Pentesting/Windows
Analyzing process and thread information with windbg
scent2d
2020. 2. 10. 18:10
1. Start kernel debugging.
2. The command below displays the information by walking the EPROCESS structure.
3. Analyze the address 870285a8, one of the svchost instances, in detail.
kd> !process 870285a8 7
PROCESS 870285a8 SessionId: 0 Cid: 03c8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: bf248200 ObjectTable: 8f8ed080 HandleCount: 887.
Image: svchost.exe
VadRoot 8704be80 Vads 273 Clone 0 Private 2363. Modified 1562. Locked 2.
DeviceMap 8c8088a8
Token 8f8f4030
ElapsedTime 00:06:56.474
UserTime 00:00:00.234
KernelTime 00:00:00.265
QuotaPoolUsage[PagedPool] 167140
QuotaPoolUsage[NonPagedPool] 21596
Working Set Sizes (now,min,max) (5093, 50, 345) (20372KB, 200KB, 1380KB)
PeakWorkingSetSize 5198
VirtualSize 88 Mb
PeakVirtualSize 92 Mb
PageFaultCount 12489
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 2731
THREAD 87025918 Cid 03c8.03cc Teb: 7ffde000 Win32Thread: fe9bdbe0 WAIT: (UserRequest) UserMode Non-Alertable
87029030 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22097 Ticks: 1180 (0:00:00:18.437)
Context Switch Count 97 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00a42104
Stack Init 90663ed0 Current 90663ac8 Base 90664000 Limit 90661000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
90663ae0 82eb887d 87025918 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
90663b18 82eb76db 870259d8 87025918 87029030 nt!KiSwapThread+0x266
90663b40 82eb0f6f 87025918 870259d8 00000000 nt!KiCommitThreadWait+0x1df
90663bb8 83066532 87029030 00000006 00010001 nt!KeWaitForSingleObject+0x393
90663c20 82e77a06 000000b4 00000000 00000000 nt!NtWaitForSingleObject+0xc6
90663c20 771370d4 000000b4 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90663c34)
0013fd20 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 8702a030 Cid 03c8.03d0 Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
87024280 SynchronizationTimer
87024348 SynchronizationTimer
87050970 SynchronizationEvent
8705c318 SynchronizationEvent
86f17d28 ProcessObject
86f29b10 SynchronizationEvent
85adc998 SynchronizationEvent
870b3a00 SynchronizationEvent
869e79a8 SynchronizationEvent
85a54a00 SynchronizationEvent
85daa930 SynchronizationEvent
870ae5f8 SynchronizationEvent
86a168b8 SynchronizationEvent
86f973e8 SynchronizationEvent
86a250e0 SynchronizationEvent
86a27650 SynchronizationEvent
86a47d48 SynchronizationEvent
86a50668 SynchronizationEvent
86a55c60 SynchronizationEvent
86f42468 SynchronizationEvent
85abf098 SynchronizationEvent
85abe608 SynchronizationEvent
85b2c318 SynchronizationEvent
86a7e6e8 SynchronizationEvent
85b2fe78 SynchronizationEvent
86a79b28 SynchronizationEvent
85abe700 SynchronizationEvent
86a7a748 SynchronizationEvent
86a7a678 SynchronizationEvent
86a80800 SynchronizationEvent
86a87cd0 SynchronizationEvent
86a73210 SynchronizationEvent
86f00d60 SynchronizationEvent
8733d820 SynchronizationEvent
87320368 SynchronizationEvent
872ca9e0 SynchronizationTimer
8735ab40 NotificationEvent
8735a788 NotificationEvent
8734e710 SynchronizationEvent
86a59620 SynchronizationEvent
86a20b50 SynchronizationEvent
8735ad48 SynchronizationEvent
8735a680 SynchronizationEvent
87350030 SynchronizationEvent
87350ff0 SynchronizationEvent
87350fb0 SynchronizationEvent
873501e8 SynchronizationEvent
8735de38 SynchronizationEvent
8735aeb8 SynchronizationEvent
87350908 SynchronizationEvent
8734cf70 SynchronizationEvent
85abf030 SynchronizationEvent
8734cc20 SynchronizationEvent
8731f130 SynchronizationEvent
8734c7d8 SynchronizationEvent
8734b480 SynchronizationEvent
8735d790 SynchronizationEvent
85b2d1a8 SynchronizationEvent
8734cdc8 SynchronizationEvent
8734c8b0 SynchronizationEvent
8733eb28 SynchronizationEvent
8733eb78 SynchronizationEvent
87024168 SynchronizationTimer
872c9878 SynchronizationTimer
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22126 Ticks: 1151 (0:00:00:17.984)
Context Switch Count 258 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x7711fcf7)
Stack Init 9066fed0 Current 9066f648 Base 90670000 Limit 9066d000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9066f660 82eb887d 8702a030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9066f698 82eb76db 872c9878 8702a030 8735a65c nt!KiSwapThread+0x266
9066f6c0 82eb34b4 8702a030 8735a050 00000000 nt!KiCommitThreadWait+0x1df
9066f83c 8306711b 00000040 9066f974 00000001 nt!KeWaitForMultipleObjects+0x535
9066fac8 83066e88 00000040 9066fbf4 00000001 nt!ObpWaitForMultipleObjects+0x262
9066fc18 82e77a06 00000040 001fa838 00000001 nt!NtWaitForMultipleObjects+0xcd
9066fc18 771370d4 00000040 001fa838 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9066fc34)
0041fe94 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87029340 Cid 03c8.03dc Teb: 7ffda000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
87029574 Semaphore Limit 0x1
Impersonation token: 8f8f7030 (Level Delegation)
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22895 Ticks: 382 (0:00:00:05.968)
Context Switch Count 1209 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587)
Stack Init 9067bed0 Current 9067bb08 Base 9067c000 Limit 90679000 Call 00000000
Priority 27 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9067bb20 82eb887d 87029340 00000000 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9067bb58 82eb76db 00000000 87029340 80000000 nt!KiSwapThread+0x266
9067bb80 82eb73b9 87029340 87029400 000000ce nt!KiCommitThreadWait+0x1df
9067bbd8 83067382 0097f701 00000001 9067bbfc nt!KeDelayExecutionThread+0x2aa
9067bc24 82e77a06 00000001 73a81a90 0097fa64 nt!NtDelayExecution+0x8d
9067bc24 771370d4 00000001 73a81a90 0097fa64 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9067bc34)
0097fa64 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 8702b648 Cid 03c8.03e0 Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
8702b9f8 NotificationEvent
8701cc70 Semaphore Limit 0x7fffffff
8702b930 NotificationTimer
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22893 Ticks: 384 (0:00:00:06.000)
Context Switch Count 295 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x73a82e57
Stack Init 9067fed0 Current 9067f648 Base 90680000 Limit 9067d000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9067f660 82eb887d 8702b648 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9067f698 82eb76db 8702b930 8702b648 8702b75c nt!KiSwapThread+0x266
9067f6c0 82eb34b4 8702b648 8702b708 00000000 nt!KiCommitThreadWait+0x1df
9067f83c 8306711b 00000003 9067f974 00000001 nt!KeWaitForMultipleObjects+0x535
9067fac8 83066e88 00000003 9067fb00 00000001 nt!ObpWaitForMultipleObjects+0x262
9067fc18 82e77a06 00000003 00e2fb70 00000001 nt!NtWaitForMultipleObjects+0xcd
9067fc18 771370d4 00000003 00e2fb70 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9067fc34)
00e2fcf0 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 870485b0 Cid 03c8.0454 Teb: 7ffd8000 Win32Thread: ffb72dc8 WAIT: (UserRequest) UserMode Non-Alertable
8704fc78 NotificationEvent
87050be8 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062)
Context Switch Count 55 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587)
Stack Init 906cfed0 Current 906cf648 Base 906d0000 Limit 906cd000 Call 00000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
906cf660 82eb887d 870485b0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
906cf698 82eb76db 87050be8 870485b0 870486ac nt!KiSwapThread+0x266
906cf6c0 82eb34b4 870485b0 87048670 00000000 nt!KiCommitThreadWait+0x1df
906cf83c 8306711b 00000002 906cf974 00000001 nt!KeWaitForMultipleObjects+0x535
906cfac8 83066e88 00000002 906cfafc 00000001 nt!ObpWaitForMultipleObjects+0x262
906cfc18 82e77a06 00000002 00e7f76c 00000001 nt!NtWaitForMultipleObjects+0xcd
906cfc18 771370d4 00000002 00e7f76c 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 906cfc34)
00e7f7b8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87049030 Cid 03c8.0458 Teb: 7ffd7000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
87049264 Semaphore Limit 0x1
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 23056 Ticks: 221 (0:00:00:03.453)
Context Switch Count 215 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587)
Stack Init 906d3ed0 Current 906d3a08 Base 906d4000 Limit 906d1000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
906d3a20 82eb887d 87049030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
906d3a58 82eb76db 870490f0 87049030 87049264 nt!KiSwapThread+0x266
906d3a80 82eb0f6f 87049030 870490f0 00000000 nt!KiCommitThreadWait+0x1df
906d3afc 8307485b 87049264 00000010 00000101 nt!KeWaitForSingleObject+0x393
906d3b2c 8307703b 00000101 00000000 00000000 nt!AlpcpReceiveMessagePort+0x245
906d3b94 83076e5c 8704e5d0 0048f6d8 00000000 nt!AlpcpReceiveLegacyMessage+0x198
906d3c00 830771ee 00000144 0048f6cc 00000000 nt!NtReplyWaitReceivePortEx+0x10e
906d3c1c 82e77a06 00000144 0048f6cc 00000000 nt!NtReplyWaitReceivePort+0x18
906d3c1c 771370d4 00000144 0048f6cc 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 906d3c34)
0048f7dc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87050030 Cid 03c8.0464 Teb: 7ffd6000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Non-Alertable
87050264 Semaphore Limit 0x1
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 19912 Ticks: 3365 (0:00:00:52.578)
Context Switch Count 14 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ole32!CRpcThreadCache::RpcWorkerThreadEntry (0x75a6d844)
Stack Init 906e3ed0 Current 906e3b08 Base 906e4000 Limit 906e1000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
906e3b20 82eb887d 87050030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
906e3b58 82eb76db 00000000 87050030 ffffffff nt!KiSwapThread+0x266
906e3b80 82eb73b9 87050030 870500f0 000000c8 nt!KiCommitThreadWait+0x1df
906e3bd8 83067382 00000001 00000000 906e3bfc nt!KeDelayExecutionThread+0x2aa
906e3c24 82e77a06 00000000 00ddfa80 00ddfaa4 nt!NtDelayExecution+0x8d
906e3c24 771370d4 00000000 00ddfa80 00ddfaa4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 906e3c34)
00ddfaa4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 870a32d8 Cid 03c8.0518 Teb: 7ffd5000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
87092dc0 NotificationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22097 Ticks: 1180 (0:00:00:18.437)
Context Switch Count 184 IdealProcessor: 0
UserTime 00:00:00.015
KernelTime 00:00:00.015
Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587)
Stack Init 9075ded0 Current 9075dac8 Base 9075e000 Limit 9075b000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9075dae0 82eb887d 870a32d8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9075db18 82eb76db 870a3398 870a32d8 87092dc0 nt!KiSwapThread+0x266
9075db40 82eb0f6f 870a32d8 870a3398 00000000 nt!KiCommitThreadWait+0x1df
9075dbb8 83066532 87092dc0 00000006 87024401 nt!KeWaitForSingleObject+0x393
9075dc20 82e77a06 00000214 00000000 00000000 nt!NtWaitForSingleObject+0xc6
9075dc20 771370d4 00000214 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9075dc34)
010af8e8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 870a5d48 Cid 03c8.051c Teb: 7ffd4000 Win32Thread: ffa00648 WAIT: (UserRequest) UserMode Non-Alertable
85adc130 SynchronizationEvent
86ac9098 SynchronizationEvent
865803e0 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 4864 Ticks: 18413 (0:00:04:47.703)
Context Switch Count 768 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587)
Stack Init 90765ed0 Current 90765648 Base 90766000 Limit 90763000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
90765660 82eb887d 870a5d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
90765698 82eb76db 00000000 870a5d48 870a5e5c nt!KiSwapThread+0x266
907656c0 82eb34b4 870a5d48 870a5e08 00000000 nt!KiCommitThreadWait+0x1df
9076583c 8306711b 00000003 90765974 00000001 nt!KeWaitForMultipleObjects+0x535
90765ac8 83066e88 00000003 90765b00 00000001 nt!ObpWaitForMultipleObjects+0x262
90765c18 82e77a06 00000003 0123f440 00000001 nt!NtWaitForMultipleObjects+0xcd
90765c18 771370d4 00000003 0123f440 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90765c34)
0123f48c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 870b03b0 Cid 03c8.0530 Teb: 7ffd3000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
870b0040 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 16217 Ticks: 7060 (0:00:01:50.312)
Context Switch Count 20 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 9076ded0 Current 9076da60 Base 9076e000 Limit 9076b000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9076da78 82eb887d 870b03b0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9076dab0 82eb76db 870b0470 870b03b0 870b0040 nt!KiSwapThread+0x266
9076dad8 82eb83cd 870b03b0 870b0470 00000000 nt!KiCommitThreadWait+0x1df
9076db38 830666ae 870b0040 87349301 00000001 nt!KeRemoveQueueEx+0x4f8
9076db90 82ebe90a 870b0040 9076dbc8 9076dbf0 nt!IoRemoveIoCompletion+0x23
9076dc24 82e77a06 00000324 00a1f740 00a1f7ec nt!NtWaitForWorkViaWorkerFactory+0x1a1
9076dc24 771370d4 00000324 00a1f740 00a1f7ec nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9076dc34)
00a1f7ec 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 870b36b8 Cid 03c8.0538 Teb: 7ff9e000 Win32Thread: ffa944e8 WAIT: (WrQueue) UserMode Alertable
870244c0 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 23057 Ticks: 220 (0:00:00:03.437)
Context Switch Count 847 IdealProcessor: 0
UserTime 00:00:00.046
KernelTime 00:00:00.046
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 90769ed0 Current 90769a60 Base 9076a000 Limit 90767000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
90769a78 82eb887d 870b36b8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
90769ab0 82eb76db 870b3778 870b36b8 870244c0 nt!KiSwapThread+0x266
90769ad8 82eb83cd 870b36b8 870b3778 000000d1 nt!KiCommitThreadWait+0x1df
90769b38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8
90769b90 82ebe90a 870244c0 90769bc8 90769bf0 nt!IoRemoveIoCompletion+0x23
90769c24 82e77a06 00000084 011efc30 011efcdc nt!NtWaitForWorkViaWorkerFactory+0x1a1
90769c24 771370d4 00000084 011efc30 011efcdc nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90769c34)
011efcdc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 869e7c60 Cid 03c8.0568 Teb: 7ff9c000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
86f29b50 SynchronizationEvent
865803a0 NotificationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062)
Context Switch Count 5 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x71b4794d
Stack Init 90791ed0 Current 90791648 Base 90792000 Limit 9078f000 Call 00000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
90791660 82eb887d 869e7c60 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
90791698 82eb76db 865803a0 869e7c60 869e7d5c nt!KiSwapThread+0x266
907916c0 82eb34b4 869e7c60 869e7d20 00000000 nt!KiCommitThreadWait+0x1df
9079183c 8306711b 00000002 90791974 00000001 nt!KeWaitForMultipleObjects+0x535
90791ac8 83066e88 00000002 90791afc 00000001 nt!ObpWaitForMultipleObjects+0x262
90791c18 82e77a06 00000002 00fdf7b4 00000001 nt!NtWaitForMultipleObjects+0xcd
90791c18 771370d4 00000002 00fdf7b4 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 90791c34)
00fdf800 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 869e9840 Cid 03c8.0584 Teb: 7ff9b000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
86edb510 SynchronizationEvent
86edae78 SynchronizationEvent
86edb550 SynchronizationEvent
869ea240 SynchronizationTimer
869ea178 SynchronizationTimer
IRP List:
86f287b8: (0006,01d8) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062)
Context Switch Count 14 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x71a22135
Stack Init 907a1ed0 Current 907a1648 Base 907a2000 Limit 9079f000 Call 00000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
907a1660 82eb887d 869e9840 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
907a1698 82eb76db 869ea178 869e9840 8705caec nt!KiSwapThread+0x266
907a16c0 82eb34b4 869e9840 8705ca68 00000000 nt!KiCommitThreadWait+0x1df
907a183c 8306711b 00000005 907a1974 00000001 nt!KeWaitForMultipleObjects+0x535
907a1ac8 83066e88 00000005 907a1b08 00000001 nt!ObpWaitForMultipleObjects+0x262
907a1c18 82e77a06 00000005 013ff6fc 00000001 nt!NtWaitForMultipleObjects+0xcd
907a1c18 771370d4 00000005 013ff6fc 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 907a1c34)
013ff748 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 86a7dd48 Cid 03c8.0700 Teb: 7ff98000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
85abfd70 NotificationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062)
Context Switch Count 4 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x74e154aa
Stack Init 8e148ed0 Current 8e148ac8 Base 8e149000 Limit 8e146000 Call 00000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
8e148ae0 82eb887d 86a7dd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8e148b18 82eb76db 86a7de08 86a7dd48 85abfd70 nt!KiSwapThread+0x266
8e148b40 82eb0f6f 86a7dd48 86a7de08 00000000 nt!KiCommitThreadWait+0x1df
8e148bb8 83066532 85abfd70 00000006 82ee7b01 nt!KeWaitForSingleObject+0x393
8e148c20 82e77a06 0000051c 00000000 00000000 nt!NtWaitForSingleObject+0xc6
8e148c20 771370d4 0000051c 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 8e148c34)
0133f814 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 85b2dd48 Cid 03c8.0720 Teb: 7ff97000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
85b2ee00 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062)
Context Switch Count 6 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 98ad1ed0 Current 98ad1a60 Base 98ad2000 Limit 98acf000 Call 00000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
98ad1a78 82eb887d 85b2dd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98ad1ab0 82eb76db 85b2de08 85b2dd48 85b2ee00 nt!KiSwapThread+0x266
98ad1ad8 82eb83cd 85b2dd48 85b2de08 00000000 nt!KiCommitThreadWait+0x1df
98ad1b38 830666ae 85b2ee00 82ef8d01 00000001 nt!KeRemoveQueueEx+0x4f8
98ad1b90 82ebe90a 85b2ee00 98ad1bc8 98ad1bf0 nt!IoRemoveIoCompletion+0x23
98ad1c24 82e77a06 00000598 017cf720 017cf7cc nt!NtWaitForWorkViaWorkerFactory+0x1a1
98ad1c24 771370d4 00000598 017cf720 017cf7cc nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98ad1c34)
017cf7cc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87328d48 Cid 03c8.0114 Teb: 7ff99000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
8733a6e0 NotificationEvent
8733e7d8 SynchronizationEvent
8733ef28 SynchronizationEvent
8733e6c4 NotificationEvent
IRP List:
86d66a18: (0006,01d8) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 4682 Ticks: 18595 (0:00:04:50.546)
Context Switch Count 55 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587)
Stack Init 98b7ded0 Current 98b7d648 Base 98b7e000 Limit 98b7b000 Call 00000000
Priority 11 BasePriority 10 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
98b7d660 82eb887d 87328d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98b7d698 82eb76db 8733e6c4 87328d48 85b97654 nt!KiSwapThread+0x266
98b7d6c0 82eb34b4 87328d48 85b975e8 00000000 nt!KiCommitThreadWait+0x1df
98b7d83c 8306711b 00000004 98b7d974 00000001 nt!KeWaitForMultipleObjects+0x535
98b7dac8 83066e88 00000004 98b7db04 00000001 nt!ObpWaitForMultipleObjects+0x262
98b7dc18 82e77a06 00000004 0184f8ec 00000001 nt!NtWaitForMultipleObjects+0xcd
98b7dc18 771370d4 00000004 0184f8ec 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98b7dc34)
0184f938 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87320d48 Cid 03c8.0244 Teb: 7ff94000 Win32Thread: fe976008 WAIT: (UserRequest) UserMode Non-Alertable
8731fca0 SynchronizationEvent
86a06678 SynchronizationEvent
874e91d0 SynchronizationEvent
8737cb90 SynchronizationEvent
87545790 SynchronizationEvent
875659c8 SynchronizationEvent
874e8250 SynchronizationEvent
874e34c8 SynchronizationEvent
8731fc60 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 19491 Ticks: 3786 (0:00:00:59.156)
Context Switch Count 251 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address sechost!ScSvcctrlThreadW (0x759a7587)
Stack Init 98bb1ed0 Current 98bb1648 Base 98bb2000 Limit 98baf000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
98bb1660 82eb887d 87320d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98bb1698 82eb76db 00000000 87320d48 861af934 nt!KiSwapThread+0x266
98bb16c0 82eb34b4 87320d48 861af850 000000b3 nt!KiCommitThreadWait+0x1df
98bb183c 8306711b 00000009 98bb1974 00000001 nt!KeWaitForMultipleObjects+0x535
98bb1ac8 83066e88 00000009 98bb1b18 00000001 nt!ObpWaitForMultipleObjects+0x262
98bb1c18 82e77a06 00000009 01d04428 00000001 nt!NtWaitForMultipleObjects+0xcd
98bb1c18 771370d4 00000009 01d04428 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bb1c34)
01edfaec 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 8734d888 Cid 03c8.0240 Teb: 7ff92000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
87347518 SynchronizationEvent
86f1baa0 SynchronizationEvent
IRP List:
875126c8: (0006,0244) Flags: 00060070 Mdl: 00000000
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 5513 Ticks: 17764 (0:00:04:37.562)
Context Switch Count 8 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address advapi32!WmipEventPump (0x75d2a452)
Stack Init 98bc9ed0 Current 98bc9648 Base 98bca000 Limit 98bc7000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
98bc9660 82eb887d 8734d888 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98bc9698 82eb76db 00000000 8734d888 8734d984 nt!KiSwapThread+0x266
98bc96c0 82eb34b4 8734d888 8734d948 00000089 nt!KiCommitThreadWait+0x1df
98bc983c 8306711b 00000002 98bc9974 00000001 nt!KeWaitForMultipleObjects+0x535
98bc9ac8 83066e88 00000002 98bc9afc 00000001 nt!ObpWaitForMultipleObjects+0x262
98bc9c18 82e77a06 00000002 01e9fe44 00000001 nt!NtWaitForMultipleObjects+0xcd
98bc9c18 771370d4 00000002 01e9fe44 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bc9c34)
01e9fe94 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87350b48 Cid 03c8.02c8 Teb: 7ff90000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
87350eb0 NotificationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062)
Context Switch Count 4 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x74e154aa
Stack Init 98bcded0 Current 98bcdac8 Base 98bce000 Limit 98bcb000 Call 00000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
98bcdae0 82eb887d 87350b48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98bcdb18 82eb76db 87350c08 87350b48 87350eb0 nt!KiSwapThread+0x266
98bcdb40 82eb0f6f 87350b48 87350c08 00000000 nt!KiCommitThreadWait+0x1df
98bcdbb8 83066532 87350eb0 00000006 82ee7b01 nt!KeWaitForSingleObject+0x393
98bcdc20 82e77a06 00000848 00000000 00000000 nt!NtWaitForSingleObject+0xc6
98bcdc20 771370d4 00000848 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bcdc34)
0150fbac 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87349310 Cid 03c8.03f0 Teb: 7ff8c000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
873495f8 SynchronizationTimer
87349700 SynchronizationEvent
87362558 SynchronizationEvent
87369030 SynchronizationTimer
8736d868 SynchronizationEvent
872d4c98 SynchronizationEvent
8737b738 SynchronizationEvent
86f9d638 ProcessObject
86f9d638 ProcessObject
86f9d638 ProcessObject
86f9d638 ProcessObject
85b17670 NotificationEvent
86a792d8 NotificationEvent
8735b5d8 ProcessObject
873684b0 SynchronizationEvent
87435648 SynchronizationEvent
874cdf08 SynchronizationEvent
8649a138 SynchronizationEvent
8753e3e8 SynchronizationEvent
8737ac18 SynchronizationEvent
873679c8 SynchronizationEvent
87529d90 SynchronizationEvent
87325ff0 SynchronizationEvent
874e30f0 SynchronizationEvent
8736b218 SynchronizationEvent
86574498 SynchronizationEvent
86acf8e8 SynchronizationEvent
875476f8 SynchronizationEvent
8757f030 ProcessObject
87368578 SynchronizationEvent
87369f68 SynchronizationTimer
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 16217 Ticks: 7060 (0:00:01:50.312)
Context Switch Count 113 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x7711fcf7)
Stack Init 98beeed0 Current 98bee648 Base 98bef000 Limit 98bec000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
98bee660 82eb887d 87349310 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98bee698 82eb76db 87369f68 87349310 86a342fc nt!KiSwapThread+0x266
98bee6c0 82eb34b4 87349310 86a34008 00000000 nt!KiCommitThreadWait+0x1df
98bee83c 8306711b 0000001f 98bee974 00000001 nt!KeWaitForMultipleObjects+0x535
98beeac8 83066e88 0000001f 98beeb70 00000001 nt!ObpWaitForMultipleObjects+0x262
98beec18 82e77a06 0000001f 002be408 00000001 nt!NtWaitForMultipleObjects+0xcd
98beec18 771370d4 0000001f 002be408 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98beec34)
0128fe3c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87362230 Cid 03c8.04b0 Teb: 7ff8a000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
873ca698 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2473 Ticks: 20804 (0:00:05:25.062)
Context Switch Count 14 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 9ba03ed0 Current 9ba03ac8 Base 9ba04000 Limit 9ba01000 Call 00000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr Args to Child
9ba03ae0 82eb887d 87362230 00000000 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9ba03b18 82eb76db 873622f0 87362230 873ca698 nt!KiSwapThread+0x266
9ba03b40 82eb0f6f 87362230 873622f0 00000000 nt!KiCommitThreadWait+0x1df
9ba03bb8 83066532 873ca698 00000006 00000001 nt!KeWaitForSingleObject+0x393
9ba03c20 82e77a06 00000bbc 00000001 00000000 nt!NtWaitForSingleObject+0xc6
9ba03c20 771370d4 00000bbc 00000001 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9ba03c34)
022bfaa8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87366030 Cid 03c8.04a8 Teb: 7ff8d000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
87342340 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22126 Ticks: 1151 (0:00:00:17.984)
Context Switch Count 27 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 98bd5ed0 Current 98bd5a60 Base 98bd6000 Limit 98bd3000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
98bd5a78 82eb887d 87366030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98bd5ab0 82eb76db 873660f0 87366030 87342340 nt!KiSwapThread+0x266
98bd5ad8 82eb83cd 87366030 873660f0 0000002e nt!KiCommitThreadWait+0x1df
98bd5b38 830666ae 87342340 ffffff01 00000001 nt!KeRemoveQueueEx+0x4f8
98bd5b90 82ebe90a 87342340 98bd5bc8 98bd5bf0 nt!IoRemoveIoCompletion+0x23
98bd5c24 82e77a06 000006a0 0236f9e4 0236fa90 nt!NtWaitForWorkViaWorkerFactory+0x1a1
98bd5c24 771370d4 000006a0 0236f9e4 0236fa90 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 98bd5c34)
0236fa90 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 873bdd48 Cid 03c8.0144 Teb: 7ff81000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
873bdf7c Semaphore Limit 0x1
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 21524 Ticks: 1753 (0:00:00:27.390)
Context Switch Count 9 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x734d1917
Stack Init 9ba8fed0 Current 9ba8fa10 Base 9ba90000 Limit 9ba8d000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9ba8fa28 82eb887d 873bdd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9ba8fa60 82eb76db 873bde08 873bdd48 873bdf7c nt!KiSwapThread+0x266
9ba8fa88 82eb0f6f 873bdd48 873bde08 00000014 nt!KiCommitThreadWait+0x1df
9ba8fb04 8307485b 873bdf7c 00000010 00000001 nt!KeWaitForSingleObject+0x393
9ba8fb34 83074e9e 00000001 8f8ed000 9ba8fb60 nt!AlpcpReceiveMessagePort+0x245
9ba8fbb4 83090d3c 87303608 02ba0048 02b9fe58 nt!AlpcpReceiveMessage+0x1b8
9ba8fc0c 82e77a06 00000b7c 00000000 00000000 nt!NtAlpcSendWaitReceivePort+0x12d
9ba8fc0c 771370d4 00000b7c 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9ba8fc34)
02b9fe70 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87018900 Cid 03c8.0138 Teb: 7ff80000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
87064f00 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 21525 Ticks: 1752 (0:00:00:27.375)
Context Switch Count 30 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 9ba9bed0 Current 9ba9ba60 Base 9ba9c000 Limit 9ba99000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9ba9ba78 82eb887d 87018900 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9ba9bab0 82eb76db 870189c0 87018900 87064f00 nt!KiSwapThread+0x266
9ba9bad8 82eb83cd 87018900 870189c0 00000000 nt!KiCommitThreadWait+0x1df
9ba9bb38 830666ae 87064f00 00000801 00000001 nt!KeRemoveQueueEx+0x4f8
9ba9bb90 82ebe90a 87064f00 9ba9bbc8 9ba9bbf0 nt!IoRemoveIoCompletion+0x23
9ba9bc24 82e77a06 00000ba0 0282fd5c 0282fe08 nt!NtWaitForWorkViaWorkerFactory+0x1a1
9ba9bc24 771370d4 00000ba0 0282fd5c 0282fe08 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9ba9bc34)
0282fe08 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87348540 Cid 03c8.075c Teb: 7ff84000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
861b0c80 NotificationEvent
86f3ea18 NotificationEvent
IRP List:
8651a3d0: (0006,0094) Flags: 00060800 Mdl: 00000000
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 7685 Ticks: 15592 (0:00:04:03.625)
Context Switch Count 9 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x70542f39
Stack Init a5d65ed0 Current a5d65648 Base a5d66000 Limit a5d63000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d65660 82eb887d 87348540 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d65698 82eb76db 86f3ea18 87348540 8734863c nt!KiSwapThread+0x266
a5d656c0 82eb34b4 87348540 87348600 00000000 nt!KiCommitThreadWait+0x1df
a5d6583c 8306711b 00000002 a5d65974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d65ac8 83066e88 00000002 a5d65afc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d65c18 82e77a06 00000002 028bf678 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d65c18 771370d4 00000002 028bf678 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d65c34)
028bf6c4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 8744ad48 Cid 03c8.0920 Teb: 7ff82000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
87446030 NotificationEvent
873df360 NotificationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 7685 Ticks: 15592 (0:00:04:03.625)
Context Switch Count 5 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6e8d1df9
Stack Init a5d71ed0 Current a5d71648 Base a5d72000 Limit a5d6f000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d71660 82eb887d 8744ad48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d71698 82eb76db 873df360 8744ad48 8744ae44 nt!KiSwapThread+0x266
a5d716c0 82eb34b4 8744ad48 8744ae08 00000000 nt!KiCommitThreadWait+0x1df
a5d7183c 8306711b 00000002 a5d71974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d71ac8 83066e88 00000002 a5d71afc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d71c18 82e77a06 00000002 0294faf8 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d71c18 771370d4 00000002 0294faf8 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d71c34)
0294fb44 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 87569d48 Cid 03c8.093c Teb: 7ff7f000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
86fdbfa8 NotificationEvent
87372cc8 NotificationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 7685 Ticks: 15592 (0:00:04:03.625)
Context Switch Count 1 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6e8d1df9
Stack Init a5d75ed0 Current a5d75648 Base a5d76000 Limit a5d73000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d75660 82eb887d 87569d48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d75698 82eb76db 87372cc8 87569d48 87569e44 nt!KiSwapThread+0x266
a5d756c0 82eb34b4 87569d48 87569e08 00000000 nt!KiCommitThreadWait+0x1df
a5d7583c 8306711b 00000002 a5d75974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d75ac8 83066e88 00000002 a5d75afc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d75c18 82e77a06 00000002 0177f948 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d75c18 771370d4 00000002 0177f948 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d75c34)
0177f994 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 85d03b30 Cid 03c8.05e8 Teb: 7ffdc000 Win32Thread: ffa00dc8 WAIT: (WrQueue) UserMode Alertable
870244c0 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 21388 Ticks: 1889 (0:00:00:29.515)
Context Switch Count 493 IdealProcessor: 0
UserTime 00:00:00.031
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 8fdd0ed0 Current 8fdd0a60 Base 8fdd1000 Limit 8fdce000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
8fdd0a78 82eb887d 85d03b30 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8fdd0ab0 82eb76db 85d03bf0 85d03b30 870244c0 nt!KiSwapThread+0x266
8fdd0ad8 82eb83cd 85d03b30 85d03bf0 0000004c nt!KiCommitThreadWait+0x1df
8fdd0b38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8
8fdd0b90 82ebe90a 870244c0 8fdd0bc8 8fdd0bf0 nt!IoRemoveIoCompletion+0x23
8fdd0c24 82e77a06 00000084 01dbf9f4 01dbfaa0 nt!NtWaitForWorkViaWorkerFactory+0x1a1
8fdd0c24 771370d4 00000084 01dbf9f4 01dbfaa0 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 8fdd0c34)
01dbfaa0 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 873cd520 Cid 03c8.089c Teb: 7ff95000 Win32Thread: ffa98260 WAIT: (WrQueue) UserMode Alertable
870244c0 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 23057 Ticks: 220 (0:00:00:03.437)
Context Switch Count 254 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init 9badbed0 Current 9badba60 Base 9badc000 Limit 9bad9000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
9badba78 82eb887d 873cd520 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9badbab0 82eb76db 873cd5e0 873cd520 870244c0 nt!KiSwapThread+0x266
9badbad8 82eb83cd 873cd520 873cd5e0 000000d1 nt!KiCommitThreadWait+0x1df
9badbb38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8
9badbb90 82ebe90a 870244c0 9badbbc8 9badbbf0 nt!IoRemoveIoCompletion+0x23
9badbc24 82e77a06 00000084 009df950 009df9fc nt!NtWaitForWorkViaWorkerFactory+0x1a1
9badbc24 771370d4 00000084 009df950 009df9fc nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9badbc34)
009df9fc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 8705b7e8 Cid 03c8.0cf8 Teb: 7ff9f000 Win32Thread: fe9b9770 WAIT: (WrQueue) UserMode Alertable
870244c0 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484)
Context Switch Count 149 IdealProcessor: 0
UserTime 00:00:00.015
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init a57d5ed0 Current a57d5a60 Base a57d6000 Limit a57d3000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a57d5a78 82eb887d 8705b7e8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a57d5ab0 82eb76db 8705b8a8 8705b7e8 870244c0 nt!KiSwapThread+0x266
a57d5ad8 82eb83cd 8705b7e8 8705b8a8 0000004e nt!KiCommitThreadWait+0x1df
a57d5b38 830666ae 870244c0 87024401 00000001 nt!KeRemoveQueueEx+0x4f8
a57d5b90 82ebe90a 870244c0 a57d5bc8 a57d5bf0 nt!IoRemoveIoCompletion+0x23
a57d5c24 82e77a06 00000084 01fefea0 01feff4c nt!NtWaitForWorkViaWorkerFactory+0x1a1
a57d5c24 771370d4 00000084 01fefea0 01feff4c nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a57d5c34)
01feff4c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 875b6be0 Cid 03c8.0734 Teb: 7ff93000 Win32Thread: fe994dc8 WAIT: (WrQueue) UserMode Alertable
870244c0 QueueObject
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 23056 Ticks: 221 (0:00:00:03.453)
Context Switch Count 173 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
Stack Init a57e9ed0 Current a57e9a60 Base a57ea000 Limit a57e7000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a57e9a78 82eb887d 875b6be0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a57e9ab0 82eb76db 875b6ca0 875b6be0 870244c0 nt!KiSwapThread+0x266
a57e9ad8 82eb83cd 875b6be0 875b6ca0 000000d0 nt!KiCommitThreadWait+0x1df
a57e9b38 830666ae 870244c0 00000001 00000001 nt!KeRemoveQueueEx+0x4f8
a57e9b90 82ebe90a 870244c0 a57e9bc8 a57e9bf0 nt!IoRemoveIoCompletion+0x23
a57e9c24 82e77a06 00000084 0222fc48 0222fcf4 nt!NtWaitForWorkViaWorkerFactory+0x1a1
a57e9c24 771370d4 00000084 0222fc48 0222fcf4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a57e9c34)
0222fcf4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 85da2308 Cid 03c8.0748 Teb: 7ffdb000 Win32Thread: fe994a70 WAIT: (UserRequest) UserMode Non-Alertable
85b99bc8 SynchronizationEvent
85da25f0 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468)
Context Switch Count 16 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6ef9239b
Stack Init a5d47ed0 Current a5d47648 Base a5d48000 Limit a5d45000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d47660 82eb887d 85da2308 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d47698 82eb76db 00000000 85da2308 85da2404 nt!KiSwapThread+0x266
a5d476c0 82eb34b4 85da2308 85da23c8 0000008f nt!KiCommitThreadWait+0x1df
a5d4783c 8306711b 00000002 a5d47974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d47ac8 83066e88 00000002 a5d47afc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d47c18 82e77a06 00000002 01e5f750 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d47c18 771370d4 00000002 01e5f750 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d47c34)
01e5f79c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 85b20658 Cid 03c8.035c Teb: 7ff9d000 Win32Thread: fe9a9b88 WAIT: (UserRequest) UserMode Non-Alertable
87492538 SynchronizationEvent
873cc7e8 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484)
Context Switch Count 16 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6ef9239b
Stack Init a5d3bed0 Current a5d3b648 Base a5d3c000 Limit a5d39000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d3b660 82eb887d 85b20658 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d3b698 82eb76db 00000000 85b20658 85b20754 nt!KiSwapThread+0x266
a5d3b6c0 82eb34b4 85b20658 85b20718 0000008e nt!KiCommitThreadWait+0x1df
a5d3b83c 8306711b 00000002 a5d3b974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d3bac8 83066e88 00000002 a5d3bafc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d3bc18 82e77a06 00000002 0207f878 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d3bc18 771370d4 00000002 0207f878 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d3bc34)
0207f8c4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 8707d030 Cid 03c8.0f74 Teb: 7ff9a000 Win32Thread: fe994830 WAIT: (UserRequest) UserMode Non-Alertable
875bde60 SynchronizationEvent
85b99750 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484)
Context Switch Count 16 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x6ef9239b
Stack Init a5d1bed0 Current a5d1b648 Base a5d1c000 Limit a5d19000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d1b660 82eb887d 8707d030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d1b698 82eb76db 00000000 8707d030 8707d12c nt!KiSwapThread+0x266
a5d1b6c0 82eb34b4 8707d030 8707d0f0 0000008e nt!KiCommitThreadWait+0x1df
a5d1b83c 8306711b 00000002 a5d1b974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d1bac8 83066e88 00000002 a5d1bafc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d1bc18 82e77a06 00000002 01f1fd00 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d1bc18 771370d4 00000002 01f1fd00 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d1bc34)
01f1fd4c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 86acdd48 Cid 03c8.0614 Teb: 7ff96000 Win32Thread: fe9a9dc8 WAIT: (UserRequest) UserMode Non-Alertable
85dd7a10 SynchronizationEvent
85de2638 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22670 Ticks: 607 (0:00:00:09.484)
Context Switch Count 2 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6ef9239b
Stack Init a5d53ed0 Current a5d53648 Base a5d54000 Limit a5d51000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d53660 82eb887d 86acdd48 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d53698 82eb76db 00000000 86acdd48 86acde44 nt!KiSwapThread+0x266
a5d536c0 82eb34b4 86acdd48 86acde08 0000008e nt!KiCommitThreadWait+0x1df
a5d5383c 8306711b 00000002 a5d53974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d53ac8 83066e88 00000002 a5d53afc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d53c18 82e77a06 00000002 021efbd0 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d53c18 771370d4 00000002 021efbd0 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d53c34)
021efc1c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 873027f0 Cid 03c8.07ac Teb: 7ff91000 Win32Thread: fe99adc8 WAIT: (UserRequest) UserMode Non-Alertable
85ddb1e8 SynchronizationEvent
85b99850 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468)
Context Switch Count 1 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6ef9239b
Stack Init a5c60ed0 Current a5c60648 Base a5c61000 Limit a5c5e000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5c60660 82eb887d 873027f0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5c60698 82eb76db 00000000 873027f0 873028ec nt!KiSwapThread+0x266
a5c606c0 82eb34b4 873027f0 873028b0 0000008f nt!KiCommitThreadWait+0x1df
a5c6083c 8306711b 00000002 a5c60974 00000001 nt!KeWaitForMultipleObjects+0x535
a5c60ac8 83066e88 00000002 a5c60afc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5c60c18 82e77a06 00000002 0137fbe0 00000001 nt!NtWaitForMultipleObjects+0xcd
a5c60c18 771370d4 00000002 0137fbe0 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5c60c34)
0137fc2c 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 8754f0c8 Cid 03c8.09d8 Teb: 7ff8f000 Win32Thread: fe99ab88 WAIT: (UserRequest) UserMode Non-Alertable
85ddb498 SynchronizationEvent
85b99c08 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468)
Context Switch Count 1 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6ef9239b
Stack Init a5d2bed0 Current a5d2b648 Base a5d2c000 Limit a5d29000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5d2b660 82eb887d 8754f0c8 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5d2b698 82eb76db 00000000 8754f0c8 8754f1c4 nt!KiSwapThread+0x266
a5d2b6c0 82eb34b4 8754f0c8 8754f188 0000008f nt!KiCommitThreadWait+0x1df
a5d2b83c 8306711b 00000002 a5d2b974 00000001 nt!KeWaitForMultipleObjects+0x535
a5d2bac8 83066e88 00000002 a5d2bafc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5d2bc18 82e77a06 00000002 029ef860 00000001 nt!NtWaitForMultipleObjects+0xcd
a5d2bc18 771370d4 00000002 029ef860 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5d2bc34)
029ef8ac 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 85da29f0 Cid 03c8.0e54 Teb: 7ff8e000 Win32Thread: fe98ddc8 WAIT: (UserRequest) UserMode Non-Alertable
866cc8a0 SynchronizationEvent
85b99cc8 SynchronizationEvent
Not impersonating
DeviceMap 8c8088a8
Owning Process 870285a8 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22671 Ticks: 606 (0:00:00:09.468)
Context Switch Count 1 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x6ef9239b
Stack Init a5c6fed0 Current a5c6f648 Base a5c70000 Limit a5c6d000 Call 00000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
a5c6f660 82eb887d 85da29f0 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a5c6f698 82eb76db 00000000 85da29f0 85da2aec nt!KiSwapThread+0x266
a5c6f6c0 82eb34b4 85da29f0 85da2ab0 0000008f nt!KiCommitThreadWait+0x1df
a5c6f83c 8306711b 00000002 a5c6f974 00000001 nt!KeWaitForMultipleObjects+0x535
a5c6fac8 83066e88 00000002 a5c6fafc 00000001 nt!ObpWaitForMultipleObjects+0x262
a5c6fc18 82e77a06 00000002 00abfc48 00000001 nt!NtWaitForMultipleObjects+0xcd
a5c6fc18 771370d4 00000002 00abfc48 00000001 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ a5c6fc34)
00abfc94 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
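Reading a `!process <addr> 7` listing of this size by hand is slow. The script below is an added example, not part of the original post: it parses the 32-bit listing format shown above (the PROCESS header, each THREAD line, the dispatcher objects the thread waits on, any pending IRPs, the Win32 start address and the stack frames) into records, and adds two triage helpers: the `nt!Nt*` system service each thread is blocked in, and the threads whose start address was printed as a bare `0x...` value with no symbol. The sample input is an abridged excerpt of the listing above; the class and function names (`Process`, `Thread`, `parse_process`, `blocking_syscall`, `unresolved_start_threads`) are my own.

```python
# Added example (not the author's code): parser for the 32-bit `!process <addr> 7` listing.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged excerpt of the `!process 870285a8 7` listing above (three svchost.exe threads,
# most per-thread fields and stack frames dropped). The values are copied from the page.
SAMPLE = """\
PROCESS 870285a8 SessionId: 0 Cid: 03c8 Peb: 7ffdf000 ParentCid: 01f4
Image: svchost.exe
THREAD 87366030 Cid 03c8.04a8 Teb: 7ff8d000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
87342340 QueueObject
Win32 Start Address ntdll!TppWorkerThread (0x771203cf)
98bd5a78 82eb887d 87366030 82f6a008 82f66e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
98bd5c24 82e77a06 000006a0 0236f9e4 0236fa90 nt!NtWaitForWorkViaWorkerFactory+0x1a1
THREAD 873bdd48 Cid 03c8.0144 Teb: 7ff81000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
873bdf7c Semaphore Limit 0x1
Win32 Start Address 0x734d1917
9ba8fbb4 83090d3c 87303608 02ba0048 02b9fe58 nt!AlpcpReceiveMessage+0x1b8
9ba8fc0c 82e77a06 00000b7c 00000000 00000000 nt!NtAlpcSendWaitReceivePort+0x12d
THREAD 87348540 Cid 03c8.075c Teb: 7ff84000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
861b0c80 NotificationEvent
86f3ea18 NotificationEvent
IRP List:
8651a3d0: (0006,0094) Flags: 00060800 Mdl: 00000000
Win32 Start Address 0x70542f39
a5d65c18 82e77a06 00000002 028bf678 00000001 nt!NtWaitForMultipleObjects+0xcd
"""

@dataclass
class Thread:
    addr: str                                        # ETHREAD address
    tid: str
    wait_reason: Optional[str]                       # e.g. "WrQueue"; None unless in WAIT
    wait_objects: List[str] = field(default_factory=list)  # dispatcher object types
    start_address: str = ""                          # "mod!sym (0x..)" or bare "0x.."
    irps: List[str] = field(default_factory=list)    # pending IRPs listed under the thread
    frames: List[str] = field(default_factory=list)  # stack symbols, innermost first

@dataclass
class Process:
    addr: str                                        # EPROCESS address
    pid: str
    parent_pid: str
    image: str = ""
    threads: List[Thread] = field(default_factory=list)

PROCESS_RE = re.compile(r"^PROCESS ([0-9a-f]{8}) .*?Cid: ([0-9a-f]{4}) .*?ParentCid: ([0-9a-f]{4})")
THREAD_RE = re.compile(r"^THREAD ([0-9a-f]{8}) Cid [0-9a-f]{4}\.([0-9a-f]{4}) .*?Win32Thread: [0-9a-f]{8} (.*)$")
WAIT_RE = re.compile(r"^WAIT: \((\w+)\)")
IMAGE_RE = re.compile(r"^Image: (\S+)")
WAIT_OBJ_RE = re.compile(r"^[0-9a-f]{8} (\w+)(?: Limit 0x[0-9a-f]+)?$")
IRP_RE = re.compile(r"^([0-9a-f]{8}): \(")
START_RE = re.compile(r"^Win32 Start Address (.+)$")
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)")

def parse_process(text: str) -> Process:
    """Build a Process with its Threads from one `!process <addr> 7` listing."""
    proc: Optional[Process] = None
    cur: Optional[Thread] = None
    for line in (raw.strip() for raw in text.splitlines()):  # windbg indents thread blocks
        if m := PROCESS_RE.match(line):
            proc = Process(addr=m[1], pid=m[2], parent_pid=m[3])
        elif proc is None:
            continue                                 # prompt / preamble before the header
        elif m := THREAD_RE.match(line):
            w = WAIT_RE.match(m[3])
            cur = Thread(m[1], m[2], w[1] if w else None)
            proc.threads.append(cur)
        elif cur is None:                            # still in the process-level block
            if m := IMAGE_RE.match(line):
                proc.image = m[1]
        elif m := WAIT_OBJ_RE.match(line):
            cur.wait_objects.append(m[1])
        elif m := IRP_RE.match(line):
            cur.irps.append(m[1])
        elif m := START_RE.match(line):
            cur.start_address = m[1]
        elif m := FRAME_RE.match(line):
            cur.frames.append(m[1])
    assert proc is not None, "no PROCESS header found"
    return proc

def unresolved_start_threads(proc: Process) -> List[str]:
    """Thread ids whose start address printed as a bare 0x... value (no symbol)."""
    # Usually this only means symbols for that module were not loaded; check with `lm`.
    return [t.tid for t in proc.threads if t.start_address.startswith("0x")]

def blocking_syscall(t: Thread) -> Optional[str]:
    """The nt!Nt* system service the thread entered the kernel through, if any."""
    for sym in t.frames:
        if sym.startswith("nt!Nt"):
            return sym.split("+")[0]
    return None

if __name__ == "__main__":
    p = parse_process(SAMPLE)
    for t in p.threads:
        print(f"{p.image} tid={t.tid} {t.wait_reason} on {t.wait_objects} via {blocking_syscall(t)} start={t.start_address}")
    print("unresolved start addresses:", unresolved_start_threads(p))
```

On a saved debugger log, `parse_process(open("dump.txt").read())` gives the same records for the full listing. A start address with no symbol normally just means the symbols for that module were not loaded; resolve it against the loaded module list (`lm`) before reading anything into it.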
4. Because the command's option value was 7, thread information is printed as well, so the output is large. With the -1 option you can check just the currently running process.
kd> !process -1
PROCESS 85a567c8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 8c801b28 HandleCount: 539.
Image: System
VadRoot 865119f0 Vads 9 Clone 0 Private 4. Modified 9379. Locked 64.
DeviceMap 8c8088a8
Token 8c801248
ElapsedTime 00:07:00.802
UserTime 00:00:00.000
KernelTime 00:00:00.953
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (157, 0, 0) (628KB, 0KB, 0KB)
PeakWorkingSetSize 1499
VirtualSize 2 Mb
PeakVirtualSize 7 Mb
PageFaultCount 13349
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 12
THREAD 85a564f0 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
82f863f0 Gate
THREAD 85b0dd48 Cid 0004.000c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
82f7e5d0 SynchronizationEvent
THREAD 85b0da70 Cid 0004.0010 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
82f7eac0 Semaphore Limit 0x7fffffff
THREAD 85af1d48 Cid 0004.0014 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
82f7eac0 Semaphore Limit 0x7fffffff
THREAD 85af17f0 Cid 0004.0018 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f77480 QueueObject
THREAD 85aedd48 Cid 0004.001c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f77480 QueueObject
THREAD 85aeda70 Cid 0004.0020 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f77480 QueueObject
THREAD 85ae1d48 Cid 0004.0024 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f77480 QueueObject
THREAD 85ae1a70 Cid 0004.0028 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f77480 QueueObject
THREAD 85acdd48 Cid 0004.002c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f774bc QueueObject
THREAD 85acda70 Cid 0004.0030 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f774bc QueueObject
THREAD 85afd858 Cid 0004.0034 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f774bc QueueObject
THREAD 85afd580 Cid 0004.0038 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f774bc QueueObject
THREAD 85ae5960 Cid 0004.003c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f774bc QueueObject
THREAD 85ae5688 Cid 0004.0040 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f774bc QueueObject
THREAD 85ae53b0 Cid 0004.0044 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f774bc QueueObject
THREAD 85ac9d48 Cid 0004.0048 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
82f774f8 QueueObject
THREAD 85ac9a70 Cid 0004.004c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8e103c28 NotificationTimer
82f77460 SynchronizationEvent
82f77450 SynchronizationEvent
THREAD 85b09020 Cid 0004.0050 Teb: 00000000 Win32Thread: 00000000 WAIT: (Suspended) KernelMode Non-Alertable
82f68740 Gate
THREAD 85b09730 Cid 0004.0054 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrVirtualMemory) UserMode Non-Alertable
82f861e0 Semaphore Limit 0x7fffffff
82f86260 NotificationEvent
82f862f0 NotificationEvent
82f85c60 NotificationEvent
82f85c80 SynchronizationEvent
THREAD 85b09390 Cid 0004.0058 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
82f85390 Gate
THREAD 85b13d48 Cid 0004.005c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8e113bf0 SynchronizationEvent
82f85d90 SynchronizationEvent
THREAD 85b13a70 Cid 0004.0060 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
82fa1090 SynchronizationEvent
THREAD 85b0fc80 Cid 0004.0068 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
82fa5100 SynchronizationEvent
82fa50f0 SynchronizationEvent
82fa50e0 SynchronizationEvent
82fa50d0 SynchronizationEvent
THREAD 85b0c788 Cid 0004.006c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
82fa41a0 QueueObject
THREAD 85b0c4b0 Cid 0004.0070 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
82fa41c8 QueueObject
THREAD 85b0b660 Cid 0004.0074 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
85b0b894 Semaphore Limit 0x1
THREAD 85abebf8 Cid 0004.007c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
82f85ee0 SynchronizationEvent
82f85ef0 SynchronizationEvent
82f85f00 SynchronizationEvent
82f85f10 SynchronizationEvent
82f85f20 SynchronizationEvent
82f85f30 SynchronizationEvent
82f85f40 SynchronizationEvent
82f85f50 SynchronizationEvent
82f85f60 SynchronizationEvent
82f85f70 SynchronizationEvent
82f85f80 SynchronizationEvent
82f85f90 SynchronizationEvent
82f85fa0 SynchronizationEvent
82f85fb0 SynchronizationEvent
82f85fc0 SynchronizationEvent
82f85fd0 SynchronizationEvent
82f85fe0 SynchronizationEvent
THREAD 85ac0308 Cid 0004.0080 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85ac075c SynchronizationEvent
85ac0770 SynchronizationTimer
THREAD 85b10d48 Cid 0004.0084 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85b1019c SynchronizationEvent
85b101b0 SynchronizationTimer
THREAD 85b67020 Cid 0004.0088 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85b465dc SynchronizationEvent
85b465f0 SynchronizationTimer
THREAD 85b67d48 Cid 0004.008c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85b4631c SynchronizationEvent
85b46330 SynchronizationTimer
THREAD 85b92d48 Cid 0004.0090 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85b8fedc SynchronizationEvent
85b8fef0 SynchronizationTimer
THREAD 85b9c020 Cid 0004.0094 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85b93a5c SynchronizationEvent
THREAD 85ba05c8 Cid 0004.0098 Teb: 00000000 Win32Thread: 00000000 WAIT: (DelayExecution) KernelMode Non-Alertable
00000000 NotificationEvent
THREAD 85a556f0 Cid 0004.009c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8b8566d0 NotificationEvent
8b8566c0 NotificationEvent
THREAD 868b03d0 Cid 0004.00a4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85ac294c SynchronizationEvent
85ac293c SynchronizationEvent
THREAD 8695e750 Cid 0004.00a8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85f9c030 SynchronizationEvent
85f9c040 SynchronizationEvent
THREAD 85cfc750 Cid 0004.00ac Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Alertable
8b95e864 NotificationEvent
8b95e884 Semaphore Limit 0x7fffffff
THREAD 85d0b750 Cid 0004.00b0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Alertable
86515014 NotificationEvent
86515028 SynchronizationTimer
THREAD 864be268 Cid 0004.00b4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8bcf66a0 SynchronizationTimer
THREAD 864e4d48 Cid 0004.00b8 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
8bcf66e0 QueueObject
THREAD 864e4a70 Cid 0004.00bc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8bcf59d0 NotificationEvent
THREAD 86519540 Cid 0004.00c0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b644 Semaphore Limit 0x7fffffff
THREAD 86517020 Cid 0004.00c4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b658 Semaphore Limit 0x7fffffff
THREAD 86517d48 Cid 0004.00c8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b66c Semaphore Limit 0x7fffffff
THREAD 86517a70 Cid 0004.00cc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b680 Semaphore Limit 0x7fffffff
THREAD 86517798 Cid 0004.00d0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b694 Semaphore Limit 0x7fffffff
THREAD 86517420 Cid 0004.00d4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b6a8 Semaphore Limit 0x7fffffff
THREAD 86514020 Cid 0004.00d8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b6bc Semaphore Limit 0x7fffffff
THREAD 86514ca8 Cid 0004.00dc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b6d0 Semaphore Limit 0x7fffffff
THREAD 86514930 Cid 0004.00e0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8650b6e4 Semaphore Limit 0x7fffffff
THREAD 86618928 Cid 0004.00e8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
90c74230 SynchronizationEvent
THREAD 86632bb8 Cid 0004.00ec Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
90e2503c NotificationEvent
THREAD 866436b0 Cid 0004.00f0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86643aa8 NotificationEvent
THREAD 86646d48 Cid 0004.00f4 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
86646f7c Semaphore Limit 0x1
THREAD 86650940 Cid 0004.0128 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
91c3c468 SynchronizationTimer
THREAD 86670b30 Cid 0004.012c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
85af4f70 SynchronizationEvent
THREAD 866d6a78 Cid 0004.0140 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8667bef0 NotificationEvent
THREAD 86cd22d0 Cid 0004.0148 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
90ddf3e0 SynchronizationEvent
90ddf3c0 SynchronizationEvent
THREAD 85ac32c0 Cid 0004.0168 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86d80ad8 SynchronizationEvent
86d80aa8 SynchronizationEvent
86d80b38 SynchronizationEvent
THREAD 86f28d48 Cid 0004.01bc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86f298dc SynchronizationEvent
THREAD 86f3e030 Cid 0004.01d8 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Alertable
86f2a200 QueueObject
THREAD 86faa978 Cid 0004.02b4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86fac5a0 NotificationEvent
86fac5b0 SynchronizationEvent
86fac5e0 NotificationEvent
THREAD 86fd4d48 Cid 0004.0328 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86fd2b9c SynchronizationEvent
THREAD 86fddcf8 Cid 0004.0338 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86fd8e9c SynchronizationEvent
THREAD 86febd48 Cid 0004.0358 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86fe749c SynchronizationEvent
THREAD 86ffcd48 Cid 0004.0360 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86ff0e9c SynchronizationEvent
THREAD 86ffad48 Cid 0004.0364 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86ff8e9c SynchronizationEvent
THREAD 86f7b938 Cid 0004.0478 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
90e96740 NotificationEvent
90e96770 NotificationEvent
90e96750 NotificationEvent
THREAD 87057b50 Cid 0004.047c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
90e96740 NotificationEvent
90e96780 NotificationEvent
90e96760 NotificationEvent
THREAD 86a16988 Cid 0004.0610 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
90e24f3c QueueObject
THREAD 86a20d48 Cid 0004.0628 Teb: 00000000 Win32Thread: 00000000 WAIT: (DelayExecution) KernelMode Non-Alertable
00000000 NotificationEvent
THREAD 86a77d48 Cid 0004.06f8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
86a7719c SynchronizationEvent
86a771b0 SynchronizationTimer
THREAD 87370388 Cid 0004.04f4 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
8736f808 QueueObject
THREAD 87372418 Cid 0004.04e0 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
8736e3c8 QueueObject
THREAD 87373020 Cid 0004.0520 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
8736e270 QueueObject
THREAD 87378d48 Cid 0004.052c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
87373764 QueueObject
THREAD 87379740 Cid 0004.05b8 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
87373504 QueueObject
THREAD 8737ad48 Cid 0004.05c0 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
9b62fa4c QueueObject
THREAD 8704da08 Cid 0004.0678 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
870aab68 QueueObject
THREAD 86fd9d48 Cid 0004.0078 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
870aabcc QueueObject
THREAD 8735f020 Cid 0004.0330 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
82f77480 QueueObject
THREAD 8668c030 Cid 0004.0958 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8668d8dc SynchronizationEvent
THREAD 87449af8 Cid 0004.09f0 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
90e24f3c QueueObject
THREAD 8707fb78 Cid 0004.09f8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
9b6a9164 NotificationEvent
874a6018 NotificationEvent
874a8048 NotificationEvent
874aa078 NotificationEvent
874ac0a8 NotificationEvent
THREAD 874ed020 Cid 0004.0a98 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
874ec488 SynchronizationEvent
THREAD 874ed7c0 Cid 0004.0a9c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
874ec388 SynchronizationEvent
THREAD 874ed4e8 Cid 0004.0aa0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
9b724d60 NotificationEvent
9b724d50 NotificationEvent
85aed678 NotificationEvent
9b724d70 NotificationEvent
THREAD 874ecc58 Cid 0004.0bfc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
874ec688 SynchronizationEvent
THREAD 87306d48 Cid 0004.0c1c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
90e24e94 QueueObject
THREAD 861af1e8 Cid 0004.0efc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8731c7dc SynchronizationEvent
THREAD 8705dc40 Cid 0004.0f24 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
874ec588 SynchronizationEvent
THREAD 87048020 Cid 0004.0f28 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
874ec588 SynchronizationEvent