Hooking Windbg

Hello experts,

Here is what I am trying to do with windbg, but I am unable to think it through.

I have created a folder on the desktop and removed all the permissions; when I try to open the folder it gives me “access denied”, which is fair.

Now I want to analyze the access token from windbg; how would I do it?
I think I should attach to the explorer.exe process, because the desktop's main process would be explorer, but how do I debug further?

I understand there are other utilities like FileMon, RegMon, and ProcMon, but I want to do it with windbg.

This question really belongs in the NTFSD newsgroup. It is not a windbg
problem but a lack of understanding about how the file system stack works.
Here are some thoughts that may assist or not:

  1. Breaking on the file system entry point for the boot/system drive is
    not a good idea because of excessive activity. Yes, it can be done but it
    will be far too much of an overload. I would suggest placing the folder on
    a separate drive that is formatted NTFS.
  2. Doing this via a standard win32 CreateFile also includes the
    complexity of the win32 subsystem translation layer. It might be better to
    use filetest, available on osronline, to begin to understand the issue.
  3. I want to be rich, young, and much better looking but it is unlikely
    it will happen. OK, impossible. You can use the minifilter sample minispy
    to give you a much better way to see what you want. It will also have the
    advantage of getting you closer to the NTFS driver. It will be after some
    of the higher level security checks, but start somewhere you can learn and
    obtain the skills to work through the entire stack. Some access checks may
    be done in code that is executed before the NTFS driver.
  4. You can hook the CreateFile entry point but it may take days before
    you can see your access. Using a hooking driver will allow you to do a
    breakpoint when you know it is the request you want to trace. Remember to
    activate windbg’s ability to record all output to a text file. I always
    have logging enabled with append.
  5. Your description of your problem is too general and being more
    specific in NTFSD may give you the answers you seek without all the
    debugging.


The first rule in life for debugging these kinds of problems is to ditch
Explorer for your repro, it generates WAY too much activity to be useful.
You’re better off going to the command prompt or FileTest
(http://www.zezula.net/en/fstools/filetest.html). This cuts down the
activity and can be effectively used with process specific breakpoints if
you’re doing kernel debugging (http://analyze-v.com/?p=655).

Now, to answer your specific question:

> Now i want to analyze the access token from windbg , how would i do it ?

From a kernel debug session:

!process 0 0

PROCESS 84d86520 SessionId: 1 Cid: 110c Peb: 7ffd8000 ParentCid: 0a18
DirBase: 3ec4c620 ObjectTable: 94948260 HandleCount: 23.
Image: cmd.exe

0: kd> !PROCESS 84d86520 1
PROCESS 84d86520 SessionId: 1 Cid: 110c Peb: 7ffd8000 ParentCid: 0a18
DirBase: 3ec4c620 ObjectTable: 94948260 HandleCount: 23.
Image: cmd.exe
VadRoot 85538510 Vads 37 Clone 0 Private 150. Modified 0. Locked 0.
DeviceMap 9909c510
Token 97e4bc08

0: kd> !token 97e4bc08
_TOKEN 97e4bc08
TS Session ID: 0x1
User: S-1-5-21-2673080606-3459038579-239265617-1000
Groups:
00 S-1-5-21-2673080606-3459038579-239265617-513
Attributes - Mandatory Default Enabled

From user mode you can just run !token without any parameters.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Hope to see you at the next OSR kernel debugging class February 14th in
Columbia, MD!


Hi Scott,

Thank you for your reply. And yes, !token would give you the info, but my question was specific to a folder residing on explorer.exe.

The example which I mentioned in my first post is what I am trying to do, and I want to hook windbg to analyze:

a) folder activity (when I double click, I want to see the APIs being called, the stack, etc.)

b) later I want to check the access token of that folder, because IMO every process/thread has an access token attached (this access token gets generated when the user logs in), so every object (file/folder etc.) has a token attached and I want to analyze that in windbg.

I don't want to analyze the access token of the explorer.exe on which the folder is residing; rather, I want to analyze the access token of the folder using windbg.

I know that we’ve been over this already, but why windbg? As others have
already pointed out, breaking in on every access will make the system
totally unusable, and having to analyze every token will also be unusable.

mm


> a) folder activity ( when i double click , i want to see the api’s being called , the stack etc. )

Really better done with Process Monitor, which has this all built in. If you
insist though you can look at Logger and logexts:

http://msdn.microsoft.com/en-us/library/ff552060(v=vs.85).aspx

Not sure if that gets you call stacks though.

> b) later i want to check the access token of that folder

Your terminology isn’t correct here. A token is what gets associated with
your process and inherited by your threads by default (impersonation allows
you to change the token under which a thread executes to be something other
than the parent). An ACL is what gets associated with the object that you
want to secure.

In order to see the ACL associated with a folder you need NTFS to look it up
for you, so it’s not something that can be easily done by the debugger. The
only thing that I can think of is you would need to put a breakpoint on
SeAccessCheck and wait for the call made by NTFS for that particular folder.
However, try setting a breakpoint on this API and you’ll soon see why you’re
getting push back on this (even if you restrict the breakpoint to just NTFS’
invocations of this API you’ll still get a staggering number of breakpoints:
http://www.osronline.com/article.cfm?article=522).

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Hope to see you at the next OSR kernel debugging class February 14th in
Columbia, MD!
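As an added example (not part of the thread, and not code from any poster or from Windows itself), here is a Python model of the DACL walk that the post above refers to as SeAccessCheck. It uses the user and group SIDs from Scott's !token output and the NTSTATUS value from the thread; the SYSTEM and Administrators SIDs, the deny-only group attribute and both DACLs are constructed for the illustration, and the whole thing is a simplified model of the documented algorithm, not the kernel's code. It also models which token the check is run against: the thread's impersonation token if it has one, otherwise the process token.

```python
"""Simplified model of the DACL walk SeAccessCheck performs (constructed example)."""
from typing import Dict, List, Optional, Tuple
from dataclasses import dataclass

# Subset of the access-mask bits requested when opening a directory.
FILE_LIST_DIRECTORY = 0x00000001
FILE_ADD_FILE       = 0x00000002
READ_CONTROL        = 0x00020000
SYNCHRONIZE         = 0x00100000
FILE_ALL_ACCESS     = 0x001F01FF

# ACE flag and group-attribute bits that change how an ACE or SID is treated.
INHERIT_ONLY_ACE           = 0x08  # ACE is for children only; skipped for this object
SE_GROUP_ENABLED           = 0x04  # "Enabled" in the Attributes column of !token
SE_GROUP_USE_FOR_DENY_ONLY = 0x10  # group may match deny ACEs but can never grant

STATUS_SUCCESS       = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022  # the NTSTATUS raj saw in eax after NtOpenFile


@dataclass(frozen=True)
class Ace:
    allow: bool          # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str
    mask: int
    flags: int = 0


@dataclass
class Token:
    user: str
    groups: Dict[str, int]   # group SID -> SE_GROUP_* attribute bits

    def matches(self, sid: str, deny_ace: bool) -> bool:
        """Does the ACE's trustee SID apply to the caller holding this token?"""
        if sid == self.user:
            return True
        attrs = self.groups.get(sid, 0)
        if attrs & SE_GROUP_ENABLED:
            return True
        # A deny-only group (restricted/filtered tokens) can only take access away.
        return deny_ace and bool(attrs & SE_GROUP_USE_FOR_DENY_ONLY)


def effective_token(process_token: Token, thread_token: Optional[Token] = None) -> Token:
    """The check runs against the thread's impersonation token when it has one,
    otherwise against the process token (a non-impersonating thread has none)."""
    return thread_token if thread_token is not None else process_token


def access_check(token: Token, dacl: Optional[List[Ace]], desired: int) -> Tuple[int, int]:
    """Walk the DACL in order and return (granted_mask, NTSTATUS).

    dacl=None models a NULL DACL (object unprotected: everything is granted);
    dacl=[] models an empty DACL (nothing is granted).
    """
    if dacl is None:
        return desired, STATUS_SUCCESS
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break                            # every requested right already granted
        if ace.flags & INHERIT_ONLY_ACE:
            continue                         # not evaluated for this object itself
        if not token.matches(ace.sid, deny_ace=not ace.allow):
            continue                         # trustee is not in this token
        if not ace.allow and (ace.mask & remaining):
            return 0, STATUS_ACCESS_DENIED   # deny ACE hit before the grant completed
        if ace.allow:
            remaining &= ~ace.mask           # accumulate granted bits
    if remaining:
        return 0, STATUS_ACCESS_DENIED       # end of DACL with rights still wanted
    return desired, STATUS_SUCCESS


# Constructed sample data. The user and group SIDs are the ones in Scott's !token
# output; SYSTEM, Administrators and both DACLs are stand-ins built for this example.
USER_SID     = "S-1-5-21-2673080606-3459038579-239265617-1000"
DOMAIN_USERS = "S-1-5-21-2673080606-3459038579-239265617-513"
ADMINS       = "S-1-5-32-544"
SYSTEM       = "S-1-5-18"

CMD_TOKEN = Token(USER_SID, {DOMAIN_USERS: SE_GROUP_ENABLED,
                             ADMINS: SE_GROUP_USE_FOR_DENY_ONLY})

# A folder whose owner removed their own access: the deny ACE comes first, as
# canonical ACE ordering requires, so it is hit before any allow ACE can grant.
LOCKED_FOLDER = [
    Ace(False, USER_SID, FILE_ALL_ACCESS),
    Ace(True,  SYSTEM,   FILE_ALL_ACCESS),
    Ace(True,  ADMINS,   FILE_ALL_ACCESS),
]
# An ordinary folder: users may list it; the add-file ACE applies to children only.
NORMAL_FOLDER = [
    Ace(True, SYSTEM,       FILE_ALL_ACCESS),
    Ace(True, DOMAIN_USERS, FILE_LIST_DIRECTORY | READ_CONTROL | SYNCHRONIZE),
    Ace(True, DOMAIN_USERS, FILE_ADD_FILE, INHERIT_ONLY_ACE),
]

if __name__ == "__main__":
    want = FILE_LIST_DIRECTORY | SYNCHRONIZE    # what a directory enumeration asks for
    for name, dacl in (("locked", LOCKED_FOLDER), ("normal", NORMAL_FOLDER)):
        granted, status = access_check(effective_token(CMD_TOKEN), dacl, want)
        print(f"{name}: granted=0x{granted:x} status=0x{status:08x}")
```

The point the model makes concrete is the one in the reply above: the token (user SID plus enabled group SIDs) travels with the caller, the DACL lives with the object, and the result is decided by walking the object's ACEs in order against the caller's SIDs. The "locked" DACL returns STATUS_ACCESS_DENIED on the first ACE, which is the value raj later reads back from eax; the same token against the "normal" DACL is granted, and a request for FILE_ADD_FILE on it is refused because the only matching ACE is inherit-only.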

As pointed out, banging your head against explorer is not easy; also, "access denied" is
an NTSTATUS, so you would need to run from user land to kernel land and back,
which is another hurdle.

Anyway, I'll summarize; see if you can follow.

C:\Documents and Settings\Admin\Desktop>md somedirondesktop

C:\Documents and Settings\Admin\Desktop>cd somedirondesktop

C:\Documents and Settings\Admin\Desktop\somedirondesktop>cd ..

C:\Documents and Settings\Admin\Desktop>cacls somedirondesktop /p Admin:N
Are you sure (Y/N)?y
processed dir: C:\Documents and Settings\Admin\Desktop\somedirondesktop

C:\Documents and Settings\Admin\Desktop>cd somedirondesktop
Access is denied.

C:\Documents and Settings\Admin\Desktop>

Attach windbg to explorer.exe.

Set a bp on one most probable API; I'll use SHGetFolderPathW.

Once it breaks, use gu to trace around the userland code.

It should take you to ntdll!NtOpenFile at last, where it transits to
kernel land.

If you can use ntsd in conjunction with kd, you can set a break on the
IopCreateFile routine and follow it all the way to fltmgr.sys

and back.

Somewhere along the path you should find your token.

Here is a paste:

C:\>cd %userprofile%\desktop\acctok
Access is denied.

C:\>f:\windbg\ntsd.exe -pn explorer.exe

0:000> bd *
0:000> bp SHELL32!CFSFolder::EnumObjects
0:000> bl
0 d 7c9eed76 0001 (0001) 0:**** SHELL32!SHGetFolderPathW
1 e 7c9f3b27 0001 (0001) 0:**** SHELL32!CFSFolder::EnumObjects
0:000> k
ChildEBP RetAddr
0007f10c 7c9f2781 SHELL32!SHGetFolderPathW
0007f138 7c9ece91 SHELL32!CFSFolder::_GetPath+0x2c
0007f148 7c9fd9b3 SHELL32!CFSFolder::_GetPathForItem+0x10
0007f164 7c9fd927 SHELL32!CFSAssocEnumData::CFSAssocEnumData+0x3e
0007f1ac 7ca11a55 SHELL32!CFileSysItemString::AssocCreate+0x153
0007f42c 7ca11a05 SHELL32!CFSFolder::_CreateContextMenu+0x47
0007f448 7c9f2dc2 SHELL32!CFSFolder::_GetContextMenu+0x19
0007f47c 7ca34fca SHELL32!CFSFolder::GetUIObjectOf+0x21c
0007f4a4 7ca34f96 SHELL32!CDesktopFolder::_GetItemUIObject+0x31
0007f4d4 7ca2d3a6 SHELL32!CDesktopFolder::GetUIObjectOf+0x110
0007f510 7ca48630 SHELL32!CRegFolder::GetUIObjectOf+0x28c
0007f548 7ca05b22 SHELL32!CDefView::_GetUIObjectFromItem+0x69
0007f58c 7cb2ca32 SHELL32!CDefView::GetItemObject+0x20c
0007f5b8 7caaabb6 SHELL32!CDefView::_CreateSelectionContextMenu+0xa9
0007f5dc 7ca495e1 SHELL32!CDefView::_InvokeContextMenuVerbOnSelection+0x71
0007f85c 7c9f461b SHELL32!CDefView::_OnLVNotify+0x37a
0007f874 7c9f448b SHELL32!CDefView::_OnNotify+0x7c
0007f9e8 7c9f44ff SHELL32!CDefView::WndProc+0x860
0007fa2c 7e418734 SHELL32!CDefView::s_WndProc+0x72
0007fa58 7e418816 USER32!InternalCallWinProc+0x28

0:000> db poi(esp+18) l20
00107778 3a 00 31 00 00 00 00 00-98 3d 76 19 10 20 61 63 :.1…=v… ac
00107788 63 74 6f 6b 00 00 24 00-03 00 04 00 ef be 98 3d ctok…$…=

0:000> !dml_proc
DbgId PID Image file name
0 b2c C:\WINDOWS\explorer.exe

0:000> gu
SHELL32!CFSFolder::_GetPath+0x2c:
7c9f2781 83f801 cmp eax,1
0:000> gu
SHELL32!CFSFolder::_GetPathForItem+0x10:
7c9ece91 85c0 test eax,eax
0:000> gu
SHELL32!CFSAssocEnumData::CFSAssocEnumData+0x3e:
7c9fd9b3 837e0c00 cmp dword ptr [esi+0Ch],0 ds:0023:0011385c=00000000

0:000> gu
SHELL32!CFileSysItemString::AssocCreate+0x153:
7c9fd927 8bf0 mov esi,eax
0:000> gu
SHELL32!CFSFolder::_CreateContextMenu+0x47:
7ca11a55 8b06 mov eax,dword ptr [esi] ds:0023:000c7ed8={SHELL32!CFSFolder::`vftable' (7c9c71f0)}
0:000> gu
SHELL32!CFSFolder::_GetContextMenu+0x19:
7ca11a05 5d pop ebp
0:000> gu
SHELL32!CFSFolder::GetUIObjectOf+0x21c:
7c9f2dc2 ebb5 jmp SHELL32!CFSFolder::GetUIObjectOf+0x261 (7c9f2d79)
0:000> gu
SHELL32!CDesktopFolder::_GetItemUIObject+0x31:
7ca34fca 5e pop esi
0:000> gu
SHELL32!CDesktopFolder::GetUIObjectOf+0x110:
7ca34f96 e97684ffff jmp SHELL32!CDesktopFolder::GetUIObjectOf+0x110 (7ca2d411)
0:000> gu
SHELL32!CRegFolder::GetUIObjectOf+0x28c:
7ca2d3a6 e99b8cfcff jmp SHELL32!CRegFolder::GetUIObjectOf+0x28c (7c9f6046)
0:000> gu
SHELL32!CDefView::_GetUIObjectFromItem+0x69:
7ca48630 3bc6 cmp eax,esi
0:000> gu
SHELL32!CDefView::GetItemObject+0x20c:
7ca05b22 8bf0 mov esi,eax
0:000> gu
SHELL32!CDefView::_CreateSelectionContextMenu+0xa9:
7cb2ca32 8945fc mov dword ptr [ebp-4],eax ss:0023:0007f5b4=8007000e
0:000> gu
SHELL32!CDefView::_InvokeContextMenuVerbOnSelection+0x71:
7caaabb6 8bf8 mov edi,eax
0:000> gu
SHELL32!CDefView::_OnLVNotify+0x37a:
7ca495e1 e917b1faff jmp SHELL32!CDefView::_OnLVNotify+0x72b (7c9f46fd)
0:000> gu
SHELL32!CDefView::_OnNotify+0x7c:
7c9f461b 5e pop esi
0:000> gu
SHELL32!CDefView::WndProc+0x860:
7c9f448b 8bf8 mov edi,eax
0:000> gu
SHELL32!CDefView::s_WndProc+0x72:
7c9f44ff 8945e0 mov dword ptr [ebp-20h],eax ss:0023:0007fa0c=00000000
0:000> gu
USER32!InternalCallWinProc+0x28:
7e418734 648b0d18000000 mov ecx,dword ptr fs:[18h] fs:003b:00000018=7ffdf000
0:000> gu
USER32!UserCallWinProcCheckWow+0x150:
7e418816 8945e4 mov dword ptr [ebp-1Ch],eax ss:0023:0007faa4=00000000
0:000> gu
USER32!SendMessageWorker+0x4a5:
7e42927b 8bc8 mov ecx,eax
0:000> gu
USER32!SendMessageW+0x7f:
7e4292e3 5e pop esi
0:000> gu
comctl32!CCSendNotify+0xc20:
773eb001 e9e1fbffff jmp comctl32!CCSendNotify+0x806 (773eabe7)
0:000> gu
comctl32!ListView_HandleMouse+0x20e:
77420711 eb13 jmp comctl32!ListView_HandleMouse+0x223 (77420726)
0:000> gu
comctl32!ListView_OnButtonDown+0x1b:
77420ab6 5d pop ebp
0:000> gu
comctl32!ListView_WndProc+0x857:
774214e9 e983f8ffff jmp comctl32!ListView_WndProc+0xdf (77420d71)
0:000> gu
USER32!InternalCallWinProc+0x28:
7e418734 648b0d18000000 mov ecx,dword ptr fs:[18h] fs:003b:00000018=7ffdf000
0:000> gu
USER32!UserCallWinProcCheckWow+0x150:
7e418816 8945e4 mov dword ptr [ebp-1Ch],eax ss:0023:0007fe38=00000000
0:000> gu
USER32!DispatchMessageWorker+0x306:
7e4189cd 8bc8 mov ecx,eax
0:000> gu
USER32!DispatchMessageW+0xf:
7e418a10 5d pop ebp
0:000> gu
SHELL32!CDesktopBrowser::_PeekForAMessage+0x66:
7c9f4bcf 6a02 push 2
0:000> gu
SHELL32!CDesktopBrowser::_MessageLoop+0x14:
7c9f4a64 33ff xor edi,edi
0:000> gu

Breakpoint 1 hit
SHELL32!CFSFolder::EnumObjects:
7c9f3b27 8bff mov edi,edi

0:013> bd *
0:013> bp ntdll!ZwOpenFile
0:013> gu

Breakpoint 2 hit
ntdll!NtOpenFile:
7c90d59e b874000000 mov eax,74h
0:013> dt ntdll!_OBJECT_ATTRIBUTES poi(esp+0c)
+0x000 Length : 0x18
+0x004 RootDirectory : (null)
+0x008 ObjectName : 0x029bd5a0 _UNICODE_STRING "\??\C:\Documents and Settings\Admin\Desktop\acctok"
+0x00c Attributes : 0x40
+0x010 SecurityDescriptor : (null)
+0x014 SecurityQualityOfService : (null)
0:013> gu
kernel32!FindFirstFileExW+0x1a7:
7c80ec96 3d0d0000c0 cmp eax,0C000000Dh

0:013> r eax
eax=c0000022

0:013> !error eax

Error code: (NTSTATUS) 0xc0000022 (3221225506) - {Access Denied} A process has
requested access to an object, but has not been granted those access rights.
0:013> .detach
Detached
NoTarget>

regards

raj

thanks and regards

raj_r

Note that in general the concept of “process” is irrelevant here. It is the
thread which carries the token, and the thread is all that matters. There
is a way (I forget how) to get a thread to carry another token, so it looks
like a specific user, but what that means is the “process token” has no
meaning for calls issued from that thread. Only the thread token matters.
In many ways, the concept of “process” as having much meaning is a holdover
from Unix. In Windows, a process is merely a repository for resources,
which include memory, open handles, file locks, and the like, but most of
what matters is what the thread has. Here you have confused the concept of
logging in (which generates a token) with the concept of process token
(which BY DEFAULT is the login token, but under “run as” can be anyone!)
with the thread token (which BY DEFAULT is the process token) but in fact
can be anyone else. For all practical purposes, the kernel cares ONLY about
the token of the thread, and doesn’t care how it got it. I’m not an expert
on how tokens work, but I know that the thread token dominates.

So it is not clear why you would make an appeal back to the session token.
The only token that matters is the current thread’s token.

Folders do not reside in explorer.exe, they reside on the media.
Explorer.exe is just a program that displays information. You can write
your own program.

I know this doesn’t answer the question of how to see the ACLs of a folder
from windbg, but the question is sufficiently confused that it isn’t clear
you understand what you are asking.

Which now gets to another question: why do you need to see it in windbg when
you can trivially view it using properties of the file or by writing an
application that gets the information?
joe


Thank you very much, Scott and Raj,

I was looking for exactly what you both mentioned.

@raj I will repro in my lab.

@scott like every time, you are just awesome.

@joseph thank you very much.

> Note that in general the concept of “process” is irrelevant here. It is the thread which carries the token, and the thread is all that matters.

This is conceptually correct, however as a Windows implementation detail
only threads that are impersonating actually carry a token. Otherwise the
token in the thread is NULL and the parent process’ token is used. For
example, here’s a thread that isn’t impersonating:

+0x3e0 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x000 ImpersonationData : 0
+0x000 ImpersonationToken : (null)
+0x000 ImpersonationLevel : 0y00
+0x000 EffectiveOnly : 0y0

Versus one that is:

+0x3e0 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x000 ImpersonationData : 0xfffff8a00d30e533
+0x000 ImpersonationToken : 0xfffff8a00d30e533 Void
+0x000 ImpersonationLevel : 0y11
+0x000 EffectiveOnly : 0y0

Luckily !thread understands all of this already and can interpret it for
you, but worth noting.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Hope to see you at the next OSR kernel debugging class February 14th in
Columbia, MD!

Here is another paste that shows the user mode to kernel mode transition,
using ntsd in a target VM and kd on the host, with the use of the .breakin
command.

Use ntsd -d -pn explorer.exe in the target VM.

It will break into kd on the host in user mode with an INPUT prompt.

Set user mode bps, trace around, and when you near the point where the kernel
transition is going to occur,

use .breakin.

kd will break in kernel debugging mode.

Set a bp in kernel land

and issue a g.

kd will turn back to user mode debugging where you left off.

Now tracing or issuing gu will result in a break into kd.

0:000> gu
SHELL32!CFSFolder::_GetPath+0x2c:
7c9f2781 83f801 cmp eax,1

0:000> gu
SHELL32!CFSFolder::_GetPathForItem+0x10:
7c9ece91 85c0 test eax,eax

0:000> g
Breakpoint 1 hit
eax=00116928 ebx=7c9c71a0 ecx=00116928 edx=ffffffff esi=00112468 edi=00112480
eip=7c9f3b27 esp=01badd10 ebp=01badd40 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
SHELL32!CFSFolder::EnumObjects:
7c9f3b27 8bff mov edi,edi
0:014> k
k
ChildEBP RetAddr
01badd0c 7c9f9299 SHELL32!CFSFolder::EnumObjects
01badd40 7c9f9a08 SHELL32!CDefviewEnumTask::FillObjectsToDPA+0x8b
01badd94 7e2ad91d SHELL32!CDefView::CreateViewWindow2+0x2de
01bade40 7e2aae15 SHDOCVW!FileCabinet_CreateViewWindow2+0x245
01bade68 75f88540 SHDOCVW!CBaseBrowser2::CreateViewWindow+0x39
01bade84 75f9c8a2 BROWSEUI!CCommonBrowser::CreateViewWindow+0x20
01badea4 7e2ab0df BROWSEUI!CShellBrowser2::CreateViewWindow+0x39
01badee8 7e2aaf60 SHDOCVW!CBaseBrowser2::_CreateNewShellView+0x181
01badf14 7e2aad8e SHDOCVW!CBaseBrowser2::_CreateNewShellViewPidl+0x7d
01baef94 75f88617 SHDOCVW!CBaseBrowser2::_NavigateToPidl+0x17c
01baefac 75f9b944 BROWSEUI!CCommonBrowser::_NavigateToPidl+0x1d
01baefd0 75fa339f BROWSEUI!CShellBrowser2::_NavigateToPidl+0x111
01baf044 7e2ad3bf BROWSEUI!CShellBrowser2::OnCreate+0x49f
01baf060 75f828e1 SHDOCVW!CBaseBrowser2::WndProcBS+0xf1
01baf07c 75fa5ab9 BROWSEUI!CCommonBrowser::WndProcBS+0x20
01baf0b8 75fa467f BROWSEUI!CShellBrowser2::WndProcBS+0x196
01baf0e4 7e418734 BROWSEUI!IEFrameWndProc+0xff
01baf110 7e42bdf1 USER32!InternalCallWinProc+0x28
01baf178 7e428ea0 USER32!UserCallWinProcCheckWow+0xea
01baf1cc 7e42ce7c USER32!DispatchClientMessage+0xa3

0:014> .breakin
.breakin
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> !process 0 0 Explorer.exe
PROCESS 820ffda0 SessionId: 0 Cid: 04b4 Peb: 7ffdf000 ParentCid: 0488
DirBase: 0a28d000 ObjectTable: 00000000 HandleCount: 0.
Image: explorer.exe

PROCESS 821ecda0 SessionId: 0 Cid: 027c Peb: 7ffdd000 ParentCid: 01ec
DirBase: 1156f000 ObjectTable: e15dd478 HandleCount: 308.
Image: explorer.exe

THREAD 8211c400 Cid 027c.02a4 Teb: 7ffac000 Win32Thread: e10c3770
WAIT: (Executive) KernelMode Non-Alertable
SuspendCount 1
f4e27f14 SynchronizationEvent
Not impersonating
DeviceMap e163e0b0
Owning Process 821ecda0 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 39155 Ticks: 7 (0:00:00:00.070)
Context Switch Count 161 LargeStack
UserTime 00:00:00.030
KernelTime 00:00:00.080
Win32 Start Address 0x75fa5339
Start Address 0x7c8106e9
Stack Init f4e28740 Current f4e27e98 Base f4e29000 Limit f4e23000
Call f4e2874c
Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4e27eb0 804dc0f7 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f4e27ebc 804dc143 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f4e27ee4 8065a35b nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
f4e27fc4 8065b4c5 nt!DbgkpQueueMessage+0x17c (FPO: [5,46,4])
f4e27fe8 80610c79 nt!DbgkpSendApiMessage+0x45 (FPO: [2,0,0])
f4e28074 80503113 nt!DbgkForwardException+0x8f (FPO: [3,30,4])
f4e28434 804df235 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
f4e2849c 804df947 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
f4e2849c 7c9f3b28 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ f4e284a4)
WARNING: Frame IP not in any known module. Following frames may be wrong.
01badd40 00000000 0x7c9f3b28

kd> bp /p 821ecda0 nt!IoCreateFile "dt nt!_OBJECT_ATTRIBUTES poi(esp+c)"

kd> bl
0 e 8056cc6b 0001 (0001) nt!IoCreateFile "dt nt!_OBJECT_ATTRIBUTES poi(esp+c)"
Match process data 821ecda0

kd> g
0:014> k
k
ChildEBP RetAddr
01badd0c 7c9f9299 SHELL32!CFSFolder::EnumObjects
01badd40 7c9f9a08 SHELL32!CDefviewEnumTask::FillObjectsToDPA+0x8b
01badd94 7e2ad91d SHELL32!CDefView::CreateViewWindow2+0x2de
01bade40 7e2aae15 SHDOCVW!FileCabinet_CreateViewWindow2+0x245
01bade68 75f88540 SHDOCVW!CBaseBrowser2::CreateViewWindow+0x39
01bade84 75f9c8a2 BROWSEUI!CCommonBrowser::CreateViewWindow+0x20
01badea4 7e2ab0df BROWSEUI!CShellBrowser2::CreateViewWindow+0x39
01badee8 7e2aaf60 SHDOCVW!CBaseBrowser2::_CreateNewShellView+0x181
01badf14 7e2aad8e SHDOCVW!CBaseBrowser2::_CreateNewShellViewPidl+0x7d
01baef94 75f88617 SHDOCVW!CBaseBrowser2::_NavigateToPidl+0x17c
01baefac 75f9b944 BROWSEUI!CCommonBrowser::_NavigateToPidl+0x1d
01baefd0 75fa339f BROWSEUI!CShellBrowser2::_NavigateToPidl+0x111
01baf044 7e2ad3bf BROWSEUI!CShellBrowser2::OnCreate+0x49f
01baf060 75f828e1 SHDOCVW!CBaseBrowser2::WndProcBS+0xf1
01baf07c 75fa5ab9 BROWSEUI!CCommonBrowser::WndProcBS+0x20
01baf0b8 75fa467f BROWSEUI!CShellBrowser2::WndProcBS+0x196
01baf0e4 7e418734 BROWSEUI!IEFrameWndProc+0xff
01baf110 7e42bdf1 USER32!InternalCallWinProc+0x28
01baf178 7e428ea0 USER32!UserCallWinProcCheckWow+0xea
01baf1cc 7e42ce7c USER32!DispatchClientMessage+0xa3

0:014> t
SHELL32!CFSFolder::EnumObjects+0x2:
7c9f3b29 55 push ebp

================snip off ================================
0:014>

eax=000000e0 ebx=7c9c71a0 ecx=00108468 edx=ffffffff esi=00112468 edi=00112480
eip=7c9f3b51 esp=01badd00 ebp=01badd0c iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000203
SHELL32!CFSFolder::EnumObjects+0x2a:
7c9f3b51 51 push ecx
0:014>

eax=000000e0 ebx=7c9c71a0 ecx=00108468 edx=ffffffff esi=00112468 edi=00112480
eip=7c9f3b52 esp=01badcfc ebp=01badd0c iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000203
SHELL32!CFSFolder::EnumObjects+0x2b:
7c9f3b52 e8ccfcffff call SHELL32!CFSFolder_CreateEnum (7c9f3823)

0:014>

+0x000 Length : 0x18
+0x004 RootDirectory : (null)
+0x008 ObjectName : 0x01bad5a0 _UNICODE_STRING "\??\C:\Documents and Settings\rr\Desktop\acctok"
+0x00c Attributes : 0x40
+0x010 SecurityDescriptor : (null)
+0x014 SecurityQualityOfService : (null)
nt!IoCreateFile:
8056cc6b 8bff mov edi,edi
kd> r
eax=00000000 ebx=8056cd5b ecx=00000000 edx=01bad52c esi=01bad544 edi=f4e284a4
eip=8056cc6b esp=f4e28448 ebp=f4e28484 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IoCreateFile:
8056cc6b 8bff mov edi,edi
kd> bl
0 e 8056cc6b 0001 (0001) nt!IoCreateFile "dt nt!_OBJECT_ATTRIBUTES poi(esp+c)"
Match process data 821ecda0

kd> .echo "set this bp with .breakin command while your explorer is frozen on a usermode breakpoint"
set this bp with .breakin command while your explorer is frozen on a usermode breakpoint
kd> .echo "and resume with g (go) start tracing and you will land here"
and resume with g (go) start tracing and you will land here

regards

raj

thanks and regards

raj_r

Here is the complete thread stack that has the same user mode stack you saw
in the earlier post.

kd> .reload /user
Loading User Symbols


kd> !thread 8211c400
THREAD 8211c400 Cid 027c.02a4 Teb: 7ffac000 Win32Thread: e10c3770 RUNNING on processor 0
Not impersonating
DeviceMap e163e0b0
Owning Process 821ecda0 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 39253 Ticks: 0
Context Switch Count 242 LargeStack
UserTime 00:00:00.030
KernelTime 00:00:00.180
Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fa5339)
Start Address kernel32!BaseThreadStartThunk (0x7c8106e9)
Stack Init f4e28740 Current f4e27ea0 Base f4e29000 Limit f4e23000 Call f4e2874c
Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
f4e28444 8056cd82 01bad5ac 00100001 01bad550 nt!IoCreateFile (FPO: [14,3,0])
f4e28484 804de7ec 01bad5ac 00100001 01bad550 nt!NtOpenFile+0x27 (FPO: [6,0,0])
f4e28484 7c90e4f4 01bad5ac 00100001 01bad550 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f4e284a4)
01bad520 7c90d58c 7c80ec86 01bad5ac 00100001 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01bad524 7c80ec86 01bad5ac 00100001 01bad550 ntdll!NtOpenFile+0xc (FPO: [6,0,0])
01bad81c 7c9ef93b 01badac4 00000000 001170ec kernel32!FindFirstFileExW+0x1a7 (FPO: [6,179,4])
01bad840 7c9ef8d5 01badac4 001170ec 00116edc SHELL32!SHFindFirstFile+0x2a (FPO: [3,0,4])
01bada94 7c9f3980 000f00ae 00000000 01badac4 SHELL32!SHFindFirstFileRetry+0x5b (FPO: [6,141,4])
01badce4 7c9f385a 00112480 00112468 01badd0c SHELL32!CFileSysEnum::Init+0x14b (FPO: [0,137,4])
01badcf4 7c9f3b57 00108468 000f00ae 000000e0 SHELL32!CFSFolder_CreateEnum+0x37 (FPO: [4,0,0])
01badd0c 7c9f9299 00108478 000f00ae 000000e0 SHELL32!CFSFolder::EnumObjects+0x30 (FPO: [4,0,0])
01badd40 7c9f9a08 000f00ae 01bade1c 001183a8 SHELL32!CDefviewEnumTask::FillObjectsToDPA+0x8b (FPO: [1,4,0])
01badd94 7e2ad91d 00000008 00000000 001183a8 SHELL32!CDefView::CreateViewWindow2+0x2de (FPO: [2,15,0])
01bade40 7e2aae15 000f76b8 001183a8 00116928 SHDOCVW!FileCabinet_CreateViewWindow2+0x245 (FPO: [6,36,4])
01bade68 75f88540 0011801c 00116928 00000000 SHDOCVW!CBaseBrowser2::CreateViewWindow+0x39 (FPO: [5,0,0])
01bade84 75f9c8a2 000f76bc 00116928 00000000 BROWSEUI!CCommonBrowser::CreateViewWindow+0x20 (FPO: [5,0,0])
01badea4 7e2ab0df 000f76bc 00116928 00000000 BROWSEUI!CShellBrowser2::CreateViewWindow+0x39 (FPO: [5,0,4])
01badee8 7e2aaf60 00000000 00115f88 00000000 SHDOCVW!CBaseBrowser2::_CreateNewShellView+0x181 (FPO: [3,7,4])
01badf14 7e2aad8e 00115f88 00000000 00000000 SHDOCVW!CBaseBrowser2::_CreateNewShellViewPidl+0x7d (FPO: [3,3,4])
01baef94 75f88617 0011801c 00115f88 00000000 SHDOCVW!CBaseBrowser2::_NavigateToPidl+0x17c (FPO: [4,1048,4])
01baefac 75f9b944 000f76bc 00115f88 00000000 BROWSEUI!CCommonBrowser::_NavigateToPidl+0x1d (FPO: [4,0,0])
01baefd0 75fa339f 000f76bc 00115f88 00000000 BROWSEUI!CShellBrowser2::_NavigateToPidl+0x111 (FPO: [4,0,4])
01baf044 7e2ad3bf 000f76a8 76007bfc 000f76bc BROWSEUI!CShellBrowser2::OnCreate+0x49f (FPO: [2,20,4])
01baf060 75f828e1 0011801c 000f00ae 00000001 SHDOCVW!CBaseBrowser2::WndProcBS+0xf1 (FPO: [5,0,0])
01baf07c 75fa5ab9 000f76bc 000f00ae 00000001 BROWSEUI!CCommonBrowser::WndProcBS+0x20 (FPO: [5,0,0])
01baf0b8 75fa467f 000f76a8 000f00ae 00000001 BROWSEUI!CShellBrowser2::WndProcBS+0x196 (FPO: [5,5,4])
01baf0e4 7e418734 000f76a8 00000001 00000000 BROWSEUI!IEFrameWndProc+0xff (FPO: [4,1,4])
01baf110 7e42bdf1 75fa4580 000f00ae 00000001 USER32!InternalCallWinProc+0x28
01baf178 7e428ea0 00000000 75fa4580 000f00ae USER32!UserCallWinProcCheckWow+0xea (FPO: [Non-Fpo])
01baf1cc 7e42ce7c 0054e268 00000001 00000000 USER32!DispatchClientMessage+0xa3 (FPO: [Non-Fpo])
01baf1fc 7c90e453 01baf20c 00000088 00000088 USER32!__fnINLPCREATESTRUCT+0x8b (FPO: [1,3,0])
01baf1fc 804e2b1c 01baf20c 00000088 00000088 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
f4e28764 80566b60 f4e28880 f4e28884 f4e28854 nt!KiCallUserMode+0x4 (FPO: [2,3,4])
f4e287c0 bf83d6fa 0000000a f4e288b0 00000088 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
f4e28acc bf813f31 bc6ae268 00000001 00000000 win32k!SfnINLPCREATESTRUCT+0x489 (FPO: [Non-Fpo])
f4e28b14 bf814123 026ae268 00000001 00000000 win32k!xxxSendMessageToClient+0x176 (FPO: [7,5,4])
f4e28b60 bf80ecc6 bc6ae268 00000001 00000000 win32k!xxxSendMessageTimeout+0x1a6 (FPO: [7,7,0])
f4e28b84 bf83e467 bc6ae268 00000001 00000000 win32k!xxxSendMessage+0x1b (FPO: [4,0,0])
f4e28c6c bf834ab7 00000100 00000000 bc6b8168 win32k!xxxCreateWindowEx+0xbdd (FPO: [15,49,0])
f4e28d20 804de7ec 00000100 f4e28cec f4e28ce0 win32k!NtUserCreateWindowEx+0x1c1 (FPO: [Non-Fpo])

Now post back: what token? The ACL, you mean? Start from here :)

raj

On Tue, Jan 4, 2011 at 5:45 PM, raj_r wrote:

> here is another paste that shows the user mode to kernel mode transition
> using ntsd in a target vm and kd in host with use of .breakin
> commands
>
> use ntsd -d -pn explorer.exe in target vm
>
> it will break in kd on host in usermode with INPUT prompt
>
> set user-mode bps, trace around, and when you near the point where the
> kernel transition is going to occur
>
> use .breakin
>
> kd will break in kernel debugging mode
>
> set a bp in kernel land
>
> and issue a g
>
> kd will turn back to user-mode debugging where you left off
>
> now tracing or issuing gu will result in a break into kd
>
>
>
>
> 0:000> gu
> SHELL32!CFSFolder::_GetPath+0x2c:
> 7c9f2781 83f801 cmp eax,1
>
> 0:000> gu
> SHELL32!CFSFolder::_GetPathForItem+0x10:
> 7c9ece91 85c0 test eax,eax
>
> 0:000> g
> Breakpoint 1 hit
> eax=00116928 ebx=7c9c71a0 ecx=00116928 edx=ffffffff esi=00112468 edi=00112480
> eip=7c9f3b27 esp=01badd10 ebp=01badd40 iopl=0 nv up ei pl nz na po nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
>
> SHELL32!CFSFolder::EnumObjects:
> 7c9f3b27 8bff mov edi,edi
> 0:014> k
> k
> ChildEBP RetAddr
> 01badd0c 7c9f9299 SHELL32!CFSFolder::EnumObjects
> 01badd40 7c9f9a08 SHELL32!CDefviewEnumTask::FillObjectsToDPA+0x8b
> 01badd94 7e2ad91d SHELL32!CDefView::CreateViewWindow2+0x2de
> 01bade40 7e2aae15 SHDOCVW!FileCabinet_CreateViewWindow2+0x245
> 01bade68 75f88540 SHDOCVW!CBaseBrowser2::CreateViewWindow+0x39
> 01bade84 75f9c8a2 BROWSEUI!CCommonBrowser::CreateViewWindow+0x20
> 01badea4 7e2ab0df BROWSEUI!CShellBrowser2::CreateViewWindow+0x39
> 01badee8 7e2aaf60 SHDOCVW!CBaseBrowser2::_CreateNewShellView+0x181
> 01badf14 7e2aad8e SHDOCVW!CBaseBrowser2::_CreateNewShellViewPidl+0x7d
> 01baef94 75f88617 SHDOCVW!CBaseBrowser2::_NavigateToPidl+0x17c
> 01baefac 75f9b944 BROWSEUI!CCommonBrowser::_NavigateToPidl+0x1d
> 01baefd0 75fa339f BROWSEUI!CShellBrowser2::_NavigateToPidl+0x111
> 01baf044 7e2ad3bf BROWSEUI!CShellBrowser2::OnCreate+0x49f
> 01baf060 75f828e1 SHDOCVW!CBaseBrowser2::WndProcBS+0xf1
> 01baf07c 75fa5ab9 BROWSEUI!CCommonBrowser::WndProcBS+0x20
> 01baf0b8 75fa467f BROWSEUI!CShellBrowser2::WndProcBS+0x196
> 01baf0e4 7e418734 BROWSEUI!IEFrameWndProc+0xff
> 01baf110 7e42bdf1 USER32!InternalCallWinProc+0x28
> 01baf178 7e428ea0 USER32!UserCallWinProcCheckWow+0xea
> 01baf1cc 7e42ce7c USER32!DispatchClientMessage+0xa3
>
>
> 0:014> .breakin
> .breakin
> Break instruction exception - code 80000003 (first chance)
> nt!RtlpBreakWithStatusInstruction:
> 804e3592 cc int 3
> kd> !process 0 0 Explorer.exe
> PROCESS 820ffda0 SessionId: 0 Cid: 04b4 Peb: 7ffdf000 ParentCid: 0488
> DirBase: 0a28d000 ObjectTable: 00000000 HandleCount: 0.
> Image: explorer.exe
>
> PROCESS 821ecda0 SessionId: 0 Cid: 027c Peb: 7ffdd000 ParentCid: 01ec
> DirBase: 1156f000 ObjectTable: e15dd478 HandleCount: 308.
> Image: explorer.exe
>
>
> THREAD 8211c400 Cid 027c.02a4 Teb: 7ffac000 Win32Thread: e10c3770
> WAIT: (Executive) KernelMode Non-Alertable
> SuspendCount 1
> f4e27f14 SynchronizationEvent
> Not impersonating
> DeviceMap e163e0b0
> Owning Process 821ecda0 Image: explorer.exe
> Attached Process N/A Image: N/A
> Wait Start TickCount 39155 Ticks: 7 (0:00:00:00.070)
> Context Switch Count 161 LargeStack
> UserTime 00:00:00.030
> KernelTime 00:00:00.080
> Win32 Start Address 0x75fa5339
> Start Address 0x7c8106e9
> Stack Init f4e28740 Current f4e27e98 Base f4e29000 Limit f4e23000
> Call f4e2874c
> Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 0
> ChildEBP RetAddr
> f4e27eb0 804dc0f7 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
> f4e27ebc 804dc143 nt!KiSwapThread+0x46 (FPO: [0,0,0])
> f4e27ee4 8065a35b nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
> f4e27fc4 8065b4c5 nt!DbgkpQueueMessage+0x17c (FPO: [5,46,4])
> f4e27fe8 80610c79 nt!DbgkpSendApiMessage+0x45 (FPO: [2,0,0])
> f4e28074 80503113 nt!DbgkForwardException+0x8f (FPO: [3,30,4])
> f4e28434 804df235 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
> f4e2849c 804df947 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
> f4e2849c 7c9f3b28 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ f4e284a4)
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 01badd40 00000000 0x7c9f3b28
>
>
>
> kd> bp /p 821ecda0 nt!IoCreateFile "dt nt!_OBJECT_ATTRIBUTES poi(esp+c)"
>
> kd> bl
> 0 e 8056cc6b 0001 (0001) nt!IoCreateFile "dt nt!_OBJECT_ATTRIBUTES poi(esp+c)"
> Match process data 821ecda0
>
> kd> g
> 0:014> k
> k
> ChildEBP RetAddr
> 01badd0c 7c9f9299 SHELL32!CFSFolder::EnumObjects
> 01badd40 7c9f9a08 SHELL32!CDefviewEnumTask::FillObjectsToDPA+0x8b
> 01badd94 7e2ad91d SHELL32!CDefView::CreateViewWindow2+0x2de
> 01bade40 7e2aae15 SHDOCVW!FileCabinet_CreateViewWindow2+0x245
> 01bade68 75f88540 SHDOCVW!CBaseBrowser2::CreateViewWindow+0x39
> 01bade84 75f9c8a2 BROWSEUI!CCommonBrowser::CreateViewWindow+0x20
> 01badea4 7e2ab0df BROWSEUI!CShellBrowser2::CreateViewWindow+0x39
> 01badee8 7e2aaf60 SHDOCVW!CBaseBrowser2::_CreateNewShellView+0x181
> 01badf14 7e2aad8e SHDOCVW!CBaseBrowser2::_CreateNewShellViewPidl+0x7d
> 01baef94 75f88617 SHDOCVW!CBaseBrowser2::_NavigateToPidl+0x17c
> 01baefac 75f9b944 BROWSEUI!CCommonBrowser::_NavigateToPidl+0x1d
> 01baefd0 75fa339f BROWSEUI!CShellBrowser2::_NavigateToPidl+0x111
> 01baf044 7e2ad3bf BROWSEUI!CShellBrowser2::OnCreate+0x49f
> 01baf060 75f828e1 SHDOCVW!CBaseBrowser2::WndProcBS+0xf1
> 01baf07c 75fa5ab9 BROWSEUI!CCommonBrowser::WndProcBS+0x20
> 01baf0b8 75fa467f BROWSEUI!CShellBrowser2::WndProcBS+0x196
> 01baf0e4 7e418734 BROWSEUI!IEFrameWndProc+0xff
> 01baf110 7e42bdf1 USER32!InternalCallWinProc+0x28
> 01baf178 7e428ea0 USER32!UserCallWinProcCheckWow+0xea
> 01baf1cc 7e42ce7c USER32!DispatchClientMessage+0xa3
>
> 0:014> t
> SHELL32!CFSFolder::EnumObjects+0x2:
> 7c9f3b29 55 push ebp
>
> ================snip off ================================
> 0:014>
>
> eax=000000e0 ebx=7c9c71a0 ecx=00108468 edx=ffffffff esi=00112468 edi=00112480
> eip=7c9f3b51 esp=01badd00 ebp=01badd0c iopl=0 nv up ei pl nz na po cy
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000203
> SHELL32!CFSFolder::EnumObjects+0x2a:
> 7c9f3b51 51 push ecx
> 0:014>
>
> eax=000000e0 ebx=7c9c71a0 ecx=00108468 edx=ffffffff esi=00112468 edi=00112480
> eip=7c9f3b52 esp=01badcfc ebp=01badd0c iopl=0 nv up ei pl nz na po cy
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000203
> SHELL32!CFSFolder::EnumObjects+0x2b:
> 7c9f3b52 e8ccfcffff call SHELL32!CFSFolder_CreateEnum (7c9f3823)
>
>
> 0:014>
>
> +0x000 Length : 0x18
> +0x004 RootDirectory : (null)
> +0x008 ObjectName : 0x01bad5a0 _UNICODE_STRING "\??\C:\Documents and Settings\rr\Desktop\acctok"
>
> +0x00c Attributes : 0x40
> +0x010 SecurityDescriptor : (null)
> +0x014 SecurityQualityOfService : (null)
> nt!IoCreateFile:
> 8056cc6b 8bff mov edi,edi
> kd> r
> eax=00000000 ebx=8056cd5b ecx=00000000 edx=01bad52c esi=01bad544 edi=f4e284a4
> eip=8056cc6b esp=f4e28448 ebp=f4e28484 iopl=0 nv up ei pl zr na pe nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
> nt!IoCreateFile:
> 8056cc6b 8bff mov edi,edi
> kd> bl
> 0 e 8056cc6b 0001 (0001) nt!IoCreateFile "dt nt!_OBJECT_ATTRIBUTES poi(esp+c)"
> Match process data 821ecda0
>
>
> kd> .echo "set this bp with .breakin command while your explorer is frozen on a usermode breakpoint"
> set this bp with .breakin command while your explorer is frozen on a usermode breakpoint
> kd> .echo "and resume with g (go) start tracing and you will land here"
> and resume with g (go) start tracing and you will land here
>
>
> regards
>
> raj
>
>
>
> On Tue, Jan 4, 2011 at 10:26 AM, wrote:
>
>> TY very much Scott and Raj,
>>
>> I was looking for exactly what you both mentioned.
>>
>> @raj I will repro in my lab.
>>
>> @scott, like every time, you are just awesome.
>>
>> @joseph ty very much.
>>
>>
>
>
>
> –
> thanks and regards
>
> raj_r
>


thanks and regards

raj_r
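The `bp /p ... nt!IoCreateFile "dt nt!_OBJECT_ATTRIBUTES poi(esp+c)"` breakpoint above is the point where the open request for the folder reaches the I/O manager with the caller's OBJECT_ATTRIBUTES. The following is an added example, not code from the thread or from any poster: a small Python parser for that `dt` output that re-joins wrapped lines, pulls out the NT path, and decodes the Attributes field into its OBJ_* flag names (values from ntdef.h). The sample text is constructed from the dump shown in the thread; the field values are the ones printed there.

```python
import re

# OBJ_* flag bits of the Attributes field of _OBJECT_ATTRIBUTES (values from ntdef.h).
OBJ_FLAGS = {
    0x00000002: "OBJ_INHERIT",
    0x00000010: "OBJ_PERMANENT",
    0x00000020: "OBJ_EXCLUSIVE",
    0x00000040: "OBJ_CASE_INSENSITIVE",
    0x00000080: "OBJ_OPENIF",
    0x00000100: "OBJ_OPENLINK",
    0x00000200: "OBJ_KERNEL_HANDLE",
    0x00000400: "OBJ_FORCE_ACCESS_CHECK",
}

# Constructed sample: the `dt nt!_OBJECT_ATTRIBUTES poi(esp+c)` lines the
# breakpoint in the thread printed, including the line wrap inside ObjectName.
SAMPLE_DT = r'''
+0x000 Length : 0x18
+0x004 RootDirectory : (null)
+0x008 ObjectName : 0x01bad5a0 _UNICODE_STRING "\??\C:\Documents
and Settings\rr\Desktop\acctok"
+0x00c Attributes : 0x40
+0x010 SecurityDescriptor : (null)
+0x014 SecurityQualityOfService : (null)
'''

# One `dt` field line: "+0x<offset> <name> : <value>"
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*)$")


def parse_dt(text):
    """Return {field name: value string} from `dt` output; continuation lines
    (a value wrapped by the terminal or the mail client) are re-joined."""
    fields = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(2)
            fields[current] = m.group(3).strip()
        elif current is not None and line.strip():
            fields[current] += " " + line.strip()
    return fields


def decode_attributes(value):
    """Expand an Attributes value such as '0x40' into OBJ_* names; bits not in
    the table are reported as a hex remainder so nothing is silently dropped."""
    bits = int(value, 16)
    names = [name for flag, name in sorted(OBJ_FLAGS.items()) if bits & flag]
    leftover = bits & ~sum(OBJ_FLAGS)
    if leftover:
        names.append("0x%x" % leftover)
    return names


def object_name(fields):
    """The NT path quoted in the ObjectName _UNICODE_STRING, or None."""
    m = re.search(r'"(.*)"', fields.get("ObjectName", ""))
    return m.group(1) if m else None


def is_null(fields, name):
    return fields.get(name, "").startswith("(null)")


def summarize(text):
    """What a reviewer wants from the dump: which object the open targets, how
    the name is resolved, and whether the caller passed its own security
    descriptor (it is only used when a new object is created, so the access
    check on an existing folder runs against the folder's own DACL)."""
    f = parse_dt(text)
    return {
        "length": int(f["Length"], 16),          # 0x18: 32-bit OBJECT_ATTRIBUTES
        "path": object_name(f),
        "attributes": decode_attributes(f["Attributes"]),
        "relative_to_root_handle": not is_null(f, "RootDirectory"),
        "caller_supplied_sd": not is_null(f, "SecurityDescriptor"),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_DT).items():
        print("%-24s %s" % (k, v))
```

For the dump in the thread this reports a case-insensitive open of `\??\C:\Documents and Settings\rr\Desktop\acctok` with no root handle and no caller-supplied security descriptor. That combination is what you want to see before stepping on: the access denied is decided further down against the folder's existing DACL, using the effective token of the explorer.exe thread, which the `!process` output above shows as "Not impersonating", so it is the process's primary token.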