process with no active threads what information can be gleaned from it using windbg

What further info can be deduced from the information? The process below seems to run, but windbg says no active threads?
So on whose back is this piggybacking (I mean, how to find the pig that is backing this?)
No handles? No object table?

I can also see two explorer instances: one 2 days old and not having an active thread??
Another 1 day old and having threads?

What does "no active threads" mean? (I mean, can passive threads, if any, be put to use to run something?)

This is a VM that doesn't have /debug, so I can't attach kd.

What further info can be learnt (the maximum possible, passively, using lkd or whatever!!) before resorting to the third degree, from the paste below?

lkd> .process /p /r 85dba020
Implicit process is now 85dba020
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
lkd> !process 85dba020 17
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
Image: wq3qef54.exe
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 49. Locked 0.
DeviceMap e3059d10
Token e5146030
ElapsedTime 01:46:41.250
UserTime 00:00:00.046
KernelTime 00:00:00.171
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (8, 50, 345) (32KB, 200KB, 1380KB)
PeakWorkingSetSize 685
VirtualSize 26 Mb
PeakVirtualSize 29 Mb
PageFaultCount 694
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 0

No active threads

lkd> !process 0 0 explorer.exe
PROCESS 863fc320 SessionId: 0 Cid: 017c Peb: 7ffdf000 ParentCid: 07f4
DirBase: 107002e0 ObjectTable: 00000000 HandleCount: 0.
Image: explorer.exe

PROCESS 860009c8 SessionId: 0 Cid: 0424 Peb: 7ffda000 ParentCid: 0cc4
DirBase: 10700440 ObjectTable: e1c92a20 HandleCount: 826.
Image: explorer.exe

lkd> .process /p /r 863fc320
Implicit process is now 863fc320
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
lkd> !process 863fc320 17
PROCESS 863fc320 SessionId: 0 Cid: 017c Peb: 7ffdf000 ParentCid: 07f4
DirBase: 107002e0 ObjectTable: 00000000 HandleCount: 0.
Image: explorer.exe
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 929127. Locked 0.
DeviceMap e3059d10
Token e36d1438
ElapsedTime 2 Days 11:26:33.468
UserTime 00:04:15.703
KernelTime 00:02:14.125
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (14, 50, 345) (56KB, 200KB, 1380KB)
PeakWorkingSetSize 15789
VirtualSize 157 Mb
PeakVirtualSize 500 Mb
PageFaultCount 1042096
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 0

No active threads

lkd> !process 860009c8 17
PROCESS 860009c8 SessionId: 0 Cid: 0424 Peb: 7ffda000 ParentCid: 0cc4
DirBase: 10700440 ObjectTable: e1c92a20 HandleCount: 826.
Image: explorer.exe
VadRoot 8601f920 Vads 539 Clone 0 Private 14425. Modified 397280. Locked 0.
DeviceMap e3059d10
Token e4606030
ElapsedTime 1 Day 07:38:39.984
UserTime 00:04:30.890
KernelTime 00:01:56.984
QuotaPoolUsage[PagedPool] 269404
QuotaPoolUsage[NonPagedPool] 24200
Working Set Sizes (now,min,max) (6962, 50, 345) (27848KB, 200KB, 1380KB)
PeakWorkingSetSize 15329
VirtualSize 210 Mb
PeakVirtualSize 234 Mb
PageFaultCount 524892
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 17170

THREAD 85ccfc78 Cid 0424.0f60 Teb: 7ffdf000 Win32Thread: e2b2cb50 WAIT
: (WrUserRequest) UserMode Non-Alertable
86596970 SynchronizationEvent
Not impersonating
DeviceMap e3059d10
Owning Process 0 Image:
Attached Process 860009c8 Image: explorer.exe
Wait Start TickCount 13693288 Ticks: 10206 (0:00:02:39.468)
Context Switch Count 45600 LargeStack
UserTime 00:00:07.546
KernelTime 00:00:14.109
*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\explorer.exe
Win32 Start Address explorer (0x0101a55f)
Start Address KERNEL32!BaseProcessStartThunk (0x7c810705)
Stack Init a862f000 Current a862ecb0 Base a862f000 Limit a862b000 Call 0

Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
Kernel stack not resident.

THREAD 86568c88 Cid 0424.0c4c Teb: 7ffdd000 Win32Thread: e3865690 WAIT
: (Unknown) UserMode Non-Alertable
85ff1fc0 Semaphore Limit 0x7fffffff

lkd>

There are likely outstanding open handles and/or pointer references to this process. Try !object 85dba020. If it says handle count is non-zero, use !handle to find which processes hold those handles. If handle count is zero but refcount is not you can try !search 85dba021 and if you’re lucky it might point you to a driver that’s leaking references. If !search doesn’t show anything interesting you’ll have to use something like !obtrace to trace all ref/deref calls.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Monday, April 29, 2013 1:48 PM
To: Kernel Debugging Interest List
Subject: [windbg] process with no active threads what information can be gleaned from it using windbg

WINDBG is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thank you Pavel for replying back.

The results are as follows (I assume 85dba201 is a typo, or should I use the delta?). And by refcount did you mean pointer count? It seems doing !object on the EPROCESS yields one handle count and two pointer counts, but !handle says it can't read the handle table and !search yields no results (with 0 delta).

results as follows

lkd> !object 85dba020
Object: 85dba020 Type: (86dc6e38) Process
ObjectHeader: 85dba008 (old version)
HandleCount: 1 PointerCount: 2
lkd> .process /p /r 85dba020
Implicit process is now 85dba020
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
lkd> !handle

PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
Image: wq3qef54.exe

00000000: Unable to read handle table

lkd> !search 85dba020
Searching PFNs in range 00000001 - 0003F679 for [FFFFFFFF85DBA020 - FFFFFFFF85DBA020]

Pfn Offset Hit Va Pte


Search done.
lkd>

On 4/30/13, Pavel Lebedynskiy wrote:

raj_r wrote:

what further info can be deduced from the information
the below process seems to run
but windbg says no active threads ?
so on whose back this is piggybacking ( i mean how to find the pig
that is backing this ? )
no handles ? no object table ?

The name of the process is typical of a piece of malware:

lkd> .process /p /r 85dba020
Implicit process is now 85dba020
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
lkd> !process 85dba020 17
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
Image: wq3qef54.exe

My wager is that you are infected.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

@tim :)
I take thee at thy word. What's in a name? That which we call a malware, by any other name would stink as bitter;

I congratulate thee on thy win.

So what else can we learn? I mean forensically: what bits and pieces, however tiny, insignificant and irrelevant at first sight they may be, what else?

On 4/30/13, Tim Roberts wrote:

You want to search handle tables of other processes to see which one holds the handle to the leaked process:

!handle 0 3 0 Process

For !search the right command would actually be !search -p 85dba020 (-p to avoid sign-extending the pointer). I also usually change one of the bits in the value I’m searching for because !search will find values that differ by a single bit which can be noisy. (It works better on 64 bits because 64-bit pointers have more redundancy in the high bits.)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Monday, April 29, 2013 2:41 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] process with no active threads what information can be gleaned from it using windbg

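
A worked example for Pavel's two replies above (the `!object` / `!handle` / `!search` sequence, and the `!handle 0 3 0 Process` sweep of every process's handle table): the Python below is added here and is not code from the thread or from OSR. It parses `!process` blocks in the format pasted in the thread, flags an EPROCESS whose object table, VAD tree and thread list are all gone as a process that has finished exiting but is still kept alive by an outstanding handle or pointer reference, and then walks `!handle 0 3 0 Process` output to name the process whose handle table holds a handle to it, taking care not to mistake the PROCESS line that `!handle` prints under each Process-type handle for the start of the next table. The `!process` lines are copied from the thread; the `!handle` sample is constructed, with its layout modelled on the thread's `!handle 0 3 85dba020 Process` output, and the holder process `deadbeef` / `constructed_holder.exe`, handle `0040` and its `Entry` value are invented, since the thread never shows who really holds handle 0114.

```python
"""Triage WinDbg !process / !handle text for processes that have exited but whose EPROCESS
is still retained.  Added example, not code from the thread or from OSR: PROCESS_DUMP is
copied from the thread, HANDLE_DUMP is CONSTRUCTED (deadbeef / constructed_holder.exe is made up)."""
import re

# Field layout as printed in the thread; \s+ accepts real (multi-space) and pasted (collapsed) output.
PROCESS_RE = re.compile(r"^PROCESS ([0-9a-f]{8})\s+SessionId:\s*\d+\s+Cid:\s*([0-9a-f]{4})"
                        r"\s+Peb:\s*[0-9a-f]{8}\s+ParentCid:\s*([0-9a-f]{4})")
TABLE_RE = re.compile(r"^DirBase:\s*[0-9a-f]+\s+ObjectTable:\s*([0-9a-f]{8})\s+HandleCount:\s*(\d+)\.")
IMAGE_RE = re.compile(r"^Image:\s*(\S+)")
VAD_RE = re.compile(r"^VadRoot\s+([0-9a-f]{8})")
HANDLE_RE = re.compile(r"^([0-9a-f]{4}):\s+Object:\s*([0-9a-f]{8})\s+GrantedAccess:\s*([0-9a-f]{8})")


def parse_process_output(text):
    """One dict per PROCESS block of `!process <addr> 17`-style output."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()  # real output indents the fields; a mailing-list paste usually does not
        if m := PROCESS_RE.match(line):
            cur = {"eprocess": m[1], "cid": m[2], "parent_cid": m[3], "object_table": None,
                   "handle_count": None, "image": None, "vad_root": None, "threads": 0}
            procs.append(cur)
        elif cur and (m := TABLE_RE.match(line)):
            cur["object_table"], cur["handle_count"] = m[1], int(m[2])
        elif cur and (m := IMAGE_RE.match(line)):
            cur["image"] = m[1]
        elif cur and (m := VAD_RE.match(line)):
            cur["vad_root"] = m[1]
        elif cur and line.startswith("THREAD "):
            cur["threads"] += 1
    return procs


def classify(proc):
    """Handle table torn down, VAD tree gone and no threads: the process has finished
    exiting; its EPROCESS survives only because a handle or pointer reference is still held."""
    gone = (proc["object_table"] == "00000000" and proc["vad_root"] == "00000000"
            and proc["threads"] == 0)
    return "exited-but-retained" if gone else "live"


def find_handle_holders(handle_text, target):
    """(holder image, holder EPROCESS, handle) for every handle in `!handle 0 3 0 Process`
    output whose object is `target`.  A PROCESS header becomes the current owner only when
    the 'Searching for handles' line confirms it: the PROCESS line printed under a handle
    entry is the dump of that handle's target, not the start of another table."""
    holders, pending, owner = [], None, None
    for raw in handle_text.splitlines():
        line = raw.strip()
        if m := PROCESS_RE.match(line):
            pending = {"eprocess": m[1], "image": None}
        elif pending and (m := IMAGE_RE.match(line)):
            pending["image"] = m[1]
        elif line.startswith("Searching for handles"):
            owner, pending = pending, None
        elif owner and (m := HANDLE_RE.match(line)) and m[2] == target.lower():
            holders.append((owner["image"], owner["eprocess"], m[1]))
    return holders


# Copied from the thread's !process output, trimmed to the fields parsed above.
PROCESS_DUMP = """\
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
Image: wq3qef54.exe
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 49. Locked 0.
PROCESS 860009c8 SessionId: 0 Cid: 0424 Peb: 7ffda000 ParentCid: 0cc4
DirBase: 10700440 ObjectTable: e1c92a20 HandleCount: 826.
Image: explorer.exe
VadRoot 8601f920 Vads 539 Clone 0 Private 14425. Modified 397280. Locked 0.
THREAD 85ccfc78 Cid 0424.0f60 Teb: 7ffdf000 Win32Thread: e2b2cb50 WAIT
THREAD 86568c88 Cid 0424.0c4c Teb: 7ffdd000 Win32Thread: e3865690 WAIT
"""

# CONSTRUCTED !handle 0 3 0 Process output; deadbeef / constructed_holder.exe and handle 0040 are invented.
HANDLE_DUMP = """\
PROCESS 860009c8 SessionId: 0 Cid: 0424 Peb: 7ffda000 ParentCid: 0cc4
Image: explorer.exe
Searching for handles of type Process
0040: Object: deadbeef GrantedAccess: 001f0fff Entry: e1c92a80
PROCESS deadbeef SessionId: 0 Cid: 0aaa Peb: 7ffdf000 ParentCid: 0424
Image: constructed_holder.exe
Searching for handles of type Process
0114: Object: 85dba020 GrantedAccess: 001f0fff Entry: e1f8c228
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
Image: wq3qef54.exe
Searching for handles of type Process
00000000: Unable to read handle table
"""

if __name__ == "__main__":
    for p in parse_process_output(PROCESS_DUMP):
        verdict = classify(p)
        print(p["eprocess"], p["image"], verdict,
              find_handle_holders(HANDLE_DUMP, p["eprocess"]) if verdict != "live" else [])
```

Run it as a script to print one verdict per process. The 2-day-old `explorer.exe` (863fc320) pasted in the thread has the same all-zero ObjectTable / VadRoot / thread profile as wq3qef54.exe and classifies the same way: it is not a second running shell, just an EPROCESS that something has not released yet. `!handle` only finds handle holders; the kernel pointer references that `!search -p` and `!obtrace` are for leave no trace in any handle table.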

Thanks once again Pavel

!handle 0 3 0 means

!handle , basic handle info | info about objects ,
SystemProcess (pid = 0) ?? ,
EPROCESS ??

or

!handle , binfo | abouob , Systemprocess (pid ==0) ?? ,
" ??

or !handle binfo | abouob , EPROCESS , "PROCESS"

anyway dumping info for all three variations

lkd> !grep -i -e "85dba020" -c "!handle 0 3 0 85dba020"
!handle 0 3 0 85dba020

0114: Object: 85dba020 GrantedAccess: 001f0fff Entry: e1f8c228
Object: 85dba020 Type: (86dc6e38) Process
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8

lkd> !grep -i -e "85dba020" -c "!handle 0 3 0 Process"

0114: Object: 85dba020 GrantedAccess: 001f0fff Entry: e1f8c228
Object: 85dba020 Type: (86dc6e38) Process
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
lkd> !grep -i -e "85dba020" -c "!handle 0 3 85dba020 Process"

!handle 0 3 85dba020 Process
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8

lkd> !handle 0 3 85dba020 Process

Searching for handles of type Process
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
Image: wq3qef54.exe

00000000: Unable to read handle table

Where is it hiding :) and what is it doing?

On 4/30/13, Pavel Lebedynskiy wrote:
> You want to search handle tables of other processes to see which one holds
> the handle to the leaked process:
>
> !handle 0 3 0 Process
>
> For !search the right command would actually be !search -p 85dba020 (-p to
> avoid sign-extending the pointer). I also usually change one of the bits in
> the value I’m searching for because !search will find values that differ by
> a single bit which can be noisy. (It works better on 64 bits because 64-bit
> pointers have more redundancy in the high bits.)
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
> Sent: Monday, April 29, 2013 2:41 PM
> To: Kernel Debugging Interest List
> Subject: Re: [windbg] process with no active threads what information can be
> gleaned from it using windbg
>
> Thank You Pavel For replying back
>
> the results are as follows ( i assume 85dba201 is a typo or should i use
> the delta ? ) and by refcount did you mean pointer count it seems doing
> !object on the EPROCESS yields one handle count and two pointer counts but
> !handle says it cant read handle table and !search yields no results (with 0
> Delta)
>
>
> results as follows
>
> lkd> !object 85dba020
> Object: 85dba020 Type: (86dc6e38) Process
> ObjectHeader: 85dba008 (old version)
> HandleCount: 1 PointerCount: 2
> lkd> .process /p /r 85dba020
> Implicit process is now 85dba020
> Loading User Symbols
> PEB is paged out (Peb.Ldr = 7ffde00c). Type “.hh dbgerr001” for details
> lkd> !handle
>
> PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
> DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
> Image: wq3qef54.exe
>
> 00000000: Unable to read handle table
>
> lkd> !search 85dba020
> Searching PFNs in range 00000001 - 0003F679 for [FFFFFFFF85DBA020 -
> FFFFFFFF85DB A020]
>
> Pfn Offset Hit Va Pte
> - - - - - - - - - - - - - - - - - - - - - - - - - - - Search done.
> lkd>
>
>
>
>
>
> On 4/30/13, Pavel Lebedynskiy wrote:
>> There are likely outstanding open handles and/or pointer references to
>> this process. Try !object 85dba020. If it says handle count is
>> non-zero, use !handle to find which processes hold those handles. If
>> handle count is zero but refcount is not you can try !search 85dba021
>> and if you’re lucky it might point you to a driver that’s leaking
>> references. If !search doesn’t show anything interesting you’ll have
>> to use something like !obtrace to trace all ref/deref calls.
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>> Sent: Monday, April 29, 2013 1:48 PM
>> To: Kernel Debugging Interest List
>> Subject: [windbg] process with no active threads what information can
>> be gleaned from it using windbg
>>
>> what further info can be deduced from the information the below
>> process seems to run but windbg says no active threads ?
>> so on whose back this is piggybacking ( i mean how to find the pig
>> that is backing this ? ) no handles ? no object table ?
>>
>>
>>
>> i also can see two explorer instance one 2 days old and not having
>> active thread ??
>> another 1 day old and having threads ?
>>
>> what mean no active threads ? ( i mean can passive threads if any can
>> be put to use to run something ? )
>>
>> this is a vm that doesnt have /debug so i cant attach kd
>>
>> what further info (maximum that is possible that could be learnt
>> passively using lkd or whatever !! before resorting to third degree
>> from the paste below
>>
>>
>> lkd> .process /p /r 85dba020
>> Implicit process is now 85dba020
>> Loading User Symbols
>> PEB is paged out (Peb.Ldr = 7ffde00c). Type “.hh dbgerr001” for
>> details
>> lkd> !process 85dba020 17
>> PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid:
>> 08e8
>> DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
>> Image: wq3qef54.exe
>> VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 49. Locked 0.
>> DeviceMap e3059d10
>> Token e5146030
>> ElapsedTime 01:46:41.250
>> UserTime 00:00:00.046
>> KernelTime 00:00:00.171
>> QuotaPoolUsage[PagedPool] 0
>> QuotaPoolUsage[NonPagedPool] 0
>> Working Set Sizes (now,min,max) (8, 50, 345) (32KB, 200KB, 1380KB)
>> PeakWorkingSetSize 685
>> VirtualSize 26 Mb
>> PeakVirtualSize 29 Mb
>> PageFaultCount 694
>> MemoryPriority BACKGROUND
>> BasePriority 8
>> CommitCharge 0
>>
>> No active threads
>>
>> lkd> !process 0 0 explorer.exe
>> PROCESS 863fc320 SessionId: 0 Cid: 017c Peb: 7ffdf000 ParentCid: 07f4
>> DirBase: 107002e0 ObjectTable: 00000000 HandleCount: 0.
>> Image: explorer.exe
>>
>> PROCESS 860009c8 SessionId: 0 Cid: 0424 Peb: 7ffda000 ParentCid: 0cc4
>> DirBase: 10700440 ObjectTable: e1c92a20 HandleCount: 826.
>> Image: explorer.exe
>>
>> lkd> .process /p /r 863fc320
>> Implicit process is now 863fc320
>> Loading User Symbols
>> PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
>> lkd> !process 863fc320 17
>> PROCESS 863fc320 SessionId: 0 Cid: 017c Peb: 7ffdf000 ParentCid: 07f4
>> DirBase: 107002e0 ObjectTable: 00000000 HandleCount: 0.
>> Image: explorer.exe
>> VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 929127. Locked 0.
>> DeviceMap e3059d10
>> Token e36d1438
>> ElapsedTime 2 Days 11:26:33.468
>> UserTime 00:04:15.703
>> KernelTime 00:02:14.125
>> QuotaPoolUsage[PagedPool] 0
>> QuotaPoolUsage[NonPagedPool] 0
>> Working Set Sizes (now,min,max) (14, 50, 345) (56KB, 200KB, 1380KB)
>> PeakWorkingSetSize 15789
>> VirtualSize 157 Mb
>> PeakVirtualSize 500 Mb
>> PageFaultCount 1042096
>> MemoryPriority BACKGROUND
>> BasePriority 8
>> CommitCharge 0
>>
>> No active threads
>>
>> lkd> !process 860009c8 17
>> PROCESS 860009c8 SessionId: 0 Cid: 0424 Peb: 7ffda000 ParentCid: 0cc4
>> DirBase: 10700440 ObjectTable: e1c92a20 HandleCount: 826.
>> Image: explorer.exe
>> VadRoot 8601f920 Vads 539 Clone 0 Private 14425. Modified 397280. Locked 0.
>> DeviceMap e3059d10
>> Token e4606030
>> ElapsedTime 1 Day 07:38:39.984
>> UserTime 00:04:30.890
>> KernelTime 00:01:56.984
>> QuotaPoolUsage[PagedPool] 269404
>> QuotaPoolUsage[NonPagedPool] 24200
>> Working Set Sizes (now,min,max) (6962, 50, 345) (27848KB, 200KB, 1380KB)
>> PeakWorkingSetSize 15329
>> VirtualSize 210 Mb
>> PeakVirtualSize 234 Mb
>> PageFaultCount 524892
>> MemoryPriority BACKGROUND
>> BasePriority 8
>> CommitCharge 17170
>>
>> THREAD 85ccfc78 Cid 0424.0f60 Teb: 7ffdf000 Win32Thread: e2b2cb50 WAIT: (WrUserRequest) UserMode Non-Alertable
>> 86596970 SynchronizationEvent
>> Not impersonating
>> DeviceMap e3059d10
>> Owning Process 0 Image:
>> Attached Process 860009c8 Image: explorer.exe
>> Wait Start TickCount 13693288 Ticks: 10206 (0:00:02:39.468)
>> Context Switch Count 45600 LargeStack
>> UserTime 00:00:07.546
>> KernelTime 00:00:14.109
>> *** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\explorer.exe
>> Win32 Start Address explorer (0x0101a55f)
>> Start Address KERNEL32!BaseProcessStartThunk (0x7c810705)
>> Stack Init a862f000 Current a862ecb0 Base a862f000 Limit a862b000 Call 0
>>
>> Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
>> Kernel stack not resident.
>>
>> THREAD 86568c88 Cid 0424.0c4c Teb: 7ffdd000 Win32Thread: e3865690 WAIT: (Unknown) UserMode Non-Alertable
>> 85ff1fc0 Semaphore Limit 0x7fffffff
>>
>> lkd>
>>
>> —
>> WINDBG is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>>
>>
>>

Does loading a process in a debugger that uses
ZwSetInformationThread with ThreadInfoClass HideThreadFromDebugger
leave the process in such a ghosted state?

The code below, compiled and run in a debugger, jumps out of the debugger
(well, that is kind of expected, as no debugging event will be generated
on using that specific ThreadInfoClass).

After closing the debugger I can't see this process in Task Manager.

I have a cmd screen open on my desktop in a non-closable state (it doesn't
respond to clicking on the X in the right-hand corner) (but it is
minimizable and maximizable),

and it has no active threads:

#include <stdio.h>
#include <windows.h>

/* ZwSetInformationThread is not declared in the SDK headers; declare it here
   and call it through a typed pointer instead of relying on eax after
   GetProcAddress (which is what the original inline asm did). */
typedef LONG (NTAPI *PFN_ZwSetInformationThread)(HANDLE ThreadHandle,
                                                 ULONG ThreadInformationClass,
                                                 PVOID ThreadInformation,
                                                 ULONG ThreadInformationLength);
#define ThreadHideFromDebugger 17 /* 0x11 */

int main(void)
{
    PFN_ZwSetInformationThread pZwSetInformationThread;

    printf("lets call ZwSetInformationThread api to hide this exe from debugger\n");
    pZwSetInformationThread = (PFN_ZwSetInformationThread)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwSetInformationThread");
    if (pZwSetInformationThread == NULL)
        return 1;

    /* hide the current thread: the debugger gets no further events for it */
    pZwSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0);

    _asm
    {
        /* eb fe = jmp $ : spin here forever so the process stays alive */
        _emit 0xeb
        _emit 0xfe
    }
    printf("you see this but it is not steppable in debugger\n");
    return 0;
}

C:>tasklist /fi "imagename eq t*"

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ========
tasklist.exe 2532 Console 0 7,232 K

C:>kd -kl -c "!process 0 17 testtubebaby.exe"

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86

lkd> kd: Reading initial command '!process 0 17 testtubebaby.exe'

PROCESS 86871da0 SessionId: 0 Cid: 0bf8 Peb: 7ffd8000 ParentCid: 0a5c
DirBase: 108802e0 ObjectTable: 00000000 HandleCount: 0.
Image: testtubebaby.exe
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 99. Locked 0.
DeviceMap e2f788c0
Token e45e1690
ElapsedTime 00:11:01.453
UserTime 00:00:53.937
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (7, 50, 345) (28KB, 200KB, 1380KB)
PeakWorkingSetSize 452
VirtualSize 22 Mb
PeakVirtualSize 23 Mb
PageFaultCount 463
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 0

No active threads

!object 86871da0
Object: 86871da0 Type: (86dc6e38) Process
ObjectHeader: 86871d88 (old version)
HandleCount: 1 PointerCount: 2
lkd> .process /p /r 86871da0
Implicit process is now 86871da0
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details
!handle

PROCESS 86871da0 SessionId: 0 Cid: 0bf8 Peb: 7ffd8000 ParentCid: 0a5c
DirBase: 108802e0 ObjectTable: 00000000 HandleCount: 0.
Image: testtubebaby.exe

00000000: Unable to read handle table

!search -p 86871da1
Searching PFNs in range 00000001 - 0003F679 for [86871DA1 - 86871DA1]

Pfn Offset Hit Va Pte
- - - - - - - - - - - - - - - - - - - - - - - - - - -
00001AE7 00000534 86871DA0 01AE7534 0000D738
00005BAC 00000BD4 86871DA0 85BACBD4 C042DD60
85bacb70+0x64 : Thre (Protected) – Thread objects
00005BAC 00000DB0 86871DA0 85BACDB0 C042DD60
85bacb70+0x240 : Thre (Protected) – Thread objects
00005DA6 00000584 86871DA0 85DA6584 C042ED30
85da6580+0x4 : … (Free Protected) : No pool tag description
0000D8BE 00000CA8 86871DA0 00075CA8 C00003A8
000176B2 00000F44 86871DA0 00633F44 C0003198
000200A6 00000800 86871DA1 0007D800 C00003E8
000200A6 00000B38 86871DA1 0007DB38 C00003E8
000200A6 00000CB0 86871DA1 0007DCB0 C00003E8
000200A6 00000D40 86871DA1 0007DD40 C00003E8
000200A6 00000D48 86871DA1 0007DD48 C00003E8
00029BFE 000007F0 86871DA1 E408C7F0 C0720460
0002A262 00000D98 86871DA0 E3832D98 C071C190
e3832d60+0x38 : MmSt – Mm section object prototype ptes
00035427 00000FE0 86871DA0 00038FE0 C00001C0
Search done.
lkd> !handle 0 3 86871da0 Process

Searching for handles of type Process
PROCESS 86871da0 SessionId: 0 Cid: 0bf8 Peb: 7ffd8000 ParentCid: 0a5c
DirBase: 108802e0 ObjectTable: 00000000 HandleCount: 0.
Image: testtubebaby.exe

00000000: Unable to read handle table

lkd>

lkd> dt nt!_EPROCESS 86871da0 -y Debu -y Ima
+0x0bc DebugPort : (null)
+0x174 ImageFileName : [16] "testtubebaby.ex"
lkd>

lkd> dt nt!_EPROCESS Pcb.ThreadListHead.flink 86871da0
+0x000 Pcb :
+0x050 ThreadListHead : [0x86871df0 - 0x86871df0]
+0x000 Flink : 0x86871df0 _LIST_ENTRY [ 0x86871df0 - 0x86871df0]
!walklist 86871df0
Assuming next field's offset is +8.
Searching Session CURRENT list @ 86871df0 for 00000000
Couldn't find 00000000 after walking 0 linked list entries.
lkd> dl 86871df0
86871df0 86871df0 86871df0 00000000 00000001
!list 86871df0
86871df0 86871df0 86871df0 00000000 00000001
86871e00 06080000 00000000 32000000 00000000
86871e10 8b35e8a8 01ce4a16 b481637c 01ce4a16
86871e20 00000001 00000bf8 86871868 85efa858
86871e30 00000000 00000000 00000000 00000bf0
86871e40 00003974 0000008d 00000000 01765000
86871e50 01648000 f7b90014 85da7914 00000000
86871e60 e1f3f2a8 00000000 e45e1697 00000001

!dflink 86871df0
86871df0 86871df0 86871df0 00000000 00000001
0x1 entries dumped

lkd> !dblink 86871df0
86871df0 86871df0 86871df0 00000000 00000001
0x1 entries dumped
lkd>

On 4/30/13, raj_r wrote:
> Thanks once again, Pavel.
>
> !handle 0 3 0 means
>
> !handle , basic handle info | info about objects ,
> SystemProcess (pid = 0) ?? ,
> EPROCESS ??
>
> or
>
> !handle , binfo | abouob , Systemprocess (pid ==0) ?? ,
> " ??
>
>
> or !handle binfo | abouob , EPROCESS , “PROCESS”
>
> anyway dumping info for all three variations
>
> lkd> !grep -i -e "85dba020" -c "!handle 0 3 0 85dba020"
> !handle 0 3 0 85dba020
>
> 0114: Object: 85dba020 GrantedAccess: 001f0fff Entry: e1f8c228
> Object: 85dba020 Type: (86dc6e38) Process
> PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
>
> lkd> !grep -i -e "85dba020" -c "!handle 0 3 0 Process"
>
> 0114: Object: 85dba020 GrantedAccess: 001f0fff Entry: e1f8c228
> Object: 85dba020 Type: (86dc6e38) Process
> PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
> lkd> !grep -i -e "85dba020" -c "!handle 0 3 85dba020 Process"
>
> !handle 0 3 85dba020 Process
> PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
>
> lkd> !handle 0 3 85dba020 Process
>
> Searching for handles of type Process
> PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
> DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
> Image: wq3qef54.exe
>
> 00000000: Unable to read handle table
>
> Where is it hiding :) and what is it doing?
>
>
>
> On 4/30/13, Pavel Lebedynskiy wrote:
>> You want to search handle tables of other processes to see which one holds
>> the handle to the leaked process:
>>
>> !handle 0 3 0 Process
>>
>> For !search the right command would actually be !search -p 85dba020 (-p to
>> avoid sign-extending the pointer). I also usually change one of the bits in
>> the value I'm searching for because !search will find values that differ by
>> a single bit which can be noisy. (It works better on 64 bits because 64-bit
>> pointers have more redundancy in the high bits.)
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>> Sent: Monday, April 29, 2013 2:41 PM
>> To: Kernel Debugging Interest List
>> Subject: Re: [windbg] process with no active threads what information can
>> be gleaned from it using windbg
>>
>> Thank you, Pavel, for replying back.
>>
>> The results are as follows (I assume 85dba201 is a typo, or should I use
>> the delta?) and by refcount did you mean pointer count? It seems doing
>> !object on the EPROCESS yields one handle count and two pointer counts but
>> !handle says it can't read the handle table and !search yields no results
>> (with 0 delta).
>>
>>
>> results as follows
>>
>> lkd> !object 85dba020
>> Object: 85dba020 Type: (86dc6e38) Process
>> ObjectHeader: 85dba008 (old version)
>> HandleCount: 1 PointerCount: 2
>> lkd> .process /p /r 85dba020
>> Implicit process is now 85dba020
>> Loading User Symbols
>> PEB is paged out (Peb.Ldr = 7ffde00c). Type “.hh dbgerr001” for details
>> lkd> !handle
>>
>> PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
>> DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
>> Image: wq3qef54.exe
>>
>> 00000000: Unable to read handle table
>>
>> lkd> !search 85dba020
>> Searching PFNs in range 00000001 - 0003F679 for [FFFFFFFF85DBA020 - FFFFFFFF85DBA020]
>>
>> Pfn Offset Hit Va Pte
>> - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> Search done.
>> lkd>
>>
>>
>>
>>
>>
>> On 4/30/13, Pavel Lebedynskiy wrote:
>>> There are likely outstanding open handles and/or pointer references to
>>> this process. Try !object 85dba020. If it says handle count is
>>> non-zero, use !handle to find which processes hold those handles. If
>>> handle count is zero but refcount is not you can try !search 85dba021
>>> and if you’re lucky it might point you to a driver that’s leaking
>>> references. If !search doesn’t show anything interesting you’ll have
>>> to use something like !obtrace to trace all ref/deref calls.
>>>
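Pavel's triage in this thread (read the handle and pointer counts from `!object`, then `!handle 0 3 0 Process`, then `!search -p`, then `!obtrace`) and the ghost signature visible in the `!process` dumps (ObjectTable 00000000, VadRoot 00000000, no threads) can be applied to pasted output mechanically. The script below is an added example, my code rather than anything posted by raj_r or Pavel or shipped with WinDbg; the sample text is trimmed from the debugger output quoted above, and the 0x80000000 user/kernel split assumes a 32-bit x86 target booted without /3GB.

```python
"""Triage pasted WinDbg output: '!process 0 17' records, '!object' counts,
'!search' hits. Added example, not code from the thread's participants; the
sample text is trimmed from the output quoted in the thread."""
import re
from dataclasses import dataclass

PROCESS_DUMP = """\
PROCESS 85dba020 SessionId: 0 Cid: 09d8 Peb: 7ffde000 ParentCid: 08e8
DirBase: 10700320 ObjectTable: 00000000 HandleCount: 0.
Image: wq3qef54.exe
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 49. Locked 0.

No active threads

PROCESS 860009c8 SessionId: 0 Cid: 0424 Peb: 7ffda000 ParentCid: 0cc4
DirBase: 10700440 ObjectTable: e1c92a20 HandleCount: 826.
Image: explorer.exe
VadRoot 8601f920 Vads 539 Clone 0 Private 14425. Modified 397280. Locked 0.

THREAD 85ccfc78 Cid 0424.0f60 Teb: 7ffdf000 Win32Thread: e2b2cb50 WAIT
THREAD 86568c88 Cid 0424.0c4c Teb: 7ffdd000 Win32Thread: e3865690 WAIT
"""

SEARCH_DUMP = """\
00001AE7 00000534 86871DA0 01AE7534 0000D738
00005BAC 00000BD4 86871DA0 85BACBD4 C042DD60
85bacb70+0x64 : Thre (Protected) - Thread objects
00005BAC 00000DB0 86871DA0 85BACDB0 C042DD60
00005DA6 00000584 86871DA0 85DA6584 C042ED30
0000D8BE 00000CA8 86871DA0 00075CA8 C00003A8
000200A6 00000800 86871DA1 0007D800 C00003E8
00029BFE 000007F0 86871DA1 E408C7F0 C0720460
0002A262 00000D98 86871DA0 E3832D98 C071C190
e3832d60+0x38 : MmSt - Mm section object prototype ptes
Search done.
"""


@dataclass
class ProcessInfo:
    eprocess: int
    image: str
    object_table: int
    handle_count: int
    vad_root: int
    threads: int

    def is_ghost(self):
        # Threads gone, handle table and address space torn down: only handles
        # or pointer references held elsewhere keep this EPROCESS alive.
        return self.threads == 0 and self.object_table == 0 and self.vad_root == 0


def parse_processes(text):
    """Split '!process' output into one ProcessInfo per PROCESS block."""
    procs = []
    for chunk in re.split(r"(?m)^(?=PROCESS [0-9a-fA-F]+ )", text):
        head = re.match(r"PROCESS ([0-9a-fA-F]+) ", chunk)
        if not head:
            continue
        table = re.search(r"ObjectTable: ([0-9a-fA-F]+)\s+HandleCount: (\d+)", chunk)
        image = re.search(r"Image: (\S+)", chunk)
        vad = re.search(r"VadRoot ([0-9a-fA-F]+)", chunk)
        procs.append(ProcessInfo(
            eprocess=int(head.group(1), 16),
            image=image.group(1) if image else "?",
            object_table=int(table.group(1), 16) if table else 0,
            handle_count=int(table.group(2)) if table else 0,
            vad_root=int(vad.group(1), 16) if vad else 0,
            threads=len(re.findall(r"(?m)^\s*THREAD [0-9a-fA-F]+ ", chunk))))
    return procs


def next_step(eprocess, handle_count, pointer_count):
    """Pavel's order of attack in the thread, driven by the '!object' counts."""
    if handle_count > 0:
        return "!handle 0 3 0 Process"       # which process holds a handle?
    if pointer_count > 0:
        return "!search -p %08x" % eprocess  # -p: no sign extension on x86
    return "!obtrace"                        # trace the ref/deref calls


HIT_RE = re.compile(r"(?m)^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})"
                    r"\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s*$")


def classify_hits(text, target, kernel_base=0x80000000):
    """Tag each '!search' hit with its bit distance from the pattern (the tool
    also reports values one bit away) and whether its VA is in the kernel half
    (assumption: 32-bit x86 without /3GB). Pool-tag lines are skipped."""
    target &= 0xFFFFFFFF  # mask a sign-extended pattern to the 32-bit Hit column
    hits = []
    for _pfn, _off, hit, va, _pte in HIT_RE.findall(text):
        value, vaddr = int(hit, 16), int(va, 16)
        hits.append({"va": vaddr, "value": value,
                     "distance": bin(value ^ target).count("1"),
                     "kernel": vaddr >= kernel_base})
    return hits


def kernel_hits(text, target):
    """Kernel-VA hits only, exact matches first: the places to look at first."""
    return sorted((h for h in classify_hits(text, target) if h["kernel"]),
                  key=lambda h: (h["distance"], h["va"]))
```

`kernel_hits(SEARCH_DUMP, 0x86871da1)` returns the kernel-side hits with exact matches first; on the thread's data those are the two Thre (thread object) pool hits, the freed block and the MmSt prototype-PTE entry, while the 0007Dxxx user-range hits are most likely the pattern sitting in the debugger's own memory. The mask in `classify_hits` mirrors what `-p` does: without it raj_r's first `!search 85dba020` looked for FFFFFFFF85DBA020, a value no 32-bit pointer can equal, which is why it came back empty.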