Software Generalist

Reading Notebook: 17-May-2012

Dmitry Vostokov — Fri, 18 May 2012 07:37:08 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Mac OS X Internals by A. Singh:

kextstat command (p. 49) - here’s the output from my system:

MacBook-Air:~ DumpAnalysis$ kextstat Index Refs Address Size Wired Name (Version) 1 78 0xffffff7f80739000 0x683c 0x683c com.apple.kpi.bsd (11.3.0) 2 6 0xffffff7f807de000 0x3d0 0x3d0 com.apple.kpi.dsep (11.3.0) 3 104 0xffffff7f80744000 0x1b9d8 0x1b9d8 com.apple.kpi.iokit (11.3.0) 4 109 0xffffff7f8072f000 0x9b54 0x9b54 com.apple.kpi.libkern (11.3.0) 5 93 0xffffff7f80740000 0x88c 0x88c com.apple.kpi.mach (11.3.0) 6 37 0xffffff7f80760000 0x4938 0x4938 com.apple.kpi.private (11.3.0) 7 53 0xffffff7f80741000 0x22a0 0x22a0 com.apple.kpi.unsupported (11.3.0) 8 19 0xffffff7f80bc6000 0x7000 0x7000 com.apple.iokit.IOACPIFamily (1.4) <7 6 4 3> 9 27 0xffffff7f80765000 0x1e000 0x1e000 com.apple.iokit.IOPCIFamily (2.6.8) <7 6 5 4 3> 10 2 0xffffff7f81ba4000 0x58000 0x58000 com.apple.driver.AppleACPIPlatform (1.4) <9 8 7 6 5 4 3 1> 11 1 0xffffff7f809cc000 0xc000 0xc000 com.apple.driver.AppleKeyStore (28.18) <7 6 5 4 3 1> 12 9 0xffffff7f807e2000 0x25000 0x25000 com.apple.iokit.IOStorageFamily (1.7) <7 6 5 4 3 1> 13 0 0xffffff7f80c4c000 0x19000 0x19000 com.apple.driver.DiskImages (331.3) <12 7 6 5 4 3 1> 14 0 0xffffff7f818e6000 0x2a000 0x2a000 com.apple.driver.AppleIntelCPUPowerManagement (167.3.0) <7 6 5 4 3 1> 15 0 0xffffff7f807df000 0x3000 0x3000 com.apple.security.TMSafetyNet (7) <7 6 5 4 2 1> 16 2 0xffffff7f80846000 0x4000 0x4000 com.apple.kext.AppleMatch (1.0.0d1) <4 1> 17 1 0xffffff7f8084a000 0x11000 0x11000 com.apple.security.sandbox (177.3) <16 7 6 5 4 3 2 1> 18 0 0xffffff7f8085b000 0x5000 0x5000 com.apple.security.quarantine (1.1) <17 16 7 6 5 4 2 1> 19 0 0xffffff7f81c0b000 0x8000 0x8000 com.apple.nke.applicationfirewall (3.2.30) <7 6 5 4 3 1> 20 0 0xffffff7f818e2000 0x3000 0x3000 com.apple.driver.AppleIntelCPUPowerManagementClient (167.3.0) <7 6 5 4 3 1> 21 0 0xffffff7f81b81000 0x3000 0x3000 com.apple.driver.AppleAPIC (1.5) <4 3> 22 3 0xffffff7f80b62000 0x4000 0x4000 com.apple.iokit.IOSMBusFamily (1.1) <5 4 3> 23 0 0xffffff7f81bfc000 0x7000 0x7000 com.apple.driver.AppleACPIEC (1.4) <22 10 8 5 4 3> 24 0 0xffffff7f816da000 0x4000 0x4000 com.apple.driver.AppleSMBIOS (1.7) <7 4 3> 25 0 0xffffff7f81918000 0x3000 0x3000 com.apple.driver.AppleHPET (1.6) <8 7 5 4 3> 26 0 0xffffff7f816ff000 0x7000 0x7000 com.apple.driver.AppleRTC (1.4) <8 5 4 3 1> 27 6 0xffffff7f809d8000 0x6b000 0x6b000 com.apple.iokit.IOHIDFamily (1.7.1) <11 7 6 5 4 3 2 1> 28 0 0xffffff7f81c05000 0x4000 0x4000 com.apple.driver.AppleACPIButtons (1.4) <27 10 8 7 6 5 4 3 1> 29 1 0xffffff7f81b57000 0x4000 0x4000 com.apple.driver.AppleEFIRuntime (1.5.0) <7 6 5 4 3> 30 13 0xffffff7f80783000 0x4f000 0x4f000 com.apple.iokit.IOUSBFamily (4.5.8) <9 7 5 4 3 1> 32 0 0xffffff7f80a8e000 0x17000 0x17000 com.apple.driver.AppleUSBEHCI (4.5.8) <30 9 7 5 4 3 1> 33 2 0xffffff7f80dc8000 0xa000 0xa000 com.apple.iokit.IOAHCIFamily (2.0.7) <5 4 3 1> 34 0 0xffffff7f81b85000 0x18000 0x18000 com.apple.driver.AppleAHCIPort (2.2.0) <33 9 5 4 3 1> 35 0 0xffffff7f816df000 0x8000 0x8000 com.apple.driver.AppleSmartBatteryManager (161.0.0) <22 8 5 4 3 1> 36 0 0xffffff7f81b5b000 0x7000 0x7000 com.apple.driver.AppleEFINVRAM (1.5.0) <29 7 5 4 3> 37 5 0xffffff7f80986000 0x29000 0x29000 com.apple.iokit.IONetworkingFamily (2.0) <7 6 5 4 3 1> 38 1 0xffffff7f80dfb000 0x38000 0x38000 com.apple.iokit.IO80211Family (412.2) <37 7 5 4 3 1> 39 0 0xffffff7f80e33000 0x1e0000 0x1e0000 com.apple.driver.AirPort.Brcm4331 (513.20.19) <38 37 9 7 5 4 3 1> 40 0 0xffffff7f809c9000 0x3000 0x3000 com.apple.iokit.IOUSBUserClient (4.5.8) <30 7 5 4 3 1> 41 0 0xffffff7f80a79000 0x11000 0x11000 com.apple.driver.AppleUSBHub (4.5.0) <30 5 4 3 1> 42 4 0xffffff7f80ab2000 0x9e000 0x9e000 com.apple.iokit.IOThunderboltFamily (1.7.4) <5 4 3 1> 43 0 0xffffff7f8163e000 0x12000 0x12000 com.apple.driver.AppleThunderboltNHI (1.3.2) <42 9 8 5 4 3 1> 44 0 0xffffff7f80dde000 0x15000 0x15000 com.apple.iokit.IOAHCIBlockStorage (2.0.1) <33 12 5 4 3 1> 45 0 0xffffff7f815b2000 0x4000 0x4000 com.apple.driver.XsanFilter (403) <12 5 4 3 1> 46 0 0xffffff7f81342000 0x9000 0x9000 com.apple.BootCache (33) <7 6 5 4 3 1> 47 0 0xffffff7f81b46000 0x5000 0x5000 com.apple.AppleFSCompression.AppleFSCompressionTypeZlib (1.0.0d1) <6 4 3 2 1> 48 0 0xffffff7f81b4d000 0x5000 0x5000 com.apple.AppleFSCompression.AppleFSCompressionTypeDataless (1.0.0d1) <7 6 4 3 2 1> 49 1 0xffffff7f807d2000 0x6000 0x6000 com.apple.driver.AppleUSBComposite (4.5.8) <30 4 3 1> 50 0 0xffffff7f807d8000 0x6000 0x6000 com.apple.driver.AppleUSBMergeNub (4.5.3) <49 30 4 3 1> 51 3 0xffffff7f80a43000 0x8000 0x8000 com.apple.iokit.IOUSBHIDDriver (4.4.5) <30 27 5 4 3 1> 52 0 0xffffff7f815de000 0x4000 0x4000 com.apple.driver.AppleUSBTCKeyboard (225.2) <51 30 27 7 6 5 4 3 1> 55 2 0xffffff7f80cc1000 0x76000 0x76000 com.apple.iokit.IOBluetoothFamily (4.0.3f12) <7 5 4 3 1> 56 1 0xffffff7f80d57000 0xe000 0xe000 com.apple.driver.AppleUSBBluetoothHCIController (4.0.3f12) <55 30 7 5 4 3> 57 0 0xffffff7f80d6d000 0x9000 0x9000 com.apple.driver.BroadcomUSBBluetoothHCIController (4.0.3f12) <56 55 30 5 4 3> 58 0 0xffffff7f81632000 0x4000 0x4000 com.apple.driver.AppleThunderboltPCIDownAdapter (1.2.1) <42 9 4 3> 59 0 0xffffff7f815e7000 0x13000 0x13000 com.apple.driver.AppleUSBMultitouch (227.1) <51 30 27 6 5 4 3 1> 60 1 0xffffff7f81650000 0x8000 0x8000 com.apple.driver.AppleThunderboltDPAdapterFamily (1.5.9) <42 9 8 5 4 3> 61 0 0xffffff7f81658000 0x4000 0x4000 com.apple.driver.AppleThunderboltDPInAdapter (1.5.9) <60 42 9 8 5 4 3> 62 0 0xffffff7f815e3000 0x3000 0x3000 com.apple.driver.AppleUSBTCButtons (225.2) <51 30 27 7 6 5 4 3 1> 64 3 0xffffff7f80861000 0x2b000 0x2b000 com.apple.iokit.IOSCSIArchitectureModelFamily (3.0.3) <5 4 3 1> 65 1 0xffffff7f809b8000 0x11000 0x11000 com.apple.iokit.IOUSBMassStorageClass (3.0.1) <64 30 12 5 4 3 1> 67 14 0xffffff7f80c02000 0x38000 0x38000 com.apple.iokit.IOGraphicsFamily (2.3.2) <9 7 5 4 3> 68 0 0xffffff7f817a8000 0x3a000 0x3a000 com.apple.driver.AppleIntelSNBGraphicsFB (7.1.8) <67 9 8 7 6 5 4 3 1> 72 7 0xffffff7f80c3a000 0x12000 0x12000 com.apple.iokit.IONDRVSupport (2.3.2) <67 9 7 5 4 3> 73 1 0xffffff7f81b1c000 0x3000 0x3000 com.apple.driver.AppleBacklightExpert (1.0.3) <72 67 9 5 4 3> 74 0 0xffffff7f81b71000 0x5000 0x5000 com.apple.driver.AppleBacklight (170.1.9) <73 72 67 9 5 4 3> 75 1 0xffffff7f81b0a000 0x3000 0x3000 com.apple.driver.AppleGraphicsControl (3.0.16) <72 67 9 8 7 5 4 3 1> 77 0 0xffffff7f8179b000 0x3000 0x3000 com.apple.driver.AppleLPC (1.5.3) <9 5 4 3> 78 0 0xffffff7f816c9000 0x3000 0x3000 com.apple.driver.AppleSMBusPCI (1.0.10d0) <9 5 4 3> 79 1 0xffffff7f80bcd000 0x13000 0x13000 com.apple.driver.IOPlatformPluginFamily (4.7.5d4) <8 7 6 5 4 3> 80 3 0xffffff7f80be0000 0xc000 0xc000 com.apple.driver.AppleSMC (3.1.1d8) <8 7 5 4 3> 81 0 0xffffff7f80bec000 0x11000 0x11000 com.apple.driver.ACPI_SMC_PlatformPlugin (4.7.5d4) <80 79 9 8 7 6 5 4 3> 82 0 0xffffff7f81b0d000 0xf000 0xf000 com.apple.driver.ApplePolicyControl (3.0.16) <75 72 67 9 8 7 5 4 3 1> 83 2 0xffffff7f8135c000 0x6000 0x6000 com.apple.kext.OSvKernDSPLib (1.3) <5 4> 84 4 0xffffff7f81362000 0x2a000 0x2a000 com.apple.iokit.IOAudioFamily (1.8.6fc6) <83 5 4 3 1> 85 0 0xffffff7f8138c000 0x4000 0x4000 com.apple.driver.AudioIPCDriver (1.2.2) <84 5 4 3 1> 86 0 0xffffff7f812a6000 0x5000 0x5000 com.apple.Dont_Steal_Mac_OS_X (7.0.0) <80 7 4 3 1> 87 2 0xffffff7f81931000 0xc000 0xc000 com.apple.iokit.IOHDAFamily (2.1.7f9) <5 4 3 1> 88 1 0xffffff7f8196c000 0x1a000 0x1a000 com.apple.driver.AppleHDAController (2.1.7f9) <87 67 9 6 5 4 3 1> 89 1 0xffffff7f80d76000 0x5000 0x5000 com.apple.iokit.IOEthernetAVBController (1.0.0d5) <37 5 4 3 1> 90 0 0xffffff7f80d7b000 0x9000 0x9000 com.apple.iokit.IOAVBFamily (1.0.0d22) <89 37 5 4 3 1> 91 1 0xffffff7f80b66000 0xe000 0xe000 com.apple.iokit.IOSerialFamily (10.0.5) <7 6 5 4 3 1> 92 0 0xffffff7f80d49000 0xe000 0xe000 com.apple.iokit.IOBluetoothSerialManager (4.0.3f12) <91 7 5 4 3 1> 93 0 0xffffff7f816c2000 0x5000 0x5000 com.apple.driver.AppleSMCLMU (2.0.1d2) <80 67 5 4 3> 94 0 0xffffff7f80b50000 0x12000 0x12000 com.apple.iokit.IOSurface (80.0) <7 5 4 3 1> 95 0 0xffffff7f809af000 0x6000 0x6000 com.apple.iokit.IOUserEthernet (1.0.0d1) <37 6 5 4 3 1> 96 0 0xffffff7f817e2000 0xe1000 0xe1000 com.apple.driver.AppleIntelHD3000Graphics (7.1.8) <72 67 9 7 5 4 3 1> 97 1 0xffffff7f816cc000 0xe000 0xe000 com.apple.driver.AppleSMBusController (1.0.10d0) <22 9 8 5 4 3> 98 0 0xffffff7f81afb000 0xb000 0xb000 com.apple.driver.AGPM (100.12.42) <72 67 9 5 4 3> 100 0 0xffffff7f8174b000 0x4000 0x4000 com.apple.driver.ApplePlatformEnabler (2.0.4d2) <7 5 4 3> 101 0 0xffffff7f81392000 0x5000 0x5000 com.apple.driver.AudioAUUC (1.59) <84 67 9 8 7 5 4 3 1> 102 0 0xffffff7f81b77000 0xa000 0xa000 com.apple.driver.AppleAVBAudio (1.0.0d11) <5 4 3 1> 103 0 0xffffff7f8176c000 0xa000 0xa000 com.apple.driver.AppleMCCSControl (1.0.26) <67 9 7 5 4 3 1> 104 0 0xffffff7f81601000 0x5000 0x5000 com.apple.driver.AppleUpstreamUserClient (3.5.9) <67 9 8 7 5 4 3 1> 105 0 0xffffff7f8193d000 0x22000 0x22000 com.apple.driver.AppleMikeyDriver (2.1.7f9) <97 8 5 4 3 1> 106 1 0xffffff7f81986000 0xa4000 0xa4000 com.apple.driver.DspFuncLib (2.1.7f9) <84 83 5 4 3 1> 107 0 0xffffff7f81a2a000 0xaf000 0xaf000 com.apple.driver.AppleHDA (2.1.7f9) <106 88 87 84 72 67 6 5 4 3 1> 109 0 0xffffff7f81761000 0x3000 0x3000 com.apple.driver.AppleMikeyHIDDriver (122) <27 7 4 3 1> 110 1 0xffffff7f8134c000 0x5000 0x5000 com.apple.kext.triggers (1.0) <7 6 5 4 3 1> 111 0 0xffffff7f81351000 0x9000 0x9000 com.apple.filesystems.autofs (3.0) <110 7 6 5 4 3 1> 116 3 0xffffff7f80b8a000 0xd000 0xd000 com.apple.iokit.IOCDStorageFamily (1.7) <12 5 4 3 1> 117 2 0xffffff7f80b97000 0xb000 0xb000 com.apple.iokit.IODVDStorageFamily (1.7) <116 12 5 4 3 1> 118 1 0xffffff7f80ba2000 0xa000 0xa000 com.apple.iokit.IOBDStorageFamily (1.6) <117 116 12 5 4 3 1> 119 0 0xffffff7f80bac000 0x1a000 0x1a000 com.apple.iokit.IOSCSIMultimediaCommandsDevice (3.0.3) <118 117 116 64 12 5 4 3 1> 121 0 0xffffff7f81911000 0x5000 0x5000 com.apple.driver.AppleHWSensor (1.9.4d0) <5 4 3> 122 7 0xffffff7f81c20000 0x46000 0x46000 com.apple.iokit.AppleProfileFamily (85.2) <9 7 6 5 4 3 1> 123 0 0xffffff7f81c66000 0x7000 0x7000 com.apple.driver.AppleIntelProfile (85.2) <122 6 4 3> 124 0 0xffffff7f81c6f000 0x4000 0x4000 com.apple.driver.AppleProfileCallstackAction (85.2) <122 6 5 4 3 1> 125 0 0xffffff7f81c73000 0x3000 0x3000 com.apple.driver.AppleProfileKEventAction (85.2) <122 4 3 1> 126 0 0xffffff7f81c76000 0x4000 0x4000 com.apple.driver.AppleProfileReadCounterAction (85.2) <122 6 4 3> 127 0 0xffffff7f81c7a000 0x3000 0x3000 com.apple.driver.AppleProfileRegisterStateAction (85.2) <122 4 3 1> 128 0 0xffffff7f81c7d000 0x4000 0x4000 com.apple.driver.AppleProfileThreadInfoAction (85.2) <122 6 4 3 1> 129 0 0xffffff7f81c81000 0x4000 0x4000 com.apple.driver.AppleProfileTimestampAction (85.2) <122 5 4 3 1> 130 0 0xffffff7f80807000 0xc000 0xc000 com.apple.nke.ppp (1.7) <7 6 5 4 3 1> 313 0 0xffffff7f808ff000 0x2000 0x2000 com.apple.driver.AppleUSBODD (3.0.1) <65 64 30 12 5 4 3 1> 315 0 0xffffff7f8147b000 0x35000 0x35000 com.apple.filesystems.udf (2.2) <7 5 4 1>

XNU is not a microkernel (p. 50) - Windows Internals book also mentions that about itself at the beginning

u-area (p. 52) - in Windows the equivalent can be TEB and PEB structures

UBC (p. 52) - looks like in Windows we have the same unification of file cache and virtual memory subsystems

- Dmitry Vostokov @ SoftwareGeneralist.com -

Software as Means of Production

Dmitry Vostokov — Mon, 23 Apr 2012 11:57:36 +0000

The cover of the latest Economist issue arrived today picturing a third industrial revolution prompted me to write about Software as means of production that I was thinking for sometime and even created a Software Generalist Party you are welcome to join. Software generalists are the future driving force of society change and I started working on a work comparable to Marx’s Capital called Software, Volume 1 subtitled as A Critical Analysis of Industrial Production (ISBN: 978-1908043375). It will also include an analysis of new emerging commodities such as memories.

- Dmitry Vostokov @ SoftwareGeneralist.com -

Resuming Reading Notebook

Dmitry Vostokov — Fri, 13 Apr 2012 09:49:32 +0000

Finally the book has arrived and I plan to continue my close reading with relevant comments pointing to DumpAnalysis.org and any additional experiments if needed, for example, to cover x64 Windows (the new edition is still 32-bit oriented in WinDbg examples).

Windows Internals, Part 1: Covering Windows Server 2008 R2 and Windows 7

- Dmitry Vostokov @ SoftwareGeneralist.com -

A History of Software in 64 Programs

Dmitry Vostokov — Mon, 14 Nov 2011 23:15:15 +0000

This is a new exiting book project I’m working on now scheduled for release in 2012 with ISBN 978-1908043337. If your company would like to have its programs considered for inclusion please let me know and send a copy just in case I would need to include screenshots. I’ll update about this project soon.

- Dmitry Vostokov @ SoftwareGeneralist.com -

MVC Worldview and The Origin of Economic Order

Dmitry Vostokov — Wed, 07 Sep 2011 13:24:21 +0000

A few weeks ago when I was asked about my opinion whether the current economic crisis will deepen an idea came to me that Cloud Computing is the last Model piece of MVC (Model-View-Controller) where View is Social Media such as Facebook, LinkedIn, Twitter, etc. and Controller is Internet itself. With the final piece of the puzzle the World needs new MVC Revolution in order to get back on track.

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 04-March-11

Dmitry Vostokov — Thu, 10 Mar 2011 21:38:28 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

HKLM\S\MountedDevices and basic disk volume partition offset (pp. 667 - 668)

General reparse points; symbolic links and mount points as their applications (p. 669)

Device object -> VPB, !vpb WinDbg command (p. 670) - here’s on my x64 W2K8 system:

0: kd> dt _DEVICE_OBJECT ntdll!_DEVICE_OBJECT +0x000 Type : Int2B +0x002 Size : Uint2B +0x004 ReferenceCount : Int4B +0x008 DriverObject : Ptr64 _DRIVER_OBJECT +0x010 NextDevice : Ptr64 _DEVICE_OBJECT +0x018 AttachedDevice : Ptr64 _DEVICE_OBJECT +0x020 CurrentIrp : Ptr64 _IRP +0x028 Timer : Ptr64 _IO_TIMER +0x030 Flags : Uint4B +0x034 Characteristics : Uint4B +0×038 Vpb : Ptr64 _VPB +0×040 DeviceExtension : Ptr64 Void +0×048 DeviceType : Uint4B +0×04c StackSize : Char +0×050 Queue : +0×098 AlignmentRequirement : Uint4B +0×0a0 DeviceQueue : _KDEVICE_QUEUE +0×0c8 Dpc : _KDPC +0×108 ActiveThreadCount : Uint4B +0×110 SecurityDescriptor : Ptr64 Void +0×118 DeviceLock : _KEVENT +0×130 SectorSize : Uint2B +0×132 Spare1 : Uint2B +0×138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION +0×140 Reserved : Ptr64 Void

0: kd> dt _VPB ntdll!_VPB +0x000 Type : Int2B +0x002 Size : Int2B +0x004 Flags : Uint2B +0x006 VolumeLabelLength : Uint2B +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT +0x010 RealDevice : Ptr64 _DEVICE_OBJECT +0x018 SerialNumber : Uint4B +0x01c ReferenceCount : Uint4B +0x020 VolumeLabel : [32] Wchar

FS -> Volume I/O (pp. 674 - 675) - we can also see driver stack from IRP I/O stack locations:

2: kd> !irp fffffa8017492b80 [...] cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 4,34] 1c e0 fffffa800dfe2060 00000000 fffff88001186f30-00000000 Success Error Cancel \Driver\Disk partmgr!PmReadWriteCompletion Args: 00001000 00000000 b99a9000 00000000 [ 4, 0] 1c e0 fffffa800dfe2b90 00000000 fffff88001197180-fffffa800da89e20 Success Error Cancel \Driver\partmgr volmgr!VmpReadWriteCompletionRoutine Args: 148ce8c5bed 00000000 b99a9000 00000000 [ 4, 0] c e0 fffffa800da89cd0 00000000 fffff88001968150-fffffa800dfe7190 Success Error Cancel \Driver\volmgr volsnap!VspRefCountCompletionRoutine Args: 00001000 00000000 148ce8c5be9 00000000 [ 4, 0] c e1 fffffa800dfe7040 00000000 fffff88001a464f4-fffff88002777a10 Success Error Cancel pending \Driver\volsnap Ntfs!NtfsMasterIrpSyncCompletionRoutine Args: 00001000 00000000 b996a000 00000000 [ 4, 0] 0 0 fffffa800dfed030 fffffa800da958e0 00000000-00000000 \FileSystem\Ntfs Args: 00001000 00000000 01afc000 00000000 […]

BitLocker architecture diagram (p.678) - parts can be seen from IRP I/O stack locations:

kd> !irp 85e7ee00 [...] cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3,34] 10 e0 857b9030 00000000 8353724e-00000000 Success Error Cancel \Driver\Disk partmgr!PmReadWriteCompletion Args: 00001000 00000000 400d6000 00000000 [ 3, 0] 10 0 857b9d18 00000000 00000000-00000000 \Driver\partmgr Args: 6bad71d7 00000000 400d6000 00000000 [ 3, 0] 10 e0 8478b5f0 00000000 835487a4-857bc2f0 Success Error Cancel \Driver\DriverA volmgr!VmpReadWriteCompletionRoutine Args: 00001000 00000000 400d6000 00000000 [ 3, 0] 0 e0 857bc238 00000000 872c83e2-857bfb70 Success Error Cancel \Driver\volmgr fvevol!FvePassThroughCompletion Args: 00001000 00000000 6bad70ba 00000000 [ 3, 0] 0 e0 857bfab8 00000000 8709807a-859a2118 Success Error Cancel \Driver\fvevol Ntfs!NtfsMasterIrpAsyncCompletionRoutine Args: 00001000 00000000 40097000 00000000 [ 3, 0] 0 1 857e2020 8584ca40 00000000-00000000 pending \FileSystem\Ntfs Args: 00001000 00000000 0329e000 00000000 […]

VMK -> FVEK: possibility for rekeying (p. 679)

Maximum protection: TPM+USB+PIN (p. 679)

Diffuser to protect from manipulations with AES-encrypted ciphertext (p. 681)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 23-February-11

Dmitry Vostokov — Thu, 24 Feb 2011 20:55:39 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

The distinction between class, port and miniport components in storage stack (pp. 646 - 647)

Example: disk.sys as a class driver, ataport.sys and atapi.sys as port and miniport drivers (pp. 647 - 448)

MPIO (multi path I/O), DSM (device-specific modules) and storage stack (pp. 649 - 650)

Old and new naming convention (DRX) for disk device objects (p. 650)

Win32 API disk drive naming (p. 651)

Partition device objects (p. 652)

Volume manager as a bus driver (p. 655)

System vs. boot volume (p. 660)

Volmgr.sys vs. Volmgrx.sys (p. 661)

The advantages of storing volume metadata in a file (p. 662)

Spanned, striped (RAID-0), mirrored (RAID-1), RAID-5 (striped with rotated parity) (pp. 662 - 667)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 21-February-11

Dmitry Vostokov — Mon, 21 Feb 2011 21:31:40 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Differences between driver and service loading (p. 623)

Tag value precedence redefinition (p. 624)

Verbose !devnode command options (pp. 627 - 628)

DID=VID.PID and DIID=DID.IID (p. 630)

Hybrid sleep (pp. 637-638)

Power dispatch routine (p. 639) - Here’s a dispatch routine for a PCI driver from my x64 W2K8R2 system:

0: kd> !devnode 0 3 Dumping IopRootDeviceNode (= 0xfffffa8003c1ed90) DevNode 0xfffffa8003c1ed90 for PDO 0xfffffa8003c1db10 InstancePath is "HTREE\ROOT\0" State = DeviceNodeStarted (0x308) Previous State = DeviceNodeEnumerateCompletion (0x30d)

[...]

DevNode 0xfffffa8003e91b10 for PDO 0xfffffa8003e40a20 InstancePath is “PCI\VEN_8086&DEV_2810&SUBSYS_00000000&REV_02\3&172e68dd&0&F8″ ServiceName is “msisadrv” State = DeviceNodeStarted (0×308) Previous State = DeviceNodeEnumerateCompletion (0×30d)

[...]

0: kd> !devobj 0xfffffa8003e40a20 Device object (fffffa8003e40a20) is for: NTPNP_PCI0013 \Driver\pci DriverObject fffffa8003cfe270 Current Irp 00000000 RefCount 0 Type 00000022 Flags 00001040 Dacl fffff9a10008b231 DevExt fffffa8003e40b70 DevObjExt fffffa8003e40f90 DevNode fffffa8003e91b10 ExtensionFlags (0×00000800) Unknown flags 0×00000800 AttachedDevice (Upper) fffffa8003e3f800 \Driver\ACPI Device queue is not busy.

0: kd> !drvobj fffffa8003cfe270 f Driver object (fffffa8003cfe270) is for: \Driver\pci Driver Extension List: (id , addr)

Device Object list: fffffa8003e9da20 fffffa8003e9a060 fffffa8003e99a20 fffffa8003e939f0 fffffa8003e93040 fffffa8003e92660 fffffa8003e92cb0 fffffa8003e42060 fffffa8003e41a20 fffffa8003e41060 fffffa8003e40a20 fffffa8003e40060 fffffa8003e3fa20 fffffa8003e3f060 fffffa8003e3ea20 fffffa8003e3e060 fffffa8003e3da20 fffffa8003e3d060 fffffa8003e3ca20 fffffa8003e3c060 fffffa8003e3ba20 fffffa8003e3b060 fffffa8003e3aa20 fffffa8003e3a060 fffffa8003e37530

DriverEntry: fffff880013ae1a0 pci!GsDriverEntry DriverStartIo: 00000000� DriverUnload: fffff880013a2fec pci!PciDriverUnload AddDevice: fffff8800139ae54 pci!PciAddDevice

Dispatch routines: [00] IRP_MJ_CREATE fffff80001ab5cfc nt!IopInvalidDeviceRequest [01] IRP_MJ_CREATE_NAMED_PIPE fffff80001ab5cfc nt!IopInvalidDeviceRequest [02] IRP_MJ_CLOSE fffff80001ab5cfc nt!IopInvalidDeviceRequest [03] IRP_MJ_READ fffff80001ab5cfc nt!IopInvalidDeviceRequest [04] IRP_MJ_WRITE fffff80001ab5cfc nt!IopInvalidDeviceRequest [05] IRP_MJ_QUERY_INFORMATION fffff80001ab5cfc nt!IopInvalidDeviceRequest [06] IRP_MJ_SET_INFORMATION fffff80001ab5cfc nt!IopInvalidDeviceRequest [07] IRP_MJ_QUERY_EA fffff80001ab5cfc nt!IopInvalidDeviceRequest [08] IRP_MJ_SET_EA fffff80001ab5cfc nt!IopInvalidDeviceRequest [09] IRP_MJ_FLUSH_BUFFERS fffff80001ab5cfc nt!IopInvalidDeviceRequest [0a] IRP_MJ_QUERY_VOLUME_INFORMATION fffff80001ab5cfc nt!IopInvalidDeviceRequest [0b] IRP_MJ_SET_VOLUME_INFORMATION fffff80001ab5cfc nt!IopInvalidDeviceRequest [0c] IRP_MJ_DIRECTORY_CONTROL fffff80001ab5cfc nt!IopInvalidDeviceRequest [0d] IRP_MJ_FILE_SYSTEM_CONTROL fffff80001ab5cfc nt!IopInvalidDeviceRequest [0e] IRP_MJ_DEVICE_CONTROL fffff8800139e6d0 pci!PciDispatchDeviceControl [0f] IRP_MJ_INTERNAL_DEVICE_CONTROL fffff80001ab5cfc nt!IopInvalidDeviceRequest [10] IRP_MJ_SHUTDOWN fffff80001ab5cfc nt!IopInvalidDeviceRequest [11] IRP_MJ_LOCK_CONTROL fffff80001ab5cfc nt!IopInvalidDeviceRequest [12] IRP_MJ_CLEANUP fffff80001ab5cfc nt!IopInvalidDeviceRequest [13] IRP_MJ_CREATE_MAILSLOT fffff80001ab5cfc nt!IopInvalidDeviceRequest [14] IRP_MJ_QUERY_SECURITY fffff80001ab5cfc nt!IopInvalidDeviceRequest [15] IRP_MJ_SET_SECURITY fffff80001ab5cfc nt!IopInvalidDeviceRequest [16] IRP_MJ_POWER fffff880013848fc pci!PciDispatchPnpPower [17] IRP_MJ_SYSTEM_CONTROL fffff8800139e66c pci!PciDispatchSystemControl [18] IRP_MJ_DEVICE_CHANGE fffff80001ab5cfc nt!IopInvalidDeviceRequest [19] IRP_MJ_QUERY_QUOTA fffff80001ab5cfc nt!IopInvalidDeviceRequest [1a] IRP_MJ_SET_QUOTA fffff80001ab5cfc nt!IopInvalidDeviceRequest [1b] IRP_MJ_PNP fffff880013848fc pci!PciDispatchPnpPower

!pocaps and !popolicy WinDbg commands (pp. 641 - 643)

Unlike other PnP operations like normal eject power cannot be vetoed by drivers and apps (pp. 643 - 644)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Software Generalist View of Religion (Part 1)

Dmitry Vostokov — Wed, 13 Oct 2010 20:58:09 +0000

In seeking spritual faith a software generalist views various religious worldviews as packages providing interfaces (IReligion). The methods of such interface will be discussed in the next part but for now I show a UML diagram:

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 20-September-10

Dmitry Vostokov — Tue, 28 Sep 2010 16:41:25 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

I/O Completion Ports (pp. 592 - 598) - my own architectural investigation from a complete memory dump perspective: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/

Lock contention (p. 594) - some patterns: http://www.dumpanalysis.org/blog/index.php/2010/09/21/contention-patterns/

Concurrency value may exceed concurrently limit for I/O CP (p. 595)

KeRemoveQueueEx (p. 596) - see also Passive System Thread pattern: http://www.dumpanalysis.org/blog/index.php/2007/11/20/crash-dump-analysis-patterns-part-31a/

I/O priority queues and strategies for IRP (p. 599) - priority fields in _EPROCESS and _ETHREAD structures from x64 W2K8 R2:

1: kd> dt _EPROCESS ntdll!_EPROCESS +0x000 Pcb : _KPROCESS [...] +0x438 DefaultIoPriority : Pos 27, 3 Bits [...]

1: kd> dt _ETHREAD ntdll!_ETHREAD +0x000 Tcb : _KTHREAD [...] +0x448 ThreadIoPriority : Pos 10, 3 Bits [...]

Driver Verifier (pp. 604 - 606) - see also Instrumentation Information pattern: http://www.dumpanalysis.org/blog/index.php/2010/09/27/crash-dump-analysis-patterns-part-107/

WDF book (p. 607) - there is also another book coming soon: http://www.dumpanalysis.org/blog/index.php/2010/08/19/windows-7-device-driver-book/

Listing KMDF drivers (p. 608) - here’s the output from x64 W2K8 R2 system:

1: kd> !wdfkd.wdfldr LoadedModuleList 0xfffff8800115a2d8 ---------------------------------- LIBRARY_MODULE fffffa8003bc8d10 Version v1.9 build(7600) Service \Registry\Machine\System\CurrentControlSet\Services\Wdf01000 ImageName Wdf01000.sys ImageAddress 0xfffff880010ae000 ImageSize 0xa4000 Associated Clients: 10

ImageName Version WdfGlobals FxGlobals ImageAddress ImageSize peauth.sys v1.7(6001) 0xfffffa8004bf6510 0xfffffa8004bf63c0 0xfffff88004600000 0x000a6000 monitor.sys v1.9(7600) 0xfffffa80048f55d0 0xfffffa80048f5480 0xfffff88003752000 0x0000e000 umbus.sys v1.9(7600) 0xfffffa8004371160 0xfffffa8004371010 0xfffff88002db0000 0x00012000 CompositeBus.sys v1.9(7600) 0xfffffa8004440800 0xfffffa80044406b0 0xfffff88002a45000 0x00010000 HDAudBus.sys v1.7(6001) 0xfffffa80043c9160 0xfffffa80043c9010 0xfffff88002b48000 0x00024000 intelppm.sys v1.9(7600) 0xfffffa8004271dd0 0xfffffa8004271c80 0xfffff88002ab0000 0x00016000 cdrom.sys v1.9(7600) 0xfffffa80041f3fc0 0xfffffa80041f3e70 0xfffff88001400000 0x0002a000 vmstorfl.sys v1.5(6000) 0xfffffa80040129e0 0xfffffa8004012890 0xfffff88001750000 0x00010000 msisadrv.sys v1.9(7600) 0xfffffa8003ebb910 0xfffffa8003ebb7c0 0xfffff880012c6000 0x0000a000 vdrvroot.sys v1.9(7600) 0xfffffa8003d3fa00 0xfffffa8003d3f8b0 0xfffff88001262000 0x0000d000 ---------------------------------- Total: 1 library loaded

Extension of device extension extension into object context in KMDF (pp. 611 - 612)

UMDF reflectors (p. 617)

WUDFHost.exe (p. 618) - here’s its stack trace collection from x64 W2K8 R2 after I inserted an USB flash drive and attached WinDbg non-invasilvely:

0:000> ~*k

. 0 Id: 58c.12f4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen Child-SP RetAddr Call Site 00000000`0018f988 000007fe`fd8510ac ntdll!ZwWaitForSingleObject+0xa 00000000`0018f990 00000000`ff3bba44 KERNELBASE!WaitForSingleObjectEx+0x9c 00000000`0018fa30 00000000`ff3b8ce7 WUDFHost!CLpcNotification::Run+0x1c 00000000`0018fa60 00000000`ff3d2cb1 WUDFHost!wmain+0xc7b 00000000`0018fc60 00000000`7746f56d WUDFHost!ConvertStringSidToSidW+0x19b 00000000`0018fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`0018fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

1 Id: 58c.1304 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen Child-SP RetAddr Call Site 00000000`00c4f918 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa 00000000`00c4f920 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6 00000000`00c4f990 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f 00000000`00c4f9e0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4 00000000`00c4fa70 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119 00000000`00c4fc20 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127 00000000`00c4fc70 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62 00000000`00c4fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`00c4fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

2 Id: 58c.6e8 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen Child-SP RetAddr Call Site 00000000`00dfe988 000007fe`fd853ef8 ntdll!NtQueryAttributesFile+0xa 00000000`00dfe990 000007fe`f3be9970 KERNELBASE!GetFileAttributesW+0x78 00000000`00dfea30 000007fe`f27ce8c9 WpdFs!COperationGetFastBasicProperties::OnImpersonate+0x1c0 00000000`00dfea70 000007fe`f3be9734 WUDFx!CWdfIoRequest::Impersonate+0x151 00000000`00dfeae0 000007fe`f3bda26b WpdFs!COperationGetFastBasicProperties::Invoke+0x2c4 00000000`00dfeb50 000007fe`f3bd8837 WpdFs!WpdObjectProperties::GetValues+0x3f7 00000000`00dfecd0 000007fe`f3bd8344 WpdFs!WpdObjectProperties::OnGetValues+0x10b 00000000`00dfed50 000007fe`f3bcf974 WpdFs!WpdObjectProperties::DispatchWpdMessage+0x1a0 00000000`00dfee10 000007fe`f3bcd51a WpdFs!WpdBaseDriver::DispatchWpdMessage+0x4c0 00000000`00dfef60 000007fe`f3bcdd6c WpdFs!CQueue::ProcessWpdMessage+0x29a 00000000`00dff010 000007fe`f27bf610 WpdFs!CQueue::OnDeviceIoControl+0x494 00000000`00dff160 000007fe`f27c0b5a WUDFx!CWdfIoQueue::SubmitRequest+0x358 00000000`00dff1f0 000007fe`f27c0955 WUDFx!CWdfIoQueue::DispatchRequestToDriver+0x86 00000000`00dff240 000007fe`f27bff83 WUDFx!CWdfIoQueue::DispatchEvents+0x3cd 00000000`00dff2b0 000007fe`f27b61b5 WUDFx!CWdfIoQueue::QueueRequest+0x2c3 00000000`00dff300 000007fe`f27b6f20 WUDFx!CWdfDevice::DispatchRequest+0x149 00000000`00dff350 00000000`ff3ccbb6 WUDFx!CWdfDevice::DeviceControl+0x1a8 00000000`00dff3c0 00000000`ff3c2f92 WUDFHost!CWudfIoIrp::Dispatch+0x13e 00000000`00dff420 00000000`ff3bad47 WUDFHost!CWudfDeviceStack::Forward+0x41a 00000000`00dff490 000007fe`fb87da6a WUDFHost!CLpcNotification::Message+0xd9b 00000000`00dff6c0 000007fe`fb87c848 WUDFPlatform!WdfLpcPort::ProcessMessage+0x3be 00000000`00dff760 000007fe`fb87b299 WUDFPlatform!WdfLpcCommPort::ProcessMessage+0x214 00000000`00dff7b0 000007fe`fb87b900 WUDFPlatform!WdfLpcConnPort::ProcessMessage+0xf9 00000000`00dff830 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x178 00000000`00dff880 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62 00000000`00dff8b0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`00dff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

3 Id: 58c.2e4 Suspend: 1 Teb: 000007ff`fffd8000 Unfrozen Child-SP RetAddr Call Site 00000000`00d7f5e8 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa 00000000`00d7f5f0 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6 00000000`00d7f660 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f 00000000`00d7f6b0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4 00000000`00d7f740 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119 00000000`00d7f8f0 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127 00000000`00d7f940 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62 00000000`00d7f970 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`00d7f9a0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

4 Id: 58c.12b4 Suspend: 1 Teb: 000007ff`fffd6000 Unfrozen Child-SP RetAddr Call Site 00000000`00f8fa58 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa 00000000`00f8fa60 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6 00000000`00f8fad0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f 00000000`00f8fb20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4 00000000`00f8fbb0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119 00000000`00f8fd60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127 00000000`00f8fdb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62 00000000`00f8fde0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`00f8fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

5 Id: 58c.106c Suspend: 1 Teb: 000007ff`fffd3000 Unfrozen Child-SP RetAddr Call Site 00000000`00f0f958 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa 00000000`00f0f960 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6 00000000`00f0f9d0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f 00000000`00f0fa20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4 00000000`00f0fab0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119 00000000`00f0fc60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127 00000000`00f0fcb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62 00000000`00f0fce0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`00f0fd10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

6 Id: 58c.8fc Suspend: 1 Teb: 000007ff`fffae000 Unfrozen Child-SP RetAddr Call Site 00000000`0136f8c8 00000000`7758c95e USER32!NtUserGetMessage+0xa 00000000`0136f8d0 000007fe`f3bd26e5 USER32!GetMessageW+0x34 00000000`0136f900 00000000`7746f56d WpdFs!CDiskNotifier::NotificationThreadWorker+0x245 00000000`0136fa50 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`0136fa80 00000000`00000000 ntdll!RtlUserThreadStart+0x21

7 Id: 58c.520 Suspend: 1 Teb: 000007ff`fffac000 Unfrozen Child-SP RetAddr Call Site 00000000`0152f6f8 00000000`77689bd7 ntdll!ZwWaitForMultipleObjects+0xa 00000000`0152f700 00000000`7746f56d ntdll!EtwTraceMessageVa+0xe07 00000000`0152f9a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`0152f9d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

8 Id: 58c.89c Suspend: 1 Teb: 000007ff`fffaa000 Unfrozen Child-SP RetAddr Call Site 00000000`012df9b8 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa 00000000`012df9c0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b 00000000`012dfcc0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`012dfcf0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

9 Id: 58c.1394 Suspend: 1 Teb: 000007ff`fffa8000 Unfrozen Child-SP RetAddr Call Site 00000000`0140f498 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa 00000000`0140f4a0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b 00000000`0140f7a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`0140f7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

10 Id: 58c.1294 Suspend: 1 Teb: 000007ff`fffa6000 Unfrozen Child-SP RetAddr Call Site 00000000`0182f758 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa 00000000`0182f760 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b 00000000`0182fa60 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`0182fa90 00000000`00000000 ntdll!RtlUserThreadStart+0x21

11 Id: 58c.a98 Suspend: 1 Teb: 000007ff`fffa4000 Unfrozen Child-SP RetAddr Call Site 00000000`0170f708 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa 00000000`0170f710 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b 00000000`0170fa10 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`0170fa40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

12 Id: 58c.121c Suspend: 1 Teb: 000007ff`fffa2000 Unfrozen Child-SP RetAddr Call Site 00000000`0179fd68 000007fe`fd851203 ntdll!NtDelayExecution+0xa 00000000`0179fd70 000007fe`fe2cea00 KERNELBASE!SleepEx+0xb3 00000000`0179fe10 000007fe`fe2d2046 ole32!CROIDTable::WorkerThreadLoop+0x10 00000000`0179fe40 000007fe`fe2d358a ole32!CRpcThread::WorkerLoop+0x1e 00000000`0179fe80 00000000`7746f56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a 00000000`0179feb0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd 00000000`0179fee0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

- Dmitry Vostokov @ SoftwareGeneralist.com -