Part 1:
kd> !PROCESS fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 0.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 10 Clone 0 Private 15. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token fffff8a000e7c680
ElapsedTime 00:00:00.390
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 13568
QuotaPoolUsage[NonPagedPool] 1080
Working Set Sizes (now,min,max) (21, 50, 345) (84KB, 200KB, 1380KB)
PeakWorkingSetSize 21
VirtualSize 5 Mb
PeakVirtualSize 5 Mb
PageFaultCount 16
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 734
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: 0000000000000000 READY on processor 0
Not impersonating
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275087847 Ticks: 25 (0:00:00:00.390)
Context Switch Count 0 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00000000ff3ed124
Stack Init fffff880042dad70 Current fffff880042daa60
Base fffff880042db000 Limit fffff880042d5000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`042daaa0 fffff800`02a6bad7 nt!KiStartUserThread
fffff880`042dabe0 00000000`777b943c nt!KiStartUserThreadReturn (TrapFrame @ fffff880`042dabe0)
00000000`000afac8 00000000`00000000 0x777b943c
Part 2:
kd> t
Breakpoint 9 hit
winlogon!WinMainCRTStartup:
0033:00000000`ff3ed124 ?? ???
kd> kc
Call Site
00 winlogon!WinMainCRTStartup
01 kernel32!BaseThreadInitThunk
02 ntdll!RtlUserThreadStart
kd> kc
Call Site
00 winlogon!WinMainCRTStartup
01 kernel32!BaseThreadInitThunk
02 ntdll!RtlUserThreadStart
kd> pc
winlogon!WinMainCRTStartup+0x4:
0033:00000000`ff3ed128 e8e3020000 call winlogon!_security_init_cookie (00000000`ff3ed410)
kd> p
winlogon!WinMainCRTStartup+0x9:
0033:00000000`ff3ed12d 4883c428 add rsp,28h
kd> pc
winlogon!DbgSetLoggingOption+0xc0:
0033:00000000`ff3ece10 ?? ???
kd> pc
winlogon!DbgSetLoggingOption+0xdd:
0033:00000000`ff3ece2d ff15a544fbff call qword ptr [winlogon!_imp_GetStartupInfoW (00000000`ff3a12d8)]
kd> pc
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1 call rcx
kd> r
rax=0000000000000000 rbx=0000000000000000 rcx=00000000ff3ed04c
rdx=00000000000af9d0 rsi=0000000000000000 rdi=00000000ff3a1be8
rip=00000000ff3eceba rsp=00000000000af990 rbp=0000000000000000
r8=00000000002621e0 r9=0000000000000000 r10=0000000000000000
r11=ffffed13852b8d76 r12=00000000ff3a1bf8 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1 call rcx {winlogon!DbgSetLoggingOption+0x2fc (00000000`ff3ed04c)}
kd> pc
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1 call rcx
kd> r
rax=0000000000000000 rbx=0000000000000000 rcx=00000000ff3ed1fc
rdx=00000000ff3a0000 rsi=0000000000000000 rdi=00000000ff3a1bf0
rip=00000000ff3eceba rsp=00000000000af990 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=ffffffffffffffff r12=00000000ff3a1bf8 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1 call rcx {winlogon!_CxxSetUnhandledExceptionFilter (00000000`ff3ed1fc)}
kd> pc
winlogon!DbgSetLoggingOption+0x1ac:
0033:00000000`ff3ecefc e827040000 call winlogon!initterm (00000000`ff3ed328)
Part 3:
kd> !process fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 13.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 38 Clone 0 Private 128. Modified 0. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7c680
ElapsedTime 00:00:06.177
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 51032
QuotaPoolUsage[NonPagedPool] 4440
Working Set Sizes (now,min,max) (726, 50, 345) (2904KB, 200KB, 1380KB)
PeakWorkingSetSize 726
VirtualSize 22 Mb
PeakVirtualSize 22 Mb
PageFaultCount 738
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 800
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 RUNNING on processor 0
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088243 Ticks: 0
Context Switch Count 89 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:04.742
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422baa0
Base fffff8800422d000 Limit fffff88004225000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0422bd68 fffff800`033730b7 nt!PspCreateThread
fffff880`0422bd70 fffff800`02a70e13 nt!NtCreateThreadEx+0x31f
fffff880`0422c4c0 fffff800`02a6aa40 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422c530)
fffff880`0422c6c8 fffff800`0337f688 nt!KiServiceLinkage
fffff880`0422c6d0 fffff800`0340a02b nt!RtlpCreateUserThreadEx+0x174
fffff880`0422c820 fffff800`03409597 nt!EtwpInjectThread+0xdf
fffff880`0422c8a0 fffff800`034091d0 nt!EtwpQueueNotification+0x3a7
fffff880`0422c940 fffff800`033fd00b nt!EtwpSendDataBlock+0x1f8
fffff880`0422c9f0 fffff800`03401617 nt!EtwpEnableGuid+0x5a7
fffff880`0422cae0 fffff800`02a70e13 nt!NtTraceControl+0x453
fffff880`0422cb70 00000000`7785b9fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af368 00000000`778240c3 ntdll!NtTraceControl+0x1e
00000000`000af370 000007fe`fe283c32 ntdll!EtwSendNotification+0x8f
00000000`000af490 000007fe`fe2838ef ADVAPI32!EnableTraceEx2+0x326
00000000`000af5b0 000007fe`fe283828 ADVAPI32!EnableTraceEx+0xbb
00000000`000af640 00000000`ff3b1575 ADVAPI32!EnableTrace+0x4c
00000000`000af6a0 00000000`ff3b1a78 winlogon!WppStart+0x4d9
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0x194
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
Part 4:
kd> g
Breakpoint 14 hit
winlogon!WppStart+0x4d9:
0033:00000000`ff3b1575 89442438 mov dword ptr [rsp+38h],eax
kd> kc
Call Site
00 winlogon!WppStart
01 winlogon!WinMain
02 winlogon!DbgSetLoggingOption
03 kernel32!BaseThreadInitThunk
04 ntdll!RtlUserThreadStart
kd> pc
winlogon!WppStart+0x4fe:
0033:00000000`ff3b159a ff1588a50400 call qword ptr [winlogon!_imp_EnableTrace (00000000`ff3fbb28)]
kd> pc
winlogon!WppStart+0x4fe:
0033:00000000`ff3b159a ff1588a50400 call qword ptr [winlogon!_imp_EnableTrace (00000000`ff3fbb28)]
kd> pc
winlogon!WppStart+0x529:
0033:00000000`ff3b15c5 ff155da50400 call qword ptr [winlogon!_imp_EnableTrace (00000000`ff3fbb28)]
kd> pc
winlogon!WppStart+0x541:
0033:00000000`ff3b15dd ff1515fcfeff call qword ptr [winlogon!_imp_LocalFree (00000000`ff3a11f8)]
kd> pc
winlogon!WppStart+0x554:
0033:00000000`ff3b15f0 e85bbb0300 call winlogon!_security_check_cookie (00000000`ff3ed150)
kd> pc
winlogon!WinMain+0x1a7:
0033:00000000`ff3b1a8b ff1577fefeff call qword ptr [winlogon!_imp_EtwEventRegister (00000000`ff3a1908)]
kd> pc
winlogon!WinMain+0x1ad:
0033:00000000`ff3b1a91 e81e330300 call winlogon!UmsHlprInit (00000000`ff3e4db4)
kd> pc
winlogon!WinMain+0x21e:
0033:00000000`ff3b1b02 ff1558f6feff call qword ptr [winlogon!_imp_HeapCreate (00000000`ff3a1160)]
kd> pc
winlogon!WinMain+0x2a9:
0033:00000000`ff3b1b8d e8eecfffff call winlogon!SetProcessPriority (00000000`ff3aeb80)
kd> pc
winlogon!WinMain+0x325:
0033:00000000`ff3b1c09 ff1551f5feff call qword ptr [winlogon!_imp_HeapCreate (00000000`ff3a1160)]
kd> pc
winlogon!WinMain+0x3c3:
0033:00000000`ff3b1ca7 e8a0950100 call winlogon!JobManagerInitialize (00000000`ff3cb24c)
kd> pc
winlogon!WinMain+0x454:
0033:00000000`ff3b1d38 ff15d2f2feff call qword ptr [winlogon!_imp_RegOpenKeyExW (00000000`ff3a1010)]
kd> pc
winlogon!WinMain+0x466:
0033:00000000`ff3b1d4a ff15b0f2feff call qword ptr [winlogon!_imp_RegCloseKey (00000000`ff3a1000)]
kd> pc
winlogon!WinMain+0x47d:
0033:00000000`ff3b1d61 e862cbffff call winlogon!InitializeData (00000000`ff3ae8c8)
kd> pc
winlogon!WinMain+0x52b:
0033:00000000`ff3b1e0f ff15fbf1feff call qword ptr [winlogon!_imp_RegOpenKeyExW (00000000`ff3a1010)]
Part 5:
kd> pc
winlogon!WinMain+0x67a:
0033:00000000`ff3b1f5e e8911b0100 call winlogon!CGlobalStore::RegQueryWinlogonDWORD (00000000`ff3c3af4)
kd> pc
winlogon!WinMain+0x68a:
0033:00000000`ff3b1f6e e86d3e0300 call winlogon!InitDebugHelpers (00000000`ff3e5de0)
kd> pc
Breakpoint 0 hit
nt!PspCreateThread:
fffff800`03355e40 4c8bdc mov r11,rsp
kd> kc
Call Site
00 nt!PspCreateThread
01 nt!NtCreateThreadEx
02 nt!KiSystemServiceCopyEnd
03 ntdll!NtCreateThreadEx
04 ntdll!RtlpCreateUserThreadEx
05 ntdll!TppWaiterpSpinupThread
06 ntdll!TppWaiterAllocWaitSlot
07 ntdll!TppWaitAlloc
08 ntdll!TppTimerpInitTimerQueueQueue
09 ntdll!TppTimerpAllocTimerQueue
0a ntdll!TppTimerpAcquirePoolTimerQueue
0b ntdll!TppTimerAlloc
0c ntdll!TpAllocTimer
0d ntdll!RtlCreateTimer
0e KERNELBASE!CreateTimerQueueTimer
0f kernel32!SetTimerQueueTimer
10 winlogon!InitDebugHelpers
11 winlogon!WinMain
12 winlogon!DbgSetLoggingOption
13 kernel32!BaseThreadInitThunk
14 ntdll!RtlUserThreadStart
kd> !process fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 25.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 48 Clone 0 Private 154. Modified 0. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7c680
ElapsedTime 00:00:10.062
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 51928
QuotaPoolUsage[NonPagedPool] 5704
Working Set Sizes (now,min,max) (789, 50, 345) (3156KB, 200KB, 1380KB)
PeakWorkingSetSize 789
VirtualSize 26 Mb
PeakVirtualSize 27 Mb
PageFaultCount 801
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 857
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (WrKeyedEvent) UserMode Non-Alertable
fffffa802150ca20 Semaphore Limit 0x1
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088482 Ticks: 10 (0:00:00:00.156)
Context Switch Count 119 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:08.455
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422c860
Base fffff8800422d000 Limit fffff88004225000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0422c8a0 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422c9e0 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422ca30 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422caa0 fffff800`03437116 nt!KeWaitForSingleObject+0x532
fffff880`0422cb40 fffff800`02a70e13 nt!NtWaitForKeyedEvent+0x3b6
fffff880`0422cbe0 00000000`7785bb5e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af1a8 00000000`77831a69 ntdll!ZwWaitForKeyedEvent+0x1e
00000000`000af1b0 00000000`77831c97 ntdll!TppWaitpSet+0x419
00000000`000af260 00000000`7782e70a ntdll!TpSetWait+0x1bb
00000000`000af360 00000000`7782ea31 ntdll!TppTimerpInitTimerQueueQueue+0x102
00000000`000af3c0 00000000`7782ed76 ntdll!TppTimerpAllocTimerQueue+0x195
00000000`000af420 00000000`7782efc7 ntdll!TppTimerpAcquirePoolTimerQueue+0x52
00000000`000af460 00000000`7782f236 ntdll!TppTimerAlloc+0x19b
00000000`000af4f0 00000000`7783c57e ntdll!TpAllocTimer+0xf6
00000000`000af600 000007fe`fd91d835 ntdll!RtlCreateTimer+0x1b6
00000000`000af6e0 00000000`776e19ac KERNELBASE!CreateTimerQueueTimer+0x61
00000000`000af740 00000000`ff3e5f3d kernel32!SetTimerQueueTimer+0x4c
00000000`000af7a0 00000000`ff3b1f73 winlogon!InitDebugHelpers+0x15d
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0x68f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
kd> kc
Call Site
00 winlogon!WinMain
01 winlogon!DbgSetLoggingOption
02 kernel32!BaseThreadInitThunk
03 ntdll!RtlUserThreadStart
Part 6:
kd> pc
winlogon!WinMain+0x6e6:
0033:00000000`ff3b1fca e87d3f0300 call winlogon!SetProfilesLocation (00000000`ff3e5f4c)
kd> pc
winlogon!WinMain+0x6ed:
0033:00000000`ff3b1fd1 e822330000 call winlogon!SetupBasicEnvironment (00000000`ff3b52f8)
kd> pc
winlogon!WinMain+0x6f2:
0033:00000000`ff3b1fd6 e8bde20000 call winlogon!AsyncLogoffSupportInit (00000000`ff3c0298)
kd> pc
winlogon!WinMain+0x74c:
0033:00000000`ff3b2030 ?? ???
kd> pc
winlogon!WinMain+0x755:
0033:00000000`ff3b2039 e896290000 call winlogon!WMsgClntInitialize (00000000`ff3b49d4)
kd> pc
Breakpoint 0 hit
nt!PspCreateThread:
fffff800`03355e40 4c8bdc mov r11,rsp
kd> kc
Call Site
00 nt!PspCreateThread
01 nt!NtCreateThreadEx
02 nt!KiSystemServiceCopyEnd
03 nt!KiServiceLinkage
04 nt!RtlpCreateUserThreadEx
05 nt!ExpWorkerFactoryCreateThread
06 nt!ExpWorkerFactoryCheckCreate
07 nt!NtSetInformationWorkerFactory
08 nt!KiSystemServiceCopyEnd
09 ntdll!NtSetInformationWorkerFactory
0a ntdll!TpBindAlpcToDirect
0b ntdll!TppAllocAlpcCompletion
0c ntdll!TpAllocAlpcCompletionEx
0d RPCRT4!RPC_THREAD_POOL::CreateAlpc
0e RPCRT4!LRPC_ADDRESS::ServerStartingToListen
0f RPCRT4!RPC_SERVER::UseRpcProtocolSequence
10 RPCRT4!I_RpcServerUseProtseqEp2W
11 RPCRT4!RpcServerUseProtseqEpExW
12 RPCRT4!RpcServerUseProtseqEpW
13 winlogon!StartWMsgKServer
14 winlogon!WMsgClntInitialize
15 winlogon!WinMain
16 winlogon!DbgSetLoggingOption
17 kernel32!BaseThreadInitThunk
18 ntdll!RtlUserThreadStart
kd> bp 00000000`ff3b203e
kd> g
Breakpoint 16 hit
winlogon!WinMain+0x75a:
0033:00000000`ff3b203e 89442440 mov dword ptr [rsp+40h],eax
kd> pc
winlogon!WinMain+0x7cc:
0033:00000000`ff3b20b0 ff1582f9feff call qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]
Part 7:
kd> g
Breakpoint 16 hit
winlogon!WinMain+0x75a:
0033:00000000`ff3b203e 89442440 mov dword ptr [rsp+40h],eax
kd> pc
winlogon!WinMain+0x7cc:
0033:00000000`ff3b20b0 ff1582f9feff call qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]
kd> p
winlogon!WinMain+0x7d2:
0033:00000000`ff3b20b6 3ac3 cmp al,bl
kd> pc
winlogon!WinMain+0x7ea:
0033:00000000`ff3b20ce ff156cf9feff call qword ptr [winlogon!_imp_EtwEventWrite (00000000`ff3a1a40)]
kd> pc
winlogon!WinMain+0x81c:
0033:00000000`ff3b2100 e82bfd0000 call winlogon!CSession::CreatePrimaryTerminal (00000000`ff3c1e30)
kd> !PROCESS fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 42.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 55 Clone 0 Private 274. Modified 1. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7c680
ElapsedTime 00:00:13.041
UserTime 00:00:00.000
KernelTime 00:00:00.093
QuotaPoolUsage[PagedPool] 51248
QuotaPoolUsage[NonPagedPool] 6544
Working Set Sizes (now,min,max) (1096, 50, 345) (4384KB, 200KB, 1380KB)
PeakWorkingSetSize 1104
VirtualSize 28 Mb
PeakVirtualSize 60 Mb
PageFaultCount 1276
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 991
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (WrLpcReply) KernelMode Non-Alertable
fffffa802150ca20 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa80214e1c70 : queued at port fffffa802150dbd0 : owned by process fffffa801bbc6150
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088683 Ticks: 0
Context Switch Count 129 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:10.218
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422b8e0
Base fffff8800422d000 Limit fffff88004224000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0422b920 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422ba60 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422bab0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422bb20 fffff800`028ef0db nt!KeWaitForSingleObject+0x532
fffff880`0422bbc0 fffff800`031cbd85 nt!AlpcpSignalAndWait+0x277
fffff880`0422bc80 fffff800`03217474 nt!AlpcpReceiveSynchronousReply+0xf9
fffff880`0422bd80 fffff800`031615cd nt!AlpcpProcessSynchronousRequest+0xf10
fffff880`0422beb0 fffff800`03162d51 nt!LpcpRequestWaitReplyPort+0x249
fffff880`0422bf50 fffff960`001e5a13 nt!LpcRequestWaitReplyPort+0x55
fffff880`0422bfa0 fffff960`001e5f80 win32k!xxxInitTerminal+0x267
fffff880`0422c100 fffff960`00183c57 win32k!xxxCreateWindowStation+0x354
fffff880`0422c4f0 fffff800`02a70e13 win32k!NtUserCreateWindowStation+0x457
fffff880`0422cb70 00000000`775c08fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af098 00000000`77540694 USER32!NtUserCreateWindowStation+0xa
00000000`000af0a0 00000000`7754078b USER32!CommonCreateWindowStation+0x3f4
00000000`000af6f0 00000000`ff3e6a77 USER32!CreateWindowStationW+0x3b
00000000`000af730 00000000`ff3c1fc6 winlogon!CreatePrimaryTerminal+0xbb
00000000`000af7b0 00000000`ff3b2105 winlogon!CSession::CreatePrimaryTerminal+0x196
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0x821
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
Part 8:
winlogon!CreatePrimaryTerminal
kd> .process
Implicit process is now fffffa80`1da53b30
kd> g
Breakpoint 17 hit
winlogon!WinMain+0x821:
0033:00000000`ff3b2105 89442440 mov dword ptr [rsp+40h],eax
kd> kc
Call Site
00 winlogon!WinMain
01 winlogon!DbgSetLoggingOption
02 kernel32!BaseThreadInitThunk
03 ntdll!RtlUserThreadStart
kd> pc
winlogon!WinMain+0x838:
0033:00000000`ff3b211c ff1516f9feff call qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]
kd> pc
winlogon!WinMain+0x856:
0033:00000000`ff3b213a ff1500f9feff call qword ptr [winlogon!_imp_EtwEventWrite (00000000`ff3a1a40)]
kd> pc
winlogon!WinMain+0x959:
0033:00000000`ff3b223d e8faecffff call winlogon!WLEventWrite (00000000`ff3b0f3c)
kd> pc
winlogon!WinMain+0x960:
0033:00000000`ff3b2244 ff156ef3feff call qword ptr [winlogon!_imp_UpdatePerUserSystemParameters (00000000`ff3a15b8)]
Part 9:
kd> pc
winlogon!WinMain+0x96f:
0033:00000000`ff3b2253 e8e4ecffff call winlogon!WLEventWrite (00000000`ff3b0f3c)
kd> pc
winlogon!WinMain+0x99a:
0033:00000000`ff3b227e e8bd530200 call winlogon!SbBootPrompt (00000000`ff3d7640)
kd> pc
winlogon!WinMain+0xa1e:
0033:00000000`ff3b2302 e8d1bfffff call winlogon!WPP_SF_ (00000000`ff3ae2d8)
Part 10:
kd> t
winlogon!WPP_SF_:
0033:00000000`ff3ae2d8 488bc4 mov rax,rsp
kd> pc
winlogon!WPP_SF_+0x21:
0033:00000000`ff3ae2f9 e8f6f20300 call winlogon!EtwTraceMessage (00000000`ff3ed5f4)
kd> pc
winlogon!WinMain+0xa36:
0033:00000000`ff3b231a ff1518f7feff call qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]
kd> pc
winlogon!WinMain+0xa54:
0033:00000000`ff3b2338 ff1502f7feff call qword ptr [winlogon!_imp_EtwEventWrite (00000000`ff3a1a40)]
kd> pc
winlogon!WinMain+0xa5a:
0033:00000000`ff3b233e e8afc10300 call winlogon!WinStationWaitForConnect (00000000`ff3ee4f2)
kd> t
Breakpoint 10 hit
winlogon!WinStationWaitForConnect:
0033:00000000`ff3ee4f2 ff252832fbff jmp qword ptr [winlogon!_imp__WinStationWaitForConnect (00000000`ff3a1720)]
kd> kc
Call Site
00 winlogon!WinStationWaitForConnect
01 winlogon!WinMain
02 winlogon!DbgSetLoggingOption
03 kernel32!BaseThreadInitThunk
04 ntdll!RtlUserThreadStart
Part 11:
kd> pc
WINSTA!WinStationWaitForConnect+0x1d:
0033:000007fe`fcf8de21 e8927a0000 call WINSTA!_DbgPrintMessage (000007fe`fcf958b8)
kd> p
WINSTA!WinStationWaitForConnect+0x22:
0033:000007fe`fcf8de26 e835bc0000 call WINSTA!WaitForLsmStart (000007fe`fcf99a60)
kd> pc
Breakpoint 7 hit
nt!KiStartUserThread:
fffff800`02a6bb3f b901000000 mov ecx,1
kd> !PROCESS fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 52.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 56 Clone 0 Private 287. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7c680
ElapsedTime 00:00:14.601
UserTime 00:00:00.000
KernelTime 00:00:00.093
QuotaPoolUsage[PagedPool] 59696
QuotaPoolUsage[NonPagedPool] 6792
Working Set Sizes (now,min,max) (1205, 50, 345) (4820KB, 200KB, 1380KB)
PeakWorkingSetSize 1258
VirtualSize 29 Mb
PeakVirtualSize 60 Mb
PageFaultCount 1575
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 1004
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801f3abae0 NotificationEvent
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088782 Ticks: 1 (0:00:00:00.015)
Context Switch Count 141 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:11.606
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422c890
Base fffff8800422d000 Limit fffff88004224000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0422c8d0 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422ca10 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422ca60 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422cad0 fffff800`0331f9af nt!KeWaitForSingleObject+0x532
fffff880`0422cb70 fffff800`02a70e13 nt!NtWaitForSingleObject+0xf7
fffff880`0422cbe0 00000000`778589fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af6c8 000007fe`fd925ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`000af6d0 000007fe`fcf99ad8 KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`000af780 000007fe`fcf8de2b WINSTA!WaitForLsmStart+0x78
00000000`000af7b0 00000000`ff3b2343 WINSTA!WinStationWaitForConnect+0x27
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0xa5f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
kd> bp 000007fe`fcf99ad8
kd> !PROCESS fffffa801f3f9b30
PROCESS fffffa801f3f9b30
SessionId: 0 Cid: 01e0 Peb: 7fffffdd000 ParentCid: 0194
DirBase: 4daae000 ObjectTable: fffff8a000e782c0 HandleCount: 25.
Image: lsm.exe
VadRoot fffffa801f3ec7a0 Vads 29 Clone 0 Private 168. Modified 0. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7d060
ElapsedTime 00:00:16.473
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 24600
QuotaPoolUsage[NonPagedPool] 3360
Working Set Sizes (now,min,max) (655, 50, 345) (2620KB, 200KB, 1380KB)
PeakWorkingSetSize 655
VirtualSize 11 Mb
PeakVirtualSize 12 Mb
PageFaultCount 652
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 844
THREAD fffffa801f3ffb60 Cid 01e0.01e4 Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa801f3fff20 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa80215a0c70 : queued at port fffffa8021597e40 : owned by process fffffa801da55b30
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801f3f9b30 Image: lsm.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088846 Ticks: 15 (0:00:00:00.234)
Context Switch Count 25 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.124
Win32 Start Address lsm!mainCRTStartup (0x00000000ff413e7c)
Stack Init fffff880042c5d70 Current fffff880042c54d0
Base fffff880042c6000 Limit fffff880042c0000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`042c5510 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`042c5650 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`042c56a0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`042c5710 fffff800`028ef0db nt!KeWaitForSingleObject+0x532
fffff880`042c57b0 fffff800`031cbd85 nt!AlpcpSignalAndWait+0x277
fffff880`042c5870 fffff800`03217474 nt!AlpcpReceiveSynchronousReply+0xf9
fffff880`042c5970 fffff800`0321ae1a nt!AlpcpProcessSynchronousRequest+0xf10
fffff880`042c5aa0 fffff800`02a70e13 nt!NtAlpcSendWaitReceivePort+0x20e
fffff880`042c5b70 00000000`77859a1e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`042c5be0)
00000000`0014f1d8 000007fe`fe46838d ntdll!NtAlpcSendWaitReceivePort+0x1e
00000000`0014f1e0 000007fe`fe47f5d7 RPCRT4!LRPC_CASSOCIATION::AlpcSendWaitReceivePort+0x249
00000000`0014f260 000007fe`fe47c154 RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0x1cf
00000000`0014f2f0 000007fe`fe484ee1 RPCRT4!LRPC_BASE_CCALL::SendReceive+0xac
00000000`0014f360 000007fe`fe41c421 RPCRT4!LRPC_CCALL::SendReceive+0x31
00000000`0014f390 000007fe`fe4c75ce RPCRT4!I_RpcSendReceive+0xf1
00000000`0014f3c0 000007fe`fe518b54 RPCRT4!NdrSendReceive+0x72
00000000`0014f3f0 000007fe`fe518904 RPCRT4!NdrpClientCall2+0x244
00000000`0014f9d0 000007fe`fe30bd0f RPCRT4!NdrClientCall2+0x28
00000000`0014fa00 00000000`ff3d6d02 sechost!OpenSCManagerW+0x73
00000000`0014fa70 00000000`ff3d6be4 lsm!CService::Start+0x4e
00000000`0014fae0 00000000`ff413d2d lsm!main+0x260
00000000`0014fb50 00000000`776cb701 lsm!CRegistry::WriteRegString+0x255
00000000`0014fb90 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`0014fbc0 00000000`00000000 ntdll!RtlUserThreadStart+0x25
Part 12:
kd> !PROCESS fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 52.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 56 Clone 0 Private 287. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7c680
ElapsedTime 00:00:15.818
UserTime 00:00:00.000
KernelTime 00:00:00.093
QuotaPoolUsage[PagedPool] 59696
QuotaPoolUsage[NonPagedPool] 6792
Working Set Sizes (now,min,max) (1205, 50, 345) (4820KB, 200KB, 1380KB)
PeakWorkingSetSize 1258
VirtualSize 29 Mb
PeakVirtualSize 60 Mb
PageFaultCount 1575
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 1004
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801f3abae0 NotificationEvent
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088782 Ticks: 79 (0:00:00:01.232)
Context Switch Count 141 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:11.606
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422c890
Base fffff8800422d000 Limit fffff88004224000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0422c8d0 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422ca10 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422ca60 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422cad0 fffff800`0331f9af nt!KeWaitForSingleObject+0x532
fffff880`0422cb70 fffff800`02a70e13 nt!NtWaitForSingleObject+0xf7
fffff880`0422cbe0 00000000`778589fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af6c8 000007fe`fd925ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`000af6d0 000007fe`fcf99ad8 KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`000af780 000007fe`fcf8de2b WINSTA!WaitForLsmStart+0x78
00000000`000af7b0 00000000`ff3b2343 WINSTA!WinStationWaitForConnect+0x27
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0xa5f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
kd> g
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000 mov eax,1
kd> g
Breakpoint 3 hit
ntdll!RtlUserThreadStart:
0033:00000000`777b943c 4c8bdc mov r11,rsp
kd> !process fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 48.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 56 Clone 0 Private 286. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7c680
ElapsedTime 01:38:48.795
UserTime 00:00:00.000
KernelTime 00:00:00.405
QuotaPoolUsage[PagedPool] 59696
QuotaPoolUsage[NonPagedPool] 6792
Working Set Sizes (now,min,max) (1205, 50, 345) (4820KB, 200KB, 1380KB)
PeakWorkingSetSize 1258
VirtualSize 29 Mb
PeakVirtualSize 60 Mb
PageFaultCount 1584
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 1004
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (Executive) KernelMode Non-Alertable
fffffa801bbda560 NotificationEvent
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275104493 Ticks: 2 (0:00:00:00.031)
Context Switch Count 143 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:11.637
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422be00
Base fffff8800422d000 Limit fffff88004227000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0422be40 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422bf80 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422bfd0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422c040 fffff800`030e302b nt!KeWaitForSingleObject+0x532
fffff880`0422c0e0 fffff800`028df3ca nt!DbgkpSendErrorMessage+0x16f
fffff880`0422c230 fffff800`02a71202 nt!KiDispatchException+0x2e6
fffff880`0422ca00 fffff800`02a6f034 nt!KiExceptionDispatch+0xc2
fffff880`0422cbe0 000007fe`fcf8de2c nt!KiBreakpointTrap+0xf4 (TrapFrame @ fffff880`0422cbe0)
00000000`000af7b0 00000000`00000000 WINSTA!WinStationWaitForConnect+0x28
kd> bd 3
kd> g
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000 mov eax,1
kd> kc
Call Site
00 WINSTA!WaitForLsmStart
01 WINSTA!OpenLocalLSM
02 WINSTA!CPublicBinding::GetLSMBinding
03 WINSTA!WinStationIsSessionRemoteable
04 0x0
kd> .process
Implicit process is now fffffa80`1da53b30
kd> bd 0
kd> g
Break instruction exception - code 80000003 (first chance)
WINSTA!WinStationWaitForConnect+0x27:
0033:000007fe`fcf8de2b 33f6 xor esi,esi
kd> bd 0
kd> kc
Call Site
00 WINSTA!WinStationWaitForConnect
01 winlogon!WinMain
02 winlogon!DbgSetLoggingOption
03 kernel32!BaseThreadInitThunk
04 ntdll!RtlUserThreadStart
kd> pc
WINSTA!WinStationWaitForConnect+0x34:
0033:000007fe`fcf8de38 e8611b0100 call WINSTA!operator new (000007fe`fcf9f99e)
kd> pc
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000 mov eax,1
kd> kc
Call Site
00 WINSTA!WaitForLsmStart
01 WINSTA!OpenLocalLSM
02 WINSTA!CPublicBinding::GetLSMBinding
03 WINSTA!WinStationIsSessionRemoteable
04 0x0
kd> pc
WINSTA!WinStationWaitForConnect+0x4b:
0033:000007fe`fcf8de4f e84c77ffff call WINSTA!CPublicBinding::CPublicBinding (000007fe`fcf855a0)
kd> pc
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000 mov eax,1
kd> kc
Call Site
00 WINSTA!WaitForLsmStart
01 WINSTA!OpenLocalLSM
02 WINSTA!CPublicBinding::GetLSMBinding
03 WINSTA!WinStationIsSessionRemoteable
04 0x0
kd> g
Breakpoint 20 hit
WINSTA!WinStationWaitForConnect+0x51:
0033:000007fe`fcf8de55 8bf8 mov edi,eax
kd> p
WINSTA!WinStationWaitForConnect+0x53:
0033:000007fe`fcf8de57 4889442430 mov qword ptr [rsp+30h],rax
kd> pc
WINSTA!WinStationWaitForConnect+0xa6:
0033:000007fe`fcf8deaa e891bf0000 call WINSTA!CPublicBinding::GetLSMBinding (000007fe`fcf99e40)
kd> !process fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1 Cid: 01fc Peb: 7fffffd9000 ParentCid: 018c
DirBase: 4fafa000 ObjectTable: fffff8a000e6b920 HandleCount: 49.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 55 Clone 0 Private 288. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token fffff8a000e7c680
ElapsedTime 01:39:49.245
UserTime 00:00:00.000
KernelTime 00:00:00.499
QuotaPoolUsage[PagedPool] 59696
QuotaPoolUsage[NonPagedPool] 6672
Working Set Sizes (now,min,max) (1283, 50, 345) (5132KB, 200KB, 1380KB)
PeakWorkingSetSize 1283
VirtualSize 2076 Mb
PeakVirtualSize 2077 Mb
PageFaultCount 1666
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 526300
THREAD fffffa802150c660 Cid 01fc.0200 Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (Executive) KernelMode Non-Alertable
fffffa801bbda560 NotificationEvent
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa8021520630 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275108370 Ticks: 0
Context Switch Count 158 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:12.074
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422be00
Base fffff8800422d000 Limit fffff88004227000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0422be40 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422bf80 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422bfd0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422c040 fffff800`030e302b nt!KeWaitForSingleObject+0x532
fffff880`0422c0e0 fffff800`028df3ca nt!DbgkpSendErrorMessage+0x16f
fffff880`0422c230 fffff800`02a71202 nt!KiDispatchException+0x2e6
fffff880`0422ca00 fffff800`02a6f034 nt!KiExceptionDispatch+0xc2
fffff880`0422cbe0 000007fe`fcf99ad9 nt!KiBreakpointTrap+0xf4 (TrapFrame @ fffff880`0422cbe0)
00000000`000af6d0 000007fe`fcf99cc5 WINSTA!WaitForLsmStart+0x79
00000000`000af700 000007fe`fcf99ef1 WINSTA!OpenLocalLSM+0xe5
00000000`000af770 000007fe`fcf8deaf WINSTA!CPublicBinding::GetLSMBinding+0xb1
00000000`000af7b0 00000000`ff3b2343 WINSTA!WinStationWaitForConnect+0xab
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0xa5f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
Part 13:
THREAD fffffa801e840b60 Cid 0204.0208 Teb: 000007fffffde000 Win32Thread: fffff900c01184b0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801e408c70 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801d44c210 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275087392 Ticks: 44 (0:00:00:00.686)
Context Switch Count 83 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffb7d124)
Stack Init fffff88003012d70 Current fffff88003012890
Base fffff88003013000 Limit fffff8800300a000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`030128d0 fffff800`028edeb4 nt!KiSwapContext+0x7a
fffff880`03012a10 fffff800`028ef95d nt!KiSwapThread+0x324
fffff880`03012a60 fffff800`028dbd9a nt!KiCommitThreadWait+0x4e5
fffff880`03012ad0 fffff800`033279af nt!KeWaitForSingleObject+0x532
fffff880`03012b70 fffff800`02a78e13 nt!NtWaitForSingleObject+0xf7
fffff880`03012be0 00000000`777989fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03012be0)
00000000`001bf1d8 000007fe`fd555ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`001bf1e0 00000000`ffb6cf4d KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`001bf290 00000000`ffb6bb4b winlogon!SignalManagerWaitForSignal+0x201
00000000`001bf2f0 00000000`ffb42cbc winlogon!StateMachineRun+0x54f
00000000`001bf610 00000000`ffb7cf9e winlogon!WinMain+0x13d8
00000000`001bf7a0 00000000`7760b701 winlogon!DbgSetLoggingOption+0x24e
00000000`001bf860 00000000`776f9461 kernel32!BaseThreadInitThunk+0x1d
00000000`001bf890 00000000`00000000 ntdll!RtlUserThreadStart+0x25
THREAD fffffa801e883060 Cid 0204.0234 Teb: 000007fffffd5000 Win32Thread: fffff900c1c7f460 WAIT: (DelayExecution) UserMode Non-Alertable
fffffa801e883420 Semaphore Limit 0x1
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801d44c210 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275087426 Ticks: 10 (0:00:00:00.156)
Context Switch Count 39 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address ntdll!TppWorkerThread (0x0000000077778b74)
Stack Init fffff880032bcd70 Current fffff880032bc8e0
Base fffff880032bd000 Limit fffff880032b4000 Call 0000000000000000
Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`032bc920 fffff800`028edeb4 nt!KiSwapContext+0x7a
fffff880`032bca60 fffff800`028ef95d nt!KiSwapThread+0x324
fffff880`032bcab0 fffff800`028da436 nt!KiCommitThreadWait+0x4e5
fffff880`032bcb20 fffff800`0343dc7e nt!KeDelayExecutionThread+0x352
fffff880`032bcba0 fffff800`02a78e13 nt!NtDelayExecution+0x6e
fffff880`032bcbe0 00000000`77798ffe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`032bcbe0)
00000000`00daef38 000007fe`fd559559 ntdll!ZwDelayExecution+0x1e
00000000`00daef40 00000000`ffb6f9c2 KERNELBASE!SleepEx+0xe5
00000000`00daefe0 00000000`ffb70b88 winlogon!ConnectToSubscriber+0x1ce
00000000`00daf060 00000000`ffb4774e winlogon!InternalNotifyExecute+0x458
00000000`00daf410 00000000`ffb6a941 winlogon!WLGeneric_NotifyCreateSession_Execute+0x1d2
00000000`00daf460 00000000`77774186 winlogon!StateMachineWorkerCallback+0x8d
00000000`00daf490 00000000`7777954e ntdll!TppWorkpExecuteCallback+0x1ea
00000000`00daf500 00000000`7760b701 ntdll!TppWorkerThread+0x9da
00000000`00daf820 00000000`776f9461 kernel32!BaseThreadInitThunk+0x1d
00000000`00daf850 00000000`00000000 ntdll!RtlUserThreadStart+0x25
Part 14: process snapshot taken at the logon screen after changing the administrator password
THREAD fffffa801d633060 Cid 01c4.01c8 Teb: 000007fffffde000 Win32Thread: fffff900c01184b0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801d7f5d60 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801d628b30 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088542 Ticks: 148 (0:00:00:02.308)
Context Switch Count 227 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.093
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffd1d124)
Stack Init fffff8800429fd70 Current fffff8800429f890
Base fffff880042a0000 Limit fffff88004296000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0429f8d0 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`0429fa10 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`0429fa60 fffff800`0287fd9a nt!KiCommitThreadWait+0x4e5
fffff880`0429fad0 fffff800`032cb9af nt!KeWaitForSingleObject+0x532
fffff880`0429fb70 fffff800`02a1ce13 nt!NtWaitForSingleObject+0xf7
fffff880`0429fbe0 00000000`778389fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0429fbe0)
00000000`001df368 000007fe`fd905ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`001df370 00000000`ffd0cf4d KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`001df420 00000000`ffd0bb4b winlogon!SignalManagerWaitForSignal+0x201
00000000`001df480 00000000`ffce2cbc winlogon!StateMachineRun+0x54f
00000000`001df7a0 00000000`ffd1cf9e winlogon!WinMain+0x13d8
00000000`001df930 00000000`776ab701 winlogon!DbgSetLoggingOption+0x24e
00000000`001df9f0 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`001dfa20 00000000`00000000 ntdll!RtlUserThreadStart+0x25
THREAD fffffa801d632060 Cid 01c4.01d0 Teb: 000007fffffdc000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa801bbc6d80 SynchronizationTimer
fffffa801bbc6ef0 SynchronizationTimer
fffffa801d635da0 SynchronizationTimer
fffffa801e348150 NotificationEvent
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801d628b30 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088542 Ticks: 148 (0:00:00:02.308)
Context Switch Count 8 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x000000007781abb4)
Stack Init fffff88004234d70 Current fffff88004233f50
Base fffff88004235000 Limit fffff8800422f000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`04233f90 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`042340d0 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`04234120 fffff800`0287ee48 nt!KiCommitThreadWait+0x4e5
fffff880`04234190 fffff800`032cbee8 nt!KeWaitForMultipleObjects+0x80c
fffff880`04234450 fffff800`032cc162 nt!ObpWaitForMultipleObjects+0x508
fffff880`04234920 fffff800`02a1ce13 nt!NtWaitForMultipleObjects+0x146
fffff880`04234b70 00000000`778394de nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04234be0)
00000000`00e7f908 00000000`7781afc1 ntdll!NtWaitForMultipleObjects+0x1e
00000000`00e7f910 00000000`776ab701 ntdll!TppWaiterpThread+0x40d
00000000`00e7fc50 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`00e7fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
THREAD fffffa801d63c060 Cid 01c4.01d4 Teb: 000007fffffda000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa801d608dc0 QueueObject
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801d628b30 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088542 Ticks: 148 (0:00:00:02.308)
Context Switch Count 8 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077818b74)
Stack Init fffff8800428cd70 Current fffff8800428c750
Base fffff8800428d000 Limit fffff88004287000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0428c790 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`0428c8d0 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`0428c920 fffff800`0288727c nt!KiCommitThreadWait+0x4e5
fffff880`0428c990 fffff800`030b19bf nt!KeRemoveQueueEx+0x844
fffff880`0428ca20 fffff800`029f5f02 nt!IoRemoveIoCompletion+0x7b
fffff880`0428cad0 fffff800`02a1ce13 nt!NtWaitForWorkViaWorkerFactory+0x3ca
fffff880`0428cbe0 00000000`7783bb7e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0428cbe0)
00000000`0138fbe8 00000000`77818f25 ntdll!NtWaitForWorkViaWorkerFactory+0x1e
00000000`0138fbf0 00000000`776ab701 ntdll!TppWorkerThread+0x3b1
00000000`0138ff10 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`0138ff40 00000000`00000000 ntdll!RtlUserThreadStart+0x25
THREAD fffffa801d63c600 Cid 01c4.01d8 Teb: 000007fffffd7000 Win32Thread: fffff900c1c7d460 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa801d63c9c0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa801e331c70 : queued at port fffffa801e48b950 : owned by process fffffa801d7bdb30
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801d628b30 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088542 Ticks: 148 (0:00:00:02.308)
Context Switch Count 224 IdealProcessor: 0 LargeStack
UserTime 00:00:00.046
KernelTime 00:00:00.280
Win32 Start Address ntdll!TppWorkerThread (0x0000000077818b74)
Stack Init fffff880030a9d70 Current fffff880030a94d0
Base fffff880030aa000 Limit fffff880030a1000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`030a9510 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`030a9650 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`030a96a0 fffff800`0287fd9a nt!KiCommitThreadWait+0x4e5
fffff880`030a9710 fffff800`0289b0db nt!KeWaitForSingleObject+0x532
fffff880`030a97b0 fffff800`03177d85 nt!AlpcpSignalAndWait+0x277
fffff880`030a9870 fffff800`031c3474 nt!AlpcpReceiveSynchronousReply+0xf9
fffff880`030a9970 fffff800`031c6e1a nt!AlpcpProcessSynchronousRequest+0xf10
fffff880`030a9aa0 fffff800`02a1ce13 nt!NtAlpcSendWaitReceivePort+0x20e
fffff880`030a9b70 00000000`77839a1e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`030a9be0)
00000000`0128eb28 000007fe`feef838d ntdll!NtAlpcSendWaitReceivePort+0x1e
00000000`0128eb30 000007fe`fef0f5d7 RPCRT4!LRPC_CASSOCIATION::AlpcSendWaitReceivePort+0x249
00000000`0128ebb0 000007fe`fef0c154 RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0x1cf
00000000`0128ec40 000007fe`fef14ee1 RPCRT4!LRPC_BASE_CCALL::SendReceive+0xac
00000000`0128ecb0 000007fe`feeac421 RPCRT4!LRPC_CCALL::SendReceive+0x31
00000000`0128ece0 000007fe`fef575ce RPCRT4!I_RpcSendReceive+0xf1
00000000`0128ed10 000007fe`fefa3331 RPCRT4!NdrSendReceive+0x72
00000000`0128ed40 000007fe`fefa3129 RPCRT4!NdrpClientCall3+0x1e5
00000000`0128f000 00000000`ffd1335f RPCRT4!NdrClientCall3+0x89
00000000`0128f380 00000000`ffce807a winlogon!WluiRequestCredentials+0x7b
00000000`0128f3f0 00000000`ffd0a941 winlogon!WLGeneric_Request_Logon_Credz_Execute+0x1ae
00000000`0128f470 00000000`77814186 winlogon!StateMachineWorkerCallback+0x8d
00000000`0128f4a0 00000000`7781954e ntdll!TppWorkpExecuteCallback+0x1ea
00000000`0128f510 00000000`776ab701 ntdll!TppWorkerThread+0x9da
00000000`0128f830 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`0128f860 00000000`00000000 ntdll!RtlUserThreadStart+0x25
THREAD fffffa801e24b930 Cid 01c4.037c Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa801d608dc0 QueueObject
Not impersonating
DeviceMap fffff8a000009aa0
Owning Process fffffa801d628b30 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275088542 Ticks: 148 (0:00:00:02.308)
Context Switch Count 11 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077818b74)
Stack Init fffff880042a6d70 Current fffff880042a6750
Base fffff880042a7000 Limit fffff880042a1000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`042a6790 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`042a68d0 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`042a6920 fffff800`0288727c nt!KiCommitThreadWait+0x4e5
fffff880`042a6990 fffff800`030b19bf nt!KeRemoveQueueEx+0x844
fffff880`042a6a20 fffff800`029f5f02 nt!IoRemoveIoCompletion+0x7b
fffff880`042a6ad0 fffff800`02a1ce13 nt!NtWaitForWorkViaWorkerFactory+0x3ca
fffff880`042a6be0 00000000`7783bb7e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`042a6be0)
00000000`015bf9b8 00000000`77818f25 ntdll!NtWaitForWorkViaWorkerFactory+0x1e
00000000`015bf9c0 00000000`776ab701 ntdll!TppWorkerThread+0x3b1
00000000`015bfce0 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`015bfd10 00000000`00000000 ntdll!RtlUserThreadStart+0x25
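Reading dozens of THREAD blocks like the ones in Parts 13 and 14 by hand is slow, so here is an added triage helper. It is not part of the original debugging transcript and not a Microsoft tool; it is a small parser for the kd `!process` thread format written for this page. For each THREAD block it extracts the Cid, the wait reason and mode, the owning image, the first frame outside `nt`, the first frame inside the owning image, and, for a `WrLpcReply` wait, the EPROCESS that owns the ALPC port the thread is blocked on. The embedded sample is constructed from two of the Part 14 thread blocks above with some frames trimmed; which process that ALPC server address belongs to is not stated on this page, so the code only reports the address.

```python
"""Triage helper for WinDbg/kd '!process' thread dumps (added example, not from the page)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r"^THREAD (?P<ethread>[0-9a-f]+)\s+Cid (?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)")
WAIT_RE = re.compile(r"WAIT: \((?P<reason>\w+)\) (?P<mode>KernelMode|UserMode) (?P<alert>Non-Alertable|Alertable)")
STATE_RE = re.compile(r"\b(READY|RUNNING|STANDBY|TERMINATED|INITIALIZED|TRANSITION)\b")
OWNER_RE = re.compile(r"^Owning Process (?P<eprocess>[0-9a-f]+) Image: (?P<image>\S+)")
ALPC_RE = re.compile(r"ALPC Message [0-9a-f]+ : queued at port [0-9a-f]+ : owned by process (?P<server>[0-9a-f]+)")
# A stack frame: Child-SP and RetAddr are 64-bit values printed with a backtick (17 chars),
# which keeps 16-char object addresses such as "fffffa801d7f5d60 SynchronizationEvent" out.
FRAME_RE = re.compile(r"^[0-9a-f`]{17,}\s+[0-9a-f`]{17,}\s+(?P<site>\S.*?)(?:\s+\(TrapFrame @ [0-9a-f`]+\))?$")


@dataclass
class ThreadInfo:
    ethread: str
    pid: str
    tid: str
    state: str                      # "WAIT:<reason>/<mode>/<alertable>" or a scheduler state
    image: Optional[str] = None
    eprocess: Optional[str] = None
    alpc_server: Optional[str] = None
    frames: List[str] = field(default_factory=list)

    def first_frame_outside(self, modules=("nt",)) -> Optional[str]:
        """First call site whose module is not in `modules` (default: first non-kernel frame)."""
        for site in self.frames:
            mod = site.split("!", 1)[0].lower() if "!" in site else ""
            if mod not in modules:
                return site
        return None

    def first_image_frame(self) -> Optional[str]:
        """First call site inside the owning image (winlogon.exe -> 'winlogon!...')."""
        if not self.image:
            return None
        want = self.image.lower().rsplit(".", 1)[0] + "!"
        return next((s for s in self.frames if s.lower().startswith(want)), None)


def parse_threads(text: str) -> List[ThreadInfo]:
    threads: List[ThreadInfo] = []
    cur: Optional[ThreadInfo] = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            w = WAIT_RE.search(line)
            if w:
                state = f"WAIT:{w['reason']}/{w['mode']}/{w['alert']}"
            else:
                s = STATE_RE.search(line)
                state = s.group(1) if s else "UNKNOWN"
            cur = ThreadInfo(h["ethread"], h["pid"], h["tid"], state)
            threads.append(cur)
            continue
        if cur is None:
            continue
        if (o := OWNER_RE.match(line)):
            cur.eprocess, cur.image = o["eprocess"], o["image"]
        elif (a := ALPC_RE.search(line)):
            cur.alpc_server = a["server"]
        elif (f := FRAME_RE.match(line)):
            cur.frames.append(f["site"])
    return threads


def alpc_waiters(threads: List[ThreadInfo]) -> List[ThreadInfo]:
    """Threads blocked on a synchronous ALPC/RPC reply from another process."""
    return [t for t in threads if t.alpc_server]


def summarize(threads: List[ThreadInfo]) -> List[str]:
    out = []
    for t in threads:
        where = t.first_image_frame() or t.first_frame_outside() or "(no user frames)"
        line = f"{t.pid}.{t.tid} {t.image or '?'} {t.state} @ {where}"
        if t.alpc_server:
            line += f" [blocked on ALPC server process {t.alpc_server}]"
        out.append(line)
    return out


# Constructed sample: two Part 14 thread blocks from this page, with frames trimmed.
SAMPLE = """\
THREAD fffffa801d633060 Cid 01c4.01c8 Teb: 000007fffffde000 Win32Thread: fffff900c01184b0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801d7f5d60 SynchronizationEvent
Owning Process fffffa801d628b30 Image: winlogon.exe
Child-SP RetAddr Call Site
fffff880`0429f8d0 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`0429fbe0 00000000`778389fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0429fbe0)
00000000`001df368 000007fe`fd905ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`001df370 00000000`ffd0cf4d KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`001df420 00000000`ffd0bb4b winlogon!SignalManagerWaitForSignal+0x201
00000000`001df480 00000000`ffce2cbc winlogon!StateMachineRun+0x54f
THREAD fffffa801d63c600 Cid 01c4.01d8 Teb: 000007fffffd7000 Win32Thread: fffff900c1c7d460 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa801d63c9c0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa801e331c70 : queued at port fffffa801e48b950 : owned by process fffffa801d7bdb30
Owning Process fffffa801d628b30 Image: winlogon.exe
Child-SP RetAddr Call Site
fffff880`030a9510 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`030a9b70 00000000`77839a1e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`030a9be0)
00000000`0128eb28 000007fe`feef838d ntdll!NtAlpcSendWaitReceivePort+0x1e
00000000`0128ed40 000007fe`fefa3129 RPCRT4!NdrpClientCall3+0x1e5
00000000`0128f380 00000000`ffce807a winlogon!WluiRequestCredentials+0x7b
"""

if __name__ == "__main__":
    for line in summarize(parse_threads(SAMPLE)):
        print(line)
```

Paste the full `!process` output into `SAMPLE` (or read it from a file) to get one line per thread; the `alpc_waiters` filter is the quick way to find which winlogon thread is parked on an RPC to another process, which is exactly the `WluiRequestCredentials` thread in Part 14.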