
Work out why remote screen sharing driver causes wininit.exe to exit on startup

Malcolm_McCaffery Member - All Emails Posts: 9
On a Windows 8.1 device, with a kernel debugger attached, I am trying to
work out why wininit.exe is terminating during startup, i.e. what causes
it to call ntdll!RtlExitUserProcess. Through trial and error I have
worked out it is related to 3rd party remote screen sharing drivers;
disabling them stops wininit.exe from terminating. However, I am now trying
to work out why, because these same driver versions on other machines
don't cause this problem... Any suggestions?

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is: srv*
Windows 8.1 Kernel Version 9600 MP (1 procs) Free x64
Built by: 9600.18589.amd64fre.winblue_ltsb.170204-0600
Machine Name:
Kernel base = 0xfffff802`46e09000 PsLoadedModuleList = 0xfffff802`470dc670
System Uptime: 0 days 0:00:00.230
KDTARGET: Refreshing KD connection

*** Unhandled exception 0xc0000008, hit in
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,20480,768 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16:
*** enter .exr 000000890852F480 for the exception record
*** enter .cxr 000000890852EE70 for the context
*** then kb to get the faulting stack
Break instruction exception - code 80000003 (first chance)
rax=0000000000000000 rbx=0000000000000065 rcx=9e66b3d5c9350000
rdx=0000000000000028 rsi=0000000000000000 rdi=0000000000000001
rip=00007ffd0984b360 rsp=000000890852e3f0 rbp=000000890852fa30
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=00007ffd097f73e0 r13=00000089085f199c
r14=000000890852e560 r15=000000890852f480
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!RtlUnhandledExceptionFilter2+0x340:
0033:00007ffd`0984b360 cc int 3
kd> bp ntdll!RtlExitUserProcess
kd> g
Breakpoint 0 hit
rax=0000000000000000 rbx=000000000000000e rcx=000000000000000e
rdx=0000000000000000 rsi=000000ad68f71220 rdi=000000ad68f71218
rip=00007ffd09778490 rsp=000000ad68ccf708 rbp=0000000000000000
r8=000000000000007e r9=0000000000000054 r10=000000000000009e
r11=0000000000000288 r12=000000ad68f71220 r13=000000000000000e
r14=0000000000000000 r15=000000ad68f71228
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!RtlExitUserProcess:
0033:00007ffd`09778490 48895c2410 mov qword ptr [rsp+10h],rbx
ss:002b:000000ad`68ccf718=0000000000000000
kd> kv
# Child-SP RetAddr : Args to Child
: Call Site
00 000000ad`68ccf708 00007ffd`0962516a : 00000000`0000000e
00000000`00000000 000000ad`68f71220 00007ffd`097b5f67 :
ntdll!RtlExitUserProcess
01 000000ad`68ccf710 00000000`0000000e : 00000000`00000000
000000ad`68f71220 00007ffd`097b5f67 000000ad`68f71218 :
0x00007ffd`0962516a
02 000000ad`68ccf718 00000000`00000000 : 000000ad`68f71220
00007ffd`097b5f67 000000ad`68f71218 00007ffd`084b71d5 : 0xe
kd> !process ffffe000`3f3db8c0 7
PROCESS ffffe0003f3db8c0
SessionId: 0 Cid: 023c Peb: 7ff7f5c4f000 ParentCid: 01e0
DirBase: 17be3000 ObjectTable: ffffc0017b562280 HandleCount:
<Data Not Accessible>
Image: wininit.exe
VadRoot ffffe0003f3d83d0 Vads 42 Clone 0 Private 190. Modified 42. Locked 0.
DeviceMap ffffc0017600d800
Token ffffc0017cace1c0
ElapsedTime 00:00:14.227
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 85928
QuotaPoolUsage[NonPagedPool] 5360
Working Set Sizes (now,min,max) (927, 50, 345) (3708KB, 200KB, 1380KB)
PeakWorkingSetSize 888
VirtualSize 2097192 Mb
PeakVirtualSize 2097196 Mb
PageFaultCount 1009
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 244
THREAD ffffe0003f3dc880 Cid 023c.0240 Teb: 00007ff7f5c4d000
Win32Thread: fffff901400e3b50 RUNNING on processor 0
Not impersonating
DeviceMap ffffc0017600d800
Owning Process ffffe0003f3db8c0 Image:
wininit.exe
Attached Process N/A Image: N/A
Wait Start TickCount 819 Ticks: 0
Context Switch Count 197 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.125
Win32 Start Address 0x00007ff7f6bb7bb0
Stack Init ffffd0012f1aab90 Current ffffd0012f1aa300
Base ffffd0012f1ab000 Limit ffffd0012f1a4000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr : Args to Child
: Call Site
000000ad`68ccf708 00007ffd`0962516a : 00000000`0000000e
00000000`00000000 000000ad`68f71220 00007ffd`097b5f67 :
ntdll!RtlExitUserProcess
000000ad`68ccf710 00000000`0000000e : 00000000`00000000
000000ad`68f71220 00007ffd`097b5f67 000000ad`68f71218 :
0x00007ffd`0962516a
000000ad`68ccf718 00000000`00000000 : 000000ad`68f71220
00007ffd`097b5f67 000000ad`68f71218 00007ffd`084b71d5 : 0xe
THREAD ffffe0004059e880 Cid 023c.0254 Teb: 00007ff7f5c4b000
Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffffe0003f1d5440 QueueObject
Not impersonating
DeviceMap ffffc0017600d800
Owning Process ffffe0003f3db8c0 Image:
wininit.exe
Attached Process N/A Image: N/A
Wait Start TickCount 779 Ticks: 40 (0:00:00:00.625)
Context Switch Count 6 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x00007ffd097989b0)
Stack Init ffffd0012edd7b90 Current ffffd0012edd7330
Base ffffd0012edd8000 Limit ffffd0012edd1000 Call 0000000000000000
Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr : Args to Child
: Call Site
ffffd001`2edd7370 fffff802`46e9cf1e : fffff802`47106180
ffffe000`4059e880 00000000`fffffffe 00000000`00000000 :
nt!KiSwapContext+0x76
ffffd001`2edd74b0 fffff802`46e9c999 : ffffe000`4059e880
00000000`00000001 ffffe000`3dfd7010 ffffd001`2edd7688 :
nt!KiSwapThread+0x14e
ffffd001`2edd7550 fffff802`46e9b908 : 00000000`00000000
00000000`00000000 ffffd001`000000cc fffff802`46e38194 :
nt!KiCommitThreadWait+0x129
ffffd001`2edd75d0 fffff802`46e9af6a : ffffe000`3f1d5440
00000000`00000001 ffffe000`3f3cd801 ffffe000`00000002 :
nt!KeRemoveQueueEx+0x788
ffffd001`2edd7650 fffff802`46e9a5fb : 00000000`00000000
00000000`00000000 00000000`00000000 00000000`00000000 :
nt!IoRemoveIoCompletion+0x8a
ffffd001`2edd7770 fffff802`46f62ab3 : 00000000`0000002c
000000ad`68d10d70 00000000`00000010 000000ad`68fffaa8 :
nt!NtWaitForWorkViaWorkerFactory+0x30b
ffffd001`2edd7990 00007ffd`097f21aa : 00007ffd`097990f6
00000000`00000000 00007ffd`0979acf0 00000000`00000010 :
nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd001`2edd7a00)
000000ad`68fffa28 00007ffd`097990f6 : 00000000`00000000
00007ffd`0979acf0 00000000`00000010 000000ad`68d110f0 :
ntdll!NtWaitForWorkViaWorkerFactory+0xa
000000ad`68fffa30 00007ffd`096213d2 : 00000000`00000000
00007ffd`097989b0 000000ad`68d17650 00000000`00000000 :
ntdll!TppWorkerThread+0x746
000000ad`68fffe10 00000000`00000000 : 00007ffd`097989b0
000000ad`68d17650 00000000`00000000 00007ffd`097989b0 :
0x00007ffd`096213d2
THREAD ffffe0003f3cd880 Cid 023c.0260 Teb: 00007ff7f5c49000
Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffffe0003f1d5440 QueueObject
Not impersonating
DeviceMap ffffc0017600d800
Owning Process ffffe0003f3db8c0 Image:
wininit.exe
Attached Process N/A Image: N/A
Wait Start TickCount 779 Ticks: 40 (0:00:00:00.625)
Context Switch Count 1 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x00007ffd097989b0)
Stack Init ffffd0012f08ab90 Current ffffd0012f08a330
Base ffffd0012f08b000 Limit ffffd0012f084000 Call 0000000000000000
Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr : Args to Child
: Call Site
ffffd001`2f08a370 fffff802`46e9cf1e : fffff802`47106180
ffffe000`3f3cd880 00000000`fffffffe 00000000`00000000 :
nt!KiSwapContext+0x76
ffffd001`2f08a4b0 fffff802`46e9c999 : ffffe000`3f3cd880
00000000`00000000 00000000`00000000 00000000`00000000 :
nt!KiSwapThread+0x14e
ffffd001`2f08a550 fffff802`46e9b908 : 00000000`00000000
00000000`00000000 ffffe000`000000cc 00000000`00000000 :
nt!KiCommitThreadWait+0x129
ffffd001`2f08a5d0 fffff802`46e9af6a : ffffe000`3f1d5440
00000000`00000001 00000000`00000001 00000000`00000002 :
nt!KeRemoveQueueEx+0x788
ffffd001`2f08a650 fffff802`46e9a5fb : 00000000`00000000
00000000`00000000 00000000`00000000 00000000`00000000 :
nt!IoRemoveIoCompletion+0x8a
ffffd001`2f08a770 fffff802`46f62ab3 : 00000000`0000002c
000000ad`68d13bb0 ffffe000`00000010 000000ad`6977fad8 :
nt!NtWaitForWorkViaWorkerFactory+0x30b
ffffd001`2f08a990 00007ffd`097f21aa : 00007ffd`097990f6
00007ffd`097989b0 00000000`00000003 000000ad`68d17650 :
nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd001`2f08aa00)
000000ad`6977fa58 00007ffd`097990f6 : 00007ffd`097989b0
00000000`00000003 000000ad`68d17650 000000ad`68d17650 :
ntdll!NtWaitForWorkViaWorkerFactory+0xa
000000ad`6977fa60 00007ffd`096213d2 : 00000000`00000000
00007ffd`097989b0 000000ad`68d17650 00000000`00000000 :
ntdll!TppWorkerThread+0x746
000000ad`6977fe40 00000000`00000000 : 00007ffd`097989b0
000000ad`68d17650 00000000`00000000 00007ffd`097989b0 :
0x00007ffd`096213d2

regs

Malcolm