Software Generalist

Reading Notebook: 25-May-10

Tuesday, May 25th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

No share access for impersonation: we need logon (p. 481)

S(ecure)QOS levels, SECURITY_CONTEXT_TRACKING (p. 482)

Integrity Level (client) <= Integrity Level (server) (pp. 482 - 483)

Restricted tokens -> filtered admin tokens (logon as admin with UAC) (pp. 483 - 484)

Callback, allowed(denied)-object (GUID-based for AD) ACEs (p. 487)

No DACL: full access, empty DACL: no access (p. 487)

System audit-object ACEs (p. 488)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 24-May-10

Monday, May 24th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Process integrity levels as SIDs (pp. 464 - 465)

Protected mode IE startup sequence (pp. 467 - 470) - ieuser.exe might block several iexplore.exe instances: http://www.dumpanalysis.org/blog/index.php/2009/02/11/stack-trace-collection-blocked-thread-and-coupled-processes-pattern-cooperation/

Integrity levels and mandatory policies for objects (pp. 471- 473)

Many faces of an Administrator, filtered admin tokens (p. 474)

CreateProcessWithLogonW (p. 474)

The token source field (p. 476)

Token authentication and modified IDs (pp. 476 - 477) - token structure from x64 Windows Server R2:

0: kd> dt _TOKEN nt!_TOKEN +0x000 TokenSource : _TOKEN_SOURCE +0x010 TokenId : _LUID +0x018 AuthenticationId : _LUID +0x020 ParentTokenId : _LUID +0x028 ExpirationTime : _LARGE_INTEGER +0x030 TokenLock : Ptr64 _ERESOURCE +0x038 ModifiedId : _LUID +0x040 Privileges : _SEP_TOKEN_PRIVILEGES +0x058 AuditPolicy : _SEP_AUDIT_POLICY +0x074 SessionId : Uint4B +0x078 UserAndGroupCount : Uint4B +0x07c RestrictedSidCount : Uint4B +0x080 VariableLength : Uint4B +0x084 DynamicCharged : Uint4B +0x088 DynamicAvailable : Uint4B +0x08c DefaultOwnerIndex : Uint4B +0x090 UserAndGroups : Ptr64 _SID_AND_ATTRIBUTES +0x098 RestrictedSids : Ptr64 _SID_AND_ATTRIBUTES +0x0a0 PrimaryGroup : Ptr64 Void +0x0a8 DynamicPart : Ptr64 Uint4B +0x0b0 DefaultDacl : Ptr64 _ACL +0x0b8 TokenType : _TOKEN_TYPE +0x0bc ImpersonationLevel : _SECURITY_IMPERSONATION_LEVEL +0x0c0 TokenFlags : Uint4B +0x0c4 TokenInUse : UChar +0x0c8 IntegrityLevelIndex : Uint4B +0x0cc MandatoryPolicy : Uint4B +0x0d0 LogonSession : Ptr64 _SEP_LOGON_SESSION_REFERENCES +0x0d8 OriginatingLogonSession : _LUID +0x0e0 SidHash : _SID_AND_ATTRIBUTES_HASH +0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH +0x300 pSecurityAttributes : Ptr64 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION +0x308 VariablePart : Uint8B

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 12-May-10

Thursday, May 13th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SAS -> winlogon.exe starts LogonUI.exe (p. 455) - Here are winlogon.exe threads on x64 W2K8 R2 before SAS:

THREAD fffffa8003cf7060 Cid 01d0.01d4 Teb: 000007fffffdd000 Win32Thread: fffff900c00df900 WAIT: (UserRequest) UserMode Non-Alertable fffffa8004991c90 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 8831 Ticks: 21731 (0:00:05:39.005) Context Switch Count 424 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff36ec08) Stack Init fffff88003595db0 Current fffff88003595900 Base fffff88003596000 Limit fffff8800358c000 Call 0 Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffff880`03595940 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`03595a80 fffff800`01ac58af nt!KiCommitThreadWait+0x1d2 fffff880`03595b10 fffff800`01db7db2 nt!KeWaitForSingleObject+0x19f fffff880`03595bb0 fffff800`01abb853 nt!NtWaitForSingleObject+0xb2 fffff880`03595c20 00000000`77bafefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03595c20) 00000000`0018f778 000007fe`fdc910ac ntdll!NtWaitForSingleObject+0xa 00000000`0018f780 00000000`ff3619ad KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0018f820 00000000`ff3616e8 winlogon!SignalManagerWaitForSignal+0x135 00000000`0018f860 00000000`ff36b8b0 winlogon!StateMachineRun+0x404 00000000`0018fb80 00000000`ff36ed85 winlogon!WinMain+0x13a3 00000000`0018fcf0 00000000`77a5f56d winlogon!I_WMsgkSendMessage+0x252 00000000`0018fdb0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`0018fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800498a060 Cid 01d0.0320 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa800497bef0 SynchronizationTimer fffffa8004988060 SynchronizationTimer fffffa8004bfe2a0 NotificationEvent fffffa8003c783b0 SynchronizationEvent fffffa8003c78310 SynchronizationEvent fffffa8003c78450 SynchronizationEvent fffffa80049894c0 SynchronizationTimer Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 19271 Ticks: 11291 (0:00:02:56.140) Context Switch Count 16 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000077b79a90) Stack Init fffff88004006db0 Current fffff88004005fd0 Base fffff88004007000 Limit fffff88004001000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`04006010 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`04006150 fffff800`01abfc4b nt!KiCommitThreadWait+0x1d2 fffff880`040061e0 fffff800`01db8ecf nt!KeWaitForMultipleObjects+0x271 fffff880`04006490 fffff800`01db97d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04006960 fffff800`01abb853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04006bb0 00000000`77bb046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04006c20) 00000000`0139f848 00000000`77b79bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`0139f850 00000000`77a5f56d ntdll!TppWaiterpThread+0x14d 00000000`0139faf0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`0139fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8004ed7060 Cid 01d0.0a58 Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa800489ac20 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 27861 Ticks: 2701 (0:00:00:42.135) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000077b78f00) Stack Init fffff88003555db0 Current fffff880035557d0 Base fffff88003556000 Limit fffff88003550000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`03555810 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`03555950 fffff800`01ac71c1 nt!KiCommitThreadWait+0x1d2 fffff880`035559e0 fffff800`01db89d7 nt!KeRemoveQueueEx+0x301 fffff880`03555a90 fffff800`01acc996 nt!IoRemoveIoCompletion+0x47 fffff880`03555b20 fffff800`01abb853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`03555c20 00000000`77bb17ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03555c20) 00000000`00dcfa18 00000000`77b7914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`00dcfa20 00000000`77a5f56d ntdll!TppWorkerThread+0x2c9 00000000`00dcfd20 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`00dcfd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Here are main threads from both processes on x64 W2K8 R2 after SAS (I brought change password dialog):

THREAD fffffa8004888770 Cid 01c0.01c4 Teb: 000007fffffde000 Win32Thread: fffff900c00d9c30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80049c25c0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 3202 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.218 Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffc2ec08) Stack Init fffff880031acdb0 Current fffff880031ac900 Base fffff880031ad000 Limit fffff880031a7000 Call 0 Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`031ac940 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`031aca80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2 fffff880`031acb10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f fffff880`031acbb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2 fffff880`031acc20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`031acc20) 00000000`0023f398 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa 00000000`0023f3a0 00000000`ffc219ad KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0023f440 00000000`ffc216e8 winlogon!SignalManagerWaitForSignal+0x135 00000000`0023f480 00000000`ffc2b8b0 winlogon!StateMachineRun+0x404 00000000`0023f7a0 00000000`ffc2ed85 winlogon!WinMain+0x13a3 00000000`0023f910 00000000`76bdf56d winlogon!I_WMsgkSendMessage+0x252 00000000`0023f9d0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0023fa00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80049ba060 Cid 01c0.0304 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa80049b87e0 SynchronizationTimer fffffa80049b4650 SynchronizationTimer fffffa8004e81e20 NotificationEvent fffffa8004edcbf0 SynchronizationEvent fffffa8004edcb50 SynchronizationEvent fffffa8004edcc90 SynchronizationEvent fffffa80049b8670 SynchronizationTimer Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34428081 Ticks: 238645 (0:01:02:02.885) Context Switch Count 175 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90) Stack Init fffff88004193db0 Current fffff88004192fd0 Base fffff88004194000 Limit fffff8800418e000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffff880`04193010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`04193150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`041931e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`04193490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04193960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04193bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04193c20) 00000000`00d2fb38 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`00d2fb40 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d 00000000`00d2fde0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`00d2fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005b8e810 Cid 01c0.12d4 Teb: 000007fffffdc000 Win32Thread: fffff900c37a6250 WAIT: (WrLpcReply) UserMode Non-Alertable fffffa8005b8ebd0 Semaphore Limit 0x1 Waiting for reply to ALPC Message fffff8a00c87e750 : queued at port fffffa800661ec60 : owned by process fffffa8005f442b0 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 150 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00) Stack Init fffff88006c8edb0 Current fffff88006c8e620 Base fffff88006c8f000 Limit fffff88006c87000 Call 0 Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`06c8e660 fffff800`01ad6752 nt!KiSwapContext+0×7a fffff880`06c8e7a0 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2 fffff880`06c8e830 fffff800`01aedbef nt!KeWaitForSingleObject+0×19f fffff880`06c8e8d0 fffff800`01dd6a36 nt!AlpcpSignalAndWait+0×8f fffff880`06c8e980 fffff800`01dd49c0 nt!AlpcpReceiveSynchronousReply+0×46 fffff880`06c8e9e0 fffff800`01dd1f3b nt!AlpcpProcessSynchronousRequest+0×33d fffff880`06c8eb00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0×1ab fffff880`06c8ebb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`06c8ec20) 00000000`0103f298 000007fe`fea8aa76 ntdll!ZwAlpcSendWaitReceivePort+0xa 00000000`0103f2a0 000007fe`feb2cb64 RPCRT4!LRPC_CCALL::SendReceive+0×156 00000000`0103f360 000007fe`feb2cd55 RPCRT4!NdrpClientCall3+0×244 00000000`0103f620 00000000`ffc24979 RPCRT4!NdrClientCall3+0xf2 00000000`0103f9b0 00000000`ffc4e781 winlogon!WluiRequestCredentials+0×71 00000000`0103fa20 00000000`ffc21d04 winlogon!WLGeneric_Request_Change_Credz_Execute+0xa5 00000000`0103fa90 00000000`76df0fb4 winlogon!StateMachineWorkerCallback+0×7f 00000000`0103fac0 00000000`76df4b1f ntdll!TppWorkpExecuteCallback+0xa4 00000000`0103fb20 00000000`76bdf56d ntdll!TppWorkerThread+0×6c9 00000000`0103fe20 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0103fe50 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8006480640 Cid 01c0.131c Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa80042479a0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664380 Ticks: 2346 (0:00:00:36.597) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800715ddb0 Current fffff8800715d7d0 Base fffff8800715e000 Limit fffff88007158000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0715d810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0715d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0715d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0715da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0715db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0715dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0715dc20) 00000000`010bf908 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`010bf910 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`010bfc10 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`010bfc40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005916290 Cid 01c0.0c04 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa80042479a0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 3 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff88007126db0 Current fffff880071267d0 Base fffff88007127000 Limit fffff88007121000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`07126810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`07126950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`071269e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`07126a90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`07126b20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`07126c20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07126c20) 00000000`009cfaa8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`009cfab0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`009cfdb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`009cfde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

We now see the new thread fffffa8005b8e810 waiting for an ALPC message fffff8a00c87e750:

0: kd> !alpc /m fffff8a00c87e750

Message @ fffff8a00c87e750 MessageID : 0x0534 (1332) CallbackID : 0x14152C5 (21058245) SequenceNumber : 0x00000006 (6) Type : LPC_REQUEST DataLength : 0x0060 (96) TotalLength : 0x0088 (136) Canceled : No Release : No ReplyWaitReply : No Continuation : Yes OwnerPort : fffffa80065696c0 [ALPC_CLIENT_COMMUNICATION_PORT] WaitingThread : fffffa8005b8e810 QueueType : ALPC_MSGQUEUE_PENDING QueuePort : fffffa800661ec60 [ALPC_CONNECTION_PORT] QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe) ServerThread : fffffa8005a9b2a0 QuotaCharged : No CancelQueuePort : 0000000000000000 CancelSequencePort : 0000000000000000 CancelSequenceNumber : 0×00000000 (0) ClientContext : 00000000003f5b30 ServerContext : 0000000000000000 PortContext : 00000000015e2640 CancelPortContext : 0000000000000000 SecurityData : 0000000000000000 View : 0000000000000000

The server thread is fffffa8005a9b2a0 and is owned by LogonUI.exe. Here are all threads in that process where I highlighted credential providers:

THREAD fffffa8005f47b60 Cid 06d0.13e0 Teb: 000007fffffde000 Win32Thread: fffff900c1d6ec30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80065be260 SynchronizationEvent fffffa8005bf6240 SynchronizationEvent fffffa8005bcbc70 SynchronizationEvent fffffa80052a9dc0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34666693 Ticks: 33 (0:00:00:00.514) Context Switch Count 722 LargeStack UserTime 00:00:00.171 KernelTime 00:00:00.140 Win32 Start Address LogonUI!wWinMainCRTStartup (0x00000000ffb45c58) Stack Init fffff88004911db0 Current fffff88004910fd0 Base fffff88004912000 Limit fffff88004908000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`04911010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`04911150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`049111e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`04911490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04911960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04911bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04911c20) 00000000`001bf708 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`001bf710 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`001bf810 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`001bf8a0 000007fe`fae19ecd USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`001bf940 000007fe`fae19d8e DUser!CoreSC::DUIMsgWaitForMultipleObjectsEx+0x17c 00000000`001bf9f0 00000000`76cf9079 DUser!MphMsgWaitForMultipleObjectsEx+0x7a 00000000`001bfa30 000007fe`fb8e407b USER32!MsgWaitForMultipleObjectsEx+0x37 00000000`001bfa70 000007fe`fb8e4f6c authui!CLogonFrame::DoModal+0×67 00000000`001bfaf0 000007fe`fb8e50cf authui!CLogonUI_CreateThenDoModalThenDestroy+0×299 00000000`001bfb50 00000000`ffb454df authui!CLogonUI::DoModal+0×73 00000000`001bfb80 00000000`ffb45ae6 LogonUI!wWinMain+0xfb 00000000`001bfbe0 00000000`76bdf56d LogonUI!ParseCommandLineToStringArrayLocalAlloc+0×33a 00000000`001bfca0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`001bfcd0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8006595720 Cid 06d0.1158 Teb: 000007fffffdc000 Win32Thread: fffff900c35105f0 WAIT: (UserRequest) UserMode Non-Alertable fffffa8005cad160 SynchronizationEvent fffffa8005618d30 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664381 Ticks: 2345 (0:00:00:36.582) Context Switch Count 2 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address msvcrt!endthreadex (0x000007feff0573fc) Stack Init fffff88005638db0 Current fffff88005637fd0 Base fffff88005639000 Limit fffff88005632000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05638010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05638150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`056381e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`05638490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`05638960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`05638bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05638c20) 00000000`00eaf4d8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`00eaf4e0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`00eaf5e0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`00eaf670 000007fe`fae114e6 USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`00eaf710 000007fe`fae116b2 DUser!CoreSC::Wait+0x62 00000000`00eaf760 000007fe`fae205dd DUser!CoreSC::xwProcessNL+0xed 00000000`00eaf7d0 000007fe`fae20500 DUser!GetMessageExA+0x7b 00000000`00eaf820 000007fe`ff0542bf DUser!ResourceManager::SharedThreadProc+0xe8 00000000`00eaf8b0 000007fe`ff057459 msvcrt!endthreadex+0x47 00000000`00eaf8e0 00000000`76bdf56d msvcrt!endthreadex+0xe0 00000000`00eaf910 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`00eaf940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006646060 Cid 06d0.1174 Teb: 000007fffffda000 Win32Thread: fffff900c397bc30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80059522e0 SynchronizationEvent fffffa80061cf2d0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664855 Ticks: 1871 (0:00:00:29.187) Context Switch Count 101 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefb8e51c0) Stack Init fffff880057addb0 Current fffff880057acfd0 Base fffff880057ae000 Limit fffff880057a6000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`057ad010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`057ad150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`057ad1e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`057ad490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`057ad960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`057adbb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`057adc20) 00000000`02c5f9b8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`02c5f9c0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`02c5fac0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`02c5fb50 00000000`76cf905a USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`02c5fbf0 000007fe`febdb46a USER32!MsgWaitForMultipleObjectsEx+0x46 00000000`02c5fc30 000007fe`fecfa542 ole32!CCliModalLoop::BlockFn+0xc2 00000000`02c5fc80 000007fe`fb8e4bc1 ole32!CoWaitForMultipleHandles+0x102 00000000`02c5fd90 000007fe`fb8e4a4a authui!InternalCoWaitForSingleHandle+0×31 00000000`02c5fdd0 000007fe`fb8e51c9 authui!CCredentialProviderThread::_vThreadProc+0xbf 00000000`02c5fe10 00000000`76bdf56d authui!CCredentialProviderThread::_sThreadProc+0×9 00000000`02c5fe40 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02c5fe70 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8005a9b2a0 Cid 06d0.1248 Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable fffffa800559c800 NotificationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 12 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00) Stack Init fffff88005871db0 Current fffff88005871900 Base fffff88005872000 Limit fffff8800586b000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05871940 fffff800`01ad6752 nt!KiSwapContext+0×7a fffff880`05871a80 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2 fffff880`05871b10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0×19f fffff880`05871bb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2 fffff880`05871c20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`05871c20) 00000000`02aee898 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa 00000000`02aee8a0 000007fe`fb8e4586 KERNELBASE!WaitForSingleObjectEx+0×79 00000000`02aee940 000007fe`fb8e891c authui!InternalWaitForSingleObject+0×26 00000000`02aee980 000007fe`fb8e8ac4 authui!WPP_SF_qqddd+0×157d 00000000`02aee9e0 000007fe`fea7c7f5 authui!WluirRequestCredentials+0×44 00000000`02aeea20 000007fe`feb2b62e RPCRT4!Invoke+0×65 00000000`02aeeaa0 000007fe`fea74070 RPCRT4!Ndr64StubWorker+0×61b 00000000`02aef060 000007fe`fea79c24 RPCRT4!NdrServerCallAll+0×40 00000000`02aef0b0 000007fe`fea79d86 RPCRT4!DispatchToStubInCNoAvrf+0×14 00000000`02aef0e0 000007fe`fea7c44b RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×146 00000000`02aef200 000007fe`fea7c38b RPCRT4!RPC_INTERFACE::DispatchToStub+0×9b 00000000`02aef240 000007fe`fea7c322 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0×5b 00000000`02aef2c0 000007fe`fea7a11d RPCRT4!LRPC_SCALL::DispatchRequest+0×422 00000000`02aef3a0 000007fe`fea87ddf RPCRT4!LRPC_SCALL::HandleRequest+0×20d 00000000`02aef4d0 000007fe`fea87995 RPCRT4!LRPC_ADDRESS::ProcessIO+0×3bf 00000000`02aef610 00000000`76dfb43b RPCRT4!LrpcIoComplete+0xa5 00000000`02aef6a0 00000000`76df923f ntdll!TppAlpcpExecuteCallback+0×26b 00000000`02aef730 00000000`76bdf56d ntdll!TppWorkerThread+0×3f8 00000000`02aefa30 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02aefa60 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8005941a10 Cid 06d0.0f10 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa800663a9a0 SynchronizationTimer fffffa8005881650 SynchronizationTimer fffffa8006577ef0 SynchronizationTimer fffffa8005a93bd0 NotificationEvent fffffa80063f6450 SynchronizationEvent fffffa80058fe4c0 SynchronizationEvent fffffa80064c0290 SynchronizationEvent fffffa8004e49e90 NotificationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958) Context Switch Count 11 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90) Stack Init fffff88006946db0 Current fffff88006945fd0 Base fffff88006947000 Limit fffff88006941000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`06946010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`06946150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`069461e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`06946490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`06946960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`06946bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06946c20) 00000000`02dbf718 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`02dbf720 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d 00000000`02dbf9c0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02dbf9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80056de060 Cid 06d0.0ba8 Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8005f7d3e0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457) Context Switch Count 5 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800569ddb0 Current fffff8800569d7d0 Base fffff8800569e000 Limit fffff88005698000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0569d810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0569d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0569d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0569da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0569db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0569dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0569dc20) 00000000`035cfbb8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`035cfbc0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`035cfec0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`035cfef0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005ccfa10 Cid 06d0.03a0 Teb: 000007fffffd8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8005f7d3e0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664420 Ticks: 2306 (0:00:00:35.973) Context Switch Count 7 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800459bdb0 Current fffff8800459b7d0 Base fffff8800459c000 Limit fffff88004596000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0459b810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0459b950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0459b9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0459ba90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0459bb20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0459bc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0459bc20) 00000000`02e5f8c8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`02e5f8d0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`02e5fbd0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02e5fc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800662a800 Cid 06d0.0a54 Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable fffffa800662aad8 Semaphore Limit 0x2 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x000007fefebf3570) Stack Init fffff8800568fdb0 Current fffff8800568f970 Base fffff88005690000 Limit fffff8800568a000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0568f9b0 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0568faf0 fffff800`01ad8e56 nt!KiCommitThreadWait+0x1d2 fffff880`0568fb80 fffff800`01dcacee nt!KeDelayExecutionThread+0x186 fffff880`0568fbf0 fffff800`01ace853 nt!NtDelayExecution+0x59 fffff880`0568fc20 00000000`76e301fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0568fc20) 00000000`0371fa68 000007fe`fd081203 ntdll!NtDelayExecution+0xa 00000000`0371fa70 000007fe`febeea00 KERNELBASE!SleepEx+0xab 00000000`0371fb10 000007fe`febf2046 ole32!CROIDTable::WorkerThreadLoop+0x10 00000000`0371fb40 000007fe`febf358a ole32!CRpcThread::WorkerLoop+0x1e 00000000`0371fb80 00000000`76bdf56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a 00000000`0371fbb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0371fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80063a4490 Cid 06d0.0ca0 Teb: 000007fffffa8000 Win32Thread: fffff900c1fffc30 WAIT: (WrLpcReceive) UserMode Non-Alertable fffffa80063a4850 Semaphore Limit 0x1 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664404 Ticks: 2322 (0:00:00:36.223) Context Switch Count 11 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address MSCTF!CCtfServerPort::StaticServerThread (0x000007fefe959274) Stack Init fffff88005b30db0 Current fffff88005b30750 Base fffff88005b31000 Limit fffff88005b2a000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05b30790 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05b308d0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2 fffff880`05b30960 fffff800`01dcf329 nt!KeWaitForSingleObject+0x19f fffff880`05b30a00 fffff800`01dd0a37 nt!AlpcpReceiveMessagePort+0x189 fffff880`05b30a60 fffff800`01dd1f76 nt!AlpcpReceiveMessage+0x2d4 fffff880`05b30b00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1e6 fffff880`05b30bb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b30c20) 00000000`0390e7b8 000007fe`fe9426a9 ntdll!ZwAlpcSendWaitReceivePort+0xa 00000000`0390e7c0 000007fe`fe959417 MSCTF!CCtfServerPort::ServerLoop+0x16c 00000000`0390f8e0 000007fe`fe959296 MSCTF!CCtfServerPort::ServerThread+0x15b 00000000`0390fc20 00000000`76bdf56d MSCTF!CCtfServerPort::StaticServerThread+0x28 00000000`0390fc50 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0390fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800489eb60 Cid 06d0.13b8 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa8005833be0 NotificationEvent fffffa8005a03ad0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958) Context Switch Count 19 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007feed747028) Stack Init fffff88005894db0 Current fffff88005893fd0 Base fffff88005895000 Limit fffff8800588f000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05894010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05894150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`058941e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`05894490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`05894960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`05894bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05894c20) 00000000`02d1f948 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`02d1f950 00000000`76bcf190 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`02d1fa50 000007fe`ed746b84 kernel32!WaitForMultipleObjects+0xb0 00000000`02d1fae0 000007fe`ed747059 SmartcardCredentialProvider!I_ReaderMonitorWorker+0×9c 00000000`02d1fb80 00000000`76bdf56d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0×31 00000000`02d1fbc0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02d1fbf0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

So according to memory dump analysis pattern terminology these 2 processes are strongly coupled and this fact can be used for analysis logon problems in terminal services environments: http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/

intrauser isolation (p. 459)

file object security (p. 460) - here is an example from x64 W2K8 R2:

0: kd> !handle [...] 0008: Object: fffffa800658e070 GrantedAccess: 00100020 Entry: fffff8a00445d020 Object: fffffa800658e070 Type: (fffffa8003c0dde0) File ObjectHeader: fffffa800658e040 (new version) HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \DL\Notmyfault\exe\x64\Release {HarddiskVolume2} […] 001c: Object: fffffa8005f44ee0 GrantedAccess: 001f0003 (Protected) Entry: fffff8a00445d070 Object: fffffa8005f44ee0 Type: (fffffa8003c00570) Event ObjectHeader: fffffa8005f44eb0 (new version) HandleCount: 1 PointerCount: 2 […]

0: kd> dt _OBJECT_TYPE fffffa8003c0dde0 ntdll!_OBJECT_TYPE +0x000 TypeList : _LIST_ENTRY [ 0xfffffa80`03c0dde0 - 0xfffffa80`03c0dde0 ] +0x010 Name : _UNICODE_STRING "File" +0x020 DefaultObject : 0x00000000`00000098 +0x028 Index : 0x1c '' +0x02c TotalNumberOfObjects : 0x5645 +0x030 TotalNumberOfHandles : 0x89e +0x034 HighWaterNumberOfObjects : 0x5baf +0x038 HighWaterNumberOfHandles : 0x8b5 +0×040 TypeInfo : _OBJECT_TYPE_INITIALIZER +0×0b0 TypeLock : _EX_PUSH_LOCK +0×0b8 Key : 0×656c6946 +0×0c0 CallbackList : _LIST_ENTRY [ 0xfffffa80`03c0dea0 - 0xfffffa80`03c0dea0 ]

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c0dde0+40 ntdll!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x70 +0x002 ObjectTypeFlags : 0x11 '' +0x002 CaseInsensitive : 0y1 +0x002 UnnamedObjectsOnly : 0y0 +0x002 UseDefaultObject : 0y0 +0x002 SecurityRequired : 0y0 +0x002 MaintainHandleCount : 0y1 +0x002 MaintainTypeList : 0y0 +0x002 SupportsObjectCallbacks : 0y0 +0x004 ObjectTypeCode : 1 +0x008 InvalidAttributes : 0x130 +0x00c GenericMapping : _GENERIC_MAPPING +0x01c ValidAccessMask : 0x1f01ff +0x020 RetainAccess : 0 +0x024 PoolType : 0 ( NonPagedPool ) +0x028 DefaultPagedPoolCharge : 0x400 +0x02c DefaultNonPagedPoolCharge : 0x180 +0x030 DumpProcedure : (null) +0x038 OpenProcedure : (null) +0x040 CloseProcedure : 0xfffff800`01de6890 void nt!IopCloseFile+0 +0x048 DeleteProcedure : 0xfffff800`01de6610 void nt!IopDeleteFile+0 +0x050 ParseProcedure : 0xfffff800`01df7370 long nt!IopParseFile+0 +0×058 SecurityProcedure : 0xfffff800`01db7130 long nt!IopGetSetSecurityObject+0 +0×060 QueryNameProcedure : 0xfffff800`01db7470 long nt!IopQueryName+0<> +0×068 OkayToCloseProcedure : (null)

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c00570+40 ntdll!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x70 +0x002 ObjectTypeFlags : 0 '' +0x002 CaseInsensitive : 0y0 +0x002 UnnamedObjectsOnly : 0y0 +0x002 UseDefaultObject : 0y0 +0x002 SecurityRequired : 0y0 +0x002 MaintainHandleCount : 0y0 +0x002 MaintainTypeList : 0y0 +0x002 SupportsObjectCallbacks : 0y0 +0x004 ObjectTypeCode : 2 +0x008 InvalidAttributes : 0x100 +0x00c GenericMapping : _GENERIC_MAPPING +0x01c ValidAccessMask : 0x1f0003 +0x020 RetainAccess : 0 +0x024 PoolType : 0 ( NonPagedPool ) +0x028 DefaultPagedPoolCharge : 0 +0x02c DefaultNonPagedPoolCharge : 0x70 +0x030 DumpProcedure : (null) +0x038 OpenProcedure : (null) +0x040 CloseProcedure : (null) +0x048 DeleteProcedure : (null) +0x050 ParseProcedure : (null) +0×058 SecurityProcedure : 0xfffff800`01d97070 long nt!SeDefaultObjectMethod+0 +0×060 QueryNameProcedure : (null) +0×068 OkayToCloseProcedure : (null)

SID = SVAS*-RID, S-Version-Authority-Subauthority*-RelativeID (pp. 461 - 462)

PsGetSid (p. 463)

Administrator SID = Machine SID + ‘-500′ (p. 463) - here’s my test (real computer name has been changed to COMPUTER):

C:\PsTools>PsGetSid COMPUTER

SID for COMPUTER\COMPUTER: S-1-5-21-30...49-19...94-15...96

C:\PsTools>PsGetSid S-1-5-21-30...49-19...94-15...96-500

Account for COMPUTER\S-1-5-21-30...49-19...94-15...96-500: User: COMPUTER\Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 09-April-10

Saturday, April 10th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Hard CPU limits per-session, -user and -system (pp. 444-445)

Security and user-interface limits on jobs (p. 447)

job objects (pp. 447 - 450) - we can dump all processes via !process 0 1 command and look for “Job ” in the output as on my x64 W2K8 system:

1: kd> !process 0 1

PROCESS fffffa8004e28c10 SessionId: 1 Cid: 0a70 Peb: 7fffffd8000 ParentCid: 09ec DirBase: 93cfb000 ObjectTable: fffff88008ec2a20 HandleCount: 405. Image: MSASCui.exe VadRoot fffffa8004de0390 Vads 106 Clone 0 Private 1932. Modified 352. Locked 0. DeviceMap fffff88008479c90 Token fffff88008edb060 ElapsedTime 00:03:15.554 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 197440 QuotaPoolUsage[NonPagedPool] 21728 Working Set Sizes (now,min,max) (3259, 50, 345) (13036KB, 200KB, 1380KB) PeakWorkingSetSize 3259 VirtualSize 96 Mb PeakVirtualSize 96 Mb PageFaultCount 5245 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 2214 Job fffffa80050f8860

PROCESS fffffa800511b260 SessionId: 1 Cid: 0a78 Peb: 7fffffd3000 ParentCid: 09ec DirBase: 93dcb000 ObjectTable: fffff880089d4ae0 HandleCount: 128. Image: wmdSync.exe VadRoot fffffa800511aba0 Vads 77 Clone 0 Private 436. Modified 0. Locked 0. DeviceMap fffff88008479c90 Token fffff88008ee1060 ElapsedTime 00:03:15.429 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 150088 QuotaPoolUsage[NonPagedPool] 7296 Working Set Sizes (now,min,max) (1554, 50, 345) (6216KB, 200KB, 1380KB) PeakWorkingSetSize 1558 VirtualSize 75 Mb PeakVirtualSize 76 Mb PageFaultCount 1643 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 584 Job fffffa80050f8860

PROCESS fffffa8005120a30 SessionId: 1 Cid: 0a88 Peb: 7efdf000 ParentCid: 09ec DirBase: 923cd000 ObjectTable: fffff88008e29560 HandleCount: 99. Image: daemon.exe VadRoot fffffa8004a8cba0 Vads 96 Clone 0 Private 843. Modified 0. Locked 0. DeviceMap fffff88008479c90 Token fffff88008eed730 ElapsedTime 00:03:14.976 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 175272 QuotaPoolUsage[NonPagedPool] 9024 Working Set Sizes (now,min,max) (2608, 50, 345) (10432KB, 200KB, 1380KB) PeakWorkingSetSize 2615 VirtualSize 92 Mb PeakVirtualSize 94 Mb PageFaultCount 3463 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 1397 Job fffffa80050f8860

PROCESS fffffa80051b5640 SessionId: 1 Cid: 0b98 Peb: 7efdf000 ParentCid: 09ec DirBase: 8e371000 ObjectTable: fffff8800910ced0 HandleCount: 59. Image: WZQKPICK.EXE VadRoot fffffa80051c1630 Vads 58 Clone 0 Private 215. Modified 0. Locked 0. DeviceMap fffff88008479c90 Token fffff8800910c860 ElapsedTime 00:03:00.903 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 123744 QuotaPoolUsage[NonPagedPool] 5376 Working Set Sizes (now,min,max) (1274, 50, 345) (5096KB, 200KB, 1380KB) PeakWorkingSetSize 1274 VirtualSize 62 Mb PeakVirtualSize 63 Mb PageFaultCount 1304 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 331 Job fffffa80050f8860

PROCESS fffffa800530e040 SessionId: 0 Cid: 0bcc Peb: 7fffffd6000 ParentCid: 0328 DirBase: 12c7cc000 ObjectTable: fffff880097c19e0 HandleCount: 193. Image: WmiPrvSE.exe VadRoot fffffa80053864c0 Vads 107 Clone 0 Private 766. Modified 0. Locked 0. DeviceMap fffff88007fe7530 Token fffff8800995f060 ElapsedTime 00:00:27.349 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 102888 QuotaPoolUsage[NonPagedPool] 10176 Working Set Sizes (now,min,max) (2338, 50, 345) (9352KB, 200KB, 1380KB) PeakWorkingSetSize 2338 VirtualSize 56 Mb PeakVirtualSize 56 Mb PageFaultCount 2724 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 1359 Job fffffa8004d71560

1: kd> !job fffffa8004d71560 Job at fffffa8004d71560 TotalPageFaultCount 0 TotalProcesses 1 ActiveProcesses 1 TotalTerminatedProcesses 0 LimitFlags 2b08 MinimumWorkingSetSize 0 MaximumWorkingSetSize 0 ActiveProcessLimit 20 PriorityClass 0 UIRestrictionsClass 0 SecurityLimitFlags 0 Token 0000000000000000

1: kd> !job fffffa80050f8860 Job at fffffa80050f8860 TotalPageFaultCount 0 TotalProcesses 4 ActiveProcesses 4 TotalTerminatedProcesses 0 LimitFlags 1000 MinimumWorkingSetSize 0 MaximumWorkingSetSize 0 ActiveProcessLimit 0 PriorityClass 0 UIRestrictionsClass 0 SecurityLimitFlags 0 Token 0000000000000000

1: kd> dt _EJOB fffffa80050f8860 nt!_EJOB +0x000 Event : _KEVENT +0x018 JobLinks : _LIST_ENTRY [ 0xfffff800`019c2450 - 0xfffffa80`04d71578 ] +0x028 ProcessListHead : _LIST_ENTRY [ 0xfffffa80`04e28e58 - 0xfffffa80`051b5888 ] +0x038 JobLock : _ERESOURCE +0x0a0 TotalUserTime : _LARGE_INTEGER 0x0 +0x0a8 TotalKernelTime : _LARGE_INTEGER 0x0 +0x0b0 ThisPeriodTotalUserTime : _LARGE_INTEGER 0x0 +0x0b8 ThisPeriodTotalKernelTime : _LARGE_INTEGER 0x0 +0x0c0 TotalPageFaultCount : 0 +0x0c4 TotalProcesses : 4 +0x0c8 ActiveProcesses : 4 +0x0cc TotalTerminatedProcesses : 0 +0x0d0 PerProcessUserTimeLimit : _LARGE_INTEGER 0x0 +0x0d8 PerJobUserTimeLimit : _LARGE_INTEGER 0x0 +0x0e0 LimitFlags : 0x1000 +0x0e8 MinimumWorkingSetSize : 0 +0x0f0 MaximumWorkingSetSize : 0 +0x0f8 ActiveProcessLimit : 0 +0x100 Affinity : 0 +0x108 PriorityClass : 0 '' +0x110 AccessState : (null) +0x118 UIRestrictionsClass : 0 +0x11c EndOfJobTimeAction : 0 +0x120 CompletionPort : (null) +0x128 CompletionKey : (null) +0x130 SessionId : 1 +0x134 SchedulingClass : 5 +0x138 ReadOperationCount : 0 +0x140 WriteOperationCount : 0 +0x148 OtherOperationCount : 0 +0x150 ReadTransferCount : 0 +0x158 WriteTransferCount : 0 +0x160 OtherTransferCount : 0 +0x168 ProcessMemoryLimit : 0 +0x170 JobMemoryLimit : 0 +0x178 PeakProcessMemoryUsed : 0x912 +0x180 PeakJobMemoryUsed : 0x11b3 +0x188 CurrentJobMemoryUsed : 0x11ae +0x190 MemoryLimitsLock : _EX_PUSH_LOCK +0x198 JobSetLinks : _LIST_ENTRY [ 0xfffffa80`050f89f8 - 0xfffffa80`050f89f8 ] +0x1a8 MemberLevel : 0 +0x1ac JobFlags : 1

C2 reqs: SLF - DAC - SAC - ORP (p. 452) - mnemonic to remember perhaps for security exams like CISSP

B reqs: TPF - TFM (p. 453)

Security targets and protection profiles (p. 453)

Advanced .NET Debugging by M. Hewardt:

type handle as a pointer to method table (p. 53) - I liked managed heap - execution engine boundary and propose this colored space diagram (will add this to Dictionary of Debugging soon as a tripartite “virtual” memory division) :

!DumpModule command (p. 57)

!U command (pp. 58 - 59)

!DumpMT command (p. 59)

!DumpMT -md to dump type method descriptors (p. 60)

!DumpMD command (p. 60)

m_CodeOrIL: 00920070 (p. 61) - the address looks like as UNICODE string but I belive this is just a coincidence, the false positive of Wild Pointer pattern: http://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Advanced .NET Debugging, Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 30-March-10

Saturday, April 3rd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

per-PRCB queued, system-wide dispatcher, system-wide context swap and per-thread spinlocks (pp. 434-435)

physical over logical processor preference for scheduling (p. 435)

!smt command (p. 436) - here is the putput from x64 machine (from the output we can infer the following relationship logical processor -> core -> physical processor):

1: kd> !smt SMT Summary: ------------ KeActiveProcessors: **-------------------------------------------------------------- (0000000000000003) KiIdleSummary: -*-------------------------------------------------------------- (0000000000000002) No PRCB SMT Set APIC Id 0 fffff80001991680 **-------------------------------------------------------------- (0000000000000003) 0x00000000 1 fffffa60005ec180 **-------------------------------------------------------------- (0000000000000003) 0x00000001

Maximum cores per physical processor: 2 Maximum logical processors per core: 1

NUMA (pp. 436 - 438) - I can see NUMA even on my small desktop system

1: kd> !numa NUMA Summary: ------------ Number of NUMA nodes : 1 Number of Processors : 2 MmAvailablePages : 0x000C7CB9 KeActiveProcessors : (3)

NODE 0 (FFFFF80001995640): ProcessorMask : (3) Color : 0x00000000 MmShiftedColor : 0x00000000 Seed : 0x00000001 Right : 0x00000000 Left : 0x00000001 Zeroed Page Count: 0x0000000000000000 Free Page Count : 0x0000000000000000

Thread affinity (pp. 438 - 440) - see also Affine Thread crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/06/27/crash-dump-analysis-patterns-part-68/

uniprocessor flag as a workaround for multithreading defects (p. 439)

Set(Query)ProcessAffinityUpdateMode and dynamic processor changes (p. 442)

choosing a processor (idle ideal -> idle current -> idle previous -> current -> ideal running less priority thread) (pp. 433 - 444)

no guarantee to run all highest priority threads vs. always runs the highest priority thread (p. 444)

Advanced .NET Debugging by M. Hewardt:

value vs. reference types (p. 42)

sosex!bpsc (p. 46)

per frame managed stack trace: !ClrStack -a (p. 46)

d* for simple local value types, !dumpobj for references, !dumpvc for value type fields (pp. 46 - 47)

sync blocks (pp. 49 - 52) - here is the output from my x64 test program:

0:000> !ClrStack -a OS Thread Id: 0x6e8 (0)

000000000013ed10 000007ff001ac709 System.IO.TextReader+SyncTextReader.ReadLine() PARAMETERS: this = 0x0000000002a2b568

0:000> !dumpobj 0x0000000002a2b568 Name: System.IO.TextReader+SyncTextReader MethodTable: 000007feee67bea8 EEClass: 000007feedb851e0 Size: 32(0x20) bytes (C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll) Fields: MT Field Offset Type VT Attr Value Name 000007feede86048 400018a 8 System.Object 0 instance 0000000000000000 __identity 000007feedecd198 4001c87 b18 System.IO.TextReader 0 shared static Null >> Domain:Value 0000000000220840:0000000002a2b060 << 000007feedecd198 4001c88 10 System.IO.TextReader 0 instance 0000000002a2af28 _in ThinLock owner 1 (0000000000000000), Recursive 0

0:000> dq 0x0000000002a2b568-8 00000000`02a2b560 00000001`00000000 000007fe`ee67bea8 00000000`02a2b570 00000000`00000000 00000000`02a2af28 00000000`02a2b580 00000000`00000000 00000000`00000000 00000000`02a2b590 00000000`00000000 00000000`00000000 00000000`02a2b5a0 00000000`00000000 00000000`00000000 00000000`02a2b5b0 00000000`00000000 00000000`00000000 00000000`02a2b5c0 00000000`00000000 00000000`00000000 00000000`02a2b5d0 00000000`00000000 00000000`00000000

0:000> !syncblk 1 Index SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner 1 0000000000259bf8 0 0 0000000000000000 none 0000000002a28030 System.EventHandler ----------------------------- Total 1 CCW 0 RCW 0 ComClassFactory 0 Free 0

thin sync blocks (p. 52)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Advanced .NET Debugging, Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 26-March-10

Friday, March 26th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Impossibility to disable foreground after-wait priority boosts (p. 423)

CPU Stress tool (pp. 423 - 425, 428 - 430) - Good tool to model CPU spikes. See also Modeling CPU Spikes article I co-authored for Debugging Expert magazine: http://www.debuggingexperts.com/debugged-june-09

CPU starvation prevention via balance set manager thread (p. 427)

MMCSS priority boosts (p. 432)

Network throttling to prevent DPC activity interrupting MMCSS boosting (p. 433)

Advanced .NET Debugging by M. Hewardt:

System | shared | def app := bookkeeping, precreation | mscorlib | app code (pp. 37 - 38) - here we check that mscorlib assembly belongs to the shared domain:

0:003> !dumpdomain -------------------------------------- System Domain: 000007fef00f8ef0 LowFrequencyHeap: 000007fef00f8f38 HighFrequencyHeap: 000007fef00f8fc8 StubHeap: 000007fef00f9058 Stage: OPEN Name: None -------------------------------------- Shared Domain: 000007fef00f9860 LowFrequencyHeap: 000007fef00f98a8 HighFrequencyHeap: 000007fef00f9938 StubHeap: 000007fef00f99c8 Stage: OPEN Name: None Assembly: 00000000003a2d10 ————————————– Domain 1: 0000000000390840 LowFrequencyHeap: 0000000000390888 HighFrequencyHeap: 0000000000390918 StubHeap: 00000000003909a8 Stage: OPEN SecurityDescriptor: 00000000003930e0 Name: TestCLR.exe

[...]

Assembly: 00000000003a2d10[C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll] ClassLoader: 00000000003a2dd0 SecurityDescriptor: 00000000003a2110 Module Name 000007feeda51000 C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

0:003> !dumpassembly 00000000003a2d10 Parent Domain: 000007fef00f9860 Name: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll ClassLoader: 00000000003a2dd0 SecurityDescriptor: 000000000335db78 Module Name 000007feeda51000 C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

Multimodule assemblies with separate PE file for a manifest (p. 40)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Advanced .NET Debugging, Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 22-March-10

Wednesday, March 24th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Processor mode doesn’t affect thread scheduling (p. 414)

Preemption can be before a quantum ends and in that case the preempted thread is pushed at the front of a ready queue (pp. 414 - 415)

Clock interval extension of quanta for interrupted threads (pp. 416 - 417)

Context Switching (p. 418) - just noticed (never paid attention to before) that WinDbg shows empty context for the preempted thread:

x86 W2K3:

0: kd> kL ChildEBP RetAddr ba3a2a44 80833ed1 nt!KiSwapContext+0x26 ba3a2a70 80829c14 nt!KiSwapThread+0x2e5 ba3a2ab8 b9c5674d nt!KeWaitForSingleObject+0x346 [...]

0: kd> r Last set context: eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 eip=8088f77e esp=ba3a2a38 ebp=ba3a2a70 iopl=0 nv up di pl nz na po nc cs=0008 ss=0010 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000 nt!KiSwapContext+0×26: 8088f77e 8b2c24 mov ebp,dword ptr [esp] ss:0010:ba3a2a38=ba3a2a70

0: kd> uf nt!KiSwapContext nt!KiSwapContext: 8088f758 sub esp,10h 8088f75b mov dword ptr [esp+0Ch],ebx 8088f75f mov dword ptr [esp+8],esi 8088f763 mov dword ptr [esp+4],edi 8088f767 mov dword ptr [esp],ebp 8088f76a mov ebx,dword ptr fs:[1Ch] 8088f771 mov edi,ecx 8088f773 mov esi,edx 8088f775 movzx ecx,byte ptr [edi+4Eh] 8088f779 call nt!SwapContext (8088f880) 8088f77e mov ebp,dword ptr [esp] 8088f781 mov edi,dword ptr [esp+4] 8088f785 mov esi,dword ptr [esp+8] 8088f789 mov ebx,dword ptr [esp+0Ch] 8088f78d add esp,10h 8088f790 ret

x64 W2K8:

1: kd> kL *** Stack trace for last set context - .thread/.cxr resets it Child-SP RetAddr Call Site fffffa60`02ddc7c0 fffff800`0187a6fa nt!KiSwapContext+0x7f fffffa60`02ddc900 fffff800`0186f35b nt!KiSwapThread+0x13a fffffa60`02ddc970 fffff800`01ad9e57 nt!KeWaitForSingleObject+0x2cb fffffa60`02ddca00 fffff800`01ad9219 nt!AlpcpReceiveMessagePort+0x287 fffffa60`02ddca60 fffff800`01ada58a nt!AlpcpReceiveMessage+0x245 fffffa60`02ddcb00 fffff800`01877ef3 nt!NtAlpcSendWaitReceivePort+0x1da fffffa60`02ddcbb0 00000000`7747756a nt!KiSystemServiceCopyEnd+0x13 00000000`0020f5a8 00000000`00000000 ntdll!ZwAlpcSendWaitReceivePort+0xa

1: kd> r Last set context: rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000 rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000 rip=fffff8000187ac7f rsp=fffffa6002ddc7c0 rbp=fffffa80047ca290 r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000000 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up di pl nz na pe nc cs=0000 ss=0000 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000 nt!KiSwapContext+0×7f: fffff800`0187ac7f 488d8c2400010000 lea rcx,[rsp+100h]

1: kd> uf nt!KiSwapContext nt!KiSwapContext: fffff800`0187ac00 sub rsp,138h fffff800`0187ac07 lea rax,[rsp+100h] fffff800`0187ac0f movaps xmmword ptr [rsp+30h],xmm6 fffff800`0187ac14 movaps xmmword ptr [rsp+40h],xmm7 fffff800`0187ac19 movaps xmmword ptr [rsp+50h],xmm8 fffff800`0187ac1f movaps xmmword ptr [rsp+60h],xmm9 fffff800`0187ac25 movaps xmmword ptr [rsp+70h],xmm10 fffff800`0187ac2b movdqa xmmword ptr [rax-80h],xmm11 fffff800`0187ac31 movdqa xmmword ptr [rax-70h],xmm12 fffff800`0187ac37 movdqa xmmword ptr [rax-60h],xmm13 fffff800`0187ac3d movdqa xmmword ptr [rax-50h],xmm14 fffff800`0187ac43 movdqa xmmword ptr [rax-40h],xmm15 fffff800`0187ac49 mov qword ptr [rax],rbx fffff800`0187ac4c mov qword ptr [rax+8],rdi fffff800`0187ac50 mov qword ptr [rax+10h],rsi fffff800`0187ac54 mov qword ptr [rax+18h],r12 fffff800`0187ac58 mov qword ptr [rax+20h],r13 fffff800`0187ac5c mov qword ptr [rax+28h],r14 fffff800`0187ac60 mov qword ptr [rax+30h],r15 fffff800`0187ac64 mov rbx,qword ptr gs:[20h] fffff800`0187ac6d mov rdi,rcx fffff800`0187ac70 mov rsi,rdx fffff800`0187ac73 movzx ecx,byte ptr [rdi+156h] fffff800`0187ac7a call nt!SwapContext (fffff800`0187af50) fffff800`0187ac7f lea rcx,[rsp+100h] fffff800`0187ac87 movdqa xmm6,xmmword ptr [rsp+30h] fffff800`0187ac8d movdqa xmm7,xmmword ptr [rsp+40h] fffff800`0187ac93 movdqa xmm8,xmmword ptr [rsp+50h] fffff800`0187ac9a movdqa xmm9,xmmword ptr [rsp+60h] fffff800`0187aca1 movdqa xmm10,xmmword ptr [rsp+70h] fffff800`0187aca8 movdqa xmm11,xmmword ptr [rcx-80h] fffff800`0187acae movdqa xmm12,xmmword ptr [rcx-70h] fffff800`0187acb4 movdqa xmm13,xmmword ptr [rcx-60h] fffff800`0187acba movdqa xmm14,xmmword ptr [rcx-50h] fffff800`0187acc0 movdqa xmm15,xmmword ptr [rcx-40h] fffff800`0187acc6 mov rbx,qword ptr [rcx] fffff800`0187acc9 mov rdi,qword ptr [rcx+8] fffff800`0187accd mov rsi,qword ptr [rcx+10h] fffff800`0187acd1 mov r12,qword ptr [rcx+18h] fffff800`0187acd5 mov r13,qword ptr [rcx+20h] fffff800`0187acd9 mov r14,qword ptr [rcx+28h] fffff800`0187acdd mov r15,qword ptr [rcx+30h] fffff800`0187ace1 add rsp,138h fffff800`0187ace8 ret

We also see that if there is an attempt to switch from a DPC we get a bugcheck

1: kd> uf nt!SwapContext nt!SwapContext: fffff800`0187af50 sub rsp,38h fffff800`0187af54 mov qword ptr [rsp+30h],rbp fffff800`0187af59 mov byte ptr [rsp+28h],cl fffff800`0187af5d cmp byte ptr [rsi+95h],0 fffff800`0187af64 jne nt!SwapContext+0x1cb (fffff800`0187b11b)

[...]

nt!SwapContext+0x1b2: fffff800`0187b102 xor r9,r9 fffff800`0187b105 mov qword ptr [rsp+20h],r9 fffff800`0187b10a mov r8,rsi fffff800`0187b10d mov rdx,rdi fffff800`0187b110 mov ecx,0B8h fffff800`0187b115 call nt!KeBugCheckEx (fffff800`01878450) fffff800`0187b11a ret

It happens infrequently: http://www.dumpanalysis.org/blog/index.php/2008/03/12/bug-check-frequencies/

Idle process and threads can have NULL fields (pp. 418 - 419) - on x64 W2K8:

1: kd> !process poi(PsIdleProcess) PROCESS fffff800019970c0 SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000 DirBase: 00124000 ObjectTable: fffff88000000080 HandleCount: 551. Image: Idle VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0. DeviceMap 0000000000000000 Token fffff88000003330 ElapsedTime 00:00:00.000 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 0 QuotaPoolUsage[NonPagedPool] 0 Working Set Sizes (now,min,max) (6, 50, 450) (24KB, 200KB, 1800KB) PeakWorkingSetSize 6 VirtualSize 0 Mb PeakVirtualSize 0 Mb PageFaultCount 1 MemoryPriority BACKGROUND BasePriority 0 CommitCharge 0

THREAD fffff80001996b80 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0 Not impersonating DeviceMap fffff88000007310 Owning Process fffff800019970c0 Image: Idle Attached Process fffffa8003bf1040 Image: System Wait Start TickCount 16846 Ticks: 1721 (0:00:00:26.847) Context Switch Count 229608 UserTime 00:00:00.000 KernelTime 00:04:13.532 Win32 Start Address nt!KiIdleLoop (0xfffff8000187c880) Stack Init fffff80002bdadb0 Current fffff80002bdad40 Base fffff80002bdb000 Limit fffff80002bd5000 Call 0 Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0 Child-SP RetAddr Call Site fffff800`02bdad80 fffff800`01a49860 nt!KiIdleLoop+0x11b fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

THREAD fffffa60005f5d40 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1 Not impersonating DeviceMap fffff88000007310 Owning Process fffff800019970c0 Image: Idle Attached Process fffffa8003bf1040 Image: System Wait Start TickCount 0 Ticks: 18567 (0:00:04:49.647) Context Switch Count 241262 UserTime 00:00:00.000 KernelTime 00:04:23.501 Win32 Start Address nt!KiIdleLoop (0xfffff8000187c880) Stack Init fffffa600191bdb0 Current fffffa600191bd40 Base fffffa600191c000 Limit fffffa6001916000 Call 0 Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0 Child-SP RetAddr Call Site fffffa60`0191bcd8 fffffa60`00f07685 intelppm!C1Halt+0x2 fffffa60`0191bce0 fffff800`0187cb83 intelppm!C1Idle+0x9 fffffa60`0191bd10 fffff800`0187c8a1 nt!PoIdle+0x183 fffffa60`0191bd80 fffff800`01a49860 nt!KiIdleLoop+0x21 fffffa60`0191bdb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4 fffffa60`005efd00 00000000`00000000 0xfffffa60

MMCSS (MultiMedia Class Schedular Service) and priority boosts in Vista (p. 420)

Priority boosts never go beyond level 15 (p. 421) - looks like addition of velocities in relativity, where v1 > c/2, v2 > c/2 but v1+v2 < c (where c is the speed of light)

Priority boosts for low prioroty _ERESOURCE owners (pp. 422 - 423)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »

Reading Notebook: 18-March-10

Friday, March 19th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Deferred ready and standby thread states (p. 400)

Gait waiting (p. 401)

Transition state as state with paged out kernel stack (p. 401) - flattening thread state transition diagram for ready state:

deferred ready -> ready <-> running

Thread state counter in Performance Monitor (pp. 402 - 404)

Per-processor ready queues and O(1) (pp. 404 - 405)

PRCB (p. 404) - rather a huge structure on x64 W2K8:

0: kd> dt nt!_KPRCB +0x000 MxCsr : Uint4B +0x004 Number : Uint2B +0x006 InterruptRequest : UChar +0x007 IdleHalt : UChar +0x008 CurrentThread : Ptr64 _KTHREAD +0x010 NextThread : Ptr64 _KTHREAD +0x018 IdleThread : Ptr64 _KTHREAD +0x020 NestingLevel : UChar +0x021 Group : UChar +0x022 PrcbPad00 : [6] UChar +0x028 RspBase : Uint8B +0x030 PrcbLock : Uint8B +0x038 SetMember : Uint8B +0x040 ProcessorState : _KPROCESSOR_STATE +0x5f0 CpuType : Char +0x5f1 CpuID : Char +0x5f2 CpuStep : Uint2B +0x5f2 CpuStepping : UChar +0x5f3 CpuModel : UChar +0x5f4 MHz : Uint4B +0x5f8 HalReserved : [8] Uint8B +0x638 MinorVersion : Uint2B +0x63a MajorVersion : Uint2B +0x63c BuildType : UChar +0x63d CpuVendor : UChar +0x63e CoresPerPhysicalProcessor : UChar +0x63f LogicalProcessorsPerCore : UChar +0x640 ApicMask : Uint4B +0x644 CFlushSize : Uint4B +0x648 AcpiReserved : Ptr64 Void +0x650 InitialApicId : Uint4B +0x654 Stride : Uint4B +0x658 PrcbPad01 : [3] Uint8B +0x670 LockQueue : [49] _KSPIN_LOCK_QUEUE +0x980 PPLookasideList : [16] _PP_LOOKASIDE_LIST +0xa80 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL +0x1680 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL +0x2280 PacketBarrier : Uint8B +0×2288 DeferredReadyListHead : _SINGLE_LIST_ENTRY +0×2290 MmPageFaultCount : Int4B +0×2294 MmCopyOnWriteCount : Int4B +0×2298 MmTransitionCount : Int4B +0×229c MmDemandZeroCount : Int4B +0×22a0 MmPageReadCount : Int4B +0×22a4 MmPageReadIoCount : Int4B +0×22a8 MmDirtyPagesWriteCount : Int4B +0×22ac MmDirtyWriteIoCount : Int4B +0×22b0 MmMappedPagesWriteCount : Int4B +0×22b4 MmMappedWriteIoCount : Int4B +0×22b8 KeSystemCalls : Uint4B +0×22bc KeContextSwitches : Uint4B +0×22c0 CcFastReadNoWait : Uint4B +0×22c4 CcFastReadWait : Uint4B +0×22c8 CcFastReadNotPossible : Uint4B +0×22cc CcCopyReadNoWait : Uint4B +0×22d0 CcCopyReadWait : Uint4B +0×22d4 CcCopyReadNoWaitMiss : Uint4B +0×22d8 LookasideIrpFloat : Int4B +0×22dc IoReadOperationCount : Int4B +0×22e0 IoWriteOperationCount : Int4B +0×22e4 IoOtherOperationCount : Int4B +0×22e8 IoReadTransferCount : _LARGE_INTEGER +0×22f0 IoWriteTransferCount : _LARGE_INTEGER +0×22f8 IoOtherTransferCount : _LARGE_INTEGER +0×2300 TargetSet : Uint8B +0×2308 IpiFrozen : Uint4B +0×230c PrcbPad3 : [116] UChar +0×2380 RequestMailbox : [64] _REQUEST_MAILBOX +0×3380 SenderSummary : Uint8B +0×3388 PrcbPad4 : [120] UChar +0×3400 DpcData : [2] _KDPC_DATA +0×3440 DpcStack : Ptr64 Void +0×3448 SparePtr0 : Ptr64 Void +0×3450 MaximumDpcQueueDepth : Int4B +0×3454 DpcRequestRate : Uint4B +0×3458 MinimumDpcRate : Uint4B +0×345c DpcInterruptRequested : UChar +0×345d DpcThreadRequested : UChar +0×345e DpcRoutineActive : UChar +0×345f DpcThreadActive : UChar +0×3460 TimerHand : Uint8B +0×3460 TimerRequest : Uint8B +0×3468 TickOffset : Int4B +0×346c MasterOffset : Int4B +0×3470 DpcLastCount : Uint4B +0×3474 ThreadDpcEnable : UChar +0×3475 QuantumEnd : UChar +0×3476 PrcbPad50 : UChar +0×3477 IdleSchedule : UChar +0×3478 DpcSetEventRequest : Int4B +0×347c KeExceptionDispatchCount : Uint4B +0×3480 DpcEvent : _KEVENT +0×3498 PrcbPad51 : Ptr64 Void +0×34a0 CallDpc : _KDPC +0×34e0 ClockKeepAlive : Int4B +0×34e4 ClockCheckSlot : UChar +0×34e5 ClockPollCycle : UChar +0×34e6 PrcbPad6 : [2] UChar +0×34e8 DpcWatchdogPeriod : Int4B +0×34ec DpcWatchdogCount : Int4B +0×34f0 PrcbPad70 : [2] Uint8B +0×3500 WaitListHead : _LIST_ENTRY +0×3510 WaitLock : Uint8B +0×3518 ReadySummary : Uint4B +0×351c QueueIndex : Uint4B +0×3520 PrcbPad71 : [12] Uint8B +0×3580 DispatcherReadyListHead : [32] _LIST_ENTRY +0×3780 InterruptCount : Uint4B +0×3784 KernelTime : Uint4B +0×3788 UserTime : Uint4B +0×378c DpcTime : Uint4B +0×3790 InterruptTime : Uint4B +0×3794 AdjustDpcThreshold : Uint4B +0×3798 SkipTick : UChar +0×3799 DebuggerSavedIRQL : UChar +0×379a PollSlot : UChar +0×379b PrcbPad80 : [5] UChar +0×37a0 DpcTimeCount : Uint4B +0×37a4 DpcTimeLimit : Uint4B +0×37a8 PeriodicCount : Uint4B +0×37ac PeriodicBias : Uint4B +0×37b0 PrcbPad81 : [2] Uint8B +0×37c0 ParentNode : Ptr64 _KNODE +0×37c8 MultiThreadProcessorSet : Uint8B +0×37d0 MultiThreadSetMaster : Ptr64 _KPRCB +0×37d8 StartCycles : Uint8B +0×37e0 MmSpinLockOrdering : Int4B +0×37e4 PageColor : Uint4B +0×37e8 NodeColor : Uint4B +0×37ec NodeShiftedColor : Uint4B +0×37f0 SecondaryColorMask : Uint4B +0×37f4 Sleeping : Int4B +0×37f8 CycleTime : Uint8B +0×3800 CcFastMdlReadNoWait : Uint4B +0×3804 CcFastMdlReadWait : Uint4B +0×3808 CcFastMdlReadNotPossible : Uint4B +0×380c CcMapDataNoWait : Uint4B +0×3810 CcMapDataWait : Uint4B +0×3814 CcPinMappedDataCount : Uint4B +0×3818 CcPinReadNoWait : Uint4B +0×381c CcPinReadWait : Uint4B +0×3820 CcMdlReadNoWait : Uint4B +0×3824 CcMdlReadWait : Uint4B +0×3828 CcLazyWriteHotSpots : Uint4B +0×382c CcLazyWriteIos : Uint4B +0×3830 CcLazyWritePages : Uint4B +0×3834 CcDataFlushes : Uint4B +0×3838 CcDataPages : Uint4B +0×383c CcLostDelayedWrites : Uint4B +0×3840 CcFastReadResourceMiss : Uint4B +0×3844 CcCopyReadWaitMiss : Uint4B +0×3848 CcFastMdlReadResourceMiss : Uint4B +0×384c CcMapDataNoWaitMiss : Uint4B +0×3850 CcMapDataWaitMiss : Uint4B +0×3854 CcPinReadNoWaitMiss : Uint4B +0×3858 CcPinReadWaitMiss : Uint4B +0×385c CcMdlReadNoWaitMiss : Uint4B +0×3860 CcMdlReadWaitMiss : Uint4B +0×3864 CcReadAheadIos : Uint4B +0×3868 MmCacheTransitionCount : Int4B +0×386c MmCacheReadCount : Int4B +0×3870 MmCacheIoCount : Int4B +0×3874 PrcbPad91 : [3] Uint4B +0×3880 PowerState : _PROCESSOR_POWER_STATE +0×3998 KeAlignmentFixupCount : Uint4B +0×399c VendorString : [13] UChar +0×39a9 PrcbPad10 : [3] UChar +0×39ac FeatureBits : Uint4B +0×39b0 UpdateSignature : _LARGE_INTEGER +0×39b8 DpcWatchdogDpc : _KDPC +0×39f8 DpcWatchdogTimer : _KTIMER +0×3a38 Cache : [5] _CACHE_DESCRIPTOR +0×3a74 CacheCount : Uint4B +0×3a78 CachedCommit : Uint4B +0×3a7c CachedResidentAvailable : Uint4B +0×3a80 HyperPte : Ptr64 Void +0×3a88 WheaInfo : Ptr64 Void +0×3a90 EtwSupport : Ptr64 Void +0×3aa0 InterruptObjectPool : _SLIST_HEADER +0×3ab0 HypercallPageList : _SLIST_HEADER +0×3ac0 HypercallPageVirtual : Ptr64 Void +0×3ac8 VirtualApicAssist : Ptr64 Void +0×3ad0 StatisticsPage : Ptr64 Uint8B +0×3ad8 RateControl : Ptr64 Void +0×3ae0 CacheProcessorMask : [5] Uint8B +0×3b08 PackageProcessorSet : Uint8B +0×3b10 CoreProcessorSet : Uint8B

Changed thread quantum accounting in Vista (now: clock cycles), quantum targets, partial quantum decay (pp. 406 - 407)

The mystery of huge number in KiCyclesPerClockQuantum (p. 408) - here is an output on my PC:

0: kd> dd KiCyclesPerClockQuantum l1 fffff800`01a45170 008e58db

0: kd> !cpuinfo CP F/M/S Manufacturer MHz PRCB Signature MSR 8B Signature Features 0 6,15,2 GenuineIntel 1794 0000005600000000 20193ffe 1 6,15,2 GenuineIntel 1794 0000005600000000 20193ffe Cached Update Signature 0000005a00000000 Initial Update Signature 0000005600000000

C:\>C:\DL\Clockres.exe

Maximum timer interval: 15.600 ms Minimum timer interval: 0.500 ms Current timer interval: 1.000 ms

HKLM\S\CCS\C\PriorityControl\Win32PrioritySeparation vs. PsPrioritySeperation - looks like a misprint that needs fixing in the next version of Windows Why it was a deliberate misspelling (p. 411) we can only guess…

0: kd> dd PsPrioritySeperation l1 fffff800`01a45228 00000002

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | 1 Comment »

Reading Notebook: 15-March-10

Tuesday, March 16th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Limiting high-priority ready threads by a processor affinity (p. 391)

Thread dispatch reasons: ready, leaves running state, priority change, processor affinity change (p. 392)

Thread vs. process scheduling granularity (pp. 392 - 393)

Thread priority level 0 is reserved for zero page thread (p. 393)

2 pespectives on thread priority levels (pp. 393 - 394)

Changing CPU-intensive process base priority instead of priority of individual threads (p. 395)

Increased based priority for special processes (p. 395) - here is a comparison of base priorities between lsm.exe and smss.exe from x64 W2K8:

0: kd> !process fffffa80047ffc10 PROCESS fffffa80047ffc10 SessionId: 0 Cid: 0294 Peb: 7fffffd6000 ParentCid: 0238 DirBase: b1c4e000 ObjectTable: fffff88007f05cd0 HandleCount: 173. Image: lsm.exe VadRoot fffffa80046dd720 Vads 68 Clone 0 Private 462. Modified 0. Locked 0. DeviceMap fffff88000007310 Token fffff88007f376f0 ElapsedTime 00:04:17.552 UserTime 00:00:00.015 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 69000 QuotaPoolUsage[NonPagedPool] 7072 Working Set Sizes (now,min,max) (1314, 50, 345) (5256KB, 200KB, 1380KB) PeakWorkingSetSize 1318 VirtualSize 36 Mb PeakVirtualSize 38 Mb PageFaultCount 1375 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 756

0: kd> !process fffffa80046d9040 PROCESS fffffa80046d9040 SessionId: none Cid: 019c Peb: 7fffffdf000 ParentCid: 0004 DirBase: bccd5000 ObjectTable: fffff880005f45b0 HandleCount: 33. Image: smss.exe VadRoot fffffa80046d97e0 Vads 19 Clone 0 Private 96. Modified 24. Locked 0. DeviceMap fffff88000007310 Token fffff88000964af0 ElapsedTime 00:04:40.343 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 10392 QuotaPoolUsage[NonPagedPool] 1728 Working Set Sizes (now,min,max) (254, 50, 345) (1016KB, 200KB, 1380KB) PeakWorkingSetSize 254 VirtualSize 6 Mb PeakVirtualSize 16 Mb PageFaultCount 458 MemoryPriority BACKGROUND BasePriority 11 CommitCharge 127

Sleep(0) to relinquish the rest of quantum (p. 396)

Realtime Notepad (pp. 397 - 398) - I’m often asked why it doesn’t affect performance? This is because most threads in a system are waiting and notepad is waiting for window messages to process like keyboard and mouse. It is more noticeable when a realtime thread starts looping - it becomes scheduled every time

WSRM (Windows System Resource Manager) (pp. 398 - 399) - Looks good to prevent CPU spikes and memory leaks to come out of control

Thread priorities and IRQL (pp. 399 - 400) - in another words these concepts are orthogonal (independent from each other)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Posted in Notes on Windows Internals, Reading Notebook | No Comments »