Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads. When the system
bugchecks, and I look through !process under windbg, I see a thread of this
service is owned by a different process, that no longer exists in the
process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED???

-THANKS IN ADVANCE.
-PROKASH

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case.
What does !process show on the owning process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2


That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (loaded in windbg), !process gives me

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread, that
has the owner process 81ca2da8.

Yes, we muck around with undocumented stuff.

Scenario
--------

Some partial cleanup goes on: the service issues an IOCTL to the driver, the
driver finds the current process, and tries to do the cleanup after attaching
to the current process.

Since the above steps are at PASSIVE_LEVEL, I suppose this current process
is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME WE TRY TO
ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2


Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<--- This one is bumped up by KeAttachProcess before calling KiAttachProcess. FINE, NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc -- (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204           mov     [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP equivalent of int 2e

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit f46f0000
Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit f4679000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit f43b4000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit f4be9000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread: e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit f4cd0000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread: e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000
Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
///////WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000
Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can’t set dump file contexts
MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000
Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit f4378000
Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
// uniprocessor
//
kd> ~1
1 is not a valid processor number
//
// faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context

[e, 0] 0 0 81daed20 81eeeeb8 00000000-00000000
\Driver\vsdatant
Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

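The check done by hand in the dump above (walk `!process 0 0`, then compare each thread's "Owning Process" against the PROCESS it is listed under and against the active process list) can be scripted against saved debugger output. The following Python script is an added example, not code from the original thread or from the vsdatant driver; the two input strings are constructed, abbreviated from the dump quoted above, and the field layouts it parses (PROCESS/Cid/Image, THREAD/Cid, "Owning Process", "RUNNING on processor") are those of the x86 WinDbg output in the thread. It reports a thread whose owner is absent from the active process list, differs from the enclosing PROCESS, or carries a Cid that does not match the process part of the thread's own Cid.

```python
"""Cross-check thread ownership in saved WinDbg `!process` output.

Added example, not from the original thread or the vsdatant driver. A stale
attach (KeAttachProcess with no detach, or an attach to an EPROCESS that was
never referenced) shows up as a thread listed under one PROCESS whose
"Owning Process" field names another, possibly one no longer in the list.
"""
import re

# Field layouts follow the x86 WinDbg output quoted in the thread.
PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F]{8})\s+SessionId:\s*\d+\s+Cid:\s*([0-9a-fA-F]+)")
IMAGE_RE = re.compile(r"^Image:\s*(\S+)")
THREAD_RE = re.compile(r"^THREAD\s+([0-9a-fA-F]{8})\s+Cid\s+([0-9a-fA-F]+)\.([0-9a-fA-F]+)")
OWNER_RE = re.compile(r"^Owning Process\s+([0-9a-fA-F]{8})")
RUNNING_RE = re.compile(r"^RUNNING on processor\s+\d+")


def parse_process_list(text):
    """Map EPROCESS address -> {"pid": int, "image": str or None} from `!process 0 0`."""
    procs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROCESS_RE.match(line):
            current = m.group(1).lower()
            procs[current] = {"pid": int(m.group(2), 16), "image": None}
        elif (m := IMAGE_RE.match(line)) and current is not None:
            procs[current]["image"] = m.group(1)
    return procs


def parse_threads(text):
    """One dict per THREAD block: address, Cid, enclosing PROCESS, owner, running flag."""
    threads, listed_under, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROCESS_RE.match(line):
            listed_under = m.group(1).lower()
        elif m := THREAD_RE.match(line):
            cur = {"thread": m.group(1).lower(), "pid": int(m.group(2), 16),
                   "tid": int(m.group(3), 16), "listed_under": listed_under,
                   "owner": None, "running": False}
            threads.append(cur)
        elif cur is not None and (m := OWNER_RE.match(line)):
            cur["owner"] = m.group(1).lower()
        elif cur is not None and RUNNING_RE.match(line):
            cur["running"] = True
    return threads


def find_ownership_anomalies(process_list_text, thread_dump_text):
    """Report threads whose owner is not in the active list, differs from the
    PROCESS they are listed under, or has a Cid that does not match theirs."""
    procs = parse_process_list(process_list_text)
    findings = []
    for t in parse_threads(thread_dump_text):
        owner, reasons = t["owner"], []
        if owner is None:
            reasons.append("no Owning Process field")
        else:
            if owner not in procs:
                reasons.append("owner not in active process list")
            if t["listed_under"] is not None and owner != t["listed_under"]:
                reasons.append("owner differs from enclosing PROCESS")
            owner_pid = procs.get(owner, {}).get("pid")
            if owner_pid is not None and owner_pid != t["pid"]:
                reasons.append("owner Cid does not match thread Cid")
        if reasons:
            findings.append(dict(t, reasons=reasons))
    return findings


# Constructed sample input, abbreviated from the dump quoted in the thread.
PROCESS_LIST = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
Image: System

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
Image: vsmon.exe
"""

THREAD_DUMP = """\
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
Image: vsmon.exe

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
Owning Process 81e15568

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
Owning Process 81ca2da8
"""

if __name__ == "__main__":
    for f in find_ownership_anomalies(PROCESS_LIST, THREAD_DUMP):
        state = "RUNNING" if f["running"] else "waiting"
        print(f"THREAD {f['thread']} Cid {f['pid']:x}.{f['tid']:x} ({state}) "
              f"listed under {f['listed_under']}, owner {f['owner']}: "
              + "; ".join(f["reasons"]))
```

Run against the sample, it flags only thread 81ef2da8: listed under vsmon.exe (81e15568) but owned by 81ca2da8, which is not in the active list. The Cid cross-check is the useful extra: the thread's Cid still says process 0x330, so a mismatch between that and the owner's Cid distinguishes a thread that was attached elsewhere from a thread that genuinely belongs to another process.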

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published;
it is supported in the IFSKIT though.
Now for the real problem. You passed in an invalid process pointer. The
debugger shows what you passed in as the owning process because
Ke has already assigned that to be the owning process before later
bugchecking due to accessing a field in the supposed process pointer.
A checked build of Windows would have caught that right in
KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING BIT VERBOSE

kd> !analyze -v
************************************************************************
****
***
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
****
***

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<— This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc – (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8
edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na
pe
cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid:
0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid:
01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid:
01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid:
0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid:
0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid:
07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid:
00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid:
00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid:
0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid:
0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid:
0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid:
0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked
0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB,
512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread:
e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit
f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit
f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit
f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit
f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread:
e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit
f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread:
e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit
f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit
f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit
f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

/////// WATCH THE THREAD BELOW

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread:
00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit
f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can’t set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit
f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit
f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit
f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context

[e, 0] 0 0 81daed20 81eeeeb8 00000000-00000000
\Driver\vsdatant
Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (windbg-ed loaded), !process, I get

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
that has the owner process 81ca2da8.

Yes we muck around with undoc. Stuff.

Scenario
--------

Some partial cleanup goes on: the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads; when the system
bugchecks, and I look through !process under windbg, I see a thread of
this service is owned by a different process, that no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH


You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%



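The check this thread performs by hand (does `!process 0 0` list the thread's Owning Process at all?), as an added example that is not code from the original posts: it parses the windbg `!process` listings above and flags every THREAD whose Owning Process is either absent from the active process list (the stale PEPROCESS handed to KeAttachProcess in this crash) or a different live process (an attach in progress, or a detach that never happened). The sample listings are constructed, trimmed copies of the output quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed "!process 0 0" listing from this thread's dump.
ACTIVE_PROCESS_DUMP = """\
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
"""

# Constructed sample: two threads of vsmon.exe, one waiting normally and the
# faulting one, which shows the EPROCESS address the driver attached to.
PROCESS_DETAIL = """\
kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
Image: vsmon.exe

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
Owning Process 81e15568

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
Owning Process 81ca2da8
"""

HEX = r"[0-9a-fA-F]+"
# "\bCid:" deliberately skips "ParentCid:" (no word boundary before its "C").
PROCESS_LINE = re.compile(rf"^PROCESS ({HEX})\s+SessionId:.*?\bCid:\s*({HEX})")
IMAGE_LINE = re.compile(r"^Image:\s*(\S+)")
THREAD_LINE = re.compile(rf"^THREAD ({HEX})\s+Cid ({HEX})\.({HEX})")
OWNER_LINE = re.compile(rf"^Owning Process ({HEX})")


@dataclass
class ThreadInfo:
    addr: str                       # ETHREAD address
    pid: str                        # process half of the Cid (the thread's real process)
    tid: str
    listed_under: Optional[str]     # EPROCESS the listing printed this thread under
    owner: Optional[str] = None     # "Owning Process": the process the thread is attached to now


def parse_process_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Map EPROCESS address -> (Cid, image name) from a '!process 0 0' listing."""
    procs: Dict[str, Tuple[str, str]] = {}
    addr = cid = None
    for line in text.splitlines():
        pm = PROCESS_LINE.match(line)
        if pm:
            addr, cid = pm.group(1).lower(), pm.group(2).lower()
            procs[addr] = (cid, "?")        # image name arrives a couple of lines later
            continue
        im = IMAGE_LINE.match(line)
        if im and addr is not None:
            procs[addr] = (cid, im.group(1))
    return procs


def parse_threads(text: str) -> List[ThreadInfo]:
    """Collect THREAD blocks and their Owning Process from '!process <addr>' or '!thread' output."""
    threads: List[ThreadInfo] = []
    listed_under: Optional[str] = None
    current: Optional[ThreadInfo] = None
    for line in text.splitlines():
        pm = PROCESS_LINE.match(line)
        if pm:
            listed_under = pm.group(1).lower()
            continue
        tm = THREAD_LINE.match(line)
        if tm:
            current = ThreadInfo(tm.group(1).lower(), tm.group(2).lower(),
                                 tm.group(3).lower(), listed_under)
            threads.append(current)
            continue
        om = OWNER_LINE.match(line)
        if om and current is not None:
            current.owner = om.group(1).lower()
    return threads


def find_suspect_threads(process_dump: str, detail_dump: str) -> List[Tuple[str, str, str]]:
    """Return (thread, owner, reason) for every thread whose Owning Process looks wrong."""
    active = parse_process_list(process_dump)
    findings: List[Tuple[str, str, str]] = []
    for t in parse_threads(detail_dump):
        if t.owner is None:
            continue
        if t.owner not in active:
            # No live process has this EPROCESS address: the pointer given to
            # KeAttachProcess was stale or invalid, which is this crash's case.
            findings.append((t.addr, t.owner,
                             "Owning Process is not an active process (stale or invalid PEPROCESS)"))
        elif t.listed_under and t.owner != t.listed_under:
            # A different but live process: attached elsewhere right now.
            findings.append((t.addr, t.owner,
                             f"attached to {active[t.owner][1]} while belonging to {active[t.listed_under][1]}"))
    return findings


if __name__ == "__main__":
    for thread, owner, reason in find_suspect_threads(ACTIVE_PROCESS_DUMP, PROCESS_DETAIL):
        print(f"THREAD {thread}: Owning Process {owner}: {reason}")
```

On the full dump, paste the complete `!process 0 0` and `!process <addr>` output into the two strings; the same parser walks every thread of every process.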
Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK functions
to get the pointer… It would be nice to know where (sure, you are an
insider, so you can help me, rather than me digging through disassembled code)
exactly KeAttachProcess() assigns this to the thread; by looking at the
disassembly it did not seem (if I remember) like it calls any routine (Ke
or Ki type) to set this, maybe KiAttachProcess() is doing it. JUST
CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs starting
from NT 4.0.

As I am thinking, it may be that by the time I am invoking KeAttachProcess(),
the process pointer I got before, using PsGetCurrentProcess(). The
only reason I am thinking this is that there are millions of copies running
this code (sure it is not a proof, but then …). Any thought!!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen; even this is not DDK-recommended nor published,
though it is supported in the IFS Kit.
Now for the real problem. You passed in an invalid process pointer. The
debugger shows what you passed in as owning process because
Ke has already assigned that to be the owning process before later
bugchecking due to accessing a field in the supposed process pointer.
A checked build of Windows would have caught that right in
KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
************************************************************************
****
***
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
****
***

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<— This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc – (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8
edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na
pe
cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000
vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00
vsdatant!UnmapDataInProcess+0x2c f4396bd4 f4a9b214 04008020 00000000
81c8ee60 vsdatant!HookFree+0xac f4396bec f4a9b6e8 81eeeeb8 00000001
04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978
vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c
vsdatant!DriverDispatch+0x2a f4396c44 80556870 81eeeeb8 81c8eeb8
81c8ee48 nt!IopfCallDriver+0x31 f4396c58 8055759b 81daed20 81c8ee48
81eeeeb8 nt!IopSynchronousServiceTail+0x5e f4396d00 8055045c 00000330
00000000 00000000 nt!IopXxxControlFile+0x5a5 f4396d34 805283c1 00000330
00000000 00000000 nt!NtDeviceIoControlFile+0x28 f4396d34 7ffe0304
00000330 00000000 00000000 nt!KiSystemService+0xc4 0173ff20 00000000
00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv
to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid:
0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid:
01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid:
01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid:
0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid:
0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid:
07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid:
00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid:
00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid:
0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid:
0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid:
0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid:
0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked
0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB,
512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread:
e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit
f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit
f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit
f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit
f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread:
e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit
f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread:
e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit
f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit
f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit
f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
/////// WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread:
00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit
f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can't set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit
f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit
f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit
f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context

[e, 0] 0 0 81daed20 81eeeeb8 00000000-00000000
\Driver\vsdatant
Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (windbg-ed loaded), !process, I get

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
that has the owner process 81ca2da8.

Yes we muck around with undoc. Stuff.

Scenario
--------

Some partial cleanup goes on: the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I've an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have several threads. When the system
bugchecks and I look through !process under windbg, I see that a thread of
this service is owned by a different process, which no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH



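The race Prokash describes above (a raw process pointer captured on the IOCTL path and attached to later, after the process may already be gone) and the pattern the thread converges on (a referenced process object plus paired KeStackAttachProcess/KeUnstackDetachProcess), as an added user-mode model; this is not the driver's code and not code posted in the thread. The Model* routines are stand-ins that mimic only the object-lifetime and nesting rules of the kernel APIs named in their comments; HookCapture, HookFree, RunScenario and every value are constructed.

```c
/* Added example, not the driver's or the thread's code: a user-mode model of
 * the lifetime bug discussed above. The Model* routines stand in for
 * PsGetCurrentProcess, ObReferenceObject, ObDereferenceObject,
 * KeStackAttachProcess and KeUnstackDetachProcess, mimicking only their
 * object-lifetime and nesting rules; all names and values are constructed. */
#include <stddef.h>

/* Model of an EPROCESS: freed when the Ob reference count reaches zero;
 * touching a freed object is the bug the dump shows. */
typedef struct MODEL_EPROCESS { long refcount; int freed; } MODEL_EPROCESS;
/* Model of KAPC_STATE: the context KeUnstackDetachProcess restores. */
typedef struct MODEL_KAPC_STATE { MODEL_EPROCESS *previous; } MODEL_KAPC_STATE;

#define MODEL_STATUS_SUCCESS        0
#define MODEL_STATUS_USE_AFTER_FREE 0xA   /* what the real kernel reports as bugcheck 0xA */
#define MODEL_STATUS_NESTING_BROKEN 0xB   /* constructed: detach did not restore the context */

static MODEL_EPROCESS  g_system  = { 1, 0 };    /* the System process */
static MODEL_EPROCESS *g_current = &g_system;   /* PsGetCurrentProcess() */

static MODEL_EPROCESS *ModelPsGetCurrentProcess(void) { return g_current; }

/* ObReferenceObject: pin the object so process teardown cannot free it. */
static int ModelObReferenceObject(MODEL_EPROCESS *p)
{
    if (p->freed) return MODEL_STATUS_USE_AFTER_FREE;
    p->refcount++;
    return MODEL_STATUS_SUCCESS;
}

/* ObDereferenceObject: dropping the last reference frees the object. */
static void ModelObDereferenceObject(MODEL_EPROCESS *p)
{
    if (--p->refcount == 0) p->freed = 1;
}

/* Process exit: the executive drops its own reference. With no driver
 * reference outstanding, the object dies right here. */
static void ModelProcessExit(MODEL_EPROCESS *p) { ModelObDereferenceObject(p); }

/* KeStackAttachProcess: saves the current context in the APC state so that
 * attaches nest and unwind in pairs. Writing into a freed EPROCESS is the
 * fault KiAttachProcess took in the dump (mov [edx+0x4],eax with edx == 0). */
static int ModelKeStackAttachProcess(MODEL_EPROCESS *p, MODEL_KAPC_STATE *apc)
{
    if (p->freed) return MODEL_STATUS_USE_AFTER_FREE;
    apc->previous = g_current;
    g_current = p;
    return MODEL_STATUS_SUCCESS;
}

static void ModelKeUnstackDetachProcess(MODEL_KAPC_STATE *apc) { g_current = apc->previous; }

/* Driver side, the pattern from the thread: remember the caller's process on
 * the IOCTL path and attach to it later during cleanup. `referenced` selects
 * the buggy raw pointer or the hardened referenced pointer. */
typedef struct HOOK_RECORD { MODEL_EPROCESS *owner; int referenced; } HOOK_RECORD;

static int HookCapture(HOOK_RECORD *rec, int hold_reference)
{
    rec->owner = ModelPsGetCurrentProcess();
    rec->referenced = hold_reference;
    return hold_reference ? ModelObReferenceObject(rec->owner) : MODEL_STATUS_SUCCESS;
}

static int HookFree(HOOK_RECORD *rec)
{
    MODEL_KAPC_STATE apc;
    int status = ModelKeStackAttachProcess(rec->owner, &apc);
    if (status != MODEL_STATUS_SUCCESS) return status;   /* the crash in the dump */
    /* ... unmap the shared data from the owner's address space here ... */
    ModelKeUnstackDetachProcess(&apc);
    if (rec->referenced) ModelObDereferenceObject(rec->owner);
    rec->owner = NULL;
    return MODEL_STATUS_SUCCESS;
}

/* Replays the race from the thread: the service process exits between the
 * IOCTL that captured its pointer and the cleanup that attaches to it. The
 * cleanup runs while already attached elsewhere, so its attach is nested. */
static int RunScenario(int hold_reference)
{
    MODEL_EPROCESS svc = { 1, 0 }, other = { 1, 0 };   /* constructed processes */
    MODEL_KAPC_STATE outer;
    HOOK_RECORD rec;
    int status;

    g_current = &svc;                          /* the IOCTL runs in the caller's context */
    status = HookCapture(&rec, hold_reference);
    g_current = &g_system;
    if (status != MODEL_STATUS_SUCCESS) return status;
    ModelProcessExit(&svc);                    /* the process goes away first ... */

    ModelKeStackAttachProcess(&other, &outer); /* ... then cleanup attaches to it */
    status = HookFree(&rec);
    if (status == MODEL_STATUS_SUCCESS && ModelPsGetCurrentProcess() != &other)
        status = MODEL_STATUS_NESTING_BROKEN;
    ModelKeUnstackDetachProcess(&outer);
    return status;
}
```

RunScenario(0) reproduces the failure from the dump and RunScenario(1) completes. Holding a reference only keeps the EPROCESS object alive across the attach; a real driver must still notice that the process has exited (for instance through a process-notify callback) and skip address-space work it can no longer do.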
Actually I meant to say ifskit for KeStack*(), and that I should find out…

Also what I meant to say is that if there is a possibility of the process
being cleaned out between the time we get the pProcess and the time we try
to attach to it, SURE ENOUGH, I DID NOT GUARD BY RAISING IRQL TO PEND THE
SCHEDULING …

Finally, I suppose you mean that we can attach an object (more than once,
nested) before a paired call to KeDetach(), since this can be fatal !!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK functions
to get the pointer… It would be nice to know where exactly KeAttachProcess()
assigns this to the thread (sure, you are an insider, so you can help me,
rather than me digging thru disassembled code); by looking at the
disassembly it did not seem (if I remember) like calling any routine (Ke
or Ki type) to set this, maybe KiAttachProcess() is doing it. JUST
CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs starting
from NT 4.0.

As I am thinking, it may be that by the time I am invoking KeAttachProcess(),
the process pointer I got earlier, using PsGetCurrentProcess(). The
only reason I am thinking this is that there are millions of copies running
this code (sure it is not a proof, but then …). Any thought !!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published;
it is supported in the IFSKIT though.
Now for the real problem. You passed in an invalid process pointer. The
debugger shows what you passed in as owning process because
Ke has already assigned that to be the owning process before later
bugchecking due to accessing a field in the supposed process pointer.
A checked build of windows would have caught that right in
KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack -- SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<-- This one is bumped up by KeAttachProcess before
calling KiAttachProcess. FINE, NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc -- (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid:
0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid:
01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid:
01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid:
0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid:
0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid:
0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid:
07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid:
00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid:
00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid:
0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid:
0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid:
0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid:
0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked
0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB,
512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread:
e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit
f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit
f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit
f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit
f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread:
e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit
f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread: e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
/////// WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can’t set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list: only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context

[e, 0] 0 0 81daed20 81eeeeb8 00000000-00000000
\Driver\vsdatant
Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (windbg-ed loaded), !process, I get

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
that has the owner process 81ca2da8.

Yes we muck around with undoc. Stuff.

Scenario
--------

Some partial cleanup goes on, the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO THIS IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads; when the system
bugchecks, and I look through !process under windbg, I see a thread of
this service is owned by a different process, that no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED???

-THANX IN ADV.
-PROKASH


You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@zonelabs.com To
unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@zonelabs.com To
unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@zonelabs.com
To unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@zonelabs.com
To unsubscribe send a blank email to %%email.unsub%%

The process will not disappear while you are still in kernel mode
executing in its context.
I don’t believe you issued a KeAttachProcess( PsGetCurrentProcess()).
Why would you do that? In any case, if that’s what you did, the attach
would have trivially succeeded without any issues.

The stack below implies you did a KeAttachProcess( ProcessPointer )
where ProcessPointer is something you stashed away at some point for
some process. It turns out it’s invalid now.

Ravi
-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say IFSKIT for KeStack*(), and that I should find
out…

Also, what I meant to say is that if there is a possibility of the
process being cleaned out between the time we get the pProcess and the
time we try to attach to it, SURE ENOUGH I DID NOT GUARD BY RAISING
IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach an object (more than
once, nested) before a paired call to KeDetach(), since this can be
fatal!!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK
functions to get the pointer… It would be nice to know where (sure you
are an insider, so you can help me, rather than me digging through
disassembled code) exactly KeAttachProcess() assigns this to the thread;
by looking at the disassembly it did not seem (if I remember) like it
calls any routine (Ke or Ki type) to set this, maybe KiAttachProcess()
is doing it. JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs
starting from NT 4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I got before using
PsGetCurrentProcess(). The only reason I am thinking this is that
there are millions of copies running this code (sure it is not a
proof, but then …). Any thought!!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen; and even this is not DDK-recommended nor published,
though it is supported in the IFSKIT. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as the owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of Windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.
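The two points Ravi makes above, that a process pointer stashed without a reference can be torn down before the driver attaches to it (which is how the thread ends up showing an owning process that !process 0 0 no longer lists), and that KeStackAttachProcess nests where KeAttachProcess does not, as an added user-mode model in C. This is example code written for this page, not the DDK and not the vsdatant driver: the kernel names are reused for readability, and the Signature check, the bugcheck value and the process objects are assumptions of the model.

```c
/* Added user-mode model of the lifetime rules behind this thread; not the DDK and not
 * the vsdatant driver. Kernel names are reused for readability; the Signature check,
 * the bugcheck value and the process objects are assumptions of the model. */
#include <stdbool.h>
#define EPROCESS_SIGNATURE 0x00455052UL   /* marker of a live object (model) */
#define POOL_FREED         0xDEADDEADUL   /* what freed pool looks like (model) */
#define STATUS_SUCCESS     0
#define MODEL_BUGCHECK     0xA            /* IRQL_NOT_LESS_OR_EQUAL, as in the dump */

typedef struct _EPROCESS {
    unsigned long Signature;
    unsigned long PointerCount;           /* object-manager reference count */
    unsigned long ProcessId;
} EPROCESS, *PEPROCESS;
typedef struct _KAPC_STATE { PEPROCESS SavedProcess; } KAPC_STATE;

/* One thread (its owning-process field is what !thread prints as "Owning Process")
 * and three pool slots, reused across runs the way real pool gets reused. */
static struct { PEPROCESS OwningProcess; } g_Thread;
static EPROCESS g_Pool[3];
PEPROCESS ModelPoolSlot(int slot)   { return &g_Pool[slot]; }
PEPROCESS ModelThreadOwner(void)    { return g_Thread.OwningProcess; }
bool      ModelIsFreed(PEPROCESS p) { return p->Signature == POOL_FREED; }

static PEPROCESS ModelCreateProcess(int slot, unsigned long pid)
{
    g_Pool[slot].Signature = EPROCESS_SIGNATURE;
    g_Pool[slot].PointerCount = 1;        /* the object's own reference while it lives */
    g_Pool[slot].ProcessId = pid;
    return &g_Pool[slot];
}
static PEPROCESS PsGetCurrentProcess(void) { return g_Thread.OwningProcess; }
static void ObReferenceObject(PEPROCESS p) { p->PointerCount++; }
/* Last reference gone: the object is torn down and its memory is free pool. */
static void ObDereferenceObject(PEPROCESS p) { if (--p->PointerCount == 0) p->Signature = POOL_FREED; }
/* Exit drops the object's own reference; with no other holder the object is gone. */
static void ModelProcessExit(PEPROCESS p) { ObDereferenceObject(p); }

/* KeStackAttachProcess in the model: the owning-process field is switched before any
 * field of the target is read, so a stale target leaves the thread showing a process
 * that !process 0 0 no longer lists. The real kernel then faults at DISPATCH_LEVEL
 * (bugcheck 0xA); the model returns MODEL_BUGCHECK, as a checked build's assert would. */
static int KeStackAttachProcess(PEPROCESS target, KAPC_STATE *apc)
{
    apc->SavedProcess = g_Thread.OwningProcess;
    g_Thread.OwningProcess = target;
    return target->Signature == EPROCESS_SIGNATURE ? STATUS_SUCCESS : MODEL_BUGCHECK;
}
/* Detach restores what the matching attach saved, so nested attaches unwind in order. */
static void KeUnstackDetachProcess(KAPC_STATE *apc) { g_Thread.OwningProcess = apc->SavedProcess; }

/* The driver pattern from the thread: a process pointer saved at hook time and used
 * for an attach in a later cleanup. Whether it was referenced is the whole difference. */
typedef struct _HOOK { PEPROCESS Process; bool Referenced; } HOOK;

static void HookCapture(HOOK *h, bool takeReference)
{
    h->Process = PsGetCurrentProcess();
    h->Referenced = takeReference;
    if (takeReference) ObReferenceObject(h->Process);   /* alive until HookFree */
}
static int HookFree(HOOK *h)
{
    KAPC_STATE apc;
    int status = KeStackAttachProcess(h->Process, &apc);
    if (status != STATUS_SUCCESS) return status;       /* a real kernel is down here */
    /* ... unmap the section in the target address space ... */
    KeUnstackDetachProcess(&apc);
    if (h->Referenced) ObDereferenceObject(h->Process); /* pairs with HookCapture */
    return STATUS_SUCCESS;
}

/* The race the thread describes: capture during an IOCTL on a vsmon thread, the
 * process exits, the cleanup runs later in some other process context. */
int RunScenario(bool takeReference)
{
    HOOK hook;
    PEPROCESS system = ModelCreateProcess(0, 4);
    PEPROCESS vsmon  = ModelCreateProcess(1, 0x330);
    g_Thread.OwningProcess = vsmon;
    HookCapture(&hook, takeReference);
    ModelProcessExit(vsmon);
    g_Thread.OwningProcess = system;
    return HookFree(&hook);
}

/* Unlike KeAttachProcess, the stack variant nests: after both detaches the owner is
 * back where it started. */
bool NestedAttachRestoresOwner(void)
{
    KAPC_STATE outer, inner;
    PEPROCESS start = ModelCreateProcess(0, 4);
    PEPROCESS a = ModelCreateProcess(1, 0x100), b = ModelCreateProcess(2, 0x200);
    g_Thread.OwningProcess = start;
    if (KeStackAttachProcess(a, &outer) != STATUS_SUCCESS) return false;
    if (KeStackAttachProcess(b, &inner) != STATUS_SUCCESS) return false;
    KeUnstackDetachProcess(&inner);
    if (PsGetCurrentProcess() != a) return false;
    KeUnstackDetachProcess(&outer);
    return PsGetCurrentProcess() == start;
}
```

With the raw pointer the attach lands on freed pool and the thread is left owned by a process object that no longer exists, which is the picture in the dump; with the reference held the attach succeeds and the object is released only after the detach.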

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<< -- This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc -- (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread: e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread: e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
/////// WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can't set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
// uniprocessor
//
kd> ~1
1 is not a valid processor number
//
// faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  e, 0]   0  0 81daed20 81eeeeb8 00000000-00000000
            \Driver\vsdatant
            Args: 00000010 00000010 84000017 04008020

-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (loaded in windbg), !process gives me

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
which has the owning process 81ca2da8.

Yes, we muck around with undocumented stuff.

Scenario
--------

Some partial cleanup goes on: the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads. When the system
bugchecks and I look through !process under windbg, I see that a thread of
this service is owned by a different process, one that no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH

Sure it is not called the way you mentioned here …

HookFree() {

[…]

pProcess = PsGetCurrentProcess() ;

[…]

UnMapDataInProcess( …, pProcess, … );

}

All of these, except inside UnMap*(), are executed at PASSIVE_LEVEL, and that
is what I am afraid of; but then you just mentioned it is impossible that
the process would disappear…

As you can see from the call stack, HookFree did not have a valid
pProcess.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Monday, October 21, 2002 2:56 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

The process will not disappear while you are still in kernel mode
executing in its context.
I don’t believe you issued a KeAttachProcess( PsGetCurrentProcess()).
Why would you do that? In any case, if that’s what you did, the attach
would have trivially succeeded without any issues.

The stack below implies you did a KeAttachProcess( ProcessPointer )
where ProcessPointer is something you stashed away at some point for
some process. It turns out it’s invalid now.

Ravi
-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say the IFS Kit for KeStack*(), and that I should find
out…

Also what I meant to say is that if there is a possibility of the
process being cleaned out between the time we get the pProcess and the
time we try to attach to it, SURE ENOUGH I DID NOT GUARD AGAINST IT BY
RAISING IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach to an object (more than
once, nested) before a paired call to KeDetach(), since this can be
fatal !!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also, I am using one of the DDK
functions to get the pointer… It would be nice to know exactly where
KeAttachProcess() assigns this to the thread (sure, you are an insider,
so you can help me rather than me digging through disassembled code). By
looking at the disassembly it did not seem (if I remember) to call any
routine (Ke or Ki type) to set this; maybe KiAttachProcess() is doing it.
JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available in all the DDKs
starting from NT 4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I got earlier using
PsGetCurrentProcess() is no longer valid. The only reason I am thinking
this is that there are millions of copies running this code (sure, it is
not a proof, but then …). Any thoughts !!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen. Even this is not DDK-recommended nor published; it
is supported in the IFS Kit though. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.
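Added example, not code from any post above and not from the vsdatant driver, for the point Ravi makes in his replies of 18 Oct, 6:08 PM and 21 Oct, 2:56 PM: a PEPROCESS kept around without a reference can be deleted before it is used, and the attach has to be a paired KeStackAttachProcess/KeUnstackDetachProcess. The correct path re-resolves the target from its PID at the moment of use, which takes a reference that holds the object until ObDereferenceObject. Assumptions: KERNEL_BUILD is a macro the driver's WDK build would define, selecting the real ntifs.h APIs; without it, host-side stand-ins (a constructed two-entry process table with reference counts, PIDs 0x330 and 0x408 borrowed from the dump, and a g_model_bugcheck flag in place of the IRQL_NOT_LESS_OR_EQUAL fault) let both paths be exercised on an ordinary C compiler; and the unmap itself is modelled as ZwUnmapViewOfSection on the attached process, which is a guess at what UnmapAddressInProcess does.

```c
/* Added example, not vsdatant code: attach to another process with a reference
 * held and the detach paired. KERNEL_BUILD is an assumed macro for WDK builds;
 * without it, host-side stand-ins let both paths run on an ordinary compiler. */
#ifdef KERNEL_BUILD
#include <ntifs.h>
#else
#include <stddef.h>
typedef int NTSTATUS;                               /* 32-bit LONG on Windows */
typedef void *HANDLE, *PVOID;
#define NT_SUCCESS(s)       ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS      ((NTSTATUS)0x00000000)
#define STATUS_INVALID_CID  ((NTSTATUS)0xC000000B)
#define ZwCurrentProcess()  ((HANDLE)(long)-1)
#define MODEL_PID(n)        ((HANDLE)(long)(n))
/* Model EPROCESS: alive while ref_count > 0; deleted once the count hits zero. */
typedef struct _EPROCESS { HANDLE pid; int ref_count; int exited; } EPROCESS, *PEPROCESS, *PRKPROCESS;
typedef struct _KAPC_STATE { PEPROCESS attached; } KAPC_STATE, *PRKAPC_STATE;
/* Constructed process table; PIDs borrowed from the dump, one self-reference each. */
static EPROCESS g_table[2] = { { MODEL_PID(0x330), 1, 0 }, { MODEL_PID(0x408), 1, 0 } };
int g_model_bugcheck;                               /* stands in for the 0xA bugcheck */

static NTSTATUS PsLookupProcessByProcessId(HANDLE pid, PEPROCESS *out)
{
    size_t i;
    for (i = 0; i < 2; i++)
        if (g_table[i].pid == pid && !g_table[i].exited) {
            g_table[i].ref_count++;                 /* caller now owns a reference */
            *out = &g_table[i];
            return STATUS_SUCCESS;
        }
    return STATUS_INVALID_CID;                      /* no such process any more */
}
static void ObDereferenceObject(PVOID object) { ((PEPROCESS)object)->ref_count--; }
static void KeStackAttachProcess(PRKPROCESS p, PRKAPC_STATE apc)
{
    if (p->ref_count <= 0)
        g_model_bugcheck = 1;                       /* KiAttachProcess touched a deleted object */
    apc->attached = p;
}
static void KeUnstackDetachProcess(PRKAPC_STATE apc) { apc->attached = NULL; }
static NTSTATUS ZwUnmapViewOfSection(HANDLE h, PVOID base) { (void)h; (void)base; return STATUS_SUCCESS; }
/* Process exit in the model: the process drops its own reference. */
void model_process_exit(HANDLE pid)
{
    size_t i;
    for (i = 0; i < 2; i++)
        if (g_table[i].pid == pid && !g_table[i].exited) {
            g_table[i].exited = 1;
            ObDereferenceObject(&g_table[i]);
        }
}
#endif

/* The pattern in the crash dump: a PEPROCESS captured earlier and used later
 * with no reference held. Nothing keeps the object alive in between. */
NTSTATUS UnmapInStashedProcess(PEPROCESS stashed, PVOID base)
{
    KAPC_STATE apc;
    NTSTATUS st;
    KeStackAttachProcess((PRKPROCESS)stashed, &apc);   /* faults if the object is gone */
    st = ZwUnmapViewOfSection(ZwCurrentProcess(), base);
    KeUnstackDetachProcess(&apc);
    return st;
}

/* Correct: resolve the PID at the moment of use (takes a reference), attach and
 * detach as a pair, then release. An exited process is a clean error, not a
 * bugcheck. PASSIVE_LEVEL only: ZwUnmapViewOfSection is pageable. */
NTSTATUS UnmapInProcessByPid(HANDLE pid, PVOID base)
{
    PEPROCESS proc;
    KAPC_STATE apc;
    NTSTATUS st = PsLookupProcessByProcessId(pid, &proc);
    if (!NT_SUCCESS(st))
        return st;
    KeStackAttachProcess((PRKPROCESS)proc, &apc);
    st = ZwUnmapViewOfSection(ZwCurrentProcess(), base);
    KeUnstackDetachProcess(&apc);
    ObDereferenceObject(proc);
    return st;
}

#ifndef KERNEL_BUILD
/* Host-only scenarios. Returns 1 when the stashed pointer trips the model bugcheck. */
int scenario_stashed_pointer(void)
{
    PEPROCESS stashed = &g_table[1];                /* like PsGetCurrentProcess() saved for later */
    g_model_bugcheck = 0;
    model_process_exit(MODEL_PID(0x408));           /* target exits before the IOCTL arrives */
    UnmapInStashedProcess(stashed, (PVOID)0x3e0000);
    return g_model_bugcheck;
}
/* Returns 1 when the PID path unmaps in the live process with its reference
 * balanced and refuses the exited one without faulting. */
int scenario_lookup_by_pid(void)
{
    NTSTATUS live, dead;
    g_model_bugcheck = 0;
    live = UnmapInProcessByPid(MODEL_PID(0x330), (PVOID)0x3e0000);
    model_process_exit(MODEL_PID(0x408));
    dead = UnmapInProcessByPid(MODEL_PID(0x408), (PVOID)0x3e0000);
    return NT_SUCCESS(live) && g_table[0].ref_count == 1
        && dead == STATUS_INVALID_CID && !g_model_bugcheck;
}
#endif
```

The model is deliberately minimal: a process drops its own reference when it exits, so a PEPROCESS obtained from PsGetCurrentProcess() and stashed without ObReferenceObject points at deleted memory as soon as the process is gone, which is the kind of garbage KiAttachProcess dereferenced in the trap frame above. The reference taken by PsLookupProcessByProcessId is exactly what the stashed-pointer path lacks; holding it across the attach is what makes the detach and dereference safe to pair.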

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<-- This one is bumped up by KeAttachProcess before calling KiAttachProcess. FINE, NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc -- (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP equivalent of Int 2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread: e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread: e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

/////// WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can't set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<<-- Irp list, only one irp
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  e, 0]   0  0 81daed20 81eeeeb8 00000000-00000000
            \Driver\vsdatant
                    Args: 00000010 00000010 84000017 04008020
You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%


Thanx again Ravi,

I think I got the problem, yes something stashed away might be coming here
!!!

-prokash
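The cross-check the thread does by hand (does the faulting thread's Owning Process still appear in !process 0 0, and does it agree with the process id in the thread's Cid?), as an added Python script that is not part of the original thread. The sample input is excerpted from the dump quoted further down, rejoined onto one line per entry, plus one constructed THREAD block (deadbeef) to exercise the Cid-mismatch path; the function names are my own.

```python
"""Cross-check WinDbg thread ownership against the active process list.
Added example (not from the ntdev thread): is each THREAD's "Owning Process"
still listed by !process 0 0, and does that process own the pid in the
thread's Cid? A stale PEPROCESS passed to KeAttachProcess looks like this."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input excerpted from the dump quoted in this thread, one line per entry.
SAMPLE_PROCESS_LIST = """\
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
"""

# Two THREAD blocks from the dump (a healthy vsmon thread and the faulting one)
# plus one constructed block (deadbeef): its owner is alive, but it is not
# the process that owns pid 0x330.
SAMPLE_THREADS = """\
THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
Owning Process 81e15568
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
Owning Process 81ca2da8
THREAD deadbeef Cid 330.999 Teb: 7ffd3000 Win32Thread: 00000000
Owning Process 81fcea08
"""

HEX8 = r"([0-9a-f]{8})"
PROCESS_RE = re.compile(r"^\s*PROCESS\s+" + HEX8 + r"\b.*?\bCid:\s*([0-9a-f]+)", re.I)
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)", re.I)
THREAD_RE = re.compile(r"^\s*THREAD\s+" + HEX8 + r"\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)", re.I)
OWNER_RE = re.compile(r"^\s*Owning Process\s+" + HEX8, re.I)

@dataclass
class Process:
    address: str
    pid: int
    image: str = "?"

@dataclass
class ThreadInfo:
    address: str
    pid: int
    tid: int
    owner: str = ""

@dataclass
class Finding:
    thread: str
    owner: str
    reason: str

def parse_process_list(text: str) -> Dict[str, Process]:
    """Map EPROCESS address -> Process from !process 0 0 output."""
    procs: Dict[str, Process] = {}
    current = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = Process(m.group(1).lower(), int(m.group(2), 16))
            procs[current.address] = current
            continue
        m = IMAGE_RE.match(line)
        if m and current is not None:
            current.image = m.group(1)
    return procs

def parse_threads(text: str) -> List[ThreadInfo]:
    """Collect THREAD blocks and their Owning Process from !thread output."""
    threads: List[ThreadInfo] = []
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            threads.append(ThreadInfo(m.group(1).lower(),
                                      int(m.group(2), 16), int(m.group(3), 16)))
            continue
        m = OWNER_RE.match(line)
        if m and threads:
            threads[-1].owner = m.group(1).lower()
    return threads

def check_ownership(process_dump: str, thread_dump: str) -> List[Finding]:
    """Flag threads whose owner is gone or disagrees with the thread's Cid."""
    procs = parse_process_list(process_dump)
    findings: List[Finding] = []
    for t in parse_threads(thread_dump):
        owner = procs.get(t.owner)
        if owner is None:
            findings.append(Finding(t.address, t.owner, "Owning Process not in the "
                            f"active process list (thread Cid {t.pid:x}.{t.tid:x})"))
        elif owner.pid != t.pid:
            findings.append(Finding(t.address, t.owner, f"Owning Process is {owner.image} "
                            f"(Cid {owner.pid:x}) but the thread's Cid says pid {t.pid:x}"))
    return findings
```

Run against the two samples it reports thread 81ef2da8 (owner 81ca2da8 is not in the process list, which is exactly the "TYPE mismatch for process object" case) and the constructed deadbeef thread (owner is System, pid 4, not pid 0x330).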

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 3:15 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Sure it is not called the way you mentioned here …

HookFree() {
    […]
    pProcess = PsGetCurrentProcess();
    […]
    UnMapDataInProcess( …, pProcess, … );
}

All of these, except inside UnMap*(), are executed at PASSIVE_LEVEL, and that
is what I am afraid of, but then you just mentioned it is impossible that
the process would disappear…

As you can see from the call stack, HookFree did not have a valid
pProcess.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Monday, October 21, 2002 2:56 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

The process will not disappear while you are still in kernel mode
executing in its context.
I don’t believe you issued a KeAttachProcess( PsGetCurrentProcess()).
Why would you do that? In any case, if that’s what you did, the attach
would have trivially succeeded without any issues.

The stack below implies you did a KeAttachProcess( ProcessPointer )
where ProcessPointer is something you stashed away at some point for
some process. It turns out it’s invalid now.

Ravi
-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say IFSKit for KeStack*(), and that I should find
out…

Also, what I meant to say is that if there is a possibility of the
process being cleaned out between the time we get the pProcess and the
time we try to attach to it, SURE ENOUGH I DID NOT GUARD BY RAISING
IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach an object (more than
once, nested) before a paired call to KeDetach(), since this can be
fatal !!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK
functions to get the pointer… It would be nice to know where (sure, you
are an insider, so you can help me, rather than me digging through
disassembled code) exactly KeAttachProcess() assigns this to the thread;
by looking at the disassembly it did not seem (if I remember) to call
any routine (Ke or Ki type) to set this, maybe KiAttachProcess() is
doing it. JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs
starting from NT 4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I got before using
PsGetCurrentProcess(). The only reason I am thinking this is that
there are millions of copies running this code (sure it is not a
proof, but then …). Any thought !!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published;
it is supported in the IFSKIT though. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<— This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc -- (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread: e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread: e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
///////WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can't set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit
f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f437ac98 8057ad38
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f437ad48 805283c1
nt!NtReplyWaitReceivePortEx+0x3e2 f437ad48 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64) 01a3ff90
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  e, 0]   0  0 81daed20 81eeeeb8 00000000-00000000
            \Driver\vsdatant
                Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (windbg-ed loaded), !process, I get

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
which has the owner process 81ca2da8.

Yes we muck around with undoc. stuff.

Scenario
--------

Some partial cleanup goes on, the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I've an NT service that is the main interface to a krnl-mode driver.

The service has threading, so it can have some threads; when the system
bugchecks, and I look thru !process under windbg, I see a thread of
this service is owned by a different process, that no longer exists in
the process table(list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH


You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%

Now I have an (EPROCESS *) pProcess, and again it is opaque, so how do I
make sure the process is valid? I see there is a member ExitStatus, but
what should I check it against? And I am not sure if that is enough to be sure
that the process is good for KeAttaching().

Thx
prokash
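The question just asked (how to tell whether a stashed EPROCESS pointer is still usable) and Ravi's warning in this thread about keeping unreferenced process pointers around come down to object lifetime: a pointer that was never referenced can point at freed pool by the time the driver attaches through it, and nothing in the pointer itself says so. Below is an added example, not code from this thread or from the vsdatant driver: a user-mode C model of that discipline that compiles and runs anywhere. ProcObject, ProcCreate, ProcExit, ModelReference, ModelDereference, ModelStackAttach, ModelUnstackDetach, the pool and the three scenarios are all inventions of the model; their real counterparts are ObReferenceObject/ObDereferenceObject and the KeStackAttachProcess/KeUnstackDetachProcess pair.

```c
/* Added example, not code from this thread or from the vsdatant driver: a
 * user-mode model of process-object lifetime and nested attach. Every name here
 * (ProcObject, ModelReference, ModelStackAttach, ...) is the model's own; the real
 * counterparts are ObReferenceObject/ObDereferenceObject and KeStackAttachProcess/
 * KeUnstackDetachProcess. The pool and the scenarios are constructed. */
#include <stdbool.h>
#include <stdio.h>

#define VALID_MAGIC  0x50524F43u   /* marks a live object */
#define POISON_MAGIC 0xDEADBEEFu   /* written when the object is "freed" */
#define POOL_SIZE    4

typedef struct {
    unsigned magic;     /* VALID_MAGIC while allocated, POISON_MAGIC after free */
    unsigned refcount;  /* models the object manager's pointer count */
    bool     exited;    /* process has run down; its address space is gone */
} ProcObject;

/* Static "pool": freed objects keep their storage, so a stale use is observable here. */
static ProcObject pool[POOL_SIZE];

static ProcObject *ProcCreate(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].magic == VALID_MAGIC) continue;
        pool[i] = (ProcObject){ VALID_MAGIC, 1, false };  /* refcount 1: the process list's reference */
        return &pool[i];
    }
    return NULL;
}

static void ModelReference(ProcObject *p) { p->refcount++; }
static void ModelDereference(ProcObject *p) {
    if (--p->refcount == 0) p->magic = POISON_MAGIC;   /* last reference: storage back to the pool */
}
/* Process exit: mark it run down and drop the process list's reference. */
static void ProcExit(ProcObject *p) { p->exited = true; ModelDereference(p); }

typedef struct { ProcObject *attached; } SavedState;  /* plays the KAPC_STATE role */
typedef struct { ProcObject *attached; int depth; } ThreadModel;
enum { ATTACH_OK = 0, ATTACH_STALE = -1, ATTACH_EXITED = -2 };

/* Stack-style attach: saves the previous attachment so attaches can nest. The magic
 * check is a guard that exists only in this model; real pool memory carries none. */
static int ModelStackAttach(ThreadModel *t, ProcObject *target, SavedState *saved) {
    if (target == NULL || target->magic != VALID_MAGIC) return ATTACH_STALE;
    if (target->exited) return ATTACH_EXITED;
    saved->attached = t->attached;
    t->attached = target;
    t->depth++;
    return ATTACH_OK;
}
static void ModelUnstackDetach(ThreadModel *t, SavedState *saved) {
    t->attached = saved->attached;
    t->depth--;
}

/* The crash pattern: a raw pointer is stashed, the process exits and its object is
 * freed, then a later request attaches through the stale pointer. */
static int UnreferencedStashScenario(void) {
    ProcObject *p = ProcCreate();
    ThreadModel thr = { p, 0 }; SavedState saved;
    ProcObject *stash = p;        /* no ModelReference(): the bug */
    ProcExit(p);                  /* refcount 1 -> 0, object poisoned */
    return ModelStackAttach(&thr, stash, &saved);   /* ATTACH_STALE */
}

/* Corrected discipline: reference the object when stashing it, refuse to attach once
 * it has run down, drop the reference when done. Returns 1 on a clean refusal. */
static int ReferencedStashScenario(void) {
    ProcObject *p = ProcCreate();
    ThreadModel thr = { p, 0 }; SavedState saved;
    ModelReference(p);
    ProcObject *stash = p;
    ProcExit(p);                  /* refcount 2 -> 1: storage stays valid */
    int rc = ModelStackAttach(&thr, stash, &saved);
    if (rc == ATTACH_OK) ModelUnstackDetach(&thr, &saved);
    ModelDereference(stash);      /* refcount 1 -> 0: freed here, not earlier */
    return (rc == ATTACH_EXITED && stash->magic == POISON_MAGIC) ? 1 : 0;
}

/* Nested attach/detach: returns 1 when each detach restores the previous attachment. */
static int NestedAttachScenario(void) {
    ProcObject *home = ProcCreate(), *a = ProcCreate(), *b = ProcCreate();
    ThreadModel thr = { home, 0 }; SavedState s1, s2;
    if (ModelStackAttach(&thr, a, &s1) != ATTACH_OK) return 0;
    if (ModelStackAttach(&thr, b, &s2) != ATTACH_OK) return 0;
    bool inner = (thr.attached == b && thr.depth == 2);
    ModelUnstackDetach(&thr, &s2);
    bool middle = (thr.attached == a && thr.depth == 1);
    ModelUnstackDetach(&thr, &s1);
    bool restored = (thr.attached == home && thr.depth == 0);
    ProcExit(a); ProcExit(b); ProcExit(home);
    return (inner && middle && restored) ? 1 : 0;
}

int main(void) {
    printf("stale attach rc=%d, referenced=%d, nested=%d\n",
           UnreferencedStashScenario(), ReferencedStashScenario(), NestedAttachScenario());
    return 0;
}
```

The model's magic-number check makes the stale attach fail with ATTACH_STALE so the bug is visible; a raw EPROCESS pointer in the real kernel has no such check, which is the crash in this thread. The referenced variant turns the same sequence into a clean refusal, because the object survives process exit until the driver drops its own reference, and the nested scenario shows why an attach that saves the previous state is needed before attaching while already attached.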

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 4:12 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Thanx again Ravi,

I think I got the problem, yes something stashed away might be coming here
!!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 3:15 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Sure it is not called the way you mentioned here …

HookFree() {

[…]

pProcess = PsGetCurrentProcess() ;

[…]

UnMapDataInProcess( …, pProcess, … );

}

All of these, except inside UnMap*(), are executed at PASSIVE_LEVEL, and that
is what I am afraid of, but then you just mentioned it is impossible that
the process would disappear…

As you can see from the call stack, HookFree did not have a valid
pProcess.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Monday, October 21, 2002 2:56 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

The process will not disappear while you are still in kernel mode
executing in its context.
I don’t believe you issued a KeAttachProcess( PsGetCurrentProcess()).
Why would you do that? In any case, if that’s what you did, the attach
would have trivially succeeded without any issues.

The stack below implies you did a KeAttachProcess( ProcessPointer )
where ProcessPointer is something you stashed away at some point for
some process. It turns out it’s invalid now.

Ravi
-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say ifskit for KeStack*(), and that I should find
out…

Also what I meant to say is that if there is a possibility of the
process being cleaned out between the time we get the pProcess and the
time we try to attach to it, SURE ENOUGH I DID NOT GUARD BY RAISING
IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach an object ( more than
once, nested ) before a paired call to KeDetach(), since this can be
fatal !!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK
functions to get the pointer… It would be nice to know where (sure you are
an insider, so you can help me, rather than me digging thru
disassembled code) exactly KeAttachProcess() assigns this to the thread;
by looking at the disassembly it did not seem (if I remember) like
calling any routine (Ke or Ki type) to set this, maybe
KiAttachProcess() is doing it. JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs
starting from NT 4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I got before using
PsGetCurrentProcess(). The only reason I am thinking this is that
there are millions of copies running this code (sure it is not a
proof, but then …). Any thought !!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published;
it is supported in the IFSKIT though. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack - SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<-- This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc -- (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread:
e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit
f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f46f3c68 805568d6
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f46f3c90 80553b31
nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo]) f46f3d38 805283c1
nt!NtReadFile+0x559 f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO:
[0,0] TrapFrame @ f46f3d64) 0012fad4 00000000
SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit
f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f467bcec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f467bd50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f467bd50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64) 00e1ff60
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit
f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f43b6cec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f43b6d50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f43b6d50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64) 00f1ff64
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit
f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4bebcec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4bebd50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4bebd50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64) 0101ff60
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread:
e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit
f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4cd3cec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4cd3d50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4cd3d50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64) 0128fef8
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread:
e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit
f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4306d0c 805e48b9
nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo]) f4306d54 805283c1
nt!NtDelayExecution+0x87 (FPO: [Non-Fpo]) f4306d54 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64) 0143ff00
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit
f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4bcbcec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4bcbd50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4bcbd50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64) 0153ff48
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit
f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f439acec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f439ad50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f439ad50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64) 0163fea4
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
/////// WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can't set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit
f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4386cec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4386d50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4386d50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64) 0183fedc
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit
f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4382c98 8057ad38
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4382d48 805283c1
nt!NtReplyWaitReceivePortEx+0x3e2 f4382d48 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64) 0193ff90
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit
f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f437ac98 8057ad38
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f437ad48 805283c1
nt!NtReplyWaitReceivePortEx+0x3e2 f437ad48 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64) 01a3ff90
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  e, 0]   0  0 81daed20 81eeeeb8 00000000-00000000
            \Driver\vsdatant
            Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (loaded in windbg), !process gives me

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
which has the owning process 81ca2da8.

Yes, we muck around with undocumented stuff.

Scenario
--------

Some partial cleanup goes on: the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads. When the system
bugchecks and I look through !process under windbg, I see a thread of
this service is owned by a different process, one that no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH


You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%



Prokash:

You could hook a callback into PsSetCreateProcessNotifyRoutine and create a
process list yourself. That way, you don’t have to look into EPROCESS, if
you are so disinclined to do so, to see if the process is deleted. Your
callback is called upon process creation and deletion.

Bi

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 6:12 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Now I have an (EPROCESS *) pProcess, and again it is opaque, so how do I
make sure the process is valid? I see there is a member ExitStatus, but
what should I check it against? And I am not sure if that is enough to be
sure that the process is good for KeAttaching().

Thx
prokash

Thanx Bi,

Yes, I do have that already in place; I’m a bit brain-damaged for now…

Also, I am not hesitant to use (EPROCESS *); I just want to have an extra
guard right before I want to attach …

-prokash

-----Original Message-----
From: Bi Chen [mailto:xxxxx@AppStream.com]
Sent: Monday, October 21, 2002 5:23 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Prokash:
You could hook a callback into PsSetCreateProcessNotifyRoutine and create a
process list yourself. That way, you don’t have to look into EPROCESS, if
you are so disinclined to do so, to see if the process is deleted. Your
callback is called upon process creation and deletion.
Bi
-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 6:12 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Now I have an (EPROCESS *) pProcess, and again it is opaque, so how do I
make sure the process is valid? I see there is a member ExitStatus, but
what should I check it against? And I am not sure if that is enough to be
sure that the process is good for KeAttaching().
Thx
prokash


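The "extra guard right before the attach" that Prokash asks for, as an added example (this is not code from the ZoneLabs driver, the DDK or any poster): a user-mode C model of the kernel's process-object reference counting, written so that Bi's process-list suggestion above and the advice in the replies below (reference the object before using it; attach with a paired stack attach/detach) can be run and observed. Every name in it (model_process, model_lookup, scenario_*) is invented for the model; the kernel calls each piece stands in for are named in the header comment and are not provided by it.

```c
/*
 * User-mode model of process-object lifetime (added example, not WDK code).
 * Kernel objects and calls are replaced by a small table with an explicit
 * reference count so the race from this thread can be run.  Rough kernel
 * equivalents, for reading the model only (names below are invented):
 *   model_lookup()  ~ PsLookupProcessByProcessId() (returns a referenced pointer)
 *   model_deref()   ~ ObDereferenceObject()
 *   model_attach()  ~ KeStackAttachProcess() paired with KeUnstackDetachProcess()
 *   table[]         ~ the list a PsSetCreateProcessNotifyRoutine callback keeps
 */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8

typedef struct model_process {
    unsigned long pid;
    long          refcount;  /* object memory stays valid while > 0 */
    int           exited;    /* process has run down */
    int           freed;     /* memory back in the pool: any access is a use-after-free */
} model_process;

static model_process  pool[MAX_PROCS];   /* backing storage for model objects */
static model_process *table[MAX_PROCS];  /* active-process list, keyed by pid */

void model_reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(table, 0, sizeof table);
}

/* Process creation: the system holds the initial reference and lists the process. */
model_process *model_create(unsigned long pid)
{
    int i;
    for (i = 0; i < MAX_PROCS; i++) {
        if (pool[i].refcount == 0) {          /* unused, or freed and reusable */
            pool[i].pid = pid; pool[i].refcount = 1;
            pool[i].exited = 0; pool[i].freed = 0;
            table[i] = &pool[i];
            return &pool[i];
        }
    }
    return NULL;
}

int model_ref(model_process *p)
{
    if (p->freed) return 0;                   /* too late: the pointer already dangles */
    p->refcount++;
    return 1;
}

void model_deref(model_process *p)
{
    if (--p->refcount == 0) p->freed = 1;     /* last reference gone: memory released */
}

/* Process exit: unlink from the list and drop the system's reference.  The
 * object survives only while someone else still holds a reference. */
void model_exit(model_process *p)
{
    int i;
    for (i = 0; i < MAX_PROCS; i++) if (table[i] == p) table[i] = NULL;
    p->exited = 1;
    model_deref(p);
}

/* Lookup by pid: a referenced pointer, or NULL if the process is gone. */
model_process *model_lookup(unsigned long pid)
{
    int i;
    for (i = 0; i < MAX_PROCS; i++)
        if (table[i] && table[i]->pid == pid && model_ref(table[i])) return table[i];
    return NULL;
}

/* Attach: 1 if the object is still valid; 0 models the write through a freed
 * EPROCESS that KiAttachProcess bugchecked on in the dump above. */
int model_attach(model_process *p) { return p->freed ? 0 : 1; }

/* The crashing pattern: a PsGetCurrentProcess() result cached earlier with no
 * reference, attached to later from an IOCTL after the process has died. */
int scenario_cached_pointer(void)
{
    model_process *cached;
    model_reset();
    cached = model_create(0x330);
    model_exit(cached);                       /* process dies before the IOCTL arrives */
    return model_attach(cached);              /* 0: this would be the bugcheck */
}

/* Hardened pattern: look up with a reference, attach, work, detach, release.
 * Returns 1 on success, 0 when the process was already gone (nothing to do). */
int cleanup_with_reference(unsigned long pid)
{
    model_process *p = model_lookup(pid);
    int ok;
    if (p == NULL) return 0;
    ok = model_attach(p);
    /* ... unmap / cleanup inside the target address space would go here ... */
    model_deref(p);
    return ok;
}

/* The reference, not an ExitStatus check, is what keeps the object valid:
 * even if the process exits between lookup and attach, the attach is safe. */
int scenario_reference_outlives_exit(void)
{
    model_process *p, *held;
    int ok;
    model_reset();
    p = model_create(0x408);
    held = model_lookup(0x408);
    model_exit(p);                            /* exit lands inside the window */
    ok = model_attach(held);                  /* 1: object still valid */
    model_deref(held);                        /* now the last reference goes */
    return ok && p->freed;
}

int main(void)
{
    printf("cached pointer attach ok: %d\n", scenario_cached_pointer());
    printf("referenced attach ok:     %d\n", scenario_reference_outlives_exit());
    return 0;
}
```

The point the model makes about the ExitStatus question: checking a field of the object does not help if the object's memory can be reclaimed between the check and the attach, so the reference has to be taken first (by the lookup) and the check, if any, done on the referenced object; the process-notify list only tells you the process is going away, it does not keep the EPROCESS alive.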
Have you referenced the process object, or just gotten a pointer to it?
Unless you reference it there’s plenty of chance that it will get
“cleaned out” in between the time you got the pointer and the time you
tried to use it to attach.

-p

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say IFSKit for KeStack*(), and that I should find
out…

Also, what I meant to say is that there is a possibility of the process
being cleaned out between the time we get the pProcess and the time we
try to attach to it; SURE ENOUGH, I DID NOT GUARD AGAINST THAT BY RAISING
IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach an object (more than
once, nested) before a paired call to KeDetach(), since this can be
fatal!!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK
functions to get the pointer… It would be nice to know where (sure, you
are an insider, so you can help me, rather than me digging through
disassembled code) exactly KeAttachProcess() assigns this to the thread;
by looking at the disassembly it did not seem (if I remember) to be
calling any routine (Ke or Ki type) to set this; maybe
KiAttachProcess() is doing it. JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs
starting from NT 4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I get before using
PsGetCurrentProcess() before. The only reason I am thinking this is that
there are millions of copies running this code (sure it is not a
proof, but then …). Any thought!!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published;
it is supported in the IFSKIT though. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<— This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc – (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread:
e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit
f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f46f3c68 805568d6
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f46f3c90 80553b31
nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo]) f46f3d38 805283c1
nt!NtReadFile+0x559 f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO:
[0,0] TrapFrame @ f46f3d64) 0012fad4 00000000
SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit
f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f467bcec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f467bd50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f467bd50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64) 00e1ff60
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit
f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f43b6cec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f43b6d50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f43b6d50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64) 00f1ff64
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit
f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4bebcec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4bebd50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4bebd50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64) 0101ff60
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread:
e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit
f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4cd3cec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4cd3d50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4cd3d50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64) 0128fef8
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread:
e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit
f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4306d0c 805e48b9
nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo]) f4306d54 805283c1
nt!NtDelayExecution+0x87 (FPO: [Non-Fpo]) f4306d54 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64) 0143ff00
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit
f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4bcbcec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4bcbd50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4bcbd50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64) 0153ff48
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit
f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f439acec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f439ad50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f439ad50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64) 0163fea4
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
///////WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can’t set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit
f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4386cec 80593f24
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4386d50 805283c1
nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo]) f4386d50 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64) 0183fedc
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit
f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f4382c98 8057ad38
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f4382d48 805283c1
nt!NtReplyWaitReceivePortEx+0x3e2 f4382d48 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64) 0193ff90
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit
f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2]) f437ac98 8057ad38
nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo]) f437ad48 805283c1
nt!NtReplyWaitReceivePortEx+0x3e2 f437ad48 7ffe0304
nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64) 01a3ff90
00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context

[e, 0] 0 0 81daed20 81eeeeb8 00000000-00000000
\Driver\vsdatant
Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (loaded in windbg), !process, I get

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
that has the owner process 81ca2da8.

Yes, we muck around with undocumented stuff.

Scenario
--------

Some partial cleanup goes on: the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads. When the system
bugchecks and I look through !process under windbg, I see a thread of
this service is owned by a different process, one that no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH


You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%



I don’t have a reference to it, it is just the pointer, and clearly now I can
smell the problem I created. Actually you just gave me an interesting angle
to solve this; in another email thread I was thinking of putting another guard
using the (EPROCESS *)pProcess->ExitStatus, and I think that is still at
best a hack.

Thanx a bunch

-prokash

-----Original Message-----
From: Peter Wieland [mailto:xxxxx@windows.microsoft.com]
Sent: Tuesday, October 22, 2002 9:13 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

have you referenced the process object, or just gotten a pointer to it?
Unless you reference it there’s plenty of chance that it will get
“cleaned out” in between the time you got the pointer and the time you
tried to use it to attach.

-p

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say IFSKIT for KeStack*(), and that I should find
out…

Also, what I meant to say is that if there is a possibility of the
process being cleaned out between the time we get the pProcess and the
time we try to attach to it, SURE ENOUGH I DID NOT GUARD BY RAISING
IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach an object (more than
once, nested) before a paired call to KeDetach(), since this can be
fatal !!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK
functions to get the pointer… It would be nice to know where (sure, you are
an insider, so you can help me, rather than me digging through
disassembled code) exactly KeAttachProcess() assigns this to the thread;
by looking at the disassembly it did not seem (if I remember) like it is
calling any routine (Ke or Ki type) to set this; maybe
KiAttachProcess() is doing it. JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs
starting from NT 4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I got earlier using
PsGetCurrentProcess() is no longer valid. The only reason I am thinking
this is that there are millions of copies running this code (sure it is
not a proof, but then …). Any thoughts !!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published;
it is supported in the IFSKIT though. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as the owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of Windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<— This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc – (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread: e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread: e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

/////// WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can't set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context

[e, 0] 0 0 81daed20 81eeeeb8 00000000-00000000
\Driver\vsdatant
Args: 00000010 00000010 84000017 04008020
-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (windbg-ed loaded), !process, I get

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread,
that has the owner process 81ca2da8.

Yes we muck around with undoc. Stuff.

Scenario
--------

Some partial clean goes on, the service issues an IOCTL to the driver,
the driver finds the current process, and try to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads; when the system
bugchecks, and I look through !process under windbg, I see a thread of
this service is owned by a different process, that no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH



that “hack” is a crash waiting to happen. It will crash for the same
reason that KeAttachProcess crashed - the process has been freed and the
pointer you’ve got is stale. And even if it wasn’t stale right there it
could still be stale by the time you call KeAttachProcess.

-p
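The lifetime rule behind Peter's and Ravi's replies, as an added example that is not code from this thread or from the vsdatant driver: a user-mode C model of the EPROCESS reference count and of what an attach does with a pointer whose object has already been freed. The sim_* routines, the two-slot pool, the CID table and the PIDs are assumptions of the model; each routine stands in for the kernel API named in its comment and is not that API. It runs the three patterns discussed in the thread: the saved PsGetCurrentProcess() pointer attached after the process has exited, which fails with the thread's owning process already pointing at freed memory (the state !thread showed in the dump); the ExitStatus guard, which reads memory the driver no longer owns and, once the pool slot has been reused, attaches to a different process; and the supported pattern of keeping only the PID, looking the process up with a referencing call when the work is done, then attaching, detaching and dereferencing.

```c
/* User-mode model of EPROCESS lifetime versus an attach from a saved pointer.
 * Added illustration, not driver code: each sim_* routine stands in for the
 * kernel API named beside it and is not that API. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS     0L
#define STATUS_PENDING     0x103L       /* EPROCESS.ExitStatus while the process lives */
#define STATUS_INVALID_CID 0xC000000BL
#define BUGCHECK_0A        0x0AL        /* IRQL_NOT_LESS_OR_EQUAL, as in the dump above */
#define POISON             0xFEEDFACEu  /* what freed pool memory looks like in this model */

typedef struct sim_process {
    uint32_t pid;
    long     refs;          /* object-manager pointer references */
    long     exit_status;
    bool     freed;         /* the memory no longer belongs to this object */
} sim_process;

static sim_process  g_pool[2];          /* pool memory; a freed slot is handed out again */
static sim_process *g_cid_table[2048];  /* PID -> object; NULL once the process has exited */
static sim_process *g_attached;         /* KTHREAD.ApcState.Process of the current thread */

static void sim_reset(void) {
    memset(g_pool, 0, sizeof g_pool); memset(g_cid_table, 0, sizeof g_cid_table); g_attached = NULL;
}
/* process creation: the process's own existence is one reference */
static sim_process *sim_create_process(uint32_t pid) {
    sim_process *p = (g_pool[0].refs == 0) ? &g_pool[0] : &g_pool[1];
    memset(p, 0, sizeof *p);
    p->pid = pid; p->refs = 1; p->exit_status = STATUS_PENDING;
    g_cid_table[pid] = p;
    return p;
}
static void sim_reference(sim_process *p) { p->refs++; }        /* ObReferenceObject */
static void sim_dereference(sim_process *p) {                    /* ObDereferenceObject */
    if (--p->refs == 0) { p->pid = POISON; p->exit_status = (long)POISON; p->freed = true; }
}
/* process exit: the CID entry goes away and the existence reference is dropped, so an
 * object nobody else references is freed right here while a saved pointer still looks fine */
static void sim_exit_process(sim_process *p) {
    p->exit_status = STATUS_SUCCESS;
    g_cid_table[p->pid] = NULL;
    sim_dereference(p);
}
/* PsLookupProcessByProcessId: live processes only, and the pointer comes back referenced */
static long sim_lookup(uint32_t pid, sim_process **out) {
    sim_process *p = (pid < 2048) ? g_cid_table[pid] : NULL;
    if (p == NULL) return STATUS_INVALID_CID;
    sim_reference(p);
    *out = p;
    return STATUS_SUCCESS;
}
/* KeStackAttachProcess. Like KiAttachProcess in the dump above it records the target as the
 * thread's owning process before it reads the object, which is why !thread shows the stale
 * pointer as "Owning Process" after the crash. */
static long sim_stack_attach(sim_process *p) {
    g_attached = p;
    return p->freed ? BUGCHECK_0A : STATUS_SUCCESS;
}
static void     sim_unstack_detach(void) { g_attached = NULL; }  /* KeUnstackDetachProcess */
static uint32_t sim_attached_pid(void)   { return g_attached ? g_attached->pid : 0; }
static bool     sim_slot_freed(int i)    { return g_pool[i].freed; }

/* The pattern from the thread: keep PsGetCurrentProcess() from IOCTL time, attach later. */
static long scenario_saved_pointer(bool exits_first) {
    sim_reset();
    sim_process *saved = sim_create_process(0x330);     /* raw pointer, no reference taken */
    if (exits_first) sim_exit_process(saved);           /* freed behind the driver's back */
    long st = sim_stack_attach(saved);
    if (st == STATUS_SUCCESS) sim_unstack_detach();
    return st;                                          /* BUGCHECK_0A once it has exited */
}

/* The ExitStatus "guard": the check itself reads memory the driver does not own. Once the
 * pool slot is reused the guard passes and the attach lands in a different process. */
static uint32_t scenario_exit_status_guard(void) {
    sim_reset();
    sim_process *saved = sim_create_process(0x330);
    sim_exit_process(saved);                            /* slot freed */
    sim_create_process(0x4a4);                          /* slot reused by a new process */
    uint32_t attached_pid = 0;
    if (saved->exit_status == STATUS_PENDING && sim_stack_attach(saved) == STATUS_SUCCESS) {
        attached_pid = sim_attached_pid();
        sim_unstack_detach();
    }
    return attached_pid;                                /* 0x4a4, not the 0x330 we meant */
}

/* Supported pattern: remember the PID, look it up when the work is actually done, attach,
 * detach, and drop the reference the lookup handed back. A process that exited earlier is
 * simply not found; one that exits while the reference is held stays valid until the deref. */
static long scenario_lookup_then_attach(bool exits_before, bool exits_during, uint32_t *pid_out) {
    sim_reset();
    sim_process *cur = sim_create_process(0x330);
    uint32_t saved_pid = cur->pid;                      /* PsGetCurrentProcessId() at IOCTL time */
    if (exits_before) sim_exit_process(cur);
    sim_process *p = NULL;
    long st = sim_lookup(saved_pid, &p);
    if (st != STATUS_SUCCESS) return st;                /* gone: nothing to clean up, no crash */
    if (exits_during) sim_exit_process(cur);            /* our reference keeps the object alive */
    st = sim_stack_attach(p);
    *pid_out = sim_attached_pid();
    sim_unstack_detach();
    sim_dereference(p);                                 /* balances the lookup */
    return st;
}
```

In a real driver the stand-ins correspond to PsGetCurrentProcessId() at IOCTL time, PsLookupProcessByProcessId() (which hands back a referenced EPROCESS or STATUS_INVALID_CID), KeStackAttachProcess() with KeUnstackDetachProcess(), and ObDereferenceObject() afterwards. The reference, not a field check or an IRQL trick, is what keeps the object memory yours between the lookup and the detach.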

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Tuesday, October 22, 2002 10:28 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

I don’t have a reference to it, it is just the pointer, and clearly now I can
smell the problem I created. Actually you just gave me an interesting
angle to solve this, in another email-thread I was thinking to put
another guard using the (EPROCESS *)pProcess->ExitStatus, and I think
that is still at best a hack.

Thanx a bunch

-prokash

-----Original Message-----
From: Peter Wieland [mailto:xxxxx@windows.microsoft.com]
Sent: Tuesday, October 22, 2002 9:13 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

have you referenced the process object, or just gotten a pointer to it?
Unless you reference it there’s plenty of chance that it will get
“cleaned out” in between the time you got the pointer and the time you
tried to use it to attach.

-p

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say ifskit for KeStack*(), and that I should find
out…

Also what I meant to say is that if there is a possibility of the
process being cleaned out between the time we get the pProcess and the
time we try to attach to it, SURE ENOUGH I DID NOT GUARD BY RAISING
IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach an object (more than
once, nested) before a paired call to KeDetach(), since this can be
fatal !!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions

This occurs once in a very long while. Also I am using one of the DDK
functions to get the pointer… It would be nice to know where (sure, you
are an insider, so you can help me, rather than me digging through
disassembled code) exactly KeAttachProcess() assigns this to the thread;
by looking at the disassembly it did not seem (if I remember) like
calling any routine (Ke or Ki type) to set this, maybe
KiAttachProcess() is doing it. JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the ddk
starting from nt4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I got earlier using
PsGetCurrentProcess() is no longer valid. The only reason I am thinking
this is that there are millions of copies running this code (sure it is
not a proof, but then …). Any thought !!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published;
it is supported in the IFSKIT though. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2   <<<<-- This one is bumped up by KeAttachProcess before calling KiAttachProcess. FINE, NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc -- (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010283
nt!KiAttachProcess+0x6b:
804ee465 894204           mov     [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4   <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08  SessionId: 0  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1001d50  TableSize: 254.
    Image: System

PROCESS 81e4bda8  SessionId: 0  Cid: 01ac    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 0b807000  ObjectTable: e13623d0  TableSize: 21.
    Image: smss.exe

PROCESS 81c6b020  SessionId: 0  Cid: 01ec    Peb: 7ffdf000  ParentCid: 01ac
    DirBase: 0c33d000  ObjectTable: e1553ae8  TableSize: 337.
    Image: csrss.exe

PROCESS 81c4b130  SessionId: 0  Cid: 0204    Peb: 7ffdf000  ParentCid: 01ac
    DirBase: 0cda2000  ObjectTable: e1532f10  TableSize: 514.
    Image: winlogon.exe

PROCESS 81da09e8  SessionId: 0  Cid: 0230    Peb: 7ffdf000  ParentCid: 0204
    DirBase: 0d053000  ObjectTable: e149a7a8  TableSize: 301.
    Image: services.exe

PROCESS 81e58da8  SessionId: 0  Cid: 023c    Peb: 7ffdf000  ParentCid: 0204
    DirBase: 0d06d000  ObjectTable: e1568670  TableSize: 344.
    Image: lsass.exe

PROCESS 81c38568  SessionId: 0  Cid: 02f4    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0d850000  ObjectTable: e1705d20  TableSize: 243.
    Image: svchost.exe

PROCESS 81ea5da8  SessionId: 0  Cid: 0328    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0d948000  ObjectTable: e17172f0  TableSize: 991.
    Image: svchost.exe

PROCESS 81c01020  SessionId: 0  Cid: 0374    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0e9d5000  ObjectTable: e16ca188  TableSize: 82.
    Image: svchost.exe

PROCESS 81e301d0  SessionId: 0  Cid: 03b8    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0ec6e000  ObjectTable: e168ad10  TableSize: 179.
    Image: svchost.exe

PROCESS 81c05020  SessionId: 0  Cid: 0430    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0ee63000  ObjectTable: e188feb8  TableSize: 137.
    Image: spoolsv.exe

PROCESS 81daa800  SessionId: 0  Cid: 0508    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0f200000  ObjectTable: e19be4b8  TableSize: 452.
    Image: inetinfo.exe

PROCESS 81c44558  SessionId: 0  Cid: 0520    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0f165000  ObjectTable: e18909b0  TableSize: 43.
    Image: nvsvc32.exe

PROCESS 81ee1b30  SessionId: 0  Cid: 0540    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 0f24a000  ObjectTable: e19b5ea0  TableSize: 186.
    Image: snmp.exe

PROCESS 81e183c8  SessionId: 0  Cid: 00ec    Peb: 7ffdf000  ParentCid: 07d4
    DirBase: 125b4000  ObjectTable: e10c55e8  TableSize: 243.
    Image: explorer.exe

PROCESS 81d58a88  SessionId: 0  Cid: 0178    Peb: 7ffdf000  ParentCid: 00ec
    DirBase: 130a9000  ObjectTable: e1269320  TableSize: 265.
    Image: msmsgs.exe

PROCESS 81d49da8  SessionId: 0  Cid: 0180    Peb: 7ffdf000  ParentCid: 00ec
    DirBase: 1313f000  ObjectTable: e126e450  TableSize: 363.
    Image: zapro.exe

PROCESS 81ca9b30  SessionId: 0  Cid: 0690    Peb: 7ffdf000  ParentCid: 0328
    DirBase: 169e7000  ObjectTable: e1133f08  TableSize: 138.
    Image: wuauclt.exe

PROCESS 81e15568  SessionId: 0  Cid: 0330    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 1a100000  ObjectTable: e1c09bb0  TableSize: 250.
    Image: vsmon.exe

PROCESS 81d817f0  SessionId: 0  Cid: 055c    Peb: 7ffdf000  ParentCid: 0204
    DirBase: 0db9c000  ObjectTable: 00000000  TableSize: 0.
    Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568  SessionId: 0  Cid: 0330    Peb: 7ffdf000  ParentCid: 0230
    DirBase: 1a100000  ObjectTable: e1c09bb0  TableSize: 250.
    Image: vsmon.exe
    VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
    DeviceMap e1004578
    Token                             e1aaa030
    ElapsedTime                       2:47:21.0640
    UserTime                          0:00:00.0390
    KernelTime                        0:00:00.0234
    QuotaPoolUsage[PagedPool]         36888
    QuotaPoolUsage[NonPagedPool]      73104
    Working Set Sizes (now,min,max)  (1356, 48, 128) (5424KB, 192KB, 512KB)
    PeakWorkingSetSize                1553
    VirtualSize                       46 Mb
    PeakVirtualSize                   54 Mb
    PageFaultCount                    6151
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1036
THREAD 81b12020  Cid 330.60c  Teb: 7ffde000  Win32Thread: e1774e30
    WAIT: (Executive) UserMode Non-Alertable
        81ee47ac  NotificationEvent
    IRP List:
        81e65980: (0006,0094) Flags: 00000900  Mdl: 00000000
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 89056
    Context Switch Count 99   LargeStack
    UserTime 0:00:00.0046
    KernelTime 0:00:00.0046
    Start Address 0x77e7eb41
    Win32 Start Address 0x00477814
    Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit f46f0000 Call 0
    Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    Kernel stack not resident.
    ChildEBP RetAddr
    f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
    f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
    f46f3d38 805283c1 nt!NtReadFile+0x559
    f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
    0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600  Cid 330.7d8  Teb: 7ffdc000  Win32Thread: 00000000
    WAIT: (UserRequest) UserMode Non-Alertable
        81d6aff0  SynchronizationEvent
        81b126f0  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731699
    Context Switch Count 10043
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Win32 Start Address 0x01081a92
    Stack Init f467c000 Current f467bca0 Base f467c000 Limit f4679000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
    f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
    f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
    00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8  Cid 330.420  Teb: 7ffdb000  Win32Thread: 00000000
    WAIT: (UserRequest) UserMode Alertable
        81c58f08  SynchronizationEvent
        81d538d8  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731442
    Context Switch Count 1017
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Win32 Start Address 0x77c37f49
    Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit f43b4000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
    f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
    f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
    00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0  Cid 330.3dc  Teb: 7ffda000  Win32Thread: 00000000
    WAIT: (UserRequest) UserMode Non-Alertable
        81e5a2d0  SynchronizationEvent
        81d519d0  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731717
    Context Switch Count 10189
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Win32 Start Address 0x01081a92
    Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit f4be9000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
    f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
    f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
    0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8  Cid 330.704  Teb: 7ffd9000  Win32Thread: e1045e80
    WAIT: (UserRequest) UserMode Non-Alertable
        81d87e98  SynchronizationEvent
        81c6fe98  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731672
    Context Switch Count 10135   LargeStack
    UserTime 0:00:00.0125
    KernelTime 0:00:00.0078
    Start Address 0x77e802f4
    Win32 Start Address 0x77c37f49
    Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit f4cd0000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
    f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
    f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
    0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8  Cid 330.1d4  Teb: 7ffd8000  Win32Thread: e1342430
    WAIT: (DelayExecution) UserMode Alertable
        81c67e98  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731721
    Context Switch Count 10042   LargeStack
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Win32 Start Address 0x77c37f49
    Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
    f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
    f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
    f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
    0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8  Cid 330.110  Teb: 7ffd7000  Win32Thread: 00000000
    WAIT: (UserRequest) UserMode Non-Alertable
        81e1f060  SynchronizationEvent
        81c6ae98  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731539
    Context Switch Count 3347
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Win32 Start Address 0x01307578
    Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
    f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
    f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
    0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020  Cid 330.3d4  Teb: 7ffd6000  Win32Thread: 00000000
    WAIT: (UserRequest) UserMode Non-Alertable
        81c5dd38  NotificationEvent
        81b11110  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731710
    Context Switch Count 2014
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Win32 Start Address 0x77c37f49
    Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000 Call 0
    Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
    f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
    f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
    0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

/////// WATCH THE THREAD

THREAD 81ef2da8  Cid 330.408  Teb: 7ffd5000  Win32Thread: 00000000
    RUNNING on processor 0
    IRP List:
        81c8ee48: (0006,0094) Flags: 00000000  Mdl: 00000000
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81ca2da8
    WaitTime (ticks) 731721
    Context Switch Count 11129
    UserTime 0:00:00.0093
    KernelTime 0:00:00.0015
    Start Address 0x77e802f4
    Win32 Start Address 0x77c37f49
    Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
    Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
    Can’t set dump file contexts
    MachineInfo::SetContext failed - Thread: 00A9D7C8  Handle: 1  Id: 1 - Error == 0x8000FFFF
    ChildEBP RetAddr
    f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
    f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
    f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
    f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
    f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
    f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
    f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
    f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
    f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
    f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
    f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
    f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
    f4396d00 8055045c nt!IopXxxControlFile+0x5a5
    f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
    f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
    0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90  Cid 330.4b0  Teb: 7ffd4000  Win32Thread: 00000000
    WAIT: (UserRequest) UserMode Non-Alertable
        81d683d0  NotificationEvent
        81e1cd80  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731543
    Context Switch Count 1024
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0015
    Start Address 0x77e802f4
    Win32 Start Address 0x00418510
    Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
    f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
    f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
    0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80  Cid 330.574  Teb: 7ffaf000  Win32Thread: 00000000
    WAIT: (WrLpcReceive) UserMode Non-Alertable
        81ee11a8  Semaphore Limit 0x7fffffff
        81d97b70  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731719
    Context Switch Count 1433226
    UserTime 0:00:00.0015
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000 Call 0
    Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
    f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
    f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
    0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80  Cid 330.4d8  Teb: 7ffae000  Win32Thread: 00000000
    WAIT: (WrLpcReceive) UserMode Non-Alertable
        81ee11a8  Semaphore Limit 0x7fffffff
        81d9cb70  NotificationTimer
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81e15568
    WaitTime (ticks) 731719
    Context Switch Count 1433640
    UserTime 0:00:00.0000
    KernelTime 0:00:00.0000
    Start Address 0x77e802f4
    Stack Init f437b000 Current f437ac4c Base f437b000 Limit f4378000 Call 0
    Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
    ChildEBP RetAddr
    f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
    f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
    f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
    f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
    f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
    01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8  Cid 330.408  Teb: 7ffd5000  Win32Thread: 00000000
    RUNNING on processor 0
    IRP List:
        81c8ee48: (0006,0094) Flags: 00000000  Mdl: 00000000   <<<-- IRP list: only one IRP
    Not impersonating
    GetUlongFromAddress: unable to read from 00000000
    Owning Process 81ca2da8
    WaitTime (ticks) 731721
    Context Switch Count 11129
    UserTime 0:00:00.0093
    KernelTime 0:00:00.0015
    Start Address 0x77e802f4
    Win32 Start Address 0x77c37f49
    Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
    Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr  Args to Child
    f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
    f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
    f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
    f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
    f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
    f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
    f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
    f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
    f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
    f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
    f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
    f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
    f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
    f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
    f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
    0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  e, 0]   0  0 81daed20 81eeeeb8 00000000-00000000
            \Driver\vsdatant
            Args: 00000010 00000010 84000017 04008020

Absolutely…

Thanx again
-prokash

-----Original Message-----
From: Peter Wieland [mailto:xxxxx@windows.microsoft.com]
Sent: Tuesday, October 22, 2002 9:42 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

that “hack” is a crash waiting to happen. It will crash for the same
reason that KeAttachProcess crashed - the process has been freed and the
pointer you’ve got is stale. And even if it wasn’t stale right there it
could still be stale by the time you call KeAttachProcess.

-p

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Tuesday, October 22, 2002 10:28 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

I don’t have a reference to it; it is just the pointer, and clearly now I
can smell the problem I created. Actually you just gave me an interesting
angle to solve this: in another email thread I was thinking to put
another guard using (EPROCESS *)pProcess->ExitStatus, and I think
that is still at best a hack.

Thanx a bunch

-prokash

-----Original Message-----
From: Peter Wieland [mailto:xxxxx@windows.microsoft.com]
Sent: Tuesday, October 22, 2002 9:13 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

have you referenced the process object, or just gotten a pointer to it?
Unless you reference it there’s plenty of chance that it will get
“cleaned out” in between the time you got the pointer and the time you
tried to use it to attach.

-p

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, October 21, 2002 3:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Actually I meant to say IFSKit for KeStack*(), and that I should find
out…

Also what I meant to say is that if there is a possibility of the
process being cleaned out between the time we get the pProcess and the
time we try to attach to it, SURE ENOUGH I DID NOT GUARD BY RAISING
IRQL TO PEND THE SCHEDULING …

Finally, I suppose you mean that we can attach an object (more than
once, nested) before a paired call to KeDetach(), since this can be
fatal !!!

-prokash

-----Original Message-----
From: Prokash Sinha
Sent: Monday, October 21, 2002 9:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Okay, there are several questions.

This occurs once in a very long while. Also I am using one of the DDK
functions to get the pointer… It would be nice to know where (sure, you
are an insider, so you can help me, rather than me digging through
disassembled code) exactly KeAttachProcess() assigns this to the thread;
by looking at the disassembly it did not seem (if I remember) like
calling any routine (Ke or Ki type) to set this, maybe
KiAttachProcess() is doing it. JUST CURIOSITY.

Also I suppose KeStackAttachProcess() is available for all the DDKs
starting from NT 4.0.

As I am thinking, it may be that by the time I am invoking
KeAttachProcess(), the process pointer I got earlier using
PsGetCurrentProcess(). The only reason I am thinking this is that
there are millions of copies running this code (sure it is not a
proof, but then …). Any thought !!!

Thx
prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Friday, October 18, 2002 6:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Several problems here.
KeAttachProcess is not something that’s supported in the DDK. You need
to use KeStackAttachProcess() in the first place, which allows nested
attaches to happen - and even this is not DDK-recommended nor published-
it is supported in the IFSKIT though. Now for the real problem. You
passed in an invalid process pointer. The debugger shows what you passed
in as owning process because Ke has already assigned that to be the
owning process before later bugchecking due to accessing a field in the
supposed process pointer. A checked build of windows would have caught
that right in KeAttachProcess().

In general it worries me that you are keeping around probably
unreferenced pointers to processes and attempting to attach to them.

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Friday, October 18, 2002 2:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Here is the stack — SORRY FOR BEING A BIT VERBOSE

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address
at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses. If a kernel debugger is
available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2 <<<<— This one is bumped up by KeAttachProcess,
before calling KiAttachProcess. FINE NO PROBLEM.

FAULTING_IP:
nt!KiAttachProcess+6b
804ee465 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: A_W

TRAP_FRAME: f4396acc – (.trap fffffffff4396acc)
ErrCode = 00000002
eax=81eebfd4 ebx=81ca2da8 ecx=81b1e67c edx=00000000 esi=81ca2de8 edi=81ef2ddc
eip=804ee465 esp=f4396b40 ebp=f4396b4c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nt!KiAttachProcess+6b:
804ee465 894204 mov [edx+0x4],eax
Resetting default context

LAST_CONTROL_TRANSFER: from 804ee538 to 804ee465

/// See the detail later
STACK_TEXT:
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 <<<- XP eqv to Int2E

FOLLOWUP_IP:
vsdatant!UnmapAddressInProcess+42
f4ab10e2 8b44240c mov eax,[esp+0xc]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: vsdatant!UnmapAddressInProcess+42

MODULE_NAME: vsdatant

IMAGE_NAME: vsdatant.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dabe944

STACK_COMMAND: .trap fffffffff4396acc ; kb

BUCKET_ID: 0xA_W_vsdatant!UnmapAddressInProcess+42

Followup: MachineOwner

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e4bda8 SessionId: 0 Cid: 01ac Peb: 7ffdf000 ParentCid: 0004
DirBase: 0b807000 ObjectTable: e13623d0 TableSize: 21.
Image: smss.exe

PROCESS 81c6b020 SessionId: 0 Cid: 01ec Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0c33d000 ObjectTable: e1553ae8 TableSize: 337.
Image: csrss.exe

PROCESS 81c4b130 SessionId: 0 Cid: 0204 Peb: 7ffdf000 ParentCid: 01ac
DirBase: 0cda2000 ObjectTable: e1532f10 TableSize: 514.
Image: winlogon.exe

PROCESS 81da09e8 SessionId: 0 Cid: 0230 Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d053000 ObjectTable: e149a7a8 TableSize: 301.
Image: services.exe

PROCESS 81e58da8 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0d06d000 ObjectTable: e1568670 TableSize: 344.
Image: lsass.exe

PROCESS 81c38568 SessionId: 0 Cid: 02f4 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d850000 ObjectTable: e1705d20 TableSize: 243.
Image: svchost.exe

PROCESS 81ea5da8 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0d948000 ObjectTable: e17172f0 TableSize: 991.
Image: svchost.exe

PROCESS 81c01020 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0e9d5000 ObjectTable: e16ca188 TableSize: 82.
Image: svchost.exe

PROCESS 81e301d0 SessionId: 0 Cid: 03b8 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ec6e000 ObjectTable: e168ad10 TableSize: 179.
Image: svchost.exe

PROCESS 81c05020 SessionId: 0 Cid: 0430 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0ee63000 ObjectTable: e188feb8 TableSize: 137.
Image: spoolsv.exe

PROCESS 81daa800 SessionId: 0 Cid: 0508 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f200000 ObjectTable: e19be4b8 TableSize: 452.
Image: inetinfo.exe

PROCESS 81c44558 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f165000 ObjectTable: e18909b0 TableSize: 43.
Image: nvsvc32.exe

PROCESS 81ee1b30 SessionId: 0 Cid: 0540 Peb: 7ffdf000 ParentCid: 0230
DirBase: 0f24a000 ObjectTable: e19b5ea0 TableSize: 186.
Image: snmp.exe

PROCESS 81e183c8 SessionId: 0 Cid: 00ec Peb: 7ffdf000 ParentCid: 07d4
DirBase: 125b4000 ObjectTable: e10c55e8 TableSize: 243.
Image: explorer.exe

PROCESS 81d58a88 SessionId: 0 Cid: 0178 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 130a9000 ObjectTable: e1269320 TableSize: 265.
Image: msmsgs.exe

PROCESS 81d49da8 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 00ec
DirBase: 1313f000 ObjectTable: e126e450 TableSize: 363.
Image: zapro.exe

PROCESS 81ca9b30 SessionId: 0 Cid: 0690 Peb: 7ffdf000 ParentCid: 0328
DirBase: 169e7000 ObjectTable: e1133f08 TableSize: 138.
Image: wuauclt.exe

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe

PROCESS 81d817f0 SessionId: 0 Cid: 055c Peb: 7ffdf000 ParentCid: 0204
DirBase: 0db9c000 ObjectTable: 00000000 TableSize: 0.
Image: logon.scr

kd> !process 81e15568
PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
VadRoot 81da2748 Vads 113 Clone 0 Private 672. Modified 402. Locked 0.
DeviceMap e1004578
Token e1aaa030
ElapsedTime 2:47:21.0640
UserTime 0:00:00.0390
KernelTime 0:00:00.0234
QuotaPoolUsage[PagedPool] 36888
QuotaPoolUsage[NonPagedPool] 73104
Working Set Sizes (now,min,max) (1356, 48, 128) (5424KB, 192KB, 512KB)
PeakWorkingSetSize 1553
VirtualSize 46 Mb
PeakVirtualSize 54 Mb
PageFaultCount 6151
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1036

THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
81ee47ac NotificationEvent
IRP List:
81e65980: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 89056
Context Switch Count 99 LargeStack
UserTime 0:00:00.0046
KernelTime 0:00:00.0046
Start Address 0x77e7eb41
Win32 Start Address 0x00477814
Stack Init f46f4000 Current f46f3c1c Base f46f4000 Limit f46f0000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f46f3c34 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf46f3c68] [0,0,4])
f46f3c40 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f46f3c68 805568d6 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f46f3c90 80553b31 nt!IopSynchronousServiceTail+0xc4 (FPO: [Non-Fpo])
f46f3d38 805283c1 nt!NtReadFile+0x559
f46f3d38 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f46f3d64)
0012fad4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b12600 Cid 330.7d8 Teb: 7ffdc000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d6aff0 SynchronizationEvent
81b126f0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731699
Context Switch Count 10043
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f467c000 Current f467bca0 Base f467c000 Limit f4679000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f467bcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf467bcec] [0,0,4])
f467bcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f467bcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f467bd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f467bd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f467bd64)
00e1ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d537e8 Cid 330.420 Teb: 7ffdb000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Alertable
81c58f08 SynchronizationEvent
81d538d8 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731442
Context Switch Count 1017
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f43b7000 Current f43b6ca0 Base f43b7000 Limit f43b4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f43b6cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf43b6cec] [0,0,4])
f43b6cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f43b6cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f43b6d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f43b6d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f43b6d64)
00f1ff64 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d518e0 Cid 330.3dc Teb: 7ffda000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e5a2d0 SynchronizationEvent
81d519d0 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731717
Context Switch Count 10189
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01081a92
Stack Init f4bec000 Current f4bebca0 Base f4bec000 Limit f4be9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bebcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bebcec] [0,0,4])
f4bebcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bebcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bebd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bebd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bebd64)
0101ff60 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6fda8 Cid 330.704 Teb: 7ffd9000 Win32Thread: e1045e80
WAIT: (UserRequest) UserMode Non-Alertable
81d87e98 SynchronizationEvent
81c6fe98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731672
Context Switch Count 10135 LargeStack
UserTime 0:00:00.0125
KernelTime 0:00:00.0078
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4cd4000 Current f4cd3ca0 Base f4cd4000 Limit f4cd0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4cd3cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4cd3cec] [0,0,4])
f4cd3cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4cd3cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4cd3d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4cd3d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4cd3d64)
0128fef8 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c67da8 Cid 330.1d4 Teb: 7ffd8000 Win32Thread: e1342430
WAIT: (DelayExecution) UserMode Alertable
81c67e98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731721
Context Switch Count 10042 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4307000 Current f4306cbc Base f4307000 Limit f4303000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4306cd4 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4306d0c] [0,0,4])
f4306ce0 804eff31 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4306d0c 805e48b9 nt!KeDelayExecutionThread+0x1c7 (FPO: [Non-Fpo])
f4306d54 805283c1 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
f4306d54 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4306d64)
0143ff00 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81c6ada8 Cid 330.110 Teb: 7ffd7000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81e1f060 SynchronizationEvent
81c6ae98 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731539
Context Switch Count 3347
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x01307578
Stack Init f4bcc000 Current f4bcbca0 Base f4bcc000 Limit f4bc9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4bcbcb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4bcbcec] [0,0,4])
f4bcbcc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4bcbcec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4bcbd50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4bcbd50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4bcbd64)
0153ff48 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81b11020 Cid 330.3d4 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81c5dd38 NotificationEvent
81b11110 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731710
Context Switch Count 2014
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f439b000 Current f439aca0 Base f439b000 Limit f4398000 Call 0
Priority 1 BasePriority 1 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f439acb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf439acec] [0,0,4])
f439acc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f439acec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f439ad50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f439ad50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f439ad64)
0163fea4 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

///////WATCH THE THREAD

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
Can’t set dump file contexts MachineInfo::SetContext failed - Thread: 00A9D7C8 Handle: 1 Id: 1 - Error == 0x8000FFFF
ChildEBP RetAddr
f4396ab0 8052b165 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81e1cc90 Cid 330.4b0 Teb: 7ffd4000 Win32Thread: 00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d683d0 NotificationEvent
81e1cd80 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731543
Context Switch Count 1024
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x00418510
Stack Init f4387000 Current f4386ca0 Base f4387000 Limit f4384000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4386cb8 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4386cec] [0,0,4])
f4386cc4 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4386cec 80593f24 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4386d50 805283c1 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
f4386d50 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4386d64)
0183fedc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d97a80 Cid 330.574 Teb: 7ffaf000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d97b70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433226
UserTime 0:00:00.0015
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f4383000 Current f4382c4c Base f4383000 Limit f4380000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f4382c64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf4382c98] [0,0,4])
f4382c70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f4382c98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f4382d48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f4382d48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4382d64)
0193ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

THREAD 81d9ca80 Cid 330.4d8 Teb: 7ffae000 Win32Thread: 00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ee11a8 Semaphore Limit 0x7fffffff
81d9cb70 NotificationTimer
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81e15568
WaitTime (ticks) 731719
Context Switch Count 1433640
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e802f4
Stack Init f437b000 Current f437ac4c Base f437b000 Limit f4378000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f437ac64 804f6320 nt!KiSwapContext+0x2e (FPO: [EBP 0xf437ac98] [0,0,4])
f437ac70 804f04e8 nt!KiSwapThread+0x44 (FPO: [0,0,2])
f437ac98 8057ad38 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f437ad48 805283c1 nt!NtReplyWaitReceivePortEx+0x3e2
f437ad48 7ffe0304 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f437ad64)
01a3ff90 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//
//uniprocessor
//
kd> ~1
1 is not a valid processor number
//
//faulting thread of vsmon
//
kd> !thread 81ef2da8
THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
IRP List:
81c8ee48: (0006,0094) Flags: 00000000 Mdl: 00000000 <<< -- IRP list, only one IRP
Not impersonating
GetUlongFromAddress: unable to read from 00000000
Owning Process 81ca2da8
WaitTime (ticks) 731721
Context Switch Count 11129
UserTime 0:00:00.0093
KernelTime 0:00:00.0015
Start Address 0x77e802f4
Win32 Start Address 0x77c37f49
Stack Init f4397000 Current f4396ca0 Base f4397000 Limit f4394000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f4396ab0 8052b165 0000000a 00000004 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
f4396ab0 804ee465 0000000a 00000004 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ f4396acc)
f4396b4c 804ee538 81ef2da8 81ca2da8 81ca2d00 nt!KiAttachProcess+0x6b (FPO: [Non-Fpo])
f4396b6c f4ab10e2 81ca2d00 f4ab12dc 81ecb430 nt!KeAttachProcess+0x42 (FPO: [Non-Fpo])
f4396b74 f4ab12dc 81ecb430 81ca2da8 003e0000 vsdatant!UnmapAddressInProcess+0x42 (FPO: [3,0,0]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 182]
f4396b8c f4a9af9c 04008020 003e0000 00016a00 vsdatant!UnmapDataInProcess+0x2c (FPO: [4,0,2]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsutilnt.c @ 271]
f4396bd4 f4a9b214 04008020 00000000 81c8ee60 vsdatant!HookFree+0xac (FPO: [Non-Fpo]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 1845]
f4396bec f4a9b6e8 81eeeeb8 00000001 04008020 vsdatant!DriverFastIoDispatch+0x1e4 (FPO: [EBP 0x00000010] [9,0,3]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2037]
f4396c24 f4a9b75b 81daed20 81c8ee48 81c31978 vsdatant!DriverDeviceDispatch+0x68 (FPO: [EBP 0xf4396c58] [2,0,4]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2301]
f4396c34 804e5d53 81daed20 81c8ee48 8069c43c vsdatant!DriverDispatch+0x2a (FPO: [2,0,1]) [c:\builds\wsmain\wsmain\src\tv\vsdatant\vsdatant.c @ 2320]
f4396c44 80556870 81eeeeb8 81c8eeb8 81c8ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f4396c58 8055759b 81daed20 81c8ee48 81eeeeb8 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
f4396d00 8055045c 00000330 00000000 00000000 nt!IopXxxControlFile+0x5a5
f4396d34 805283c1 00000330 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
f4396d34 7ffe0304 00000330 00000000 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f4396d64)
0173ff20 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

//Only one IRP

kd> !irp 81c8ee48 1
Irp is active with 1 stacks 1 is current (= 0x81c8eeb8)
No Mdl Thread 81ef2da8: Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = 81ef2fb8
ThreadListEntry.Blink = 81ef2fb8
IoStatus.Status = 00000000
IoStatus.Information = 00000010
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0173fefc
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008020
&Tail.Overlay.DeviceQueueEntry = 81c8ee88
Tail.Overlay.Thread = 81ef2da8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 81c8eeb8
Tail.Overlay.OriginalFileObject = 81eeeeb8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context

[e, 0] 0 0 81daed20 81eeeeb8 00000000-00000000 \Driver\vsdatant
Args: 00000010 00000010 84000017 04008020

-----Original Message-----
From: Prokash Sinha
Sent: Friday, October 18, 2002 9:07 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

That is certainly the case, at least somewhat…

I will provide more about the stack soon …

From the crash dump (loaded in windbg), with !process, I get

TYPE mismatch for process object at 81ca2da8. The process is gone!!!

!process 0 0 // does not show this PEB.

!threads shows the stack of the faulting thread, which has the owning
process 81ca2da8.

Yes we muck around with undoc. stuff.

Scenario
--------

Some partial cleanup goes on, the service issues an IOCTL to the driver,
the driver finds the current process, and tries to do the cleanup after
attaching to the current process.

Since the above steps are at PASSIVE LEVEL, I suppose this current
process is a dying process, AND THERE IS NO GUARANTEE THAT BY THE TIME
WE TRY TO ATTACH TO IT, IT IS STILL VALID!!!

Help me if I am wrong about the concept.

-prokash

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, October 17, 2002 6:03 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Thread Ownership2

Well it’s certainly possible that the driver did a stack attach to a
different process and forgot to detach before returning to user-mode.
Bug in the driver in that case. What does !process show on the owning
process for the thread now?

-----Original Message-----
From: xxxxx@garlic.com [mailto:xxxxx@garlic.com]
Sent: Thursday, October 17, 2002 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] Thread Ownership2

Hi All,

I’ve an NT service that is the main interface to a kernel-mode driver.

The service has threading, so it can have some threads; when the system
bugchecks and I look through !process under windbg, I see a thread of
this service is owned by a different process, one that no longer exists in
the process table (list) dump.

IS THERE SOME WAY THAT THREAD OWNERSHIP CAN BE CHANGED ???

-THANX IN ADV.
-PROKASH


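A triage check for dumps like the one quoted in this thread, added here as an example (it is not the driver's code nor anything posted on the list): it parses constructed excerpts in the shape of `!process 0 0`, the per-process thread listing and the `!analyze -v` header, and flags any thread whose Owning Process is absent from the active process list, which is exactly the trace a stale KeAttachProcess leaves behind. The addresses and image names are copied from the dump above; the 64 KB "near NULL" threshold is a heuristic chosen for this example.

```python
"""Cross-check a WinDbg crash dump for threads whose owning process is
missing from the active process list.  Added example modelled on the dump
quoted in this thread; not the driver's or the list's own code."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of `!process 0 0` output (addresses and
# image names copied from the dump quoted in the thread).
ACTIVE_PROCESS_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81fcea08 SessionId: 0 Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d50 TableSize: 254.
Image: System

PROCESS 81e15568 SessionId: 0 Cid: 0330 Peb: 7ffdf000 ParentCid: 0230
DirBase: 1a100000 ObjectTable: e1c09bb0 TableSize: 250.
Image: vsmon.exe
"""

# Constructed excerpt in the shape of the thread listing of `!process <addr>`.
THREAD_DUMP = """\
THREAD 81b12020 Cid 330.60c Teb: 7ffde000 Win32Thread: e1774e30
WAIT: (Executive) UserMode Non-Alertable
Not impersonating
Owning Process 81e15568

THREAD 81ef2da8 Cid 330.408 Teb: 7ffd5000 Win32Thread: 00000000
RUNNING on processor 0
Not impersonating
Owning Process 81ca2da8
"""

# Constructed excerpt of the `!analyze -v` header for this bugcheck.
ANALYZE_OUTPUT = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804ee465, address which referenced memory
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f]{8})\s+.*\bCid:\s*([0-9a-f]+)", re.M)
IMAGE_RE = re.compile(r"^Image:\s+(\S+)", re.M)
THREAD_RE = re.compile(r"^THREAD\s+([0-9a-f]{8})\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)", re.M)
OWNER_RE = re.compile(r"^Owning Process\s+([0-9a-f]{8})", re.M)
BUGCHECK_ARG_RE = re.compile(r"^Arg(\d):\s+([0-9a-f]{8})", re.M)


def active_processes(dump: str) -> Dict[str, str]:
    """Map each EPROCESS address in `!process 0 0` output to its image name."""
    procs: Dict[str, str] = {}
    for block in dump.split("\n\n"):
        head = PROCESS_RE.search(block)
        if head is None:
            continue
        image = IMAGE_RE.search(block)
        procs[head.group(1)] = image.group(1) if image else "?"
    return procs


def thread_owners(dump: str) -> List[Tuple[str, str, str]]:
    """Return (thread address, Cid pid, owning EPROCESS) for each THREAD block."""
    out: List[Tuple[str, str, str]] = []
    for block in dump.split("\n\n"):
        thr = THREAD_RE.search(block)
        owner = OWNER_RE.search(block)
        if thr and owner:
            out.append((thr.group(1), thr.group(2), owner.group(1)))
    return out


def orphaned_threads(process_dump: str, thread_dump: str) -> List[Tuple[str, str]]:
    """Threads whose Owning Process is not in the active process list.

    That mismatch is what a stale attach leaves behind: Ke stores the
    (already freed) pointer as the owning process before it faults on a
    field of that object, so the debugger shows an owner that is gone."""
    procs = active_processes(process_dump)
    return [(thr, owner) for thr, _pid, owner in thread_owners(thread_dump)
            if owner not in procs]


def bugcheck_a_summary(analyze_output: str) -> Dict[str, object]:
    """Decode the four IRQL_NOT_LESS_OR_EQUAL arguments from `!analyze -v`.

    A referenced address below 64 KB (heuristic: the never-mapped low end of
    the user address space) indicates a NULL-relative dereference, matching
    edx=0 in `mov [edx+0x4],eax` from the trap frame in the dump."""
    args = {int(n): int(v, 16) for n, v in BUGCHECK_ARG_RE.findall(analyze_output)}
    return {
        "address": args[1],
        "irql": args[2],
        "write": args[3] == 1,
        "faulting_ip": args[4],
        "near_null": args[1] < 0x10000,
    }


if __name__ == "__main__":
    print("active:", active_processes(ACTIVE_PROCESS_DUMP))
    print("orphaned:", orphaned_threads(ACTIVE_PROCESS_DUMP, THREAD_DUMP))
    print("bugcheck:", bugcheck_a_summary(ANALYZE_OUTPUT))
```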