Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting... Please check out the Community Guidelines in the
Announcements and Administration Category, below.

LastError becomes ERROR_NO_MEMORY after (apparently successful) syscall?

On Win2012R2 I have a winlogon.exe thread that calls CreateWindowStation().

USERMODE: break at user32!NtUserCreateWindowStation
USERMODE: !gle: 0
USERMODE: step over syscall for NtUserCreateWindowStation

KERNMODE: break at win32k!NtUserCreateWindowStation
KERNMODE: !gle: 0
KERNMODE: step out of win32k!NtUserCreateWindowStation
KERNMODE: !gle: 0

USERMODE: break on instruction after syscall (ret)
USERMODE: !gle: 8 (ERROR_NO_MEMORY)

> LastErrorValue: (Win32) 0x8 (8) - Not enough storage is available to process this command.
> LastStatusValue: (NTSTATUS) 0xc0000017 - {Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.

Can anyone give a pointer or otherwise shed light on how or where this
error occurs? My goal is to figure out why the call fails, but I don't
understand where it comes from.

Thanks!

-Nathan

Comments

  • On 12/01/18 11:22 AM, xxxxx@spicycrypto.ca wrote:
    > On Win2012R2 I have a winlogon.exe thread that calls CreateWindowStation().
    >
    > USERMODE: break at user32!NtUserCreateWindowStation
    > USERMODE: !gle: 0
    > USERMODE: step over syscall for NtUserCreateWindowStation
    >
    > KERNMODE: break at win32k!NtUserCreateWindowStation
    > KERNMODE: !gle: 0
    > KERNMODE: step out of win32k!NtUserCreateWindowStation
    > KERNMODE: !gle: 0
    >
    > USERMODE: break on instruction after syscall (ret)
    > USERMODE: !gle: 8 (ERROR_NO_MEMORY)
    >
    >> LastErrorValue: (Win32) 0x8 (8) - Not enough storage is available to process this command.
    >> LastStatusValue: (NTSTATUS) 0xc0000017 - {Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.
    >
    > Can anyone give a pointer or otherwise shed light on how or where this
    > error occurs?
    Answer: !gle isn't strictly reliable in kernel mode. Instead break on
    win32k!UserSetLastError and look at rcx. (Which, curiously, may cause
    !gle to return the expected error value.)

    -Nathan
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!