kd> .process
Implicit process is now 81ea2030
kd> kc
00 RPCRT4!NdrClientCall2
01 winlogon!ClientWluirDisplayStatus
02 winlogon!WluiDisplayStatus
03 winlogon!WlDisplayStatus
04 winlogon!WlDisplayStatusByResourceId
05 winlogon!WLGeneric_Authenticating_Execute
06 winlogon!StateMachineWorkerCallback
07 ntdll!TppWorkpExecuteCallback
08 ntdll!TppWorkerThread
09 kernel32!BaseThreadInitThunk
0a ntdll!__RtlUserThreadStart
0b ntdll!_RtlUserThreadStart
kd> kc
00 SspiCli!LsaLogonUser
01 winlogon!AuthenticateUser
02 winlogon!WLGeneric_Authenticating_Execute
03 winlogon!StateMachineWorkerCallback
04 ntdll!TppWorkpExecuteCallback
05 ntdll!TppWorkerThread
06 kernel32!BaseThreadInitThunk
07 ntdll!__RtlUserThreadStart
08 ntdll!_RtlUserThreadStart
kd> kc
00 SspiCli!SspirLogonUser
01 SspiCli!SspipLogonUser
02 winlogon!AuthenticateUser
03 winlogon!WLGeneric_Authenticating_Execute
04 winlogon!StateMachineWorkerCallback
05 ntdll!TppWorkpExecuteCallback
06 ntdll!TppWorkerThread
07 kernel32!BaseThreadInitThunk
08 ntdll!__RtlUserThreadStart
09 ntdll!_RtlUserThreadStart
kd> kc
00 RPCRT4!Invoke
01 RPCRT4!NdrStubCall2
02 RPCRT4!NdrServerCall2
03 RPCRT4!DispatchToStubInCNoAvrf
04 RPCRT4!RPC_INTERFACE::DispatchToStubWorker
05 RPCRT4!RPC_INTERFACE::DispatchToStub
06 RPCRT4!LRPC_SCALL::DispatchRequest
07 RPCRT4!LRPC_SCALL::QueueOrDispatchCall
08 RPCRT4!LRPC_SCALL::HandleRequest
09 RPCRT4!LRPC_SASSOCIATION::HandleRequest
0a RPCRT4!LRPC_ADDRESS::HandleRequest
0b RPCRT4!LRPC_ADDRESS::ProcessIO
0c RPCRT4!LrpcServerIoHandler
0d RPCRT4!LrpcIoComplete
0e ntdll!TppAlpcpExecuteCallback
0f ntdll!TppWorkerThread
10 kernel32!BaseThreadInitThunk
11 ntdll!__RtlUserThreadStart
12 ntdll!_RtlUserThreadStart
kd> .process
Implicit process is now 898ac998
kd> !process 898ac998
PROCESS 898ac998 SessionId: 0 Cid: 01e0 Peb: 7ffd5000 ParentCid: 0190
DirBase: 7cc9e0e0 ObjectTable: 8c00f530 HandleCount: 523.
Image: lsass.exe
VadRoot 89089550 Vads 122 Clone 0 Private 1022. Modified 205. Locked 14.
DeviceMap 8ba09a00
Token 8c015510
ElapsedTime 17:11:04.313
UserTime 00:00:00.436
KernelTime 00:00:00.967
QuotaPoolUsage[PagedPool] 99748
QuotaPoolUsage[NonPagedPool] 13512
Working Set Sizes (now,min,max) (2777, 50, 345) (11108KB, 200KB, 1380KB)
PeakWorkingSetSize 2887
VirtualSize 36 Mb
PeakVirtualSize 37 Mb
PageFaultCount 3607
MemoryPriority BACKGROUND
BasePriority 9
CommitCharge 1160
kd> r
eax=747c2ad8 ebx=0000000c ecx=747c1b9c edx=00000000 esi=00000010 edi=0131f740
eip=7712ab24 esp=0131f558 ebp=0131f95c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
RPCRT4!Invoke:
001b:7712ab24 55 push ebp
kd> dd 0131f558
0131f558 77136482 747c2ad8 0131f740 00000010
0131f568 201a4c3a 00f5b000 00000000 00f9c548
0131f578 00f9c548 00213210 00213058 00213210
0131f588 002131a8 00000000 00000018 002131a8
0131f598 00000000 00000000 00000000 00000000
0131f5a8 00000000 00000000 00000002 00000020
0131f5b8 00000000 00000008 747c2008 747c2029
0131f5c8 0131f740 00f9c04c 0131f678 8a885d04
kd> u 747c2ad8
SspiSrv!SspirLogonUser:
747c2ad8 8bff mov edi,edi
747c2ada 55 push ebp
747c2adb 8bec mov ebp,esp
747c2add 83ec34 sub esp,34h
747c2ae0 53 push ebx
747c2ae1 33db xor ebx,ebx
747c2ae3 56 push esi
747c2ae4 57 push edi
kd> kc
00 SspiSrv!SspirLogonUser
01 RPCRT4!Invoke
02 RPCRT4!NdrStubCall2
03 RPCRT4!NdrServerCall2
04 RPCRT4!DispatchToStubInCNoAvrf
05 RPCRT4!RPC_INTERFACE::DispatchToStubWorker
06 RPCRT4!RPC_INTERFACE::DispatchToStub
07 RPCRT4!LRPC_SCALL::DispatchRequest
08 RPCRT4!LRPC_SCALL::QueueOrDispatchCall
09 RPCRT4!LRPC_SCALL::HandleRequest
0a RPCRT4!LRPC_SASSOCIATION::HandleRequest
0b RPCRT4!LRPC_ADDRESS::HandleRequest
0c RPCRT4!LRPC_ADDRESS::ProcessIO
0d RPCRT4!LrpcServerIoHandler
0e RPCRT4!LrpcIoComplete
0f ntdll!TppAlpcpExecuteCallback
10 ntdll!TppWorkerThread
11 kernel32!BaseThreadInitThunk
12 ntdll!__RtlUserThreadStart
13 ntdll!_RtlUserThreadStart
kd> r
eax=747c2ad8 ebx=0000000c ecx=00000000 edx=00000000 esi=0131f73c edi=0131f504
eip=747c2ad8 esp=0131f504 ebp=0131f554 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
SspiSrv!SspirLogonUser:
001b:747c2ad8 8bff mov edi,edi
kd> dd 0131f504
0131f504 7712ab4e 0089b2e0 00213070 00213080
0131f514 00000002 00000000 00899a80 00213190
0131f524 002131a8 00000080 002131f0 00fa2f50
0131f534 00fa2f60 00fa2f70 00fa2f80 00fa2f90
0131f544 00fa2fa0 00000202 00000010 0131f740
0131f554 0131f95c 77136482 747c2ad8 0131f740
0131f564 00000010 201a4c3a 00f5b000 00000000
0131f574 00f9c548 00f9c548 00213210 00213058
kd> db 00213080
00213080 08 00 09 00 50 9a 89 00-09 00 00 00 00 00 00 00 ....P...........
00213090 08 00 00 00 57 69 6e 6c-6f 67 6f 6e 02 00 00 00 ....Winlogon....
002130a0 00 00 00 00 00 00 00 00-ce 00 00 00 00 00 00 00 ................
002130b0 00 00 1a 00 00 00 00 00-c0 30 21 00 ce 00 00 00 .........0!.....
002130c0 02 00 00 00 1e 00 1e 00-24 00 00 00 1a 00 1a 00 ........$.......
002130d0 42 00 00 00 72 00 72 00-5c 00 00 00 00 00 00 00 B...r.r.\.......
002130e0 00 00 00 00 57 00 49 00-4e 00 2d 00 33 00 53 00 ....W.I.N.-.3.S.
002130f0 50 00 47 00 32 00 44 00-4b 00 48 00 55 00 4b 00 P.G.2.D.K.H.U.K.
kd> db 00213080+80
00213100 4b 00 41 00 64 00 6d 00-69 00 6e 00 69 00 73 00 K.A.d.m.i.n.i.s.
00213110 74 00 72 00 61 00 74 00-6f 00 72 00 40 00 40 00 t.r.a.t.o.r.@.@.
00213120 44 00 07 00 08 00 0c 00-0a 00 0d 00 67 00 41 00 D...........g.A.
00213130 41 00 41 00 41 00 41 00-6e 00 50 00 41 00 41 00 A.A.A.A.n.P.A.A.
00213140 41 00 41 00 41 00 41 00-41 00 41 00 67 00 50 00 A.A.A.A.A.A.g.P.
00213150 30 00 37 00 54 00 57 00-48 00 6e 00 46 00 79 00 0.7.T.W.H.n.F.y.
00213160 66 00 49 00 31 00 4a 00-36 00 53 00 44 00 23 00 f.I.1.J.6.S.D.#.
00213170 39 00 36 00 38 00 51 00-31 00 4b 00 51 00 4b 00 9.6.8.Q.1.K.Q.K.
kd> db 00213080+80*2
00213180 58 00 76 00 48 00 45 00-32 00 39 00 46 00 00 00 X.v.H.E.2.9.F...
00213190 55 73 65 72 33 32 20 00-cd cd 0c 00 00 00 00 00 User32 .........
002131a0 a8 31 21 00 02 00 00 00-02 00 00 00 c0 31 21 00 .1!..........1!.
002131b0 07 00 00 c0 d8 31 21 00-07 00 00 00 03 00 00 00 .....1!.........
kd> g
Breakpoint 11 hit
eax=0131ec48 ebx=00000000 ecx=74c26c9f edx=00000358 esi=771d1981 edi=0000003a
eip=771d1981 esp=0131ec14 ebp=0131ec54 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ADVAPI32!CredUnprotectW:
001b:771d1981 8bff mov edi,edi
kd> kc
00 ADVAPI32!CredUnprotectW
01 kerberos!KerbDecodeSecret
02 kerberos!LsaApLogonUserEx2
03 lsasrv!NegLogonUserEx2Worker
04 lsasrv!NegLogonUserEx2
05 lsasrv!LsapCallAuthPackageForLogon
06 lsasrv!LsapAuApiDispatchLogonUser
07 lsasrv!SspiExLogonUser
08 SspiSrv!SspirLogonUser
09 RPCRT4!Invoke
0a RPCRT4!NdrStubCall2
0b RPCRT4!NdrServerCall2
0c RPCRT4!DispatchToStubInCNoAvrf
0d RPCRT4!RPC_INTERFACE::DispatchToStubWorker
0e RPCRT4!RPC_INTERFACE::DispatchToStub
0f RPCRT4!LRPC_SCALL::DispatchRequest
10 RPCRT4!LRPC_SCALL::QueueOrDispatchCall
11 RPCRT4!LRPC_SCALL::HandleRequest
12 RPCRT4!LRPC_SASSOCIATION::HandleRequest
13 RPCRT4!LRPC_ADDRESS::HandleRequest
14 RPCRT4!LRPC_ADDRESS::ProcessIO
15 RPCRT4!LrpcServerIoHandler
16 RPCRT4!LrpcIoComplete
17 ntdll!TppAlpcpExecuteCallback
18 ntdll!TppWorkerThread
19 kernel32!BaseThreadInitThunk
1a ntdll!__RtlUserThreadStart
1b ntdll!_RtlUserThreadStart
kd> .process
Implicit process is now 898ac998
kd> r
eax=0131ec48 ebx=00000000 ecx=74c26c9f edx=00000358 esi=771d1981 edi=0000003a
eip=771d1981 esp=0131ec14 ebp=0131ec54 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ADVAPI32!CredUnprotectW:
001b:771d1981 8bff mov edi,edi
kd> dd 0131ec14
0131ec14 743a56dd 00000000 00899b98 0000003a
0131ec24 00000000 0131ec48 00899ab8 00899acc
0131ec34 00000000 00000000 00000000 00000002
0131ec44 00000000 00000000 00000000 00899acc
0131ec54 0131ef38 743ae5b4 00899b98 00000000
0131ec64 0131ee5c 00000010 761951f4 c000005e
0131ec74 0000174c 00001c00 000004b4 00000000
0131ec84 76d7421e 0003174c 41c8e6fc 0131ece0
kd> db 00899b98
00899b98 40 00 40 00 44 00 07 00-08 00 0c 00 0a 00 0d 00 @.@.D...........
00899ba8 67 00 41 00 41 00 41 00-41 00 41 00 6e 00 50 00 g.A.A.A.A.A.n.P.
00899bb8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00899bc8 67 00 50 00 30 00 37 00-54 00 57 00 48 00 6e 00 g.P.0.7.T.W.H.n.
00899bd8 46 00 79 00 66 00 49 00-31 00 4a 00 36 00 53 00 F.y.f.I.1.J.6.S.
00899be8 44 00 23 00 39 00 36 00-38 00 51 00 31 00 4b 00 D.#.9.6.8.Q.1.K.
00899bf8 51 00 4b 00 58 00 76 00-48 00 45 00 32 00 39 00 Q.K.X.v.H.E.2.9.
00899c08 46 00 00 00 00 00 00 00-2c 00 00 00 11 00 00 00 F.......,.......
kd> dd 0131ec48
0131ec48 00000000 00000000 00899acc 0131ef38
0131ec58 743ae5b4 00899b98 00000000 0131ee5c
0131ec68 00000010 761951f4 c000005e 0000174c
0131ec78 00001c00 000004b4 00000000 76d7421e
0131ec88 0003174c 41c8e6fc 0131ece0 76ce2cf2
0131ec98 0131edc4 0000006c 00000001 0131ed30
0131eca8 0003174c c0150008 00000000 000004b4
0131ecb8 00000002 0131ed34 c0150008 00000000
kd> gu
eax=00000000 ebx=00000000 ecx=00000000 edx=0000007a esi=771d1981 edi=0000003a
eip=743a56dd esp=0131ec2c ebp=0131ec54 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kerberos!KerbDecodeSecret+0x13b:
001b:743a56dd 85c0 test eax,eax
kd> dd 0131ec48
0131ec48 00000009 00000000 00899acc 0131ef38
0131ec58 743ae5b4 00899b98 00000000 0131ee5c
0131ec68 00000010 761951f4 c000005e 0000174c
0131ec78 00001c00 000004b4 00000000 76d7421e
0131ec88 0003174c 41c8e6fc 0131ece0 76ce2cf2
0131ec98 0131edc4 0000006c 00000001 0131ed30
0131eca8 0003174c c0150008 00000000 000004b4
0131ecb8 00000002 0131ed34 c0150008 00000000
kd> db 00899b98
00899b98 40 00 40 00 44 00 07 00-08 00 0c 00 0a 00 0d 00 @.@.D...........
00899ba8 67 00 41 00 41 00 41 00-41 00 41 00 6e 00 50 00 g.A.A.A.A.A.n.P.
00899bb8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00899bc8 67 00 50 00 30 00 37 00-54 00 57 00 48 00 6e 00 g.P.0.7.T.W.H.n.
00899bd8 46 00 79 00 66 00 49 00-31 00 4a 00 36 00 53 00 F.y.f.I.1.J.6.S.
00899be8 44 00 23 00 39 00 36 00-38 00 51 00 31 00 4b 00 D.#.9.6.8.Q.1.K.
00899bf8 51 00 4b 00 58 00 76 00-48 00 45 00 32 00 39 00 Q.K.X.v.H.E.2.9.
00899c08 46 00 00 00 00 00 00 00-2c 00 00 00 11 00 00 00 F.......,.......
kd> g
Breakpoint 11 hit
eax=00899c20 ebx=00000000 ecx=0131ec48 edx=00000000 esi=771d1981 edi=0000003a
eip=771d1981 esp=0131ec14 ebp=0131ec54 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ADVAPI32!CredUnprotectW:
001b:771d1981 8bff mov edi,edi
kd> kc
00 ADVAPI32!CredUnprotectW
01 kerberos!KerbDecodeSecret
02 kerberos!LsaApLogonUserEx2
03 lsasrv!NegLogonUserEx2Worker
04 lsasrv!NegLogonUserEx2
05 lsasrv!LsapCallAuthPackageForLogon
06 lsasrv!LsapAuApiDispatchLogonUser
07 lsasrv!SspiExLogonUser
08 SspiSrv!SspirLogonUser
09 RPCRT4!Invoke
0a RPCRT4!NdrStubCall2
0b RPCRT4!NdrServerCall2
0c RPCRT4!DispatchToStubInCNoAvrf
0d RPCRT4!RPC_INTERFACE::DispatchToStubWorker
0e RPCRT4!RPC_INTERFACE::DispatchToStub
0f RPCRT4!LRPC_SCALL::DispatchRequest
10 RPCRT4!LRPC_SCALL::QueueOrDispatchCall
11 RPCRT4!LRPC_SCALL::HandleRequest
12 RPCRT4!LRPC_SASSOCIATION::HandleRequest
13 RPCRT4!LRPC_ADDRESS::HandleRequest
14 RPCRT4!LRPC_ADDRESS::ProcessIO
15 RPCRT4!LrpcServerIoHandler
16 RPCRT4!LrpcIoComplete
17 ntdll!TppAlpcpExecuteCallback
18 ntdll!TppWorkerThread
19 kernel32!BaseThreadInitThunk
1a ntdll!__RtlUserThreadStart
1b ntdll!_RtlUserThreadStart
kd> r
eax=00899c20 ebx=00000000 ecx=0131ec48 edx=00000000 esi=771d1981 edi=0000003a
eip=771d1981 esp=0131ec14 ebp=0131ec54 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ADVAPI32!CredUnprotectW:
001b:771d1981 8bff mov edi,edi
kd> dd 0131ec14
0131ec14 743a571f 00000000 00899b98 0000003a
0131ec24 00899c20 0131ec48 00899ab8 00899acc
0131ec34 00000000 00000000 00000000 00000002
0131ec44 00000012 00000009 00899c20 00899acc
0131ec54 0131ef38 743ae5b4 00899b98 00000000
0131ec64 0131ee5c 00000010 761951f4 c000005e
0131ec74 0000174c 00001c00 000004b4 00000000
0131ec84 76d7421e 0003174c 41c8e6fc 0131ece0
kd> dd 00899c20
00899c20 00000000 00000000 00000000 00000000
00899c30 00000000 00000000 00000027 00000005
00899c40 0089e6e8 00893078 00000000 00000000
00899c50 00000000 00000000 00000000 00000000
00899c60 00000000 00000000 00000021 00000022
00899c70 0089ec10 00899a70 00899c90 00000000
00899c80 0000001e 00000043 0089eaa0 0089e718
00899c90 00000001 00000000 00000000 00000000
kd> dd 0131ec48
0131ec48 00000009 00899c20 00899acc 0131ef38
0131ec58 743ae5b4 00899b98 00000000 0131ee5c
0131ec68 00000010 761951f4 c000005e 0000174c
0131ec78 00001c00 000004b4 00000000 76d7421e
0131ec88 0003174c 41c8e6fc 0131ece0 76ce2cf2
0131ec98 0131edc4 0000006c 00000001 0131ed30
0131eca8 0003174c c0150008 00000000 000004b4
0131ecb8 00000002 0131ed34 c0150008 00000000
kd> gu
eax=00000001 ebx=00000000 ecx=74c26c9f edx=00000358 esi=771d1981 edi=0000003a
eip=743a571f esp=0131ec2c ebp=0131ec54 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
kerberos!KerbDecodeSecret+0x17d:
001b:743a571f 85c0 test eax,eax
kd> dd 00899c20
00899c20 00320031 00340033 00360035 00380037
00899c30 00000000 00000000 00000027 00000005
00899c40 0089e6e8 00893078 00000000 00000000
00899c50 00000000 00000000 00000000 00000000
00899c60 00000000 00000000 00000021 00000022
00899c70 0089ec10 00899a70 00899c90 00000000
00899c80 0000001e 00000043 0089eaa0 0089e718
00899c90 00000001 00000000 00000000 00000000
kd> db 00899c20
00899c20 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00 1.2.3.4.5.6.7.8.
00899c30 00 00 00 00 00 00 00 00-27 00 00 00 05 00 00 00 ........'.......
00899c40 e8 e6 89 00 78 30 89 00-00 00 00 00 00 00 00 00 ....x0..........
kd> g
480.856> Kerb-Error: LogonUser returned c000005e, 0
Breakpoint 19 hit
eax=000d3d68 ebx=c000005e ecx=00000001 edx=00000002 esi=761951f4 edi=0000000a
eip=7429554f esp=0131ef3c ebp=0131f00c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
msv1_0!LsaApLogonUserEx2:
001b:7429554f 8bff mov edi,edi
kd> kc
00 msv1_0!LsaApLogonUserEx2
01 lsasrv!NegLogonUserEx2Worker
02 lsasrv!NegLogonUserEx2
03 lsasrv!LsapCallAuthPackageForLogon
04 lsasrv!LsapAuApiDispatchLogonUser
05 lsasrv!SspiExLogonUser
06 SspiSrv!SspirLogonUser
07 RPCRT4!Invoke
08 RPCRT4!NdrStubCall2
09 RPCRT4!NdrServerCall2
0a RPCRT4!DispatchToStubInCNoAvrf
0b RPCRT4!RPC_INTERFACE::DispatchToStubWorker
0c RPCRT4!RPC_INTERFACE::DispatchToStub
0d RPCRT4!LRPC_SCALL::DispatchRequest
0e RPCRT4!LRPC_SCALL::QueueOrDispatchCall
0f RPCRT4!LRPC_SCALL::HandleRequest
10 RPCRT4!LRPC_SASSOCIATION::HandleRequest
11 RPCRT4!LRPC_ADDRESS::HandleRequest
12 RPCRT4!LRPC_ADDRESS::ProcessIO
13 RPCRT4!LrpcServerIoHandler
14 RPCRT4!LrpcIoComplete
15 ntdll!TppAlpcpExecuteCallback
16 ntdll!TppWorkerThread
17 kernel32!BaseThreadInitThunk
18 ntdll!__RtlUserThreadStart
19 ntdll!_RtlUserThreadStart
kd> r
eax=000d3d68 ebx=c000005e ecx=00000001 edx=00000002 esi=761951f4 edi=0000000a
eip=7429554f esp=0131ef3c ebp=0131f00c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
msv1_0!LsaApLogonUserEx2:
001b:7429554f 8bff mov edi,edi
kd> dd 0131ef3c
0131ef3c 746ea808 0131f394 00000002 00899ab8
0131ef4c 001a0000 000000ce 0131f314 0131f318
0131ef5c 0131f320 0131f310 0131f26c 0131f280
0131ef6c 0131f27c 0131f278 0131f240 0131f18c
0131ef7c 0131f238 6b637453 00890000 000c8140
0131ef8c 000d3d68 5552890b fffffffe 7477c0a1
0131ef9c 7477c0a1 746ea5c3 0131f08c 000c70b8
0131efac 000000ce 000fc9b8 00000002 000fc9b7
THREAD 81ec5930 Cid 0708.0de8 Teb: 7ffdd000 Win32Thread: ff2b2dd0 WAIT: (WrLpcReply) UserMode Non-Alertable
81ec5b64 Semaphore Limit 0x1
Waiting for reply to ALPC Message 9a7db848 : queued at port 8c26ebf8 : owned by process 898ac998
Not impersonating
DeviceMap 8ba09a00
Owning Process 81ea2030 Image: winlogon.exe
Attached Process N/A Image: N/A
Wait Start TickCount 275120916 Ticks: 10 (0:00:00:00.156)
Context Switch Count 142 IdealProcessor: 0
UserTime 00:00:00.015
KernelTime 00:00:00.592
Win32 Start Address ntdll!TppWorkerThread (0x76d612fe)
Stack Init 8255afd0 Current 8255aaa0 Base 8255b000 Limit 82558000 Call 00000000
Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr
8255aab8 82877fae nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8255aaf0 82879583 nt!KiSwapThread+0x394
8255ab18 8286aa1d nt!KiCommitThreadWait+0x461
8255ab8c 8287db0c nt!KeWaitForSingleObject+0x505
8255abbc 82dbcd1a nt!AlpcpSignalAndWait+0x142
8255abfc 82df4fa3 nt!AlpcpReceiveSynchronousReply+0x8e
8255aca0 82df7b81 nt!AlpcpProcessSynchronousRequest+0xaf9
8255ad0c 829ad913 nt!NtAlpcSendWaitReceivePort+0x1a9
8255ad0c 76cea084 nt!KiFastCallEntry+0x163 (FPO: [0,3] TrapFrame @ 8255ad34)
00c4ef04 76cc03c0 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00c4ef08 770caf06 ntdll!ZwAlpcSendWaitReceivePort+0xc (FPO: [8,0,0])
00c4ef40 770ddb19 RPCRT4!LRPC_CASSOCIATION::AlpcSendWaitReceivePort+0xcb
00c4ef90 770db93d RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0xf2
00c4efb4 770e11c5 RPCRT4!LRPC_BASE_CCALL::SendReceive+0x8f
00c4efc4 7709619e RPCRT4!LRPC_CCALL::SendReceive+0x1e
00c4efe4 77109adf RPCRT4!I_RpcSendReceive+0xad
00c4f000 771107e0 RPCRT4!NdrSendReceive+0x50
00c4f010 77135bb2 RPCRT4!NdrpSendReceive+0xc (FPO: [0,1,0])
00c4f428 748a45e3 RPCRT4!NdrClientCall2+0x1ce
00c4f444 74897168 SspiCli!SspirLogonUser+0x1a (FPO: [Non-Fpo])
00c4f544 0058706e SspiCli!SspipLogonUser+0x138 (FPO: [Non-Fpo])
00c4f668 00587c91 winlogon!AuthenticateUser+0x840 (FPO: [Non-Fpo])
00c4f780 0059e996 winlogon!WLGeneric_Authenticating_Execute+0x1b3 (FPO: [Non-Fpo])
00c4f798 76d5dda1 winlogon!StateMachineWorkerCallback+0x67 (FPO: [Non-Fpo])
00c4f7bc 76d618e5 ntdll!TppWorkpExecuteCallback+0x121 (FPO: [Non-Fpo])
00c4f920 76197647 ntdll!TppWorkerThread+0x5e7 (FPO: [Non-Fpo])
00c4f92c 76cf0683 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
00c4f96c 76cf08df ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])
00c4f984 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])