Reading Notebook: 20-November-09

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SCM executable: services.exe (p. 300) - !process 0 0 shows the start order of processes:

lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8003bf1040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 568.
    Image: System

PROCESS fffffa8004710040
    SessionId: none  Cid: 019c    Peb: 7fffffdb000  ParentCid: 0004
    DirBase: bc8ef000  ObjectTable: fffff880000eb7e0  HandleCount:  33.
    Image: smss.exe

PROCESS fffffa80047cfa40
    SessionId: 0  Cid: 01e0    Peb: 7fffffd6000  ParentCid: 01d4
    DirBase: b4353000  ObjectTable: fffff88007de31b0  HandleCount: 468.
    Image: csrss.exe

PROCESS fffffa80047e7040
    SessionId: 0  Cid: 0214    Peb: 7fffffdf000  ParentCid: 019c
    DirBase: b31ba000  ObjectTable: fffff88007e66cb0  HandleCount: 789.
    Image: psxss.exe

PROCESS fffffa80047f5870
    SessionId: 0  Cid: 0238    Peb: 7fffffdf000  ParentCid: 01d4
    DirBase: b2919000  ObjectTable: fffff88007df7ed0  HandleCount: 101.
    Image: wininit.exe

PROCESS fffffa800481b5e0
    SessionId: 0  Cid: 0280    Peb: 7fffffdf000  ParentCid: 0238
    DirBase: b1b3d000  ObjectTable: fffff88007eac280  HandleCount: 271.
    Image: services.exe

PROCESS fffffa8004820360
    SessionId: 0  Cid: 028c    Peb: 7fffffdd000  ParentCid: 0238
    DirBase: b15eb000  ObjectTable: fffff88007ecbae0  HandleCount: 728.
    Image: lsass.exe

PROCESS fffffa80048252d0
    SessionId: 0  Cid: 0294    Peb: 7fffffde000  ParentCid: 0238
    DirBase: b14f1000  ObjectTable: fffff88007ecf4d0  HandleCount: 178.
    Image: lsm.exe

PROCESS fffffa800429f2b0
    SessionId: 0  Cid: 0338    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: af2a2000  ObjectTable: fffff880082807d0  HandleCount: 306.
    Image: svchost.exe

PROCESS fffffa8004a82270
    SessionId: 0  Cid: 0374    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: aef26000  ObjectTable: fffff88008036e60  HandleCount: 311.
    Image: svchost.exe

PROCESS fffffa8004a97c10
    SessionId: 0  Cid: 0398    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: aebb0000  ObjectTable: fffff88008009950  HandleCount: 379.
    Image: svchost.exe

PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 395.
    Image: svchost.exe

PROCESS fffffa8004ae8950
    SessionId: 0  Cid: 00f8    Peb: 7fffffd9000  ParentCid: 0280
    DirBase: ada7a000  ObjectTable: fffff880080d4690  HandleCount: 172.
    Image: svchost.exe

PROCESS fffffa8004af2750
    SessionId: 0  Cid: 012c    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ad83f000  ObjectTable: fffff880080d7b10  HandleCount: 897.
    Image: svchost.exe

PROCESS fffffa8004af7040
    SessionId: 0  Cid: 0140    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: ad5c6000  ObjectTable: fffff880080e3580  HandleCount:  99.
    Image: SLsvc.exe

PROCESS fffffa8004b0f500
    SessionId: 0  Cid: 0278    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: ac4ce000  ObjectTable: fffff8800812d330  HandleCount: 301.
    Image: svchost.exe

PROCESS fffffa8004b20770
    SessionId: 0  Cid: 0194    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: abfd3000  ObjectTable: fffff8800814fd30  HandleCount: 354.
    Image: svchost.exe

PROCESS fffffa8004b315c0
    SessionId: 0  Cid: 0410    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: abc98000  ObjectTable: fffff88008083420  HandleCount:  76.
    Image: svchost.exe

PROCESS fffffa8004b4a040
    SessionId: 0  Cid: 0448    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ab164000  ObjectTable: fffff880081a42e0  HandleCount: 479.
    Image: svchost.exe

PROCESS fffffa8004b9c740
    SessionId: 0  Cid: 050c    Peb: 7fffffdf000  ParentCid: 03f8
    DirBase: a9c86000  ObjectTable: fffff880081e8750  HandleCount: 141.
    Image: audiodg.exe

PROCESS fffffa8004ba0880
    SessionId: 0  Cid: 0524    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: a96a9000  ObjectTable: fffff88008217c10  HandleCount: 269.
    Image: svchost.exe

PROCESS fffffa8004c15c10
    SessionId: 0  Cid: 0588    Peb: 7fffffda000  ParentCid: 0280
    DirBase: a8906000  ObjectTable: fffff8800825a810  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004b1c7a0
    SessionId: 0  Cid: 0604    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a7598000  ObjectTable: fffff8800827de90  HandleCount: 373.
    Image: spoolsv.exe

PROCESS fffffa8004ca4040
    SessionId: 0  Cid: 067c    Peb: 7efdf000  ParentCid: 0280
    DirBase: a6a24000  ObjectTable: fffff8800833af00  HandleCount:  71.
    Image: mdm.exe

PROCESS fffffa8004cbd040
    SessionId: 0  Cid: 06e8    Peb: 7fffffdf000  ParentCid: 012c
    DirBase: a6363000  ObjectTable: fffff880083735f0  HandleCount: 310.
    Image: taskeng.exe

PROCESS fffffa8004cda8f0
    SessionId: 0  Cid: 0720    Peb: 7fffffd3000  ParentCid: 0280
    DirBase: a5dfb000  ObjectTable: fffff8800801ae20  HandleCount:  57.
    Image: svchost.exe

PROCESS fffffa8004cfbc10
    SessionId: 0  Cid: 0768    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a5400000  ObjectTable: fffff880083c46d0  HandleCount:  54.
    Image: svchost.exe

PROCESS fffffa8004cfb7e0
    SessionId: 0  Cid: 0774    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a5185000  ObjectTable: fffff880017f9bf0  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004cfdc10
    SessionId: 0  Cid: 0780    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: a51ca000  ObjectTable: fffff880083b0270  HandleCount:  75.
    Image: svchost.exe

PROCESS fffffa8004d18c10
    SessionId: 0  Cid: 07b4    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a4acf000  ObjectTable: fffff880083de5c0  HandleCount: 147.
    Image: svchost.exe

PROCESS fffffa8004d2e4a0
    SessionId: 0  Cid: 07d4    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a4554000  ObjectTable: fffff88008404b40  HandleCount:  43.
    Image: svchost.exe

PROCESS fffffa8005273830
    SessionId: 0  Cid: 0740    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: 8ac6a000  ObjectTable: fffff88008ff53f0  HandleCount: 228.
    Image: svchost.exe

PROCESS fffffa80052e4b10
    SessionId: 0  Cid: 0a50    Peb: 7fffffda000  ParentCid: 0280
    DirBase: 87170000  ObjectTable: fffff8800912ced0  HandleCount: 234.
    Image: svchost.exe

PROCESS fffffa80054c7770
    SessionId: 0  Cid: 09a4    Peb: 7fffffd8000  ParentCid: 0280
    DirBase: 129ab5000  ObjectTable: fffff8800973aa40  HandleCount: 163.
    Image: msdtc.exe

PROCESS fffffa8005206860
    SessionId: 2  Cid: 0b10    Peb: 7fffffd9000  ParentCid: 0310
    DirBase: 72584000  ObjectTable: fffff88007ea0ac0  HandleCount: 518.
    Image: csrss.exe

PROCESS fffffa8004dfa880
    SessionId: 2  Cid: 062c    Peb: 7fffffd3000  ParentCid: 0310
    DirBase: 70609000  ObjectTable: fffff8800971e5c0  HandleCount: 115.
    Image: winlogon.exe

PROCESS fffffa8003c1bc10
    SessionId: 2  Cid: 08d4    Peb: 7fffffde000  ParentCid: 012c
    DirBase: 6c096000  ObjectTable: fffff880082729b0  HandleCount: 311.
    Image: taskeng.exe

PROCESS fffffa80055b32c0
    SessionId: 2  Cid: 0990    Peb: 7fffffdb000  ParentCid: 0194
    DirBase: 6e1db000  ObjectTable: fffff880092f70d0  HandleCount:  76.
    Image: dwm.exe

PROCESS fffffa800521ac10
    SessionId: 2  Cid: 0458    Peb: 7fffffd6000  ParentCid: 0840
    DirBase: 6f1d2000  ObjectTable: fffff8800a00f580  HandleCount: 644.
    Image: explorer.exe
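The listing above only shows processes in dump order; as an added example (not code from the book or from the original post), this Python script parses that `!process 0 0` format and rebuilds the parent/child tree from Cid and ParentCid, so the SCM chain (System, smss.exe, wininit.exe, services.exe, svchost.exe) and processes whose parent has already exited (csrss.exe and wininit.exe both carry ParentCid 01d4, which names no live process) stand out. The sample text is a shortened, constructed copy of the dump above with the DirBase lines dropped.

```python
import re

# Constructed sample in the '!process 0 0' layout (values from the dump above, DirBase lines omitted).
SAMPLE = """\
PROCESS fffffa8003bf1040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    Image: System

PROCESS fffffa8004710040
    SessionId: none  Cid: 019c    Peb: 7fffffdb000  ParentCid: 0004
    Image: smss.exe

PROCESS fffffa80047f5870
    SessionId: 0  Cid: 0238    Peb: 7fffffdf000  ParentCid: 01d4
    Image: wininit.exe

PROCESS fffffa800481b5e0
    SessionId: 0  Cid: 0280    Peb: 7fffffdf000  ParentCid: 0238
    Image: services.exe

PROCESS fffffa800429f2b0
    SessionId: 0  Cid: 0338    Peb: 7fffffdf000  ParentCid: 0280
    Image: svchost.exe
"""

def parse_process_dump(text):
    """Map Cid -> {image, session, parent, eprocess} from '!process 0 0' output."""
    procs = {}
    for chunk in re.split(r"^PROCESS\s+", text, flags=re.MULTILINE)[1:]:
        eprocess = chunk.split(None, 1)[0]          # EPROCESS address after 'PROCESS'
        f = dict(re.findall(r"(SessionId|Cid|ParentCid|Image):\s*(\S+)", chunk))
        procs[int(f["Cid"], 16)] = {"image": f["Image"], "session": f["SessionId"],
                                    "parent": int(f["ParentCid"], 16), "eprocess": eprocess}
    return procs

def orphan_parents(procs):
    """ParentCids naming no process in the dump: the parent (e.g. an smss.exe instance) already exited."""
    return sorted({p["parent"] for p in procs.values() if p["parent"] not in procs})

def process_tree(procs):
    """(depth, cid, image) rows in dump order, each process under its live parent."""
    rows = []
    def walk(cid, depth):
        rows.append((depth, cid, procs[cid]["image"]))
        for child, p in procs.items():
            if p["parent"] == cid:
                walk(child, depth + 1)
    for cid, p in procs.items():            # roots: processes whose parent is gone
        if p["parent"] not in procs:
            walk(cid, 0)
    return rows
```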

SvcctrlStartEvent_A3752DX and LSA_RPC_SERVER_ACTIVE (pp. 300 - 301) - this is how to check them:

lkd> !object \BaseNamedObjects
Object: fffff88007df3ab0  Type: (fffffa8003bacb00) Directory
    ObjectHeader: fffff88007df3a80 (old version)
    HandleCount: 32  PointerCount: 143
    Directory Object: fffff88000005d50  Name: BaseNamedObjects

    Hash Address          Type          Name
    ---- -------          ----          ----
[...]
       fffffa800482fa30 Event         SvcctrlStartEvent_A3752DX
[...]
       fffffa80048b33e0 Event         LSA_RPC_SERVER_ACTIVE
[...]
       fffffa8004858ed0 Event         SC_AutoStartComplete
[...]

lkd> dt -r _KEVENT fffffa80048b33e0
ntdll!_KEVENT
   +0x000 Header           : _DISPATCHER_HEADER
      +0x000 Type             : 0 ''
      +0x001 Abandoned        : 0 ''
      +0x001 Absolute         : 0 ''
      +0x001 NpxIrql          : 0 ''
      +0x001 Signalling       : 0 ''
      +0x002 Size             : 0x6 ''
      +0x002 Hand             : 0x6 ''
      +0x003 Inserted         : 0 ''
      +0x003 DebugActive      : 0 ''
      +0x003 DpcActive        : 0 ''
      +0x000 Lock             : 393216
   +0x004 SignalState      : 1
   +0x008 WaitListHead     : _LIST_ENTRY [ 0xfffffa80`048b33e8 - 0xfffffa80`048b33e8 ]

WM_DEVICECHANGE (p. 303)

Service startup (pp. 303 - 307) - I use this command to see what functions SvcCtrlMain potentially calls (we can then inspect the called function for its potential calls too):

lkd> .process /r /p fffffa800481b5e0
Implicit process is now fffffa80`0481b5e0

lkd> uf /c SvcCtrlMain
services!SvcctrlMain (00000000`ffe68d18)
  services!SvcctrlMain+0x2f (00000000`ffe68d47):
    call to kernel32!SetUnhandledExceptionFilter (00000000`77592c40)
  services!SvcctrlMain+0x3a (00000000`ffe68d52):
    call to kernel32!SetErrorMode (00000000`7758c740)
  services!SvcctrlMain+0x48 (00000000`ffe68d60):
    call to ntdll!RtlSetProcessIsCritical (00000000`77745f10)
  services!SvcctrlMain+0x58 (00000000`ffe68d70):
    call to kernel32!HeapSetInformation (00000000`7758f020)
  services!SvcctrlMain+0x7a (00000000`ffe68d92):
    call to services!ScStartTracingSession (00000000`ffe70920)
  services!SvcctrlMain+0x7f (00000000`ffe68d97):
    call to services!ScWriteLogHeader (00000000`ffe71178)
  services!SvcctrlMain+0x94 (00000000`ffe68dac):
    call to ntdll!NtOpenProcessToken (00000000`776e7c70)
  services!SvcctrlMain+0xb0 (00000000`ffe68dc8):
    call to services!ScRemoveProcessPrivileges (00000000`ffe6ff54)
  services!SvcctrlMain+0xf2 (00000000`ffe68e0a):
    call to ADVAPI32!RegOpenKeyExW (000007fe`fdd5ace8)
  services!SvcctrlMain+0x12c (00000000`ffe68e44):
    call to ADVAPI32!RegQueryValueExW (000007fe`fdd5a688)
  services!SvcctrlMain+0x152 (00000000`ffe68e57):
    call to ADVAPI32!RegCloseKey (000007fe`fdd5a7f0)
  services!SvcctrlMain+0x158 (00000000`ffe68e5d):
    call to services!ScInitTcpKeepAlive (00000000`ffe7000c)
  services!SvcctrlMain+0x164 (00000000`ffe68e69):
    call to kernel32!GetModuleHandleW (00000000`7759d860)
  services!SvcctrlMain+0x197 (00000000`ffe68e82):
    call to kernel32!GetProcAddress (00000000`7759d8a0)
  services!SvcctrlMain+0x1ea (00000000`ffe68eaa):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x201 (00000000`ffe68ec1):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x243 (00000000`ffe68ee4):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x282 (00000000`ffe68f04):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x299 (00000000`ffe68f1b):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x2db (00000000`ffe68f3e):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x308 (00000000`ffe68f4c):
    call to services!ScCreateWellKnownSids (00000000`ffe70130)
  services!SvcctrlMain+0x339 (00000000`ffe68f5e):
    call to services!ScCreateAutoStartEvent (00000000`ffe6fe48)
  services!SvcctrlMain+0x384 (00000000`ffe68f8a):
    call to services!ScRegOpenKeyExW (00000000`ffe626b0)
  services!SvcctrlMain+0x397 (00000000`ffe68fa1):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x426 (00000000`ffe68fbf):
    call to services!ScGetStartEvent (00000000`ffe6fc94)
  services!SvcctrlMain+0x452 (00000000`ffe68fcc):
    call to services!ScCreateScManagerObject (00000000`ffe70f40)
  services!SvcctrlMain+0x485 (00000000`ffe68fe0):
    call to ntdll!RtlGetNtProductType (00000000`776cee90)
  services!SvcctrlMain+0x4b3 (00000000`ffe68fef):
    call to services!ScCheckLastKnownGood (00000000`ffe6f8a4)
  services!SvcctrlMain+0x4df (00000000`ffe68ffc):
    call to services!ScGetComputerName (00000000`ffe6fbd8)
  services!SvcctrlMain+0x564 (00000000`ffe69062):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x571 (00000000`ffe6906f):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x57e (00000000`ffe6907c):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x584 (00000000`ffe69082):
    call to services!ScGenerateServiceDB (00000000`ffe70ca8)
  services!SvcctrlMain+0x5b7 (00000000`ffe69096):
    call to services!ScGetAccountDomainInfo (00000000`ffe6f36c)
  services!SvcctrlMain+0x617 (00000000`ffe690aa):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x61d (00000000`ffe690b0):
    call to services!ScInitTransactNamedPipe (00000000`ffe6e43c)
  services!SvcctrlMain+0x62c (00000000`ffe690bf):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x670 (00000000`ffe690e4):
    call to ADVAPI32!RegOpenKeyW (000007fe`fdd52550)
  services!SvcctrlMain+0x82b (00000000`ffe690f2):
    call to services!ScInitBSM (00000000`ffe6e58c)
  services!SvcctrlMain+0x83a (00000000`ffe69101):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x857 (00000000`ffe6911e):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x85d (00000000`ffe69124):
    call to kernel32!GetCurrentProcessId (00000000`7758cf10)
  services!SvcctrlMain+0x865 (00000000`ffe6912c):
    call to USER32!RegisterServicesProcess (00000000`774a1010)
  services!SvcctrlMain+0x89f (00000000`ffe69148):
    call to services!ScLockDatabase (00000000`ffe66244)
  services!SvcctrlMain+0x8da (00000000`ffe69155):
    call to services!ScEnableRpcInterface (00000000`ffe6e8c4)
  services!SvcctrlMain+0x923 (00000000`ffe6917f):
    call to services!WPP_SF_ (00000000`ffe62608)
  services!SvcctrlMain+0x931 (00000000`ffe6918d):
    call to kernel32!SetConsoleCtrlHandler (00000000`7758e660)
  services!SvcctrlMain+0x974 (00000000`ffe691a2):
    call to kernel32!SetProcessShutdownParameters (00000000`775e4e90)
  services!SvcctrlMain+0x9cd (00000000`ffe691cd):
    call to services!WPP_SF_ (00000000`ffe62608)
    call to services!ScesrvInitializeServer (00000000`ffe6ebe0)
  services!SvcctrlMain+0xa14 (00000000`ffe691e6):
    call to services!SvcStartRPCProxys (00000000`ffe6f510)
  services!SvcctrlMain+0xa19 (00000000`ffe691eb):
    call to services!InitNCEvents (00000000`ffe6f0d0)
  services!SvcctrlMain+0xa22 (00000000`ffe691f4):
    call to services!ScUpdateServiceSidCache (00000000`ffe6ecac)
  services!SvcctrlMain+0xa27 (00000000`ffe691f9):
    call to services!ScCheckAutostartEventsEnabled (00000000`ffe6eafc)
  services!SvcctrlMain+0xa34 (00000000`ffe69206):
    call to kernel32!SetEvent (00000000`77586840)
  services!SvcctrlMain+0xa70 (00000000`ffe69214):
    call to services!ScAutoStartServices (00000000`ffe6c820)
[…]

HKLM\S\CCS\C\W\NoInteractiveServices (p. 305)

HKLM\S\CCS\C\ServicesPipeTimeout (p. 306)

Delayed auto-start services (p. 307)

BootVerificationProgram (p. 309)

- Dmitry Vostokov @ SoftwareGeneralist.com -
