Reading Notebook: 24-July-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Windows subsystem components (p. 54) - Never attach WinDbg to your own session's csrss.exe: your session will freeze (input and graphics). However, you can attach noninvasively to the session 0 (non-interactive) csrss.exe on Vista and W2K8. You won't be able to contact the MS symbol server because Internet connections are not allowed in that session, so prepare your symbols beforehand. Also, once you invoke a secure desktop, it will freeze too, so be careful and detach as soon as possible. Here is the list of thread stacks that gives a picture of component relationships:
0:000> ~*kc
. 0 Id: 1e4.1f4 Suspend: 1 Teb: 000007ff`fffdb000 Unfrozen
Call Site
ntdll!NtRequestWaitReplyPort
winsrv
ntdll!RtlUserThreadStart
1 Id: 1e4.1f8 Suspend: 1 Teb: 000007ff`fffd9000 Unfrozen
Call Site
ntdll!ZwWaitForMultipleObjects
winsrv
ntdll!RtlUserThreadStart
2 Id: 1e4.1fc Suspend: 1 Teb: 000007ff`fffd7000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
CSRSRV!CsrReplyToMessage
ntdll!RtlUserThreadStart
3 Id: 1e4.200 Suspend: 1 Teb: 000007ff`fffd5000 Unfrozen
Call Site
ntdll!NtReplyWaitReceivePort
CSRSRV!CsrUnhandledExceptionFilter
ntdll!RtlUserThreadStart
4 Id: 1e4.220 Suspend: 1 Teb: 000007ff`fffdd000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
CSRSRV!CsrReplyToMessage
ntdll!RtlUserThreadStart
5 Id: 1e4.23c Suspend: 1 Teb: 000007ff`fffd3000 Unfrozen
Call Site
winsrv
winsrv
ntdll!RtlUserThreadStart
6 Id: 1e4.240 Suspend: 1 Teb: 000007ff`fffae000 Unfrozen
Call Site
winsrv
winsrv
ntdll!RtlUserThreadStart
7 Id: 1e4.280 Suspend: 1 Teb: 000007ff`fffac000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
CSRSRV!CsrReplyToMessage
ntdll!RtlUserThreadStart
8 Id: 1e4.284 Suspend: 1 Teb: 000007ff`fffaa000 Unfrozen
Call Site
winsrv
winsrv
ntdll!RtlUserThreadStart
9 Id: 1e4.288 Suspend: 1 Teb: 000007ff`fffa8000 Unfrozen
Call Site
USER32!ZwUserGetMessage
USER32!GetMessageW
winsrv
ntdll!RtlUserThreadStart
10 Id: 1e4.848 Suspend: 1 Teb: 000007ff`fffa6000 Unfrozen
Call Site
USER32!ZwUserGetMessage
USER32!GetMessageW
winsrv
ntdll!RtlUserThreadStart
11 Id: 1e4.b80 Suspend: 1 Teb: 000007ff`fffa4000 Unfrozen
Call Site
USER32!ZwUserGetMessage
USER32!GetMessageW
winsrv
ntdll!RtlUserThreadStart
USER and GDI functions (pp. 54 - 55) - A long time ago I created a UML component diagram depicting component dependencies extracted from stack traces: http://www.dumpanalysis.org/blog/index.php/2006/10/24/reverse-engineering-citrix-thinwire/
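As an added example (not code from the post, from Windows Internals, or from the linked diagram), here is a small Python script that parses a WinDbg "~*kc" listing like the one above and turns adjacent frames into module-level caller -> callee edges, which is the raw material for a component dependency picture of csrss.exe. The embedded text is a constructed excerpt of the csrss.exe listing in the post; bare module names without symbols (such as "winsrv") are treated as the module itself.

```python
"""Derive a component-dependency picture from WinDbg '~*kc' output.

Added example, not from the original post. It parses a thread-stack
listing and turns adjacent frames into caller -> callee edges between
modules. The sample text below is a constructed excerpt, in the same
format, of the csrss.exe listing shown in the post.
"""
import re
from collections import Counter

# Constructed sample in '~*kc' format (three threads taken from the post's listing).
SAMPLE_KC = """\
. 0 Id: 1e4.1f4 Suspend: 1 Teb: 000007ff`fffdb000 Unfrozen
Call Site
ntdll!NtRequestWaitReplyPort
winsrv
ntdll!RtlUserThreadStart
 2 Id: 1e4.1fc Suspend: 1 Teb: 000007ff`fffd7000 Unfrozen
Call Site
ntdll!ZwAlpcSendWaitReceivePort
CSRSRV!CsrReplyToMessage
ntdll!RtlUserThreadStart
 9 Id: 1e4.288 Suspend: 1 Teb: 000007ff`fffa8000 Unfrozen
Call Site
USER32!ZwUserGetMessage
USER32!GetMessageW
winsrv
ntdll!RtlUserThreadStart
"""

# Thread header: optional '.' for the current thread, index, then 'Id: pid.tid Suspend:'.
THREAD_HDR = re.compile(
    r"^\.?\s*(\d+)\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)\s+Suspend:", re.I
)


def parse_kc(text):
    """Return {thread_index: [frames top..bottom]}.

    A frame is 'module!symbol' or a bare module name when no symbols resolved.
    """
    threads = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = THREAD_HDR.match(line)
        if m:
            current = int(m.group(1))
            threads[current] = []
            continue
        if line == "Call Site" or current is None:
            continue
        threads[current].append(line)
    return threads


def module_of(frame):
    """'ntdll!RtlUserThreadStart' -> 'ntdll'; 'winsrv' (no symbols) -> 'winsrv'."""
    return frame.split("!", 1)[0].lower()


def dependency_edges(threads):
    """Count caller -> callee edges between distinct modules.

    Frames are listed innermost first, so frame i+1 called frame i.
    Edges within one module are dropped; only cross-component calls remain.
    """
    edges = Counter()
    for frames in threads.values():
        mods = [module_of(f) for f in frames]
        for callee, caller in zip(mods, mods[1:]):
            if caller != callee:
                edges[(caller, callee)] += 1
    return edges


def modules_per_thread(threads):
    """Which components each thread touches, e.g. {2: ['csrsrv', 'ntdll']}."""
    return {idx: sorted({module_of(f) for f in frames}) for idx, frames in threads.items()}


if __name__ == "__main__":
    t = parse_kc(SAMPLE_KC)
    for (caller, callee), n in sorted(dependency_edges(t).items()):
        print(f"{caller} -> {callee}: {n} thread(s)")
```

Run over the full listing, the edge counts show the same structure the stacks suggest by eye: winsrv and CSRSRV sit between ntdll's ALPC/port waits and the thread start, and USER32 is reached only from winsrv's message-loop threads.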
fork function (p. 56) - The Windows NT/2000 Native API Reference book has a section that sketches its implementation using the native API.
SUA provides mixed-mode support (we can call POSIX along with the Windows API) (pp. 56 - 57) - It seems there are also Windows Server 2003 R2 UNIX interoperability components, and they also seem to be called SUA for W2K3 R2. This is the link for Windows Server 2008: http://technet.microsoft.com/en-us/library/cc771672.aspx
ntdll.dll functions (pp. 57 - 58) - We can list all functions by attaching WinDbg to a process and running this command: x ntdll!*. Some of the API is explained in the Windows NT/2000 Native API Reference book, but of course more has been added since W2K.
Executive / kernel bipartition of ntoskrnl.exe (pp. 58 - 65) - We can list functions in any kernel memory dump with this WinDbg command: x nt!*
ALPC (p. 60) - It seems it replaces LPC on Vista and W2K8. See also http://www.dumpanalysis.org/blog/index.php/2009/03/20/advanced-local-procedure-call-windbg-extension/
TxR and TxF, transactional registry and NTFS (p. 60)
Diagnostic Infrastructure (p. 61) - more here: http://technet.microsoft.com/en-us/library/cc774650(WS.10).aspx
Hardware Error Architecture (p. 62) - I found this WHEA presentation: http://download.microsoft.com/download/9/8/f/98f3fe47-dfc3-4e74-92a3-088782200fe7/TWAR05008_WinHEC05.ppt
Executive object encapsulates kernel objects and adds policies like security and handles (p. 61)
x86 / x64 access to KPCR: [FS] / [GS] (p. 62) - here is how to see _KPCR and _KPRCB manually using base WinDbg commands:
0: kd> dt _KPCR
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 GdtBase : Ptr64 _KGDTENTRY64
+0x008 TssBase : Ptr64 _KTSS64
+0x010 UserRsp : Uint8B
+0x018 Self : Ptr64 _KPCR
+0x020 CurrentPrcb : Ptr64 _KPRCB
+0x028 LockArray : Ptr64 _KSPIN_LOCK_QUEUE
+0x030 Used_Self : Ptr64 Void
+0x038 IdtBase : Ptr64 _KIDTENTRY64
+0x040 Unused : [2] Uint8B
+0x050 Irql : UChar
+0x051 SecondLevelCacheAssociativity : UChar
+0x052 ObsoleteNumber : UChar
+0x053 Fill0 : UChar
+0x054 Unused0 : [3] Uint4B
+0x060 MajorVersion : Uint2B
+0x062 MinorVersion : Uint2B
+0x064 StallScaleFactor : Uint4B
+0x068 Unused1 : [3] Ptr64 Void
+0x080 KernelReserved : [15] Uint4B
+0x0bc SecondLevelCacheSize : Uint4B
+0x0c0 HalReserved : [16] Uint4B
+0x100 Unused2 : Uint4B
+0x108 KdVersionBlock : Ptr64 Void
+0x110 Unused3 : Ptr64 Void
+0x118 PcrAlign1 : [24] Uint4B
+0x180 Prcb : _KPRCB
0: kd> dq gs:0+18 l1
002b:00000000`00000018 fffff800`01987500
0: kd> dt _KPCR fffff800`01987500
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 GdtBase : 0xfffff800`03e77000 _KGDTENTRY64
+0x008 TssBase : 0xfffff800`03e78070 _KTSS64
+0x010 UserRsp : 0x12f5c8
+0x018 Self : 0xfffff800`01987500 _KPCR
+0x020 CurrentPrcb : 0xfffff800`01987680 _KPRCB
+0x028 LockArray : 0xfffff800`01987cf0 _KSPIN_LOCK_QUEUE
+0x030 Used_Self : 0x000007ff`fffde000
+0x038 IdtBase : 0xfffff800`03e77070 _KIDTENTRY64
+0x040 Unused : [2] 0
+0x050 Irql : 0 ''
+0x051 SecondLevelCacheAssociativity : 0x8 ''
+0x052 ObsoleteNumber : 0 ''
+0x053 Fill0 : 0 ''
+0x054 Unused0 : [3] 0
+0x060 MajorVersion : 1
+0x062 MinorVersion : 1
+0x064 StallScaleFactor : 0x702
+0x068 Unused1 : [3] (null)
+0x080 KernelReserved : [15] 0
+0x0bc SecondLevelCacheSize : 0x200000
+0x0c0 HalReserved : [16] 0x6af178d0
+0x100 Unused2 : 0
+0x108 KdVersionBlock : (null)
+0x110 Unused3 : (null)
+0x118 PcrAlign1 : [24] 0
+0x180 Prcb : _KPRCB
0: kd> dt _KPRCB fffff800`01987500+180
nt!_KPRCB
+0x000 MxCsr : 0x1f80
+0x004 Number : 0
+0x006 InterruptRequest : 0 ''
+0x007 IdleHalt : 0 ''
+0x008 CurrentThread : 0xfffffa80`05844060 _KTHREAD
+0x010 NextThread : (null)
+0x018 IdleThread : 0xfffff800`0198cb80 _KTHREAD
+0x020 NestingLevel : 0 ''
+0x021 Group : 0 ''
+0x022 PrcbPad00 : [6] ""
+0x028 RspBase : 0xfffffa60`05435db0
+0x030 PrcbLock : 0
+0x038 SetMember : 1
+0x040 ProcessorState : _KPROCESSOR_STATE
+0x5f0 CpuType : 6 ''
+0x5f1 CpuID : 1 ''
+0x5f2 CpuStep : 0xf02
+0x5f2 CpuStepping : 0x2 ''
+0x5f3 CpuModel : 0xf ''
+0x5f4 MHz : 0x702
+0x5f8 HalReserved : [8] 0
+0x638 MinorVersion : 1
+0x63a MajorVersion : 1
+0x63c BuildType : 0 ''
+0x63d CpuVendor : 0x2 ''
+0x63e CoresPerPhysicalProcessor : 0x2 ''
+0x63f LogicalProcessorsPerCore : 0x1 ''
+0x640 ApicMask : 0xfffffffe
+0x644 CFlushSize : 0x40
+0x648 AcpiReserved : (null)
+0x650 InitialApicId : 0
+0x654 Stride : 2
+0x658 PrcbPad01 : [3] 0
+0x670 LockQueue : [49] _KSPIN_LOCK_QUEUE
+0x980 PPLookasideList : [16] _PP_LOOKASIDE_LIST
+0xa80 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x1680 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x2280 PacketBarrier : 0
+0x2288 DeferredReadyListHead : _SINGLE_LIST_ENTRY
+0x2290 MmPageFaultCount : 104442883
+0x2294 MmCopyOnWriteCount : 79492
+0x2298 MmTransitionCount : 7930741
+0x229c MmDemandZeroCount : 37175835
+0x22a0 MmPageReadCount : 30484924
+0x22a4 MmPageReadIoCount : 1842657
+0x22a8 MmDirtyPagesWriteCount : 69757
+0x22ac MmDirtyWriteIoCount : 291
+0x22b0 MmMappedPagesWriteCount : 92208
+0x22b4 MmMappedWriteIoCount : 778
+0x22b8 KeSystemCalls : 0x7ef91c13
+0x22bc KeContextSwitches : 0x407f5553
+0x22c0 CcFastReadNoWait : 0
+0x22c4 CcFastReadWait : 0x17da4d
+0x22c8 CcFastReadNotPossible : 0
+0x22cc CcCopyReadNoWait : 0x171
+0x22d0 CcCopyReadWait : 0x187402
+0x22d4 CcCopyReadNoWaitMiss : 0x12
+0x22d8 LookasideIrpFloat : 916
+0x22dc IoReadOperationCount : 3898535
+0x22e0 IoWriteOperationCount : 1424180
+0x22e4 IoOtherOperationCount : 10511442
+0x22e8 IoReadTransferCount : _LARGE_INTEGER 0x2a`779e962f
+0x22f0 IoWriteTransferCount : _LARGE_INTEGER 0xe`d374c96a
+0x22f8 IoOtherTransferCount : _LARGE_INTEGER 0x2`bccbbfe4
+0x2300 TargetSet : 0
+0x2308 IpiFrozen : 0
+0x230c PrcbPad3 : [116] ""
+0x2380 RequestMailbox : [64] _REQUEST_MAILBOX
+0x3380 SenderSummary : 0
+0x3388 PrcbPad4 : [120] ""
+0x3400 DpcData : [2] _KDPC_DATA
+0x3440 DpcStack : 0xfffff800`03e84fb0
+0x3448 SparePtr0 : (null)
+0x3450 MaximumDpcQueueDepth : 4
+0x3454 DpcRequestRate : 1
+0x3458 MinimumDpcRate : 3
+0x345c DpcInterruptRequested : 0 ''
+0x345d DpcThreadRequested : 0 ''
+0x345e DpcRoutineActive : 0 ''
+0x345f DpcThreadActive : 0 ''
+0x3460 TimerHand : 0
+0x3460 TimerRequest : 0
+0x3468 TickOffset : 48366
+0x346c MasterOffset : 48366
+0x3470 DpcLastCount : 0x3487538
+0x3474 ThreadDpcEnable : 0x1 ''
+0x3475 QuantumEnd : 0 ''
+0x3476 PrcbPad50 : 0 ''
+0x3477 IdleSchedule : 0 ''
+0x3478 DpcSetEventRequest : 0
+0x347c KeExceptionDispatchCount : 0x1e44d8
+0x3480 DpcEvent : _KEVENT
+0x3498 PrcbPad51 : (null)
+0x34a0 CallDpc : _KDPC
+0x34e0 ClockKeepAlive : 2
+0x34e4 ClockCheckSlot : 0x1 ''
+0x34e5 ClockPollCycle : 0x8 ''
+0x34e6 PrcbPad6 : [2] ""
+0x34e8 DpcWatchdogPeriod : 1924
+0x34ec DpcWatchdogCount : 1767
+0x34f0 PrcbPad70 : [2] 0
+0x3500 WaitListHead : _LIST_ENTRY [ 0xfffffa80`04e9fc48 - 0xfffffa80`03bfc0d8 ]
+0x3510 WaitLock : 0
+0x3518 ReadySummary : 0
+0x351c QueueIndex : 1
+0x3520 PrcbPad71 : [12] 0
+0x3580 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0xfffff800`0198ac00 - 0xfffff800`0198ac00 ]
+0x3780 InterruptCount : 0x127a01d4
+0x3784 KernelTime : 0x20af69a
+0x3788 UserTime : 0x8182f
+0x378c DpcTime : 0xce05
+0x3790 InterruptTime : 0x26cf
+0x3794 AdjustDpcThreshold : 5
+0x3798 SkipTick : 0 ''
+0x3799 DebuggerSavedIRQL : 0x2 ''
+0x379a PollSlot : 0 ''
+0x379b PrcbPad80 : [5] ""
+0x37a0 DpcTimeCount : 0
+0x37a4 DpcTimeLimit : 0x282
+0x37a8 PeriodicCount : 0
+0x37ac PeriodicBias : 0
+0x37b0 PrcbPad81 : [2] 0
+0x37c0 ParentNode : 0xfffff800`0198b640 _KNODE
+0x37c8 MultiThreadProcessorSet : 3
+0x37d0 MultiThreadSetMaster : 0xfffff800`01987680 _KPRCB
+0x37d8 StartCycles : 0x375f7`ea78a322
+0x37e0 MmSpinLockOrdering : 0
+0x37e4 PageColor : 0x7064
+0x37e8 NodeColor : 0
+0x37ec NodeShiftedColor : 0
+0x37f0 SecondaryColorMask : 0x3f
+0x37f4 Sleeping : 1
+0x37f8 CycleTime : 0x4f0`4392cb00
+0x3800 CcFastMdlReadNoWait : 0
+0x3804 CcFastMdlReadWait : 0
+0x3808 CcFastMdlReadNotPossible : 0
+0x380c CcMapDataNoWait : 0
+0x3810 CcMapDataWait : 0x8e0ad8
+0x3814 CcPinMappedDataCount : 0x1523da
+0x3818 CcPinReadNoWait : 0
+0x381c CcPinReadWait : 0xddb5c
+0x3820 CcMdlReadNoWait : 0
+0x3824 CcMdlReadWait : 0x98e
+0x3828 CcLazyWriteHotSpots : 0x464
+0x382c CcLazyWriteIos : 0x2e39b
+0x3830 CcLazyWritePages : 0x561520
+0x3834 CcDataFlushes : 0x70b8c
+0x3838 CcDataPages : 0xc0c0e0
+0x383c CcLostDelayedWrites : 0
+0x3840 CcFastReadResourceMiss : 0
+0x3844 CcCopyReadWaitMiss : 0x12f3a0d
+0x3848 CcFastMdlReadResourceMiss : 0
+0x384c CcMapDataNoWaitMiss : 0
+0x3850 CcMapDataWaitMiss : 0x69bc
+0x3854 CcPinReadNoWaitMiss : 0x7dfb0
+0x3858 CcPinReadWaitMiss : 0x1796
+0x385c CcMdlReadNoWaitMiss : 0
+0x3860 CcMdlReadWaitMiss : 0
+0x3864 CcReadAheadIos : 0x8e7589
+0x3868 MmCacheTransitionCount : 0
+0x386c MmCacheReadCount : 0
+0x3870 MmCacheIoCount : 0
+0x3874 PrcbPad91 : [3] 0
+0x3880 PowerState : _PROCESSOR_POWER_STATE
+0x3998 KeAlignmentFixupCount : 0
+0x399c VendorString : [13] "GenuineIntel"
+0x39a9 PrcbPad10 : [3] ""
+0x39ac FeatureBits : 0x20193ffe
+0x39b0 UpdateSignature : _LARGE_INTEGER 0x56`00000000
+0x39b8 DpcWatchdogDpc : _KDPC
+0x39f8 DpcWatchdogTimer : _KTIMER
+0x3a38 Cache : [5] _CACHE_DESCRIPTOR
+0x3a74 CacheCount : 3
+0x3a78 CachedCommit : 0x65
+0x3a7c CachedResidentAvailable : 0x1a
+0x3a80 HyperPte : 0xfffffa60`00400027
+0x3a88 WheaInfo : 0xfffffa80`03d63b30
+0x3a90 EtwSupport : 0xfffffa80`03bbf290
+0x3aa0 InterruptObjectPool : _SLIST_HEADER
+0x3ab0 HypercallPageList : _SLIST_HEADER
+0x3ac0 HypercallPageVirtual : (null)
+0x3ac8 VirtualApicAssist : (null)
+0x3ad0 StatisticsPage : (null)
+0x3ad8 RateControl : 0xfffffa80`03fb0420
+0x3ae0 CacheProcessorMask : [5] 1
+0x3b08 PackageProcessorSet : 3
+0x3b10 CoreProcessorSet : 1
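The manual walk above relies on two invariants: the value read from GS:[0x18] is the KPCR's own Self pointer, and CurrentPrcb is simply the KPCR base plus offsetof(_KPCR, Prcb), which is why "dt _KPRCB <kpcr>+180" lands on the live PRCB. As an added example (not code from the post or from Windows Internals), here is a Python script that parses "dt" output and verifies both invariants, the kind of consistency check a memory-forensics tool applies before trusting a PCR it found. The embedded dump is a constructed excerpt of the post's own "dt _KPCR fffff800`01987500" output.

```python
"""Consistency-check a dumped _KPCR before trusting it.

Added example, not from the original post. It parses WinDbg 'dt' output
and checks that Self points back at the structure's own address and that
CurrentPrcb == base + offsetof(_KPCR, Prcb). The dump text below is a
constructed excerpt of the post's 'dt _KPCR fffff800`01987500' output.
"""
import re

# Constructed excerpt of the post's 'dt _KPCR fffff800`01987500' output.
KPCR_DUMP = """\
nt!_KPCR
   +0x000 NtTib : _NT_TIB
   +0x000 GdtBase : 0xfffff800`03e77000 _KGDTENTRY64
   +0x008 TssBase : 0xfffff800`03e78070 _KTSS64
   +0x010 UserRsp : 0x12f5c8
   +0x018 Self : 0xfffff800`01987500 _KPCR
   +0x020 CurrentPrcb : 0xfffff800`01987680 _KPRCB
   +0x028 LockArray : 0xfffff800`01987cf0 _KSPIN_LOCK_QUEUE
   +0x180 Prcb : _KPRCB
"""

# '+0x018 Self : <value>' -> (offset, name, value)
FIELD = re.compile(r"^\s*\+0x([0-9a-f]+)\s+(\w+)\s*:\s*(.*)$", re.I)
# WinDbg prints 64-bit values with a backtick between the halves; '0x' is optional
# ('dq' output omits it, 'dt' output includes it).
POINTER = re.compile(r"(?:0x)?([0-9a-f]+)`([0-9a-f]+)", re.I)


def parse_dt(text):
    """Return {field_name: (offset, raw_value_text)} from 'dt' output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3).strip())
    return fields


def pointer_value(raw):
    """Parse 0xfffff800`01987500 (or fffff800`01987500) into an int."""
    m = POINTER.search(raw)
    if not m:
        raise ValueError(f"no 64-bit pointer in {raw!r}")
    return int(m.group(1) + m.group(2), 16)


def check_kpcr(dump_text, base):
    """Return {invariant_name: bool} for a _KPCR that was dumped at 'base'."""
    f = parse_dt(dump_text)
    self_ptr = pointer_value(f["Self"][1])
    prcb_ptr = pointer_value(f["CurrentPrcb"][1])
    prcb_off = f["Prcb"][0]
    return {
        # The Self slot is what 'dq gs:0+18' reads on x64; a genuine PCR points at itself.
        "self_is_base": self_ptr == base,
        # CurrentPrcb must be the PRCB embedded in this PCR, not some other block.
        "prcb_is_embedded": prcb_ptr == base + prcb_off,
        # Layout check: Self really lives at +0x18 in this build's _KPCR.
        "self_offset_is_0x18": f["Self"][0] == 0x18,
    }


def kpcr_is_consistent(dump_text, base):
    return all(check_kpcr(dump_text, base).values())


def prcb_address(dump_text, base):
    """Address to pass to 'dt _KPRCB', i.e. base + offsetof(_KPCR, Prcb)."""
    return base + parse_dt(dump_text)["Prcb"][0]


if __name__ == "__main__":
    base = pointer_value("fffff800`01987500")  # the value 'dq gs:0+18 l1' returned
    for name, ok in check_kpcr(KPCR_DUMP, base).items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
    print(f"dt _KPRCB {prcb_address(KPCR_DUMP, base):x}")
```

A PCR whose Self does not point at its own address, or whose CurrentPrcb is not the embedded Prcb, is either a stale copy in the dump or has been tampered with, and nothing read through it (CurrentThread, IdleThread, the DPC queues) should be trusted without further corroboration.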
- Dmitry Vostokov @ SoftwareGeneralist.com -