We define abstraction as selective ignorance.


kd> $$><e:\windbg_main\app_thread\kthread_main.txt ==> Write these codes as you write novels!
Closing open log file e:\windbg_main\logs\kthread_main.log
Opened log file 'e:\windbg_main\logs\kthread_main.log'
  Alias            Value  
 -------          ------- 
 $SafetyCheck     "Written by Takashi Toyota";        
 $arg0            e:\windbg_main\app_thread\kthread_main.txt 


Started ...

System(0x81341830) has 0x00000046 active threads
	Thread: 0x813415a8
		Wait Reason: 00000008 Ignore details now! Get a bigger pic instead! 
		State: 00000001 Not in wait state.
		Wait Mode: 00000000 Kernel mode
	Thread: 0x8133eda8
		Wait Reason: 0000000f Ignore details now! Get a bigger pic instead!
		State: 00000005 In wait state.
		Wait Mode: 00000001 User mode
	Thread: 0x8133eb20
		Wait Reason: 0000000f
		State: 00000005
		Wait Mode: 00000001


[---]


blinksvc.exe(0xfea51728) has 0x0000001a active threads
	Thread: 0xfe9eb328
		Wait Reason: 00000000
		State: 00000005
		Wait Mode: 00000001
	Thread: 0xfe9f48e0
		Wait Reason: 00000006
		State: 00000005
		Wait Mode: 00000001
	Thread: 0xfea32cd8
		Wait Reason: 0000000d
		State: 00000005
		Wait Mode: 00000001

[---]


wmiprvse.exe(0xfd812488) has 0x00000000 active threads  This process has no active threads!


[---]


Ended ...

kd> $$><e:\WinDbg_main\app_ads\activeandinactivethreads_1.txt ==> Write these codes as you write novels!
Closing open log file e:\windbg_main\logs\activeandinactivethreads_1.log
Opened log file 'e:\windbg_main\logs\activeandinactivethreads_1.log'
  Alias            Value  
 -------          ------- 
 $SafetyCheck     "Written by Takashi Toyota";        
 $arg0            e:\WinDbg_main\app_ads\activeandinactivethreads_1.txt 


System(0x81341830) has 0x00000046 active threads
	 Terminated Thread(0x8133e030)
	 *** InactiveThreads *** 0x00000001 

smss.exe(0x811de030) has 0x00000003 active threads
csrss.exe(0xfea668b0) has 0x0000000a active threads
winlogon.exe(0xfea5eaf8) has 0x00000017 active threads
	 Terminated Thread(0xfea78c70)
	 Terminated Thread(0xfdb94da8)
	 Terminated Thread(0xfd894940)
	 *** InactiveThreads *** 0x00000003 

[---]


wmiprvse.exe(0xfd812488) has 0x00000000 active threads  No active threads. Already terminated?
	 Terminated Thread(0xfd801d00)  Already terminated but instance still in memory.
	 *** InactiveThreads *** 0x00000001 

hkcmd.exe(0xfe9ec2e8) has 0x00000001 active threads
	 Terminated Thread(0x811e8da8)
	 *** InactiveThreads *** 0x00000001 

jusched.exe(0xfea564f8) has 0x00000001 active threads
reader_sl.exe(0xfd7fa4b0) has 0x00000002 active threads
ctfmon.exe(0xfd30e578) has 0x00000001 active threads
BLINK.EXE(0xfc257a40) has 0x00000008 active threads
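
The two scripts whose output appears above (kthread_main.txt and activeandinactivethreads_1.txt) are not reproduced on this page. What follows is an added WinDbg script, written for this page and not the author's own, that produces the same kind of listing: it walks nt!PsActiveProcessHead, prints each process's ActiveThreads count, then walks that process's ThreadListHead and reports every ETHREAD whose Terminated flag is set, together with the KTHREAD State, WaitReason and WaitMode values that the first script prints. It assumes an x86 Windows XP kernel dump with nt symbols loaded (the field names used exist in XP's _EPROCESS, _ETHREAD and _KTHREAD; all offsets are resolved from symbols, none are hard-coded); the script's file name and path are placeholders.

```windbg
$$ Added example (not the author's kthread_main.txt / activeandinactivethreads_1.txt).
$$ Assumes an x86 Windows XP kernel dump with nt symbols loaded.
$$ File name and path are placeholders: e:\windbg_main\examples\terminated_threads.txt
$$ Usage:  kd> $$><e:\windbg_main\examples\terminated_threads.txt

$$ @$t0 walks the ActiveProcessLinks list anchored at nt!PsActiveProcessHead
r @$t0 = poi(nt!PsActiveProcessHead)
.while (@$t0 != nt!PsActiveProcessHead) {

    $$ LIST_ENTRY address -> owning _EPROCESS (offset comes from symbols)
    r @$t1 = #CONTAINING_RECORD(@$t0, nt!_EPROCESS, ActiveProcessLinks)
    r @$t2 = @@c++(((nt!_EPROCESS *)@$t1)->ActiveThreads)
    .printf "%ma(0x%p) has 0x%08x active threads\n", @@c++(&((nt!_EPROCESS *)@$t1)->ImageFileName), @$t1, @$t2

    $$ @$t3 counts threads flagged Terminated but still linked into the process
    r @$t3 = 0
    $$ @$t4 walks ThreadListHead; each entry is an _ETHREAD.ThreadListEntry
    r @$t4 = @@c++(((nt!_EPROCESS *)@$t1)->ThreadListHead.Flink)
    .while (@$t4 != @@c++(&((nt!_EPROCESS *)@$t1)->ThreadListHead)) {
        r @$t5 = #CONTAINING_RECORD(@$t4, nt!_ETHREAD, ThreadListEntry)
        .if (@@c++(((nt!_ETHREAD *)@$t5)->Terminated)) {
            r @$t3 = @$t3 + 1
            $$ KTHREAD.State: 1 = Ready, 2 = Running, 4 = Terminated, 5 = Waiting
            r @$t6 = @@c++(((nt!_ETHREAD *)@$t5)->Tcb.State)
            .printf "\t Terminated Thread(0x%p)  State: %d  Wait Reason: %d  Wait Mode: %d\n", @$t5, @$t6, @@c++(((nt!_ETHREAD *)@$t5)->Tcb.WaitReason), @@c++(((nt!_ETHREAD *)@$t5)->Tcb.WaitMode)
            .if (@$t6 == 2) {
                $$ Terminated flag set while State is still Running: the thread is executing its own exit path
                .printf "\t   -> flagged Terminated yet still RUNNING; look for nt!PspExitThread in its !thread stack\n"
            }
        }
        r @$t4 = poi(@$t4)
    }
    .if (@$t3 != 0) {
        .printf "\t *** InactiveThreads *** 0x%08x\n", @$t3
    }

    r @$t0 = poi(@$t0)
}
```

Run it with `$$><` exactly as the author does, not `$$<`: the `><` form condenses the file into one command block, which is what lets the multi-line `.while` and `.if` braces work. A thread listed with State 2 and the Terminated flag is the situation the wmiprvse.exe entries on this page illustrate: its ETHREAD is still linked into the process while it runs the exit path, so it shows up as inactive in the count yet RUNNING in !thread.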

kd> !process 0xfd812488
PROCESS fd812488  SessionId: 0  Cid: 05d4    Peb: 7ffdf000  ParentCid: 02d4
    DirBase: 08f20000  ObjectTable: 00000000  HandleCount:   0. 
ObjectTable is NULL and HandleCount is 0: this exiting process has no open handles left, and its handle table has already been torn down, so nothing in the object namespace can be reached through it any more!
    Image: wmiprvse.exe
    VadRoot fd808f00 Vads 3 Clone 0 Private 3. Modified 36. Locked 0.
    DeviceMap e15eec70
    Token                             e120dcc8
    ElapsedTime                       00:05:07.732
    UserTime                          00:00:00.320
    KernelTime                        00:00:00.961
    QuotaPoolUsage[PagedPool]         328
    QuotaPoolUsage[NonPagedPool]      120
    Working Set Sizes (now,min,max)  (7, 50, 345) (28KB, 200KB, 1380KB)
    PeakWorkingSetSize                1914
    VirtualSize                       40 Mb
    PeakVirtualSize                   48 Mb
    PageFaultCount                    3503
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      41
    Job                               81298e80

[---]

kd> !thread 0xfd801d00
THREAD fd801d00  Cid 05d4.04dc  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Very strange at first glance: the script counted this thread as terminated, yet !thread reports it RUNNING on processor 0! The stack below resolves it: the thread is still executing its own exit path inside nt!PspExitThread, which sets the ETHREAD Terminated flag before the thread is switched out, and it is this thread that raised the 0x8E (KERNEL_MODE_EXCEPTION_NOT_HANDLED, status c0000005) bug check while doing so.
Not impersonating 
DeviceMap                 e15eec70
Owning Process            0       Image:         
Attached Process          fd812488       Image:         wmiprvse.exe
Wait Start TickCount      54564          Ticks: 0
Context Switch Count      754                 LargeStack
UserTime                  00:00:00.030
KernelTime                00:00:00.821
Win32 Start Address 0x01024636
Start Address 0x7c810665
Stack Init f38f7000 Current f38f66ac Base f38f7000 Limit f38f3000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child              
f38f5d68 8051f6ef 0000008e c0000005 80568ecc nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f38f6130 804e1235 f38f614c 00000000 f38f61a0 nt!KiDispatchException+0x3b1 (FPO: [Non-Fpo])
f38f6198 804e11e6 f38f6238 80568ecc badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
f38f61dc 80566237 fd801d00 8056dc7c f38f63c4 nt!KiExceptionExit+0x18a
f38f6238 80568fd1 00000000 f38f6250 00000000 nt!ObpIncrementHandleCount+0x3c0 (FPO: [Non-Fpo])
f38f6254 80566338 00000000 f38f6288 00000000 nt!ExCreateHandle+0x19 (FPO: [Non-Fpo])
f38f62a8 8056dc49 00000001 e120dcc8 00000000 nt!ObpCreateHandle+0x3f7 (FPO: [Non-Fpo])
f38f6378 8056e2b6 e120dcc8 00000000 00000000 nt!ObOpenObjectByPointer+0xa4 (FPO: [Non-Fpo])
f38f63d4 8056e056 8000067c 00020008 00000000 nt!NtOpenProcessTokenEx+0x94 (FPO: [Non-Fpo])
f38f63ec 804e07ec 8000067c 00020008 f38f6564 nt!NtOpenProcessToken+0x15 (FPO: [Non-Fpo])
f38f63ec 804df069 8000067c 00020008 f38f6564 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f38f6400)
f38f6470 f92b265b 8000067c 00020008 f38f6564 nt!ZwOpenProcessToken+0x11 (FPO: [3,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
f38f65a8 f92b2ad5 fda702b0 fedee898 fea06afc PROCMON12+0x165b
f38f65c4 f92b3bd9 000005d4 00000001 ff37d6f8 PROCMON12+0x1ad5
f38f65fc baf24888 fea06afc 0000002e f38f664c PROCMON12+0x2bd9
f38f665c baf262a0 008f66a4 00000000 f38f66a4 fltmgr!FltpPerformPreCallbacks+0x2d4 (FPO: [Non-Fpo])
f38f6670 baf26c48 f38f66a4 00000000 813512b8 fltmgr!FltpPassThroughInternal+0x32 (FPO: [Non-Fpo])
f38f668c baf27059 f38f6601 fedf5d01 812f4828 fltmgr!FltpPassThrough+0x1c2 (FPO: [Non-Fpo])
f38f66bc 804e57f7 813512b8 81f2ee48 806ef2a4 fltmgr!FltpDispatch+0x10d (FPO: [Non-Fpo])
f38f66cc 8066bfc5 fea6b970 05048000 fedf5dc8 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f38f66f0 804fbc23 fd801d00 fedf5db8 fedf5dc8 nt!IovCallDriver+0xa0 (FPO: [Non-Fpo])
f38f6704 804fbc4a 813512b8 fedf5d09 fedf5dd0 nt!IopPageReadInternal+0xf4 (FPO: [Non-Fpo])
f38f6724 804fb8af fea6b970 fedf5df0 fedf5dd0 nt!IoPageRead+0x1b (FPO: [Non-Fpo])
f38f6798 804eb01e 0f58f884 c0081000 c0300204 nt!MiDispatchFault+0x274 (FPO: [Non-Fpo])
f38f67e8 80578d1b 00000000 c0081000 00000000 nt!MmAccessFault+0xc09 (FPO: [Non-Fpo])
f38f6810 80524241 c0300204 20400000 f38f68dc nt!MiMakeSystemAddressValid+0x51 (FPO: [Non-Fpo])
f38f6820 804f7a20 c0300204 fd812488 00000001 nt!MiDoesPdeExistAndMakeValid+0x34 (FPO: [Non-Fpo])
f38f68dc 804f7244 e17df038 2055ffff 00000000 nt!MiDeleteVirtualAddresses+0x208 (FPO: [Non-Fpo])
f38f6988 805013dd fd812488 812bd2c0 fd8125c0 nt!MiRemoveMappedView+0x212 (FPO: [Non-Fpo])
f38f69c4 805869a3 01812488 fd801d00 fd801f48 nt!MmCleanProcessAddressSpace+0x264 (FPO: [Non-Fpo])
f38f6a6c 8057d746 00000000 fd801d00 00000000 nt!PspExitThread+0x680 (FPO: [Non-Fpo])
f38f6a8c 80586828 fd801d00 00000000 ffffffff nt!PspTerminateThreadByPointer+0x52 (FPO: [Non-Fpo])
f38f6ab8 f4a89786 00000000 00000000 f38f6d64 nt!NtTerminateProcess+0x118 (FPO: [Non-Fpo])
f38f6d54 804e07ec ffffffff 00000000 0007fee4 eeyeh+0xa786
f38f6d54 7c94eb94 ffffffff 00000000 0007fee4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f38f6d64)
0007fee4 00000000 00000000 00000000 00000000 0x7c94eb94


Windows Crash Dump Analysis Basics


Copyright © Takashi Toyota 2004-2012