!locks dump question

Hi,
I have a question regarding the dump I get with “!locks” command.
Here is an example of the “!locks” dump, that I get.

0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks…

Resource @ nt!CmpRegistryLock (0x804763c0) Shared 1 owning threads
Contention Count = 6715
NumberOfSharedWaiters = 7
NumberOfExclusiveWaiters = 4
Threads: a421bdb8-01 8198b140-01 aa569db8-01 bd1ebdb8-01
81c9d7c0-01 bcfd5db8-01 bebfbdb8-01 b621bdb8-01
KD: Scanning for held locks…

Resource @ 0xa54e1ce4 Shared 49 owning threads
Contention Count = 9
Threads: a41fddb8-01 818abb20-01 a4397db8-01 fcbd3480-01
f9247020-01 f8b96da0-01 81b64620-01 fec70560-01
8143d380-01 81b7c4a0-01 fe1042c0-01 8146aaa0-01
f9164360-01 816638e0-01 816499e0-01 8136dcc0-01
81179420-01 ff153120-01 f8a59da0-01 81778b40-01
f8c73da0-01 83545820-01 859ad560-01 fed34480-01
81193ce0-01 862f9020-01 81833020-01 f8bb2da0-01
813afb00-01 81281da0-01 f90a0620-01 f8b28840-01
f8f1e240-01 f8dfd340-01 f8eefda0-01 817eec00-01
830f6d00-01 f8d7a840-01 81623be0-01 80fcc020-01
f90f5da0-01 811f5020-01 8187c7e0-01 8185bda0-01
fc7a72c0-01 81bba7e0-01 818d0b60-01 81c92020-01
81802840-01
KD: Scanning for held locks…

… And so on …

Question:
Why is the count of shared owners for nt!CmpRegistryLock (0x804763c0)
resource equal to 1 (“Shared 1 owning threads”) and the list of its owning
“Threads:” contains 8 threads,
while for all other resources (also the one I didn’t paste in this e-mail)
that “!locks” dump, the number of “Shared X owning threads” matches the
number of listed “Threads:”?

e.g. for 0xa54e1ce4 resource the “Shared 49 owning threads” matches the
number of its listed “Threads:”.

I’m using WinDbg 6.0.17.0.
Thanks in advance!

WBR Primoz

I think you will find that the 8 threads listed are the one shared owner and
the 7 shared waiters - those 7 threads are blocked because by the time the
shared request was issued there were already exclusive waiters and the
caller did not use ExAcquireSharedStarveExclusive.

/simgr

-----Original Message-----
From: Primoz Beltram [mailto:xxxxx@hermes.si]
Sent: Tuesday, August 27, 2002 9:56 AM
To: Kernel Debugging Interest List
Subject: [windbg] !locks dump question

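
The accounting given in the reply above (listed threads = shared owners + shared waiters) can be checked mechanically over saved `!locks` output. The Python code below is an added example, not part of the original thread; the names `parse_locks` and `reconcile`, the result keys, and the second sample resource are assumptions made for illustration.

```python
import re

HEADER = re.compile(r"^Resource @ (?P<name>.+?)\s+Shared (?P<owners>\d+) owning threads")
COUNTER = re.compile(r"^(?P<key>NumberOf(?:Shared|Exclusive)Waiters)\s*=\s*(?P<val>\d+)")
THREAD = re.compile(r"\b[0-9a-fA-F]{8}-\d{2}\b")

# First resource is copied from the post; the second is constructed for contrast.
SAMPLE = """\
Resource @ nt!CmpRegistryLock (0x804763c0) Shared 1 owning threads
Contention Count = 6715
NumberOfSharedWaiters = 7
NumberOfExclusiveWaiters = 4
Threads: a421bdb8-01 8198b140-01 aa569db8-01 bd1ebdb8-01
81c9d7c0-01 bcfd5db8-01 bebfbdb8-01 b621bdb8-01
KD: Scanning for held locks...

Resource @ 0x00000000 Shared 2 owning threads
Contention Count = 0
Threads: 11111111-01 22222222-01
"""

def parse_locks(text):
    """Return one dict per shared resource found in saved !locks output."""
    resources, cur, in_threads = [], None, False
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"], "owners": int(m["owners"]),
                   "NumberOfSharedWaiters": 0, "NumberOfExclusiveWaiters": 0,
                   "threads": []}
            resources.append(cur)
            in_threads = False
            continue
        if cur is None:
            continue  # banner lines before the first resource
        m = COUNTER.match(line)
        if m:
            cur[m["key"]] = int(m["val"])
        elif line.startswith("Threads:") or (in_threads and THREAD.match(line)):
            in_threads = True  # "Threads:" line or a wrapped continuation of it
            cur["threads"] += THREAD.findall(line)
        else:
            in_threads = False
    return resources

def reconcile(res):
    """Compare the listed thread count with owners + shared waiters."""
    listed = len(res["threads"])
    expected = res["owners"] + res["NumberOfSharedWaiters"]
    return {"name": res["name"], "listed": listed, "expected": expected,
            "consistent": listed == expected,
            "shared_waiters_behind_exclusive":
                res["NumberOfSharedWaiters"] > 0 and res["NumberOfExclusiveWaiters"] > 0}
```

For the `nt!CmpRegistryLock` entry this yields 8 listed threads against 1 owner plus 7 shared waiters, and flags that shared waiters are queued while exclusive waiters exist.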

Hi, all

I would like to know how to identify which session a specified process
belongs to from memory.dmp under Windows NT Server or Terminal Server
Edition.
If anyone knows about this topic, would you tell me about it?

Thanks in advance,
Futoshi

Hi, all

I have had some experiences where symbols under NT4 and TSE are mismatched
while analyzing a dump.
Of course, if I use the symbol server, I always find that symbols are
mismatched, but in most of those cases,
after I copied the symbols to a local or network repository and tried again,
the problem was resolved.
But in this case, every time I try to change the symbol file path order, I
find that symbols are mismatched.

I attached the verbose log with this mail.


0:001> .reload
…DBGHELP: ntdll.dll is stripped. Searching for dbg file
DBGHELP: f:\tsej_sp6\symbols\ntdll.dbg - file not found
DBGHELP: f:\tsej_sp6\symbols\symbols\dll\ntdll.dbg - path not found
DBGHELP: f:\tsej_sp6\symbols\dll\ntdll.dbg - OK <- symbols are found
*** WARNING: symbols timestamp is wrong 0x3d3d6a7b 0x396fb5a9 for ntdll.dll
DBGHELP: ntdll - coff symbols loaded from f:\tsej_sp6\symbols\dll\ntdll.dbg

Verbose mode ON.
0:001> .reload
.ModLoad: 00400000 0042b000 C:\Program Files\Citrix\System32\clntsetup.exe
.Loading symbols for 77f80000 ntdll.dll -> DBGHELP: ntdll.dll is stripped. Searching for dbg file
DBGHELP: f:\tsej_sp6\symbols\ntdll.dbg - file not found
DBGHELP: f:\tsej_sp6\symbols\symbols\dll\ntdll.dbg - path not found
DBGHELP: f:\tsej_sp6\symbols\dll\ntdll.dbg - OK
ntdll.dll
*** WARNING: symbols timestamp is wrong 0x3d3d6a7b 0x396fb5a9 for ntdll.dll
DBGHELP: ntdll - coff symbols loaded from f:\tsej_sp6\symbols\dll\ntdll.dbg
ModLoad: 77f80000 77ffb000 C:\WINNT\System32\ntdll.dll
.ModLoad: 77b20000 77ba9000 C:\WINNT\system32\COMCTL32.dll
.ModLoad: 77f40000 77f7c000 C:\WINNT\system32\GDI32.DLL
.ModLoad: 77e50000 77f35000 C:\WINNT\system32\KERNEL32.DLL
.ModLoad: 77de0000 77e45000 C:\WINNT\system32\USER32.DLL
.ModLoad: 77d80000 77ddd000 C:\WINNT\system32\ADVAPI32.DLL
.ModLoad: 78780000 787f1000 C:\WINNT\system32\RPCRT4.DLL
.ModLoad: 78310000 783bd000 C:\WINNT\System32\SETUPAPI.dll
.ModLoad: 78000000 78046000 C:\WINNT\system32\MSVCRT.DLL
.ModLoad: 77be0000 77c3e000 C:\WINNT\System32\USERENV.DLL
.ModLoad: 77a20000 77b15000 C:\WINNT\system32\ole32.dll
.ModLoad: 67f30000 67f39000 C:\Program Files\Citrix\System32\cmcud.dll
.ModLoad: 74ff0000 75000000 C:\WINNT\system32\MPR.dll
.ModLoad: 648c0000 648cb000 C:\WINNT\System32\UTILDLL.dll
.ModLoad: 774e0000 77502000 C:\WINNT\System32\TAPI32.dll
.ModLoad: 77c40000 77c8a000 C:\WINNT\system32\SHLWAPI.DLL
.ModLoad: 750e0000 7512f000 C:\WINNT\System32\NETAPI32.dll
.ModLoad: 77bb0000 77bbf000 C:\WINNT\System32\SECUR32.DLL
.ModLoad: 75130000 75136000 C:\WINNT\System32\NETRAP.DLL
.ModLoad: 750c0000 750d0000 C:\WINNT\System32\SAMLIB.DLL
.ModLoad: 74f90000 74fa3000 C:\WINNT\System32\WS2_32.DLL
.ModLoad: 74f80000 74f88000 C:\WINNT\System32\WS2HELP.DLL
.ModLoad: 77920000 7794a000 C:\WINNT\system32\WLDAP32.DLL
.ModLoad: 77950000 77974000 C:\WINNT\System32\DNSAPI.DLL
.ModLoad: 74fb0000 74fba000 C:\WINNT\System32\WSOCK32.DLL
.ModLoad: 639d0000 639dc000 C:\WINNT\System32\WINSTA.dll
.ModLoad: 76f60000 77052000 C:\WINNT\System32\MFC42u.DLL
.ModLoad: 64e30000 64e3f000 C:\WINNT\System32\tsappcmp.dll
.ModLoad: 75df0000 75e0a000 C:\WINNT\System32\IMM32.DLL
.ModLoad: 10000000 10006000 C:\Program Files\Citrix\System32\RMProcessLink.dll
.ModLoad: 67ad0000 67ad6000 C:\WINNT\System32\mfaphook.dll
.ModLoad: 6aa10000 6aa1d000 C:\WINNT\System32\MFC42LOC.DLL
.ModLoad: 6cc90000 6cc96000 C:\WINNT\System32\INDICDLL.dll
.ModLoad: 72cd0000 72d13000 C:\WINNT\System32\imejp.ime
.ModLoad: 73cc0000 73f06000 C:\WINNT\system32\SHELL32.DLL
.ModLoad: 73000000 730a1000 C:\WINNT\System32\IMEJPKNL.DLL


Thanks in Advance,
Futoshi

Hi, All

I got this output by typing “!handle 0 0” in the command window under windbg.
I think it points out that SMSS.exe recognized the sessions as follows.

0: kd> !object 80e9a6f0
Object: 80e9a6f0 Type: (80fbfd60) Directory
ObjectHeader: 80e9a6d8
HandleCount: 2 PointerCount: 14
Directory Object: 80f8dc70 Name: WinStations
HashBucket[07]: 80ae53b0 WinStaObj ‘113’ <-session id 113
HashBucket[11]: 80e68970 WinStaObj ‘0’ <-console session
84e84a30 WinStaObj ‘117’ <-session id 117
HashBucket[12]: 84c6edb0 WinStaObj ‘131’ <-session id 131
HashBucket[13]: 808b3fd0 WinStaObj ‘126’ <-session id 126
80c1a730 WinStaObj ‘2’ <-listener port for ICA/TCP
HashBucket[14]: 80c790f0 WinStaObj ‘3’ <-listener port for RDP/TCP
HashBucket[15]: 80afc0d0 WinStaObj ‘128’ <-session id 128
HashBucket[16]: 809c1d90 WinStaObj ‘135’ <-session id 135
HashBucket[17]: 80bfa610 WinStaObj ‘136’ <-session id 136
HashBucket[25]: 84343470 WinStaObj ‘77’ <-session id 77

But I got the result that TermSrv.exe recognized 9 sessions, as follows.

What happened in this situation?
If anyone has any idea, please give me any suggestions.

Thanks in advance,
Futoshi

0: kd> x termsrv!WinStationListHead
02b90d68 termsrv!WinStationListHead
0: kd> dd 02b90d68 l1
02b90d68 0013fd38
0: kd> dc 0013fd38+0x1c<-this is console session
0013fd54 00000000 006f0043 0073006e 006c006f …C.o.n.s.o.l.
0013fd64 00000065 00000000 00000000 00000000 e…
0013fd74 00000000 00000000 00000000 00000000 …
0013fd84 00000000 00000000 00000000 00000000 …
0013fd94 00000000 00000000 00000000 00000000 …
0013fda4 00000000 00000000 00000000 00000000 …
0013fdb4 00000000 00000000 00000000 00000000 …
0013fdc4 00000000 00000000 00000000 00000000 …
0: kd> dc 0013fd38+0x318c l1<-session status is ACTIVE
00142ec4 00000000 …
0: kd> dc 0013fd38 l1
0013fd38 00146990 .i…
0: kd> dc 00146990+0x1c <-this is ICA-TCP Listener port
001469ac 00000002 00430049 002d0041 00630074 …I.C.A.-.t.c.
001469bc 00000070 00000000 00000000 00000000 p…
001469cc 00000000 00000000 00000000 00000000 …
001469dc 00000000 00000000 00000000 00000000 …
001469ec 00000000 00000000 00000000 00000000 …
001469fc 00000000 00000000 00000000 00000000 …
00146a0c 00000000 00000000 00000000 00000000 …
00146a1c 00000000 00000000 00000000 00000000 …
0: kd> dc 00146990+0x318c l1<-session status is listen
00149b1c 00000006 …
0: kd> dc 00146990 l1
00146990 00149cd8 …
0: kd> dc 00149cd8+0x1c<-this is RDP-TCP Listener port
00149cf4 00000003 00440052 002d0050 00630074 …R.D.P.-.t.c.
00149d04 00000070 00000000 00000000 00000000 p…
00149d14 00000000 00000000 00000000 00000000 …
00149d24 00000000 00000000 00000000 00000000 …
00149d34 00000000 00000000 00000000 00000000 …
00149d44 00000000 00000000 00000000 00000000 …
00149d54 00000000 00000000 00000000 00000000 …
00149d64 00000000 00000000 00000000 00000000 …
0: kd> dc 00149cd8+0x318c l1 <-session status is listen
0014ce64 00000006 …
0: kd> dc 00149cd8 l1
00149cd8 00229798 …".
0: kd> dc 00229798+0x1c <-this session is that the number of ICA session is 77
002297b4 0000004d 00430049 002d0041 00630074 M…I.C.A.-.t.c.
002297c4 00230070 00370037 00000000 00000000 p.#.7.7…
002297d4 00000000 00000000 00000000 00000000 …
002297e4 00000000 00000000 00000000 00000000 …
002297f4 00000000 00490000 00410043 0074002d …I.C.A.-.t.
00229804 00700063 00000000 00000000 00000000 c.p…
00229814 00000000 00000000 00000000 00000000 …
00229824 00000000 00000000 00000000 00000000 …
0: kd> dc 00229798+0x318c l1 <-this session is Active.
0022c924 00000000 …
0: kd> dc 00229798 l1
00229798 07a6e008 …
0: kd> dc 07a6e008+0x1c <- this session is that the number of ICA session is 113
07a6e024 00000071 00430049 002d0041 00630074 q…I.C.A.-.t.c.
07a6e034 00230070 00310031 00000033 00000000 p.#.1.1.3…
07a6e044 00000000 00000000 00000000 00000000 …
07a6e054 00000000 00000000 00000000 00000000 …
07a6e064 00000000 00490000 00410043 0074002d …I.C.A.-.t.
07a6e074 00700063 00000000 00000000 00000000 c.p…
07a6e084 00000000 00000000 00000000 00000000 …
07a6e094 00000000 00000000 00000000 00000000 …
0: kd> dc 07a6e008+0x318c l1
07a71194 00000000 <- this session is Active …
0: kd> dc 07a6e008 l1
07a6e008 07a9d870 p…
0: kd> dc 07a9d870+0x1c <- this session is that the number of ICA session is 117
07a9d88c 00000075 00430049 002d0041 00630074 u…I.C.A.-.t.c.
07a9d89c 00230070 00310031 00000037 00000000 p.#.1.1.7…
07a9d8ac 00000000 00000000 00000000 00000000 …
07a9d8bc 00000000 00000000 00000000 00000000 …
07a9d8cc 00000000 00490000 00410043 0074002d …I.C.A.-.t.
07a9d8dc 00700063 00000000 00000000 00000000 c.p…
07a9d8ec 00000000 00000000 00000000 00000000 …
07a9d8fc 00000000 00000000 00000000 00000000 …
0: kd> dc 07a9d870+0x318c l1 <- this session is Active
07aa09fc 00000000 …
0: kd> dc 07a9d870 l1
07a9d870 001b0108 …
0: kd> dc 001b0108+0x1c <- this session is that the number of ICA session is 126
001b0124 0000007e 00430049 002d0041 00630074 ~…I.C.A.-.t.c.
001b0134 00230070 00320031 00000036 00000000 p.#.1.2.6…
001b0144 00000000 00000000 00000000 00000000 …
001b0154 00000000 00000000 00000000 00000000 …
001b0164 00000000 00490000 00410043 0074002d …I.C.A.-.t.
001b0174 00700063 00000000 00000000 00000000 c.p…
001b0184 00000000 00000000 00000000 00000000 …
001b0194 00000000 00000000 00000000 00000000 …
0: kd> dc 001b0108+0x318c l1
001b3294 00000000 <- this session is Active …
0: kd> dc 001b0108 l1
001b0108 00206008 .` .
0: kd> dc 00206008+0x1c <-this session is that the number of ICA session is 128
00206024 00000080 00430049 002d0041 00630074 …I.C.A.-.t.c.
00206034 00230070 00320031 00000038 00000000 p.#.1.2.8…
00206044 00000000 00000000 00000000 00000000 …
00206054 00000000 00000000 00000000 00000000 …
00206064 00000000 00490000 00410043 0074002d …I.C.A.-.t.
00206074 00700063 00000000 00000000 00000000 c.p…
00206084 00000000 00000000 00000000 00000000 …
00206094 00000000 00000000 00000000 00000000 …
0: kd> dc 00206008+0x318c l1 <-this session is Active
00209194 00000000 …
0: kd> dc 00206008 l1
00206008 00209300 … .
0: kd> dc 00209300+0x1c <-this session is that the number of ICA session is 131
0020931c 00000083 00430049 002d0041 00630074 …I.C.A.-.t.c.
0020932c 00230070 00330031 00000031 00000000 p.#.1.3.1…
0020933c 00000000 00000000 00000000 00000000 …
0020934c 00000000 00000000 00000000 00000000 …
0020935c 00000000 00490000 00410043 0074002d …I.C.A.-.t.
0020936c 00700063 00000000 00000000 00000000 c.p…
0020937c 00000000 00000000 00000000 00000000 …
0020938c 00000000 00000000 00000000 00000000 …
0: kd> dc 00209300+0x318c l1<-this session is Active
0020c48c 00000000 …

Hi, all

MS guys tell me there is some kind of command file to set breakpoints in
advance before windbg executes.
But I could not find it in the windbg help document.
If anyone knows about it and how to use it, would you tell me about it?

Thanks in advance,
Futoshi

$< (Run Script File)
Reads the contents of the specified script file and uses its contents as
debugger command input.

Syntax
$<Filename
A file containing valid debugger command text. The filename must follow
Microsoft® MS-DOS® filename conventions. There cannot be any spaces between
the “$<” and Filename.
----- Original Message -----
From:
To: “Kernel Debugging Interest List”
Sent: Wednesday, August 28, 2002 12:50 AM
Subject: [windbg] [command file]

> Hi, all
>
> MS guys tell me there is some kind of command file to set breakpoints in
> advance before windbg executes.
> But I could not find it in the windbg help document.
> If anyone knows about it and how to use it, would you tell me about it?
>
> Thanks in advance,
> Futoshi

Thank you for your reply.

I will try it. If I use command-file.

Futoshi
-----Original Message-----
From: Michael & Karen Gilson [mailto:xxxxx@gte.net]
Sent: Friday, August 30, 2002 8:29 PM
To: Kernel Debugging Interest List
Subject: [windbg] Re: [command file]


Hi, all

I would like to know how to specify lpc problems by using “!lpc”,
but the windbg documentation lacks a detailed explanation of the output of
“!lpc”.

For example, I got the following output by “!lpc”.
(1) does not contain thread stacks, but (2) contains some thread stack for
some process.
What is the difference? Did this specify some problems? Or is the thread
stack that is not displayed simply swapped out?

(1) Connection Port Object at e2194cc0 - Name=‘*** Bad object Name length for Object’ created by CSRSS.EXE
Client Port Object at e3292f10 (connected to e21a5410) - created by SMSS.EXE
(2) Connection Port Object at e13e8f60 - Name=‘\SmSsWinStationApiPort’ created by TERMSRV.EXE
Client Port Object at e1e482b0 (connected to e13edcf0) - created by CSRSS.EXE
Reply Chain head: 8480ea98 . 8480ea98
THREAD 8480e8e0 Cid a34.35f Teb: 7ffdd000 Win32Thread: 00000000
WAIT: (WrLpcReply) UserMode Non-Alertable
8480eac8 Semaphore Limit 0x1
Waiting for reply to LPC MessageId 005351ef:
Not impersonating
Owning Process 808d2020
WaitTime (seconds) 4222491
Context Switch Count 3
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x5ffa9425
Stack Init ad108000 Current ad107e30 Base ad108000 Limit ad105000
Call 0
Priority 11 BasePriority 11 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.

ChildEBP RetAddr Args to Child
ad107e48 80118f9e 8480eadc 8480ea98 00000000 nt!KiSwapThread+0x1b1
ad107e6c 8018328d 8480eac8 00000011 107e8801 nt!KeWaitForSingleObject+0x1e2
ad107ef0 80148679 00000044 0056feb4 0056feb4 nt!NtRequestWaitReplyPort+0x539
ad107ef0 77f5836f 00000044 0056feb4 0056feb4 nt!KiSystemService+0xc9
0056fff4 00000000 00000000 00000000 00000000 ntdll!ZwRequestWaitReplyPort+0xb

If someone knows how to specify lpc problems by using “!lpc”, would you tell
me about it?

Thanks in advance,
Futoshi