-
windbg를 활용한 프로세스, 스레드 정보 분석Pentesting/Windows 2020. 2. 10. 18:10
1. 커널 디버깅을 시작한다.
2. 아래의 명령어는 EPROCESS 구조체를 이용하여 정보를 표시한다.
3. svchost 중 하나의 주소인 870285a8을 상세히 정보 분석한다.
kd> !process 870285a8 7 PROCESS 870285a8 SessionId: 0 Cid: 03c8 Peb: 7ffdf000 ParentCid: 01f4 DirBase: bf248200 ObjectTable: 8f8ed080 HandleCount: 887. Image: svchost.exe VadRoot 8704be80 Vads 273 Clone 0 Private 2363. Modified 1562. Locked 2. DeviceMap 8c8088a8 Token 8f8f4030 ElapsedTime 00:06:56.474 UserTime 00:00:00.234 KernelTime 00:00:00.265 QuotaPoolUsage[PagedPool] 167140 QuotaPoolUsage[NonPagedPool] 21596 Working Set Sizes (now,min,max) (5093, 50, 345) (20372KB, 200KB, 1380KB) PeakWorkingSetSize 5198 VirtualSize 88 Mb PeakVirtualSize 92 Mb PageFaultCount 12489 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 2731 THREAD 87025918 Cid 03c8.03cc Teb: 7ffde000 Win32Thread: fe9bdbe0 WAIT: (UserRequest) UserMode Non-Alertable 87029030 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22097 Ticks: 1180 (0:00:00:18.437) Context Switch Count 97 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x00a42104 Stack Init 90663ed0 Current 90663ac8 Base 90664000 Limit 90661000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 90663ae0 82eb887d 87025918 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 90663b18 82eb76db 870259d8 87025918 87029030 nt!KiSwapThread+0x266 90663b40 82eb0f6f 87025918 870259d8 00000000 nt!KiCommitThreadWait+0x1df 90663bb8 83066532 87029030 00000006 00010001 nt!KeWaitForSingleObject+0x393 90663c20 82e77a06 000000b4 00000000 00000000 nt!NtWaitForSingleObject+0xc6 90663c20 771370d4 000000b4 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90663c34) 0013fd20 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 8702a030 Cid 03c8.03d0 Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 87024280 SynchronizationTimer 87024348 SynchronizationTimer 87050970 SynchronizationEvent 8705c318 SynchronizationEvent 86f17d28 ProcessObject 86f29b10 SynchronizationEvent 85adc998 SynchronizationEvent 870b3a00 SynchronizationEvent 869e79a8 SynchronizationEvent 85a54a00 SynchronizationEvent 85daa930 SynchronizationEvent 870ae5f8 SynchronizationEvent 86a168b8 SynchronizationEvent 86f973e8 SynchronizationEvent 86a250e0 SynchronizationEvent 86a27650 SynchronizationEvent 86a47d48 SynchronizationEvent 86a50668 SynchronizationEvent 86a55c60 SynchronizationEvent 86f42468 SynchronizationEvent 85abf098 SynchronizationEvent 85abe608 SynchronizationEvent 85b2c318 SynchronizationEvent 86a7e6e8 SynchronizationEvent 85b2fe78 SynchronizationEvent 86a79b28 SynchronizationEvent 85abe700 SynchronizationEvent 86a7a748 SynchronizationEvent 86a7a678 SynchronizationEvent 86a80800 SynchronizationEvent 86a87cd0 SynchronizationEvent 86a73210 SynchronizationEvent 86f00d60 SynchronizationEvent 8733d820 SynchronizationEvent 87320368 SynchronizationEvent 872ca9e0 SynchronizationTimer 8735ab40 NotificationEvent 8735a788 NotificationEvent 8734e710 SynchronizationEvent 86a59620 SynchronizationEvent 86a20b50 SynchronizationEvent 8735ad48 SynchronizationEvent 8735a680 SynchronizationEvent 87350030 SynchronizationEvent 87350ff0 SynchronizationEvent 87350fb0 SynchronizationEvent 873501e8 SynchronizationEvent 8735de38 SynchronizationEvent 8735aeb8 SynchronizationEvent 87350908 SynchronizationEvent 8734cf70 SynchronizationEvent 85abf030 SynchronizationEvent 8734cc20 SynchronizationEvent 8731f130 SynchronizationEvent 8734c7d8 SynchronizationEvent 8734b480 SynchronizationEvent 8735d790 SynchronizationEvent 85b2d1a8 SynchronizationEvent 8734cdc8 SynchronizationEvent 8734c8b0 SynchronizationEvent 8733eb28 SynchronizationEvent 8733eb78 SynchronizationEvent 87024168 SynchronizationTimer 872c9878 SynchronizationTimer Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22126 Ticks: 1151 (0:00:00:17.984) Context Switch Count 258 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x7711fcf7) Stack Init 9066fed0 Current 9066f648 Base 90670000 Limit 9066d000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9066f660 82eb887d 8702a030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9066f698 82eb76db 872c9878 8702a030 8735a65c nt!KiSwapThread+0x266 9066f6c0 82eb34b4 8702a030 8735a050 00000000 nt!KiCommitThreadWait+0x1df 9066f83c 8306711b 00000040 9066f974 00000001 nt!KeWaitForMultipleObjects+0x535 9066fac8 83066e88 00000040 9066fbf4 00000001 nt!ObpWaitForMultipleObjects+0x262 9066fc18 82e77a06 00000040 001fa838 00000001 nt!NtWaitForMultipleObjects+0xcd 9066fc18 771370d4 00000040 001fa838 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9066fc34) 0041fe94 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87029340 Cid 03c8.03dc Teb: 7ffda000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable 87029574 Semaphore Limit 0x1 Impersonation token: 8f8f7030 (Level Delegation) Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22895 Ticks: 382 (0:00:00:05.968) Context Switch Count 1209 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587) Stack Init 9067bed0 Current 9067bb08 Base 9067c000 Limit 90679000 Call 00000000 Priority 27 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9067bb20 82eb887d 87029340 00000000 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9067bb58 82eb76db 00000000 87029340 80000000 nt!KiSwapThread+0x266 9067bb80 82eb73b9 87029340 87029400 000000ce nt!KiCommitThreadWait+0x1df 9067bbd8 83067382 0097f701 00000001 9067bbfc nt!KeDelayExecutionThread+0x2aa 9067bc24 82e77a06 00000001 73a81a90 0097fa64 nt!NtDelayExecution+0x8d 9067bc24 771370d4 00000001 73a81a90 0097fa64 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9067bc34) 0097fa64 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 8702b648 Cid 03c8.03e0 Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 8702b9f8 NotificationEvent 8701cc70 Semaphore Limit 0x7fffffff 8702b930 NotificationTimer Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22893 Ticks: 384 (0:00:00:06.000) Context Switch Count 295 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x73a82e57 Stack Init 9067fed0 Current 9067f648 Base 90680000 Limit 9067d000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9067f660 82eb887d 8702b648 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9067f698 82eb76db 8702b930 8702b648 8702b75c nt!KiSwapThread+0x266 9067f6c0 82eb34b4 8702b648 8702b708 00000000 nt!KiCommitThreadWait+0x1df 9067f83c 8306711b 00000003 9067f974 00000001 nt!KeWaitForMultipleObjects+0x535 9067fac8 83066e88 00000003 9067fb00 00000001 nt!ObpWaitForMultipleObjects+0x262 9067fc18 82e77a06 00000003 00e2fb70 00000001 nt!NtWaitForMultipleObjects+0xcd 9067fc18 771370d4 00000003 00e2fb70 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9067fc34) 00e2fcf0 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 870485b0 Cid 03c8.0454 Teb: 7ffd8000 Win32Thread: ffb72dc8 WAIT: (UserRequest) UserMode Non-Alertable 8704fc78 NotificationEvent 87050be8 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062) Context Switch Count 55 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587) Stack Init 906cfed0 Current 906cf648 Base 906d0000 Limit 906cd000 Call 00000000 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 906cf660 82eb887d 870485b0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 906cf698 82eb76db 87050be8 870485b0 870486ac nt!KiSwapThread+0x266 906cf6c0 82eb34b4 870485b0 87048670 00000000 nt!KiCommitThreadWait+0x1df 906cf83c 8306711b 00000002 906cf974 00000001 nt!KeWaitForMultipleObjects+0x535 906cfac8 83066e88 00000002 906cfafc 00000001 nt!ObpWaitForMultipleObjects+0x262 906cfc18 82e77a06 00000002 00e7f76c 00000001 nt!NtWaitForMultipleObjects+0xcd 906cfc18 771370d4 00000002 00e7f76c 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 906cfc34) 00e7f7b8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87049030 Cid 03c8.0458 Teb: 7ffd7000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 87049264 Semaphore Limit 0x1 Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 23056 Ticks: 221 (0:00:00:03.453) Context Switch Count 215 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587) Stack Init 906d3ed0 Current 906d3a08 Base 906d4000 Limit 906d1000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 906d3a20 82eb887d 87049030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 906d3a58 82eb76db 870490f0 87049030 87049264 nt!KiSwapThread+0x266 906d3a80 82eb0f6f 87049030 870490f0 00000000 nt!KiCommitThreadWait+0x1df 906d3afc 8307485b 87049264 00000010 00000101 nt!KeWaitForSingleObject+0x393 906d3b2c 8307703b 00000101 00000000 00000000 nt!AlpcpReceiveMessagePort+0x245 906d3b94 83076e5c 8704e5d0 0048f6d8 00000000 nt!AlpcpReceiveLegacyMessage+0x198 906d3c00 830771ee 00000144 0048f6cc 00000000 nt!NtReplyWaitReceivePortEx+0x10e 906d3c1c 82e77a06 00000144 0048f6cc 00000000 nt!NtReplyWaitReceivePort+0x18 906d3c1c 771370d4 00000144 0048f6cc 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 906d3c34) 0048f7dc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87050030 Cid 03c8.0464 Teb: 7ffd6000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Non-Alertable 87050264 Semaphore Limit 0x1 Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 19912 Ticks: 3365 (0:00:00:52.578) Context Switch Count 14 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x75a6d844) Stack Init 906e3ed0 Current 906e3b08 Base 906e4000 Limit 906e1000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 906e3b20 82eb887d 87050030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 906e3b58 82eb76db 00000000 87050030 ffffffff nt!KiSwapThread+0x266 906e3b80 82eb73b9 87050030 870500f0 000000c8 nt!KiCommitThreadWait+0x1df 906e3bd8 83067382 00000001 00000000 906e3bfc nt!KeDelayExecutionThread+0x2aa 906e3c24 82e77a06 00000000 00ddfa80 00ddfaa4 nt!NtDelayExecution+0x8d 906e3c24 771370d4 00000000 00ddfa80 00ddfaa4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 906e3c34) 00ddfaa4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 870a32d8 Cid 03c8.0518 Teb: 7ffd5000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 87092dc0 NotificationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22097 Ticks: 1180 (0:00:00:18.437) Context Switch Count 184 IdealProcessor: 0 UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587) Stack Init 9075ded0 Current 9075dac8 Base 9075e000 Limit 9075b000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9075dae0 82eb887d 870a32d8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9075db18 82eb76db 870a3398 870a32d8 87092dc0 nt!KiSwapThread+0x266 9075db40 82eb0f6f 870a32d8 870a3398 00000000 nt!KiCommitThreadWait+0x1df 9075dbb8 83066532 87092dc0 00000006 87024401 nt!KeWaitForSingleObject+0x393 9075dc20 82e77a06 00000214 00000000 00000000 nt!NtWaitForSingleObject+0xc6 9075dc20 771370d4 00000214 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9075dc34) 010af8e8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 870a5d48 Cid 03c8.051c Teb: 7ffd4000 Win32Thread: ffa00648 WAIT: (UserRequest) UserMode Non-Alertable 85adc130 SynchronizationEvent 86ac9098 SynchronizationEvent 865803e0 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 4864 Ticks: 18413 (0:00:04:47.703) Context Switch Count 768 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.031 Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587) Stack Init 90765ed0 Current 90765648 Base 90766000 Limit 90763000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 90765660 82eb887d 870a5d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 90765698 82eb76db 00000000 870a5d48 870a5e5c nt!KiSwapThread+0x266 907656c0 82eb34b4 870a5d48 870a5e08 00000000 nt!KiCommitThreadWait+0x1df 9076583c 8306711b 00000003 90765974 00000001 nt!KeWaitForMultipleObjects+0x535 90765ac8 83066e88 00000003 90765b00 00000001 nt!ObpWaitForMultipleObjects+0x262 90765c18 82e77a06 00000003 0123f440 00000001 nt!NtWaitForMultipleObjects+0xcd 90765c18 771370d4 00000003 0123f440 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90765c34) 0123f48c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 870b03b0 Cid 03c8.0530 Teb: 7ffd3000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable 870b0040 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 16217 Ticks: 7060 (0:00:01:50.312) Context Switch Count 20 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 9076ded0 Current 9076da60 Base 9076e000 Limit 9076b000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9076da78 82eb887d 870b03b0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9076dab0 82eb76db 870b0470 870b03b0 870b0040 nt!KiSwapThread+0x266 9076dad8 82eb83cd 870b03b0 870b0470 00000000 nt!KiCommitThreadWait+0x1df 9076db38 830666ae 870b0040 87349301 00000001 nt!KeRemoveQueueEx+0x4f8 9076db90 82ebe90a 870b0040 9076dbc8 9076dbf0 nt!IoRemoveIoCompletion+0x23 9076dc24 82e77a06 00000324 00a1f740 00a1f7ec nt!NtWaitForWorkViaWorkerFactory+0x1a1 9076dc24 771370d4 00000324 00a1f740 00a1f7ec nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9076dc34) 00a1f7ec 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 870b36b8 Cid 03c8.0538 Teb: 7ff9e000 Win32Thread: ffa944e8 WAIT: (WrQueue) UserMode Alertable 870244c0 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 23057 Ticks: 220 (0:00:00:03.437) Context Switch Count 847 IdealProcessor: 0 UserTime 00:00:00.046 KernelTime 00:00:00.046 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 90769ed0 Current 90769a60 Base 9076a000 Limit 90767000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 90769a78 82eb887d 870b36b8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 90769ab0 82eb76db 870b3778 870b36b8 870244c0 nt!KiSwapThread+0x266 90769ad8 82eb83cd 870b36b8 870b3778 000000d1 nt!KiCommitThreadWait+0x1df 90769b38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8 90769b90 82ebe90a 870244c0 90769bc8 90769bf0 nt!IoRemoveIoCompletion+0x23 90769c24 82e77a06 00000084 011efc30 011efcdc nt!NtWaitForWorkViaWorkerFactory+0x1a1 90769c24 771370d4 00000084 011efc30 011efcdc nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90769c34) 011efcdc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 869e7c60 Cid 03c8.0568 Teb: 7ff9c000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 86f29b50 SynchronizationEvent 865803a0 NotificationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062) Context Switch Count 5 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x71b4794d Stack Init 90791ed0 Current 90791648 Base 90792000 Limit 9078f000 Call 00000000 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 90791660 82eb887d 869e7c60 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 90791698 82eb76db 865803a0 869e7c60 869e7d5c nt!KiSwapThread+0x266 907916c0 82eb34b4 869e7c60 869e7d20 00000000 nt!KiCommitThreadWait+0x1df 9079183c 8306711b 00000002 90791974 00000001 nt!KeWaitForMultipleObjects+0x535 90791ac8 83066e88 00000002 90791afc 00000001 nt!ObpWaitForMultipleObjects+0x262 90791c18 82e77a06 00000002 00fdf7b4 00000001 nt!NtWaitForMultipleObjects+0xcd 90791c18 771370d4 00000002 00fdf7b4 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90791c34) 00fdf800 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 869e9840 Cid 03c8.0584 Teb: 7ff9b000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 86edb510 SynchronizationEvent 86edae78 SynchronizationEvent 86edb550 SynchronizationEvent 869ea240 SynchronizationTimer 869ea178 SynchronizationTimer IRP List: 86f287b8: (0006,01d8) Flags: 00060000 Mdl: 00000000 Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062) Context Switch Count 14 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x71a22135 Stack Init 907a1ed0 Current 907a1648 Base 907a2000 Limit 9079f000 Call 00000000 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 907a1660 82eb887d 869e9840 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 907a1698 82eb76db 869ea178 869e9840 8705caec nt!KiSwapThread+0x266 907a16c0 82eb34b4 869e9840 8705ca68 00000000 nt!KiCommitThreadWait+0x1df 907a183c 8306711b 00000005 907a1974 00000001 nt!KeWaitForMultipleObjects+0x535 907a1ac8 83066e88 00000005 907a1b08 00000001 nt!ObpWaitForMultipleObjects+0x262 907a1c18 82e77a06 00000005 013ff6fc 00000001 nt!NtWaitForMultipleObjects+0xcd 907a1c18 771370d4 00000005 013ff6fc 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 907a1c34) 013ff748 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 86a7dd48 Cid 03c8.0700 Teb: 7ff98000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 85abfd70 NotificationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062) Context Switch Count 4 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x74e154aa Stack Init 8e148ed0 Current 8e148ac8 Base 8e149000 Limit 8e146000 Call 00000000 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8e148ae0 82eb887d 86a7dd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 8e148b18 82eb76db 86a7de08 86a7dd48 85abfd70 nt!KiSwapThread+0x266 8e148b40 82eb0f6f 86a7dd48 86a7de08 00000000 nt!KiCommitThreadWait+0x1df 8e148bb8 83066532 85abfd70 00000006 82ee7b01 nt!KeWaitForSingleObject+0x393 8e148c20 82e77a06 0000051c 00000000 00000000 nt!NtWaitForSingleObject+0xc6 8e148c20 771370d4 0000051c 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 8e148c34) 0133f814 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 85b2dd48 Cid 03c8.0720 Teb: 7ff97000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable 85b2ee00 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062) Context Switch Count 6 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 98ad1ed0 Current 98ad1a60 Base 98ad2000 Limit 98acf000 Call 00000000 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 98ad1a78 82eb887d 85b2dd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 98ad1ab0 82eb76db 85b2de08 85b2dd48 85b2ee00 nt!KiSwapThread+0x266 98ad1ad8 82eb83cd 85b2dd48 85b2de08 00000000 nt!KiCommitThreadWait+0x1df 98ad1b38 830666ae 85b2ee00 82ef8d01 00000001 nt!KeRemoveQueueEx+0x4f8 98ad1b90 82ebe90a 85b2ee00 98ad1bc8 98ad1bf0 nt!IoRemoveIoCompletion+0x23 98ad1c24 82e77a06 00000598 017cf720 017cf7cc nt!NtWaitForWorkViaWorkerFactory+0x1a1 98ad1c24 771370d4 00000598 017cf720 017cf7cc nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98ad1c34) 017cf7cc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87328d48 Cid 03c8.0114 Teb: 7ff99000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 8733a6e0 NotificationEvent 8733e7d8 SynchronizationEvent 8733ef28 SynchronizationEvent 8733e6c4 NotificationEvent IRP List: 86d66a18: (0006,01d8) Flags: 00060000 Mdl: 00000000 Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 4682 Ticks: 18595 (0:00:04:50.546) Context Switch Count 55 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.015 Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587) Stack Init 98b7ded0 Current 98b7d648 Base 98b7e000 Limit 98b7b000 Call 00000000 Priority 11 BasePriority 10 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 98b7d660 82eb887d 87328d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 98b7d698 82eb76db 8733e6c4 87328d48 85b97654 nt!KiSwapThread+0x266 98b7d6c0 82eb34b4 87328d48 85b975e8 00000000 nt!KiCommitThreadWait+0x1df 98b7d83c 8306711b 00000004 98b7d974 00000001 nt!KeWaitForMultipleObjects+0x535 98b7dac8 83066e88 00000004 98b7db04 00000001 nt!ObpWaitForMultipleObjects+0x262 98b7dc18 82e77a06 00000004 0184f8ec 00000001 nt!NtWaitForMultipleObjects+0xcd 98b7dc18 771370d4 00000004 0184f8ec 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98b7dc34) 0184f938 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87320d48 Cid 03c8.0244 Teb: 7ff94000 Win32Thread: fe976008 WAIT: (UserRequest) UserMode Non-Alertable 8731fca0 SynchronizationEvent 86a06678 SynchronizationEvent 874e91d0 SynchronizationEvent 8737cb90 SynchronizationEvent 87545790 SynchronizationEvent 875659c8 SynchronizationEvent 874e8250 SynchronizationEvent 874e34c8 SynchronizationEvent 8731fc60 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 19491 Ticks: 3786 (0:00:00:59.156) Context Switch Count 251 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587) Stack Init 98bb1ed0 Current 98bb1648 Base 98bb2000 Limit 98baf000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 98bb1660 82eb887d 87320d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 98bb1698 82eb76db 00000000 87320d48 861af934 nt!KiSwapThread+0x266 98bb16c0 82eb34b4 87320d48 861af850 000000b3 nt!KiCommitThreadWait+0x1df 98bb183c 8306711b 00000009 98bb1974 00000001 nt!KeWaitForMultipleObjects+0x535 98bb1ac8 83066e88 00000009 98bb1b18 00000001 nt!ObpWaitForMultipleObjects+0x262 98bb1c18 82e77a06 00000009 01d04428 00000001 nt!NtWaitForMultipleObjects+0xcd 98bb1c18 771370d4 00000009 01d04428 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bb1c34) 01edfaec 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 8734d888 Cid 03c8.0240 Teb: 7ff92000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 87347518 SynchronizationEvent 86f1baa0 SynchronizationEvent IRP List: 875126c8: (0006,0244) Flags: 00060070 Mdl: 00000000 Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 5513 Ticks: 17764 (0:00:04:37.562) Context Switch Count 8 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address advapi32!WmipEventPump (0x75d2a452) Stack Init 98bc9ed0 Current 98bc9648 Base 98bca000 Limit 98bc7000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 98bc9660 82eb887d 8734d888 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 98bc9698 82eb76db 00000000 8734d888 8734d984 nt!KiSwapThread+0x266 98bc96c0 82eb34b4 8734d888 8734d948 00000089 nt!KiCommitThreadWait+0x1df 98bc983c 8306711b 00000002 98bc9974 00000001 nt!KeWaitForMultipleObjects+0x535 98bc9ac8 83066e88 00000002 98bc9afc 00000001 nt!ObpWaitForMultipleObjects+0x262 98bc9c18 82e77a06 00000002 01e9fe44 00000001 nt!NtWaitForMultipleObjects+0xcd 98bc9c18 771370d4 00000002 01e9fe44 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bc9c34) 01e9fe94 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87350b48 Cid 03c8.02c8 Teb: 7ff90000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 87350eb0 NotificationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062) Context Switch Count 4 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x74e154aa Stack Init 98bcded0 Current 98bcdac8 Base 98bce000 Limit 98bcb000 Call 00000000 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 98bcdae0 82eb887d 87350b48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 98bcdb18 82eb76db 87350c08 87350b48 87350eb0 nt!KiSwapThread+0x266 98bcdb40 82eb0f6f 87350b48 87350c08 00000000 nt!KiCommitThreadWait+0x1df 98bcdbb8 83066532 87350eb0 00000006 82ee7b01 nt!KeWaitForSingleObject+0x393 98bcdc20 82e77a06 00000848 00000000 00000000 nt!NtWaitForSingleObject+0xc6 98bcdc20 771370d4 00000848 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bcdc34) 0150fbac 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87349310 Cid 03c8.03f0 Teb: 7ff8c000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 873495f8 SynchronizationTimer 87349700 SynchronizationEvent 87362558 SynchronizationEvent 87369030 SynchronizationTimer 8736d868 SynchronizationEvent 872d4c98 SynchronizationEvent 8737b738 SynchronizationEvent 86f9d638 ProcessObject 86f9d638 ProcessObject 86f9d638 ProcessObject 86f9d638 ProcessObject 85b17670 NotificationEvent 86a792d8 NotificationEvent 8735b5d8 ProcessObject 873684b0 SynchronizationEvent 87435648 SynchronizationEvent 874cdf08 SynchronizationEvent 8649a138 SynchronizationEvent 8753e3e8 SynchronizationEvent 8737ac18 SynchronizationEvent 873679c8 SynchronizationEvent 87529d90 SynchronizationEvent 87325ff0 SynchronizationEvent 874e30f0 SynchronizationEvent 8736b218 SynchronizationEvent 86574498 SynchronizationEvent 86acf8e8 SynchronizationEvent 875476f8 SynchronizationEvent 8757f030 ProcessObject 87368578 SynchronizationEvent 87369f68 SynchronizationTimer Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 16217 Ticks: 7060 (0:00:01:50.312) Context Switch Count 113 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x7711fcf7) Stack Init 98beeed0 Current 98bee648 Base 98bef000 Limit 98bec000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 98bee660 82eb887d 87349310 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 98bee698 82eb76db 87369f68 87349310 86a342fc nt!KiSwapThread+0x266 98bee6c0 82eb34b4 87349310 86a34008 00000000 nt!KiCommitThreadWait+0x1df 98bee83c 8306711b 0000001f 98bee974 00000001 nt!KeWaitForMultipleObjects+0x535 98beeac8 83066e88 0000001f 98beeb70 00000001 nt!ObpWaitForMultipleObjects+0x262 98beec18 82e77a06 0000001f 002be408 00000001 nt!NtWaitForMultipleObjects+0xcd 98beec18 771370d4 0000001f 002be408 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98beec34) 0128fe3c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87362230 Cid 03c8.04b0 Teb: 7ff8a000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 873ca698 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062) Context Switch Count 14 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 9ba03ed0 Current 9ba03ac8 Base 9ba04000 Limit 9ba01000 Call 00000000 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 9ba03ae0 82eb887d 87362230 00000000 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9ba03b18 82eb76db 873622f0 87362230 873ca698 nt!KiSwapThread+0x266 9ba03b40 82eb0f6f 87362230 873622f0 00000000 nt!KiCommitThreadWait+0x1df 9ba03bb8 83066532 873ca698 00000006 00000001 nt!KeWaitForSingleObject+0x393 9ba03c20 82e77a06 00000bbc 00000001 00000000 nt!NtWaitForSingleObject+0xc6 9ba03c20 771370d4 00000bbc 00000001 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9ba03c34) 022bfaa8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87366030 Cid 03c8.04a8 Teb: 7ff8d000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable 87342340 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22126 Ticks: 1151 (0:00:00:17.984) Context Switch Count 27 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 98bd5ed0 Current 98bd5a60 Base 98bd6000 Limit 98bd3000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 98bd5a78 82eb887d 87366030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 98bd5ab0 82eb76db 873660f0 87366030 87342340 nt!KiSwapThread+0x266 98bd5ad8 82eb83cd 87366030 873660f0 0000002e nt!KiCommitThreadWait+0x1df 98bd5b38 830666ae 87342340 ffffff01 00000001 nt!KeRemoveQueueEx+0x4f8 98bd5b90 82ebe90a 87342340 98bd5bc8 98bd5bf0 nt!IoRemoveIoCompletion+0x23 98bd5c24 82e77a06 000006a0 0236f9e4 0236fa90 nt!NtWaitForWorkViaWorkerFactory+0x1a1 98bd5c24 771370d4 000006a0 0236f9e4 0236fa90 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bd5c34) 0236fa90 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 873bdd48 Cid 03c8.0144 Teb: 7ff81000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 873bdf7c Semaphore Limit 0x1 Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 21524 Ticks: 1753 (0:00:00:27.390) Context Switch Count 9 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x734d1917 Stack Init 9ba8fed0 Current 9ba8fa10 Base 9ba90000 Limit 9ba8d000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9ba8fa28 82eb887d 873bdd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9ba8fa60 82eb76db 873bde08 873bdd48 873bdf7c nt!KiSwapThread+0x266 9ba8fa88 82eb0f6f 873bdd48 873bde08 00000014 nt!KiCommitThreadWait+0x1df 9ba8fb04 8307485b 873bdf7c 00000010 00000001 nt!KeWaitForSingleObject+0x393 9ba8fb34 83074e9e 00000001 8f8ed000 9ba8fb60 nt!AlpcpReceiveMessagePort+0x245 9ba8fbb4 83090d3c 87303608 02ba0048 02b9fe58 nt!AlpcpReceiveMessage+0x1b8 9ba8fc0c 82e77a06 00000b7c 00000000 00000000 nt!NtAlpcSendWaitReceivePort+0x12d 9ba8fc0c 771370d4 00000b7c 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9ba8fc34) 02b9fe70 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87018900 Cid 03c8.0138 Teb: 7ff80000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable 87064f00 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 21525 Ticks: 1752 (0:00:00:27.375) Context Switch Count 30 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 9ba9bed0 Current 9ba9ba60 Base 9ba9c000 Limit 9ba99000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9ba9ba78 82eb887d 87018900 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9ba9bab0 82eb76db 870189c0 87018900 87064f00 nt!KiSwapThread+0x266 9ba9bad8 82eb83cd 87018900 870189c0 00000000 nt!KiCommitThreadWait+0x1df 9ba9bb38 830666ae 87064f00 00000801 00000001 nt!KeRemoveQueueEx+0x4f8 9ba9bb90 82ebe90a 87064f00 9ba9bbc8 9ba9bbf0 nt!IoRemoveIoCompletion+0x23 9ba9bc24 82e77a06 00000ba0 0282fd5c 0282fe08 nt!NtWaitForWorkViaWorkerFactory+0x1a1 9ba9bc24 771370d4 00000ba0 0282fd5c 0282fe08 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9ba9bc34) 0282fe08 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87348540 Cid 03c8.075c Teb: 7ff84000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 861b0c80 NotificationEvent 86f3ea18 NotificationEvent IRP List: 8651a3d0: (0006,0094) Flags: 00060800 Mdl: 00000000 Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 7685 Ticks: 15592 (0:00:04:03.625) Context Switch Count 9 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x70542f39 Stack Init a5d65ed0 Current a5d65648 Base a5d66000 Limit a5d63000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d65660 82eb887d 87348540 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d65698 82eb76db 86f3ea18 87348540 8734863c nt!KiSwapThread+0x266 a5d656c0 82eb34b4 87348540 87348600 00000000 nt!KiCommitThreadWait+0x1df a5d6583c 8306711b 00000002 a5d65974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d65ac8 83066e88 00000002 a5d65afc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d65c18 82e77a06 00000002 028bf678 00000001 nt!NtWaitForMultipleObjects+0xcd a5d65c18 771370d4 00000002 028bf678 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d65c34) 028bf6c4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 8744ad48 Cid 03c8.0920 Teb: 7ff82000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 87446030 NotificationEvent 873df360 NotificationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 7685 Ticks: 15592 (0:00:04:03.625) Context Switch Count 5 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6e8d1df9 Stack Init a5d71ed0 Current a5d71648 Base a5d72000 Limit a5d6f000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d71660 82eb887d 8744ad48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d71698 82eb76db 873df360 8744ad48 8744ae44 nt!KiSwapThread+0x266 a5d716c0 82eb34b4 8744ad48 8744ae08 00000000 nt!KiCommitThreadWait+0x1df a5d7183c 8306711b 00000002 a5d71974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d71ac8 83066e88 00000002 a5d71afc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d71c18 82e77a06 00000002 0294faf8 00000001 nt!NtWaitForMultipleObjects+0xcd a5d71c18 771370d4 00000002 0294faf8 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d71c34) 0294fb44 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 87569d48 Cid 03c8.093c Teb: 7ff7f000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 86fdbfa8 NotificationEvent 87372cc8 NotificationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 7685 Ticks: 15592 (0:00:04:03.625) Context Switch Count 1 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6e8d1df9 Stack Init a5d75ed0 Current a5d75648 Base a5d76000 Limit a5d73000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d75660 82eb887d 87569d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d75698 82eb76db 87372cc8 87569d48 87569e44 nt!KiSwapThread+0x266 a5d756c0 82eb34b4 87569d48 87569e08 00000000 nt!KiCommitThreadWait+0x1df a5d7583c 8306711b 00000002 a5d75974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d75ac8 83066e88 00000002 a5d75afc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d75c18 82e77a06 00000002 0177f948 00000001 nt!NtWaitForMultipleObjects+0xcd a5d75c18 771370d4 00000002 0177f948 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d75c34) 0177f994 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 85d03b30 Cid 03c8.05e8 Teb: 7ffdc000 Win32Thread: ffa00dc8 WAIT: (WrQueue) UserMode Alertable 870244c0 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 21388 Ticks: 1889 (0:00:00:29.515) Context Switch Count 493 IdealProcessor: 0 UserTime 00:00:00.031 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 8fdd0ed0 Current 8fdd0a60 Base 8fdd1000 Limit 8fdce000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8fdd0a78 82eb887d 85d03b30 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 8fdd0ab0 82eb76db 85d03bf0 85d03b30 870244c0 nt!KiSwapThread+0x266 8fdd0ad8 82eb83cd 85d03b30 85d03bf0 0000004c nt!KiCommitThreadWait+0x1df 8fdd0b38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8 8fdd0b90 82ebe90a 870244c0 8fdd0bc8 8fdd0bf0 nt!IoRemoveIoCompletion+0x23 8fdd0c24 82e77a06 00000084 01dbf9f4 01dbfaa0 nt!NtWaitForWorkViaWorkerFactory+0x1a1 8fdd0c24 771370d4 00000084 01dbf9f4 01dbfaa0 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 8fdd0c34) 01dbfaa0 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 873cd520 Cid 03c8.089c Teb: 7ff95000 Win32Thread: ffa98260 WAIT: (WrQueue) UserMode Alertable 870244c0 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 23057 Ticks: 220 (0:00:00:03.437) Context Switch Count 254 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init 9badbed0 Current 9badba60 Base 9badc000 Limit 9bad9000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 9badba78 82eb887d 873cd520 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) 9badbab0 82eb76db 873cd5e0 873cd520 870244c0 nt!KiSwapThread+0x266 9badbad8 82eb83cd 873cd520 873cd5e0 000000d1 nt!KiCommitThreadWait+0x1df 9badbb38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8 9badbb90 82ebe90a 870244c0 9badbbc8 9badbbf0 nt!IoRemoveIoCompletion+0x23 9badbc24 82e77a06 00000084 009df950 009df9fc nt!NtWaitForWorkViaWorkerFactory+0x1a1 9badbc24 771370d4 00000084 009df950 009df9fc nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9badbc34) 009df9fc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 8705b7e8 Cid 03c8.0cf8 Teb: 7ff9f000 Win32Thread: fe9b9770 WAIT: (WrQueue) UserMode Alertable 870244c0 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484) Context Switch Count 149 IdealProcessor: 0 UserTime 00:00:00.015 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init a57d5ed0 Current a57d5a60 Base a57d6000 Limit a57d3000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a57d5a78 82eb887d 8705b7e8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a57d5ab0 82eb76db 8705b8a8 8705b7e8 870244c0 nt!KiSwapThread+0x266 a57d5ad8 82eb83cd 8705b7e8 8705b8a8 0000004e nt!KiCommitThreadWait+0x1df a57d5b38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8 a57d5b90 82ebe90a 870244c0 a57d5bc8 a57d5bf0 nt!IoRemoveIoCompletion+0x23 a57d5c24 82e77a06 00000084 01fefea0 01feff4c nt!NtWaitForWorkViaWorkerFactory+0x1a1 a57d5c24 771370d4 00000084 01fefea0 01feff4c nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a57d5c34) 01feff4c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 875b6be0 Cid 03c8.0734 Teb: 7ff93000 Win32Thread: fe994dc8 WAIT: (WrQueue) UserMode Alertable 870244c0 QueueObject Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 23056 Ticks: 221 (0:00:00:03.453) Context Switch Count 173 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x771203cf) Stack Init a57e9ed0 Current a57e9a60 Base a57ea000 Limit a57e7000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a57e9a78 82eb887d 875b6be0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a57e9ab0 82eb76db 875b6ca0 875b6be0 870244c0 nt!KiSwapThread+0x266 a57e9ad8 82eb83cd 875b6be0 875b6ca0 000000d0 nt!KiCommitThreadWait+0x1df a57e9b38 830666ae 870244c0 00000001 00000001 nt!KeRemoveQueueEx+0x4f8 a57e9b90 82ebe90a 870244c0 a57e9bc8 a57e9bf0 nt!IoRemoveIoCompletion+0x23 a57e9c24 82e77a06 00000084 0222fc48 0222fcf4 nt!NtWaitForWorkViaWorkerFactory+0x1a1 a57e9c24 771370d4 00000084 0222fc48 0222fcf4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a57e9c34) 0222fcf4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 85da2308 Cid 03c8.0748 Teb: 7ffdb000 Win32Thread: fe994a70 WAIT: (UserRequest) UserMode Non-Alertable 85b99bc8 SynchronizationEvent 85da25f0 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468) Context Switch Count 16 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6ef9239b Stack Init a5d47ed0 Current a5d47648 Base a5d48000 Limit a5d45000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d47660 82eb887d 85da2308 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d47698 82eb76db 00000000 85da2308 85da2404 nt!KiSwapThread+0x266 a5d476c0 82eb34b4 85da2308 85da23c8 0000008f nt!KiCommitThreadWait+0x1df a5d4783c 8306711b 00000002 a5d47974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d47ac8 83066e88 00000002 a5d47afc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d47c18 82e77a06 00000002 01e5f750 00000001 nt!NtWaitForMultipleObjects+0xcd a5d47c18 771370d4 00000002 01e5f750 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d47c34) 01e5f79c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 85b20658 Cid 03c8.035c Teb: 7ff9d000 Win32Thread: fe9a9b88 WAIT: (UserRequest) UserMode Non-Alertable 87492538 SynchronizationEvent 873cc7e8 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484) Context Switch Count 16 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6ef9239b Stack Init a5d3bed0 Current a5d3b648 Base a5d3c000 Limit a5d39000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d3b660 82eb887d 85b20658 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d3b698 82eb76db 00000000 85b20658 85b20754 nt!KiSwapThread+0x266 a5d3b6c0 82eb34b4 85b20658 85b20718 0000008e nt!KiCommitThreadWait+0x1df a5d3b83c 8306711b 00000002 a5d3b974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d3bac8 83066e88 00000002 a5d3bafc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d3bc18 82e77a06 00000002 0207f878 00000001 nt!NtWaitForMultipleObjects+0xcd a5d3bc18 771370d4 00000002 0207f878 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d3bc34) 0207f8c4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 8707d030 Cid 03c8.0f74 Teb: 7ff9a000 Win32Thread: fe994830 WAIT: (UserRequest) UserMode Non-Alertable 875bde60 SynchronizationEvent 85b99750 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484) Context Switch Count 16 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.015 Win32 Start Address 0x6ef9239b Stack Init a5d1bed0 Current a5d1b648 Base a5d1c000 Limit a5d19000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d1b660 82eb887d 8707d030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d1b698 82eb76db 00000000 8707d030 8707d12c nt!KiSwapThread+0x266 a5d1b6c0 82eb34b4 8707d030 8707d0f0 0000008e nt!KiCommitThreadWait+0x1df a5d1b83c 8306711b 00000002 a5d1b974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d1bac8 83066e88 00000002 a5d1bafc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d1bc18 82e77a06 00000002 01f1fd00 00000001 nt!NtWaitForMultipleObjects+0xcd a5d1bc18 771370d4 00000002 01f1fd00 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d1bc34) 01f1fd4c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 86acdd48 Cid 03c8.0614 Teb: 7ff96000 Win32Thread: fe9a9dc8 WAIT: (UserRequest) UserMode Non-Alertable 85dd7a10 SynchronizationEvent 85de2638 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484) Context Switch Count 2 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6ef9239b Stack Init a5d53ed0 Current a5d53648 Base a5d54000 Limit a5d51000 Call 00000000 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d53660 82eb887d 86acdd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d53698 82eb76db 00000000 86acdd48 86acde44 nt!KiSwapThread+0x266 a5d536c0 82eb34b4 86acdd48 86acde08 0000008e nt!KiCommitThreadWait+0x1df a5d5383c 8306711b 00000002 a5d53974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d53ac8 83066e88 00000002 a5d53afc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d53c18 82e77a06 00000002 021efbd0 00000001 nt!NtWaitForMultipleObjects+0xcd a5d53c18 771370d4 00000002 021efbd0 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d53c34) 021efc1c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 873027f0 Cid 03c8.07ac Teb: 7ff91000 Win32Thread: fe99adc8 WAIT: (UserRequest) UserMode Non-Alertable 85ddb1e8 SynchronizationEvent 85b99850 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468) Context Switch Count 1 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6ef9239b Stack Init a5c60ed0 Current a5c60648 Base a5c61000 Limit a5c5e000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5c60660 82eb887d 873027f0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5c60698 82eb76db 00000000 873027f0 873028ec nt!KiSwapThread+0x266 a5c606c0 82eb34b4 873027f0 873028b0 0000008f nt!KiCommitThreadWait+0x1df a5c6083c 8306711b 00000002 a5c60974 00000001 nt!KeWaitForMultipleObjects+0x535 a5c60ac8 83066e88 00000002 a5c60afc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5c60c18 82e77a06 00000002 0137fbe0 00000001 nt!NtWaitForMultipleObjects+0xcd a5c60c18 771370d4 00000002 0137fbe0 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5c60c34) 0137fc2c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 8754f0c8 Cid 03c8.09d8 Teb: 7ff8f000 Win32Thread: fe99ab88 WAIT: (UserRequest) UserMode Non-Alertable 85ddb498 SynchronizationEvent 85b99c08 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468) Context Switch Count 1 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6ef9239b Stack Init a5d2bed0 Current a5d2b648 Base a5d2c000 Limit a5d29000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5d2b660 82eb887d 8754f0c8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5d2b698 82eb76db 00000000 8754f0c8 8754f1c4 nt!KiSwapThread+0x266 a5d2b6c0 82eb34b4 8754f0c8 8754f188 0000008f nt!KiCommitThreadWait+0x1df a5d2b83c 8306711b 00000002 a5d2b974 00000001 nt!KeWaitForMultipleObjects+0x535 a5d2bac8 83066e88 00000002 a5d2bafc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5d2bc18 82e77a06 00000002 029ef860 00000001 nt!NtWaitForMultipleObjects+0xcd a5d2bc18 771370d4 00000002 029ef860 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d2bc34) 029ef8ac 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) THREAD 85da29f0 Cid 03c8.0e54 Teb: 7ff8e000 Win32Thread: fe98ddc8 WAIT: (UserRequest) UserMode Non-Alertable 866cc8a0 SynchronizationEvent 85b99cc8 SynchronizationEvent Not impersonating DeviceMap 8c8088a8 Owning Process 870285a8 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468) Context Switch Count 1 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x6ef9239b Stack Init a5c6fed0 Current a5c6f648 Base a5c70000 Limit a5c6d000 Call 00000000 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child a5c6f660 82eb887d 85da29f0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) a5c6f698 82eb76db 00000000 85da29f0 85da2aec nt!KiSwapThread+0x266 a5c6f6c0 82eb34b4 85da29f0 85da2ab0 0000008f nt!KiCommitThreadWait+0x1df a5c6f83c 8306711b 00000002 a5c6f974 00000001 nt!KeWaitForMultipleObjects+0x535 a5c6fac8 83066e88 00000002 a5c6fafc 00000001 nt!ObpWaitForMultipleObjects+0x262 a5c6fc18 82e77a06 00000002 00abfc48 00000001 nt!NtWaitForMultipleObjects+0xcd a5c6fc18 771370d4 00000002 00abfc48 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5c6fc34) 00abfc94 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])4. 명령어 옵션 값이 7이라 스레드 정보까지 출력해서 양이 많다. -1 옵션을 주면 현재 실행 중인 프로세스 정보까지만 확인할 수 있다.
kd> !process -1 PROCESS 85a567c8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00185000 ObjectTable: 8c801b28 HandleCount: 539. Image: System VadRoot 865119f0 Vads 9 Clone 0 Private 4. Modified 9379. Locked 64. DeviceMap 8c8088a8 Token 8c801248 ElapsedTime 00:07:00.802 UserTime 00:00:00.000 KernelTime 00:00:00.953 QuotaPoolUsage[PagedPool] 0 QuotaPoolUsage[NonPagedPool] 0 Working Set Sizes (now,min,max) (157, 0, 0) (628KB, 0KB, 0KB) PeakWorkingSetSize 1499 VirtualSize 2 Mb PeakVirtualSize 7 Mb PageFaultCount 13349 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 12 THREAD 85a564f0 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 82f863f0 Gate THREAD 85b0dd48 Cid 0004.000c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 82f7e5d0 SynchronizationEvent THREAD 85b0da70 Cid 0004.0010 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 82f7eac0 Semaphore Limit 0x7fffffff THREAD 85af1d48 Cid 0004.0014 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 82f7eac0 Semaphore Limit 0x7fffffff THREAD 85af17f0 Cid 0004.0018 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f77480 QueueObject THREAD 85aedd48 Cid 0004.001c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f77480 QueueObject THREAD 85aeda70 Cid 0004.0020 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f77480 QueueObject THREAD 85ae1d48 Cid 0004.0024 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f77480 QueueObject THREAD 85ae1a70 Cid 0004.0028 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f77480 QueueObject THREAD 85acdd48 Cid 0004.002c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f774bc QueueObject THREAD 85acda70 Cid 0004.0030 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f774bc QueueObject THREAD 85afd858 Cid 0004.0034 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f774bc QueueObject THREAD 85afd580 Cid 0004.0038 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f774bc QueueObject THREAD 85ae5960 Cid 0004.003c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f774bc QueueObject THREAD 85ae5688 Cid 0004.0040 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f774bc QueueObject THREAD 85ae53b0 Cid 0004.0044 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f774bc QueueObject THREAD 85ac9d48 Cid 0004.0048 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 82f774f8 QueueObject THREAD 85ac9a70 Cid 0004.004c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8e103c28 NotificationTimer 82f77460 SynchronizationEvent 82f77450 SynchronizationEvent THREAD 85b09020 Cid 0004.0050 Teb: 00000000 Win32Thread: 00000000 WAIT: (Suspended) KernelMode Non-Alertable 82f68740 Gate THREAD 85b09730 Cid 0004.0054 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrVirtualMemory) UserMode Non-Alertable 82f861e0 Semaphore Limit 0x7fffffff 82f86260 NotificationEvent 82f862f0 NotificationEvent 82f85c60 NotificationEvent 82f85c80 SynchronizationEvent THREAD 85b09390 Cid 0004.0058 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 82f85390 Gate THREAD 85b13d48 Cid 0004.005c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8e113bf0 SynchronizationEvent 82f85d90 SynchronizationEvent THREAD 85b13a70 Cid 0004.0060 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 82fa1090 SynchronizationEvent THREAD 85b0fc80 Cid 0004.0068 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 82fa5100 SynchronizationEvent 82fa50f0 SynchronizationEvent 82fa50e0 SynchronizationEvent 82fa50d0 SynchronizationEvent THREAD 85b0c788 Cid 0004.006c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 82fa41a0 QueueObject THREAD 85b0c4b0 Cid 0004.0070 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 82fa41c8 QueueObject THREAD 85b0b660 Cid 0004.0074 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 85b0b894 Semaphore Limit 0x1 THREAD 85abebf8 Cid 0004.007c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 82f85ee0 SynchronizationEvent 82f85ef0 SynchronizationEvent 82f85f00 SynchronizationEvent 82f85f10 SynchronizationEvent 82f85f20 SynchronizationEvent 82f85f30 SynchronizationEvent 82f85f40 SynchronizationEvent 82f85f50 SynchronizationEvent 82f85f60 SynchronizationEvent 82f85f70 SynchronizationEvent 82f85f80 SynchronizationEvent 82f85f90 SynchronizationEvent 82f85fa0 SynchronizationEvent 82f85fb0 SynchronizationEvent 82f85fc0 SynchronizationEvent 82f85fd0 SynchronizationEvent 82f85fe0 SynchronizationEvent THREAD 85ac0308 Cid 0004.0080 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85ac075c SynchronizationEvent 85ac0770 SynchronizationTimer THREAD 85b10d48 Cid 0004.0084 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85b1019c SynchronizationEvent 85b101b0 SynchronizationTimer THREAD 85b67020 Cid 0004.0088 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85b465dc SynchronizationEvent 85b465f0 SynchronizationTimer THREAD 85b67d48 Cid 0004.008c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85b4631c SynchronizationEvent 85b46330 SynchronizationTimer THREAD 85b92d48 Cid 0004.0090 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85b8fedc SynchronizationEvent 85b8fef0 SynchronizationTimer THREAD 85b9c020 Cid 0004.0094 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85b93a5c SynchronizationEvent THREAD 85ba05c8 Cid 0004.0098 Teb: 00000000 Win32Thread: 00000000 WAIT: (DelayExecution) KernelMode Non-Alertable 00000000 NotificationEvent THREAD 85a556f0 Cid 0004.009c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8b8566d0 NotificationEvent 8b8566c0 NotificationEvent THREAD 868b03d0 Cid 0004.00a4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85ac294c SynchronizationEvent 85ac293c SynchronizationEvent THREAD 8695e750 Cid 0004.00a8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85f9c030 SynchronizationEvent 85f9c040 SynchronizationEvent THREAD 85cfc750 Cid 0004.00ac Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Alertable 8b95e864 NotificationEvent 8b95e884 Semaphore Limit 0x7fffffff THREAD 85d0b750 Cid 0004.00b0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Alertable 86515014 NotificationEvent 86515028 SynchronizationTimer THREAD 864be268 Cid 0004.00b4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8bcf66a0 SynchronizationTimer THREAD 864e4d48 Cid 0004.00b8 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 8bcf66e0 QueueObject THREAD 864e4a70 Cid 0004.00bc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8bcf59d0 NotificationEvent THREAD 86519540 Cid 0004.00c0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b644 Semaphore Limit 0x7fffffff THREAD 86517020 Cid 0004.00c4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b658 Semaphore Limit 0x7fffffff THREAD 86517d48 Cid 0004.00c8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b66c Semaphore Limit 0x7fffffff THREAD 86517a70 Cid 0004.00cc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b680 Semaphore Limit 0x7fffffff THREAD 86517798 Cid 0004.00d0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b694 Semaphore Limit 0x7fffffff THREAD 86517420 Cid 0004.00d4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b6a8 Semaphore Limit 0x7fffffff THREAD 86514020 Cid 0004.00d8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b6bc Semaphore Limit 0x7fffffff THREAD 86514ca8 Cid 0004.00dc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b6d0 Semaphore Limit 0x7fffffff THREAD 86514930 Cid 0004.00e0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8650b6e4 Semaphore Limit 0x7fffffff THREAD 86618928 Cid 0004.00e8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 90c74230 SynchronizationEvent THREAD 86632bb8 Cid 0004.00ec Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 90e2503c NotificationEvent THREAD 866436b0 Cid 0004.00f0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86643aa8 NotificationEvent THREAD 86646d48 Cid 0004.00f4 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 86646f7c Semaphore Limit 0x1 THREAD 86650940 Cid 0004.0128 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 91c3c468 SynchronizationTimer THREAD 86670b30 Cid 0004.012c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 85af4f70 SynchronizationEvent THREAD 866d6a78 Cid 0004.0140 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8667bef0 NotificationEvent THREAD 86cd22d0 Cid 0004.0148 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 90ddf3e0 SynchronizationEvent 90ddf3c0 SynchronizationEvent THREAD 85ac32c0 Cid 0004.0168 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86d80ad8 SynchronizationEvent 86d80aa8 SynchronizationEvent 86d80b38 SynchronizationEvent THREAD 86f28d48 Cid 0004.01bc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86f298dc SynchronizationEvent THREAD 86f3e030 Cid 0004.01d8 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Alertable 86f2a200 QueueObject THREAD 86faa978 Cid 0004.02b4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86fac5a0 NotificationEvent 86fac5b0 SynchronizationEvent 86fac5e0 NotificationEvent THREAD 86fd4d48 Cid 0004.0328 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86fd2b9c SynchronizationEvent THREAD 86fddcf8 Cid 0004.0338 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86fd8e9c SynchronizationEvent THREAD 86febd48 Cid 0004.0358 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86fe749c SynchronizationEvent THREAD 86ffcd48 Cid 0004.0360 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86ff0e9c SynchronizationEvent THREAD 86ffad48 Cid 0004.0364 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86ff8e9c SynchronizationEvent THREAD 86f7b938 Cid 0004.0478 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 90e96740 NotificationEvent 90e96770 NotificationEvent 90e96750 NotificationEvent THREAD 87057b50 Cid 0004.047c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 90e96740 NotificationEvent 90e96780 NotificationEvent 90e96760 NotificationEvent THREAD 86a16988 Cid 0004.0610 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 90e24f3c QueueObject THREAD 86a20d48 Cid 0004.0628 Teb: 00000000 Win32Thread: 00000000 WAIT: (DelayExecution) KernelMode Non-Alertable 00000000 NotificationEvent THREAD 86a77d48 Cid 0004.06f8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 86a7719c SynchronizationEvent 86a771b0 SynchronizationTimer THREAD 87370388 Cid 0004.04f4 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 8736f808 QueueObject THREAD 87372418 Cid 0004.04e0 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 8736e3c8 QueueObject THREAD 87373020 Cid 0004.0520 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 8736e270 QueueObject THREAD 87378d48 Cid 0004.052c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 87373764 QueueObject THREAD 87379740 Cid 0004.05b8 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 87373504 QueueObject THREAD 8737ad48 Cid 0004.05c0 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 9b62fa4c QueueObject THREAD 8704da08 Cid 0004.0678 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 870aab68 QueueObject THREAD 86fd9d48 Cid 0004.0078 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 870aabcc QueueObject THREAD 8735f020 Cid 0004.0330 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 82f77480 QueueObject THREAD 8668c030 Cid 0004.0958 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8668d8dc SynchronizationEvent THREAD 87449af8 Cid 0004.09f0 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 90e24f3c QueueObject THREAD 8707fb78 Cid 0004.09f8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 9b6a9164 NotificationEvent 874a6018 NotificationEvent 874a8048 NotificationEvent 874aa078 NotificationEvent 874ac0a8 NotificationEvent THREAD 874ed020 Cid 0004.0a98 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 874ec488 SynchronizationEvent THREAD 874ed7c0 Cid 0004.0a9c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 874ec388 SynchronizationEvent THREAD 874ed4e8 Cid 0004.0aa0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 9b724d60 NotificationEvent 9b724d50 NotificationEvent 85aed678 NotificationEvent 9b724d70 NotificationEvent THREAD 874ecc58 Cid 0004.0bfc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 874ec688 SynchronizationEvent THREAD 87306d48 Cid 0004.0c1c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 90e24e94 QueueObject THREAD 861af1e8 Cid 0004.0efc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8731c7dc SynchronizationEvent THREAD 8705dc40 Cid 0004.0f24 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 874ec588 SynchronizationEvent THREAD 87048020 Cid 0004.0f28 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 874ec588 SynchronizationEvent'Pentesting > Windows' 카테고리의 다른 글
MASM32를 이용한 Hello world 메시지 박스 생성 (0) 2020.02.13 vmware를 이용한 windows 7 커널 디버깅 (0) 2020.02.10 Windows PoC code (0) 2019.02.13 windbg 명령어 정리 (0) 2019.02.13 댓글