Reading Notebook: 30-July-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Idle process (p. 75) - in a dump we cannot see it in the !process 0 0 process list, but if an idle thread is running on a processor we can see it attached to the System process (args to functions are omitted for clarity):
0: kd> !running
System Processors 3 (affinity mask)
 Idle Processors 2
Prcbs Current          Next
 0   fffff80001987680 fffffa8005844060                   ................
0: kd> ~1s
1: kd> !thread
THREAD fffffa60005f5d40  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap                fffff88000007400
Owning Process           fffff8000198d0c0      Image:        Idle
Attached Process         fffffa8003bcd0b0      Image:        System
Wait Start TickCount     0             Ticks: 34803400 (6:06:48:56.519)
Context Switch Count     271743713
UserTime                 00:00:00.000
KernelTime               6 Days 01:31:19.718
Win32 Start Address nt!KiIdleLoop (0xfffff80001871e10)
Stack Init fffffa600171bdb0 Current fffffa600171bd40
Base fffffa600171c000 Limit fffffa6001716000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP         RetAddr          : Call Site
fffffa60`0171bce8 fffffa60`00d9e685 : intelppm!C1Halt+0x2
fffffa60`0171bcf0 fffff800`01882ac8 : intelppm!C1Idle+0x9
fffffa60`0171bd20 fffff800`01871e31 : nt!PoIdle+0x148
fffffa60`0171bd80 fffff800`01a405c0 : nt!KiIdleLoop+0x21
fffffa60`0171bdb0 00000000`fffffa60 : nt!zzz_AsmCodeRange_End+0x4
fffffa60`005efd00 00000000`00000000 : 0xfffffa60
Interrupt and DPC time is added to system idle time in Task Manager (p. 75) - in a kernel dump we can use the !prcb command to see these per-processor counters:
1: kd> !prcb
PRCB for Processor 1 at fffffa60005ec180:
Current IRQL -- 0
Threads--  Current fffffa60005f5d40 Next 0000000000000000 Idle fffffa60005f5d40
Number 1 SetMember 2
Interrupt Count -- 121fe4dc
Times -- Dpc   0000029d Interrupt 0000089b
        Kernel 0205b773 User     000d5745
and we can use !whattime to convert ticks to standard time:
1: kd> !whattime 0000ce05+000026cf
62676 Ticks in Standard Time: 16:17.751s
System threads can be created in the context of any process and not just System (p. 76) - sometimes we can see nt!PspSystemThreadStartup in stack traces when we list process threads
STATUS_SYSTEM_PROCESS_TERMINATED (C000021A) (p. 79) - I remember in the past support personnel used to kill csrss.exe in order to get a manual kernel or complete memory dump.
LogonUI process and SAS (p. 79) - I was wondering where the GUI dialog threads in W2K8 winlogon.exe are, and they seem to have moved to that separately launched process.
winlogon -> userinit -> shell (p. 80) - We can use Citrix CDF traces to learn about the process launch sequence in Citrix terminal service environments: http://www.dumpanalysis.org/blog/index.php/2008/03/31/cdf-traces-analyzing-process-launch-sequence/
Three names of Windows services (p. 81) - In order to dump the terminal service we need its PID. Here is the article: http://support.citrix.com/article/ctx106035
Many-to-one mapping: service - process (pp. 82-83) - I noticed that the number of ADVAPI32!ScSvcctrlThreadA(W) threads corresponds to the number of services in a service host process.
- Dmitry Vostokov @ SoftwareGeneralist.com -