How to know who holds a lock?

Hi guys,

I’m having a deadlock problem in a MiniFilter driver when it opens files. The call stack looks like this:

THREAD 891b7d78 Cid 0828.0ca4 Teb: 7ff81000 Win32Thread: fe915c08 WAIT: (Executive) UserMode Non-Alertable
845d350c NotificationEvent
IRP List:
bb2f0db8: (0006,0244) Flags: 40000884 Mdl: 00000000
c181cf68: (0006,0094) Flags: 40060030 Mdl: 00000000
Not impersonating
DeviceMap 84209ee0
Owning Process 0 Image:
Attached Process b039f900 Image: myService.exe
Wait Start TickCount 72278 Ticks: 663 (0:00:00:10.342)
Context Switch Count 30750 NoStackSwap
UserTime 00:00:02.246
KernelTime 00:00:11.934
Win32 Start Address 0x0044a6d0
Stack Init 845d4000 Current 845d33e8 Base 845d4000 Limit 845d1000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr
845d3400 818d22ff nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
845d3444 8186fcc8 nt!KiSwapThread+0x44f
845d3498 8367dd74 nt!KeWaitForSingleObject+0x492
845d34c8 8369923f Ntfs!NtfsWaitForCreateEvent+0x5e (FPO: [Non-Fpo])
845d35c0 81afd6be Ntfs!NtfsFsdCreate+0x235 (FPO: [Non-Fpo])
845d35e4 818d6f8a nt!IovCallDriver+0x23f
845d35f8 81e9cba7 nt!IofCallDriver+0x1b
845d361c 81eaf643 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251 (FPO: [Non-Fpo])
845d3668 81afd6be fltmgr!FltpCreate+0x2a1 (FPO: [Non-Fpo])
845d368c 818d6f8a nt!IovCallDriver+0x23f
845d36a0 81a3bd11 nt!IofCallDriver+0x1b
845d3770 81a613ff nt!IopParseDevice+0xf61
845d3800 81a390f6 nt!ObpLookupObjectName+0x5a8
845d3864 81a3abf3 nt!ObOpenObjectByName+0x13c
845d38d8 81a4154d nt!IopCreateFile+0x63b
845d3934 81eb17dc nt!IoCreateFileEx+0x9d
845d39b8 81eb18ce fltmgr!FltCreateFileEx2+0xae (FPO: [Non-Fpo])
845d3a00 81ebe337 fltmgr!FltCreateFile+0x38 (FPO: [Non-Fpo])
845d3a4c 807d2ffb fltmgr!FltvCreateFile+0x47 (FPO: [Non-Fpo])
845d3aec 807d3284 MyDriver!MyCreateFile+0x31d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\project\io.c @ 482]
845d3b50 807bb26d MyDriver!MyDeleteFile+0x38 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\project\io.c @ 1338]
845d3c0c 81afd6be MyDriver!DeviceIoControlDispatch+0x1291 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\project\io.c @ 529]
845d3c30 818d6f8a nt!IovCallDriver+0x23f
845d3c44 81a67615 nt!IofCallDriver+0x1b
845d3c64 81a67dba nt!IopSynchronousServiceTail+0x1d9
845d3d00 81a51a8d nt!IopXxxControlFile+0x6b7
845d3d34 81872a1a nt!NtDeviceIoControlFile+0x2a
845d3d34 76e39a94 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 845d3d64)
0e78f978 76e38444 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0e78f97c 75c3c2a3 ntdll!ZwDeviceIoControlFile+0xc (FPO: [10,0,0])
WARNING: Frame IP not in any known module. Following frames may be wrong.
0e78f9dc 1002de6c 0x75c3c2a3
0e78fa70 100053e2 0x1002de6c
0e78fba4 76e20be7 0x100053e2
0e78fc50 76e50587 ntdll!RtlpDeCommitFreeBlock+0x69b (FPO: [Non-Fpo])
0e78fc7c 76e1e4b6 ntdll!RtlFreeHeap+0xc5 (FPO: [Non-Fpo])
75c54911 9075c110 ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])
75c5491d 4cec83ec 0x9075c110
75c54921 5308458b 0x4cec83ec
75c54925 c33bdb33 0x5308458b
75c54929 fc45c766 0xc33bdb33

From the above I can tell it’s blocked on an event (845d350c), and dt shows it’s not signaled:

1: kd> dt nt!_DISPATCHER_HEADER 845d350c
+0x000 Type : 0 ‘’
+0x001 Abandoned : 0 ‘’
+0x001 Absolute : 0 ‘’
+0x001 NpxIrql : 0 ‘’
+0x001 Signalling : 0 ‘’
+0x002 Size : 0x4 ‘’
+0x002 Hand : 0x4 ‘’
+0x003 Inserted : 0xff ‘’
+0x003 DebugActive : 0xff ‘’
+0x003 DpcActive : 0xff ‘’
+0x000 Lock : 0xff040000
+0x004 SignalState : 0
+0x008 WaitListHead : _LIST_ENTRY [0x891b7e30 - 0x891b7e30]

So, how can I know which thread holds this event? I tried to set a breakpoint on memory writes to SignalState, but it was never hit.
At the same time, the driver was sending several file events with FltSendMessage after calling KeEnterCriticalRegion/ExAcquireResourceSharedLite. Those events came from explorer.exe, SearchFilterHost.exe and RacAgent.exe.

Any ideas?

Nobody holds events; basically you are waiting for the event to be signaled,
and that could be anyone.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Information from ESET NOD32 Antivirus, version of virus signature database 3958 (20090324)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Yep, that’s my wrong expression.

Is it possible to set a breakpoint somewhere so I can know which thread will signal this event?

If you want to discover who calls KeSetEvent on a KEVENT, you could try a ba w1 on the Signalled member of the DISPATCH_HEADER, IIRC.

  • S

-----Original Message-----
From: xxxxx@ybwork.com
Sent: Tuesday, March 24, 2009 17:14
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] How to know who holds a lock?

Yep, that’s my wrong expression.

Is it possible to set a breakpoint somewhere so I can know which thread will signal this event?


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

> So, how can I know which thread holds this event?

Impossible. Possible for ERESOURCE locks only.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Put a data breakpoint on the Signaled field of this DISPATCHER_HEADER


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> Yep, that’s my wrong expression.
>
> Is it possible to set a breakpoint somewhere so I can know which thread will signal this event?
>

This is a complete guesstimate - but most of the time when I see a
thread blocked in the file system in create, it is because the file
system is waiting for an oplock break to be acknowledged.

So you may want to set up a trace using minispy and check if someone
requested an oplock on the file before you sent down your create.

Regards,
Sarosh.
File System Filter Lead
Microsoft Corp

This posting is provided “AS IS” with no warranties, and confers no Rights


Thanks Sarosh.

If that’s the case, is there something I should do before calling FltCreateFile to avoid such a deadlock?


The breakpoint worked this time. The call stack looks like this; the event is signaled by a system thread.

Breakpoint 0 hit
nt!KeSetEvent+0x55:
804fa299 e8dc8b0000 call nt!KiWaitTest (80502e7a)
1: kd> .thread
Implicit thread is now 869d3a20
1: kd> !thread 869d3a20
THREAD 869d3a20 Cid 0004.0010 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
Not impersonating
DeviceMap e1001158
Owning Process 869d4660 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 23799 Ticks: 0
Context Switch Count 3161
UserTime 00:00:00.000
KernelTime 00:00:00.125
Start Address nt!ExpWorkerThread (0x8053868e)
Stack Init f78bf000 Current f78bea28 Base f78bf000 Limit f78bc000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
f78bea94 bad802bb f60b4448 00000000 00000000 nt!KeSetEvent+0x55 (FPO: [Non-Fpo])
f78beaac 80658330 869e9020 8a57ae00 f60b4444 Ntfs!NtfsCreateCompletionRoutine+0x3c (FPO: [Non-Fpo])
f78bead0 804f16c0 869e9020 8a57ae00 f78beb34 nt!IovpLocalCompletionRoutine+0xb4 (FPO: [Non-Fpo])
f78beb00 806587b8 8a57ae00 00000000 00000000 nt!IopfCompleteRequest+0xa2 (FPO: [Non-Fpo])
f78beb6c bad3e6bb 85e1b7f0 00000000 f78beccc nt!IovCompleteRequest+0x9a (FPO: [Non-Fpo])
f78beb7c bad621bc 85e1b7f0 8a57ae00 00000000 Ntfs!NtfsCompleteRequest+0xac (FPO: [Non-Fpo])
f78beccc bad45bbf 85e1b7f0 8a57ae00 f78becf0 Ntfs!NtfsCommonCreate+0x19f4 (FPO: [Non-Fpo])
f78bed7c 8053877d 85e1b7f0 00000000 869d3a20 Ntfs!NtfsFspDispatch+0x113 (FPO: [Non-Fpo])
f78bedac 805cff70 85e1b7f0 00000000 00000000 nt!ExpWorkerThread+0xef (FPO: [Non-Fpo])
f78beddc 805460ee 8053868e 00000000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
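Added example (not code from any of the posts above, nor from the poster's driver): a small Python script that parses the `!thread` and `dt nt!_DISPATCHER_HEADER` output quoted in this thread and the dump from the final post. From the first dump and the dt output it reports whether the event is signaled, how many wait blocks hang off WaitListHead, where the single wait block sits relative to the waiting thread (KeWaitForSingleObject uses a wait block embedded in the waiter's KTHREAD, so the offset should be small), the first non-nt frame the thread is blocked in, and the `ba w1` command the replies suggest, computed from the SignalState offset that dt printed. From the second dump it extracts the KEVENT address that KeSetEvent received (its first "Args to Child" value) and the routine that called it. The two dumps come from different sessions (the kernel addresses differ), so the script analyses them independently. The sample strings are trimmed copies of the dumps on this page, constructed for the example.

```python
"""Parse the WinDbg output pasted in this thread and derive the data breakpoint the replies
suggest.  Added example, not code from the posts; the sample strings are trimmed copies of
the dumps above (constructed subsets)."""
import re

WAITING_THREAD = """
THREAD 891b7d78 Cid 0828.0ca4 Teb: 7ff81000 Win32Thread: fe915c08 WAIT: (Executive) UserMode Non-Alertable
845d350c NotificationEvent
Attached Process b039f900 Image: myService.exe
Wait Start TickCount 72278 Ticks: 663 (0:00:00:10.342)
845d3498 8367dd74 nt!KeWaitForSingleObject+0x492
845d34c8 8369923f Ntfs!NtfsWaitForCreateEvent+0x5e (FPO: [Non-Fpo])
845d3aec 807d3284 MyDriver!MyCreateFile+0x31d (FPO: [Non-Fpo])
"""
DT_OUTPUT = """
+0x000 Lock : 0xff040000
+0x004 SignalState : 0
+0x008 WaitListHead : _LIST_ENTRY [0x891b7e30 - 0x891b7e30]
"""
SIGNALING_THREAD = """
THREAD 869d3a20 Cid 0004.0010 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
Owning Process 869d4660 Image: System
Start Address nt!ExpWorkerThread (0x8053868e)
f78bea94 bad802bb f60b4448 00000000 00000000 nt!KeSetEvent+0x55 (FPO: [Non-Fpo])
f78beaac 80658330 869e9020 8a57ae00 f60b4444 Ntfs!NtfsCreateCompletionRoutine+0x3c (FPO: [Non-Fpo])
f78bedac 805cff70 85e1b7f0 00000000 00000000 nt!ExpWorkerThread+0xef (FPO: [Non-Fpo])
"""

HEX8 = re.compile(r"^[0-9a-f]{8}$")
HEADER_RE = re.compile(r"^THREAD ([0-9a-f]{8}) Cid ([0-9a-f]{4})\.[0-9a-f]{4} .*?\b(WAIT|RUNNING|READY)\b")
WAIT_OBJ_RE = re.compile(r"^([0-9a-f]{8}) (\w*Event|Mutant|Semaphore|Timer|Thread|Process)$")
IMAGE_RE = re.compile(r"^(?:Owning|Attached) Process [0-9a-f]{8} Image: (\S+)")
START_RE = re.compile(r"^Start Address (\S+)")
WAIT_TIME_RE = re.compile(r"\((\d+):(\d+):(\d+):(\d+)\.(\d+)\)")  # d:hh:mm:ss.mmm after "Ticks:"
DT_FIELD_RE = re.compile(r"^\+0x([0-9a-f]+) (\w+) : (\S+)(?: \[0x([0-9a-f]+) - 0x([0-9a-f]+)\])?")


def parse_thread(text):
    """Pull the fields this analysis needs out of one !thread dump."""
    info = {"wait_objects": [], "frames": [], "image": None, "start": "", "wait_seconds": None}
    for line in (l.strip() for l in text.splitlines()):
        tok = line.split()
        if m := HEADER_RE.match(line):
            info.update(thread=int(m[1], 16), pid=int(m[2], 16), state=m[3])
        elif m := WAIT_OBJ_RE.match(line):
            info["wait_objects"].append((int(m[1], 16), m[2]))
        elif m := IMAGE_RE.match(line):
            info["image"] = m[1]
        elif m := START_RE.match(line):
            info["start"] = m[1]
        elif m := WAIT_TIME_RE.search(line):
            d, h, mi, s, ms = (int(x) for x in m.groups())
            info["wait_seconds"] = d * 86400 + h * 3600 + mi * 60 + s + ms / 1000
        elif len(tok) >= 3 and HEX8.match(tok[0]) and HEX8.match(tok[1]):
            # Frame line: ChildEBP RetAddr [up to three Args to Child] symbol ...
            i = 2
            while i < len(tok) and HEX8.match(tok[i]):
                i += 1
            info["frames"].append({"args": [int(a, 16) for a in tok[2:i]],
                                   "func": tok[i] if i < len(tok) else ""})
    return info


def parse_dt(text):
    """Turn dt output into {field: (offset, value, (Flink, Blink) or None)}."""
    fields = {}
    for m in (DT_FIELD_RE.match(l.strip()) for l in text.splitlines()):
        if m:
            try:
                value = int(m[3], 0)
            except ValueError:
                value = m[3]  # a type name such as _LIST_ENTRY
            fields[m[2]] = (int(m[1], 16), value, (int(m[4], 16), int(m[5], 16)) if m[4] else None)
    return fields


def analyze_wait(thread, header):
    """Combine the waiter's dump with dt of the object it blocks on."""
    obj_addr, obj_type = thread["wait_objects"][0]
    sig_off, sig_val, _ = header["SignalState"]
    head_off, _, (flink, blink) = header["WaitListHead"]
    # Empty list -> 0 waiters; Flink == Blink -> exactly one wait block; else at least two (walk it in kd).
    waiters = 0 if flink == obj_addr + head_off else 1 if flink == blink else 2
    # KeWaitForSingleObject links a wait block embedded in the waiter's KTHREAD, so the block
    # should sit a short distance past the waiting thread's address.
    block_off = flink - thread["thread"] if waiters else None
    return {"object": obj_addr, "type": obj_type, "signaled": sig_val != 0, "waiters": waiters,
            "wait_block_offset": block_off, "wait_seconds": thread["wait_seconds"],
            "blocked_in": next((f["func"] for f in thread["frames"] if not f["func"].startswith("nt!")), None),
            # The breakpoint the replies suggest: a write watch on SignalState.  One byte catches the
            # 0 -> 1 transition; w4 covers the whole LONG.
            "ba_command": f"ba w1 {obj_addr + sig_off:08x}"}


def signaler_summary(thread):
    """Once the data breakpoint fires, say who signaled the event and from where."""
    frames = thread["frames"]
    for i, f in enumerate(frames):
        if f["func"].startswith("nt!KeSetEvent"):
            return {"event": f["args"][0] if f["args"] else None,  # KeSetEvent's first argument
                    "caller": frames[i + 1]["func"] if i + 1 < len(frames) else None,
                    "image": thread["image"], "pid": thread["pid"],
                    "worker_thread": thread["start"].startswith("nt!ExpWorkerThread")}
    return None
```

Run `analyze_wait(parse_thread(WAITING_THREAD), parse_dt(DT_OUTPUT))` to get the `ba w1 845d3510` command, the single waiter whose wait block lies 0xb8 bytes into thread 891b7d78, and the 10.342 s wait; `signaler_summary(parse_thread(SIGNALING_THREAD))` then shows the signaling side from the last post: KeSetEvent on f60b4448, called from Ntfs!NtfsCreateCompletionRoutine in a System worker thread. The dt-derived offset matters because the header layout is what the script trusts, not a hard-coded +4; if a different build prints SignalState elsewhere, the command follows it.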