Disable paging of user mode stack

Is there a way to disable the user mode stack from being paged out for a particular process? This would be useful for debugging deadlocks where we have a full memory dump but the thread is blocked in user mode. If the user mode stack is paged out we get a stack that might look like the one below which is not terribly useful.

82483a5c 81ab5a62 0036cf00 00000000 896f7040 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])
82483ab8 81ab5501 8988d0f0 896f7040 00000100 nt!KiSwapThread+0x172 (FPO: [Non-Fpo])
82483aec 81ab34d6 00000000 00000000 b680cc40 nt!KiCommitThreadWait+0x141 (FPO: [3,7,4])
82483ba0 81ce1bd3 8988d0f0 00000006 00000001 nt!KeWaitForSingleObject+0x176 (FPO: [5,37,4])
82483c00 81b7e6f7 84d77630 00000000 00000000 nt!NtWaitForSingleObject+0xd3 (FPO: [Non-Fpo])
82483c00 77b6f804 84d77630 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 82483c14)
0e2ff330 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

There is a way to disable paging of kernel stacks but based on the description below I doubt it would solve this problem.

https://msdn.microsoft.com/en-us/library/windows/hardware/ff541920(v=vs.85).aspx

Are you sure this is a full (not kernel) dump, and you have switched to the right process context using .process /p ? Can you see any other user mode state (like !peb) in this process?

If this memory is really paged out, one option you could try is simply disabling the pagefile.

If the system is responsive when this happens you can also try capturing a separate user mode dump of the process (and as a side effect, this will page in all the stacks and other memory in the process, so it will be present in the kernel dump as well).

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Thursday, May 19, 2016 11:48 AM
To: Kernel Debugging Interest List
Subject: [windbg] Disable paging of user mode stack

Is there a way to disable the user mode stack from being paged out for a particular process? This would be useful for debugging deadlocks where we have a full memory dump but the thread is blocked in user mode. If the user mode stack is paged out we get a stack that might look like the one below which is not terribly useful.

82483a5c 81ab5a62 0036cf00 00000000 896f7040 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])
82483ab8 81ab5501 8988d0f0 896f7040 00000100 nt!KiSwapThread+0x172 (FPO: [Non-Fpo])
82483aec 81ab34d6 00000000 00000000 b680cc40 nt!KiCommitThreadWait+0x141 (FPO: [3,7,4])
82483ba0 81ce1bd3 8988d0f0 00000006 00000001 nt!KeWaitForSingleObject+0x176 (FPO: [5,37,4])
82483c00 81b7e6f7 84d77630 00000000 00000000 nt!NtWaitForSingleObject+0xd3 (FPO: [Non-Fpo])
82483c00 77b6f804 84d77630 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 82483c14)
0e2ff330 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

There is a way to disable paging of kernel stacks but based on the description below I doubt it would solve this problem.

https://msdn.microsoft.com/en-us/library/windows/hardware/ff541920(v=vs.85).aspx


WINDBG is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

I get something like this when I do /p /r on the thread:

kd> .thread /p /r 0x896f7040
Implicit thread is now 896f7040
Implicit process is now aabc6040
Loading User Symbols

…Unable to read NT module Base Name string at 01126800 - NTSTATUS 0xC0000147

kd> !pte 01126800
VA 01126800
PDE at C0600040            PTE at C0008930
contains 000000002D23C867  contains 0002957400005080
pfn 2d23c ---DA--UWEV      not valid
                           PageFile: 0
                           Offset: 29574
                           Protect: 4 - ReadWrite

Live debugging would be difficult to set up in this case since we get these dumps from running stress automation in a VM farm.
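The !pte output in the post above can be reproduced from the raw PTE value alone, which helps when triaging many dumps for pages that are really in the pagefile versus merely in transition. This is an added example, not part of the original thread; the function names are hypothetical and the bit layout is an assumption (x86 PAE nt!_MMPTE_SOFTWARE, which can be checked with dt nt!_MMPTE_SOFTWARE on the dump being analysed).

```python
import re

# Assumed bit layout: x86 PAE nt!_MMPTE_SOFTWARE (not stated in the thread).
# Only "4 - ReadWrite" is confirmed by the !pte output quoted on this page.
PROTECT = {0: "NoAccess", 1: "ReadOnly", 2: "Execute", 3: "ExecuteRead",
           4: "ReadWrite", 5: "WriteCopy", 6: "ExecuteReadWrite",
           7: "ExecuteWriteCopy"}

def bits(value, shift, width):
    """Extract `width` bits of `value` starting at bit `shift`."""
    return (value >> shift) & ((1 << width) - 1)

def pte_from_output(text):
    """Return the PTE value: the last 'contains <hex>' field of !pte output."""
    values = re.findall(r"contains\s+([0-9A-Fa-f]{8,16})", text)
    if not values:
        raise ValueError("no 'contains' field found")
    return int(values[-1], 16)

def classify_pte(pte):
    """Return (state, details) for a raw 64-bit PAE PTE."""
    if pte & 1:                                  # hardware-valid: page is resident
        return "valid", {"pfn": bits(pte, 12, 40)}
    if pte == 0:                                 # nothing recorded; consult the VAD
        return "zero", {}
    prot = bits(pte, 5, 5)
    info = {"protect": prot, "protect_name": PROTECT.get(prot & 7, "?")}
    if bits(pte, 10, 1):                         # resolved through a prototype PTE
        return "prototype", info
    if bits(pte, 11, 1):                         # still in RAM (standby/modified)
        info["pfn"] = bits(pte, 12, 40)
        return "transition", info
    offset = bits(pte, 32, 32)
    if offset:                                   # contents live in a paging file
        info.update(pagefile=bits(pte, 1, 4), offset=offset)
        return "pagefile", info
    return "demand-zero", info                   # committed but never touched

# Sample input: the two value lines of the !pte output quoted in the post above.
SAMPLE = """\
PDE at C0600040 PTE at C0008930
contains 000000002D23C867 contains 0002957400005080
"""

if __name__ == "__main__":
    state, info = classify_pte(pte_from_output(SAMPLE))
    print(state, {k: hex(v) if isinstance(v, int) else v for k, v in info.items()})
```

For the PTE in this thread the result is the pagefile state with PageFile 0, Offset 29574 and Protect 4, matching what !pte printed.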

Pavel’s advice makes sense to me. Are you sure this is a full memory dump,
and if you know the processes you want to navigate and still have ability
to create new processes on the system then user mode dump will page them
back in.

Alternatively this setting has helped me before but may change the
performance profile in stress tests.

https://technet.microsoft.com/en-us/library/cc959492.aspx

DisablePagingExecutive REG_DWORD 0x1 -
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Tom

On Sat, May 21, 2016 at 12:57 AM, wrote:

> I get something like this when I do /p /r on the thread:
>
> kd> .thread /p /r 0x896f7040
> Implicit thread is now 896f7040
> Implicit process is now aabc6040
> Loading User Symbols
> …
> …Unable to read NT module Base Name string at 01126800 -
> NTSTATUS 0xC0000147
>
> kd> !pte 01126800
> VA 01126800
> PDE at C0600040            PTE at C0008930
> contains 000000002D23C867  contains 0002957400005080
> pfn 2d23c ---DA--UWEV      not valid
>                            PageFile: 0
>                            Offset: 29574
>                            Protect: 4 - ReadWrite
>
> Live debugging would be difficult to set up in this case since we get these
> dumps from running stress automation in a VM farm.