Hi, let’s say I’m inspecting a process and find this:
THREAD ffffd6097211a700 Cid 0edc.0f40 Teb: 000000551979e000 Win32Thread: ffffd6095dbc7080 WAIT: (WrUserRequest) UserMode Non-Alertable
ffffd60971c08f80 QueueObject
Not impersonating
DeviceMap ffffbf085d2e0fb0
Owning Process ffffd60971c66540 Image: sihost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 333686 Ticks: 18333 (0:00:04:46.453)
Context Switch Count 130 IdealProcessor: 1
UserTime 00:00:00.015
KernelTime 00:00:00.093
Win32 Start Address combase!CRpcThreadCache::RpcWorkerThreadEntry (0x00007ffb2f187870)
Stack Init ffff86047ae1bc90 Current ffff86047ae1b250
Base ffff86047ae1c000 Limit ffff86047ae16000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
and running !thread shows:
!thread ffffd6097211a700
Unable to get field ReservedForNtRpc of type TEB at 0xffffd6097211a700
I tried, without success, things like:
.pagein /f /p ffffd60971c66540 ffff86047ae16000
using kernel-mode and user-mode stack area addresses (the latter obtained from the TEB), but the pages are not loaded after the g command.
Are there some OS settings I’m forgetting to check, or some extra task I’m missing?
Thanks,
Mauro.
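The `!thread` block quoted in the post is a fixed-format listing, and on a busy target you usually have dozens of them (for example from `!process 0 7`). What follows is an added example written for this page; it is not part of Mauro's post and not debugger tooling. It parses that listing into the fields that matter for this question: wait reason and mode, stack Base/Limit, owning process, and whether the kernel stack is resident ("Kernel stack not resident." is what the debugger prints, instead of a stack walk, once the balance set manager has swapped the stack of a thread that has sat in a long user-mode wait, which is exactly the WrUserRequest/UserMode state shown). It also derives the clock tick from the Ticks/elapsed pair the listing prints (18333 ticks against 0:00:04:46.453 gives 15.625 ms, the usual x64 value, which the code assumes as the default) and emits one `.pagein` per 4 KiB page of the [Limit, Base) range, since `.pagein` takes a single address. The second listing inside the sample is constructed for contrast; its addresses are invented. Whether `.pagein` then succeeds depends on the session: it needs a live kernel target that can run after `g`; against a dump there is nothing to page in.

```python
"""Parse WinDbg `!thread` listings and flag threads whose kernel stack is swapped out.

Added example, not from the original post. The field layout follows the listing quoted above;
the 15.625 ms clock tick (usual x64 value, KeMaximumIncrement = 156250 units of 100 ns) is an
assumption, cross-checked against the Ticks/elapsed pair that !thread prints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: block 1 is the listing from the post; block 2 is invented (same
# process, resident stack, abbreviated to the lines the parser reads) for contrast.
SAMPLE = """\
THREAD ffffd6097211a700 Cid 0edc.0f40 Teb: 000000551979e000 Win32Thread: ffffd6095dbc7080 WAIT: (WrUserRequest) UserMode Non-Alertable
    ffffd60971c08f80 QueueObject
Not impersonating
DeviceMap ffffbf085d2e0fb0
Owning Process ffffd60971c66540 Image: sihost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 333686 Ticks: 18333 (0:00:04:46.453)
Context Switch Count 130 IdealProcessor: 1
UserTime 00:00:00.015
KernelTime 00:00:00.093
Win32 Start Address combase!CRpcThreadCache::RpcWorkerThreadEntry (0x00007ffb2f187870)
Stack Init ffff86047ae1bc90 Current ffff86047ae1b250
Base ffff86047ae1c000 Limit ffff86047ae16000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
THREAD ffffd60972000100 Cid 0edc.0f44 Teb: 0000005519790000 Win32Thread: 0000000000000000 WAIT: (WrQueue) KernelMode Non-Alertable
    ffffd60971c08f80 QueueObject
Owning Process ffffd60971c66540 Image: sihost.exe
Wait Start TickCount 352000 Ticks: 19 (0:00:00:00.296)
Win32 Start Address ntdll!TppWorkerThread (0x00007ffb2f000000)
Base ffff86047ae2c000 Limit ffff86047ae26000 Call 0000000000000000
Child-SP          RetAddr           Call Site
ffff8604`7ae2b290 fffff802`1f0a1234 nt!KiSwapContext+0x76
"""

HEADER_RE = re.compile(r"^THREAD (?P<thread>[0-9a-f]+)\s+Cid (?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)(?:.*?WAIT: \((?P<reason>\w+)\) (?P<mode>\w+))?", re.M)
OWNER_RE = re.compile(r"^Owning Process (?P<addr>[0-9a-f]+)\s+Image: (?P<image>\S+)", re.M)
WAIT_RE = re.compile(r"^Wait Start TickCount \d+\s+Ticks: (?P<ticks>\d+) \((?P<elapsed>[\d:.]+)\)", re.M)
STACK_RE = re.compile(r"^Base (?P<base>[0-9a-f]+) Limit (?P<limit>[0-9a-f]+)", re.M)

@dataclass
class ThreadInfo:
    thread: int
    pid: int
    tid: int
    wait_reason: Optional[str]
    wait_mode: Optional[str]
    owning_process: Optional[int]
    image: Optional[str]
    wait_ticks: Optional[int]
    wait_seconds: Optional[float]
    stack_base: Optional[int]
    stack_limit: Optional[int]
    kernel_stack_resident: bool

def parse_elapsed(text: str) -> float:
    """'d:hh:mm:ss.mmm' as printed after Ticks -> seconds."""
    days, hours, minutes, seconds = text.split(":")
    return int(days) * 86400 + int(hours) * 3600 + int(minutes) * 60 + float(seconds)

def split_threads(text: str) -> List[str]:
    """One block per THREAD, e.g. from `!process 0 7` output."""
    return [b for b in re.split(r"(?m)^(?=THREAD )", text) if b.strip()]

def parse_thread(block: str) -> ThreadInfo:
    m = HEADER_RE.search(block)
    if m is None:
        raise ValueError("not a !thread block")
    owner, wait, stack = OWNER_RE.search(block), WAIT_RE.search(block), STACK_RE.search(block)
    return ThreadInfo(
        thread=int(m["thread"], 16), pid=int(m["pid"], 16), tid=int(m["tid"], 16),
        wait_reason=m["reason"], wait_mode=m["mode"],
        owning_process=int(owner["addr"], 16) if owner else None,
        image=owner["image"] if owner else None,
        wait_ticks=int(wait["ticks"]) if wait else None,
        wait_seconds=parse_elapsed(wait["elapsed"]) if wait else None,
        stack_base=int(stack["base"], 16) if stack else None,
        stack_limit=int(stack["limit"], 16) if stack else None,
        kernel_stack_resident="Kernel stack not resident." not in block,
    )

def tick_interval_ms(info: ThreadInfo) -> Optional[float]:
    """Clock tick implied by Ticks vs. elapsed time; expect ~15.625 on x64 (assumption above)."""
    if not info.wait_ticks or info.wait_seconds is None:
        return None
    return info.wait_seconds * 1000.0 / info.wait_ticks

def swapped_out(text: str) -> List[ThreadInfo]:
    """Threads whose kernel stack is not resident, i.e. the ones !thread cannot walk."""
    return [t for t in map(parse_thread, split_threads(text)) if not t.kernel_stack_resident]

def pagein_commands(info: ThreadInfo) -> List[str]:
    """One .pagein per 4 KiB page of [Limit, Base): the command takes a single address."""
    if info.stack_base is None or info.owning_process is None:
        return []
    return [f".pagein /f /p {info.owning_process:016x} {page:016x}"
            for page in range(info.stack_limit, info.stack_base, 0x1000)]
```

Feed it the text of a `!process 0 7` dump and `swapped_out()` returns the threads that will print "Kernel stack not resident." under `!thread`; `tick_interval_ms()` on any of them tells you whether the target really runs the assumed 15.625 ms tick before you trust wait durations computed from tick counts, and `pagein_commands()` covers the whole 24 KiB stack (Base minus Limit is 0x6000 in the post's listing) rather than the single Limit page the post tried.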