When I use !process xxx 0x7 on a process, sometimes I get something like the following, where a particular thread has an attached process.
My question is: what is the meaning of this? How can a process attach to a particular thread?
And in this particular case, csrss is attaching to one of its own threads. Can someone make sense of this?
THREAD 8fa70600 Cid 0004.130c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
81facbb8 PriQueueObject
Not impersonating
DeviceMap 88206af8
Owning Process 81f68900 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 243348 Ticks: 937 (0:00:00:14.640)
Context Switch Count 167379 IdealProcessor: 1 NoStackSwap
UserTime 00:00:00.000
KernelTime 00:06:13.593
Win32 Start Address nt!ExpWorkerThread (0x820473c0)
Stack Init 8de5bde0 Current 8de5bbdc Base 8de5c000 Limit 8de59000 Call 00000000
Priority 15 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
8de5bbf4 82050a69 00000100 88bf4120 8fa70600 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])
8de5bc90 8204fa97 81facbb8 8fa70600 8fa706e0 nt!KiSwapThread+0xb19 (FPO: [Non-Fpo])
8de5bce4 820477fc 00000000 81facbb8 8fa70600 nt!KiCommitThreadWait+0x127 (FPO: [Non-Fpo])
8de5bd24 8204744b 8230a540 00000000 00000000 nt!KeRemovePriQueue+0x13c (FPO: [Non-Fpo])
8de5bd78 821261c8 81facbb8 c4a283c8 00000000 nt!ExpWorkerThread+0x8b (FPO: [Non-Fpo])
8de5bdb0 8218178d 820473c0 81facbb8 00000000 nt!PspSystemThreadStartup+0x4a (FPO: [Non-Fpo])
8de5bdbc 00000000 00000000 00356dd0 00356e70 nt!KiThreadStartup+0x15
THREAD 91bb1040 Cid 0004.1314 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
Not impersonating
DeviceMap 88206af8
Owning Process 81f68900 Image: System
Attached Process 901798c0 Image: csrss.exe
Wait Start TickCount 244285 Ticks: 0
Context Switch Count 38517 IdealProcessor: 1 NoStackSwap
UserTime 00:00:00.000
KernelTime 00:00:07.671
Win32 Start Address nt!ExpWorkerThread (0x820473c0)
Stack Init 8de63de0 Current 8de637fc Base 8de64000 Limit 8de61000 Call 00000000
Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
8de63a2c 823236b6 0000004c c000021a a2047964 nt!KeBugCheckEx
8de63a54 8231e12a 00000000 8de63c04 8de63c88 nt!PopGracefulShutdown+0x221 (FPO: [1,0,0])
8de63a98 82316026 00000004 00000006 c0000004 nt!PopTransitionSystemPowerStateEx+0xa93a
8de63bf0 821793eb 00000004 00000006 c0000004 nt!NtSetSystemPowerState+0x4e (FPO: [3,84,0])
8de63bf0 82164aa9 00000004 00000006 c0000004 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 8de63c04)
8de63c74 8250046d 00000004 00000006 c0000004 nt!ZwSetSystemPowerState+0x11 (FPO: [3,0,0])
8de63ccc 8243c43d 00000006 c0000004 00000000 nt!PopIssueActionRequest+0xc446f
8de63d0c 82034c3e 81facbb8 91bb1040 822b67b0 nt!PopPolicyWorkerAction+0x5f (FPO: [Non-Fpo])
8de63d28 820474aa 00000001 00000000 91bb1040 nt!PopPolicyWorkerThread+0x8a (FPO: [Non-Fpo])
8de63d78 821261c8 81facbb8 c4a103c8 00000000 nt!ExpWorkerThread+0xea (FPO: [Non-Fpo])
8de63db0 8218178d 820473c0 81facbb8 00000000 nt!PspSystemThreadStartup+0x4a (FPO: [Non-Fpo])
8de63dbc 00000000 00000000 80dc0dd0 0001e080 nt!KiThreadStartup+0x15