Deadlock on Vista RTM

Hi everybody!

I need your assistance…
Vista
There are C#A - the client application (currently with one thread), A#A - any arbitrary application, and C#T and A#T - the client thread and an arbitrary application thread, respectively.
In my FS filter driver I subscribe to LoadImageNotifyRoutine, in which the thread (C#T) waits for an event that can only be set from another application's (C#A) thread, which checks whether the image is OK and then calls a driver function to set it. But the thread (C#T) that gets the notifications also puts its results to a console, and just at that moment it hangs waiting on the ALPC csrss port. Also, at the same moment another application (A#A) is trying to map an image, calls my notify routine and waits for C#T to set the event, but C#T has already hung!

The system isn't responding because the subsystem is not responding (I guess).

kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks…

Resource @ 0x8339e430 Exclusively owned
Contention Count = 21520
NumberOfExclusiveWaiters = 4
Threads: 8359ad78-01<*>
Threads Waiting On Exclusive Access:
82752550 835d04c0 83712030 8f5e4600

KD: Scanning for held locks…

Resource @ 0x8323e3d8 Exclusively owned
Contention Count = 598
NumberOfExclusiveWaiters = 2
Threads: 8f687990-01<*>
Threads Waiting On Exclusive Access:
8359aac0 8359ad78

KD: Scanning for held locks…
7474 total locks, 2 locks currently held

The two threads that hold the locks:

kd> !thread 8359ad78
THREAD 8359ad78 Cid 0260.02f4 Teb: 7ffda000 Win32Thread: ff8c7008 WAIT: (WrResource) KernelMode Non-Alertable
83480308 SynchronizationEvent
8359ae00 NotificationTimer
IRP List:
834df1e0: (0006,01d8) Flags: 00060970 Mdl: 00000000
Not impersonating
DeviceMap 84c08a20
Owning Process 8347e700 Image: csrss.exe
Wait Start TickCount 271594 Ticks: 132 (0:00:00:02.062)
Context Switch Count 83100
UserTime 00:00:00.0015
KernelTime 00:00:33.0953
Win32 Start Address 0x7592bdd0
Stack Init 8b2dc000 Current 8b2dbb08 Base 8b2dc000 Limit 8b2d9000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b2dbb20 81869b66 8359ae00 8359ad78 8359ae30 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8b2dbb5c 818675bd 8359ad78 8323e3d8 8359ad78 nt!KiSwapThread+0x36d
8b2dbbbc 81873579 83480308 0000001b 00000000 nt!KeWaitForSingleObject+0x414
8b2dbbf4 81863aa6 83480308 fe416638 8b2dbc60 nt!ExpWaitForResource+0xbd
8b2dbc18 81873aa7 8323e3d8 00000001 8b2dbc3c nt!ExAcquireResourceExclusiveLite+0x96
8b2dbc28 8dad855d 8323e3d8 8dae8827 8b2dbc60 nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1c
WARNING: Frame IP not in any known module. Following frames may be wrong.
8b2dbc3c 8dac0afd 8b2dbc80 ff8b52a8 8b2dbc78 0x8dad855d
8b2dbc4c 8da98d6b 8b2dbc80 ff889578 ffbea4b0 0x8dac0afd
8b2dbd58 818461fa 00000004 00f4fe64 771f0f34 0x8da98d6b
8b2dbd58 00180016 00000004 00f4fe64 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b2dbca4)
8b2dbd58 818461fa 00000004 00f4fe64 771f0f34 0x180016
8b2dbd58 771f0f34 00000004 00f4fe64 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b2dbd64)
00f4fe64 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

kd> !thread 8f687990
THREAD 8f687990 Cid 0784.0d9c Teb: 7ffa8000 Win32Thread: fec7fbd0 GATEWAIT
Not impersonating
DeviceMap 8d5bdc30
Owning Process 836dd020 Image: explorer.exe
Wait Start TickCount 265673 Ticks: 6053 (0:00:01:34.578)
Context Switch Count 833
UserTime 00:00:00.0343
KernelTime 00:00:02.0296
Win32 Start Address 0x7381cc4d
Stack Init 8edc5fe0 Current 8edc5a98 Base 8edc6000 Limit 8edc3000 Call 42c
Priority 14 BasePriority 8 PriorityDecrement 6
ChildEBP RetAddr Args to Child
8edc5ab0 81869b66 00000000 8f687990 8edc5b50 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8edc5aec 8189d905 8f687990 836dd108 00000001 nt!KiSwapThread+0x36d
8edc5b24 8189468d 00000000 836dd020 8f687990 nt!KeWaitForGate+0x198
8edc5b84 81a04b1b 00000000 fe7ea320 ff8b52a8 nt!ExfAcquirePushLockExclusive+0x112
8edc5ba0 81a0c4a7 8f5b0da1 05000000 8edc5c14 nt!MiUnsecureVirtualMemory+0x37
8edc5bb0 8dabff23 8f5b0da1 00000000 08000000 nt!MmUnsecureVirtualMemory+0xe
WARNING: Frame IP not in any known module. Following frames may be wrong.
8edc5c14 8dac0038 00000000 00000000 8edc5c74 0x8dabff23
8edc5c24 8dac128c 00000000 00000000 00000001 0x8dac0038
8edc5d38 818461fa 26010b7d 04f0f088 771f0f34 0x8dac128c
8edc5d38 26010b7d 26010b7d 04f0f088 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8edc5cd8)
8edc5d44 00000000 badb0d00 04f0f06c 8e005d64 0x26010b7d

Maybe you need to look at the other threads that are waiting for those locks…

###########################################################
Threads that are waiting for
Resource @ 0x8339e430

kd> !thread 82752550
THREAD 82752550 Cid 0260.0270 Teb: 7ffdc000 Win32Thread: ff86a520 WAIT: (WrResource) KernelMode Non-Alertable
8346c240 SynchronizationEvent
827525d8 NotificationTimer
Not impersonating
DeviceMap 84c08a20
Owning Process 8347e700 Image: csrss.exe
Wait Start TickCount 271594 Ticks: 132 (0:00:00:02.062)
Context Switch Count 12651
UserTime 00:00:01.0203
KernelTime 00:00:04.0687
Win32 Start Address 0x759a563f
Stack Init 8b2f8000 Current 8b2f7c18 Base 8b2f8000 Limit 8b2f5000 Call 0
Priority 14 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b2f7c30 81869b66 827525d8 82752550 82752608 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8b2f7c6c 818675bd 82752550 8339e430 82752550 nt!KiSwapThread+0x36d
8b2f7ccc 81873579 8346c240 0000001b 00000000 nt!KeWaitForSingleObject+0x414
8b2f7d04 81863aa6 8346c240 0014029c 0087f798 nt!ExpWaitForResource+0xbd
8b2f7d28 81873aa7 8339e430 00000001 8b2f7d4c nt!ExAcquireResourceExclusiveLite+0x96
8b2f7d4c 818461fa 0014029c 00000404 0503ef78 nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1c
8b2f7d4c 0000003b 0014029c 00000404 0503ef78 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b2f7d4c)
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000001 00000000 00000000 00000000 00000000 0x3b

kd> !thread 835d04c0
THREAD 835d04c0 Cid 040c.0608 Teb: 7ffdf000 Win32Thread: ffb11668 WAIT: (WrResource) KernelMode Non-Alertable
8346c240 SynchronizationEvent
835d0548 NotificationTimer
Not impersonating
DeviceMap 8d5bdc30
Owning Process 8376b020 Image: VMwareUser.exe
Wait Start TickCount 271594 Ticks: 132 (0:00:00:02.062)
Context Switch Count 40548
UserTime 00:00:01.0015
KernelTime 00:00:09.0718
Win32 Start Address procexp (0x0040db88)
Stack Init 8b0de000 Current 8b0ddc20 Base 8b0de000 Limit 8b0db000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b0ddc38 81869b66 835d0548 835d04c0 835d0578 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8b0ddc74 818675bd 835d04c0 8339e430 835d04c0 nt!KiSwapThread+0x36d
8b0ddcd4 81873579 8346c240 0000001b 00000000 nt!KeWaitForSingleObject+0x414
8b0ddd0c 81863aa6 8346c240 00000003 0012fdec nt!ExpWaitForResource+0xbd
8b0ddd30 81873aa7 8339e430 00000001 8b0ddd58 nt!ExAcquireResourceExclusiveLite+0x96
8b0ddd58 818461fa 00000003 0012fe24 771f0f34 nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1c
8b0ddd58 0012fdf8 00000003 0012fe24 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b0ddd58)
WARNING: Frame IP not in any known module. Following frames may be wrong.
8b0dddc8 771f0f33 0000001b 00000217 0012fde0 0x12fdf8
8b0dddcc 00000000 00000217 0012fde0 00000023 ntdll!KiFastSystemCall+0x3

kd> !thread 83712030
THREAD 83712030 Cid 016c.0170 Teb: 7ffdf000 Win32Thread: ffb2f840 WAIT: (WrResource) KernelMode Non-Alertable
8346c240 SynchronizationEvent
837120b8 NotificationTimer
Not impersonating
DeviceMap 8d5bdc30
Owning Process 8370f808 Image: taskeng.exe
Wait Start TickCount 271619 Ticks: 107 (0:00:00:01.671)
Context Switch Count 207
UserTime 00:00:00.0156
KernelTime 00:00:01.0421
Win32 Start Address 0x00eaadb0
Stack Init 8b239000 Current 8b238c20 Base 8b239000 Limit 8b236000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b238c38 81869b66 837120b8 83712030 837120e8 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8b238c74 818675bd 83712030 8339e430 83712030 nt!KiSwapThread+0x36d
8b238cd4 81873579 8346c240 0000001b 00000000 nt!KeWaitForSingleObject+0x414
8b238d0c 81863aa6 8346c240 00000003 0020f944 nt!ExpWaitForResource+0xbd
8b238d30 81873aa7 8339e430 00000001 8b238d58 nt!ExAcquireResourceExclusiveLite+0x96
8b238d58 818461fa 00000003 0020f97c 771f0f34 nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1c
8b238d58 0020f950 00000003 0020f97c 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b238d58)
WARNING: Frame IP not in any known module. Following frames may be wrong.
8b238dc8 771f0f33 0000001b 00000217 0020f938 0x20f950
8b238dcc 00000000 00000217 0020f938 00000023 ntdll!KiFastSystemCall+0x3 (FPO: [0,0,0])

kd> !thread 8f5e4600
THREAD 8f5e4600 Cid 0784.059c Teb: 7ff9a000 Win32Thread: fe6db418 WAIT: (WrResource) KernelMode Non-Alertable
8346c240 SynchronizationEvent
8f5e4688 NotificationTimer
Not impersonating
DeviceMap 8d5bdc30
Owning Process 836dd020 Image: explorer.exe
Wait Start TickCount 271701 Ticks: 25 (0:00:00:00.390)
Context Switch Count 81
UserTime 00:00:00.0125
KernelTime 00:00:00.0375
Win32 Start Address ntdll!TppWorkerThread (0x771fa044)
Stack Init 8ec3a000 Current 8ec39c20 Base 8ec3a000 Limit 8ec37000 Call 0
Priority 12 BasePriority 8 PriorityDecrement 2
ChildEBP RetAddr Args to Child
8ec39c38 81869b66 8f5e4688 8f5e4600 8f5e46b8 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8ec39c74 818675bd 8f5e4600 8339e430 8f5e4600 nt!KiSwapThread+0x36d
8ec39cd4 81873579 8346c240 0000001b 00000000 nt!KeWaitForSingleObject+0x414
8ec39d0c 81863aa6 8346c240 00000003 0528fae4 nt!ExpWaitForResource+0xbd
8ec39d30 81873aa7 8339e430 00000001 8ec39d58 nt!ExAcquireResourceExclusiveLite+0x96
8ec39d58 818461fa 00000003 0528fb1c 771f0f34 nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1c
8ec39d58 0528faf0 00000003 0528fb1c 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8ec39d58)
WARNING: Frame IP not in any known module. Following frames may be wrong.
8ec39dc8 771f0f33 0000001b 00000217 0528fad8 0x528faf0
8ec39dcc 00000000 00000217 0528fad8 00000023 ntdll!KiFastSystemCall+0x3 (FPO: [0,0,0])

###########################################################
Threads that are waiting for
Resource @ 0x8323e3d8

kd> !thread 8359aac0
THREAD 8359aac0 Cid 0260.02f8 Teb: 7ffd9000 Win32Thread: ff8c50f8 WAIT: (WrResource) KernelMode Non-Alertable
83480308 SynchronizationEvent
8359ab48 NotificationTimer
IRP List:
8315d1a8: (0006,01d8) Flags: 00060970 Mdl: 00000000
Not impersonating
DeviceMap 84c08a20
Owning Process 8347e700 Image: csrss.exe
Wait Start TickCount 271593 Ticks: 133 (0:00:00:02.078)
Context Switch Count 9647
UserTime 00:00:00.0000
KernelTime 00:00:07.0859
Win32 Start Address 0x7592bdd0
Stack Init 8b2e0000 Current 8b2df9e0 Base 8b2e0000 Limit 8b2dd000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b2df9f8 81869b66 8359ab48 8359aac0 8359ab78 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8b2dfa34 818675bd 8359aac0 8323e3d8 8359aac0 nt!KiSwapThread+0x36d
8b2dfa94 81873579 83480308 0000001b 00000000 nt!KeWaitForSingleObject+0x414
8b2dfacc 81863aa6 83480308 00000001 ff8b52a8 nt!ExpWaitForResource+0xbd
8b2dfaf4 81873aa7 8323e3d8 00000001 8b2dfb28 nt!ExAcquireResourceExclusiveLite+0x96
8b2dfbb4 8186310f ff8ce4e8 ff8ce510 00000000 nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1c
8b2dfc04 81869b81 00000000 00000000 00000000 nt!KiDeliverApc+0x138
8b2dfc4c 8184a265 8359aac0 81849de1 ff8c50f8 nt!KiSwapThread+0x388
8b2dfd58 818461fa 00000004 00f9fc98 771f0f34 nt!KeWaitForMultipleObjects+0x47d
8b2dfd58 818461fa 00000004 00f9fc98 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame-EDITED @ 8b2dfcf4)
00f9fc58 00000000 00000000 00000000 00000000 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame-EDITED @ 8b2dfcf4)

kd> !thread 8359ad78
THREAD 8359ad78 Cid 0260.02f4 Teb: 7ffda000 Win32Thread: ff8c7008 WAIT: (WrResource) KernelMode Non-Alertable
83480308 SynchronizationEvent
8359ae00 NotificationTimer
IRP List:
834df1e0: (0006,01d8) Flags: 00060970 Mdl: 00000000
Not impersonating
DeviceMap 84c08a20
Owning Process 8347e700 Image: csrss.exe
Wait Start TickCount 271594 Ticks: 132 (0:00:00:02.062)
Context Switch Count 83100
UserTime 00:00:00.0015
KernelTime 00:00:33.0953
Win32 Start Address 0x7592bdd0
Stack Init 8b2dc000 Current 8b2dbb08 Base 8b2dc000 Limit 8b2d9000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b2dbb20 81869b66 8359ae00 8359ad78 8359ae30 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8b2dbb5c 818675bd 8359ad78 8323e3d8 8359ad78 nt!KiSwapThread+0x36d
8b2dbbbc 81873579 83480308 0000001b 00000000 nt!KeWaitForSingleObject+0x414
8b2dbbf4 81863aa6 83480308 fe416638 8b2dbc60 nt!ExpWaitForResource+0xbd
8b2dbc18 81873aa7 8323e3d8 00000001 8b2dbc3c nt!ExAcquireResourceExclusiveLite+0x96
8b2dbc28 8dad855d 8323e3d8 8dae8827 8b2dbc60 nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1c
WARNING: Frame IP not in any known module. Following frames may be wrong.
8b2dbc3c 8dac0afd 8b2dbc80 ff8b52a8 8b2dbc78 0x8dad855d
8b2dbc4c 8da98d6b 8b2dbc80 ff889578 ffbea4b0 0x8dac0afd
8b2dbd58 818461fa 00000004 00f4fe64 771f0f34 0x8da98d6b
8b2dbd58 00180016 00000004 00f4fe64 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b2dbca4)
8b2dbd58 818461fa 00000004 00f4fe64 771f0f34 0x180016
8b2dbd58 771f0f34 00000004 00f4fe64 771f0f34 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b2dbd64)
00f4fe64 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

The “checker” thread must be as simple as possible and must not do any extra
work. Otherwise, the deadlock potential is very large, not only on Vista.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

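The wait discipline Maxim's advice implies, as an added example that is not part of the original thread (neither the poster's driver nor Maxim's code): a user-mode C model of a blocking image-load arbiter with the three rules that keep a stuck checker from taking the machine down with it. POSIX threads stand in for the kernel event and the IOCTL that sets it, `checker_main` for the C#T thread, and a direct re-entrant call for the console write that in the post goes through csrss; the image names, the `evil*` rule, the timeouts and the fail policy are all assumptions made for the demo.

```c
/* Toy model of a blocking image-load arbiter with the wait rules that keep it
 * from deadlocking. Added example, not the poster's driver or Maxim's code:
 * POSIX threads stand in for the kernel event/IOCTL pair and checker_main for
 * C#T; image names and the "evil*" rule are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <string.h>
#include <time.h>

enum verdict { ALLOW = 0, BLOCK = 1 };
enum outcome { DECIDED, SKIPPED_SELF, NO_CHECKER, TIMED_OUT };

struct arbiter {
    pthread_mutex_t mu; pthread_cond_t cv;
    pthread_t checker;                /* identity of the checker thread (C#T) */
    bool alive, stalled;              /* stalled: test hook, the checker goes silent */
    bool pending, answered;           /* the single outstanding request */
    enum verdict answer, fail_policy; /* fail_policy answers when nobody else can */
    char image[64]; int self_hits;    /* self_hits: notify calls from the checker */
};

/* Driver side: what the notify routine does per image load. Rule 1: the
 * checker never waits on its own verdict. Rule 2: one request at a time.
 * Rule 3: every wait has a deadline; when it expires the fail policy answers
 * instead, so a stuck checker costs a verdict, not the whole system. */
enum verdict load_image_notify(struct arbiter *a, const char *image,
                               unsigned timeout_ms, enum outcome *why) {
    struct timespec dl; clock_gettime(CLOCK_REALTIME, &dl);
    long ns = dl.tv_nsec + (long)(timeout_ms % 1000) * 1000000L;
    dl.tv_sec += timeout_ms / 1000 + ns / 1000000000L; dl.tv_nsec = ns % 1000000000L;
    bool got = false;
    pthread_mutex_lock(&a->mu);
    if (pthread_equal(pthread_self(), a->checker)) {                      /* rule 1 */
        a->self_hits++; *why = SKIPPED_SELF;
        pthread_mutex_unlock(&a->mu);
        return ALLOW;
    }
    while (a->alive && a->pending &&                                      /* rule 2 */
           pthread_cond_timedwait(&a->cv, &a->mu, &dl) != ETIMEDOUT) {}
    if (a->alive && !a->pending) {
        strncpy(a->image, image, sizeof a->image - 1);
        a->pending = true; a->answered = false;
        pthread_cond_broadcast(&a->cv);                          /* hand to the checker */
        while (a->alive && !a->answered &&                                /* rule 3 */
               pthread_cond_timedwait(&a->cv, &a->mu, &dl) != ETIMEDOUT) {}
        got = a->answered;
        a->pending = false;                                      /* release or withdraw */
        pthread_cond_broadcast(&a->cv);
    }
    enum verdict v = got ? a->answer : a->fail_policy;
    *why = got ? DECIDED : a->alive ? TIMED_OUT : NO_CHECKER;
    pthread_mutex_unlock(&a->mu);
    return v;
}

/* The checker (C#T): answers a request, then does the extra work Maxim warns
 * about: a console write that, via csrss in the post, maps an image and
 * re-enters the notify routine. Rule 1 turns that into a no-op instead of a
 * self-wait. */
static void *checker_main(void *arg) {
    struct arbiter *a = arg;
    enum outcome why;
    pthread_mutex_lock(&a->mu);
    while (a->alive) {
        if (!a->pending || a->answered || a->stalled) { pthread_cond_wait(&a->cv, &a->mu); continue; }
        a->answer = strncmp(a->image, "evil", 4) == 0 ? BLOCK : ALLOW;
        a->answered = true;
        pthread_cond_broadcast(&a->cv);
        pthread_mutex_unlock(&a->mu);
        load_image_notify(a, "console-helper.dll", 1000, &why);  /* the "console write" */
        pthread_mutex_lock(&a->mu);
    }
    pthread_mutex_unlock(&a->mu);
    return NULL;
}

/* Drives the scenarios; 0 when every outcome matches, else the number of the
 * first scenario that did not. */
int run_scenarios(enum verdict fail_policy) {
    struct arbiter a; enum outcome why; enum verdict v;
    memset(&a, 0, sizeof a);
    pthread_mutex_init(&a.mu, NULL); pthread_cond_init(&a.cv, NULL);
    a.fail_policy = fail_policy; a.alive = true;
    pthread_create(&a.checker, NULL, checker_main, &a);
    v = load_image_notify(&a, "kernel32.dll", 1000, &why);
    if (v != ALLOW || why != DECIDED) return 1;
    v = load_image_notify(&a, "evil-injector.dll", 1000, &why);
    if (v != BLOCK || why != DECIDED) return 2;
    pthread_mutex_lock(&a.mu); a.stalled = true; pthread_mutex_unlock(&a.mu);
    v = load_image_notify(&a, "late.dll", 50, &why);              /* checker hung */
    if (v != fail_policy || why != TIMED_OUT) return 3;
    pthread_mutex_lock(&a.mu); a.alive = false; pthread_cond_broadcast(&a.cv);
    pthread_mutex_unlock(&a.mu); pthread_join(a.checker, NULL);   /* checker gone */
    v = load_image_notify(&a, "orphan.dll", 50, &why);
    if (v != fail_policy || why != NO_CHECKER) return 4;
    return a.self_hits == 2 ? 0 : 5;   /* both console writes re-entered, no self-wait */
}
```

Build with gcc and add -lpthread on toolchains that do not link it by default; `run_scenarios(BLOCK)` returns 0 when all five outcomes match. The scenario that mirrors the post is the stalled checker: the checker is alive but not answering, and the loader gets a verdict from the fail policy after 50 ms instead of waiting forever. The fail policy is a trade-off to decide per deployment: fail closed (BLOCK) refuses image loads whenever the checker is down, which is the safer verdict but can make the system unusable; fail open (ALLOW) keeps the machine running at the cost of an unchecked load. In the kernel the same rules mean a `KeWaitForSingleObject` with a `Timeout` rather than an infinite wait, and a checker that, as Maxim says, does nothing beyond answering: no console output, no image loads, nothing that can itself end up inside the notify routine.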

Thanks, Max. On XP and 2k it was tested hundreds of times.