
fffff800`7867fc52 NdisImPlatform!implatSendNetBufferLists+0×182
fffff800`9105ce01 bridge+0xce01
fffff800`7867fad0 NdisImPlatform!implatSendNetBufferLists
fffff800`75280dc2 ndis!ndisMSendNBLToMiniportInternal+0×122
fffff800`9105d4ae bridge+0xd4ae
fffff800`e1b0b02c nt!MiGetPage+0×8dc
fffff800`7867fad0 NdisImPlatform!implatSendNetBufferLists
fffff800`e1b158c5 nt!MiFlushTbAsNeeded+0×265
fffff800`e1a636e0 nt!MiAssignNonPagedPoolPte+0×110
fffff800`e2638180 nt!MiState+0xb940
fffff800`e1a63fcb nt!MiReturnExcessPoolCommit+0×27
fffff800`e1a631c6 nt!MiCommitPoolMemory+0×1b6
fffff800`e1a62c6b nt!RtlpHpEnvAllocVA+0×22b
fffff800`e2638180 nt!MiState+0xb940
fffff800`e1bac123 nt!RtlpHpAllocVA+0xd7
fffff800`e1babdb7 nt!RtlpHpVaMgrCtxQuery+0×4b
fffff800`e1bab920 nt!RtlpHpSegMgrCommit+0×228
fffff800`e1ae3a2f nt!KiSelectProcessorToPreempt+0xff
fffff800`e1bf2146 nt!HalpApicRequestInterrupt+0×96
fffff800`e1ba7e6c nt!RtlpHpLfhSlotAllocateSlow+0×484
fffff800`e27cfbc0 nt!ExNode0
fffff800`e1b5141c nt!HalpInterruptSendIpi+0xac
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0×2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0×308
fffff800`e1ae5cbc nt!KiUpdateSoftParkElectionStatisticsOnInsertion+0×12c
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1dda677 nt!PpmEventTraceCoreParkingSelection+0×197
fffff800`e1b51124 nt!KiProcessThreadWaitList+0×224
fffff800`e1b50cfc nt!KiExitDispatcher+0×4c
fffff800`e1cf277c nt!PpmParkComputeUnparkMask+0xa2c
fffff800`e1b3149e nt!KeAcquireSpinLockRaiseToDpc+0×3e
fffff800`e1bb2241 nt!KiIntSteerCalculatePriorityDistribution+0×201
fffff800`e1bb361d nt!KiIntSteerLogMask+0×55
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb3699 nt!KiIntSteerLogProc+0×5d
fffff800`e270f7b0 nt!KiIntTrackRootList
fffff800`e1bb37e3 nt!KiIntSteerCalculateDistribution+0×103
fffff800`e1bb32c3 nt!KeIntSteerPeriodic+0×17f
fffff800`e1bb2ed8 nt!PpmParkSteerInterrupts+0×5e8
fffff800`e1c594e9 nt!HvlUpdatePerformanceStateCountersForLp+0×79
fffff800`776b2781 intelppm!PerfHvReadFeedback+0×61
fffff800`e1cf553c nt!KiSetProcessorIdle_LockFree+0×2b8
fffff800`e1ae22f8 nt!KiHeteroSelectIdleProcessorFromSubNode+0×308
fffff800`e1a0afa5 nt!KiUpdateThreadQosGroupingSummaries+0×75
fffff800`e1a0a927 nt!KiCommitRescheduleContextEntry+0×1e7
fffff800`e27d1183 nt!KiInitialSharedReadyQueue+0×243
fffff800`e1ae9a0b nt!KiComputeThreadQos+0xfb
fffff800`e1b3673a nt!KiDeferredReadySingleThread+0×29fa
fffff800`e1a0f077 nt!PpmUpdatePerformanceFeedback+0×3b7
fffff800`e1b51006 nt!KiProcessThreadWaitList+0×106
fffff800`e1b335a4 nt!EtwpLogKernelEvent+0×2f4
fffff800`e1b2db6f nt!KeSetEvent+0×10f
fffff800`e1bb7182 nt!PopQueueTargetDpc+0xee
fffff800`e1b32bc6 nt!KiExecuteAllDpcs+0xdc6
fffff800`e1bb6680 nt!PopExecuteProcessorCallback
fffff800`e1bb6680 nt!PopExecuteProcessorCallback
fffff800`e1a0c228 nt!KiRetireDpcList+0×668
fffff800`e1bb6680 nt!PopExecuteProcessorCallback
fffff800`e1eac3c5 nt!KxSwapStacksAndRetireDpcList+0×5

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Interrupt Stack Collection is another area to mine for Execution Residue and Rough Stack Traces. Some Interrupt Stacks may be visible in Stack Trace Collections such as from CPUs. In addition to Stack Overflow double fault stack region, we also have debug, NMI, and machine check interrupt stack 6Kb regions:

6: kd> !idt

Dumping IDT: ffffbd014d6b1000

00: fffff806f53ad100 nt!KiDivideErrorFaultShadow
01: fffff806f53ad180 nt!KiDebugTrapOrFaultShadow Stack = 0xFFFFBD014D6B59D0
02: fffff806f53ad240 nt!KiNmiInterruptShadow Stack = 0xFFFFBD014D6B57D0
03: fffff806f53ad2c0 nt!KiBreakpointTrapShadow
04: fffff806f53ad340 nt!KiOverflowTrapShadow
05: fffff806f53ad3c0 nt!KiBoundFaultShadow
06: fffff806f53ad440 nt!KiInvalidOpcodeFaultShadow
07: fffff806f53ad4c0 nt!KiNpxNotAvailableFaultShadow
08: fffff806f53ad540 nt!KiDoubleFaultAbortShadow Stack = 0xFFFFBD014D6B53D0
09: fffff806f53ad5c0 nt!KiNpxSegmentOverrunAbortShadow
0a: fffff806f53ad640 nt!KiInvalidTssFaultShadow
0b: fffff806f53ad6c0 nt!KiSegmentNotPresentFaultShadow
0c: fffff806f53ad740 nt!KiStackFaultShadow
0d: fffff806f53ad7c0 nt!KiGeneralProtectionFaultShadow
0e: fffff806f53ad840 nt!KiPageFaultShadow
10: fffff806f53ad8c0 nt!KiFloatingErrorFaultShadow
11: fffff806f53ad940 nt!KiAlignmentFaultShadow
12: fffff806f53ad9c0 nt!KiMcheckAbortShadow Stack = 0xFFFFBD014D6B55D0
13: fffff806f53adac0 nt!KiXmmExceptionShadow
[…]

These stacks are different for each CPU. It is also possible to get these stack bases from TSS:

6: kd> ~0s

0: kd> !pcr
KPCR for Processor 0 at fffff80680079000:
Major 1 Minor 1
NtTib.ExceptionList: fffff8068743efb0
NtTib.StackBase: fffff8068743d000
NtTib.StackLimit: 0000000000000000
NtTib.SubSystemTib: fffff80680079000
NtTib.Version: 0000000080079180
NtTib.UserPointer: fffff80680079870
NtTib.SelfTib: 00000060414a8000

SelfPcr: 0000000000000000
Prcb: fffff80680079180
Irql: 0000000000000000
IRR: 0000000000000000
IDR: 0000000000000000
InterruptMode: 0000000000000000
IDT: 0000000000000000
GDT: 0000000000000000
TSS: 0000000000000000

CurrentThread: ffffa80b0c8240c0
NextThread: 0000000000000000
IdleThread: fffff806f57d0640

DpcQueue:

0: kd> dt nt!_KPCR fffff80680079000
nt!_KPCR
+0×000 NtTib : _NT_TIB
+0×000 GdtBase : 0xfffff806`8743efb0 _KGDTENTRY64
+0×008 TssBase : 0xfffff806`8743d000 _KTSS64
+0×010 UserRsp : 0
+0×018 Self : 0xfffff806`80079000 _KPCR
+0×020 CurrentPrcb : 0xfffff806`80079180 _KPRCB
+0×028 LockArray : 0xfffff806`80079870 _KSPIN_LOCK_QUEUE
+0×030 Used_Self : 0×00000060`414a8000 Void
+0×038 IdtBase : 0xfffff806`8743c000 _KIDTENTRY64
+0×040 Unused : [2] 0
+0×050 Irql : 0 ”
+0×051 SecondLevelCacheAssociativity : 0×10 ”
+0×052 ObsoleteNumber : 0 ”
+0×053 Fill0 : 0 ”
+0×054 Unused0 : [3] 0
+0×060 MajorVersion : 1
+0×062 MinorVersion : 1
+0×064 StallScaleFactor : 0×840
+0×068 Unused1 : [3] (null)
+0×080 KernelReserved : [15] 0
+0×0bc SecondLevelCacheSize : 0×800000
+0×0c0 HalReserved : [16] 0×7de29000
+0×100 Unused2 : 0
+0×108 KdVersionBlock : (null)
+0×110 Unused3 : (null)
+0×118 PcrAlign1 : [24] 0

0: kd> dt nt!_KTSS64 0xfffff806`8743d000
nt!_KTSS64
+0×000 Reserved0 : 0
+0×004 Rsp0 : 0xfffff806`87440200
+0×00c Rsp1 : 0
+0×014 Rsp2 : 0
+0×01c Ist : [8] 0
+0×05c Reserved1 : 0
+0×064 Reserved2 : 0
+0×066 IoMapBase : 0×68

0: kd> dps 0xfffff806`8743d000+1c L8
fffff806`8743d01c 00000000`00000000
fffff806`8743d024 fffff806`874403d0
fffff806`8743d02c fffff806`874405d0
fffff806`8743d034 fffff806`874407d0
fffff806`8743d03c fffff806`874409d0
fffff806`8743d044 00000000`00000000
fffff806`8743d04c 00000000`00000000
fffff806`8743d054 00000000`00000000

0: kd> !idt 2

Dumping IDT: fffff8068743c000

02: fffff806f53ad240 nt!KiNmiInterruptShadow Stack = 0xFFFFF806874407D0

These stack base values may be transition stack values. In such a case, a redirection is required:

0: kd> dps fffff806`874407d0 L4
fffff806`874407d0 fffff806`80079000
fffff806`874407d8 fffff806`87471fe0
fffff806`874407e0 fffff806`80079000
fffff806`874407e8 00000004`237bf002

0: kd> dpS fffff806`87471fe0+20-6000 L6000/8
fffff806`f4dcd566 nt!KiSaveProcessorState+0xb6
fffff806`f4dc588a nt!KiFreezeTargetExecution+0×1ba
fffff806`f4db72ea nt!KiCheckForFreezeExecution+0×2a
fffff806`f4dbb242 nt!KiProcessNMI+0×52
fffff806`f4eb0fc2 nt!KxNmiInterrupt+0×82
fffff806`f4dcd124 nt!KiMcheckFastForward+0×64

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Terminated threads are not listed in unmanaged space Stack Trace Collections. In kernel space, we may notice them if we expect N kernel threads but see less like Missing Threads in user space. If we see less kernel threads in a process context then, definitely, user space counterparts to Dual Stack Traces are missing (but we may still recover Hidden Stacks). Sometimes, using appropriate extensions, like SwishDbgExt, we can see terminated threads based on exit time:

0: kd> !ms_process /pid 0x250 /threads
[...]
| 0x0250 | 0x02a0 | 0x00007FFC858FE680 | winsrvext!TerminalServerRequestThread | 13/11/2021 22:14:28 | 00/00/ 0 00:00:00 |
| 0×0250 | 0×02a4 | 0×00007FFC858F2710 | winsrvext!GdiAddInitialFontsThread | 13/11/2021 22:14:28 | 13/11/2021 22:14:29 |
| 0×0250 | 0×02a8 | 0×00007FFC858F3430 | winsrvext!NotificationThread | 13/11/2021 22:14:28 | 00/00/ 0 00:00:00 |
[…]

If we get thread ids from some Paratext, we can directly check if the thread is terminated or not:

0: kd> !thread -t 2a4 3f
THREAD ffffc38c3040e080 Cid 0250.02a4 Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
Not impersonating
DeviceMap ffffac8a0423d290
Owning Process ffffc38c30880140 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 1282 Ticks: 10674 (0:00:02:46.781)
Context Switch Count 1192 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address winsrvext!GdiAddInitialFontsThread (0×00007ffc858f2710)
Stack Init 0000000000000000 Current ffffbe8295331670
Base ffffbe8295332000 Limit ffffbe829532c000 Call 0000000000000000
Priority 14 BasePriority 13 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffffbe82`953316b0 fffffc57`1e5ba085 0×4
ffffbe82`953316b8 fffff806`6255f501 0xfffffc57`1e5ba085
ffffbe82`953316c0 000002ac`02048e80 nt!PspThreadFromTicket+0×51
ffffbe82`953316f0 ffffffff`ffffffff 0×000002ac`02048e80
ffffbe82`953316f8 ffffbe82`95331b60 0xffffffff`ffffffff
ffffbe82`95331700 ffffbe82`953319a0 0xffffbe82`95331b60
ffffbe82`95331708 fffff806`62136778 0xffffbe82`953319a0
ffffbe82`95331710 fffff806`62138fdc nt!IoRemoveIoCompletion+0×98
ffffbe82`95331830 fffff806`62227b75 nt!NtWaitForWorkViaWorkerFactory+0×39c
ffffbe82`95331a70 00000000`00000000 nt!KiSystemServiceCopyEnd+0×25

Please note that in case of Incorrect Stack Trace we can get Rough Stack Trace or try to reconstruct the one manually from Execution Residue:

0: kd> dpS ffffbe829532c000 ffffbe8295332000
fffff806`6210aeb4 nt!MiGetPerfectColorHeadPage+0×94
fffff806`624e9fa2 nt!PspGetContext+0×2e2
fffff806`62a54e00 nt!MiSystemPartition
fffff806`624e9aba nt!PspGetSetContextInternal+0×3aa
fffff806`624e9aba nt!PspGetSetContextInternal+0×3aa
fffff806`621090b1 nt!MiAddWorkingSetEntries+0×451
fffff806`62108965 nt!MiAllocateWsle+0×295
fffff806`62a54e00 nt!MiSystemPartition
fffff806`62107eac nt!MiCompletePrivateZeroFault+0×77c
fffff806`62a54e00 nt!MiSystemPartition
fffff806`62107315 nt!MiResolvePrivateZeroFault+0×1a5
fffff806`62105c28 nt!MiResolveDemandZeroFault+0×298
fffff806`62a54e00 nt!MiSystemPartition
fffff806`621290cc nt!MiDispatchFault+0×2ac
fffff806`6221db3d nt!PspGetSetContextSpecialApc+0×6d
fffff806`624ea5fd nt!PspSetContextThreadInternal+0×16d
fffff806`624e9083 nt!PspInitializeThunkContext+0×28f
00007ffc`884b6870 ntdll!TppWorkerThread
00007ffc`884a4830 ntdll!RtlUserThreadStart
fffff806`620d58e4 nt!EtwpEventWriteFull+0×3f4
fffff806`620d58e4 nt!EtwpEventWriteFull+0×3f4
fffff806`61e0f808 nt!ThreadWorkOnBehalfUpdate
fffff806`6221d818 nt!SwapContext+0×4d8
fffff806`6221d056 nt!KiSwapContext+0×76
fffff806`62132457 nt!KiSwapThread+0×3a7
fffff806`61e0f808 nt!ThreadWorkOnBehalfUpdate
fffff806`61e0f808 nt!ThreadWorkOnBehalfUpdate
fffff806`62134309 nt!KiCommitThreadWait+0×159
fffff806`62136d66 nt!KeRemoveQueueEx+0×2b6
fffff806`6255f501 nt!PspThreadFromTicket+0×51
fffff806`62136778 nt!IoRemoveIoCompletion+0×98
fffff806`6256d901 nt!ObpReferenceObjectByHandleWithTag+0×231
fffff806`6256d6be nt!ObReferenceObjectByHandle+0×2e
fffff806`62138fdc nt!NtWaitForWorkViaWorkerFactory+0×39c
fffff806`62227b75 nt!KiSystemServiceCopyEnd+0×25
fffff806`62227b75 nt!KiSystemServiceCopyEnd+0×25
00007ffc`88546f14 ntdll!NtWaitForWorkViaWorkerFactory+0×14

Such Historical Information may help in the reconstruction of past system behavior.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Generative AI LLM models such as GPT-4 can be used as Analysis Summary devices (although such summaries should be treated with caution and double-checked). For example, let’s look at the default !analyze -v WinDbg command summary:

Summarize:
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffbc06b64895a0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80403c61981, address which referenced memory

Debugging Details:
------------------

Unable to load image \??\C:\WINDOWS\system32\drivers\myfault.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

Followup: MachineOwner
---------

This summary is based on a Windows bugcheck (blue screen of death) analysis report. The specific error encountered is DRIVER_IRQL_NOT_LESS_OR_EQUAL with a stop code of 0xD1. This error indicates that a driver attempted to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that was too high, which is typically a result of drivers using improper addresses.

Key details from the analysis include:

• Memory Referenced (Arg1): ffffbc06b64895a0. This is the memory address that was being accessed when the error occurred.
• IRQL (Arg2): 2, indicating the interrupt request level at the time of the error.
• Operation Type (Arg3): 0, meaning a read operation was being performed.
• Address that Referenced Memory (Arg4): fffff80403c61981, the address within the driver or system component that attempted the illegal memory access.

Additional debugging details highlight that the error was caused by the myfault.sys driver, which is notably used for generating system crashes for testing purposes. The error occurred while running the process notmyfault64.exe, further suggesting that this was a deliberate test of system stability or error handling.

The analysis also included various technical details about the system state, such as CPU and memory usage metrics, the virtual machine environment (VMware), and other system flags. The failure bucket identifies the issue as an access violation (AV) within the myfault driver, without specifying a known function, indicating a potentially unknown or unexpected path within the driver causing the crash.

Given the context, it appears this crash was induced as part of a debugging or system testing exercise, likely to analyze how the system and its error handling mechanisms respond to driver-induced errors.

The following are Analysis Summaries from the two latest pattern cooperation case studies:

Spiking Thread, Top Module, Module Hint, and Memory Fluctuation

The analysis revolves around diagnosing a sluggish performance issue on a Windows 7 system, attributed to high CPU and physical memory usage by one of the svchost.exe processes. A process memory dump revealed a significantly large file size (almost 1.5 GB), hinting at abnormal behavior warranting a deeper investigation using crash and hang dump analysis techniques.

Key Observations:

1. Spiking Thread Pattern: Initial analysis identified a single thread consuming a disproportionate amount of CPU time, indicative of a Spiking Thread pattern. This thread, identified through the !runaway command in WinDbg, significantly outpaced other threads in both user and kernel mode time.
2. Windows Update Agent Activity: The stack trace of the spiking thread pointed to activity related to the Windows Update Agent (wuaueng.dll), suggesting that the Windows Update process was contributing to the system’s sluggish performance.
3. Heap Usage and Potential Memory Leak: Examination of the process address space showed nearly 1 GB occupied by the process heap, with many large virtual blocks allocated. This was suspected to be indicative of a memory leak.
4. Temporary Condition: Interestingly, the system’s performance normalized after about 20 minutes, and a subsequent memory dump was significantly smaller (less than 150 KB). Analysis of this dump showed a different thread (#32) as having consumed CPU time in the past, but with the system no longer exhibiting high CPU or memory usage.
5. Memory Fluctuation: The investigation concluded that the observed behavior was a case of Memory Fluctuation, associated with the temporary demands of the Windows Update process. The initial large memory usage and CPU consumption were temporary and resolved without intervention, as evidenced by the normalization of resource usage and the significant reduction in the size of the process memory dump.

Conclusion:

The investigation showcases the importance of crash and hang dump analysis in diagnosing and understanding transient performance issues in Windows systems. It highlights how system processes, in this case, the Windows Update Agent, can temporarily consume significant system resources, leading to performance degradation. The analysis also demonstrates the system’s ability to recover from such states, emphasizing the temporary nature of certain performance issues.

Exception Stack Trace, Stored Exception, Translated Exception, Execution Residue, Hidden Exception, NULL Pointer, Exception Module, Stack Trace Motif, No Component Symbols, and Coincidental Symbolic Information

The analysis provided deals with an investigation into a series of crashes of the backgroundTaskHost.exe on a system, focusing on the crash dumps found in a specified folder set up through the LocalDumps Windows Error Reporting (WER) registry. These crashes are characterized by a consistent Exception Stack Trace and a Stored Exception that suggests a security vulnerability (stack buffer overrun) potentially exploitable by malicious actors. The investigation involves detailed WinDbg command outputs, providing insight into the nature of the crashes, the involved modules, and the potential causes.

Key Findings:

1. Consistent Crash Cause: All crash dumps share the same Exception Stack Trace and Stored Exception, indicating a consistent failure mode across multiple instances. The failure is identified as a stack buffer overrun (c0000409), a type of vulnerability that could allow unauthorized control over the application.
2. Exception Stack Trace Analysis: The stack trace points to several modules, including ucrtbase, vccorlib140_app, and Microsoft_Applications_Telemetry_Windows, among others. The presence of multiple calls to DllGetActivationFactory and the involvement of telemetry-related functions suggest the crashes may be related to the handling of telemetry data.
3. Translated and Hidden Exceptions: The analysis reveals a discrepancy between the exception addresses and contexts reported by different WinDbg commands, suggesting the presence of translated exceptions. Further examination of the execution residue uncovers hidden exceptions, indicating that the initial crash may be concealing additional underlying issues.
4. Module Involvement and Symbolic Information: The Microsoft_Applications_Telemetry_Windows module is highlighted as a significant factor in the crashes, particularly due to its association with telemetry data processing functions. However, the analysis also suggests that the symbolic information for this module may be coincidental, due to the absence of component symbols and an unusually large offset for the getJsonFormattedEvent function.
5. Function Size Discrepancy: Discrepancies in the expected size of the getJsonFormattedEvent function, compared to its offset, raise questions about the accuracy of the symbolic information provided. This discrepancy also complicates the search for pointers to JSON strings in the memory dump, as typical commands do not reveal expected patterns.

Overall, the analysis suggests that the crashes may be related to the processing of telemetry data, potentially due to a stack buffer overrun vulnerability in the backgroundTaskHost.exe. The involvement of the Microsoft_Applications_Telemetry_Windows module and discrepancies in symbolic information point to the need for further investigation, including the possibility of missing or inaccurate debugging symbols that could clarify the root cause of these crashes.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Generative AI LLM models such as GPT-4 are very good at annotation and summarization of memory regions (Region Summaries) with symbolic information and may provide additional insight even without symbolic information (although all such insights should be treated with caution):

Summarize:
0: kd> dpS ffffa7848e4c5000 ffffa7848e4cb000
fffff804`04c0fa78 nt!HalpApicRequestInterrupt+0xd8
fffff804`04d2b18d nt!HalpInterruptSendIpi+0xfd
fffff804`04d091f1 nt!MiAddWorkingSetEntries+0x451
fffff804`04a0f800 nt!MiFreeThenFree
fffff804`04d08aa5 nt!MiAllocateWsle+0x295
fffff804`04d0a520 nt!MiGetPageChain+0xeb0
fffff804`05654fc0 nt!MiSystemPartition
fffff804`04d07fec nt!MiCompletePrivateZeroFault+0x77c
fffff804`04cd2d1d nt!HalRequestIpiSpecifyVector+0x7d
fffff804`04cd2aa7 nt!KiIpiSendRequest+0x397
fffff804`04d5f66c nt!KiIpiSendRequestEx+0x88
fffff804`04d5f5d1 nt!KxFlushEntireTb+0x1a5
fffff804`04c31710 nt!KiFlushCurrentTbWorker
fffff804`05654fc0 nt!MiSystemPartition
fffff804`04d5eccd nt!KeFlushTb+0xa1
fffff804`04c65e3e nt!MiFlushEntireTbDueToAttributeChange+0x4a
fffff804`04d0b1c4 nt!MiGetPerfectColorHeadPage+0x94
fffff804`05654f00 nt!PnpSystemHiveTooLarge
fffff804`04c6cfad nt!MiChangePageAttribute+0xed
fffff804`04cf7fc6 nt!MiFlushTbAsNeeded+0x156
fffff804`04d50053 nt!MiGetContainingPageTable+0x43
fffff804`04d4fc5c nt!MiAssignNonPagedPoolPte+0x1ac
fffff804`04c0fa78 nt!HalpApicRequestInterrupt+0xd8
fffff804`04c0fa78 nt!HalpApicRequestInterrupt+0xd8
fffff804`04d2b18d nt!HalpInterruptSendIpi+0xfd
fffff804`04cf86a6 nt!MmAllocatePoolMemory+0xca
fffff804`05654fc0 nt!MiSystemPartition
fffff804`04c6feeb nt!MiReplenishPageSlist+0x31b
fffff804`05654fc0 nt!MiSystemPartition
fffff804`05654fc0 nt!MiSystemPartition
fffff804`04c1356a nt!HalPerformEndOfInterrupt+0x1a
fffff804`05655a00 nt!MiSystemPartition+0xa40
fffff804`04d2ee05 nt!ExReleaseAutoExpandPushLockShared+0x85
fffff804`0960cfde Ntfs!NtfsLookupNtfsMcbEntryWithSyncFlag+0x14e
fffff804`04e1e197 nt!SwapContext+0x1c7
fffff804`056eabd0 nt!KiAbTreeArray+0x52d0
fffff804`04cfb100 nt!KiAbEntryGetLockedHeadEntry+0x2a0
fffff804`04e1dce6 nt!KiSwapContext+0x76
fffff804`04cc0d52 nt!KiCancelTimer+0x262
fffff804`05653500 nt!MiState+0x4480
fffff804`05653500 nt!MiState+0x4480
fffff804`04cdd148 nt!MiReservePtes+0x48
fffff804`09543e42 Wof!WofPostReadCallback+0x72
fffff804`096086a9 Ntfs!NtfsVerifyAndRevertUsaBlock+0x25d
fffff804`0893676f FLTMGR!FltpPerformPostCallbacksWorker+0x3bf
fffff804`04d2ba3b nt!KeQueryCurrentStackInformationEx+0x8b
fffff804`04c0fa78 nt!HalpApicRequestInterrupt+0xd8
fffff804`04d2b18d nt!HalpInterruptSendIpi+0xfd
fffff804`04d2f11f nt!KeSetEvent+0xdf
fffff804`04cc5dc7 nt!IopFreeIrp+0xf7
fffff804`04d34cc7 nt!IofCompleteRequest+0x17
fffff804`09619028 Ntfs!NtfsExtendedCompleteRequestInternal+0x218
fffff804`04d2ee05 nt!ExReleaseAutoExpandPushLockShared+0x85
fffff804`04d0e611 nt!MmCheckCachedPageStates+0x681
fffff804`05659240 nt!MiSystemPartition+0x4280
fffff804`04d0e611 nt!MmCheckCachedPageStates+0x681
fffff804`05654fc0 nt!MiSystemPartition
fffff804`05654fc0 nt!MiSystemPartition
fffff804`04d30071 nt!MiUnlockWorkingSetShared+0x81
fffff804`04d2ee05 nt!ExReleaseAutoExpandPushLockShared+0x85
fffff804`04d0e611 nt!MmCheckCachedPageStates+0x681
fffff804`0960feca Ntfs!NtfsCheckMappingPairs+0xea
fffff804`0960cfde Ntfs!NtfsLookupNtfsMcbEntryWithSyncFlag+0x14e
fffff804`04c9b51a nt!SepNormalAccessCheck+0x1fa
fffff804`04d2f11f nt!KeSetEvent+0xdf
fffff804`04d0e611 nt!MmCheckCachedPageStates+0x681
fffff804`04c9ad64 nt!SepAccessCheck+0x304
fffff804`0960fe00 Ntfs!NtfsCheckMappingPairs+0x20
fffff804`054351f8 nt!IopFileMapping
fffff804`04c9a570 nt!SeAccessCheckWithHint+0x640
fffff804`054351f8 nt!IopFileMapping
fffff804`054351f8 nt!IopFileMapping
fffff804`09721fb2 Ntfs!TxfAccessCheck+0x192
fffff804`05163eff nt!CcUnpinData+0x1f
fffff804`054351f8 nt!IopFileMapping
fffff804`04c93842 nt!FsRtlCheckOplockEx2+0x922
fffff804`04d3027b nt!ExReleaseResourceLite+0xeb
fffff804`050f44bb nt!SeUnlockSubjectContext+0x1b
fffff804`0971f872 Ntfs!NtfsAccessCheck+0x11b2
fffff804`04c92f0c nt!FsRtlCheckOplockEx+0x3c
fffff804`09721b48 Ntfs!NtfsOpenAttribute+0x1768
fffff804`0971e585 Ntfs!NtfsCheckExistingFile+0x775
fffff804`096e7a2c Ntfs!NtfsBreakBatchOplock+0xfc
fffff804`0971dce2 Ntfs!NtfsOpenExistingAttr+0x252
fffff804`0971d6cb Ntfs!NtfsOpenAttributeInExistingFile+0xcbb
fffff804`04d2dae9 nt!FsRtlLookupPerStreamContextInternal+0x1a9
fffff804`04d2ee05 nt!ExReleaseAutoExpandPushLockShared+0x85
fffff804`08934f4e FLTMGR!FltGetStreamContext+0xce
fffff804`095637c6 Wof!WofPostCleanupCallback+0xa6
fffff804`0893676f FLTMGR!FltpPerformPostCallbacksWorker+0x3bf
fffff804`04d302d6 nt!ExReleaseResourceLite+0x146
fffff804`05157ff1 nt!HvpGetCellContextInitialize+0x15
fffff804`051580aa nt!HvpMapEntryGetBlockAddress+0xe
fffff804`05157fcf nt!HvpReleaseCellPaged+0x2f
fffff804`05158072 nt!HvpGetCellPaged+0x72
fffff804`05157ff1 nt!HvpGetCellContextInitialize+0x15
fffff804`0515be21 nt!CmpCompareInIndex+0x211
fffff804`05157fcf nt!HvpReleaseCellPaged+0x2f
fffff804`04cc684c nt!KiSetAddressPolicy+0xc
fffff804`04cc6b6d nt!KiStackAttachProcess+0x24d
fffff804`04d2cd97 nt!wil_details_FeatureReporting_ReportUsageToServiceDirect+0xd7
fffff804`05157ff1 nt!HvpGetCellContextInitialize+0x15
fffff804`05157fcf nt!HvpReleaseCellPaged+0x2f
fffff804`04cc684c nt!KiSetAddressPolicy+0xc
fffff804`04c842f7 nt!wil_details_FeatureReporting_ReportUsageToService+0x37
fffff804`04cc6de5 nt!KiSwapProcess+0x75
fffff804`04cc6faa nt!KiUnstackDetachProcess+0x17a
fffff804`054b132b nt!CmpDetachFromRegistryProcess+0xb
fffff804`0517eee1 nt!CmpDoParseKey+0x2f11
fffff804`096e8d01 Ntfs!NtfsCompleteCleanupRequest+0x51
fffff804`04d40000 nt!MiFreeWsleList+0x130
fffff804`05654fc0 nt!MiSystemPartition
fffff804`095e71be WdFilter+0x571be
fffff804`095c8c5f WdFilter+0x38c5f
fffff804`04d2cd97 nt!wil_details_FeatureReporting_ReportUsageToServiceDirect+0xd7
fffff804`051b1ac1 nt!VrpRegistryCallback+0xc1
fffff804`0517f9c5 nt!CmpCallCallBacksEx+0x3f5
fffff804`04d2ce3f nt!CmpIsRegistryLockAcquired+0x2f
fffff804`0517bd15 nt!CmpParseKey+0x445
fffff804`04d28a55 nt!MiFastLockLeafPageTable+0x175
fffff804`04d24578 nt!MiGetPageProtection+0x408
fffff804`04d23a2e nt!MiQueryAddressState+0x6ee
fffff804`095e0000 WdFilter+0x50000
fffff804`04d1abe6 nt!MiQueryAddressSpan+0x1e6
fffff804`04d1a862 nt!MiUnlockAndDereferenceVadShared+0x62
fffff804`0517785c nt!MmQueryVirtualMemory+0x6bc
fffff804`0896d280 FLTMGR!FltpFastIoWrite+0x190
fffff804`0516dfc1 nt!ObpReferenceObjectByHandleWithTag+0x231
fffff804`0516dd41 nt!ObReferenceObjectByHandleWithTag+0x31
fffff804`0516ac7b nt!ObWaitForSingleObject+0xdb
fffff804`0516ab8a nt!NtWaitForSingleObject+0x6a
fffff804`04e28775 nt!KiSystemServiceCopyEnd+0x25
00007ffe`4d2637d4 ntdll!NtWaitForSingleObject+0x14

This output appears to be from the dpS (display words and symbols) debugger command, which is listing memory contents and associated symbols within a specified range (from ffffa7848e4c5000 to ffffa7848e4cb000). The listing shows addresses in memory alongside their corresponding symbol names, indicating various kernel and system functions being referenced in this memory range.

• Functions from nt! (the NT kernel) dominate the list, suggesting this memory range is heavily involved in core operating system operations. This includes interrupt handling (HalpApicRequestInterrupt), memory management (MiAllocateWsle, MiGetPageChain), process and thread management (KiSwapProcess, KiUnstackDetachProcess), and others.
• Specific actions related to memory management and page table entries are frequent, such as MiFlushEntireTbDueToAttributeChange, indicating operations that involve modifying the Translation Lookaside Buffer (TLB) as part of memory attribute changes.
• There are references to file system operations and filter manager functions (e.g., Ntfs!NtfsOpenAttribute, FLTMGR!FltpPerformPostCallbacksWorker), pointing to disk I/O and file system activities within this memory range.
• Several entries related to security and access control (e.g., SepAccessCheck, SeAccessCheckWithHint), showing that some operations in this range involve security checks.
• The presence of symbols like WdFilter suggests Windows Defender operations, possibly indicating anti-malware activities happening or logged within this memory segment.
• The repeated appearance of certain base addresses (MiSystemPartition) and operations (e.g., ExReleaseAutoExpandPushLockShared, KeSetEvent) highlights system-level management tasks, including synchronization and event signaling.
• Additionally, there are references to Registry operations (e.g., CmpCallCallBacksEx, CmpParseKey), indicating some part of this memory is used for Registry access and manipulation.

Overall, the memory range contains a mix of low-level kernel operations, security checks, file system interactions, and system state management tasks, reflecting the complex and interwoven nature of operating system activities. This kind of data is typically used for deep debugging and analysis of system behavior, performance tuning, or troubleshooting specific issues.

Explain:
0: kd> dpp rsp
00000033`d2d7c1d8 00007ffe`1c9e705c 78c08500`00441f0f
00000033`d2d7c1e0 00007ffe`1ca0e818 00000000`00666544
00000033`d2d7c1e8 00000000`00001434
00000033`d2d7c1f0 0000015f`3fed7680 6f46203a`6c707041
00000033`d2d7c1f8 00007ffe`1ca07bea ccccccc3`28c48348
00000033`d2d7c200 00000000`000023b4
00000033`d2d7c208 0000015f`3db4c7b0 00000073`006c0043
00000033`d2d7c210 00000000`00000000
00000033`d2d7c218 00000000`00000000
00000033`d2d7c220 00000033`d2d7c2c8 00000000`04000000
00000033`d2d7c228 00007ffe`1ca02fb6 00000218`36ac8946
00000033`d2d7c230 00000033`d2d7c2c8 00000000`04000000
00000033`d2d7c238 00000000`00000000
00000033`d2d7c240 00007ffe`1ca1578c 00000000`00530025
00000033`d2d7c248 00007ffe`1ba95124 63656e6f`00000044
00000033`d2d7c250 00000000`00000000

The dpp command in the Windows Debugger (WinDbg) displays memory contents at the address specified by the stack pointer register (rsp) and attempts to resolve any pointers to their symbolic names, essentially showing a double word pointer list from the specified location.

Here’s a breakdown of the information provided by the output:

• Each line shows two memory addresses. The left side shows the address being inspected, and the right side shows the content at that address, which may be a value or a pointer to another memory location. If the content is a pointer and a symbol is available, it will show the symbol name next to it.
• For instance, the first line shows the memory address 00000033d2d7c1d8 contains the pointer 00007ffe1c9e705c, which doesn’t have an associated symbolic name provided in this snippet. This could be a function pointer, object pointer, or data pointer depending on the context which isn’t fully given here.
• The output includes pointers to various memory locations, and some lines display what appears to be function pointers (e.g., 00007ffe1c9e705c) and possibly some constants or flags right next to them (e.g., 78c08500`00441f0f). Without more context or symbol information, it’s difficult to specify exactly what each value represents.
• The snippet mentions several pointers that seem related to executable modules (indicated by the 7ffe segment in the addresses, which is common for user-mode addresses on a 64-bit system). These could point to functions or data structures within those modules.
• Addresses like 0000015f3fed7680 or 0000015f3db4c7b0 appear to be heap or dynamically allocated memory addresses due to their range, which differs from the typical ranges used for executable modules or stack memory.

Without the full context, such as the associated source code, loaded modules list, or symbols, it’s challenging to derive a meaningful interpretation of what each pointer or value represents in this scenario. Typically, this command is used by developers or analysts to inspect the call stack, arguments to functions, or specific data structures in memory during debugging sessions to understand the state of an application or diagnose issues.

Please note, symbolic addresses may be Coincidental. Raw stack regions may also be treated as Rough Stack Trace with the corresponding Annotated Stack Traces.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Generative AI LLM models such as GPT-4 are very good at annotation and summarization of disassembly and may provide additional insight (although such insights should be treated with caution):

Summarize:
0: kd> ub fffff804`095c8c5f
WdFilter+0x38c3c:
fffff804`095c8c3c mov rcx,qword ptr [WdFilter+0x16000 (fffff804`095a6000)]
fffff804`095c8c43 mov edx,0Eh
fffff804`095c8c48 mov rcx,qword ptr [rcx+18h]
fffff804`095c8c4c call WdFilter+0x1150 (fffff804`09591150)
fffff804`095c8c51 mov rdi,qword ptr [rbp-39h]
fffff804`095c8c55 xor edx,edx
fffff804`095c8c57 lea ecx,[rdx+1]
fffff804`095c8c5a call WdFilter+0x57198 (fffff804`095e7198)

This sequence of instructions is from the WdFilter module, likely part of the Windows Defender filtering mechanism. The disassembled code provides a glimpse into how certain operations are performed within this module:

Instruction Breakdown:

• The first instruction moves a value from a specific address within the WdFilter module into the rcx register. This address (WdFilter+0×16000) is likely a reference to a data structure or a function pointer used by the filter.
• The mov edx, 0Eh instruction sets the edx register to 14 (in hexadecimal notation, 0Eh), which might be used as an argument for a subsequent function call or an operation code.
• Another value is moved into rcx from the address pointed to by rcx+18h, updating rcx with a new address or value located 24 bytes (18h) from the initial reference. This suggests a traversal or access within a structured data or a chain of function pointers.
• A call is made to another function within the WdFilter module (WdFilter+0×1150), indicating an internal operation or check being performed with the previously set parameters.
• The value at rbp-39h is moved into the rdi register. This instruction likely retrieves a saved value or a pointer from the stack frame for use in subsequent operations.
• The xor edx, edx instruction clears the edx register, setting it to zero. This is a common practice for resetting a register value efficiently.
• The lea ecx,[rdx+1] instruction loads the effective address of edx+1 into ecx, effectively setting ecx to 1. This could be preparing an argument for the next function call.
• Finally, a call is made to another function within the WdFilter module (WdFilter+0×57198), which could be part of the filtering, analysis, or action decision-making process based on the context set by the preceding instructions.

Summary:

This code snippet from the WdFilter module performs a series of data retrieval and setup operations before calling two internal functions. These functions could be involved in processing, analyzing, or taking actions on objects or events within the Windows Defender’s filtering system. The exact purpose of these operations would depend on the broader context of the WdFilter module’s functionality and the data structures it manipulates.

Please also note how instruction annotations are combined, for example, about xor and lea. This Disassembly Summary analysis pattern differs from Annotated Disassembly that is done by a debugger that has access to other parts of memory and meta and symbolic information not available to external text processing tools.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Generative AI LLM models such as GPT-4 are very good at producing Annotated Stack Traces. This is similar to Message Annotations trace and log analysis pattern. Below are two examples from ChatGPT:

Explain this stack trace fragment line by line:
06 ffffa784`8ee7db20 fffff804`0516bbf2 nt!IofCallDriver+0x55
07 ffffa784`8ee7db60 fffff804`0516b9d2 nt!IopSynchronousServiceTail+0x1d2
08 ffffa784`8ee7dc10 fffff804`0516ad36 nt!IopXxxControlFile+0xc82
09 ffffa784`8ee7dd40 fffff804`04e28775 nt!NtDeviceIoControlFile+0x56
0a ffffa784`8ee7ddb0 00007ffe`4d263834 nt!KiSystemServiceCopyEnd+0x25
0b 0000009b`cc0fedd8 00007ffe`4a893ffb ntdll!NtDeviceIoControlFile+0x14
0c 0000009b`cc0fede0 00007ffe`4bb95f91 KERNELBASE!DeviceIoControl+0x6b
0d 0000009b`cc0fee50 00007ff7`6544342f KERNEL32!DeviceIoControlImplementation+0x81

This stack trace appears to be from the Windows operating system, showing a series of function calls related to an I/O operation, specifically a device I/O control operation (DeviceIoControl). The stack trace is displayed in reverse chronological order, meaning the most recent call is shown first. Here’s a line-by-line explanation:

Lines 06 to 09 (nt!…): These lines are part of the Windows kernel (ntoskrnl.exe), which is the core of the Windows operating system. The prefix nt! indicates functions within the kernel.

IofCallDriver (line 06): A kernel function that forwards an I/O request packet (IRP) to a driver. The +0×55 indicates the offset within the function where the call occurred.
IopSynchronousServiceTail (line 07): A function that handles synchronous I/O operations. The +0×1d2 offset shows where in the function the operation occurred, indicating further processing of the IRP.
IopXxxControlFile (line 08): Likely a function that processes control operations (like IOCTL calls) on files. The +0xc82 is the offset where the call happened.
NtDeviceIoControlFile (line 09): A system service function that applications can call to execute device I/O control operations. The +0×56 offset indicates the point of execution within the function.
Line 0a (nt!KiSystemServiceCopyEnd): This is part of the system call dispatch mechanism, which is responsible for transitioning from user mode to kernel mode. +0×25 is the offset within this function.

Line 0b (ntdll!NtDeviceIoControlFile): This represents a call made from a user-mode application into the Windows Native API (NTDLL.dll) to perform a device I/O control operation. The +0×14 offset indicates the execution point within the function.

Line 0c (KERNELBASE!DeviceIoControl): This call originates from the KERNELBASE.dll, a Windows DLL that provides the base-level functionality for high-level APIs. The DeviceIoControl function is a wrapper that applications can use to send control codes to drivers. The +0×6b offset indicates where the function proceeds with the operation.

Line 0d (KERNEL32!DeviceIoControlImplementation): This is the implementation of the DeviceIoControl function in KERNEL32.dll, which is another layer of abstraction that eventually calls into the kernel-mode function to perform the operation. The +0×81 offset indicates the execution point within this implementation.

This stack trace illustrates how a device I/O control operation initiated by an application flows through various layers of the Windows operating system, from high-level APIs down to kernel-mode functions, to interact with a device driver. Each step in the process is crucial for understanding how the operating system processes I/O requests, handles system calls, and communicates with hardware.

Explain this stack trace fragment line by line:
00 msvcrt!vsnwprintf
01 wdscore!StringCchPrintfW
02 wdscore!CLogManager::LogA
03 wdscore!WdsSetupLogMessageA
04 cbscore!CBSWdsLog
05 cbscore!CCbsExecutionObject::AddPackage
06 cbscore!CCbsExecutionObject::AddPackage
07 cbscore!CCbsExecutionObject::AddPackage
08 cbscore!CCbsExecutionObject::RecallOrSupersedLowerVersion
09 cbscore!CCbsExecutionObject::ProcessMumServicing
0a cbscore!CCbsExecutionObject::AddPackage
0b cbscore!CCbsExecutionObject::Plan
0c cbscore!CCbsExecutionObject::GenerateExpressFileList
0d cbscore!CCbsSession::ActionListGenerateMissingFileList
0e cbscore!CCbsPublicSession::WritePackageFileList
0f RPCRT4!Invoke
10 RPCRT4!Ndr64StubWorker
11 RPCRT4!NdrStubCall3
12 combase!CStdStubBuffer_Invoke
13 RPCRT4!CStdStubBuffer_Invoke
14 combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_ c9f3956a20c9da92a64affc24fdd69ec>::operator()
15 combase!ObjectMethodExceptionHandlingAction<<lambda_ c9f3956a20c9da92a64affc24fdd69ec> >
16 combase!InvokeStubWithExceptionPolicyAndTracing
17 combase!DefaultStubInvoke
18 combase!SyncServerCall::StubInvoke
19 combase!StubInvoke
1a combase!ServerCall::ContextInvoke
1b combase!CServerChannel::ContextInvoke
1c combase!DefaultInvokeInApartment
1d combase!ComInvokeWithLockAndIPID
1e combase!ThreadInvokeReturnHresult
1f combase!ThreadInvoke
20 RPCRT4!DispatchToStubInCNoAvrf
21 RPCRT4!RPC_INTERFACE::DispatchToStubWorker
22 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject
23 RPCRT4!LRPC_SCALL::DispatchRequest
24 RPCRT4!LRPC_SCALL::HandleRequest
25 RPCRT4!LRPC_SASSOCIATION::HandleRequest
26 RPCRT4!LRPC_ADDRESS::HandleRequest
27 RPCRT4!LRPC_ADDRESS::ProcessIO
28 RPCRT4!LrpcIoComplete
29 ntdll!TppAlpcpExecuteCallback
2a ntdll!TppWorkerThread
2b KERNEL32!BaseThreadInitThunk
2c ntdll!RtlUserThreadStart

This stack trace seems to come from a Windows environment, and it illustrates the flow of a specific operation—likely a component-based servicing action (related to Windows Updates or system component management) that involves logging, package addition, and possibly dealing with an RPC (Remote Procedure Call) request. Let’s break down the stack trace line by line:

msvcrt!vsnwprintf: This function is part of the Microsoft Visual C Runtime Library. It’s a variant of snprintf that works with wide (Unicode) strings, used for formatted string operations.

wdscore!StringCchPrintfW: A function likely related to Windows Deployment Services (WDS) for secure string formatting into a buffer. StringCchPrintfW is a safer version of sprintf for wide strings.

wdscore!CLogManager::LogA: A method in the WDS core library for logging messages. This method suggests the operation involves ASCII string logging.

wdscore!WdsSetupLogMessageA: Another logging-related function in WDS, focused on setup log messages.

cbscore!CBSWdsLog: Indicates a function within the Component-Based Servicing (CBS) core library, specifically for logging in the context of WDS.

6-0a. cbscore!CCbsExecutionObject::AddPackage (lines 05 to 0a): Repeated calls to a method that adds a package to the CBS execution object. This could be part of an update or system component management operation.

cbscore!CCbsExecutionObject::RecallOrSupersedLowerVersion: A method that deals with recalling or superseding lower versions of a package or component.

cbscore!CCbsExecutionObject::ProcessMumServicing: A method likely involved in servicing manifest updates (MUM files), which are used in Windows servicing to describe updates.

cbscore!CCbsExecutionObject::Plan: Part of the planning phase in a CBS operation, where the system determines what actions to take with the packages.

cbscore!CCbsExecutionObject::GenerateExpressFileList: Generates a list of files for an express installation, which is a faster update method that only downloads necessary components.

cbscore!CCbsSession::ActionListGenerateMissingFileList: A method to generate a list of missing files based on the planned actions.

cbscore!CCbsPublicSession::WritePackageFileList: Writes out the list of files associated with the packages being serviced.

13-1e. RPCRT4 and combase (lines 0f to 1e): These lines involve the RPC runtime and COM base libraries, indicating that part of the operation was invoked over RPC, a mechanism that allows a program to execute code on another machine or process.

1f-2c. The stack trace concludes with system and thread initialization functions, like TppWorkerThread and BaseThreadInitThunk, which are part of the thread pool and thread startup routines in Windows. These functions are standard for threads executing in the Windows environment.

This trace is a deep dive into how Windows manages system components, specifically around updating or managing packages, and involves various subsystems like WDS, CBS, and RPC communications.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

If we look at memory values in a thread stack region we see they are either come from the stack or some other non-stack region, such as heap, pool, or just some static code or data location. What is quite unusual is when such value belongs to another thread stack:

0:004> ~0e !teb
TEB at 00000055ad63d000
ExceptionList: 0000000000000000
StackBase: 00000055ad900000
StackLimit: 00000055ad8fd000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 00000055ad63d000
EnvironmentPointer: 0000000000000000
ClientId: 00000000000035c4 . 0000000000005fa4
RpcHandle: 0000000000000000
Tls Storage: 000001c2e6269540
PEB Address: 00000055ad63c000
LastErrorValue: 0
LastStatusValue: c0000034
Count Owned Locks: 0
HardErrorMode: 0

0:004> ~3e !teb
TEB at 00000055ad643000
ExceptionList: 0000000000000000
StackBase: 00000055adc00000
StackLimit: 00000055adbfe000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 00000055ad643000
EnvironmentPointer: 0000000000000000
ClientId: 00000000000035c4 . 0000000000005f1c
RpcHandle: 0000000000000000
Tls Storage: 000001c2e62714b0
PEB Address: 00000055ad63c000
LastErrorValue: 187
LastStatusValue: c000000d
Count Owned Locks: 0
HardErrorMode: 0

0:004> dps 00000055adbfe000 00000055adc00000
00000055`adbfe000 00000000`00000000
00000055`adbfe008 00000000`00000000
00000055`adbfe010 00000000`00000000
00000055`adbfe018 00000000`00000000
00000055`adbfe020 00000000`00000000
…
00000055`adbffa58 00000000`00000008
00000055`adbffa60 00000055`adbffb28
00000055`adbffa68 00007ff7`96e116a3 module!func+0×13
00000055`adbffa70 00000055`ad8ffde0
00000055`adbffa78 00000000`00000000
00000055`adbffa80 00000000`00000000
00000055`adbffa88 00007ffa`28ecc9a8 ucrtbase!`string’
00000055`adbffa90 00000000`00000000
00000055`adbffa98 00007ff7`96e116c3 module!thread_proc+0×13
00000055`adbffaa0 00000055`ad8ffde0
00000055`adbffaa8 00000055`adbffb28
00000055`adbffab0 ffffffff`ffffffff
00000055`adbffab8 00007ffa`28fa0748 KERNELBASE!GetAppModelPolicy+0×18
00000055`adbffac0 00000055`adbffba0
00000055`adbffac8 00007ff7`96e12657 module!std::invoke<void (__cdecl*)(int *),int *>+0×27
00000055`adbffad0 00000055`ad8ffde0
00000055`adbffad8 00000055`adbffb00
00000055`adbffae0 00000055`adbffb18
…

Such Foreign Stack references in user space may point to possibly questionable use of pointers to local variables in asynchronous scenarios. In kernel space, !findthreads WinDbg command may find values from the kernel stack of the specified thread address on other thread kernel stacks even from different processes. Such references may also reveal deep process and thread relationships in kernel.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Sometimes, we are interested in Past Processes, processes that ran in the past to suggest troubleshooting hints. Some may still be present as Zombie Processes and information about some may be present as control areas of the the previously mapped files (even if there are no mapped views at the moment):

1: kd> !memusage
...
Control Valid Standby Dirty Shared Locked PageTables name
…
ffffbe0c8b47f460 0 148 0 0 0 0 mapped_file( WerFault.exe )
…

1: kd> !ca ffffbe0c8b47f460 4
...
\Windows\System32\WerFault.exe

No mapped views.

This analysis pattern is different from Hidden Process where the process is still running or at least its image is still mapped to memory.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Modern x64 Windows targets may support hardware shadow stacks. In such a case, WinDbg shows this message even if you open a memory dump on computers that do not support it:

This target supports Hardware-enforced Stack Protection. A HW based
"Shadow Stack" may be available to assist in debugging and analysis.
See aka.ms/userhsp for more info.
dps @ssp

The data from shadow stacks may be useful in case of Local Buffer Overflow. In such a case, we can compare the problem Stack Trace with the Shadow Stack Trace that was supposed to be without the stack region corruption.

For example, if see this exception and Incorrect Stack Trace, we can see that the stack trace should have been if the the return address were not modified:

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(5a34.4bb8): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
Subcode: 0×39 FAST_FAIL_CONTROL_INVALID_RETURN_ADDRESS Shadow stack violation

0:000> k
# Child-SP RetAddr Call Site
00 000000fa`b94ffdf8 000002aa`5d420588 user32!GetMessageW+0×5c
01 000000fa`b94ffe00 000002aa`5d420588 0×000002aa`5d420588
02 000000fa`b94ffe08 00000000`00000000 0×000002aa`5d420588

0:000> r
rax=0000000000000001 rbx=000002aa5d420588 rcx=00007ff9c3d31534
rdx=0000000000000000 rsi=0000000000000000 rdi=000002aa5d420530
rip=00007ff9c3ea538c rsp=000000fab94ffdf8 rbp=000002aa5d420588
r8=000000fab94ffd98 r9=0000000000000000 r10=0000000000000000
r11=0000000000000244 r12=00007ff66b204070 r13=0000000000000000
r14=0000000000000001 r15=00000000ffffffff
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
user32!GetMessageW+0x5c:
00007ff9`c3ea538c ret

0:000> dps @rsp L1
000000fa`b94ffdf8 000002aa`5d420588

0:000> dps @ssp
000000fa`b95fefd0 00007ff9`4ae2f877 mfc140u!AfxInternalPumpMessage+0x27
000000fa`b95fefd8 00007ff9`4ae301b1 mfc140u!CWinThread::Run+0x81
000000fa`b95fefe0 00007ff9`4ae63230 mfc140u!AfxWinMain+0xc0
000000fa`b95fefe8 00007ff6`6b135742 mspaint+0xc5742
000000fa`b95feff0 00007ff9`c500257d kernel32!BaseThreadInitThunk+0x1d
000000fa`b95feff8 00007ff9`c618aa58 ntdll!RtlUserThreadStart+0x28
000000fa`b95ff000 ????????`????????
000000fa`b95ff008 ????????`????????
000000fa`b95ff010 ????????`????????
000000fa`b95ff018 ????????`????????
000000fa`b95ff020 ????????`????????
000000fa`b95ff028 ????????`????????
000000fa`b95ff030 ????????`????????
000000fa`b95ff038 ????????`????????
000000fa`b95ff040 ????????`????????
000000fa`b95ff048 ????????`????????

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This is an unmanaged code analysis pattern variant of the previously published Annotated Disassembly. In modern WinDbg (which was previously called WinDbg Preview), the Disassembly window may annotate local variables in the presence of debugging symbols (this is absent from the output of the uf WinDbg command):

; uf command output
511 00007ff6`6ab22a44 mov dword ptr [rbp+2078h],1
511 00007ff6`6ab22a4e mov dword ptr [rbp+207Ch],2
513 00007ff6`6ab22a58 mov eax,dword ptr [rbp+2078h]
513 00007ff6`6ab22a5e mov dword ptr [rbp+0Ch],eax
514 00007ff6`6ab22a61 mov dword ptr [rbp+0Ch],64h
515 00007ff6`6ab22a68 mov dword ptr [rbp+48h],3
515 00007ff6`6ab22a6f mov dword ptr [rbp+4Ch],4
516 00007ff6`6ab22a76 mov eax,dword ptr [rbp+0Ch]


; Disassembly window
00007ff6`6ab22a4e c7857c20000002000000 mov dword ptr [myDerived.field2 (rbp+207Ch)], 2
00007ff6`6ab22a58 8b8578200000 mov eax, dword ptr [myDerived{.field} (rbp+2078h)]
00007ff6`6ab22a5e 89450c mov dword ptr [myBase{.field} (rbp+Ch)], eax
00007ff6`6ab22a61 c7450c64000000 mov dword ptr [myBase{.field} (rbp+Ch)], 64h
00007ff6`6ab22a68 c7454803000000 mov dword ptr [myDerived2{.field} (rbp+48h)], 3
00007ff6`6ab22a6f c7454c04000000 mov dword ptr [myDerived2.field2 (rbp+4Ch)], 4
00007ff6`6ab22a76 8b450c mov eax, dword ptr [myBase{.field} (rbp+Ch)]


- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Sometimes, when we have debugging symbols, information about local variables may be helpful in making sense of function disassembly. For example, we have this code fragment from WinDbg uf command:

511 00007ff6`6ab22a44 mov dword ptr [rbp+2078h],1
511 00007ff6`6ab22a4e mov dword ptr [rbp+207Ch],2
513 00007ff6`6ab22a58 mov eax,dword ptr [rbp+2078h]
513 00007ff6`6ab22a5e mov dword ptr [rbp+0Ch],eax
514 00007ff6`6ab22a61 mov dword ptr [rbp+0Ch],64h
515 00007ff6`6ab22a68 mov dword ptr [rbp+48h],3
515 00007ff6`6ab22a6f mov dword ptr [rbp+4Ch],4
516 00007ff6`6ab22a76 mov eax,dword ptr [rbp+0Ch]

Although source code lines are shown, suppose we don’t have source code to match. However, we can match Address Representations, such as [rbp+xxx], from the output of dv /V WinDbg command:

0:000> dv /V
...
000000ab`740fd00c @rbp+0x000c myBase = struct wmain::__l2::Base
...
000000ab`740ff078 @rbp+0x2078 myDerived = struct wmain::__l2::Derived
...
000000ab`740fd048 @rbp+0x0048 myDerived2 = struct wmain::__l2::Derived
...

Another usage is matching values in raw stack data with local variable addresses. Values as addresses and their symbolic representations here have some connection to ADDR Symbolic and Interpreted Pointers.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Sometimes, we are interested in Exception Collection from all different memory parts and space types and using different analysis patterns, for example, for the user and managed spaces:

- Stored Exception;

- Exception Stack Traces from Stack Trace Collection from unmanaged space;

- Managed Code Exceptions from CLR Runtime Threads (~*e !pe -nested and !Threads WinDbg commands) including Nested and Mixed Exceptions;

- Recorded heap failures (!heap -s -v) and other Historical Information;

- Hidden Exceptions (unmanaged space) in Execution Residue (unmanaged user space) for all threads;

- Hidden Exceptions (managed space) in Execution Residue (managed space) for all threads.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Shared Buffer Overwrite may happen via different mechanisms. A virtual address and its underlying physical page may be used by different threads from one process, or if threads from different processes are involved, its underlying physical memory page may be shared between different processes. In the former case, we can check threads’ Execution Residue for the page virtual address range. In the latter case, for example, when we have random crashes in different processes at different virtual addresses, we can compare page frame numbers for problem virtual addresses:

0: kd> !process ffffc38c3010b0c0 0
PROCESS ffffc38c3010b0c0
SessionId: 1 Cid: 1224 Peb: 24fc30b000 ParentCid: 1284
DirBase: 0a953002 ObjectTable: ffffac8a0b2aab40 HandleCount: 184.
Image: conhost.exe

0: kd> !process ffffc38c305e8080 0
PROCESS ffffc38c305e8080
SessionId: 0 Cid: 01c8 Peb: 4acc277000 ParentCid: 0290
DirBase: 10b62b002 ObjectTable: ffffac8a081b33c0 HandleCount: 276.
Image: svchost.exe

0: kd> !pte 00007ffc`884a0000
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8 PPE at FFFFFB7DBECFFF90 PDE at FFFFFB7D9FFF2210 PTE at FFFFFB3FFE442500
contains 8A0000000485F867 contains 0A00000115063867 contains 0A00000009D64867 contains 86000001358EF025
pfn 485f ---DA--UW-V pfn 115063 ---DA--UWEV pfn 9d64 ---DA--UWEV pfn 1358ef —-A–UR-V

0: kd> .process /r /p ffffc38c3010b0c0
Implicit process is now ffffc38c`3010b0c0
Loading User Symbols
.................................

0: kd> .process /r /p ffffc38c305e8080
Implicit process is now ffffc38c`305e8080
Loading User Symbols
..................................

0: kd> !pte 00007ffc`884a0000
VA 00007ffc884a0000
PXE at FFFFFB7DBEDF67F8 PPE at FFFFFB7DBECFFF90 PDE at FFFFFB7D9FFF2210 PTE at FFFFFB3FFE442500
contains 0A00000107137867 contains 0A0000010703A867 contains 0A0000010713B867 contains 81000001358EF005
pfn 107137 ---DA--UWEV pfn 10703a ---DA--UWEV pfn 10713b ---DA--UWEV pfn 1358ef ——-UR-V

We call such an analysis pattern Shared Page.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

COM Object analysis pattern is similar to C++ Object because of the same binary compatibility (the first object member is a pointer (vptr) to a table of function pointers (vtbl):

0:003> !teb
TEB at 000000c0033d8000
ExceptionList: 0000000000000000
StackBase: 000000c003480000
StackLimit: 000000c00347a000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000000c0033d8000
EnvironmentPointer: 0000000000000000
ClientId: 00000000000012e8 . 00000000000023c8
RpcHandle: 0000000000000000
Tls Storage: 000002a0b8be97f0
PEB Address: 000000c0033d1000
LastErrorValue: 14007
LastStatusValue: c0150008
Count Owned Locks: 0
HardErrorMode: 0

0:003> dpp 000000c00347a000 000000c003480000
[...]
000000c0`0347d698 000000c0`0347d630 00000001`574f454d
000000c0`0347d6a0 000002a0`b3dc36e0 00007ffc`f5f98430 combase!CObjectContext::`vftable’
000000c0`0347d6a8 000002a0`00000000
000000c0`0347d6b0 000000c0`0347d9e8 00000000`00000000
000000c0`0347d6b8 000000c0`0347d7a0 00000000`00260001
000000c0`0347d6c0 000002a0`b8c07050 4b62055c`8a40a45d
000000c0`0347d6c8 000000c0`0347d9b0 000000c0`0347e2c0
000000c0`0347d6d0 000000c0`0347d9b0 000000c0`0347e2c0
000000c0`0347d6d8 00000000`00000010
000000c0`0347d6e0 0000eda0`2ba8550b
000000c0`0347d6e8 000002a0`b8c0cbe0 00007ffc`f5f9bae8 combase!CClientChannel::`vftable’
000000c0`0347d6f0 00000000`00000002
[…]

We have the following chain of memory addresses: 000000c0`0347d6a0 (the address of the object pointer) -> 000002a0`b3dc36e0 (the address of the object allocated from heap) -> 00007ffc`f5f98430 (vptr, the address of the first vtbl entry).

0:003> dps 00007ffc`f5f98430
00007ffc`f5f98430 00007ffc`f5dacd30 combase!CObjectContext::QueryInterface
00007ffc`f5f98438 00007ffc`f5e25120 combase!CObjectContext::AddRef
00007ffc`f5f98440 00007ffc`f5d8e990 combase!CObjectContext::Release
00007ffc`f5f98448 00007ffc`f5e769e0 combase!CObjectContext::SetProperty
00007ffc`f5f98450 00007ffc`f5ef7000 combase!CObjectContext::RemoveProperty
00007ffc`f5f98458 00007ffc`f5dffb00 combase!CObjectContext::GetProperty
00007ffc`f5f98460 00007ffc`f5ef57e0 combase!CObjectContext::EnumContextProps
00007ffc`f5f98468 00007ffc`f5e20e90 combase!CObjectContext::Freeze
00007ffc`f5f98470 00007ffc`f5ef57a0 combase!CObjectContext::DoCallback
00007ffc`f5f98478 00007ffc`f5ef7140 combase!CObjectContext::SetContextMarshaler
00007ffc`f5f98480 00007ffc`f5df7d50 combase!CObjectContext::GetContextMarshaler
00007ffc`f5f98488 00007ffc`f5ef7120 combase!CObjectContext::SetContextFlags
00007ffc`f5f98490 00007ffc`f5ef5340 combase!CObjectContext::ClearContextFlags
00007ffc`f5f98498 00007ffc`f5ef5960 combase!CObjectContext::GetContextFlags
00007ffc`f5f984a0 00007ffc`f5d8e750 combase!CObjectContext::FreezeWithApartmentSet
00007ffc`f5f984a8 00007ffc`f5d9b4c0 combase!CObjectContext::InternalContextCallback

The difference from a traditional C++ object (with virtual functions) layout is that the first 3 functions in vtbl (vftable) are QueryInterface, AddRef, and Release. In a C++ object, there can be an arbitrary number of function pointers with any corresponding symbolic names.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This is High Contention pattern variant for network communication via sockets. Stack Trace Collection or Stack Trace Set may show frames with Winsock API (ws2_32 module) or SPI (WSP prefix, mswsock module) based on these template stack trace frames:

06 000000fa`f96eaa90 00007ffb`998d3e9f mswsock!WSPSend+0x1ce
07 000000fa`f96eab90 00007ffb`8bba1062 ws2_32!send+0x197

0:000> !findstack mswsock!WSP
Thread 008, 1 frame(s) match
* 06 000000faf4a0d628 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 009, 1 frame(s) match
* 06 000000faf4b0ca78 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 015, 1 frame(s) match
* 06 000000faf976bf98 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 021, 1 frame(s) match
* 06 000000faf96eaa88 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 026, 1 frame(s) match
* 10 000000fafa1eb168 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 043, 1 frame(s) match
* 06 000000faf8eebe68 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 051, 1 frame(s) match
* 10 000000fafa66bdf8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 052, 1 frame(s) match
* 06 000000fafa6ebdb8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 058, 1 frame(s) match
* 06 000000fafa9ea908 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 059, 1 frame(s) match
* 06 000000fafaa6b0e8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 060, 1 frame(s) match
* 06 000000fafaaeb3b8 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 064, 1 frame(s) match
* 10 000000fafaceb7d8 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 069, 1 frame(s) match
* 06 000000fafaf6bfd8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 073, 1 frame(s) match
* 06 000000fafb16c798 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 074, 1 frame(s) match
* 06 000000fafb1ec2b8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 080, 1 frame(s) match
* 10 000000fafb4eaf38 00007ffb998cf857 mswsock!WSPRecv+0x2ef

Thread 081, 1 frame(s) match
* 10 000000fafb56bd98 00007ffb998d3e9f mswsock!WSPSend+0x1ce

[...]

It is always good to compare the number of such suspicious threads with a normal memory dump.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

We have parallels between various Stack Trace analysis patterns and corresponding Stack Trace Collection analysis patterns, for example, for unmanaged space. The same can be done between Rough Stack Trace and the new analysis pattern that we call Rough Stack Trace Collection, for example, for unmanaged space. In WinDbg, such a collection can be done using a similar script but with dpS command instead. In essence, it is a collection of symbolic Execution Residue from all thread stack regions. This analysis pattern may help in identification of Ubiquitous Components not visible on stack traces, and Past Stack Traces, for example, corresponding to various leaks.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

We found the number of backgroundTaskHost.exe crash dumps in our honeypot MemoryDumps folder specified in the LocalDumps WER registry setup. All of them have the same Exception Stack Trace:

0:006> kc 10
# Call Site
00 ucrtbase!invoke_watson
01 vccorlib140_app!__abi_FailFast
02 vccorlib140_app!__abi_translateCurrentException
03 Microsoft_Applications_Telemetry_Windows!DllGetActivationFactory
04 VCRUNTIME140_1_APP!_CallSettingFrame_LookupContinuationIndex
05 VCRUNTIME140_1_APP!__FrameHandler4::CxxCallCatchBlock
06 ntdll!RcConsolidateFrames
07 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: JsonFormatter::getJsonFormattedEvent
08 SurfaceApp!RHBinder__ShimExeMain
09 SurfaceApp!RHBinder__ShimExeMain
0a SurfaceApp!DllGetActivationFactory
0b SurfaceApp!DllGetActivationFactory
0c SurfaceApp!DllGetActivationFactory
0d SurfaceApp!DllGetActivationFactory
0e SurfaceApp!DllGetActivationFactory
0f SurfaceApp!DllGetActivationFactory
[...]

and the same Stored Exception:

0:006> .exr -1
ExceptionAddress: 00007ff96a66c648 (ucrtbase!invoke_watson+0x0000000000000018)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000005
Subcode: 0×5 FAST_FAIL_INVALID_ARG

0:006> !error c0000409
Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

The !analyze -v command however reports a different exception address and its context that looks like invalid memory access via NULL Pointer (Data):

STACK_TEXT:
00000060`3d8fdaa0 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: GetDefaultConfiguration+0×5932
00000060`3d8fdad0 00007ff9`25f3904e Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: GetDefaultConfiguration+0×7dde
00000060`3d8fdda0 00007ff9`25fbc385 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: JsonFormatter::getJsonFormattedEvent+0×46a25
00000060`3d8fde50 00007ff9`25fb722d Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: JsonFormatter::getJsonFormattedEvent+0×418cd
00000060`3d8fde80 00007ff8`c58bb5e5 SurfaceApp!RHBinder__ShimExeMain+0×4d0c55
00000060`3d8fdf50 00007ff8`c58e921b SurfaceApp!RHBinder__ShimExeMain+0×4fe88b
00000060`3d8fdfb0 00007ff8`c663977f SurfaceApp!DllGetActivationFactory+0×996d5f
00000060`3d8fdfe0 00007ff8`c6debbac SurfaceApp!DllGetActivationFactory+0×114918c
[…]

STACK_COMMAND: .cxr 603d8fd300 ; kb ; ** Pseudo Context ** Pseudo ** Value: 192e03234f0 ** ; kb
[…]

0:006> .cxr 603d8fd300
rax=0000000000000000 rbx=000000603d8fdb30 rcx=0000024030cb3300
rdx=0000024033346ea0 rsi=0000024030c7e910 rdi=0000024033346ea0
rip=00007ff925f36ba2 rsp=000000603d8fdaa0 rbp=000000603d8fdbd0
r8=0000000000000001 r9=0000000000000001 r10=00000fff24be7202
r11=4000000000000004 r12=0000000000000000 r13=0000024033bb2b28
r14=00000240333b9120 r15=00000240339835c8
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: GetDefaultConfiguration+0×5932:
00007ff9`25f36ba2 488b8090010000 mov rax,qword ptr [rax+190h] ds:00000000`00000190=????????????????

So we have a case of Translated Exception here. We can also find the Hidden Exception in Execution Residue:

0:006> !teb
TEB at 000000603d510000
ExceptionList: 0000000000000000
StackBase: 000000603d900000
StackLimit: 000000603d8f6000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000000603d510000
EnvironmentPointer: 0000000000000000
ClientId: 000000000000723c . 0000000000002288
RpcHandle: 0000000000000000
Tls Storage: 0000024030cfcd10
PEB Address: 000000603d503000
LastErrorValue: 0
LastStatusValue: c000007e
Count Owned Locks: 0
HardErrorMode: 0

0:006> dps 000000603d8f6000 000000603d900000
00000060`3d8f6000 00000000`00000000
00000060`3d8f6008 00000000`00000000
00000060`3d8f6010 00000000`00000000
00000060`3d8f6018 00000000`00000000
00000060`3d8f6020 00000000`00000000
00000060`3d8f6028 00000000`00000000
00000060`3d8f6030 00000000`00000000
[…]
00000060`3d8fd2d0 00000240`33bb2b28
00000060`3d8fd2d8 00000000`00000000
00000060`3d8fd2e0 00000240`33346ea0
00000060`3d8fd2e8 00000240`30c7e910
00000060`3d8fd2f0 00000060`3d8fdbd0
00000060`3d8fd2f8 00007ff9`6ce276fe ntdll!KiUserExceptionDispatch+0×2e
00000060`3d8fd300 00000000`00000000
00000060`3d8fd308 00000000`00000002
00000060`3d8fd310 00000060`3d8fdb30
00000060`3d8fd318 00000000`00000158
00000060`3d8fd320 00000000`00000002
00000060`3d8fd328 00000060`3d8fd3d9
00000060`3d8fd330 00001fa0`0010005f
00000060`3d8fd338 0053002b`002b0033
00000060`3d8fd340 00010206`002b002b
00000060`3d8fd348 00000000`00000000
00000060`3d8fd350 00000000`00000000
00000060`3d8fd358 00000000`00000000
00000060`3d8fd360 00000000`00000000
00000060`3d8fd368 00000000`00000000
00000060`3d8fd370 00000000`00000000
00000060`3d8fd378 00000000`00000000
00000060`3d8fd380 00000240`30cb3300
00000060`3d8fd388 00000240`33346ea0
00000060`3d8fd390 00000060`3d8fdb30
00000060`3d8fd398 00000060`3d8fdaa0
00000060`3d8fd3a0 00000060`3d8fdbd0
00000060`3d8fd3a8 00000240`30c7e910
00000060`3d8fd3b0 00000240`33346ea0
00000060`3d8fd3b8 00000000`00000001
00000060`3d8fd3c0 00000000`00000001
00000060`3d8fd3c8 00000fff`24be7202
00000060`3d8fd3d0 40000000`00000004
00000060`3d8fd3d8 00000000`00000000
00000060`3d8fd3e0 00000240`33bb2b28
00000060`3d8fd3e8 00000240`333b9120
00000060`3d8fd3f0 00000240`339835c8
00000060`3d8fd3f8 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: GetDefaultConfiguration+0×5932
00000060`3d8fd400 00000000`0000027f
00000060`3d8fd408 00000000`00000000
00000060`3d8fd410 00000000`00000000
00000060`3d8fd418 0000ffff`00001fa0
00000060`3d8fd420 00000000`00000000
[…]
00000060`3d8fd7e0 000001e0`000000f0
00000060`3d8fd7e8 00000000`00000000
00000060`3d8fd7f0 00000000`c0000005
00000060`3d8fd7f8 00000000`00000000
00000060`3d8fd800 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: GetDefaultConfiguration+0×5932
00000060`3d8fd808 00000000`00000002
00000060`3d8fd810 00000000`00000000
00000060`3d8fd818 00000000`00000190
00000060`3d8fd820 00000000`00000000
00000060`3d8fd828 00000000`00000000
00000060`3d8fd830 00000000`00000000
00000060`3d8fd838 00000000`00000000
00000060`3d8fd840 00000000`00000000
00000060`3d8fd848 00000000`00000000
[…]

0:006> .cxr 00000060`3d8fd300
[...]

0:006> k 3
# Child-SP RetAddr Call Site
00 00000060`3d8fdaa0 00007ff9`25f3904e Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: GetDefaultConfiguration+0×5932
01 00000060`3d8fdad0 00007ff9`25fbc385 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: GetDefaultConfiguration+0×7dde
02 00000060`3d8fdda0 00007ff9`25fb722d Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: JsonFormatter::getJsonFormattedEvent+0×46a25

We see that Microsoft_Applications_Telemetry_Windows is Exception Module. We may think that it is related to JSON telemetry data based on Stack Trace Motif but getJsonFormattedEvent function offset is too large for a real function. So we have here Coincidental Symbolic Information of exported function due to No Component Symbols.

0:006> lm m Microsoft_Applications_Telemetry_Windows
Browse full module list
start end module name
00007ff9`25f10000 00007ff9`260f8000 Microsoft_Applications_Telemetry_Windows C (export symbols) Microsoft.Applications.Telemetry.Windows.dll

0:006> uf Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: JsonFormatter::getJsonFormattedEvent
Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events:: JsonFormatter::getJsonFormattedEvent:
00007ff9`25f75960 48895c2408 mov qword ptr [rsp+8],rbx
00007ff9`25f75965 55 push rbp
00007ff9`25f75966 56 push rsi
00007ff9`25f75967 57 push rdi
00007ff9`25f75968 4154 push r12
00007ff9`25f7596a 4155 push r13
00007ff9`25f7596c 4156 push r14
00007ff9`25f7596e 4157 push r15
[…]
00007ff9`25f767df 4881c420010000 add rsp,120h
00007ff9`25f767e6 415f pop r15
00007ff9`25f767e8 415e pop r14
00007ff9`25f767ea 415d pop r13
00007ff9`25f767ec 415c pop r12
00007ff9`25f767ee 5f pop rdi
00007ff9`25f767ef 5e pop rsi
00007ff9`25f767f0 5d pop rbp
00007ff9`25f767f1 c3 ret

0:006> ? 00007ff9`25f767f1 - 00007ff9`25f75960
Evaluate expression: 3729 = 00000000`00000e91

We see that the function size is rather small compared to the offset value. This also “explains” that we don’t see any pointers to possible JSON strings in raw stack region data (dpa and dpu WinDbg commands) and if we do memory search there (s-sa and s-su commands).

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Black Box analysis pattern generalizes from the undocumented WinDbg commands !blackbox* to external system information included in process memory dump files which is accessible via .dumpdebug command.

2: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132804247587428354
PnpEventInformation: 3
PnpEventInProgress : 0
PnpProblemCode : 24
PnpVetoType : 0
DeviceId : SW\{96E080C7-143C-11D1-B40F-00A0C9223196}\{3C0D501A-140B-11D1-B40F-00A0C9223196}
VetoString

Searching the registry we can find that it corresponds to “@ksfilter.inf,%mskssrv.devicedesc%;Microsoft Streaming Service Proxy”. Such commands may be used in conjunction with Historical Information (such as unloaded modules) and Execution Residue analysis patterns to check the last activities.

Other commands include !blackboxbsd and !blackboxntfs.

In process memory dump we may see information from a system the dump came from:

0:000> .dumpdebug
[...]
Stream 10: type SystemMemoryInfoStream (21), size 000001EC, RVA 00002288
Revision : 1
Flags : 0xf
BasicInfo
TimerResolution : 156,250
PageSize : 0x1000
NumberOfPhysicalPages : 4,173,065
LowestPhysicalPageNumber : 0x1
HighestPhysicalPageNumber : 0x46f7ff
AllocationGranularity : 0x10000
MinimumUserModeAddress : 0x10000
MaximumUserModeAddress : 0x7ffffffeffff
ActiveProcessorsAffinityMask : 0xff
NumberOfProcessors : 8
FileCacheInfo
CurrentSize : 514,248,704
PeakSize : 661,852,160
PageFaultCount : 19,464,228
MinimumWorkingSet : 0x100
MaximumWorkingSet : 0x100000000
CurrentSizeIncludingTransitionInPages : 1,327,191
PeakSizeIncludingTransitionInPages : 2,152,355
TransitionRePurposeCount : 8,923,412
Flags : 0
BasicPerfInfo
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
PerfInfo
IdleProcessTime : 8,086,699,531,250
IoReadTransferCount : 97,860,850,993
IoWriteTransferCount : 55,567,419,561
IoOtherTransferCount : 9,725,039,400
IoReadOperationCount : 55,137,206
IoWriteOperationCount : 39,605,057
IoOtherOperationCount : 82,693,846
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
CommitLimit : 6,396,880
PageFaultCount : 485,407,430
CopyOnWriteCount : 4,789,295
TransitionCount : 203,364,433
CacheTransitionCount : 0
DemandZeroCount : 275,205,178
PageReadCount : 9,363,018
PageReadIoCount : 1,641,521
CacheReadCount : 0
CacheIoCount : 0
DirtyPagesWriteCount : 295,086
DirtyWriteIoCount : 1,186
MappedPagesWriteCount : 425,398
MappedWriteIoCount : 5,656
PagedPoolPages : 231,590
NonPagedPoolPages : 155,982
PagedPoolAllocs : 0
PagedPoolFrees : 0
NonPagedPoolAllocs : 0
NonPagedPoolFrees : 0
FreeSystemPtes : 16,697,739
ResidentSystemCodePage : 4,175
TotalSystemDriverPages : 15,235
TotalSystemCodePages : 2
NonPagedPoolLookasideHits : 0
PagedPoolLookasideHits : 0
AvailablePagedPoolPages : 12,670,812
ResidentSystemCachePage : 125,549
ResidentPagedPoolPage : 220,095
ResidentSystemDriverPage : 13,012
CcFastReadNoWait : 0
CcFastReadWait : 13,492,886
CcFastReadResourceMiss : 0
CcFastReadNotPossible : 326,025
CcFastMdlReadNoWait : 0
CcFastMdlReadWait : 0
CcFastMdlReadResourceMiss : 0
CcFastMdlReadNotPossible : 0
CcMapDataNoWait : 0
CcMapDataWait : 77,200,777
CcMapDataNoWaitMiss : 0
CcMapDataWaitMiss : 391,734
CcPinMappedDataCount : 13,827,443
CcPinReadNoWait : 2,442
CcPinReadWait : 7,295,776
CcPinReadNoWaitMiss : 1,842,225
CcPinReadWaitMiss : 104,160
CcCopyReadNoWait : 720,327
CcCopyReadWait : 14,332,510
CcCopyReadNoWaitMiss : 73,632
CcCopyReadWaitMiss : 828,820
CcMdlReadNoWait : 0
CcMdlReadWait : 7,430
CcMdlReadNoWaitMiss : 0
CcMdlReadWaitMiss : 0
CcReadAheadIos : 1,577,774
CcLazyWriteIos : 737,095
CcLazyWritePages : 4,455,123
CcDataFlushes : 1,687,345
CcDataPages : 9,178,586
ContextSwitches : 690,599,392
FirstLevelTbFills : 0
SecondLevelTbFills : 0
SystemCalls : 2,382,592,584
CcTotalDirtyPages : 25,337
CcDirtyPageThreshold : 187,360
ResidentAvailablePages : 3,502,801
SharedCommittedPages : 693,491
Stream 11: type ProcessVmCountersStream (22), size 00000098, RVA 00002474
Revision : 2
Process Counters
PageFaultCount : 216,205
PeakWorkingSetSize : 0xdaa6000
WorkingSetSize : 0x160f000
QuotaPeakPagedPoolUsage : 0xfa0f8
QuotaPagedPoolUsage : 0xe8e88
QuotaPeakNonPagedPoolUsage : 0x22258
QuotaNonPagedPoolUsage : 0x180d8
PagefileUsage : 0xe6c000
PeakPagefileUsage : 0xcd67000
PeakVirtualSize : 0x201162a5000
VirtualSize : 0x20111ade000
PrivateUsage : 0xe6c000
PrivateWorkingSetSize : 0xb000
SharedCommitUsage : 0x1f2000
Job Counters
JobSharedCommitUsage : 0x72c000
JobPrivateCommitUsage : 0x71bc9000
JobPeakPrivateCommitUsage : 0x861ac000
JobPrivateCommitLimit : 0
JobTotalCommitLimit : 0
[...]

Other memory acquisition tools may write additional information in memory dump files. The difference between this analysis pattern and Paratext is that the latter involves additional files.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -