Software Generalist

Reading Notebook: 03-August-10

Dmitry Vostokov — Tue, 10 Aug 2010 17:04:53 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Scatter/gather (p. 566) - you can find examples of scatter/gather I/O residues left on a thread raw stack in Hardware Activity pattern and corresponding case study:

http://www.dumpanalysis.org/blog/index.php/2010/05/08/crash-dump-analysis-patterns-part-98/

and

http://www.dumpanalysis.org/blog/index.php/2010/06/07/irp-distribution-anomaly-inconsistent-dump-execution-residue-hardware-activity-coincidental-symbolic-information-not-my-version-virtualized-system-pattern-cooperation/

IRP (pp. 566 - 567) - here is an expanded IRP structure from x64 W2K8:

0: kd> dt -r1 _IRP ntdll!_IRP +0x000 Type : Int2B +0x002 Size : Uint2B +0x008 MdlAddress : Ptr64 _MDL +0x000 Next : Ptr64 _MDL +0x008 Size : Int2B +0x00a MdlFlags : Int2B +0x010 Process : Ptr64 _EPROCESS +0x018 MappedSystemVa : Ptr64 Void +0x020 StartVa : Ptr64 Void +0x028 ByteCount : Uint4B +0x02c ByteOffset : Uint4B +0x010 Flags : Uint4B +0x018 AssociatedIrp : +0x000 MasterIrp : Ptr64 _IRP +0x000 IrpCount : Int4B +0x000 SystemBuffer : Ptr64 Void +0x020 ThreadListEntry : _LIST_ENTRY +0x000 Flink : Ptr64 _LIST_ENTRY +0x008 Blink : Ptr64 _LIST_ENTRY +0x030 IoStatus : _IO_STATUS_BLOCK +0x000 Status : Int4B +0x000 Pointer : Ptr64 Void +0x008 Information : Uint8B +0x040 RequestorMode : Char +0x041 PendingReturned : UChar +0x042 StackCount : Char +0x043 CurrentLocation : Char +0x044 Cancel : UChar +0x045 CancelIrql : UChar +0x046 ApcEnvironment : Char +0x047 AllocationFlags : UChar +0x048 UserIosb : Ptr64 _IO_STATUS_BLOCK +0x000 Status : Int4B +0x000 Pointer : Ptr64 Void +0x008 Information : Uint8B +0x050 UserEvent : Ptr64 _KEVENT +0x000 Header : _DISPATCHER_HEADER +0x058 Overlay : +0x000 AsynchronousParameters : +0x000 AllocationSize : _LARGE_INTEGER +0x068 CancelRoutine : Ptr64 void +0x070 UserBuffer : Ptr64 Void +0x078 Tail : +0x000 Overlay : +0x000 Apc : _KAPC +0x000 CompletionKey : Ptr64 Void

IRP stack locations (pp. 568 - 569) - here is a corresponding structure from x64 W2K8:

0: kd> dt _IO_STACK_LOCATION ntdll!_IO_STACK_LOCATION +0x000 MajorFunction : UChar +0x001 MinorFunction : UChar +0x002 Flags : UChar +0x003 Control : UChar +0x008 Parameters : +0x028 DeviceObject : Ptr64 _DEVICE_OBJECT +0x030 FileObject : Ptr64 _FILE_OBJECT +0x038 CompletionRoutine : Ptr64 long +0x040 Context : Ptr64 Void

Buffered I/O (p. 570) - this part of IRP references a buffer (user input data is copied there and device output is copied there):

+0x018 AssociatedIrp : +0x000 MasterIrp : Ptr64 _IRP +0x000 IrpCount : Int4B +0×000 SystemBuffer : Ptr64 Void

These parts of I/O stack location structure handle buffer lengths:

+0x000 DeviceIoControl : +0×000 OutputBufferLength : Uint4B +0×008 InputBufferLength : Uint4B +0×010 IoControlCode : Uint4B +0×018 Type3InputBuffer : Ptr64 Void

+0x000 Read : +0×000 Length : Uint4B +0×008 Key : Uint4B +0×010 ByteOffset : _LARGE_INTEGER

+0x000 Write : +0×000 Length : Uint4B +0×008 Key : Uint4B +0×010 ByteOffset : _LARGE_INTEGER

Direct I/O (p. 570) - these parts of IRP handle IOCTL input data (SystemBuffer, via buffering) and IOCTL output/Read/Write data (MdlAddress):

+0x008 MdlAddress : Ptr64 _MDL +0x000 Next : Ptr64 _MDL +0x008 Size : Int2B +0x00a MdlFlags : Int2B +0x010 Process : Ptr64 _EPROCESS +0x018 MappedSystemVa : Ptr64 Void +0x020 StartVa : Ptr64 Void +0x028 ByteCount : Uint4B +0x02c ByteOffset : Uint4B

+0x018 AssociatedIrp : +0x000 MasterIrp : Ptr64 _IRP +0x000 IrpCount : Int4B +0x000 SystemBuffer : Ptr64 Void

Neither I/O (p. 571) - these parts handle input data (IO_STACK_LOCATION.Parameters.DeviceIoControl.Type3InputBuffer) and output data (IRP.UserBuffer):

+0x000 DeviceIoControl : +0x000 OutputBufferLength : Uint4B +0x008 InputBufferLength : Uint4B +0x010 IoControlCode : Uint4B +0×018 Type3InputBuffer : Ptr64 Void

+0×070 UserBuffer : Ptr64 Void

I/O status block and kernel APC (pp. 575 - 577) - this is a part of IRP structure:

+0x030 IoStatus : _IO_STATUS_BLOCK +0x000 Status : Int4B +0x000 Pointer : Ptr64 Void +0x008 Information : Uint8B

KeSynchronizeExecution (p. 578) - here is a stack trace fragment showing it in action:

[...] b9ada518 8088d661 SCSIPORT!SpStartIoSynchronized+0x14f b9ada550 80a60147 nt!KeSynchronizeExecution+0×21 b9ada57c f72523a6 hal!HalBuildScatterGatherList+0×1c7 b9ada5c8 8081cfa2 SCSIPORT!ScsiPortStartIo+0×36a b9ada5ec f725262f nt!IoStartPacket+0×82 b9ada620 f7252146 SCSIPORT!ScsiPortFdoDispatch+0×270 b9ada63c f7251dc3 SCSIPORT!SpDispatchRequest+0×68 b9ada658 f7251299 SCSIPORT!ScsiPortPdoScsi+0×129 b9ada66c 8081df85 SCSIPORT!ScsiPortGlobalDispatch+0×1d b9ada680 f723e607 nt!IofCallDriver+0×45 b9ada690 f723e2b2 CLASSPNP!SubmitTransferPacket+0xbb b9ada6c4 f723e533 CLASSPNP!ServiceTransferRequest+0×1e4 b9ada6e8 8081df85 CLASSPNP!ClassReadWrite+0×159 b9ada6fc f74c80cf nt!IofCallDriver+0×45 b9ada70c 8081df85 PartMgr!PmReadWrite+0×95 b9ada720 f7317053 nt!IofCallDriver+0×45 b9ada73c 8081df85 ftdisk!FtDiskReadWrite+0×1a9 b9ada750 f72bf8bc nt!IofCallDriver+0×45 b9ada768 8081df85 volsnap!VolSnapRead+0×52 b9ada77c f7163a62 nt!IofCallDriver+0×45 b9ada788 f71638d9 Ntfs!NtfsSingleAsync+0×91 b9ada960 f7164156 Ntfs!NtfsNonCachedIo+0×2db b9adaa4c f7164079 Ntfs!NtfsCommonRead+0xaf5 b9adabf8 8081df85 Ntfs!NtfsFsdRead+0×113 b9adac0c f721cc45 nt!IofCallDriver+0×45 b9adac34 8081df85 fltmgr!FltpDispatch+0×6f b9adac48 bafd5373 nt!IofCallDriver+0×45 […]

IRP and layered drivers (pp. 578 - 586) - here’s a UML-style diagram (#3) for IRP flow:

http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/

Associated IRP (pp. 585 - 586) - this is a part of IRP structure:

+0x018 AssociatedIrp : +0x000 MasterIrp : Ptr64 _IRP

File object vs. thread IRP association (p. 587)

Thread Termination and pending IRP (pp. 589 - 590) - this pattern uses I/O cancellation as an example:

http://www.dumpanalysis.org/blog/index.php/2007/12/14/crash-dump-analysis-patterns-part-42a/

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 19-July-10

Dmitry Vostokov — Thu, 22 Jul 2010 16:23:13 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Viewing the loaded driver list (pp. 546 - 547) - if we don’t see company information in lmv command output we can examine raw driver data like in this pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/16/crash-dump-analysis-patterns-part-22/

DriverEntry (p. 548) - consider this as similar to main (console) or WinMain (Win32). For example, if you are writing a Windows service you have to register certain functions with SCM.

Dispatch routines (p. 548) - if you know C++ consider them as class functions for a device object where DeviceObject is a this parameter (C++ class function implementation in C where an implicit this becomes the first function argument):

NTSTATUS (*PDRIVER_DISPATCH) (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

and a driver object can be seen as a container for a virtual function table (vtable) for a device object (purely from implementation perspective): devObj->DriverObject->MajorFunction[IRP_MJ_XXX]

Relationship between device and driver objects (pp. 553 - 554) - long time ago when I was preparing a presentation about Windows drivers for escalation engineers I created some UML diagrams you can see in the following blog post: http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/

AttachedDevice vs. AttachedTo (p.554)

File object structure and extension (pp. 556 - 557) - Here are driver, device and file object structures from x64 W2K8:

0: kd> dt _DRIVER_OBJECT ntdll!_DRIVER_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT +0x010 Flags : Uint4B +0x018 DriverStart : Ptr64 Void +0x020 DriverSize : Uint4B +0x028 DriverSection : Ptr64 Void +0x030 DriverExtension : Ptr64 _DRIVER_EXTENSION +0x038 DriverName : _UNICODE_STRING +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING +0x050 FastIoDispatch : Ptr64 _FAST_IO_DISPATCH +0x058 DriverInit : Ptr64 long +0x060 DriverStartIo : Ptr64 void +0x068 DriverUnload : Ptr64 void +0x070 MajorFunction : [28] Ptr64 long

0: kd> dt _DEVICE_OBJECT ntdll!_DEVICE_OBJECT +0x000 Type : Int2B +0x002 Size : Uint2B +0x004 ReferenceCount : Int4B +0x008 DriverObject : Ptr64 _DRIVER_OBJECT +0x010 NextDevice : Ptr64 _DEVICE_OBJECT +0x018 AttachedDevice : Ptr64 _DEVICE_OBJECT +0x020 CurrentIrp : Ptr64 _IRP +0x028 Timer : Ptr64 _IO_TIMER +0x030 Flags : Uint4B +0x034 Characteristics : Uint4B +0x038 Vpb : Ptr64 _VPB +0x040 DeviceExtension : Ptr64 Void +0x048 DeviceType : Uint4B +0x04c StackSize : Char +0x050 Queue : +0x098 AlignmentRequirement : Uint4B +0x0a0 DeviceQueue : _KDEVICE_QUEUE +0x0c8 Dpc : _KDPC +0x108 ActiveThreadCount : Uint4B +0x110 SecurityDescriptor : Ptr64 Void +0x118 DeviceLock : _KEVENT +0x130 SectorSize : Uint2B +0x132 Spare1 : Uint2B +0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION +0x140 Reserved : Ptr64 Void

0: kd> dt _FILE_OBJECT ntdll!_FILE_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT +0x010 Vpb : Ptr64 _VPB +0x018 FsContext : Ptr64 Void +0x020 FsContext2 : Ptr64 Void +0x028 SectionObjectPointer : Ptr64 _SECTION_OBJECT_POINTERS +0x030 PrivateCacheMap : Ptr64 Void +0x038 FinalStatus : Int4B +0x040 RelatedFileObject : Ptr64 _FILE_OBJECT +0x048 LockOperation : UChar +0x049 DeletePending : UChar +0x04a ReadAccess : UChar +0x04b WriteAccess : UChar +0x04c DeleteAccess : UChar +0x04d SharedRead : UChar +0x04e SharedWrite : UChar +0x04f SharedDelete : UChar +0x050 Flags : Uint4B +0x058 FileName : _UNICODE_STRING +0x068 CurrentByteOffset : _LARGE_INTEGER +0x070 Waiters : Uint4B +0x074 Busy : Uint4B +0x078 LastLock : Ptr64 Void +0x080 Lock : _KEVENT +0x098 Event : _KEVENT +0x0b0 CompletionContext : Ptr64 _IO_COMPLETION_CONTEXT +0x0b8 IrpListLock : Uint8B +0x0c0 IrpList : _LIST_ENTRY +0x0d0 FileObjectExtension : Ptr64 Void

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 12-July-10

Dmitry Vostokov — Mon, 12 Jul 2010 16:53:34 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

File and registry virtualization is for 32-bit apps only (p. 522)

Files (as locations) with executable extensions are excluded from virtualization (p. 524)

luafv.sys - filesystem virtualization driver (pp. 524 - 525)

\Users\\AppData\Local\VirtualStore\Windows\*.* (p. 525)

Admin Approval Mode, over-the-shoulder and consent elevations (p. 529)

appinfo.dll -> consent.exe (p. 529)

Process reparenting (p. 531)

Running regedt32.exe to get virtualized registry view (p. 533)

Typical I/O request flow (pp. 540 - 541) - here is a stack trace example from x64 Windows for a remote file request that reaches network drivers (some irrelevant 3rd-party filter drivers like antivirus were skipped):

Child-SP RetAddr Call Site fffffadf`25d92ff0 fffffadf`28ec5b97 NetworkCardVendor!send_packet+0x33c fffffadf`25d93250 fffffadf`28ec5903 NDIS!ndisMProcessSGList+0x8e fffffadf`25d932e0 fffffadf`28e85618 NDIS!ndisMAllocSGList+0x17c fffffadf`25d933a0 fffffadf`26ab57c4 NDIS!ndisMSendX+0x21e fffffadf`25d934d0 fffffadf`26ab5999 tcpip!ARPSendData+0x23a fffffadf`25d93540 fffffadf`26ab20ea tcpip!ARPTransmit+0x151 fffffadf`25d935d0 fffffadf`26aaecad tcpip!IPTransmit+0xaf5 fffffadf`25d93850 fffffadf`26aa94c6 tcpip!TCPSend+0x8d5 fffffadf`25d93930 fffffadf`26aafa8c tcpip!TdiSend+0x344 fffffadf`25d939a0 fffffadf`26a4085c tcpip!TCPSendData+0xee fffffadf`25d93a00 fffffadf`26a4845b netbt!NTSend+0x227 fffffadf`25d93ac0 fffffadf`269a546d netbt!NbtDispatchInternalCtrl+0x38 fffffadf`25d93c50 fffffadf`269cea18 rdbss!RxTdiSend+0x1a2 fffffadf`25d93cf0 fffffadf`2693efcf rdbss!RxCeSend+0x98 fffffadf`25d93d80 fffffadf`268d82fd mrxsmb!VctTranceive+0xa6 fffffadf`25d93de0 fffffadf`2693fea9 mrxsmb!SmbCeTranceive+0x483 fffffadf`25d93e70 fffffadf`2693e94b mrxsmb!SmbTransactExchangeStart+0x558 fffffadf`25d93f20 fffffadf`26940abf mrxsmb!SmbCeInitiateExchange+0x2fd fffffadf`25d93f70 fffffadf`26940c5b mrxsmb!SmbCeSubmitTransactionRequest+0x148 fffffadf`25d93fe0 fffffadf`269412e0 mrxsmb!_SmbCeTransact+0x1a1 fffffadf`25d940c0 fffffadf`26941625 mrxsmb!MRxSmbQueryFileInformation+0x811 fffffadf`25d94220 fffffadf`26941dfa mrxsmb!MRxSmbQueryFileInformationFromPseudoOpen+0x116 fffffadf`25d94260 fffffadf`2693e94b mrxsmb!SmbPseExchangeStart_Create+0x2da fffffadf`25d94300 fffffadf`2693f50c mrxsmb!SmbCeInitiateExchange+0x2fd fffffadf`25d94350 fffffadf`269cc4c1 mrxsmb!MRxSmbCreate+0x5d6 fffffadf`25d94430 fffffadf`269cc730 rdbss!RxCollapseOrCreateSrvOpen+0x154 fffffadf`25d944d0 fffffadf`269c7a92 rdbss!RxCreateFromNetRoot+0x399 fffffadf`25d94570 fffffadf`269a2a77 rdbss!RxCommonCreate+0x49a fffffadf`25d94680 fffffadf`269343e8 rdbss!RxFsdCommonDispatch+0x51c fffffadf`25d94780 fffffadf`290bfdb3 mrxsmb!MRxSmbFsdDispatch+0x211 fffffadf`25d947d0 fffffadf`290bfdb3 fltmgr!FltpCreate+0x353 [...] fffffadf`25d98460 fffff800`012840b4 nt!IopParseDevice+0x1088 fffffadf`25d98610 fffff800`012887d7 nt!ObpLookupObjectName+0x931 fffffadf`25d98720 fffff800`01295dad nt!ObOpenObjectByName+0x180 fffffadf`25d98910 fffff800`0129cd87 nt!IopCreateFile+0x630 fffffadf`25d98aa0 fffff800`012987f9 nt!IoCreateFile+0x12f fffffadf`25d98b80 fffff800`0102e5fd nt!NtOpenFile+0x49 fffffadf`25d98c00 00000000`77ef0d1a nt!KiSystemServiceCopyEnd+0x3 00000000`000ac568 00000000`77d6f7c9 ntdll!NtCreateFile+0xa 00000000`000ac570 000007ff`7fd535c3 kernel32!CreateFileW+0x511

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 16-June-10

Dmitry Vostokov — Fri, 18 Jun 2010 09:29:17 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Local security policy audit (pp. 511 - 512) - I used in the past to recommend process audit to track process launch sequences for debugging purposes

Access tokens have separate ACL (pp. 512 - 513)

MSV1_0 - local authentication package (p. 513)

Default credential providers authui.dll amd SmartcardCredentialProvider.dll (p. 514) - Here are stack traces from x64 LogonUI.exe:

THREAD fffffa8013dde9d0 Cid 0238.04f8 Teb: 000007fffffd7000 Win32Thread: fffff900c0679d50 WAIT: (UserRequest) UserMode Non-Alertable fffffa8013ddee60 SynchronizationEvent fffffa8013dde810 SynchronizationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa80296ecae0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 26019 Ticks: 402642 (0:01:44:41.255) Context Switch Count 170 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.046 Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefc6d151c) Stack Init fffffa6008efadb0 Current fffffa6008efa230 Base fffffa6008efb000 Limit fffffa6008ef5000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`08efa270 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`08efa3b0 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`08efa420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb fffffa60`08efa4a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e fffffa60`08efa960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2 fffffa60`08efabb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`08efac20) 00000000`0211f978 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa 00000000`0211f980 00000000`777ce2b5 kernel32!WaitForMultipleObjectsEx+0x10b 00000000`0211fa90 00000000`777ce32e USER32!RealMsgWaitForMultipleObjectsEx+0x129 00000000`0211fb30 000007fe`fe4fb196 USER32!MsgWaitForMultipleObjectsEx+0x46 00000000`0211fb70 000007fe`fe608d42 ole32!CCliModalLoop::BlockFn+0xb6 00000000`0211fbb0 000007fe`fc6d07ad ole32!CoWaitForMultipleHandles+0x102 00000000`0211fcb0 000007fe`fc6d15d4 authui!InternalCoWaitForSingleHandle+0x31 00000000`0211fcf0 000007fe`fc6d1525 authui!CCredentialProviderThread::_vThreadProc+0xa0 00000000`0211fd30 00000000`7769be3d authui!CCredentialProviderThread::_sThreadProc+0x9 00000000`0211fd60 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd 00000000`0211fd90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8013e48060 Cid 0238.0610 Teb: 000007fffffa0000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa8013e4ab50 NotificationEvent fffffa8013e425b0 SynchronizationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa80296ecae0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 13245 Ticks: 415416 (0:01:48:00.531) Context Switch Count 29 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007fefc481db0) Stack Init fffffa6009181db0 Current fffffa6009181230 Base fffffa6009182000 Limit fffffa600917c000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`09181270 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`091813b0 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`09181420 fffff800`01cd160e nt!KeWaitForMultipleObjects+0x2eb fffffa60`091814a0 fffff800`01cd1c53 nt!ObpWaitForMultipleObjects+0x26e fffffa60`09181960 fffff800`01a69233 nt!NtWaitForMultipleObjects+0xe2 fffffa60`09181bb0 00000000`778c72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`09181c20) 00000000`045efa48 00000000`7769bc03 ntdll!ZwWaitForMultipleObjects+0xa 00000000`045efa50 00000000`77691aa1 kernel32!WaitForMultipleObjectsEx+0x10b 00000000`045efb60 000007fe`fc4819bb kernel32!WaitForMultipleObjects+0x11 00000000`045efba0 000007fe`fc481de1 SmartcardCredentialProvider!I_ReaderMonitorWorker+0x8f 00000000`045efc30 00000000`7769be3d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0x31 00000000`045efc70 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd 00000000`045efca0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Win32k.sys sends keyboard messages to LogonUI.exe via RPC (p. 514)

Secondary authentication providers in LogonUI.exe, SSON (p. 515)

wininit.exe is for session 0 legacy GUI processes (p. 516)

Raw input thread (p. 516) - here’re 3 kinds of csrss.exe (different IRPs):

session 0 (no IRP)

THREAD fffffa8013a7d980 Cid 02ec.0338 Teb: 000007fffffae000 Win32Thread: fffff900c00da010 WAIT: (WrUserRequest) KernelMode Alertable fffffa8013665d00 SynchronizationEvent fffffa8013037df0 NotificationTimer fffffa8013665c80 SynchronizationTimer fffff80001bb9f60 NotificationEvent Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa8029668710 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428616 Ticks: 45 (0:00:00:00.702) Context Switch Count 317 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x000007fefde7c3b0) Stack Init fffffa6002c33db0 Current fffffa6002c33890 Base fffffa6002c34000 Limit fffffa6002c2e000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`02c338d0 fffff800`01a6b9fa nt!KiSwapContext+0x7f fffffa60`02c33a10 fffff800`01a712db nt!KiSwapThread+0x13a fffffa60`02c33a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0x2eb fffffa60`02c33b00 fffff960`00068317 win32k!RawInputThread+0x79c fffffa60`02c33bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0x67 fffffa60`02c33bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0x36 fffffa60`02c33c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`02c33c20) 00000000`002afd98 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`002afda0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0x19 00000000`002afdd0 00000000`00000000 ntdll!RtlUserThreadStart+0x29

session 1 (console, keyboard IRP)

THREAD fffffa80296821d0 Cid 0324.0370 Teb: 000007fffffd3000 Win32Thread: fffff900c00e33b0 WAIT: (WrUserRequest) KernelMode Alertable fffffa80137c6430 SynchronizationEvent fffffa802967fc30 NotificationTimer fffffa8029680360 SynchronizationTimer fffffa802967f970 SynchronizationEvent IRP List: fffffa802968b2e0: (0006,03a0) Flags: 00060970 Mdl: 00000000 fffffa802960d4c0: (0006,03a0) Flags: 00060970 Mdl: 00000000 fffffa8012ec7470: (0006,03a0) Flags: 00060970 Mdl: 00000000 Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa8029672c10 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428605 Ticks: 56 (0:00:00:00.873) Context Switch Count 24934 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0×000007fefde7c3b0) Stack Init fffffa6008bd0db0 Current fffffa6008bd0890 Base fffffa6008bd1000 Limit fffffa6008bcb000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`08bd08d0 fffff800`01a6b9fa nt!KiSwapContext+0×7f fffffa60`08bd0a10 fffff800`01a712db nt!KiSwapThread+0×13a fffffa60`08bd0a80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0×2eb fffffa60`08bd0b00 fffff960`00068317 win32k!RawInputThread+0×79c fffffa60`08bd0bc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0×67 fffffa60`08bd0bf0 fffff800`01a69233 win32k!NtUserCallNoParam+0×36 fffffa60`08bd0c20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`08bd0c20) 00000000`014afab8 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`014afac0 00000000`778e2f6c winsrv!StartCreateSystemThreads+0×19 00000000`014afaf0 00000000`00000000 ntdll!RtlUserThreadStart+0×29

15: kd> !irp fffffa802968b2e0 Irp is active with 7 stacks 7 is current (= 0xfffffa802968b560) No Mdl: System buffer=fffffa8029688790: Thread fffffa80296821d0: Irp stack trace. cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa8013703ce0 fffffa8029687670 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa802960d4c0 Irp is active with 10 stacks 10 is current (= 0xfffffa802960d818) No Mdl: System buffer=fffffa8029681010: Thread fffffa80296821d0: Irp stack trace. cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa801392ace0 fffffa8029686880 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

15: kd> !irp fffffa8012ec7470 Irp is active with 3 stacks 3 is current (= 0xfffffa8012ec75d0) No Mdl: System buffer=fffffa8029687010: Thread fffffa80296821d0: Irp stack trace. cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ 3, 0] 0 1 fffffa8013722060 fffffa8029680200 00000000-00000000 pending \Driver\kbdclass Args: 00000078 00000000 00000000 00000000

session N (terminal services, termdd IRP)

THREAD fffffa80168fbac0 Cid 175c.533c Teb: 000007fffffae000 Win32Thread: fffff900c018d010 WAIT: (WrUserRequest) KernelMode Alertable fffffa8015355e70 SynchronizationEvent fffffa8016442950 NotificationTimer fffffa80156f9f70 SynchronizationTimer fffffa8016967a50 SynchronizationEvent IRP List: fffffa801501ba30: (0006,0118) Flags: 00060900 Mdl: 00000000 Not impersonating DeviceMap fffff88000008e00 Owning Process fffffa802b33ac10 Image: csrss.exe Attached Process N/A Image: N/A Wait Start TickCount 428641 Ticks: 20 (0:00:00:00.312) Context Switch Count 32238 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.218 Win32 Start Address winsrv!StartCreateSystemThreads (0×000007fefde7c3b0) Stack Init fffffa601ccdbdb0 Current fffffa601ccdb890 Base fffffa601ccdc000 Limit fffffa601ccd6000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`1ccdb8d0 fffff800`01a6b9fa nt!KiSwapContext+0×7f fffffa60`1ccdba10 fffff800`01a712db nt!KiSwapThread+0×13a fffffa60`1ccdba80 fffff960`000ed088 nt!KeWaitForMultipleObjects+0×2eb fffffa60`1ccdbb00 fffff960`00068317 win32k!RawInputThread+0×79c fffffa60`1ccdbbc0 fffff960`000eddc6 win32k!xxxCreateSystemThreads+0×67 fffffa60`1ccdbbf0 fffff800`01a69233 win32k!NtUserCallNoParam+0×36 fffffa60`1ccdbc20 000007fe`fde7c3da nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`1ccdbc20) 00000000`0137f878 000007fe`fde7c3c9 winsrv!ZwUserCallNoParam+0xa 00000000`0137f880 00000000`778e2f6c winsrv!StartCreateSystemThreads+0×19 00000000`0137f8b0 00000000`00000000 ntdll!RtlUserThreadStart+0×29

15: kd> !irp fffffa801501ba30 Irp is active with 1 stacks 1 is current (= 0xfffffa801501bb00) No Mdl: No System Buffer: Thread fffffa80168fbac0: Irp stack trace. cmd flg cl Device File Completion-Context >[ 3, 0] 0 1 fffffa801370adb0 fffffa801705ef20 00000000-00000000 pending \Driver\TermDD Args: 00000078 00000000 00000000 00000000

Half-hash caching of passwords (p. 517)

logonsessions tool (pp. 519 - 520)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 31-May-10

Dmitry Vostokov — Mon, 31 May 2010 18:03:10 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Objects vs. account attributes, privilege vs. account right (p. 501)

NtRaiseHardError requires SeShutdownPrivilege (p. 508)

firmware environment variables (p. 508) - some more info: http://msdn.microsoft.com/en-us/library/ms724325(VS.85).aspx

Implication of Bypass Traverse Checking (SeNotifyPrivilege) (p. 509)

Elevated priviliges don’t extend past machine boundaries (p. 510)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 26-May-10

Dmitry Vostokov — Thu, 27 May 2010 10:57:54 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Explicit ACE are ahead of inherited (p. 491)

Differences of inheritable ACE propagation AD objects (p. 491)

Ntmarta.dll: security inheritance support DLL (p. 492)

SeAccessCheck optimization: integrity check -> DACL check (p. 492)

Low and medium integrity processes can read high integrity objects (p. 493)

UIPI safe messages, shatter attacks, blocked (journal) hooks (pp. 493 - 494)

Owner Rights SID (pp. 495 - 496)

Importance of ACE ordering (pp. 497 - 498)

Security editors place Deny ACE on top, Advanced Settings and Effective Permissions (pp. 498 - 500)

AuthZ API: security model in user mode (pp. 500 - 501)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 25-May-10

Dmitry Vostokov — Tue, 25 May 2010 19:53:10 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

No share access for impersonation: we need logon (p. 481)

S(ecure)QOS levels, SECURITY_CONTEXT_TRACKING (p. 482)

Integrity Level (client) <= Integrity Level (server) (pp. 482 - 483)

Restricted tokens -> filtered admin tokens (logon as admin with UAC) (pp. 483 - 484)

Callback, allowed(denied)-object (GUID-based for AD) ACEs (p. 487)

No DACL: full access, empty DACL: no access (p. 487)

System audit-object ACEs (p. 488)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 24-May-10

Dmitry Vostokov — Mon, 24 May 2010 19:09:09 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Process integrity levels as SIDs (pp. 464 - 465)

Protected mode IE startup sequence (pp. 467 - 470) - ieuser.exe might block several iexplore.exe instances: http://www.dumpanalysis.org/blog/index.php/2009/02/11/stack-trace-collection-blocked-thread-and-coupled-processes-pattern-cooperation/

Integrity levels and mandatory policies for objects (pp. 471- 473)

Many faces of an Administrator, filtered admin tokens (p. 474)

CreateProcessWithLogonW (p. 474)

The token source field (p. 476)

Token authentication and modified IDs (pp. 476 - 477) - token structure from x64 Windows Server R2:

0: kd> dt _TOKEN nt!_TOKEN +0x000 TokenSource : _TOKEN_SOURCE +0x010 TokenId : _LUID +0x018 AuthenticationId : _LUID +0x020 ParentTokenId : _LUID +0x028 ExpirationTime : _LARGE_INTEGER +0x030 TokenLock : Ptr64 _ERESOURCE +0x038 ModifiedId : _LUID +0x040 Privileges : _SEP_TOKEN_PRIVILEGES +0x058 AuditPolicy : _SEP_AUDIT_POLICY +0x074 SessionId : Uint4B +0x078 UserAndGroupCount : Uint4B +0x07c RestrictedSidCount : Uint4B +0x080 VariableLength : Uint4B +0x084 DynamicCharged : Uint4B +0x088 DynamicAvailable : Uint4B +0x08c DefaultOwnerIndex : Uint4B +0x090 UserAndGroups : Ptr64 _SID_AND_ATTRIBUTES +0x098 RestrictedSids : Ptr64 _SID_AND_ATTRIBUTES +0x0a0 PrimaryGroup : Ptr64 Void +0x0a8 DynamicPart : Ptr64 Uint4B +0x0b0 DefaultDacl : Ptr64 _ACL +0x0b8 TokenType : _TOKEN_TYPE +0x0bc ImpersonationLevel : _SECURITY_IMPERSONATION_LEVEL +0x0c0 TokenFlags : Uint4B +0x0c4 TokenInUse : UChar +0x0c8 IntegrityLevelIndex : Uint4B +0x0cc MandatoryPolicy : Uint4B +0x0d0 LogonSession : Ptr64 _SEP_LOGON_SESSION_REFERENCES +0x0d8 OriginatingLogonSession : _LUID +0x0e0 SidHash : _SID_AND_ATTRIBUTES_HASH +0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH +0x300 pSecurityAttributes : Ptr64 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION +0x308 VariablePart : Uint8B

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 12-May-10

Dmitry Vostokov — Thu, 13 May 2010 22:44:01 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SAS -> winlogon.exe starts LogonUI.exe (p. 455) - Here are winlogon.exe threads on x64 W2K8 R2 before SAS:

THREAD fffffa8003cf7060 Cid 01d0.01d4 Teb: 000007fffffdd000 Win32Thread: fffff900c00df900 WAIT: (UserRequest) UserMode Non-Alertable fffffa8004991c90 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 8831 Ticks: 21731 (0:00:05:39.005) Context Switch Count 424 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff36ec08) Stack Init fffff88003595db0 Current fffff88003595900 Base fffff88003596000 Limit fffff8800358c000 Call 0 Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffff880`03595940 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`03595a80 fffff800`01ac58af nt!KiCommitThreadWait+0x1d2 fffff880`03595b10 fffff800`01db7db2 nt!KeWaitForSingleObject+0x19f fffff880`03595bb0 fffff800`01abb853 nt!NtWaitForSingleObject+0xb2 fffff880`03595c20 00000000`77bafefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03595c20) 00000000`0018f778 000007fe`fdc910ac ntdll!NtWaitForSingleObject+0xa 00000000`0018f780 00000000`ff3619ad KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0018f820 00000000`ff3616e8 winlogon!SignalManagerWaitForSignal+0x135 00000000`0018f860 00000000`ff36b8b0 winlogon!StateMachineRun+0x404 00000000`0018fb80 00000000`ff36ed85 winlogon!WinMain+0x13a3 00000000`0018fcf0 00000000`77a5f56d winlogon!I_WMsgkSendMessage+0x252 00000000`0018fdb0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`0018fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800498a060 Cid 01d0.0320 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa800497bef0 SynchronizationTimer fffffa8004988060 SynchronizationTimer fffffa8004bfe2a0 NotificationEvent fffffa8003c783b0 SynchronizationEvent fffffa8003c78310 SynchronizationEvent fffffa8003c78450 SynchronizationEvent fffffa80049894c0 SynchronizationTimer Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 19271 Ticks: 11291 (0:00:02:56.140) Context Switch Count 16 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000077b79a90) Stack Init fffff88004006db0 Current fffff88004005fd0 Base fffff88004007000 Limit fffff88004001000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`04006010 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`04006150 fffff800`01abfc4b nt!KiCommitThreadWait+0x1d2 fffff880`040061e0 fffff800`01db8ecf nt!KeWaitForMultipleObjects+0x271 fffff880`04006490 fffff800`01db97d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04006960 fffff800`01abb853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04006bb0 00000000`77bb046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04006c20) 00000000`0139f848 00000000`77b79bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`0139f850 00000000`77a5f56d ntdll!TppWaiterpThread+0x14d 00000000`0139faf0 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`0139fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8004ed7060 Cid 01d0.0a58 Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa800489ac20 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8003cf65a0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 27861 Ticks: 2701 (0:00:00:42.135) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000077b78f00) Stack Init fffff88003555db0 Current fffff880035557d0 Base fffff88003556000 Limit fffff88003550000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`03555810 fffff800`01ac3752 nt!KiSwapContext+0x7a fffff880`03555950 fffff800`01ac71c1 nt!KiCommitThreadWait+0x1d2 fffff880`035559e0 fffff800`01db89d7 nt!KeRemoveQueueEx+0x301 fffff880`03555a90 fffff800`01acc996 nt!IoRemoveIoCompletion+0x47 fffff880`03555b20 fffff800`01abb853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`03555c20 00000000`77bb17ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03555c20) 00000000`00dcfa18 00000000`77b7914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`00dcfa20 00000000`77a5f56d ntdll!TppWorkerThread+0x2c9 00000000`00dcfd20 00000000`77b93281 kernel32!BaseThreadInitThunk+0xd 00000000`00dcfd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Here are main threads from both processes on x64 W2K8 R2 after SAS (I brought change password dialog):

THREAD fffffa8004888770 Cid 01c0.01c4 Teb: 000007fffffde000 Win32Thread: fffff900c00d9c30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80049c25c0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 3202 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.218 Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffc2ec08) Stack Init fffff880031acdb0 Current fffff880031ac900 Base fffff880031ad000 Limit fffff880031a7000 Call 0 Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`031ac940 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`031aca80 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2 fffff880`031acb10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0x19f fffff880`031acbb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2 fffff880`031acc20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`031acc20) 00000000`0023f398 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa 00000000`0023f3a0 00000000`ffc219ad KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0023f440 00000000`ffc216e8 winlogon!SignalManagerWaitForSignal+0x135 00000000`0023f480 00000000`ffc2b8b0 winlogon!StateMachineRun+0x404 00000000`0023f7a0 00000000`ffc2ed85 winlogon!WinMain+0x13a3 00000000`0023f910 00000000`76bdf56d winlogon!I_WMsgkSendMessage+0x252 00000000`0023f9d0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0023fa00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80049ba060 Cid 01c0.0304 Teb: 000007fffffd7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa80049b87e0 SynchronizationTimer fffffa80049b4650 SynchronizationTimer fffffa8004e81e20 NotificationEvent fffffa8004edcbf0 SynchronizationEvent fffffa8004edcb50 SynchronizationEvent fffffa8004edcc90 SynchronizationEvent fffffa80049b8670 SynchronizationTimer Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34428081 Ticks: 238645 (0:01:02:02.885) Context Switch Count 175 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90) Stack Init fffff88004193db0 Current fffff88004192fd0 Base fffff88004194000 Limit fffff8800418e000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffff880`04193010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`04193150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`041931e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`04193490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04193960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04193bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04193c20) 00000000`00d2fb38 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`00d2fb40 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d 00000000`00d2fde0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`00d2fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005b8e810 Cid 01c0.12d4 Teb: 000007fffffdc000 Win32Thread: fffff900c37a6250 WAIT: (WrLpcReply) UserMode Non-Alertable fffffa8005b8ebd0 Semaphore Limit 0x1 Waiting for reply to ALPC Message fffff8a00c87e750 : queued at port fffffa800661ec60 : owned by process fffffa8005f442b0 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 150 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00) Stack Init fffff88006c8edb0 Current fffff88006c8e620 Base fffff88006c8f000 Limit fffff88006c87000 Call 0 Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`06c8e660 fffff800`01ad6752 nt!KiSwapContext+0×7a fffff880`06c8e7a0 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2 fffff880`06c8e830 fffff800`01aedbef nt!KeWaitForSingleObject+0×19f fffff880`06c8e8d0 fffff800`01dd6a36 nt!AlpcpSignalAndWait+0×8f fffff880`06c8e980 fffff800`01dd49c0 nt!AlpcpReceiveSynchronousReply+0×46 fffff880`06c8e9e0 fffff800`01dd1f3b nt!AlpcpProcessSynchronousRequest+0×33d fffff880`06c8eb00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0×1ab fffff880`06c8ebb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`06c8ec20) 00000000`0103f298 000007fe`fea8aa76 ntdll!ZwAlpcSendWaitReceivePort+0xa 00000000`0103f2a0 000007fe`feb2cb64 RPCRT4!LRPC_CCALL::SendReceive+0×156 00000000`0103f360 000007fe`feb2cd55 RPCRT4!NdrpClientCall3+0×244 00000000`0103f620 00000000`ffc24979 RPCRT4!NdrClientCall3+0xf2 00000000`0103f9b0 00000000`ffc4e781 winlogon!WluiRequestCredentials+0×71 00000000`0103fa20 00000000`ffc21d04 winlogon!WLGeneric_Request_Change_Credz_Execute+0xa5 00000000`0103fa90 00000000`76df0fb4 winlogon!StateMachineWorkerCallback+0×7f 00000000`0103fac0 00000000`76df4b1f ntdll!TppWorkpExecuteCallback+0xa4 00000000`0103fb20 00000000`76bdf56d ntdll!TppWorkerThread+0×6c9 00000000`0103fe20 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0103fe50 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8006480640 Cid 01c0.131c Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa80042479a0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664380 Ticks: 2346 (0:00:00:36.597) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800715ddb0 Current fffff8800715d7d0 Base fffff8800715e000 Limit fffff88007158000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0715d810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0715d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0715d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0715da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0715db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0715dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0715dc20) 00000000`010bf908 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`010bf910 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`010bfc10 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`010bfc40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005916290 Cid 01c0.0c04 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa80042479a0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa80048879d0 Image: winlogon.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 3 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff88007126db0 Current fffff880071267d0 Base fffff88007127000 Limit fffff88007121000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`07126810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`07126950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`071269e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`07126a90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`07126b20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`07126c20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07126c20) 00000000`009cfaa8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`009cfab0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`009cfdb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`009cfde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

We now see the new thread fffffa8005b8e810 waiting for an ALPC message fffff8a00c87e750:

0: kd> !alpc /m fffff8a00c87e750

Message @ fffff8a00c87e750 MessageID : 0x0534 (1332) CallbackID : 0x14152C5 (21058245) SequenceNumber : 0x00000006 (6) Type : LPC_REQUEST DataLength : 0x0060 (96) TotalLength : 0x0088 (136) Canceled : No Release : No ReplyWaitReply : No Continuation : Yes OwnerPort : fffffa80065696c0 [ALPC_CLIENT_COMMUNICATION_PORT] WaitingThread : fffffa8005b8e810 QueueType : ALPC_MSGQUEUE_PENDING QueuePort : fffffa800661ec60 [ALPC_CONNECTION_PORT] QueuePortOwnerProcess : fffffa8005f442b0 (LogonUI.exe) ServerThread : fffffa8005a9b2a0 QuotaCharged : No CancelQueuePort : 0000000000000000 CancelSequencePort : 0000000000000000 CancelSequenceNumber : 0×00000000 (0) ClientContext : 00000000003f5b30 ServerContext : 0000000000000000 PortContext : 00000000015e2640 CancelPortContext : 0000000000000000 SecurityData : 0000000000000000 View : 0000000000000000

The server thread is fffffa8005a9b2a0 and is owned by LogonUI.exe. Here are all threads in that process where I highlighted credential providers:

THREAD fffffa8005f47b60 Cid 06d0.13e0 Teb: 000007fffffde000 Win32Thread: fffff900c1d6ec30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80065be260 SynchronizationEvent fffffa8005bf6240 SynchronizationEvent fffffa8005bcbc70 SynchronizationEvent fffffa80052a9dc0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34666693 Ticks: 33 (0:00:00:00.514) Context Switch Count 722 LargeStack UserTime 00:00:00.171 KernelTime 00:00:00.140 Win32 Start Address LogonUI!wWinMainCRTStartup (0x00000000ffb45c58) Stack Init fffff88004911db0 Current fffff88004910fd0 Base fffff88004912000 Limit fffff88004908000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`04911010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`04911150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`049111e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`04911490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`04911960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`04911bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04911c20) 00000000`001bf708 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`001bf710 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`001bf810 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`001bf8a0 000007fe`fae19ecd USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`001bf940 000007fe`fae19d8e DUser!CoreSC::DUIMsgWaitForMultipleObjectsEx+0x17c 00000000`001bf9f0 00000000`76cf9079 DUser!MphMsgWaitForMultipleObjectsEx+0x7a 00000000`001bfa30 000007fe`fb8e407b USER32!MsgWaitForMultipleObjectsEx+0x37 00000000`001bfa70 000007fe`fb8e4f6c authui!CLogonFrame::DoModal+0×67 00000000`001bfaf0 000007fe`fb8e50cf authui!CLogonUI_CreateThenDoModalThenDestroy+0×299 00000000`001bfb50 00000000`ffb454df authui!CLogonUI::DoModal+0×73 00000000`001bfb80 00000000`ffb45ae6 LogonUI!wWinMain+0xfb 00000000`001bfbe0 00000000`76bdf56d LogonUI!ParseCommandLineToStringArrayLocalAlloc+0×33a 00000000`001bfca0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`001bfcd0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8006595720 Cid 06d0.1158 Teb: 000007fffffdc000 Win32Thread: fffff900c35105f0 WAIT: (UserRequest) UserMode Non-Alertable fffffa8005cad160 SynchronizationEvent fffffa8005618d30 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664381 Ticks: 2345 (0:00:00:36.582) Context Switch Count 2 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address msvcrt!endthreadex (0x000007feff0573fc) Stack Init fffff88005638db0 Current fffff88005637fd0 Base fffff88005639000 Limit fffff88005632000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05638010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05638150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`056381e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`05638490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`05638960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`05638bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05638c20) 00000000`00eaf4d8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`00eaf4e0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`00eaf5e0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`00eaf670 000007fe`fae114e6 USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`00eaf710 000007fe`fae116b2 DUser!CoreSC::Wait+0x62 00000000`00eaf760 000007fe`fae205dd DUser!CoreSC::xwProcessNL+0xed 00000000`00eaf7d0 000007fe`fae20500 DUser!GetMessageExA+0x7b 00000000`00eaf820 000007fe`ff0542bf DUser!ResourceManager::SharedThreadProc+0xe8 00000000`00eaf8b0 000007fe`ff057459 msvcrt!endthreadex+0x47 00000000`00eaf8e0 00000000`76bdf56d msvcrt!endthreadex+0xe0 00000000`00eaf910 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`00eaf940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8006646060 Cid 06d0.1174 Teb: 000007fffffda000 Win32Thread: fffff900c397bc30 WAIT: (UserRequest) UserMode Non-Alertable fffffa80059522e0 SynchronizationEvent fffffa80061cf2d0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664855 Ticks: 1871 (0:00:00:29.187) Context Switch Count 101 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address authui!CCredentialProviderThread::_sThreadProc (0x000007fefb8e51c0) Stack Init fffff880057addb0 Current fffff880057acfd0 Base fffff880057ae000 Limit fffff880057a6000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`057ad010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`057ad150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`057ad1e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`057ad490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`057ad960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`057adbb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`057adc20) 00000000`02c5f9b8 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`02c5f9c0 00000000`76be3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`02c5fac0 00000000`76cfbc3d kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`02c5fb50 00000000`76cf905a USER32!RealMsgWaitForMultipleObjectsEx+0x12a 00000000`02c5fbf0 000007fe`febdb46a USER32!MsgWaitForMultipleObjectsEx+0x46 00000000`02c5fc30 000007fe`fecfa542 ole32!CCliModalLoop::BlockFn+0xc2 00000000`02c5fc80 000007fe`fb8e4bc1 ole32!CoWaitForMultipleHandles+0x102 00000000`02c5fd90 000007fe`fb8e4a4a authui!InternalCoWaitForSingleHandle+0×31 00000000`02c5fdd0 000007fe`fb8e51c9 authui!CCredentialProviderThread::_vThreadProc+0xbf 00000000`02c5fe10 00000000`76bdf56d authui!CCredentialProviderThread::_sThreadProc+0×9 00000000`02c5fe40 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02c5fe70 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8005a9b2a0 Cid 06d0.1248 Teb: 000007fffffd4000 Win32Thread: fffff900c397b850 WAIT: (UserRequest) UserMode Non-Alertable fffffa800559c800 NotificationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664851 Ticks: 1875 (0:00:00:29.250) Context Switch Count 12 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0×0000000076df8f00) Stack Init fffff88005871db0 Current fffff88005871900 Base fffff88005872000 Limit fffff8800586b000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05871940 fffff800`01ad6752 nt!KiSwapContext+0×7a fffff880`05871a80 fffff800`01ad88af nt!KiCommitThreadWait+0×1d2 fffff880`05871b10 fffff800`01dcadb2 nt!KeWaitForSingleObject+0×19f fffff880`05871bb0 fffff800`01ace853 nt!NtWaitForSingleObject+0xb2 fffff880`05871c20 00000000`76e2fefa nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffff880`05871c20) 00000000`02aee898 000007fe`fd0810ac ntdll!NtWaitForSingleObject+0xa 00000000`02aee8a0 000007fe`fb8e4586 KERNELBASE!WaitForSingleObjectEx+0×79 00000000`02aee940 000007fe`fb8e891c authui!InternalWaitForSingleObject+0×26 00000000`02aee980 000007fe`fb8e8ac4 authui!WPP_SF_qqddd+0×157d 00000000`02aee9e0 000007fe`fea7c7f5 authui!WluirRequestCredentials+0×44 00000000`02aeea20 000007fe`feb2b62e RPCRT4!Invoke+0×65 00000000`02aeeaa0 000007fe`fea74070 RPCRT4!Ndr64StubWorker+0×61b 00000000`02aef060 000007fe`fea79c24 RPCRT4!NdrServerCallAll+0×40 00000000`02aef0b0 000007fe`fea79d86 RPCRT4!DispatchToStubInCNoAvrf+0×14 00000000`02aef0e0 000007fe`fea7c44b RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×146 00000000`02aef200 000007fe`fea7c38b RPCRT4!RPC_INTERFACE::DispatchToStub+0×9b 00000000`02aef240 000007fe`fea7c322 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0×5b 00000000`02aef2c0 000007fe`fea7a11d RPCRT4!LRPC_SCALL::DispatchRequest+0×422 00000000`02aef3a0 000007fe`fea87ddf RPCRT4!LRPC_SCALL::HandleRequest+0×20d 00000000`02aef4d0 000007fe`fea87995 RPCRT4!LRPC_ADDRESS::ProcessIO+0×3bf 00000000`02aef610 00000000`76dfb43b RPCRT4!LrpcIoComplete+0xa5 00000000`02aef6a0 00000000`76df923f ntdll!TppAlpcpExecuteCallback+0×26b 00000000`02aef730 00000000`76bdf56d ntdll!TppWorkerThread+0×3f8 00000000`02aefa30 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02aefa60 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

THREAD fffffa8005941a10 Cid 06d0.0f10 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa800663a9a0 SynchronizationTimer fffffa8005881650 SynchronizationTimer fffffa8006577ef0 SynchronizationTimer fffffa8005a93bd0 NotificationEvent fffffa80063f6450 SynchronizationEvent fffffa80058fe4c0 SynchronizationEvent fffffa80064c0290 SynchronizationEvent fffffa8004e49e90 NotificationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958) Context Switch Count 11 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x0000000076df9a90) Stack Init fffff88006946db0 Current fffff88006945fd0 Base fffff88006947000 Limit fffff88006941000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`06946010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`06946150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`069461e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`06946490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`06946960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`06946bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06946c20) 00000000`02dbf718 00000000`76df9bd7 ntdll!NtWaitForMultipleObjects+0xa 00000000`02dbf720 00000000`76bdf56d ntdll!TppWaiterpThread+0x14d 00000000`02dbf9c0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02dbf9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80056de060 Cid 06d0.0ba8 Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8005f7d3e0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457) Context Switch Count 5 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800569ddb0 Current fffff8800569d7d0 Base fffff8800569e000 Limit fffff88005698000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0569d810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0569d950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0569d9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0569da90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0569db20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0569dc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0569dc20) 00000000`035cfbb8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`035cfbc0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`035cfec0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`035cfef0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa8005ccfa10 Cid 06d0.03a0 Teb: 000007fffffd8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8005f7d3e0 QueueObject Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664420 Ticks: 2306 (0:00:00:35.973) Context Switch Count 7 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x0000000076df8f00) Stack Init fffff8800459bdb0 Current fffff8800459b7d0 Base fffff8800459c000 Limit fffff88004596000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0459b810 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0459b950 fffff800`01ada1c1 nt!KiCommitThreadWait+0x1d2 fffff880`0459b9e0 fffff800`01dcb9d7 nt!KeRemoveQueueEx+0x301 fffff880`0459ba90 fffff800`01adf996 nt!IoRemoveIoCompletion+0x47 fffff880`0459bb20 fffff800`01ace853 nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0459bc20 00000000`76e317ba nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0459bc20) 00000000`02e5f8c8 00000000`76df914b ntdll!NtWaitForWorkViaWorkerFactory+0xa 00000000`02e5f8d0 00000000`76bdf56d ntdll!TppWorkerThread+0x2c9 00000000`02e5fbd0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02e5fc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800662a800 Cid 06d0.0a54 Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable fffffa800662aad8 Semaphore Limit 0x2 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664389 Ticks: 2337 (0:00:00:36.457) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x000007fefebf3570) Stack Init fffff8800568fdb0 Current fffff8800568f970 Base fffff88005690000 Limit fffff8800568a000 Call 0 Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0568f9b0 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`0568faf0 fffff800`01ad8e56 nt!KiCommitThreadWait+0x1d2 fffff880`0568fb80 fffff800`01dcacee nt!KeDelayExecutionThread+0x186 fffff880`0568fbf0 fffff800`01ace853 nt!NtDelayExecution+0x59 fffff880`0568fc20 00000000`76e301fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0568fc20) 00000000`0371fa68 000007fe`fd081203 ntdll!NtDelayExecution+0xa 00000000`0371fa70 000007fe`febeea00 KERNELBASE!SleepEx+0xab 00000000`0371fb10 000007fe`febf2046 ole32!CROIDTable::WorkerThreadLoop+0x10 00000000`0371fb40 000007fe`febf358a ole32!CRpcThread::WorkerLoop+0x1e 00000000`0371fb80 00000000`76bdf56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a 00000000`0371fbb0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0371fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa80063a4490 Cid 06d0.0ca0 Teb: 000007fffffa8000 Win32Thread: fffff900c1fffc30 WAIT: (WrLpcReceive) UserMode Non-Alertable fffffa80063a4850 Semaphore Limit 0x1 Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664404 Ticks: 2322 (0:00:00:36.223) Context Switch Count 11 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address MSCTF!CCtfServerPort::StaticServerThread (0x000007fefe959274) Stack Init fffff88005b30db0 Current fffff88005b30750 Base fffff88005b31000 Limit fffff88005b2a000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05b30790 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05b308d0 fffff800`01ad88af nt!KiCommitThreadWait+0x1d2 fffff880`05b30960 fffff800`01dcf329 nt!KeWaitForSingleObject+0x19f fffff880`05b30a00 fffff800`01dd0a37 nt!AlpcpReceiveMessagePort+0x189 fffff880`05b30a60 fffff800`01dd1f76 nt!AlpcpReceiveMessage+0x2d4 fffff880`05b30b00 fffff800`01ace853 nt!NtAlpcSendWaitReceivePort+0x1e6 fffff880`05b30bb0 00000000`76e3070a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b30c20) 00000000`0390e7b8 000007fe`fe9426a9 ntdll!ZwAlpcSendWaitReceivePort+0xa 00000000`0390e7c0 000007fe`fe959417 MSCTF!CCtfServerPort::ServerLoop+0x16c 00000000`0390f8e0 000007fe`fe959296 MSCTF!CCtfServerPort::ServerThread+0x15b 00000000`0390fc20 00000000`76bdf56d MSCTF!CCtfServerPort::StaticServerThread+0x28 00000000`0390fc50 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`0390fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

THREAD fffffa800489eb60 Cid 06d0.13b8 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa8005833be0 NotificationEvent fffffa8005a03ad0 SynchronizationEvent Not impersonating DeviceMap fffff8a000008c10 Owning Process fffffa8005f442b0 Image: LogonUI.exe Attached Process N/A Image: N/A Wait Start TickCount 34664421 Ticks: 2305 (0:00:00:35.958) Context Switch Count 19 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address SmartcardCredentialProvider!I_ReaderMonitorThreadProc (0x000007feed747028) Stack Init fffff88005894db0 Current fffff88005893fd0 Base fffff88005895000 Limit fffff8800588f000 Call 0 Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 1 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`05894010 fffff800`01ad6752 nt!KiSwapContext+0x7a fffff880`05894150 fffff800`01ad2c4b nt!KiCommitThreadWait+0x1d2 fffff880`058941e0 fffff800`01dcbecf nt!KeWaitForMultipleObjects+0x271 fffff880`05894490 fffff800`01dcc7d6 nt!ObpWaitForMultipleObjects+0x294 fffff880`05894960 fffff800`01ace853 nt!NtWaitForMultipleObjects+0xe5 fffff880`05894bb0 00000000`76e3046a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05894c20) 00000000`02d1f948 000007fe`fd0813a6 ntdll!NtWaitForMultipleObjects+0xa 00000000`02d1f950 00000000`76bcf190 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`02d1fa50 000007fe`ed746b84 kernel32!WaitForMultipleObjects+0xb0 00000000`02d1fae0 000007fe`ed747059 SmartcardCredentialProvider!I_ReaderMonitorWorker+0×9c 00000000`02d1fb80 00000000`76bdf56d SmartcardCredentialProvider!I_ReaderMonitorThreadProc+0×31 00000000`02d1fbc0 00000000`76e13281 kernel32!BaseThreadInitThunk+0xd 00000000`02d1fbf0 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

So according to memory dump analysis pattern terminology these 2 processes are strongly coupled and this fact can be used for analysis logon problems in terminal services environments: http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/

intrauser isolation (p. 459)

file object security (p. 460) - here is an example from x64 W2K8 R2:

0: kd> !handle [...] 0008: Object: fffffa800658e070 GrantedAccess: 00100020 Entry: fffff8a00445d020 Object: fffffa800658e070 Type: (fffffa8003c0dde0) File ObjectHeader: fffffa800658e040 (new version) HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \DL\Notmyfault\exe\x64\Release {HarddiskVolume2} […] 001c: Object: fffffa8005f44ee0 GrantedAccess: 001f0003 (Protected) Entry: fffff8a00445d070 Object: fffffa8005f44ee0 Type: (fffffa8003c00570) Event ObjectHeader: fffffa8005f44eb0 (new version) HandleCount: 1 PointerCount: 2 […]

0: kd> dt _OBJECT_TYPE fffffa8003c0dde0 ntdll!_OBJECT_TYPE +0x000 TypeList : _LIST_ENTRY [ 0xfffffa80`03c0dde0 - 0xfffffa80`03c0dde0 ] +0x010 Name : _UNICODE_STRING "File" +0x020 DefaultObject : 0x00000000`00000098 +0x028 Index : 0x1c '' +0x02c TotalNumberOfObjects : 0x5645 +0x030 TotalNumberOfHandles : 0x89e +0x034 HighWaterNumberOfObjects : 0x5baf +0x038 HighWaterNumberOfHandles : 0x8b5 +0×040 TypeInfo : _OBJECT_TYPE_INITIALIZER +0×0b0 TypeLock : _EX_PUSH_LOCK +0×0b8 Key : 0×656c6946 +0×0c0 CallbackList : _LIST_ENTRY [ 0xfffffa80`03c0dea0 - 0xfffffa80`03c0dea0 ]

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c0dde0+40 ntdll!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x70 +0x002 ObjectTypeFlags : 0x11 '' +0x002 CaseInsensitive : 0y1 +0x002 UnnamedObjectsOnly : 0y0 +0x002 UseDefaultObject : 0y0 +0x002 SecurityRequired : 0y0 +0x002 MaintainHandleCount : 0y1 +0x002 MaintainTypeList : 0y0 +0x002 SupportsObjectCallbacks : 0y0 +0x004 ObjectTypeCode : 1 +0x008 InvalidAttributes : 0x130 +0x00c GenericMapping : _GENERIC_MAPPING +0x01c ValidAccessMask : 0x1f01ff +0x020 RetainAccess : 0 +0x024 PoolType : 0 ( NonPagedPool ) +0x028 DefaultPagedPoolCharge : 0x400 +0x02c DefaultNonPagedPoolCharge : 0x180 +0x030 DumpProcedure : (null) +0x038 OpenProcedure : (null) +0x040 CloseProcedure : 0xfffff800`01de6890 void nt!IopCloseFile+0 +0x048 DeleteProcedure : 0xfffff800`01de6610 void nt!IopDeleteFile+0 +0x050 ParseProcedure : 0xfffff800`01df7370 long nt!IopParseFile+0 +0×058 SecurityProcedure : 0xfffff800`01db7130 long nt!IopGetSetSecurityObject+0 +0×060 QueryNameProcedure : 0xfffff800`01db7470 long nt!IopQueryName+0<> +0×068 OkayToCloseProcedure : (null)

0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa8003c00570+40 ntdll!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x70 +0x002 ObjectTypeFlags : 0 '' +0x002 CaseInsensitive : 0y0 +0x002 UnnamedObjectsOnly : 0y0 +0x002 UseDefaultObject : 0y0 +0x002 SecurityRequired : 0y0 +0x002 MaintainHandleCount : 0y0 +0x002 MaintainTypeList : 0y0 +0x002 SupportsObjectCallbacks : 0y0 +0x004 ObjectTypeCode : 2 +0x008 InvalidAttributes : 0x100 +0x00c GenericMapping : _GENERIC_MAPPING +0x01c ValidAccessMask : 0x1f0003 +0x020 RetainAccess : 0 +0x024 PoolType : 0 ( NonPagedPool ) +0x028 DefaultPagedPoolCharge : 0 +0x02c DefaultNonPagedPoolCharge : 0x70 +0x030 DumpProcedure : (null) +0x038 OpenProcedure : (null) +0x040 CloseProcedure : (null) +0x048 DeleteProcedure : (null) +0x050 ParseProcedure : (null) +0×058 SecurityProcedure : 0xfffff800`01d97070 long nt!SeDefaultObjectMethod+0 +0×060 QueryNameProcedure : (null) +0×068 OkayToCloseProcedure : (null)

SID = SVAS*-RID, S-Version-Authority-Subauthority*-RelativeID (pp. 461 - 462)

PsGetSid (p. 463)

Administrator SID = Machine SID + ‘-500′ (p. 463) - here’s my test (real computer name has been changed to COMPUTER):

C:\PsTools>PsGetSid COMPUTER

SID for COMPUTER\COMPUTER: S-1-5-21-30...49-19...94-15...96

C:\PsTools>PsGetSid S-1-5-21-30...49-19...94-15...96-500

Account for COMPUTER\S-1-5-21-30...49-19...94-15...96-500: User: COMPUTER\Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -

100 posts

Dmitry Vostokov — Sat, 10 Apr 2010 00:30:53 +0000

Established 2 years ago, in April 2008, Software Generalist blog celebrates its 100th post.

- Dmitry Vostokov @ SoftwareGeneralist.com -