Trace Analysis Patterns (Part 225)

February 18th, 2023

Trace Nerve is a Thread of Activity or Adjoint Thread of Activity that runs through all Activity Regions. An example is illustrated in the following diagram:

Of course, depending on trace or log, there can be several Trace Nerves. This analysis pattern was inspired by nerve complexes in topology.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 224)

February 18th, 2023

Looking at software traces and logs as 2-categories allows us to consider Whisker Traces (horizontal composition) in addition to vertical composition such as Serial Traces, Trace Mask, and Container Traces. The same ATIDs can be combined, and if there is a time mismatch, additional message copies need to be added (whiskering). The process is illustrated in the following diagram:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 223)

February 17th, 2023

Trace embedding usually happens when some external tracing or logging framework or library is used. A trace message then becomes part of an outer trace message, which may have its own uniform Trace Schema. In this respect, the Embedded Trace analysis pattern differs from Container Trace, where outer Trace Schemas may be different.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 222)

February 11th, 2023

Trace Windows, the obvious analysis pattern that was always implicit, is added now because of the proliferation of stream processing. However, it captures not only horizontal windows but also vertical ones, similar to subspaces if we consider messages as vectors. Both types of windows can be combined. This is illustrated in the following diagram:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 221)

February 8th, 2023

There’s some kind of duality between trace data and activity. For example, trace data corresponds to CoData (CoTrace, CoLog), the analysis activity. On the other hand, Regions of Activity (and various Activity-related patterns such as Thread of Activity) may contain data that itself may point to some activity (not necessarily the same one), CoActivity. For example, some keyboard-related message data may contain values of passwords. This analysis pattern is illustrated schematically in the following diagram:

CoActivity is different from Data Flow, where the same or modified value is passed from one message to another, not necessarily inside the same activity.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 220)

February 7th, 2023

For any Message Complex, we can choose the corresponding Tracemes and assign them to points. If we keep ourselves only to line segments, we call these arrangements Trace Molecules. One example is illustrated in the following diagram:

This molecular approach was inspired by semic molecules in semic analysis. On the other hand, ultimately, the whole trace is one giant molecule similar to the traces and logs as proteins metaphor. This approach differs from the earlier artificial chemistry approach to trace and log analysis where molecules are patterns.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 219)

February 6th, 2023

Consider the following trace message:

object: 0x77F468AB100 ref: 2

It contains several Tracemes, the smallest units of tracing (trace meaning, by analogy with semes), corresponding to Message Invariants and their data: object memory address and reference count. However, they are structurally higher in the semantic hierarchy when compared with sememes. Traceme is pronounced /tɹeɪˈsiːm/ and can also be interpreted as “trace me”.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 218)

February 5th, 2023

Message Complex takes inspiration from simplicial complexes. We select a message, choose TID or ATID, and connect to the nearest messages having the same TID or ATID. This procedure can be repeated for newly connected messages. Then we select another ATID and repeat the procedure. Three connected messages with the same ATID may form a triangle and may also intersect another triangle with a different ATID if they share the same message. A very simple example is illustrated in the following diagram:

Message Complex is more structural and geometric compared to Message Context, which is just a set of surrounding messages selected by some relationship criteria regardless of their TID or ATID.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 217)

February 4th, 2023

(Adjoint) Threads of Activity can be interpreted as braids (multibraiding). This braid analogy assumes that all (adjoint) threads implicitly start and end outside of the trace boundaries. However, some (adjoint) threads may start after tracing begins or end before tracing finishes. Such modified braids are called braidoids. There can be several braidoids per trace based on the chosen (A)TIDs. We call this analysis pattern Trace Braidoids; one, based on TID, is illustrated in the following diagram:

We added arc crossings when a different TID becomes current. Please also compare these crossings with other analysis patterns such as Braid Group and Braid of Activity.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 216)

February 2nd, 2023

Message data may point to other messages in the same trace (see the example of Linked Messages) or in another trace (see the Data Selector example). But similar data in other messages may not point to any other messages in the same or other, perhaps Truncated, traces and logs collected at the same time, similar to invalid pointers, for example, kernel addresses in process memory dumps or user space addresses in kernel memory dumps. We call this analysis pattern Null Reference (also notice the analogy with foreign key values in data tables, where Null is not a value). Another analogy here is referential failure. This is illustrated in the following diagram adapted from the Linked Messages analysis pattern diagram.

This analysis pattern is different from Missing Data where the reference is itself missing.

These Null References can be remediated by longer supplemental traces, Fiber Bundle, and Adjoint Spaces.
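To make the distinction between Linked Messages, Null Reference and Missing Data concrete, here is an added Python example (not part of the original post) that resolves message references across two constructed traces, one of them Truncated, and then shows the remediation by a longer supplemental trace. The message format, the ref= field and the list of message kinds expected to carry a reference are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Two constructed traces collected at the same time. Each message starts with
# an id; some messages also carry a ref= field meant to point to another
# message id (Linked Messages within a trace, Data Selector across traces).
# The format and the field names are assumptions made for this example.
TRACE_A = """\
A:0001 tid=4 alloc handle=h1
A:0002 tid=4 send msg ref=A:0001
A:0003 tid=7 recv msg ref=B:0010
A:0004 tid=7 close handle ref=B:0099
A:0005 tid=4 exit
A:0006 tid=7 recv msg
"""

# Trace B is Truncated: it ends before the message B:0099 referenced above was written.
TRACE_B = """\
B:0010 tid=2 dispatch ref=A:0002
B:0011 tid=2 done
"""

# A longer supplemental trace B that does contain the missing message.
SUPPLEMENT_B = "B:0099 tid=2 free handle\n"

MSG_RE = re.compile(r"^(?P<id>[A-Z]:\d{4}) (?P<body>.*)$")
REF_RE = re.compile(r"\bref=(?P<target>[A-Z]:\d{4})\b")

# Message kinds expected to carry a reference (an assumption for this example).
EXPECT_REF = {"send", "recv", "close", "dispatch"}


@dataclass
class Message:
    id: str
    body: str
    ref: Optional[str]  # None when the message carries no ref= field at all


def parse_trace(text):
    """Parse one trace into Message objects; lines that do not match the format are skipped."""
    messages = []
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        r = REF_RE.search(m.group("body"))
        messages.append(Message(m.group("id"), m.group("body"), r.group("target") if r else None))
    return messages


def classify_references(*traces):
    """Return {message id: category} over all traces taken together.

    linked          ref= resolves to a message in the same or another trace
    null_reference  ref= is present but its target exists in no collected trace
    missing_data    a message kind that should carry ref= has no reference at all
    no_reference    the message carries no reference and is not expected to
    """
    known = {m.id for trace in traces for m in trace}
    result = {}
    for trace in traces:
        for m in trace:
            kind = m.body.split()[1]  # "tid=7 recv msg ref=B:0010" -> "recv"
            if m.ref is not None:
                result[m.id] = "linked" if m.ref in known else "null_reference"
            elif kind in EXPECT_REF:
                result[m.id] = "missing_data"
            else:
                result[m.id] = "no_reference"
    return result


def null_references(*traces):
    """Ids of messages whose reference data points nowhere: the Null Reference pattern."""
    return sorted(i for i, c in classify_references(*traces).items() if c == "null_reference")


if __name__ == "__main__":
    a, b = parse_trace(TRACE_A), parse_trace(TRACE_B)
    print(classify_references(a, b))
    print("null references:", null_references(a, b))
    # With the longer supplemental trace the null reference is remediated.
    print("after supplement:", null_references(a, parse_trace(TRACE_B + SUPPLEMENT_B)))
```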

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 215)

February 1st, 2023

When we disregard the length of message blocks having the same attribute (ATID), we get Quotient Trace. But when we disregard the content of these message blocks (and replace each message with the same “empty” non-Silent Message) but preserve their length, we get Trace Skeleton.

Different Trace Shapes may have different Trace Skeletons but we can generate similar shapes from one skeleton.

We can also apply a music metaphor and consider it as Trace Rhythm:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 282)

November 27th, 2022

COM Object analysis pattern is similar to C++ Object because of the same binary compatibility (the first object member is a pointer (vptr) to a table of function pointers (vtbl)):

0:003> !teb
TEB at 000000c0033d8000
ExceptionList: 0000000000000000
StackBase: 000000c003480000
StackLimit: 000000c00347a000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000000c0033d8000
EnvironmentPointer: 0000000000000000
ClientId: 00000000000012e8 . 00000000000023c8
RpcHandle: 0000000000000000
Tls Storage: 000002a0b8be97f0
PEB Address: 000000c0033d1000
LastErrorValue: 14007
LastStatusValue: c0150008
Count Owned Locks: 0
HardErrorMode: 0

0:003> dpp 000000c00347a000 000000c003480000
[...]
000000c0`0347d698 000000c0`0347d630 00000001`574f454d
000000c0`0347d6a0 000002a0`b3dc36e0 00007ffc`f5f98430 combase!CObjectContext::`vftable'
000000c0`0347d6a8 000002a0`00000000
000000c0`0347d6b0 000000c0`0347d9e8 00000000`00000000
000000c0`0347d6b8 000000c0`0347d7a0 00000000`00260001
000000c0`0347d6c0 000002a0`b8c07050 4b62055c`8a40a45d
000000c0`0347d6c8 000000c0`0347d9b0 000000c0`0347e2c0
000000c0`0347d6d0 000000c0`0347d9b0 000000c0`0347e2c0
000000c0`0347d6d8 00000000`00000010
000000c0`0347d6e0 0000eda0`2ba8550b
000000c0`0347d6e8 000002a0`b8c0cbe0 00007ffc`f5f9bae8 combase!CClientChannel::`vftable'
000000c0`0347d6f0 00000000`00000002
[…]

We have the following chain of memory addresses: 000000c0`0347d6a0 (the address of the object pointer) -> 000002a0`b3dc36e0 (the address of the object allocated from heap) -> 00007ffc`f5f98430 (vptr, the address of the first vtbl entry).

0:003> dps 00007ffc`f5f98430
00007ffc`f5f98430 00007ffc`f5dacd30 combase!CObjectContext::QueryInterface
00007ffc`f5f98438 00007ffc`f5e25120 combase!CObjectContext::AddRef
00007ffc`f5f98440 00007ffc`f5d8e990 combase!CObjectContext::Release
00007ffc`f5f98448 00007ffc`f5e769e0 combase!CObjectContext::SetProperty
00007ffc`f5f98450 00007ffc`f5ef7000 combase!CObjectContext::RemoveProperty
00007ffc`f5f98458 00007ffc`f5dffb00 combase!CObjectContext::GetProperty
00007ffc`f5f98460 00007ffc`f5ef57e0 combase!CObjectContext::EnumContextProps
00007ffc`f5f98468 00007ffc`f5e20e90 combase!CObjectContext::Freeze
00007ffc`f5f98470 00007ffc`f5ef57a0 combase!CObjectContext::DoCallback
00007ffc`f5f98478 00007ffc`f5ef7140 combase!CObjectContext::SetContextMarshaler
00007ffc`f5f98480 00007ffc`f5df7d50 combase!CObjectContext::GetContextMarshaler
00007ffc`f5f98488 00007ffc`f5ef7120 combase!CObjectContext::SetContextFlags
00007ffc`f5f98490 00007ffc`f5ef5340 combase!CObjectContext::ClearContextFlags
00007ffc`f5f98498 00007ffc`f5ef5960 combase!CObjectContext::GetContextFlags
00007ffc`f5f984a0 00007ffc`f5d8e750 combase!CObjectContext::FreezeWithApartmentSet
00007ffc`f5f984a8 00007ffc`f5d9b4c0 combase!CObjectContext::InternalContextCallback

The difference from a traditional C++ object (with virtual functions) layout is that the first 3 functions in vtbl (vftable) are QueryInterface, AddRef, and Release. In a C++ object, there can be an arbitrary number of function pointers with any corresponding symbolic names.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 29f)

November 27th, 2022

This is a High Contention pattern variant for network communication via sockets. Stack Trace Collection or Stack Trace Set may show frames with Winsock API (ws2_32 module) or SPI (WSP prefix, mswsock module) based on these template stack trace frames:

06 000000fa`f96eaa90 00007ffb`998d3e9f mswsock!WSPSend+0x1ce
07 000000fa`f96eab90 00007ffb`8bba1062 ws2_32!send+0x197

0:000> !findstack mswsock!WSP
Thread 008, 1 frame(s) match
* 06 000000faf4a0d628 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 009, 1 frame(s) match
* 06 000000faf4b0ca78 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 015, 1 frame(s) match
* 06 000000faf976bf98 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 021, 1 frame(s) match
* 06 000000faf96eaa88 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 026, 1 frame(s) match
* 10 000000fafa1eb168 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 043, 1 frame(s) match
* 06 000000faf8eebe68 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 051, 1 frame(s) match
* 10 000000fafa66bdf8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 052, 1 frame(s) match
* 06 000000fafa6ebdb8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 058, 1 frame(s) match
* 06 000000fafa9ea908 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 059, 1 frame(s) match
* 06 000000fafaa6b0e8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 060, 1 frame(s) match
* 06 000000fafaaeb3b8 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 064, 1 frame(s) match
* 10 000000fafaceb7d8 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 069, 1 frame(s) match
* 06 000000fafaf6bfd8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 073, 1 frame(s) match
* 06 000000fafb16c798 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 074, 1 frame(s) match
* 06 000000fafb1ec2b8 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 080, 1 frame(s) match
* 10 000000fafb4eaf38 00007ffb998cf857 mswsock!WSPRecv+0x2ef

Thread 081, 1 frame(s) match
* 10 000000fafb56bd98 00007ffb998d3e9f mswsock!WSPSend+0x1ce

[...]

It is always good to compare the number of such suspicious threads with a normal memory dump.
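One way to make that comparison with a normal dump mechanical, as an added Python example that is not part of the original post: it parses !findstack output from the problem dump and from a baseline dump, counts distinct threads per matched mswsock!WSP* function, and reports the functions whose blocked-thread count grew. Both excerpts below are constructed in the same form as the output above.

```python
import re
from collections import Counter

# Problem dump: a constructed excerpt in the form of the !findstack output above.
PROBLEM = """\
0:000> !findstack mswsock!WSP
Thread 008, 1 frame(s) match
* 06 000000faf4a0d628 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 015, 1 frame(s) match
* 06 000000faf976bf98 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 021, 1 frame(s) match
* 06 000000faf96eaa88 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 043, 1 frame(s) match
* 06 000000faf8eebe68 00007ffb998d3e9f mswsock!WSPSend+0x1ce

Thread 080, 1 frame(s) match
* 10 000000fafb4eaf38 00007ffb998cf857 mswsock!WSPRecv+0x2ef
"""

# Baseline dump of the same application under normal load (constructed).
BASELINE = """\
0:000> !findstack mswsock!WSP
Thread 008, 1 frame(s) match
* 06 000000faf4a0d628 00007ffb998cffd3 mswsock!WSPSelect+0x4fa

Thread 080, 1 frame(s) match
* 10 000000fafb4eaf38 00007ffb998cf857 mswsock!WSPRecv+0x2ef
"""

THREAD_RE = re.compile(r"^Thread (?P<tid>\d+), \d+ frame\(s\) match$")
# "* 06 <child-sp> <ret-addr> module!Function+0xoffset"
FRAME_RE = re.compile(r"^\* [0-9a-f]+ [0-9a-f]+ [0-9a-f]+ (?P<sym>[\w!:.]+)\+0x[0-9a-f]+$")


def threads_per_function(findstack_output):
    """Map each matched function (e.g. mswsock!WSPSend) to the set of thread numbers found in it.

    A set is used so that a thread matching the same function in several frames counts once.
    """
    per_function = {}
    current = None
    for line in findstack_output.splitlines():
        t = THREAD_RE.match(line)
        if t:
            current = t.group("tid")
            continue
        f = FRAME_RE.match(line)
        if f and current is not None:
            per_function.setdefault(f.group("sym"), set()).add(current)
    return per_function


def contention_delta(problem, baseline):
    """(function, growth) pairs, largest growth in blocked threads over the baseline first."""
    p = Counter({k: len(v) for k, v in threads_per_function(problem).items()})
    b = Counter({k: len(v) for k, v in threads_per_function(baseline).items()})
    delta = {k: p[k] - b[k] for k in set(p) | set(b)}
    return sorted(delta.items(), key=lambda kv: -kv[1])


def suspicious(problem, baseline, min_growth=2):
    """High Contention candidates: functions whose blocked-thread count grew by at least min_growth."""
    return [fn for fn, d in contention_delta(problem, baseline) if d >= min_growth]


if __name__ == "__main__":
    for fn, d in contention_delta(PROBLEM, BASELINE):
        print(f"{fn:24} {d:+d} threads vs baseline")
    print("suspicious:", suspicious(PROBLEM, BASELINE))
```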

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 214)

November 9th, 2022

Sometimes we want to collapse messages into one message while preserving content, for example, for grep. We call such an analysis pattern Collapsed Message (by analogy with collapsing an internal directed graph edge, or edge contraction). Several consecutive messages having the same attribute, for example Thread of Activity for Exception Stack Trace, may be collapsed into one longer trace message. This is a simple case of Quotient Trace without compression or transform. And this is different from Motivic Trace, which doesn’t preserve message content.
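Collapsed Message, and the Quotient Trace and Trace Skeleton from Part 215 above, differ only in what each transform keeps from a run of same-attribute messages, which is easiest to see side by side. This is an added Python example, not code from the original posts; the line format and the ATID field are assumptions, and the two sample traces are constructed so that they have different content but the same shape.

```python
import re
from itertools import groupby

# Constructed sample trace: timestamp, attribute (here a thread id used as the
# ATID), then the message text. The line format is an assumption.
SAMPLE = """\
0001 tid=4 Request started
0002 tid=4 Parsing headers
0003 tid=4 Headers ok
0004 tid=9 Exception: invalid handle
0005 tid=9 at Foo.Bar()
0006 tid=9 at Foo.Main()
0007 tid=4 Response sent
"""

# Different content, same block structure (constructed).
SAMPLE2 = """\
0101 tid=4 Connect
0102 tid=4 Auth start
0103 tid=4 Auth ok
0104 tid=9 Exception: timeout
0105 tid=9 at Net.Wait()
0106 tid=9 at Net.Run()
0107 tid=4 Disconnect
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}) (?P<atid>\S+) (?P<text>.*)$")


def parse(text):
    """Return a list of (timestamp, atid, message) tuples; unmatched lines are dropped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("ts"), m.group("atid"), m.group("text")))
    return out


def blocks(messages):
    """Split a trace into maximal runs of consecutive messages with the same ATID."""
    return [(atid, list(run)) for atid, run in groupby(messages, key=lambda m: m[1])]


def collapsed_messages(messages):
    """Collapsed Message: each run becomes ONE message that keeps all of its content.

    Useful for grep: a whole Exception Stack Trace becomes a single line.
    """
    return [(run[0][0], atid, " | ".join(m[2] for m in run)) for atid, run in blocks(messages)]


def quotient_trace(messages):
    """Quotient Trace: only the sequence of run attributes survives; run length is discarded."""
    return [atid for atid, _ in blocks(messages)]


def trace_skeleton(messages, empty=""):
    """Trace Skeleton: every run keeps its length, but each message is replaced by the
    same 'empty' non-Silent message, so content is gone and only the shape remains."""
    return [(atid, [empty] * len(run)) for atid, run in blocks(messages)]


def trace_rhythm(messages):
    """The music metaphor from Part 215: the skeleton written as run lengths only."""
    return [len(run) for _, run in blocks(messages)]


if __name__ == "__main__":
    msgs = parse(SAMPLE)
    print("collapsed:", collapsed_messages(msgs))
    print("quotient: ", quotient_trace(msgs))
    print("skeleton: ", trace_skeleton(msgs))
    print("rhythm:   ", trace_rhythm(msgs))
    print("same skeleton as SAMPLE2:", trace_skeleton(msgs) == trace_skeleton(parse(SAMPLE2)))
```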

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 281)

June 8th, 2022

We have parallels between various Stack Trace analysis patterns and the corresponding Stack Trace Collection analysis patterns, for example, for unmanaged space. The same can be done between Rough Stack Trace and the new analysis pattern that we call Rough Stack Trace Collection. In WinDbg, such a collection can be done using a similar script but with the dpS command instead. In essence, it is a collection of symbolic Execution Residue from all thread stack regions. This analysis pattern may help in the identification of Ubiquitous Components not visible on stack traces, and of Past Stack Traces, for example, corresponding to various leaks.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Exception Stack Trace, Stored Exception, Translated Exception, Execution Residue, Hidden Exception, NULL Pointer, Exception Module, Stack Trace Motif, No Component Symbols, and Coincidental Symbolic Information: pattern cooperation

March 12th, 2022

We found a number of backgroundTaskHost.exe crash dumps in our honeypot MemoryDumps folder specified in the LocalDumps WER registry setup. All of them have the same Exception Stack Trace:

0:006> kc 10
# Call Site
00 ucrtbase!invoke_watson
01 vccorlib140_app!__abi_FailFast
02 vccorlib140_app!__abi_translateCurrentException
03 Microsoft_Applications_Telemetry_Windows!DllGetActivationFactory
04 VCRUNTIME140_1_APP!_CallSettingFrame_LookupContinuationIndex
05 VCRUNTIME140_1_APP!__FrameHandler4::CxxCallCatchBlock
06 ntdll!RcConsolidateFrames
07 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent
08 SurfaceApp!RHBinder__ShimExeMain
09 SurfaceApp!RHBinder__ShimExeMain
0a SurfaceApp!DllGetActivationFactory
0b SurfaceApp!DllGetActivationFactory
0c SurfaceApp!DllGetActivationFactory
0d SurfaceApp!DllGetActivationFactory
0e SurfaceApp!DllGetActivationFactory
0f SurfaceApp!DllGetActivationFactory
[...]

and the same Stored Exception:

0:006> .exr -1
ExceptionAddress: 00007ff96a66c648 (ucrtbase!invoke_watson+0x0000000000000018)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000005
Subcode: 0x5 FAST_FAIL_INVALID_ARG

0:006> !error c0000409
Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

The !analyze -v command however reports a different exception address and its context that looks like invalid memory access via NULL Pointer (Data):

STACK_TEXT:
00000060`3d8fdaa0 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
00000060`3d8fdad0 00007ff9`25f3904e Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x7dde
00000060`3d8fdda0 00007ff9`25fbc385 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent+0x46a25
00000060`3d8fde50 00007ff9`25fb722d Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent+0x418cd
00000060`3d8fde80 00007ff8`c58bb5e5 SurfaceApp!RHBinder__ShimExeMain+0x4d0c55
00000060`3d8fdf50 00007ff8`c58e921b SurfaceApp!RHBinder__ShimExeMain+0x4fe88b
00000060`3d8fdfb0 00007ff8`c663977f SurfaceApp!DllGetActivationFactory+0x996d5f
00000060`3d8fdfe0 00007ff8`c6debbac SurfaceApp!DllGetActivationFactory+0x114918c
[…]

STACK_COMMAND: .cxr 603d8fd300 ; kb ; ** Pseudo Context ** Pseudo ** Value: 192e03234f0 ** ; kb
[…]

0:006> .cxr 603d8fd300
rax=0000000000000000 rbx=000000603d8fdb30 rcx=0000024030cb3300
rdx=0000024033346ea0 rsi=0000024030c7e910 rdi=0000024033346ea0
rip=00007ff925f36ba2 rsp=000000603d8fdaa0 rbp=000000603d8fdbd0
r8=0000000000000001 r9=0000000000000001 r10=00000fff24be7202
r11=4000000000000004 r12=0000000000000000 r13=0000024033bb2b28
r14=00000240333b9120 r15=00000240339835c8
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932:
00007ff9`25f36ba2 488b8090010000 mov rax,qword ptr [rax+190h] ds:00000000`00000190=????????????????

So we have a case of Translated Exception here. We can also find the Hidden Exception in Execution Residue:

0:006> !teb
TEB at 000000603d510000
ExceptionList: 0000000000000000
StackBase: 000000603d900000
StackLimit: 000000603d8f6000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000000603d510000
EnvironmentPointer: 0000000000000000
ClientId: 000000000000723c . 0000000000002288
RpcHandle: 0000000000000000
Tls Storage: 0000024030cfcd10
PEB Address: 000000603d503000
LastErrorValue: 0
LastStatusValue: c000007e
Count Owned Locks: 0
HardErrorMode: 0

0:006> dps 000000603d8f6000 000000603d900000
00000060`3d8f6000 00000000`00000000
00000060`3d8f6008 00000000`00000000
00000060`3d8f6010 00000000`00000000
00000060`3d8f6018 00000000`00000000
00000060`3d8f6020 00000000`00000000
00000060`3d8f6028 00000000`00000000
00000060`3d8f6030 00000000`00000000
[…]
00000060`3d8fd2d0 00000240`33bb2b28
00000060`3d8fd2d8 00000000`00000000
00000060`3d8fd2e0 00000240`33346ea0
00000060`3d8fd2e8 00000240`30c7e910
00000060`3d8fd2f0 00000060`3d8fdbd0
00000060`3d8fd2f8 00007ff9`6ce276fe ntdll!KiUserExceptionDispatch+0x2e
00000060`3d8fd300 00000000`00000000
00000060`3d8fd308 00000000`00000002
00000060`3d8fd310 00000060`3d8fdb30
00000060`3d8fd318 00000000`00000158
00000060`3d8fd320 00000000`00000002
00000060`3d8fd328 00000060`3d8fd3d9
00000060`3d8fd330 00001fa0`0010005f
00000060`3d8fd338 0053002b`002b0033
00000060`3d8fd340 00010206`002b002b
00000060`3d8fd348 00000000`00000000
00000060`3d8fd350 00000000`00000000
00000060`3d8fd358 00000000`00000000
00000060`3d8fd360 00000000`00000000
00000060`3d8fd368 00000000`00000000
00000060`3d8fd370 00000000`00000000
00000060`3d8fd378 00000000`00000000
00000060`3d8fd380 00000240`30cb3300
00000060`3d8fd388 00000240`33346ea0
00000060`3d8fd390 00000060`3d8fdb30
00000060`3d8fd398 00000060`3d8fdaa0
00000060`3d8fd3a0 00000060`3d8fdbd0
00000060`3d8fd3a8 00000240`30c7e910
00000060`3d8fd3b0 00000240`33346ea0
00000060`3d8fd3b8 00000000`00000001
00000060`3d8fd3c0 00000000`00000001
00000060`3d8fd3c8 00000fff`24be7202
00000060`3d8fd3d0 40000000`00000004
00000060`3d8fd3d8 00000000`00000000
00000060`3d8fd3e0 00000240`33bb2b28
00000060`3d8fd3e8 00000240`333b9120
00000060`3d8fd3f0 00000240`339835c8
00000060`3d8fd3f8 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
00000060`3d8fd400 00000000`0000027f
00000060`3d8fd408 00000000`00000000
00000060`3d8fd410 00000000`00000000
00000060`3d8fd418 0000ffff`00001fa0
00000060`3d8fd420 00000000`00000000
[…]
00000060`3d8fd7e0 000001e0`000000f0
00000060`3d8fd7e8 00000000`00000000
00000060`3d8fd7f0 00000000`c0000005
00000060`3d8fd7f8 00000000`00000000
00000060`3d8fd800 00007ff9`25f36ba2 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
00000060`3d8fd808 00000000`00000002
00000060`3d8fd810 00000000`00000000
00000060`3d8fd818 00000000`00000190
00000060`3d8fd820 00000000`00000000
00000060`3d8fd828 00000000`00000000
00000060`3d8fd830 00000000`00000000
00000060`3d8fd838 00000000`00000000
00000060`3d8fd840 00000000`00000000
00000060`3d8fd848 00000000`00000000
[…]

0:006> .cxr 00000060`3d8fd300
[...]

0:006> k 3
# Child-SP RetAddr Call Site
00 00000060`3d8fdaa0 00007ff9`25f3904e Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x5932
01 00000060`3d8fdad0 00007ff9`25fbc385 Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::GetDefaultConfiguration+0x7dde
02 00000060`3d8fdda0 00007ff9`25fb722d Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent+0x46a25

We see that Microsoft_Applications_Telemetry_Windows is the Exception Module. We may think that it is related to JSON telemetry data based on Stack Trace Motif, but the getJsonFormattedEvent function offset is too large for a real function. So we have here Coincidental Symbolic Information of an exported function due to No Component Symbols.

0:006> lm m Microsoft_Applications_Telemetry_Windows
Browse full module list
start end module name
00007ff9`25f10000 00007ff9`260f8000 Microsoft_Applications_Telemetry_Windows C (export symbols) Microsoft.Applications.Telemetry.Windows.dll

0:006> uf Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent
Microsoft_Applications_Telemetry_Windows!Microsoft::Applications::Events::JsonFormatter::getJsonFormattedEvent:
00007ff9`25f75960 48895c2408 mov qword ptr [rsp+8],rbx
00007ff9`25f75965 55 push rbp
00007ff9`25f75966 56 push rsi
00007ff9`25f75967 57 push rdi
00007ff9`25f75968 4154 push r12
00007ff9`25f7596a 4155 push r13
00007ff9`25f7596c 4156 push r14
00007ff9`25f7596e 4157 push r15
[…]
00007ff9`25f767df 4881c420010000 add rsp,120h
00007ff9`25f767e6 415f pop r15
00007ff9`25f767e8 415e pop r14
00007ff9`25f767ea 415d pop r13
00007ff9`25f767ec 415c pop r12
00007ff9`25f767ee 5f pop rdi
00007ff9`25f767ef 5e pop rsi
00007ff9`25f767f0 5d pop rbp
00007ff9`25f767f1 c3 ret

0:006> ? 00007ff9`25f767f1 - 00007ff9`25f75960
Evaluate expression: 3729 = 00000000`00000e91

We see that the function size is rather small compared to the offset value. This also “explains” why we don’t see any pointers to possible JSON strings in raw stack region data (dpa and dpu WinDbg commands) or find any when we do a memory search there (s-sa and s-su commands).

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 280)

March 9th, 2022

Black Box analysis pattern generalizes from the undocumented WinDbg commands !blackbox* to external system information included in process memory dump files, which is accessible via the .dumpdebug command.

2: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132804247587428354
PnpEventInformation: 3
PnpEventInProgress : 0
PnpProblemCode : 24
PnpVetoType : 0
DeviceId : SW\{96E080C7-143C-11D1-B40F-00A0C9223196}\{3C0D501A-140B-11D1-B40F-00A0C9223196}
VetoString

Searching the registry we can find that it corresponds to “@ksfilter.inf,%mskssrv.devicedesc%;Microsoft Streaming Service Proxy”. Such commands may be used in conjunction with Historical Information (such as unloaded modules) and Execution Residue analysis patterns to check the last activities.

Other commands include !blackboxbsd and !blackboxntfs.

In a process memory dump we may see information about the system the dump came from:

0:000> .dumpdebug
[...]
Stream 10: type SystemMemoryInfoStream (21), size 000001EC, RVA 00002288
Revision : 1
Flags : 0xf
BasicInfo
TimerResolution : 156,250
PageSize : 0x1000
NumberOfPhysicalPages : 4,173,065
LowestPhysicalPageNumber : 0x1
HighestPhysicalPageNumber : 0x46f7ff
AllocationGranularity : 0x10000
MinimumUserModeAddress : 0x10000
MaximumUserModeAddress : 0x7ffffffeffff
ActiveProcessorsAffinityMask : 0xff
NumberOfProcessors : 8
FileCacheInfo
CurrentSize : 514,248,704
PeakSize : 661,852,160
PageFaultCount : 19,464,228
MinimumWorkingSet : 0x100
MaximumWorkingSet : 0x100000000
CurrentSizeIncludingTransitionInPages : 1,327,191
PeakSizeIncludingTransitionInPages : 2,152,355
TransitionRePurposeCount : 8,923,412
Flags : 0
BasicPerfInfo
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
PerfInfo
IdleProcessTime : 8,086,699,531,250
IoReadTransferCount : 97,860,850,993
IoWriteTransferCount : 55,567,419,561
IoOtherTransferCount : 9,725,039,400
IoReadOperationCount : 55,137,206
IoWriteOperationCount : 39,605,057
IoOtherOperationCount : 82,693,846
AvailablePages : 1,536,323
CommittedPages : 4,085,165
CommitLimit : 6,396,880
PeakCommitment : 4,850,269
CommitLimit : 6,396,880
PageFaultCount : 485,407,430
CopyOnWriteCount : 4,789,295
TransitionCount : 203,364,433
CacheTransitionCount : 0
DemandZeroCount : 275,205,178
PageReadCount : 9,363,018
PageReadIoCount : 1,641,521
CacheReadCount : 0
CacheIoCount : 0
DirtyPagesWriteCount : 295,086
DirtyWriteIoCount : 1,186
MappedPagesWriteCount : 425,398
MappedWriteIoCount : 5,656
PagedPoolPages : 231,590
NonPagedPoolPages : 155,982
PagedPoolAllocs : 0
PagedPoolFrees : 0
NonPagedPoolAllocs : 0
NonPagedPoolFrees : 0
FreeSystemPtes : 16,697,739
ResidentSystemCodePage : 4,175
TotalSystemDriverPages : 15,235
TotalSystemCodePages : 2
NonPagedPoolLookasideHits : 0
PagedPoolLookasideHits : 0
AvailablePagedPoolPages : 12,670,812
ResidentSystemCachePage : 125,549
ResidentPagedPoolPage : 220,095
ResidentSystemDriverPage : 13,012
CcFastReadNoWait : 0
CcFastReadWait : 13,492,886
CcFastReadResourceMiss : 0
CcFastReadNotPossible : 326,025
CcFastMdlReadNoWait : 0
CcFastMdlReadWait : 0
CcFastMdlReadResourceMiss : 0
CcFastMdlReadNotPossible : 0
CcMapDataNoWait : 0
CcMapDataWait : 77,200,777
CcMapDataNoWaitMiss : 0
CcMapDataWaitMiss : 391,734
CcPinMappedDataCount : 13,827,443
CcPinReadNoWait : 2,442
CcPinReadWait : 7,295,776
CcPinReadNoWaitMiss : 1,842,225
CcPinReadWaitMiss : 104,160
CcCopyReadNoWait : 720,327
CcCopyReadWait : 14,332,510
CcCopyReadNoWaitMiss : 73,632
CcCopyReadWaitMiss : 828,820
CcMdlReadNoWait : 0
CcMdlReadWait : 7,430
CcMdlReadNoWaitMiss : 0
CcMdlReadWaitMiss : 0
CcReadAheadIos : 1,577,774
CcLazyWriteIos : 737,095
CcLazyWritePages : 4,455,123
CcDataFlushes : 1,687,345
CcDataPages : 9,178,586
ContextSwitches : 690,599,392
FirstLevelTbFills : 0
SecondLevelTbFills : 0
SystemCalls : 2,382,592,584
CcTotalDirtyPages : 25,337
CcDirtyPageThreshold : 187,360
ResidentAvailablePages : 3,502,801
SharedCommittedPages : 693,491
Stream 11: type ProcessVmCountersStream (22), size 00000098, RVA 00002474
Revision : 2
Process Counters
PageFaultCount : 216,205
PeakWorkingSetSize : 0xdaa6000
WorkingSetSize : 0x160f000
QuotaPeakPagedPoolUsage : 0xfa0f8
QuotaPagedPoolUsage : 0xe8e88
QuotaPeakNonPagedPoolUsage : 0x22258
QuotaNonPagedPoolUsage : 0x180d8
PagefileUsage : 0xe6c000
PeakPagefileUsage : 0xcd67000
PeakVirtualSize : 0x201162a5000
VirtualSize : 0x20111ade000
PrivateUsage : 0xe6c000
PrivateWorkingSetSize : 0xb000
SharedCommitUsage : 0x1f2000
Job Counters
JobSharedCommitUsage : 0x72c000
JobPrivateCommitUsage : 0x71bc9000
JobPeakPrivateCommitUsage : 0x861ac000
JobPrivateCommitLimit : 0
JobTotalCommitLimit : 0
[...]

Other memory acquisition tools may write additional information in memory dump files. The difference between this analysis pattern and Paratext is that the latter involves additional files.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 16e)

February 4th, 2022

Stack Overflow caused by managed code is manifested as Stack Overflow (User Mode) with JIT Code recursive entries. The !CLRStack WinDbg SOS extension command may run for a very long time if stack frames are small, so we may need to increase the number of frames to show (.kframes command) and then manually check the originating frames using the !IP2MD SOS extension command.

0:000> !CLRStack
OS Thread Id: 0x1da0 (0)
Child SP IP Call Site
000000F83D205FE0 00007ffc82570539 UserQuery.g__foo|4_1()
000000F83D206010 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206040 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206070 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D2060A0 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D2060D0 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206100 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206130 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206160 00007ffc8257053e UserQuery.g__foo|4_1()
[...]

0:000> .kframes 0xFFFF
Default stack trace depth is 0n65535 frames

0:000> kL
# Child-SP RetAddr Call Site
00 000000f8`3d205fe0 00007ffc`8257053e 0x00007ffc`82570539
01 000000f8`3d206010 00007ffc`8257053e 0x00007ffc`8257053e
02 000000f8`3d206040 00007ffc`8257053e 0x00007ffc`8257053e
03 000000f8`3d206070 00007ffc`8257053e 0x00007ffc`8257053e
04 000000f8`3d2060a0 00007ffc`8257053e 0x00007ffc`8257053e
05 000000f8`3d2060d0 00007ffc`8257053e 0x00007ffc`8257053e
06 000000f8`3d206100 00007ffc`8257053e 0x00007ffc`8257053e
07 000000f8`3d206130 00007ffc`8257053e 0x00007ffc`8257053e
08 000000f8`3d206160 00007ffc`8257053e 0x00007ffc`8257053e
09 000000f8`3d206190 00007ffc`8257053e 0x00007ffc`8257053e
[...]
7cfa 000000f8`3d37cec0 00007ffc`8257053e 0x00007ffc`8257053e
7cfb 000000f8`3d37cef0 00007ffc`8257053e 0x00007ffc`8257053e
7cfc 000000f8`3d37cf20 00007ffc`8257053e 0x00007ffc`8257053e
7cfd 000000f8`3d37cf50 00007ffc`8257053e 0x00007ffc`8257053e
7cfe 000000f8`3d37cf80 00007ffc`8257053e 0x00007ffc`8257053e
7cff 000000f8`3d37cfb0 00007ffc`8257053e 0x00007ffc`8257053e
7d00 000000f8`3d37cfe0 00007ffc`8257053e 0x00007ffc`8257053e
7d01 000000f8`3d37d010 00007ffc`825704fe 0x00007ffc`8257053e
7d02 000000f8`3d37d040 00007ffc`825704c4 0x00007ffc`825704fe
7d03 000000f8`3d37d070 00007ffc`82582bdd 0x00007ffc`825704c4
7d04 000000f8`3d37d0a0 00007ffc`8236b45e 0x00007ffc`82582bdd
7d05 000000f8`3d37d940 00007ffc`82366850 0x00007ffc`8236b45e
7d06 000000f8`3d37dc10 00007ffc`82365faf 0x00007ffc`82366850
7d07 000000f8`3d37dd50 00007ffc`82365edc 0x00007ffc`82365faf
7d08 000000f8`3d37dd90 00007ffc`823316f5 0x00007ffc`82365edc
7d09 000000f8`3d37dde0 00007ffc`8233144b 0x00007ffc`823316f5
7d0a 000000f8`3d37de70 00007ffc`81de8db1 0x00007ffc`8233144b
7d0b 000000f8`3d37df60 00007ffc`81de59fa 0x00007ffc`81de8db1
7d0c 000000f8`3d37e0c0 00007ffc`81de5985 0x00007ffc`81de59fa
7d0d 000000f8`3d37e110 00007ffc`81de4d59 0x00007ffc`81de5985
7d0e 000000f8`3d37e160 00007ffc`81de45f5 0x00007ffc`81de4d59
7d0f 000000f8`3d37e1e0 00007ffc`e196a573 0x00007ffc`81de45f5
7d10 000000f8`3d37e220 00007ffc`e18902d0 coreclr!CallDescrWorkerInternal+0x83
7d11 (Inline Function) --------`-------- coreclr!CallDescrWorkerWithHandler+0x30
7d12 000000f8`3d37e260 00007ffc`e189202c coreclr!CallDescrWorkerReflectionWrapper+0x48
7d13 000000f8`3d37e2b0 00007ffc`d5ddc9d7 coreclr!RuntimeMethodHandle::InvokeMethod+0x91c
[…]
7d1b 000000f8`3d37ed60 00007ffc`e18e0d95 coreclr!RunMain+0xd2
7d1c 000000f8`3d37ee10 00007ffc`e18e0b56 coreclr!Assembly::ExecuteMainMethod+0x1c9
7d1d 000000f8`3d37f1a0 00007ffc`e19152b2 coreclr!CorHost2::ExecuteAssembly+0x1c6
7d1e 000000f8`3d37f310 00007ffd`053896bb coreclr!coreclr_execute_assembly+0xe2
7d1f (Inline Function) --------`-------- hostpolicy!coreclr_t::execute_assembly+0x2a
7d20 000000f8`3d37f3b0 00007ffd`053899ec hostpolicy!run_app_for_context+0x56b
7d21 000000f8`3d37f550 00007ffd`0538a387 hostpolicy!run_app+0x3c
7d22 000000f8`3d37f590 00007ffd`07fab539 hostpolicy!corehost_main+0x107
7d23 000000f8`3d37f740 00007ffd`07fae506 hostfxr!execute_app+0x2e9
7d24 000000f8`3d37f840 00007ffd`07fb0821 hostfxr!`anonymous namespace'::read_config_and_execute+0xa6
7d25 000000f8`3d37f940 00007ffd`07faeb62 hostfxr!fx_muxer_t::handle_exec_host_command+0x161
7d26 000000f8`3d37f9f0 00007ffd`07fa82ab hostfxr!fx_muxer_t::execute+0x482
7d27 000000f8`3d37fb30 00007ff6`64fe2351 hostfxr!hostfxr_main_startupinfo+0xab
7d28 000000f8`3d37fc30 00007ff6`64fe2748 LINQPad7_Query_exe!exe_start+0x651
7d29 000000f8`3d37fe60 00007ff6`64fe45f8 LINQPad7_Query_exe!wmain+0x88
7d2a (Inline Function) --------`-------- LINQPad7_Query_exe!invoke_main+0x22
7d2b 000000f8`3d37fe90 00007ffd`164b54e0 LINQPad7_Query_exe!__scrt_common_main_seh+0x10c
7d2c 000000f8`3d37fed0 00007ffd`185e485b kernel32!BaseThreadInitThunk+0x10
7d2d 000000f8`3d37ff00 00000000`00000000 ntdll!RtlUserThreadStart+0x2b

0:000> !IP2MD 0x00007ffc`8257053e
MethodDesc: 00007ffc8257ce18
Method Name: UserQuery.<Main>g__foo|4_1()
Class: 00007ffc8257cd08
MethodTable: 00007ffc8257ce48
mdToken: 0000000006000007
Module: 00007ffc8257c060
IsJitted: yes
Current CodeAddr: 00007ffc82570520
Version History:
ILCodeVersion: 0000000000000000
ReJIT ID: 0
IL Addr: 0000027575cc20f2
CodeAddr: 00007ffc82570520 (MinOptJitted)
NativeCodeVersion: 0000000000000000

0:000> !DumpIL 00007ffc8257ce18
ilAddr is 0000027575CC20F2 pImport is 000001C7B44109C0
ilAddr = 0000027575CC20F2
IL_0000: nop
IL_0001: call void UserQuery::<Main>g__foo|4_1()
IL_0006: nop
IL_0007: ret

0:000> !IP2MD 0x00007ffc`825704fe
MethodDesc: 00007ffc8257ce00
Method Name: UserQuery.<Main>g__bar|4_0()
Class: 00007ffc8257cd08
MethodTable: 00007ffc8257ce48
mdToken: 0000000006000006
Module: 00007ffc8257c060
IsJitted: yes
Current CodeAddr: 00007ffc825704e0
Version History:
ILCodeVersion: 0000000000000000
ReJIT ID: 0
IL Addr: 0000027575cc20f2
CodeAddr: 00007ffc825704e0 (MinOptJitted)
NativeCodeVersion: 0000000000000000

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 213)

January 13th, 2022

Various types of Measurements are important in software diagnostics. We consider traces and logs, and general software narratives (and even hardware narratives) as a medium for all types of possible measurements. Even a small display in a handheld device showing a number is an example of Singleton Trace.

Typical trace and log measurement analysis patterns include Time Delta, Statement Density and Current, and Trace Acceleration. Numeric analysis patterns include Counter Value, Trace Field, Signal in general, and the forthcoming Trace Distance that uses various metrics, for example, the number of messages, Activity Regions, or just hops.
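The measurement patterns named above can be computed directly from a timestamped log. The following Python script is an added example, not code from the original post or from the pattern catalogue; the log lines are constructed, and the working definitions it uses (Time Delta as the gap between consecutive messages, Statement Current as messages per second in fixed windows, Statement Density as the share of messages coming from one component, Trace Acceleration as the change in Statement Current between adjacent windows) are this example's assumptions, not quotations of the published pattern definitions:

```python
"""Measurement analysis patterns over a constructed log (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: ISO timestamp, component, message text.
# The burst of failed logins at 10:00:01 is the region a diagnostician
# would want the measurements to point at.
SAMPLE_LOG = """\
2023-01-13 10:00:00.000 auth   login attempt user=alice
2023-01-13 10:00:00.250 auth   login ok user=alice
2023-01-13 10:00:01.000 net    connection from 10.0.0.5
2023-01-13 10:00:01.100 auth   login attempt user=bob
2023-01-13 10:00:01.150 auth   login failed user=bob
2023-01-13 10:00:01.200 auth   login failed user=bob
2023-01-13 10:00:01.250 auth   login failed user=bob
2023-01-13 10:00:05.000 net    connection closed 10.0.0.5
"""


@dataclass
class Message:
    ts: datetime
    component: str
    text: str


def parse_log(text):
    """Split each non-empty line into timestamp, component and message body."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, component, body = line.split(None, 3)
        msgs.append(Message(datetime.fromisoformat(f"{date} {clock}"), component, body))
    return msgs


def time_deltas(msgs):
    """Time Delta (assumed definition): seconds between each message and
    its predecessor; the first message gets 0.0. A large delta marks a
    gap in activity (a wait, a hang, or a stopped logger)."""
    return [0.0] + [(b.ts - a.ts).total_seconds() for a, b in zip(msgs, msgs[1:])]


def statement_current(msgs, window_s=1.0):
    """Statement Current (assumed definition): messages per second in
    consecutive fixed windows starting at the first message."""
    if not msgs:
        return []
    start = msgs[0].ts
    n_windows = int((msgs[-1].ts - start).total_seconds() // window_s) + 1
    counts = [0] * n_windows
    for m in msgs:
        counts[int((m.ts - start).total_seconds() // window_s)] += 1
    return [c / window_s for c in counts]


def statement_density(msgs, component):
    """Statement Density (assumed definition): fraction of all messages
    emitted by one component."""
    if not msgs:
        return 0.0
    return sum(1 for m in msgs if m.component == component) / len(msgs)


def trace_acceleration(current):
    """Trace Acceleration (assumed definition): change in Statement
    Current from one window to the next; the first window gets 0.0."""
    return [0.0] + [b - a for a, b in zip(current, current[1:])]


def busiest_window(current):
    """Index and value of the window with the highest Statement Current."""
    idx = max(range(len(current)), key=current.__getitem__)
    return idx, current[idx]


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    cur = statement_current(msgs)
    print("time deltas   :", time_deltas(msgs))
    print("current (1s)  :", cur)
    print("acceleration  :", trace_acceleration(cur))
    print("auth density  :", statement_density(msgs, "auth"))
    print("busiest window:", busiest_window(cur))
```

On the constructed input the second one-second window carries five messages, the acceleration jumps by +3.0 into it and drops by -5.0 out of it, and the 3.75-second Time Delta before the last message marks the quiet period that follows the burst; these are the numbers a reviewer would use to decide where in the log to read in detail.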

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 279)

November 23rd, 2021

Sometimes, we are interested in field values across many objects of the same type, for example, processes or threads. We call this analysis pattern Structure Field Collection. For example, we may be interested in all thread names or their number of context switches. Here’s an example script that outputs all non-null thread names and their _ETHREAD structure address for further exploration:

0: kd> !for_each_thread "r $t0 = @@C++(((nt!_ETHREAD *) @#Thread )->ThreadName); .if (@$t0 != 0) { .echo _ETHREAD: @#Thread; !ustr @$t0 }"
_ETHREAD: 0xffffad03ba43b080
String(46,46) at ffffad03b9a77790: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba468080
String(58,58) at ffffad03b6943e80: Win32k Desktop Thread (IO_DT)
_ETHREAD: 0xffffad03ba57d580
String(62,62) at ffffad03ba5aebc0: Win32k Desktop Thread (NOIO_DT)
_ETHREAD: 0xffffad03ba49b080
String(46,46) at ffffad03b9a792c0: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba49c080
String(58,58) at ffffad03b6945080: Win32k Desktop Thread (IO_DT)
_ETHREAD: 0xffffad03bcb44080
String(62,62) at ffffad03bcb89740: Win32k Desktop Thread (NOIO_DT)
_ETHREAD: 0xffffad03bad74080
String(38,38) at ffffad03bacf5a90: DWM LPC Port Thread
_ETHREAD: 0xffffad03bad70080
String(42,42) at ffffad03bacf6490: DWM Compositor Thread
_ETHREAD: 0xffffad03badbf080
String(32,32) at ffffad03ba5c7910: DWM Token Thread
_ETHREAD: 0xffffad03badbe080
String(46,46) at ffffad03bacf7340: DWM Master Input Thread
_ETHREAD: 0xffffad03badbd080
String(46,46) at ffffad03bacf7660: DWM Manipulation Thread
_ETHREAD: 0xffffad03bae71080
String(34,34) at ffffad03bacf82e0: uDWM Event Thread
_ETHREAD: 0xffffad03baf49080
String(32,32) at ffffad03ba5c8e10: OS Events thread
_ETHREAD: 0xffffad03baf98080
String(30,30) at ffffad03bafb4ed0: EventLog-System
_ETHREAD: 0xffffad03baf33080
String(40,40) at ffffad03baef7490: EventLog-Application
_ETHREAD: 0xffffad03bb00b080
String(34,34) at ffffad03baef74e0: EventLog-Security
_ETHREAD: 0xffffad03bbeee080
String(100,100) at ffffad03bc1ccaa0: MicrosoftWindows.Client.CBS_cw5n1h2txyewy!InputApp
_ETHREAD: 0xffffad03bc590080
String(30,30) at ffffad03bc75cd10: UnknownAppFrame
_ETHREAD: 0xffffad03bc539080
String(30,30) at ffffad03bc75f850: UnknownAppFrame
_ETHREAD: 0xffffad03bc20e300
String(44,44) at ffffad03bc0e44f0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc208080
String(44,44) at ffffad03bc0e4770: DManip Delegate Thread
_ETHREAD: 0xffffad03bc457080
String(30,30) at ffffad03bc365cd0: WebView UI ASTA
_ETHREAD: 0xffffad03bc44a080
String(52,52) at ffffad03bc25be60: Chakra Background Recycler
_ETHREAD: 0xffffad03bc448080
String(52,52) at ffffad03bc25e620: Chakra Background Recycler
_ETHREAD: 0xffffad03bc4d1080
String(58,58) at ffffad03bc25de40: EdgeHtml Independent Hit Test
_ETHREAD: 0xffffad03bc4ce080
String(28,28) at ffffad03bc3671d0: EdgeHtml Timer
_ETHREAD: 0xffffad03bc4c1080
String(42,42) at ffffad03bc0e9950: EdgeHtml Download STA
_ETHREAD: 0xffffad03bc4c0080
String(58,58) at ffffad03bc25f8e0: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc4be080
String(40,40) at ffffad03bc0eae90: EdgeHtml Storage STA
_ETHREAD: 0xffffad03bc4bc080
String(34,34) at ffffad03bc93fbc0: Fetch Idle Worker
_ETHREAD: 0xffffad03bc46d080
String(30,30) at ffffad03bc36a1d0: EdgeHtml Render
_ETHREAD: 0xffffad03bc544080
String(26,26) at ffffad03bc0676d0: MTA Implicit
_ETHREAD: 0xffffad03bc68c040
String(26,26) at ffffad03bc363510: MTA Implicit
_ETHREAD: 0xffffad03bca08040
String(26,26) at ffffad03bc363550: MTA Implicit
_ETHREAD: 0xffffad03bca07080
String(50,50) at ffffad03bac853c0: EdgeHtml IDB MTA Implicit
_ETHREAD: 0xffffad03bca06080
String(26,26) at ffffad03bc363250: MTA Implicit
_ETHREAD: 0xffffad03bca04080
String(50,50) at ffffad03bb0fc170: EdgeHtml IDB MTA Implicit
_ETHREAD: 0xffffad03bc58e080
String(84,84) at ffffad03bbe4af10: WebPlatStorage Events Channel MTA Implicit
_ETHREAD: 0xffffad03bbcd5080
String(36,36) at ffffad03bc9445d0: EdgeHtml Image STA
_ETHREAD: 0xffffad03bc5df080
String(52,52) at ffffad03bc25a600: Chakra Background Recycler
_ETHREAD: 0xffffad03bc5de080
String(52,52) at ffffad03bc260060: Chakra Background Recycler
_ETHREAD: 0xffffad03bc68a080
String(44,44) at ffffad03bc0f3f40: DManip Delegate Thread
_ETHREAD: 0xffffad03bc5d8080
String(58,58) at ffffad03bc264f80: EdgeHtml Independent Hit Test
_ETHREAD: 0xffffad03bc5d7080
String(28,28) at ffffad03bc754510: EdgeHtml Timer
_ETHREAD: 0xffffad03bc0880c0
String(58,58) at ffffad03bc269a20: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc9e6080
String(12,12) at ffffad03bc51bd40: main()
_ETHREAD: 0xffffad03bc591080
String(20,20) at ffffad03bc75d010: InputPanel
_ETHREAD: 0xffffad03bc58c080
String(44,44) at ffffad03bc93e4a0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc50e080
String(44,44) at ffffad03bc93f4e0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc495040
String(26,26) at ffffad03bc3611d0: MTA Implicit
_ETHREAD: 0xffffad03bc494040
String(26,26) at ffffad03bc361a50: MTA Implicit
_ETHREAD: 0xffffad03bc490080
String(26,26) at ffffad03bc760bd0: MTA Implicit
_ETHREAD: 0xffffad03bc48f080
String(88,88) at ffffad03bbbe6890: RPC StorageEvents_WaitForEvents MTA Implicit
_ETHREAD: 0xffffad03bc2a5040
String(26,26) at ffffad03bc3631d0: MTA Implicit
_ETHREAD: 0xffffad03bc1c3040
String(26,26) at ffffad03bc361810: MTA Implicit
_ETHREAD: 0xffffad03bbced0c0
String(26,26) at ffffad03bc361350: MTA Implicit
_ETHREAD: 0xffffad03bca72080
String(52,52) at ffffad03bbdf06b0: Chakra Background Recycler
_ETHREAD: 0xffffad03bca71080
String(58,58) at ffffad03bbdf34d0: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc509080
String(26,26) at ffffad03bc369890: CrBrowserMain
_ETHREAD: 0xffffad03bcb45080
String(34,34) at ffffad03bc94e940: LoaderLockSampler
_ETHREAD: 0xffffad03bcb21080
String(22,22) at ffffad03bc368990: BrokerEvent
_ETHREAD: 0xffffad03bc682080
String(22,22) at ffffad03bc369950: HangWatcher
_ETHREAD: 0xffffad03bc681080
String(46,46) at ffffad03bc94f020: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bc680080
String(106,106) at ffffad03bcb06800: ThreadPoolSingleThreadCOMSTASharedBackgroundBlocking0
_ETHREAD: 0xffffad03bc020080
String(106,106) at ffffad03bc1c8960: ThreadPoolSingleThreadCOMSTASharedForegroundBlocking1
_ETHREAD: 0xffffad03bc01e080
String(52,52) at ffffad03bc2663c0: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bc285080
String(30,30) at ffffad03bc3695d0: Chrome_IOThread
_ETHREAD: 0xffffad03bc284080
String(22,22) at ffffad03bc369910: MemoryInfra
_ETHREAD: 0xffffad03bc283080
String(90,90) at ffffad03bca64110: ThreadPoolSingleThreadCOMSTASharedForeground2
_ETHREAD: 0xffffad03bc1ed080
String(94,94) at ffffad03bbe41f10: ThreadPoolSingleThreadSharedBackgroundBlocking3
_ETHREAD: 0xffffad03bc1f2080
String(52,52) at ffffad03bcb8a040: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bc1b7080
String(42,42) at ffffad03bc94fb10: CompositorTileWorker1
_ETHREAD: 0xffffad03bc1b6080
String(36,36) at ffffad03bc94fc00: VideoCaptureThread
_ETHREAD: 0xffffad03bcc0e080
String(30,30) at ffffad03bc75f950: BrowserWatchdog
_ETHREAD: 0xffffad03bcc0d080
String(94,94) at ffffad03bbe42010: ThreadPoolSingleThreadSharedBackgroundBlocking4
_ETHREAD: 0xffffad03bc29b080
String(82,82) at ffffad03bce44110: ThreadPoolSingleThreadForegroundBlocking5
_ETHREAD: 0xffffad03bcdda080
String(42,42) at ffffad03bb09a120: CacheThread_BlockFile
_ETHREAD: 0xffffad03bcdc50c0
String(94,94) at ffffad03bce44590: ThreadPoolSingleThreadSharedForegroundBlocking6
_ETHREAD: 0xffffad03bc67f4c0
String(106,106) at ffffad03bcb05690: ThreadPoolSingleThreadCOMSTASharedBackgroundBlocking7
_ETHREAD: 0xffffad03bca85080
String(52,52) at ffffad03bcb8cf80: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bc6af080
String(36,36) at ffffad03bc94e580: CrashpadMainThread
_ETHREAD: 0xffffad03bca97080
String(42,42) at ffffad03bc94e620: ExitCodeWatcherThread
_ETHREAD: 0xffffad03bcc0c080
String(18,18) at ffffad03bc36dd10: CrGpuMain
_ETHREAD: 0xffffad03bcecd080
String(34,34) at ffffad03bc9518c0: LoaderLockSampler
_ETHREAD: 0xffffad03bcecb080
String(22,22) at ffffad03bc36e950: GpuWatchdog
_ETHREAD: 0xffffad03bce7e080
String(46,46) at ffffad03bc9535d0: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bcdcc080
String(52,52) at ffffad03bc26c960: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bcdcb080
String(40,40) at ffffad03bc952c20: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bcea8080
String(52,52) at ffffad03bcb8c8c0: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcea7080
String(38,38) at ffffad03bc952c70: VizCompositorThread
_ETHREAD: 0xffffad03bc7ee080
String(26,26) at ffffad03bc36d390: CrUtilityMain
_ETHREAD: 0xffffad03bc1f1080
String(34,34) at ffffad03bc951a00: LoaderLockSampler
_ETHREAD: 0xffffad03bca3d080
String(46,46) at ffffad03bc951c30: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bca3a080
String(40,40) at ffffad03bc951c80: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bce81080
String(52,52) at ffffad03bc26ca80: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bcbd0080
String(52,52) at ffffad03bcf03da0: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03b67af080
String(52,52) at ffffad03bdcca800: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bd0db080
String(52,52) at ffffad03bcf0fd40: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bbdcc080
String(52,52) at ffffad03bcf10280: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcdd94c0
String(26,26) at ffffad03bc36e7d0: CrUtilityMain
_ETHREAD: 0xffffad03baf95080
String(34,34) at ffffad03bc951aa0: LoaderLockSampler
_ETHREAD: 0xffffad03bcec9080
String(46,46) at ffffad03bc952270: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bceb6080
String(52,52) at ffffad03bc26ca20: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bceb5080
String(40,40) at ffffad03bc952d60: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bceb4080
String(52,52) at ffffad03bcb8ca40: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcf3e040
String(166,166) at ffffad03bcc38590: windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
_ETHREAD: 0xffffad03baf0a040
String(80,80) at ffffad03bcedb390: Microsoft.WindowsStore_8wekyb3d8bbwe!App
_ETHREAD: 0xffffad03b9850080
String(30,30) at ffffad03bc75e1d0: UnknownAppFrame
_ETHREAD: 0xffffad03bbf54080
String(30,30) at ffffad03ba344710: UnknownAppFrame
_ETHREAD: 0xffffad03ba48e080
String(44,44) at ffffad03ba32bf10: DManip Delegate Thread
_ETHREAD: 0xffffad03bada5080
String(44,44) at ffffad03bc950a10: DManip Delegate Thread

One of the early analysis patterns, Last Error Collection, is another instance of this general analysis pattern.
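The debugger script above prints the collection as interleaved _ETHREAD and !ustr lines, which is convenient to read but not to query. The following Python script is an added example, not code from the original post or from the author's tooling: it parses that output shape into records, groups the _ETHREAD addresses by thread name so duplicates such as the several UnknownAppFrame threads can be explored together, and checks that each displayed name accounts for the UNICODE_STRING Length that !ustr reported (a mismatch means the printed text is not the whole buffer, for example because of an embedded NUL or truncation). The sample text reuses a few lines from the output above plus one constructed, deliberately inconsistent line:

```python
"""Structure Field Collection post-processing (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Lines in the shape of the !for_each_thread output above. The first five
# pairs are copied from it; the last pair is constructed so that the
# declared Length (40 bytes) does not match the 5-character name shown.
SAMPLE_OUTPUT = """\
_ETHREAD: 0xffffad03ba43b080
String(46,46) at ffffad03b9a77790: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba468080
String(58,58) at ffffad03b6943e80: Win32k Desktop Thread (IO_DT)
_ETHREAD: 0xffffad03bc9e6080
String(12,12) at ffffad03bc51bd40: main()
_ETHREAD: 0xffffad03bc590080
String(30,30) at ffffad03bc75cd10: UnknownAppFrame
_ETHREAD: 0xffffad03bc539080
String(30,30) at ffffad03bc75f850: UnknownAppFrame
_ETHREAD: 0x0000000000000001
String(40,40) at 0000000000000002: Short
"""

ETHREAD_RE = re.compile(r"^_ETHREAD:\s+(0x[0-9a-fA-F]+)\s*$")
USTR_RE = re.compile(r"^String\((\d+),(\d+)\) at ([0-9a-fA-F]+): (.*)$")


@dataclass
class ThreadName:
    ethread: str      # _ETHREAD address as printed by the script
    buffer: str       # address of the UNICODE_STRING buffer
    length: int       # UNICODE_STRING.Length in bytes
    max_length: int   # UNICODE_STRING.MaximumLength in bytes
    name: str         # text !ustr displayed


def parse_collection(text):
    """Pair each _ETHREAD line with the !ustr line that follows it."""
    records = []
    pending = None
    for line in text.splitlines():
        m = ETHREAD_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = USTR_RE.match(line)
        if m:
            if pending is None:
                raise ValueError(f"String line without preceding _ETHREAD: {line!r}")
            length, max_length, buf, name = m.groups()
            records.append(ThreadName(pending, buf, int(length), int(max_length), name))
            pending = None
    return records


def group_by_name(records):
    """Thread name -> list of _ETHREAD addresses, in output order."""
    groups = defaultdict(list)
    for r in records:
        groups[r.name].append(r.ethread)
    return dict(groups)


def inconsistent_lengths(records):
    """Records whose displayed text does not cover the declared Length.
    UNICODE_STRING counts bytes of UTF-16, so a name of n characters
    should report Length == 2 * n."""
    return [r for r in records if len(r.name.encode("utf-16-le")) != r.length]


if __name__ == "__main__":
    recs = parse_collection(SAMPLE_OUTPUT)
    for name, addrs in sorted(group_by_name(recs).items()):
        print(f"{len(addrs):3d}  {name}  {' '.join(addrs)}")
    for r in inconsistent_lengths(recs):
        print(f"length mismatch: {r.ethread} declares {r.length} bytes, shows {r.name!r}")
```

The grouping step is the collection itself: once names map to addresses, a follow-up pass can feed any address back into the debugger for further exploration, and the length check flags records whose displayed value should not be trusted at face value.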

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -