
.pagein never works (for me)

Mauro_Leggieri Member Posts: 107
edited December 2019 in WINDBG

Hi, let's say I'm inspecting a process and found this:

THREAD ffffd6097211a700  Cid 0edc.0f40  Teb: 000000551979e000 Win32Thread: ffffd6095dbc7080 WAIT: (WrUserRequest) UserMode Non-Alertable
            ffffd60971c08f80  QueueObject
        Not impersonating
        DeviceMap                 ffffbf085d2e0fb0
        Owning Process            ffffd60971c66540       Image:         sihost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      333686         Ticks: 18333 (0:00:04:46.453)
        Context Switch Count      130            IdealProcessor: 1             
        UserTime                  00:00:00.015
        KernelTime                00:00:00.093
        Win32 Start Address combase!CRpcThreadCache::RpcWorkerThreadEntry (0x00007ffb2f187870)
        Stack Init ffff86047ae1bc90 Current ffff86047ae1b250
        Base ffff86047ae1c000 Limit ffff86047ae16000 Call 0000000000000000
        Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Kernel stack not resident.

and running !thread shows:

!thread ffffd6097211a700  
Unable to get field ReservedForNtRpc of type TEB at 0xffffd6097211a700

I have tried, without success, things like:

.pagein /f /p ffffd60971c66540 ffff86047ae16000

using kernel and user mode stack area addresses (the latter obtained from the TEB), but the pages are not loaded after the g command.

Are there some OS settings I'm forgetting to check, or some extra task I'm missing?

Thanks,
Mauro.
