Software Generalist

Reading Notebook: 19-July-10

Thursday, July 22nd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Viewing the loaded driver list (pp. 546 - 547) - if we don’t see company information in lmv command output we can examine raw driver data like in this pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/16/crash-dump-analysis-patterns-part-22/

DriverEntry (p. 548) - consider this as similar to main (console) or WinMain (Win32). For example, if you are writing a Windows service you have to register certain functions with SCM.

Dispatch routines (p. 548) - if you know C++ consider them as class functions for a device object where DeviceObject is a this parameter (C++ class function implementation in C where an implicit this becomes the first function argument):

NTSTATUS (*PDRIVER_DISPATCH) (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

and a driver object can be seen as a container for a virtual function table (vtable) for a device object (purely from implementation perspective): devObj->DriverObject->MajorFunction[IRP_MJ_XXX]

Relationship between device and driver objects (pp. 553 - 554) - long time ago when I was preparing a presentation about Windows drivers for escalation engineers I created some UML diagrams you can see in the following blog post: http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/

AttachedDevice vs. AttachedTo (p.554)

File object structure and extension (pp. 556 - 557) - Here are driver, device and file object structures from x64 W2K8:

0: kd> dt _DRIVER_OBJECT ntdll!_DRIVER_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT +0x010 Flags : Uint4B +0x018 DriverStart : Ptr64 Void +0x020 DriverSize : Uint4B +0x028 DriverSection : Ptr64 Void +0x030 DriverExtension : Ptr64 _DRIVER_EXTENSION +0x038 DriverName : _UNICODE_STRING +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING +0x050 FastIoDispatch : Ptr64 _FAST_IO_DISPATCH +0x058 DriverInit : Ptr64 long +0x060 DriverStartIo : Ptr64 void +0x068 DriverUnload : Ptr64 void +0x070 MajorFunction : [28] Ptr64 long

0: kd> dt _DEVICE_OBJECT ntdll!_DEVICE_OBJECT +0x000 Type : Int2B +0x002 Size : Uint2B +0x004 ReferenceCount : Int4B +0x008 DriverObject : Ptr64 _DRIVER_OBJECT +0x010 NextDevice : Ptr64 _DEVICE_OBJECT +0x018 AttachedDevice : Ptr64 _DEVICE_OBJECT +0x020 CurrentIrp : Ptr64 _IRP +0x028 Timer : Ptr64 _IO_TIMER +0x030 Flags : Uint4B +0x034 Characteristics : Uint4B +0x038 Vpb : Ptr64 _VPB +0x040 DeviceExtension : Ptr64 Void +0x048 DeviceType : Uint4B +0x04c StackSize : Char +0x050 Queue : <unnamed-tag> +0x098 AlignmentRequirement : Uint4B +0x0a0 DeviceQueue : _KDEVICE_QUEUE +0x0c8 Dpc : _KDPC +0x108 ActiveThreadCount : Uint4B +0x110 SecurityDescriptor : Ptr64 Void +0x118 DeviceLock : _KEVENT +0x130 SectorSize : Uint2B +0x132 Spare1 : Uint2B +0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION +0x140 Reserved : Ptr64 Void

0: kd> dt _FILE_OBJECT ntdll!_FILE_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT +0x010 Vpb : Ptr64 _VPB +0x018 FsContext : Ptr64 Void +0x020 FsContext2 : Ptr64 Void +0x028 SectionObjectPointer : Ptr64 _SECTION_OBJECT_POINTERS +0x030 PrivateCacheMap : Ptr64 Void +0x038 FinalStatus : Int4B +0x040 RelatedFileObject : Ptr64 _FILE_OBJECT +0x048 LockOperation : UChar +0x049 DeletePending : UChar +0x04a ReadAccess : UChar +0x04b WriteAccess : UChar +0x04c DeleteAccess : UChar +0x04d SharedRead : UChar +0x04e SharedWrite : UChar +0x04f SharedDelete : UChar +0x050 Flags : Uint4B +0x058 FileName : _UNICODE_STRING +0x068 CurrentByteOffset : _LARGE_INTEGER +0x070 Waiters : Uint4B +0x074 Busy : Uint4B +0x078 LastLock : Ptr64 Void +0x080 Lock : _KEVENT +0x098 Event : _KEVENT +0x0b0 CompletionContext : Ptr64 _IO_COMPLETION_CONTEXT +0x0b8 IrpListLock : Uint8B +0x0c0 IrpList : _LIST_ENTRY +0x0d0 FileObjectExtension : Ptr64 Void

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 12-July-10

Monday, July 12th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

File and registry virtualization is for 32-bit apps only (p. 522)

Files (as locations) with executable extensions are excluded from virtualization (p. 524)

luafv.sys - filesystem virtualization driver (pp. 524 - 525)

\Users\<user>\AppData\Local\VirtualStore\Windows\*.* (p. 525)

Admin Approval Mode, over-the-shoulder and consent elevations (p. 529)

appinfo.dll -> consent.exe (p. 529)

Process reparenting (p. 531)

Running regedt32.exe to get virtualized registry view (p. 533)

Typical I/O request flow (pp. 540 - 541) - here is a stack trace example from x64 Windows for a remote file request that reaches network drivers (some irrelevant 3rd-party filter drivers like antivirus were skipped):

Child-SP RetAddr Call Site fffffadf`25d92ff0 fffffadf`28ec5b97 NetworkCardVendor!send_packet+0x33c fffffadf`25d93250 fffffadf`28ec5903 NDIS!ndisMProcessSGList+0x8e fffffadf`25d932e0 fffffadf`28e85618 NDIS!ndisMAllocSGList+0x17c fffffadf`25d933a0 fffffadf`26ab57c4 NDIS!ndisMSendX+0x21e fffffadf`25d934d0 fffffadf`26ab5999 tcpip!ARPSendData+0x23a fffffadf`25d93540 fffffadf`26ab20ea tcpip!ARPTransmit+0x151 fffffadf`25d935d0 fffffadf`26aaecad tcpip!IPTransmit+0xaf5 fffffadf`25d93850 fffffadf`26aa94c6 tcpip!TCPSend+0x8d5 fffffadf`25d93930 fffffadf`26aafa8c tcpip!TdiSend+0x344 fffffadf`25d939a0 fffffadf`26a4085c tcpip!TCPSendData+0xee fffffadf`25d93a00 fffffadf`26a4845b netbt!NTSend+0x227 fffffadf`25d93ac0 fffffadf`269a546d netbt!NbtDispatchInternalCtrl+0x38 fffffadf`25d93c50 fffffadf`269cea18 rdbss!RxTdiSend+0x1a2 fffffadf`25d93cf0 fffffadf`2693efcf rdbss!RxCeSend+0x98 fffffadf`25d93d80 fffffadf`268d82fd mrxsmb!VctTranceive+0xa6 fffffadf`25d93de0 fffffadf`2693fea9 mrxsmb!SmbCeTranceive+0x483 fffffadf`25d93e70 fffffadf`2693e94b mrxsmb!SmbTransactExchangeStart+0x558 fffffadf`25d93f20 fffffadf`26940abf mrxsmb!SmbCeInitiateExchange+0x2fd fffffadf`25d93f70 fffffadf`26940c5b mrxsmb!SmbCeSubmitTransactionRequest+0x148 fffffadf`25d93fe0 fffffadf`269412e0 mrxsmb!_SmbCeTransact+0x1a1 fffffadf`25d940c0 fffffadf`26941625 mrxsmb!MRxSmbQueryFileInformation+0x811 fffffadf`25d94220 fffffadf`26941dfa mrxsmb!MRxSmbQueryFileInformationFromPseudoOpen+0x116 fffffadf`25d94260 fffffadf`2693e94b mrxsmb!SmbPseExchangeStart_Create+0x2da fffffadf`25d94300 fffffadf`2693f50c mrxsmb!SmbCeInitiateExchange+0x2fd fffffadf`25d94350 fffffadf`269cc4c1 mrxsmb!MRxSmbCreate+0x5d6 fffffadf`25d94430 fffffadf`269cc730 rdbss!RxCollapseOrCreateSrvOpen+0x154 fffffadf`25d944d0 fffffadf`269c7a92 rdbss!RxCreateFromNetRoot+0x399 fffffadf`25d94570 fffffadf`269a2a77 rdbss!RxCommonCreate+0x49a fffffadf`25d94680 fffffadf`269343e8 rdbss!RxFsdCommonDispatch+0x51c fffffadf`25d94780 fffffadf`290bfdb3 mrxsmb!MRxSmbFsdDispatch+0x211 fffffadf`25d947d0 fffffadf`290bfdb3 fltmgr!FltpCreate+0x353 [...] fffffadf`25d98460 fffff800`012840b4 nt!IopParseDevice+0x1088 fffffadf`25d98610 fffff800`012887d7 nt!ObpLookupObjectName+0x931 fffffadf`25d98720 fffff800`01295dad nt!ObOpenObjectByName+0x180 fffffadf`25d98910 fffff800`0129cd87 nt!IopCreateFile+0x630 fffffadf`25d98aa0 fffff800`012987f9 nt!IoCreateFile+0x12f fffffadf`25d98b80 fffff800`0102e5fd nt!NtOpenFile+0x49 fffffadf`25d98c00 00000000`77ef0d1a nt!KiSystemServiceCopyEnd+0x3 00000000`000ac568 00000000`77d6f7c9 ntdll!NtCreateFile+0xa 00000000`000ac570 000007ff`7fd535c3 kernel32!CreateFileW+0x511

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 16-June-10

Friday, June 18th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Local security policy audit (pp. 511 - 512) - I used in the past to recommend process audit to track process launch sequences for debugging purposes

Access tokens have separate ACL (pp. 512 - 513)

MSV1_0 - local authentication package (p. 513)

Default credential providers authui.dll amd SmartcardCredentialProvider.dll (p. 514) - Here are stack traces from x64 LogonUI.exe:

THREAD fffffa8013dde9d0 Cid 0238.04f8 Teb: 000007fffffd7000 Win32Thread: fffff900c0679d50 WAIT: (UserRequest) UserMode Non-Alertable fffffa8013ddee60 SynchronizationEvent fffffa8013dde810 SynchronizationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa80296ecae0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 26019 Ticks: 402642 (0:01:44:41.255) Context Switch Count 170 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.046 Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefc6d151c) Stack Init fffffa6008efadb0 Current fffffa6008efa230 Base fffffa6008efb000 Limit fffffa6008ef5000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`08efa270 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`08efa3b0 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`08efa420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb fffffa60`08efa4a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e fffffa60`08efa960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2 fffffa60`08efabb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`08efac20) 00000000`0211f978 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa 00000000`0211f980 00000000`777ce2b5 kernel32!WaitForMultipleObjectsEx+0x10b 00000000`0211fa90 00000000`777ce32e USER32!RealMsgWaitForMultipleObjectsEx+0x129 00000000`0211fb30 000007fe`fe4fb196 USER32!MsgWaitForMultipleObjectsEx+0x46 00000000`0211fb70 000007fe`fe608d42 ole32!CCliModalLoop::BlockFn+0xb6 00000000`0211fbb0 000007fe`fc6d07ad ole32!CoWaitForMultipleHandles+0x102 00000000`0211fcb0 000007fe`fc6d15d4 authui!InternalCoWaitForSingleHandle+0x31 00000000`0211fcf0 000007fe`fc6d1525 authui!CCredentialProviderThread::_vThreadProc+0xa0 00000000`0211fd30 00000000`7769be3d authui!CCredentialProviderThread::_sThreadProc+0x9 00000000`0211fd60 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd 00000000`0211fd90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8013e48060 Cid 0238.0610 Teb: 000007fffffa0000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa8013e4ab50 NotificationEvent fffffa8013e425b0 SynchronizationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa80296ecae0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 13245 Ticks: 415416 (0:01:48:00.531) Context Switch Count 29 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007fefc481db0) Stack Init fffffa6009181db0 Current fffffa6009181230 Base fffffa6009182000 Limit fffffa600917c000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`09181270 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`091813b0 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`09181420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb fffffa60`091814a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e fffffa60`09181960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2 fffffa60`09181bb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`09181c20) 00000000`045efa48 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa 00000000`045efa50 00000000`77691aa1 kernel32!WaitForMultipleObjectsEx+0x10b 00000000`045efb60 000007fe`fc4819bb kernel32!WaitForMultipleObjects+0x11 00000000`045efba0 000007fe`fc481de1 SmartcardCredentialProvider!I_ReaderMonitorWorker+0x8f 00000000`045efc30 00000000`7769be3d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0x31 00000000`045efc70 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd 00000000`045efca0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Win32k.sys sends keyboard messages to LogonUI.exe via RPC (p. 514)

Secondary authentication providers in LogonUI.exe, SSON (p. 515)

wininit.exe is for session 0 legacy GUI processes (p. 516)

Raw input thread (p. 516) - here’re 3 kinds of csrss.exe (different IRPs):

session 0 (no IRP)

THREAD fffffa8013a7d980 Cid 02ec.0338 Teb: 000007fffffae000 Win32Thread: fffff900c00da010 WAIT: (WrUserRequest) KernelMode Alertable fffffa8013665d00 SynchronizationEvent fffffa8013037df0 NotificationTimer fffffa8013665c80 SynchronizationTimer fffff80001bb9f60 NotificationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa8029668710 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428616 Ticks: 45 (0:00:00:00.702) Context Switch Count 317 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x000007fefde7c3b0) Stack Init fffffa6002c33db0 Current fffffa6002c33890 Base fffffa6002c34000 Limit fffffa6002c2e000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`02c338d0 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`02c33a10 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`02c33a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0x2eb fffffa60`02c33b00 fffff960`00068317 win32k!RawInputThread+0x79c fffffa60`02c33bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0x67 fffffa60`02c33bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0x36 fffffa60`02c33c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`02c33c20) 00000000`002afd98 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`002afda0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0x19 00000000`002afdd0 00000000`00000000 ntdll!RtlUserThreadStart+0x29

session 1 (console, keyboard IRP)

THREAD fffffa80296821d0 Cid 0324.0370 Teb: 000007fffffd3000 Win32Thread: fffff900c00e33b0 WAIT: (WrUserRequest) KernelMode Alertable fffffa80137c6430 SynchronizationEvent fffffa802967fc30 NotificationTimer fffffa8029680360 SynchronizationTimer fffffa802967f970 SynchronizationEvent IRP List: fffffa802968b2e0: (0006,03a0) Flags: 00060970 Mdl: 00000000 fffffa802960d4c0: (0006,03a0) Flags: 00060970 Mdl: 00000000 fffffa8012ec7470: (0006,03a0) Flags: 00060970 Mdl: 00000000 Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa8029672c10 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428605 Ticks: 56 (0:00:00:00.873) Context Switch Count 24934 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0×000007fefde7c3b0) Stack Init fffffa6008bd0db0 Current fffffa6008bd0890 Base fffffa6008bd1000 Limit fffffa6008bcb000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`08bd08d0 fffff800`01a6b9fa nt!KiSwapContext+0×7f fffffa60`08bd0a10 fffff800`01a712db nt!KiSwapThread+0×13a fffffa60`08bd0a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0×2eb fffffa60`08bd0b00 fffff960`00068317 win32k!RawInputThread+0×79c fffffa60`08bd0bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0×67 fffffa60`08bd0bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0×36 fffffa60`08bd0c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`08bd0c20) 00000000`014afab8 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`014afac0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0×19 00000000`014afaf0 00000000`00000000 ntdll!RtlUserThreadStart+0×29

15: kd> !irp fffffa802968b2e0 Irp is active with 7 stacks 7 is current (= 0xfffffa802968b560) No Mdl: System buffer=fffffa8029688790: Thread fffffa80296821d0: Irp stack trace.� cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa8013703ce0 fffffa8029687670 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa802960d4c0 Irp is active with 10 stacks 10 is current (= 0xfffffa802960d818) No Mdl: System buffer=fffffa8029681010: Thread fffffa80296821d0: Irp stack trace.� cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa801392ace0 fffffa8029686880 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa8012ec7470 Irp is active with 3 stacks 3 is current (= 0xfffffa8012ec75d0) No Mdl: System buffer=fffffa8029687010: Thread fffffa80296821d0: Irp stack trace.� cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa8013722060 fffffa8029680200 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

session N (terminal services, termdd IRP)

THREAD fffffa80168fbac0 Cid 175c.533c Teb: 000007fffffae000 Win32Thread: fffff900c018d010 WAIT: (WrUserRequest) KernelMode Alertable fffffa8015355e70 SynchronizationEvent fffffa8016442950 NotificationTimer fffffa80156f9f70 SynchronizationTimer fffffa8016967a50 SynchronizationEvent IRP List: fffffa801501ba30: (0006,0118) Flags: 00060900 Mdl: 00000000 Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa802b33ac10 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428641 Ticks: 20 (0:00:00:00.312) Context Switch Count 32238 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.218 Win32 Start Address winsrv!StartCreateSystemThreads (0×000007fefde7c3b0) Stack Init fffffa601ccdbdb0 Current fffffa601ccdb890 Base fffffa601ccdc000 Limit fffffa601ccd6000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`1ccdb8d0 fffff800`01a6b9fa nt!KiSwapContext+0×7f fffffa60`1ccdba10 fffff800`01a712db nt!KiSwapThread+0×13a fffffa60`1ccdba80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0×2eb fffffa60`1ccdbb00 fffff960`00068317 win32k!RawInputThread+0×79c fffffa60`1ccdbbc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0×67 fffffa60`1ccdbbf0 fffff800`01a69233 win32k!NtUserCallNoParam+0×36 fffffa60`1ccdbc20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`1ccdbc20) 00000000`0137f878 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`0137f880 00000000`778e2f6c winsrv!StartCreateSystemThreads+0×19 00000000`0137f8b0 00000000`00000000 ntdll!RtlUserThreadStart+0×29

15: kd> !irp fffffa801501ba30 Irp is active with 1 stacks 1 is current (= 0xfffffa801501bb00) No Mdl: No System Buffer: Thread fffffa80168fbac0: Irp stack trace.� cmd flg cl Device File Completion-Context >[ 3, 0] 0 1 fffffa801370adb0 fffffa801705ef20 00000000-00000000 pending \Driver\TermDD Args: 00000078 00000000 00000000 00000000

Half-hash caching of passwords (p. 517)

logonsessions tool (pp. 519 - 520)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 31-May-10

Monday, May 31st, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Objects vs. account attributes, privilege vs. account right (p. 501)

NtRaiseHardError requires SeShutdownPrivilege (p. 508)

firmware environment variables (p. 508) - some more info: http://msdn.microsoft.com/en-us/library/ms724325(VS.85).aspx

Implication of Bypass Traverse Checking (SeNotifyPrivilege) (p. 509)

Elevated priviliges don’t extend past machine boundaries (p. 510)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 26-May-10

Thursday, May 27th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Explicit ACE are ahead of inherited (p. 491)

Differences of inheritable ACE propagation AD objects (p. 491)

Ntmarta.dll: security inheritance support DLL (p. 492)

SeAccessCheck optimization: integrity check -> DACL check (p. 492)

Low and medium integrity processes can read high integrity objects (p. 493)

UIPI safe messages, shatter attacks, blocked (journal) hooks (pp. 493 - 494)

Owner Rights SID (pp. 495 - 496)

Importance of ACE ordering (pp. 497 - 498)

Security editors place Deny ACE on top, Advanced Settings and Effective Permissions (pp. 498 - 500)

AuthZ API: security model in user mode (pp. 500 - 501)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 25-May-10

Tuesday, May 25th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

No share access for impersonation: we need logon (p. 481)

S(ecure)QOS levels, SECURITY_CONTEXT_TRACKING (p. 482)

Integrity Level (client) <= Integrity Level (server) (pp. 482 - 483)

Restricted tokens -> filtered admin tokens (logon as admin with UAC) (pp. 483 - 484)

Callback, allowed(denied)-object (GUID-based for AD) ACEs (p. 487)

No DACL: full access, empty DACL: no access (p. 487)

System audit-object ACEs (p. 488)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 24-May-10

Monday, May 24th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Process integrity levels as SIDs (pp. 464 - 465)

Protected mode IE startup sequence (pp. 467 - 470) - ieuser.exe might block several iexplore.exe instances: http://www.dumpanalysis.org/blog/index.php/2009/02/11/stack-trace-collection-blocked-thread-and-coupled-processes-pattern-cooperation/

Integrity levels and mandatory policies for objects (pp. 471- 473)

Many faces of an Administrator, filtered admin tokens (p. 474)

CreateProcessWithLogonW (p. 474)

The token source field (p. 476)

Token authentication and modified IDs (pp. 476 - 477) - token structure from x64 Windows Server R2:

0: kd> dt _TOKEN nt!_TOKEN +0x000 TokenSource : _TOKEN_SOURCE +0x010 TokenId : _LUID +0x018 AuthenticationId : _LUID +0x020 ParentTokenId : _LUID +0x028 ExpirationTime : _LARGE_INTEGER +0x030 TokenLock : Ptr64 _ERESOURCE +0x038 ModifiedId : _LUID +0x040 Privileges : _SEP_TOKEN_PRIVILEGES +0x058 AuditPolicy : _SEP_AUDIT_POLICY +0x074 SessionId : Uint4B +0x078 UserAndGroupCount : Uint4B +0x07c RestrictedSidCount : Uint4B +0x080 VariableLength : Uint4B +0x084 DynamicCharged : Uint4B +0x088 DynamicAvailable : Uint4B +0x08c DefaultOwnerIndex : Uint4B +0x090 UserAndGroups : Ptr64 _SID_AND_ATTRIBUTES +0x098 RestrictedSids : Ptr64 _SID_AND_ATTRIBUTES +0x0a0 PrimaryGroup : Ptr64 Void +0x0a8 DynamicPart : Ptr64 Uint4B +0x0b0 DefaultDacl : Ptr64 _ACL +0x0b8 TokenType : _TOKEN_TYPE +0x0bc ImpersonationLevel : _SECURITY_IMPERSONATION_LEVEL +0x0c0 TokenFlags : Uint4B +0x0c4 TokenInUse : UChar +0x0c8 IntegrityLevelIndex : Uint4B +0x0cc MandatoryPolicy : Uint4B +0x0d0 LogonSession : Ptr64 _SEP_LOGON_SESSION_REFERENCES +0x0d8 OriginatingLogonSession : _LUID +0x0e0 SidHash : _SID_AND_ATTRIBUTES_HASH +0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH +0x300 pSecurityAttributes : Ptr64 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION +0x308 VariablePart : Uint8B

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 12-May-10

Thursday, May 13th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SAS -> winlogon.exe starts LogonUI.exe (p. 455) - Here are winlogon.exe threads on x64 W2K8 R2 before SAS:

THREAD fffffa8003cf7060 Cid 01d0.01d4 Teb: 000007fffffdd000 Win32Thread: fffff900c00df900 WAIT: (UserRequest) UserMode Non-Alertable fffffa8004991c90 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 8831 Ticks: 21731 (0:00:05:39.005) Context Switch Count 424 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff36ec08) Stack Init fffff88003595db0 Current fffff88003595900 Base fffff88003596000 Limit fffff8800358c000 Call 0 Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffff880`03595940 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`03595a80 fffff800`01ac58af nt!KiCommitThreadWait+0x1d2 fffff880`03595b10 fffff800`01db7db2 nt!KeWaitForSingleObject+0x19f fffff880`03595bb0 fffff800`01abb853 nt!NtWaitForSingleObject+0xb2 fffff880`03595c20 00000000`77bafefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03595c20) 00000000`0018f778 000007fe`fdc910ac ntdll!NtWaitForSingleObject+0xa 00000000`0018f780 00000000`ff3619ad KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0018f820 00000000`ff3616e8 winlogon!SignalManagerWaitForSignal+0x135 00000000`0018f860 00000000`ff36b8b0 winlogon!StateMachineRun+0x404 00000000`0018fb80 00000000`ff36ed85 winlogon!WinMain+0x13a3 00000000`0018fcf0 00000000`77a5f56d winlogon!I_WMsgkSendMessage+0x252 00000000`0018fdb0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`0018fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800498a060 Cid 01d0.0320 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa800497bef0 SynchronizationTimer fffffa8004988060 SynchronizationTimer fffffa8004bfe2a0 NotificationEvent fffffa8003c783b0 SynchronizationEvent fffffa8003c78310 SynchronizationEvent fffffa8003c78450 SynchronizationEvent fffffa80049894c0 SynchronizationTimer Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 19271 Ticks: 11291 (0:00:02:56.140) Context Switch Count 16 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000077b79a90) Stack Init fffff88004006db0 Current fffff88004005fd0 Base fffff88004007000 Limit fffff88004001000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`04006010 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`04006150 fffff800`01abfc4b nt!KiCommitThreadWait+0x1d2 fffff880`040061e0 fffff800`01db8ecf nt!KeWaitForMultipleObjects+0x271 fffff880`04006490 fffff800`01db97d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04006960 fffff800`01abb853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04006bb0 00000000`77bb046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04006c20) 00000000`0139f848 00000000`77b79bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`0139f850 00000000`77a5f56d ntdll!TppWaiterpThread+0x14d 00000000`0139faf0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`0139fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8004ed7060 Cid 01d0.0a58 Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa800489ac20 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 27861 Ticks: 2701 (0:00:00:42.135) Context Switch Count 4 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000077b78f00) Stack Init fffff88003555db0 Current fffff880035557d0 Base fffff88003556000 Limit fffff88003550000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`03555810 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`03555950 fffff800`01ac71c1 nt!KiCommitThreadWait+0x1d2 fffff880`035559e0 fffff800`01db89d7 nt!KeRemoveQueueEx+0x301 fffff880`03555a90 fffff800`01acc996 nt!IoRemoveIoCompletion+0x47 fffff880`03555b20 fffff800`01abb853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`03555c20 00000000`77bb17ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03555c20) 00000000`00dcfa18 00000000`77b7914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`00dcfa20 00000000`77a5f56d ntdll!TppWorkerThread+0x2c9 00000000`00dcfd20 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`00dcfd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Here are main threads from both processes on x64 W2K8 R2 after SAS (I brought change password dialog):

THREAD fffffa8004888770 Cid 01c0.01c4 Teb: 000007fffffde000 Win32Thread: fffff900c00d9c30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80049c25c0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 3202 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.218 Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffc2ec08) Stack Init fffff880031acdb0 Current fffff880031ac900 Base fffff880031ad000 Limit fffff880031a7000 Call 0 Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`031ac940 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`031aca80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2 fffff880`031acb10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f fffff880`031acbb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2 fffff880`031acc20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`031acc20) 00000000`0023f398 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa 00000000`0023f3a0 00000000`ffc219ad KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0023f440 00000000`ffc216e8 winlogon!SignalManagerWaitForSignal+0x135 00000000`0023f480 00000000`ffc2b8b0 winlogon!StateMachineRun+0x404 00000000`0023f7a0 00000000`ffc2ed85 winlogon!WinMain+0x13a3 00000000`0023f910 00000000`76bdf56d winlogon!I_WMsgkSendMessage+0x252 00000000`0023f9d0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0023fa00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80049ba060 Cid 01c0.0304 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa80049b87e0 SynchronizationTimer fffffa80049b4650 SynchronizationTimer fffffa8004e81e20 NotificationEvent fffffa8004edcbf0 SynchronizationEvent fffffa8004edcb50 SynchronizationEvent fffffa8004edcc90 SynchronizationEvent fffffa80049b8670 SynchronizationTimer Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34428081 Ticks: 238645 (0:01:02:02.885) Context Switch Count 175 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90) Stack Init fffff88004193db0 Current fffff88004192fd0 Base fffff88004194000 Limit fffff8800418e000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffff880`04193010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`04193150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`041931e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`04193490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04193960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04193bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04193c20) 00000000`00d2fb38 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`00d2fb40 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d 00000000`00d2fde0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`00d2fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005b8e810 Cid 01c0.12d4 Teb: 000007fffffdc000 Win32Thread: fffff900c37a6250 WAIT: (WrLpcReply) UserMode Non-Alertable fffffa8005b8ebd0 Semaphore Limit 0x1 Waiting for reply to ALPC Message fffff8a00c87e750 : queued at port fffffa800661ec60 : owned by process fffffa8005f442b0 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 150 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00) Stack Init fffff88006c8edb0 Current fffff88006c8e620 Base fffff88006c8f000 Limit fffff88006c87000 Call 0 Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`06c8e660 fffff800`01ad6752 nt!KiSwapContext+0×7a fffff880`06c8e7a0 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2 fffff880`06c8e830 fffff800`01aedbef nt!KeWaitForSingleObject+0×19f fffff880`06c8e8d0 fffff800`01dd6a36 nt!AlpcpSignalAndWait+0×8f fffff880`06c8e980 fffff800`01dd49c0 nt!AlpcpReceiveSynchronousReply+0×46 fffff880`06c8e9e0 fffff800`01dd1f3b nt!AlpcpProcessSynchronousRequest+0×33d fffff880`06c8eb00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0×1ab fffff880`06c8ebb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`06c8ec20) 00000000`0103f298 000007fe`fea8aa76 ntdll!ZwAlpcSendWaitReceivePort+0xa 00000000`0103f2a0 000007fe`feb2cb64 RPCRT4!LRPC_CCALL::SendReceive+0×156 00000000`0103f360 000007fe`feb2cd55 RPCRT4!NdrpClientCall3+0×244 00000000`0103f620 00000000`ffc24979 RPCRT4!NdrClientCall3+0xf2 00000000`0103f9b0 00000000`ffc4e781 winlogon!WluiRequestCredentials+0×71 00000000`0103fa20 00000000`ffc21d04 winlogon!WLGeneric_Request_Change_Credz_Execute+0xa5 00000000`0103fa90 00000000`76df0fb4 winlogon!StateMachineWorkerCallback+0×7f 00000000`0103fac0 00000000`76df4b1f ntdll!TppWorkpExecuteCallback+0xa4 00000000`0103fb20 00000000`76bdf56d ntdll!TppWorkerThread+0×6c9 00000000`0103fe20 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0103fe50 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8006480640 Cid 01c0.131c Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa80042479a0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664380 Ticks: 2346 (0:00:00:36.597) Context Switch Count 2 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800715ddb0 Current fffff8800715d7d0 Base fffff8800715e000 Limit fffff88007158000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0715d810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0715d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0715d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0715da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0715db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0715dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0715dc20) 00000000`010bf908 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`010bf910 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`010bfc10 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`010bfc40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005916290 Cid 01c0.0c04 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa80042479a0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 3 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff88007126db0 Current fffff880071267d0 Base fffff88007127000 Limit fffff88007121000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`07126810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`07126950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`071269e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`07126a90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`07126b20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`07126c20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07126c20) 00000000`009cfaa8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`009cfab0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`009cfdb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`009cfde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

We now see the new thread fffffa8005b8e810 waiting for an ALPC message fffff8a00c87e750:

0: kd> !alpc /m fffff8a00c87e750

Message @ fffff8a00c87e750 MessageID : 0x0534 (1332) CallbackID : 0x14152C5 (21058245) SequenceNumber : 0x00000006 (6) Type : LPC_REQUEST DataLength : 0x0060 (96) TotalLength : 0x0088 (136) Canceled : No Release : No ReplyWaitReply : No Continuation : Yes OwnerPort : fffffa80065696c0 [ALPC_CLIENT_COMMUNICATION_PORT] WaitingThread : fffffa8005b8e810 QueueType : ALPC_MSGQUEUE_PENDING QueuePort : fffffa800661ec60 [ALPC_CONNECTION_PORT] QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe) ServerThread : fffffa8005a9b2a0 QuotaCharged : No CancelQueuePort : 0000000000000000 CancelSequencePort : 0000000000000000 CancelSequenceNumber : 0×00000000 (0) ClientContext : 00000000003f5b30 ServerContext : 0000000000000000 PortContext : 00000000015e2640 CancelPortContext : 0000000000000000 SecurityData : 0000000000000000 View : 0000000000000000

The server thread is ;”>fffffa8005a9b2a0 and is owned by LogonUI.exe. Here are all threads in that process where I highlighted credential providers:

THREAD fffffa8005f47b60 Cid 06d0.13e0 Teb: 000007fffffde000 Win32Thread: fffff900c1d6ec30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80065be260 SynchronizationEvent fffffa8005bf6240 SynchronizationEvent fffffa8005bcbc70 SynchronizationEvent fffffa80052a9dc0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34666693 Ticks: 33 (0:00:00:00.514) Context Switch Count 722 LargeStack UserTime 00:00:00.171 KernelTime 00:00:00.140 Win32 Start Address LogonUI!wWinMainCRTStartup (0x00000000ffb45c58) Stack Init fffff88004911db0 Current fffff88004910fd0 Base fffff88004912000 Limit fffff88004908000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`04911010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`04911150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`049111e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`04911490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04911960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04911bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04911c20) 00000000`001bf708 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`001bf710 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`001bf810 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`001bf8a0 000007fe`fae19ecd USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`001bf940 000007fe`fae19d8e DUser!CoreSC::DUIMsgWaitForMultipleObjectsEx+0x17c 00000000`001bf9f0 00000000`76cf9079 DUser!MphMsgWaitForMultipleObjectsEx+0x7a 00000000`001bfa30 000007fe`fb8e407b USER32!MsgWaitForMultipleObjectsEx+0x37 00000000`001bfa70 000007fe`fb8e4f6c authui!CLogonFrame::DoModal+0×67 00000000`001bfaf0 000007fe`fb8e50cf authui!CLogonUI_CreateThenDoModalThenDestroy+0×299 00000000`001bfb50 00000000`ffb454df authui!CLogonUI::DoModal+0×73 00000000`001bfb80 00000000`ffb45ae6 LogonUI!wWinMain+0xfb 00000000`001bfbe0 00000000`76bdf56d LogonUI!ParseCommandLineToStringArrayLocalAlloc+0×33a 00000000`001bfca0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`001bfcd0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8006595720 Cid 06d0.1158 Teb: 000007fffffdc000 Win32Thread: fffff900c35105f0 WAIT: (UserRequest) UserMode Non-Alertable fffffa8005cad160 SynchronizationEvent fffffa8005618d30 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664381 Ticks: 2345 (0:00:00:36.582) Context Switch Count 2 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address msvcrt!endthreadex (0x000007feff0573fc) Stack Init fffff88005638db0 Current fffff88005637fd0 Base fffff88005639000 Limit fffff88005632000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05638010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05638150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`056381e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`05638490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`05638960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`05638bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05638c20) 00000000`00eaf4d8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`00eaf4e0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`00eaf5e0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`00eaf670 000007fe`fae114e6 USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`00eaf710 000007fe`fae116b2 DUser!CoreSC::Wait+0x62 00000000`00eaf760 000007fe`fae205dd DUser!CoreSC::xwProcessNL+0xed 00000000`00eaf7d0 000007fe`fae20500 DUser!GetMessageExA+0x7b 00000000`00eaf820 000007fe`ff0542bf DUser!ResourceManager::SharedThreadProc+0xe8 00000000`00eaf8b0 000007fe`ff057459 msvcrt!endthreadex+0x47 00000000`00eaf8e0 00000000`76bdf56d msvcrt!endthreadex+0xe0 00000000`00eaf910 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`00eaf940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006646060 Cid 06d0.1174 Teb: 000007fffffda000 Win32Thread: fffff900c397bc30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80059522e0 SynchronizationEvent fffffa80061cf2d0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664855 Ticks: 1871 (0:00:00:29.187) Context Switch Count 101 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefb8e51c0) Stack Init fffff880057addb0 Current fffff880057acfd0 Base fffff880057ae000 Limit fffff880057a6000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`057ad010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`057ad150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`057ad1e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`057ad490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`057ad960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`057adbb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`057adc20) 00000000`02c5f9b8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`02c5f9c0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`02c5fac0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`02c5fb50 00000000`76cf905a USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`02c5fbf0 000007fe`febdb46a USER32!MsgWaitForMultipleObjectsEx+0x46 00000000`02c5fc30 000007fe`fecfa542 ole32!CCliModalLoop::BlockFn+0xc2 00000000`02c5fc80 000007fe`fb8e4bc1 ole32!CoWaitForMultipleHandles+0x102 00000000`02c5fd90 000007fe`fb8e4a4a authui!InternalCoWaitForSingleHandle+0×31 00000000`02c5fdd0 000007fe`fb8e51c9 authui!CCredentialProviderThread::_vThreadProc+0xbf 00000000`02c5fe10 00000000`76bdf56d authui!CCredentialProviderThread::_sThreadProc+0×9 00000000`02c5fe40 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02c5fe70 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8005a9b2a0 Cid 06d0.1248 Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable fffffa800559c800 NotificationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 12 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00) Stack Init fffff88005871db0 Current fffff88005871900 Base fffff88005872000 Limit fffff8800586b000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05871940 fffff800`01ad6752 nt!KiSwapContext+0×7a fffff880`05871a80 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2 fffff880`05871b10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0×19f fffff880`05871bb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2 fffff880`05871c20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`05871c20) 00000000`02aee898 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa 00000000`02aee8a0 000007fe`fb8e4586 KERNELBASE!WaitForSingleObjectEx+0×79 00000000`02aee940 000007fe`fb8e891c authui!InternalWaitForSingleObject+0×26 00000000`02aee980 000007fe`fb8e8ac4 authui!WPP_SF_qqddd+0×157d 00000000`02aee9e0 000007fe`fea7c7f5 authui!WluirRequestCredentials+0×44 00000000`02aeea20 000007fe`feb2b62e RPCRT4!Invoke+0×65 00000000`02aeeaa0 000007fe`fea74070 RPCRT4!Ndr64StubWorker+0×61b 00000000`02aef060 000007fe`fea79c24 RPCRT4!NdrServerCallAll+0×40 00000000`02aef0b0 000007fe`fea79d86 RPCRT4!DispatchToStubInCNoAvrf+0×14 00000000`02aef0e0 000007fe`fea7c44b RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×146 00000000`02aef200 000007fe`fea7c38b RPCRT4!RPC_INTERFACE::DispatchToStub+0×9b 00000000`02aef240 000007fe`fea7c322 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0×5b 00000000`02aef2c0 000007fe`fea7a11d RPCRT4!LRPC_SCALL::DispatchRequest+0×422 00000000`02aef3a0 000007fe`fea87ddf RPCRT4!LRPC_SCALL::HandleRequest+0×20d 00000000`02aef4d0 000007fe`fea87995 RPCRT4!LRPC_ADDRESS::ProcessIO+0×3bf 00000000`02aef610 00000000`76dfb43b RPCRT4!LrpcIoComplete+0xa5 00000000`02aef6a0 00000000`76df923f ntdll!TppAlpcpExecuteCallback+0×26b 00000000`02aef730 00000000`76bdf56d ntdll!TppWorkerThread+0×3f8 00000000`02aefa30 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02aefa60 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8005941a10 Cid 06d0.0f10 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa800663a9a0 SynchronizationTimer fffffa8005881650 SynchronizationTimer fffffa8006577ef0 SynchronizationTimer fffffa8005a93bd0 NotificationEvent fffffa80063f6450 SynchronizationEvent fffffa80058fe4c0 SynchronizationEvent fffffa80064c0290 SynchronizationEvent fffffa8004e49e90 NotificationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958) Context Switch Count 11 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90) Stack Init fffff88006946db0 Current fffff88006945fd0 Base fffff88006947000 Limit fffff88006941000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`06946010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`06946150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`069461e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`06946490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`06946960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`06946bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06946c20) 00000000`02dbf718 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`02dbf720 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d 00000000`02dbf9c0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02dbf9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80056de060 Cid 06d0.0ba8 Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8005f7d3e0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457) Context Switch Count 5 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800569ddb0 Current fffff8800569d7d0 Base fffff8800569e000 Limit fffff88005698000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0569d810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0569d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0569d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0569da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0569db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0569dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0569dc20) 00000000`035cfbb8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`035cfbc0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`035cfec0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`035cfef0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005ccfa10 Cid 06d0.03a0 Teb: 000007fffffd8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8005f7d3e0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664420 Ticks: 2306 (0:00:00:35.973) Context Switch Count 7 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800459bdb0 Current fffff8800459b7d0 Base fffff8800459c000 Limit fffff88004596000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0459b810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0459b950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0459b9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0459ba90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0459bb20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0459bc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0459bc20) 00000000`02e5f8c8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`02e5f8d0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`02e5fbd0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02e5fc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800662a800 Cid 06d0.0a54 Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable fffffa800662aad8 Semaphore Limit 0x2 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457) Context Switch Count 1 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x000007fefebf3570) Stack Init fffff8800568fdb0 Current fffff8800568f970 Base fffff88005690000 Limit fffff8800568a000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0568f9b0 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0568faf0 fffff800`01ad8e56 nt!KiCommitThreadWait+0x1d2 fffff880`0568fb80 fffff800`01dcacee nt!KeDelayExecutionThread+0x186 fffff880`0568fbf0 fffff800`01ace853 nt!NtDelayExecution+0x59 fffff880`0568fc20 00000000`76e301fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0568fc20) 00000000`0371fa68 000007fe`fd081203 ntdll!NtDelayExecution+0xa 00000000`0371fa70 000007fe`febeea00 KERNELBASE!SleepEx+0xab 00000000`0371fb10 000007fe`febf2046 ole32!CROIDTable::WorkerThreadLoop+0x10 00000000`0371fb40 000007fe`febf358a ole32!CRpcThread::WorkerLoop+0x1e 00000000`0371fb80 00000000`76bdf56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a 00000000`0371fbb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0371fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80063a4490 Cid 06d0.0ca0 Teb: 000007fffffa8000 Win32Thread: fffff900c1fffc30 WAIT: (WrLpcReceive) UserMode Non-Alertable fffffa80063a4850 Semaphore Limit 0x1 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664404 Ticks: 2322 (0:00:00:36.223) Context Switch Count 11 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address MSCTF!CCtfServerPort::StaticServerThread (0x000007fefe959274) Stack Init fffff88005b30db0 Current fffff88005b30750 Base fffff88005b31000 Limit fffff88005b2a000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05b30790 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05b308d0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2 fffff880`05b30960 fffff800`01dcf329 nt!KeWaitForSingleObject+0x19f fffff880`05b30a00 fffff800`01dd0a37 nt!AlpcpReceiveMessagePort+0x189 fffff880`05b30a60 fffff800`01dd1f76 nt!AlpcpReceiveMessage+0x2d4 fffff880`05b30b00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1e6 fffff880`05b30bb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b30c20) 00000000`0390e7b8 000007fe`fe9426a9 ntdll!ZwAlpcSendWaitReceivePort+0xa 00000000`0390e7c0 000007fe`fe959417 MSCTF!CCtfServerPort::ServerLoop+0x16c 00000000`0390f8e0 000007fe`fe959296 MSCTF!CCtfServerPort::ServerThread+0x15b 00000000`0390fc20 00000000`76bdf56d MSCTF!CCtfServerPort::StaticServerThread+0x28 00000000`0390fc50 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0390fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800489eb60 Cid 06d0.13b8 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa8005833be0 NotificationEvent fffffa8005a03ad0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958) Context Switch Count 19 � UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007feed747028) Stack Init fffff88005894db0 Current fffff88005893fd0 Base fffff88005895000 Limit fffff8800588f000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05894010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05894150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`058941e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`05894490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`05894960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`05894bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05894c20) 00000000`02d1f948 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`02d1f950 00000000`76bcf190 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`02d1fa50 000007fe`ed746b84 kernel32!WaitForMultipleObjects+0xb0 00000000`02d1fae0 000007fe`ed747059 SmartcardCredentialProvider!I_ReaderMonitorWorker+0×9c 00000000`02d1fb80 00000000`76bdf56d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0×31 00000000`02d1fbc0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02d1fbf0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

So according to memory dump analysis pattern terminology these 2 processes are strongly coupled and this fact can be used for analysis logon problems in terminal services environments: http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/

intrauser isolation (p. 459)

file object security (p. 460) - here is an example from x64 W2K8 R2:

0: kd> !handle [...] 0008: Object: fffffa800658e070 GrantedAccess: 00100020 Entry: fffff8a00445d020 Object: fffffa800658e070 Type: (fffffa8003c0dde0) File ObjectHeader: fffffa800658e040 (new version) HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \DL\Notmyfault\exe\x64\Release {HarddiskVolume2} […] 001c: Object: fffffa8005f44ee0 GrantedAccess: 001f0003 (Protected) Entry: fffff8a00445d070 Object: fffffa8005f44ee0 Type: (fffffa8003c00570) Event ObjectHeader: fffffa8005f44eb0 (new version) HandleCount: 1 PointerCount: 2 […]

0: kd> dt _OBJECT_TYPE fffffa8003c0dde0 ntdll!_OBJECT_TYPE +0x000 TypeList : _LIST_ENTRY [ 0xfffffa80`03c0dde0 - 0xfffffa80`03c0dde0 ] +0x010 Name : _UNICODE_STRING "File" +0x020 DefaultObject : 0x00000000`00000098 +0x028 Index : 0x1c '' +0x02c TotalNumberOfObjects : 0x5645 +0x030 TotalNumberOfHandles : 0x89e +0x034 HighWaterNumberOfObjects : 0x5baf +0x038 HighWaterNumberOfHandles : 0x8b5 +0×040 TypeInfo : _OBJECT_TYPE_INITIALIZER +0×0b0 TypeLock : _EX_PUSH_LOCK +0×0b8 Key : 0×656c6946 +0×0c0 CallbackList : _LIST_ENTRY [ 0xfffffa80`03c0dea0 - 0xfffffa80`03c0dea0 ]

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c0dde0+40 ntdll!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x70 +0x002 ObjectTypeFlags : 0x11 '' +0x002 CaseInsensitive : 0y1 +0x002 UnnamedObjectsOnly : 0y0 +0x002 UseDefaultObject : 0y0 +0x002 SecurityRequired : 0y0 +0x002 MaintainHandleCount : 0y1 +0x002 MaintainTypeList : 0y0 +0x002 SupportsObjectCallbacks : 0y0 +0x004 ObjectTypeCode : 1 +0x008 InvalidAttributes : 0x130 +0x00c GenericMapping : _GENERIC_MAPPING +0x01c ValidAccessMask : 0x1f01ff +0x020 RetainAccess : 0 +0x024 PoolType : 0 ( NonPagedPool ) +0x028 DefaultPagedPoolCharge : 0x400 +0x02c DefaultNonPagedPoolCharge : 0x180 +0x030 DumpProcedure : (null) +0x038 OpenProcedure : (null) +0x040 CloseProcedure : 0xfffff800`01de6890 void nt!IopCloseFile+0 +0x048 DeleteProcedure : 0xfffff800`01de6610 void nt!IopDeleteFile+0 +0x050 ParseProcedure : 0xfffff800`01df7370 long nt!IopParseFile+0 +0×058 SecurityProcedure : 0xfffff800`01db7130 long nt!IopGetSetSecurityObject+0 +0×060 QueryNameProcedure : 0xfffff800`01db7470 long nt!IopQueryName+0<> +0×068 OkayToCloseProcedure : (null)

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c00570+40 ntdll!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x70 +0x002 ObjectTypeFlags : 0 '' +0x002 CaseInsensitive : 0y0 +0x002 UnnamedObjectsOnly : 0y0 +0x002 UseDefaultObject : 0y0 +0x002 SecurityRequired : 0y0 +0x002 MaintainHandleCount : 0y0 +0x002 MaintainTypeList : 0y0 +0x002 SupportsObjectCallbacks : 0y0 +0x004 ObjectTypeCode : 2 +0x008 InvalidAttributes : 0x100 +0x00c GenericMapping : _GENERIC_MAPPING +0x01c ValidAccessMask : 0x1f0003 +0x020 RetainAccess : 0 +0x024 PoolType : 0 ( NonPagedPool ) +0x028 DefaultPagedPoolCharge : 0 +0x02c DefaultNonPagedPoolCharge : 0x70 +0x030 DumpProcedure : (null) +0x038 OpenProcedure : (null) +0x040 CloseProcedure : (null) +0x048 DeleteProcedure : (null) +0x050 ParseProcedure : (null) +0×058 SecurityProcedure : 0xfffff800`01d97070 long nt!SeDefaultObjectMethod+0 +0×060 QueryNameProcedure : (null) +0×068 OkayToCloseProcedure : (null)

SID = SVAS*-RID, S-Version-Authority-Subauthority*-RelativeID (pp. 461 - 462)

PsGetSid (p. 463)

Administrator SID = Machine SID + ‘-500′ (p. 463) - here’s my test (real computer name has been changed to COMPUTER):

C:\PsTools>PsGetSid COMPUTER

SID for COMPUTER\COMPUTER: S-1-5-21-30...49-19...94-15...96

C:\PsTools>PsGetSid S-1-5-21-30...49-19...94-15...96-500

Account for COMPUTER\S-1-5-21-30...49-19...94-15...96-500: User: COMPUTER\Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 09-April-10

Saturday, April 10th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Hard CPU limits per-session, -user and -system (pp. 444-445)

Security and user-interface limits on jobs (p. 447)

job objects (pp. 447 - 450) - we can dump all processes via !process 0 1 command and look for “Job ” in the output as on my x64 W2K8 system:

1: kd> !process 0 1

PROCESS fffffa8004e28c10 SessionId: 1 Cid: 0a70 Peb: 7fffffd8000 ParentCid: 09ec DirBase: 93cfb000 ObjectTable: fffff88008ec2a20 HandleCount: 405. Image: MSASCui.exe VadRoot fffffa8004de0390 Vads 106 Clone 0 Private 1932. Modified 352. Locked 0. DeviceMap fffff88008479c90 Token fffff88008edb060 ElapsedTime 00:03:15.554 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 197440 QuotaPoolUsage[NonPagedPool] 21728 Working Set Sizes (now,min,max) (3259, 50, 345) (13036KB, 200KB, 1380KB) PeakWorkingSetSize 3259 VirtualSize 96 Mb PeakVirtualSize 96 Mb PageFaultCount 5245 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 2214 Job fffffa80050f8860

PROCESS fffffa800511b260 SessionId: 1 Cid: 0a78 Peb: 7fffffd3000 ParentCid: 09ec DirBase: 93dcb000 ObjectTable: fffff880089d4ae0 HandleCount: 128. Image: wmdSync.exe VadRoot fffffa800511aba0 Vads 77 Clone 0 Private 436. Modified 0. Locked 0. DeviceMap fffff88008479c90 Token fffff88008ee1060 ElapsedTime 00:03:15.429 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 150088 QuotaPoolUsage[NonPagedPool] 7296 Working Set Sizes (now,min,max) (1554, 50, 345) (6216KB, 200KB, 1380KB) PeakWorkingSetSize 1558 VirtualSize 75 Mb PeakVirtualSize 76 Mb PageFaultCount 1643 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 584 Job fffffa80050f8860

PROCESS fffffa8005120a30 SessionId: 1 Cid: 0a88 Peb: 7efdf000 ParentCid: 09ec DirBase: 923cd000 ObjectTable: fffff88008e29560 HandleCount: 99. Image: daemon.exe VadRoot fffffa8004a8cba0 Vads 96 Clone 0 Private 843. Modified 0. Locked 0. DeviceMap fffff88008479c90 Token fffff88008eed730 ElapsedTime 00:03:14.976 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 175272 QuotaPoolUsage[NonPagedPool] 9024 Working Set Sizes (now,min,max) (2608, 50, 345) (10432KB, 200KB, 1380KB) PeakWorkingSetSize 2615 VirtualSize 92 Mb PeakVirtualSize 94 Mb PageFaultCount 3463 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 1397 Job fffffa80050f8860

PROCESS fffffa80051b5640 SessionId: 1 Cid: 0b98 Peb: 7efdf000 ParentCid: 09ec DirBase: 8e371000 ObjectTable: fffff8800910ced0 HandleCount: 59. Image: WZQKPICK.EXE VadRoot fffffa80051c1630 Vads 58 Clone 0 Private 215. Modified 0. Locked 0. DeviceMap fffff88008479c90 Token fffff8800910c860 ElapsedTime 00:03:00.903 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 123744 QuotaPoolUsage[NonPagedPool] 5376 Working Set Sizes (now,min,max) (1274, 50, 345) (5096KB, 200KB, 1380KB) PeakWorkingSetSize 1274 VirtualSize 62 Mb PeakVirtualSize 63 Mb PageFaultCount 1304 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 331 Job fffffa80050f8860

PROCESS fffffa800530e040 SessionId: 0 Cid: 0bcc Peb: 7fffffd6000 ParentCid: 0328 DirBase: 12c7cc000 ObjectTable: fffff880097c19e0 HandleCount: 193. Image: WmiPrvSE.exe VadRoot fffffa80053864c0 Vads 107 Clone 0 Private 766. Modified 0. Locked 0. DeviceMap fffff88007fe7530 Token fffff8800995f060 ElapsedTime 00:00:27.349 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 102888 QuotaPoolUsage[NonPagedPool] 10176 Working Set Sizes (now,min,max) (2338, 50, 345) (9352KB, 200KB, 1380KB) PeakWorkingSetSize 2338 VirtualSize 56 Mb PeakVirtualSize 56 Mb PageFaultCount 2724 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 1359 Job fffffa8004d71560

1: kd> !job fffffa8004d71560 Job at fffffa8004d71560 TotalPageFaultCount 0 TotalProcesses 1 ActiveProcesses 1 TotalTerminatedProcesses 0 LimitFlags 2b08 MinimumWorkingSetSize 0 MaximumWorkingSetSize 0 ActiveProcessLimit 20 PriorityClass 0 UIRestrictionsClass 0 SecurityLimitFlags 0 Token 0000000000000000

1: kd> !job fffffa80050f8860 Job at fffffa80050f8860 TotalPageFaultCount 0 TotalProcesses 4 ActiveProcesses 4 TotalTerminatedProcesses 0 LimitFlags 1000 MinimumWorkingSetSize 0 MaximumWorkingSetSize 0 ActiveProcessLimit 0 PriorityClass 0 UIRestrictionsClass 0 SecurityLimitFlags 0 Token 0000000000000000

1: kd> dt _EJOB fffffa80050f8860 nt!_EJOB +0x000 Event : _KEVENT +0x018 JobLinks : _LIST_ENTRY [ 0xfffff800`019c2450 - 0xfffffa80`04d71578 ] +0x028 ProcessListHead : _LIST_ENTRY [ 0xfffffa80`04e28e58 - 0xfffffa80`051b5888 ] +0x038 JobLock : _ERESOURCE +0x0a0 TotalUserTime : _LARGE_INTEGER 0x0 +0x0a8 TotalKernelTime : _LARGE_INTEGER 0x0 +0x0b0 ThisPeriodTotalUserTime : _LARGE_INTEGER 0x0 +0x0b8 ThisPeriodTotalKernelTime : _LARGE_INTEGER 0x0 +0x0c0 TotalPageFaultCount : 0 +0x0c4 TotalProcesses : 4 +0x0c8 ActiveProcesses : 4 +0x0cc TotalTerminatedProcesses : 0 +0x0d0 PerProcessUserTimeLimit : _LARGE_INTEGER 0x0 +0x0d8 PerJobUserTimeLimit : _LARGE_INTEGER 0x0 +0x0e0 LimitFlags : 0x1000 +0x0e8 MinimumWorkingSetSize : 0 +0x0f0 MaximumWorkingSetSize : 0 +0x0f8 ActiveProcessLimit : 0 +0x100 Affinity : 0 +0x108 PriorityClass : 0 '' +0x110 AccessState : (null) +0x118 UIRestrictionsClass : 0 +0x11c EndOfJobTimeAction : 0 +0x120 CompletionPort : (null) +0x128 CompletionKey : (null) +0x130 SessionId : 1 +0x134 SchedulingClass : 5 +0x138 ReadOperationCount : 0 +0x140 WriteOperationCount : 0 +0x148 OtherOperationCount : 0 +0x150 ReadTransferCount : 0 +0x158 WriteTransferCount : 0 +0x160 OtherTransferCount : 0 +0x168 ProcessMemoryLimit : 0 +0x170 JobMemoryLimit : 0 +0x178 PeakProcessMemoryUsed : 0x912 +0x180 PeakJobMemoryUsed : 0x11b3 +0x188 CurrentJobMemoryUsed : 0x11ae +0x190 MemoryLimitsLock : _EX_PUSH_LOCK +0x198 JobSetLinks : _LIST_ENTRY [ 0xfffffa80`050f89f8 - 0xfffffa80`050f89f8 ] +0x1a8 MemberLevel : 0 +0x1ac JobFlags : 1

C2 reqs: SLF - DAC - SAC - ORP (p. 452) - mnemonic to remember perhaps for security exams like CISSP

B reqs: TPF - TFM (p. 453)

Security targets and protection profiles (p. 453)

Advanced .NET Debugging by M. Hewardt:

type handle as a pointer to method table (p. 53) - I liked managed heap - execution engine boundary and propose this colored space diagram (will add this to Dictionary of Debugging soon as a tripartite “virtual” memory division) :

!DumpModule command (p. 57)

!U command (pp. 58 - 59)

!DumpMT command (p. 59)

!DumpMT -md to dump type method descriptors (p. 60)

!DumpMD command (p. 60)

m_CodeOrIL: 00920070 (p. 61) - the address looks like as UNICODE string but I belive this is just a coincidence, the false positive of Wild Pointer pattern: http://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Advanced .NET Debugging, Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 30-March-10

Saturday, April 3rd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

per-PRCB queued, system-wide dispatcher, system-wide context swap and per-thread spinlocks (pp. 434-435)

physical over logical processor preference for scheduling (p. 435)

!smt command (p. 436) - here is the putput from x64 machine (from the output we can infer the following relationship logical processor -> core -> physical processor):

1: kd> !smt SMT Summary: ------------ KeActiveProcessors: **-------------------------------------------------------------- (0000000000000003) KiIdleSummary: -*-------------------------------------------------------------- (0000000000000002) No PRCB SMT Set APIC Id 0 fffff80001991680 **-------------------------------------------------------------- (0000000000000003) 0x00000000 1 fffffa60005ec180 **-------------------------------------------------------------- (0000000000000003) 0x00000001

Maximum cores per physical processor: 2 Maximum logical processors per core: 1

NUMA (pp. 436 - 438) - I can see NUMA even on my small desktop system

1: kd> !numa NUMA Summary: ------------ Number of NUMA nodes : 1 Number of Processors : 2 MmAvailablePages : 0x000C7CB9 KeActiveProcessors : (3)

NODE 0 (FFFFF80001995640): ProcessorMask : (3) Color : 0x00000000 MmShiftedColor : 0x00000000 Seed : 0x00000001 Right : 0x00000000 Left : 0x00000001 Zeroed Page Count: 0x0000000000000000 Free Page Count : 0x0000000000000000

Thread affinity (pp. 438 - 440) - see also Affine Thread crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/06/27/crash-dump-analysis-patterns-part-68/

uniprocessor flag as a workaround for multithreading defects (p. 439)

Set(Query)ProcessAffinityUpdateMode and dynamic processor changes (p. 442)

choosing a processor (idle ideal -> idle current -> idle previous -> current -> ideal running less priority thread) (pp. 433 - 444)

no guarantee to run all highest priority threads vs. always runs the highest priority thread (p. 444)

Advanced .NET Debugging by M. Hewardt:

value vs. reference types (p. 42)

sosex!bpsc (p. 46)

per frame managed stack trace: !ClrStack -a (p. 46)

d* for simple local value types, !dumpobj for references, !dumpvc for value type fields (pp. 46 - 47)

sync blocks (pp. 49 - 52) - here is the output from my x64 test program:

0:000> !ClrStack -a OS Thread Id: 0x6e8 (0)

000000000013ed10 000007ff001ac709 System.IO.TextReader+SyncTextReader.ReadLine() PARAMETERS: this = 0x0000000002a2b568

0:000> !dumpobj 0x0000000002a2b568 Name: System.IO.TextReader+SyncTextReader MethodTable: 000007feee67bea8 EEClass: 000007feedb851e0 Size: 32(0x20) bytes (C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll) Fields: MT Field Offset Type VT Attr Value Name 000007feede86048 400018a 8 System.Object 0 instance 0000000000000000 __identity 000007feedecd198 4001c87 b18 System.IO.TextReader 0 shared static Null >> Domain:Value 0000000000220840:0000000002a2b060 << 000007feedecd198 4001c88 10 System.IO.TextReader 0 instance 0000000002a2af28 _in ThinLock owner 1 (0000000000000000), Recursive 0

0:000> dq 0x0000000002a2b568-8 00000000`02a2b560 00000001`00000000 000007fe`ee67bea8 00000000`02a2b570 00000000`00000000 00000000`02a2af28 00000000`02a2b580 00000000`00000000 00000000`00000000 00000000`02a2b590 00000000`00000000 00000000`00000000 00000000`02a2b5a0 00000000`00000000 00000000`00000000 00000000`02a2b5b0 00000000`00000000 00000000`00000000 00000000`02a2b5c0 00000000`00000000 00000000`00000000 00000000`02a2b5d0 00000000`00000000 00000000`00000000

0:000> !syncblk 1 Index SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner 1 0000000000259bf8 0 0 0000000000000000 none 0000000002a28030 System.EventHandler ----------------------------- Total 1 CCW 0 RCW 0 ComClassFactory 0 Free 0

thin sync blocks (p. 52)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Advanced .NET Debugging, Notes on Windows Internals, Reading Notebook | No Comments »

Archive for the ‘Notes on Windows Internals’ Category

Reading Notebook: 19-July-10

Reading Notebook: 12-July-10

Reading Notebook: 16-June-10

Reading Notebook: 31-May-10

Reading Notebook: 26-May-10

Reading Notebook: 25-May-10

Reading Notebook: 24-May-10

Reading Notebook: 12-May-10

Reading Notebook: 09-April-10

Reading Notebook: 30-March-10

Pages

Archives

Categories