Monthly Archive for 7월, 2008

[Debugging Tip]Passive Thread와 Non Passive Thread

Published
by
admin
on 7월 31, 2008
in Debugging Windows
. Comments

가끔 System Process의 Thread 들을 열거해보면 눈에 익는 ( System Process가 기본적으로 가지는 Thread들.. )녀석들이 많습니다. 이러한 녀석들을 분류하면 크게 3가지 정도로 분류 해보면 Non-Passive Core Thread, Exp Passive Worker Thread, Non-Exp Passive Worker Thread 가 있지요.

Non-Passive Core Thread 들은 대부분 Memory, Cache Manager, Process Swap 등과 같은 OS의 정말 중요한 부분의 기능을 담당하고 있습니다.

Not Passive Core Thread

THREAD 8a8ee750 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
80569e30 SynchronizationEvent
8056aea0 NotificationTimer
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1158110 Ticks: 14 (0:00:00:00.218)
Context Switch Count 241570
UserTime 00:00:00.000
KernelTime 00:00:15.468
Start Address nt!Phase1Initialization (0×806b27bf)
Stack Init f789f000 Current f789e798 Base f789f000 Limit f789c000 Call 0
Priority 0 BasePriority 0 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f789e7b0 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
f789e7bc 804e3b73 nt!KiSwapThread+0×8a (FPO: [0,0,0])
f789e7f4 804ebaaf nt!KeWaitForMultipleObjects+0×284 (FPO: [Non-Fpo])
f789e840 806b12bd nt!MmZeroPageThread+0×61 (FPO: [Non-Fpo])
f789edac 8057772b nt!Phase1Initialization+0×1287 (FPO: [Non-Fpo])
f789eddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

THREAD 8a8e0da8 Cid 0004.00cc Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
805699f0 NotificationEvent
80565420 NotificationEvent
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1154066 Ticks: 5028 (0:00:01:18.562)
Context Switch Count 13330
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address nt!MiModifiedPageWriter (0×80668602)
Stack Init bafe0000 Current bafdfcd0 Base bafe0000 Limit bafdd000 Call 0
Priority 17 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
bafdfce8 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
bafdfcf4 804e3b73 nt!KiSwapThread+0×8a (FPO: [0,0,0])
bafdfd2c 80500be5 nt!KeWaitForMultipleObjects+0×284 (FPO: [Non-Fpo])
bafdfd74 80668767 nt!MiModifiedPageWriterWorker+0×45 (FPO: [Non-Fpo])
bafdfdac 8057772b nt!MiModifiedPageWriter+0×165 (FPO: [Non-Fpo])
bafdfddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

THREAD 8a8df020 Cid 0004.00d0 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrVirtualMemory) KernelMode Non-Alertable
805695a0 NotificationEvent
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1149138 Ticks: 9968 (0:00:02:35.750)
Context Switch Count 1675
UserTime 00:00:00.000
KernelTime 00:00:00.171
Start Address nt!MiMappedPageWriter (0×80504e41)
Stack Init bafdc000 Current bafdbd24 Base bafdc000 Limit bafd9000 Call 0
Priority 17 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
bafdbd3c 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
bafdbd48 804e3c0e nt!KiSwapThread+0×8a (FPO: [0,0,0])
bafdbd70 80504e95 nt!KeWaitForSingleObject+0×1c2 (FPO: [Non-Fpo])
bafdbdac 8057772b nt!MiMappedPageWriter+0×54 (FPO: [Non-Fpo])
bafdbddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

THREAD 8a8dfda8 Cid 0004.00d4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
bafd7d7c NotificationTimer
805699e0 SynchronizationEvent
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1159058 Ticks: 60 (0:00:00:00.937)
Context Switch Count 18836
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address nt!KeBalanceSetManager (0×804e858f)
Stack Init bafd8000 Current bafd7cbc Base bafd8000 Limit bafd5000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
bafd7cd4 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
bafd7ce0 804e3b73 nt!KiSwapThread+0×8a (FPO: [0,0,0])
bafd7d18 804e8604 nt!KeWaitForMultipleObjects+0×284 (FPO: [Non-Fpo])
bafd7dac 8057772b nt!KeBalanceSetManager+0×75 (FPO: [Non-Fpo])
bafd7ddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

THREAD 8a8dfb30 Cid 0004.00d8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
80564370 SynchronizationEvent
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1159054 Ticks: 76 (0:00:00:01.187)
Context Switch Count 154031
UserTime 00:00:00.000
KernelTime 00:00:00.156
Start Address nt!KeSwapProcessOrStack (0×804ea2bc)
Stack Init bafd4000 Current bafd3d48 Base bafd4000 Limit bafd1000 Call 0
Priority 23 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
bafd3d60 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
bafd3d6c 804e3c0e nt!KiSwapThread+0×8a (FPO: [0,0,0])
bafd3d94 804ea2e7 nt!KeWaitForSingleObject+0×1c2 (FPO: [Non-Fpo])
bafd3dac 8057772b nt!KeSwapProcessOrStack+0×2b (FPO: [1,0,0])
bafd3ddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

THREAD 8a8e68b8 Cid 0004.00c4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
bafe7d78 NotificationTimer
8056c5a0 SynchronizationEvent
8056c590 SynchronizationEvent
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1159051 Ticks: 20 (0:00:00:00.312)
Context Switch Count 18121
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address nt!ExpWorkerThreadBalanceManager (0×8056fe86)
Stack Init bafe8000 Current bafe7ce8 Base bafe8000 Limit bafe5000 Call 0
Priority 14 BasePriority 14 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
bafe7d00 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
bafe7d0c 804e3b73 nt!KiSwapThread+0×8a (FPO: [0,0,0])
bafe7d44 8056fee4 nt!KeWaitForMultipleObjects+0×284 (FPO: [Non-Fpo])
bafe7dac 8057772b nt!ExpWorkerThreadBalanceManager+0×5e (FPO: [Non-Fpo])
bafe7ddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

위에 보여지는 예 말고도 Non-Passive Thread에는 KiExecuteDpc나 CcQueueLzeWriteScanThread 등의 Function이 보여지는 경우도 있습니다.

Exp Passive Worker Thread

THREAD 8a8ed340 Cid 0004.0020 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
8056c5c0 Unknown
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1157928 Ticks: 314 (0:00:00:04.906)
Context Switch Count 8486
UserTime 00:00:00.000
KernelTime 00:00:01.109
Start Address nt!ExpWorkerThread (0×804e42e1)
Stack Init f78c7000 Current f78c6d24 Base f78c7000 Limit f78c4000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
f78c6d3c 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
f78c6d48 804e42c6 nt!KiSwapThread+0×8a (FPO: [0,0,0])
f78c6d74 804e437e nt!KeRemoveQueue+0×22a (FPO: [Non-Fpo])
f78c6dac 8057772b nt!ExpWorkerThread+0xcc (FPO: [Non-Fpo])
f78c6ddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

Non-Exp Passive Worker Thread의 경우는 Function 이름을 통해서 확인이 가능한데 Loger나 Worker, Logging 등의 Substring을 가지고 있는 Function이 스택이 존재한다면 Non-Exp Passive Worker Thread로 판단 할 수 있습니다.

Non-Exp Passive Worker Thread

THREAD 8a1099a8 Cid 0004.0298 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8a511014 Semaphore Limit 0×400
8a109a98 NotificationTimer
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1159822 Ticks: 54 (0:00:00:00.843)
Context Switch Count 18357
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address nt!WmipLogger (0×8064b43f)
Stack Init b6849000 Current b6848d28 Base b6849000 Limit b6846000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
b6848d40 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
b6848d4c 804e3c0e nt!KiSwapThread+0×8a (FPO: [0,0,0])
b6848d74 8064b4f7 nt!KeWaitForSingleObject+0×1c2 (FPO: [Non-Fpo])
b6848dac 8057772b nt!WmipLogger+0xb8 (FPO: [Non-Fpo])
b6848ddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

THREAD 8a533da8 Cid 0004.0aec Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
b5fcdea8 SynchronizationEvent
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1161516 Ticks: 1830 (0:00:00:28.593)
Context Switch Count 1478
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address HTTP!UlpThreadPoolWorker (0xb5fe49f0)
Stack Init b6276000 Current b6275d30 Base b6276000 Limit b6273000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
b6275d48 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
b6275d54 804e3c0e nt!KiSwapThread+0×8a (FPO: [0,0,0])
b6275d7c b5fe4ae9 nt!KeWaitForSingleObject+0×1c2 (FPO: [Non-Fpo])
b6275dac 8057772b HTTP!UlpThreadPoolWorker+0xf9 (FPO: [Non-Fpo])
b6275ddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

THREAD 8a539238 Cid 0004.039c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
8a123a44 Unknown
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 3067 Ticks: 1160080 (0:05:02:06.250)
Context Switch Count 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address srv!WorkerThread (0xb662fce4)
Stack Init b680d000 Current b680cd2c Base b680d000 Limit b680a000 Call 0
Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.

THREAD 8a504810 Cid 0004.0148 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
ba383bac Unknown
Not impersonating
DeviceMap e1000168
Owning Process 8a8ee9c8 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1129 Ticks: 1161275 (0:05:02:24.921)
Context Switch Count 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address rdpdr!RxBootstrapWorkerThreadDispatcher (0xba395658)
Stack Init baf6c000 Current baf6bd14 Base baf6c000 Limit baf69000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
baf6bd2c 804e3bc2 nt!KiSwapContext+0×2f (FPO: [Uses EBP] [0,0,4])
baf6bd38 804e42c6 nt!KiSwapThread+0×8a (FPO: [0,0,0])
baf6bd64 ba37eefb nt!KeRemoveQueue+0×22a (FPO: [Non-Fpo])
baf6bd9c ba395667 rdpdr!RxpWorkerThreadDispatcher+0×4b (FPO: [Non-Fpo])
baf6bdac 8057772b rdpdr!RxBootstrapWorkerThreadDispatcher+0xf (FPO: [Non-Fpo])
baf6bddc 804ee6c9 nt!PspSystemThreadStartup+0×34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0×16

위에 예시된 것들 말고도 PftLoogingWorker나 EtwpLogger 등의 Function이 스택에 보이면 Non-Exp Passive Worker Thread로 판단하시면 됩니다.

디버깅 할때 유심히 관찰하시면 도움이 많이 되고 또 System Hang을 분석할때도 도움이 된답니다.

[windbg] .effmach, wow64exts …

Published
by
admin
on 7월 30, 2008
in Basic Debugging
. Comments

Wow64에서 발생하는 32bit Process의 Dump를 보게되면 마치 wow64.dll에서 발생하는 문제인것 처럼 자동분석이 되는경우가 있습니다. 이러한 경우에는 .effmach Command와 wow64exts Extension DLL을 Load하여 분석을 하는것이 좋습니다. Windbg의 !analyze -v가 잘못된 정보를 보여주는 이유는 바로 32bit Application의 Memory를 정상적으로 찾지 못하게 되기 때문입니다. 측 32bit 단위의 Memory가 아닌64bit 단위로 Memory를 보여주기 때문이죠.

.load wow64exts

.effmach x86

이러한 경우가 발생한다면 꼭 잊지 마시길..

[Blogging] PAGED_CODE(), Spin Lock

Published
by
admin
on 7월 25, 2008
in Inside Windows
. Comments

견우님 블러그에 갔다가 재미 있는 내용을 읽었습니다. PAGED_CODE() mecro를 사용하게 되면 Driver Code를 pagedpool에 올려 놓게 되지요. 그럼 Spin Lock과 이게 무슨 관계일까 ?? 개인적으로는 PAGED_CODE Mecro를 잘 쓰지 않아 좀처럼 볼수 없는 현상인데 견우님이 Blog에 이 둘의 관계에서 발생하는 재미 있는 현상에 관해 써주셨군요

http://cjhnim.egloos.com/3829482

리플에 질럿님이 써주진 이야기가 맞는것 같습니다.

PAGED_CODE()를 이용해서 PagedPool로 내려 간것이 아닌듯 싶내요.

일단 메모리 상주관련해서 #pragma 부분을 체크해봐야할듯 .. 또는 static 여부를 확인해봐야할듯…

[blogging] Desktop Heap Overview

Published
by
admin
on 7월 24, 2008
in Inside Windows
. Comments

드라이버 온라인에 Jeff 님이 굉장히 좋은 글을 번역해 주셨습니다. Desktop Heap이 무엇이가 또 Desktop Heap으로 장해가 발생할 수 있는 상황에는 어떤 것이 있는가에 대한 내용이내요.

원문 : http://blogs.msdn.com/ntdebugging/archive/2007/01/04/desktop-heap-overview.aspx
번역 : http://www.driveronline.org/bbs/view.asp?tb=systembbs&no=126

이런 좋은 글을 읽을때 마다 항상 즐겁군요

[debugging tip] _RTL_RESOURCE Deadlock , services.exe

Published
by
admin
on 7월 23, 2008
in Debugging Windows
. Comments

최근 services.exe Process의 CPU 사용량이 100%까지 올라가는 현상에 대한 Dump를 하나 보게 되었습니다. _RTL_RESOURCE를 통한 동기화에 의해서 발생한 경우 인데요. _RTL_RESOURCE가 그 원인은 아니었지만 꽤 경험하기 힘든 내용이었습니다.

0 Id: 318.330 Suspend: 1 Teb: 7ffde000 Unfrozen
# ChildEBP RetAddr Args to Child
00 0063ff98 7c93d1fc 7c957f02 00000001 0063ffac ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0063ff9c 7c957f02 00000001 0063ffac 00000000 ntdll!NtDelayExecution+0xc (FPO: [2,0,0])
02 0063ffb4 7c80b713 00000000 0043005c 00720075 ntdll!RtlpTimerThread+0×47 (FPO: [Non-Fpo])
03 0063ffec 00000000 7c957ebb 00000000 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

1 Id: 318.35c Suspend: 1 Teb: 7ffdd000 Unfrozen
# ChildEBP RetAddr Args to Child
00 0067ff88 7c93d1fc 7c9405d9 00000001 0067ffa8 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0067ff8c 7c9405d9 00000001 0067ffa8 00300030 ntdll!NtDelayExecution+0xc (FPO: [2,0,0])
02 0067ffb4 7c80b713 00097ca8 00300030 00000030 ntdll!RtlpIOWorkerThread+0×3f (FPO: [Non-Fpo])
03 0067ffec 00000000 7c94059a 00097ca8 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

2 Id: 318.360 Suspend: 1 Teb: 7ffdb000 Unfrozen
# ChildEBP RetAddr Args to Child
00 006bfce8 7c93df2c 7c959c96 00000011 006bfd30 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 006bfcec 7c959c96 00000011 006bfd30 00000001 ntdll!NtWaitForMultipleObjects+0xc (FPO: [5,0,0])
02 006bffb4 7c80b713 00000000 00000020 00300030 ntdll!RtlpWaitThread+0×13d (FPO: [Non-Fpo])
03 006bffec 00000000 7c959b6f 00000000 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

3 Id: 318.3a4 Suspend: 1 Teb: 7ffda000 Unfrozen
# ChildEBP RetAddr Args to Child
00 0072e1fc 7c93cfdc 77f64256 00000288 77f6557b ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0072e200 77f64256 00000288 77f6557b 00000000 ntdll!ZwClose+0xc (FPO: [1,0,0])
02 0072e234 77f655df 000001e0 00000288 00000000 ADVAPI32!LocalBaseRegDeleteKey+0xe2 (FPO: [Non-Fpo])
03 0072e258 7df29bd0 000001e0 0072e4b4 77f6557b ADVAPI32!RegDeleteKeyW+0×76 (FPO: [Non-Fpo])
04 0072e48c 7df29c31 000001e0 0072e4b4 00000000 umpnpmgr!RegDeleteNode+0×3a (FPO: [Non-Fpo])
05 0072e6c0 7df29f83 000002a8 0072eca0 7df2c170 umpnpmgr!RegDeleteNode+0×9b (FPO: [Non-Fpo])
06 0072f25c 7df1d5e5 80000002 0072f420 0072f880 umpnpmgr!DeletePrivateKey+0×182 (FPO: [Non-Fpo])
07 0072fa14 7df254eb 003d1f30 0101aa08 006c72d8 umpnpmgr!UninstallPhantomDevice+0×104 (FPO: [Non-Fpo])
08 0072fed0 01010999 006c734c 00000000 010109fd umpnpmgr!DeleteServicePlugPlayRegKeys+0×1aa (FPO: [Non-Fpo])
09 0072fef4 01010a07 7c957aa2 00000000 7c9ab440 services!DEFER_LIST::Process+0×10c (FPO: [Non-Fpo])
0a 0072fef8 7c957aa2 00000000 7c9ab440 000cdbc8 services!ScDeferredListWorkItem+0xa (FPO: [1,0,0])
0b 0072ff40 7c957ae3 010109fd 00000000 00000000 ntdll!RtlpWorkerCallout+0×70 (FPO: [Non-Fpo])
0c 0072ff60 7c957ba5 00000000 00000000 000cdbc8 ntdll!RtlpExecuteWorkerRequest+0×1a (FPO: [Non-Fpo])
0d 0072ff74 7c957b7c 7c957ac9 00000000 00000000 ntdll!RtlpApcCallout+0×11 (FPO: [Non-Fpo])
0e 0072ffb4 7c80b713 00000000 80000002 0101a654 ntdll!RtlpWorkerThread+0×87 (FPO: [Non-Fpo])
0f 0072ffec 00000000 7c940230 00000000 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

[...]

10 Id: 318.768 Suspend: 1 Teb: 7ff99000 Unfrozen
# ChildEBP RetAddr Args to Child
00 00caf80c 7c93df3c 7c95daac 00000198 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 00caf810 7c95daac 00000198 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 00caf880 01001487 0101a078 00000001 00caf8f8 ntdll!RtlAcquireResourceShared+0×78 (FPO: [Non-Fpo])
03 00caf890 01002947 00caf8c8 00caf8f8 00cafd0c services!CServiceListSharedLock::CServiceListSharedLock+0×12 (FPO: [0,0,0])
04 00caf8a8 01005d10 000d15e0 000cbcb8 00000004 services!ROpenServiceW+0×56 (FPO: [Non-Fpo])
05 00caf8c4 77d899f4 000d15e0 000cbcb8 00000004 services!ROpenServiceA+0×2c (FPO: [Non-Fpo])
06 00caf8e8 77e0421a 01005ce5 00caf8fc 00000004 RPCRT4!Invoke+0×30
07 00cafcf4 77e046ee 00000000 00000000 000b1634 RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
08 00cafd10 77d894bd 000b1634 000af8e8 000b1634 RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
09 00cafd44 77d89422 01002579 000b1634 00cafdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
0a 00cafd98 77d8934e 0000001c 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0b 00cafdbc 77d8be64 000b1634 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0c 00cafdf8 77d8bcc1 000cb960 000a7470 000b13b0 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0d 00cafe1c 77d8bc05 000a74ac 00cafe38 000b13b0 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0e 00caff80 77d86caf 00caffa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0f 00caff88 77d86ad1 000a7470 00000048 01001ce4 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
10 00caffa8 77d86c97 000ad2e0 00caffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
11 00caffb4 7c80b713 000cac90 00000048 01001ce4 RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
12 00caffec 00000000 77d86c7d 000cac90 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

11 Id: 318.b0 Suspend: 1 Teb: 7ff97000 Unfrozen
# ChildEBP RetAddr Args to Child
00 00d2f80c 7c93df3c 7c95daac 00000198 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 00d2f810 7c95daac 00000198 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 00d2f880 01001487 0101a078 00000001 00d2f8f8 ntdll!RtlAcquireResourceShared+0×78 (FPO: [Non-Fpo])
03 00d2f890 01002947 00d2f8c8 00d2f8f8 00d2fd0c services!CServiceListSharedLock::CServiceListSharedLock+0×12 (FPO: [0,0,0])
04 00d2f8a8 01005d10 000b4ea0 000b6738 000f01ff services!ROpenServiceW+0×56 (FPO: [Non-Fpo])
05 00d2f8c4 77d899f4 000b4ea0 000b6738 000f01ff services!ROpenServiceA+0×2c (FPO: [Non-Fpo])
06 00d2f8e8 77e0421a 01005ce5 00d2f8fc 00000004 RPCRT4!Invoke+0×30
07 00d2fcf4 77e046ee 00000000 00000000 000cf4ec RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
08 00d2fd10 77d894bd 000cf4ec 000af8e8 000cf4ec RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
09 00d2fd44 77d89422 01002579 000cf4ec 00d2fdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
0a 00d2fd98 77d8934e 0000001c 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0b 00d2fdbc 77d8be64 000cf4ec 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0c 00d2fdf8 77d8bcc1 000ce120 000a7470 000cf290 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0d 00d2fe1c 77d8bc05 000a74ac 00d2fe38 000cf290 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0e 00d2ff80 77d86caf 00d2ffa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0f 00d2ff88 77d86ad1 000a7470 00000048 01001a4a RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
10 00d2ffa8 77d86c97 000ad2e0 00d2ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
11 00d2ffb4 7c80b713 000cde40 00000048 01001a4a RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
12 00d2ffec 00000000 77d86c7d 000cde40 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

[...]

14 Id: 318.d0c Suspend: 1 Teb: 7ffd7000 Unfrozen
# ChildEBP RetAddr Args to Child
00 0007f740 7c93df3c 7c95da4e 000001a4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0007f744 7c95da4e 000001a4 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 0007f7b8 0100626e 0101a374 00000001 00000000 ntdll!RtlAcquireResourceExclusive+0×68 (FPO: [Non-Fpo])
03 0007f7c8 010124db 0007f868 00000000 0007fd0c services!CGroupListExclusiveLock::CGroupListExclusiveLock+0×12 (FPO: [0,0,0])
04 0007f800 01014853 000c2b68 000c1c08 000d2860 services!RCreateServiceW+0×162 (FPO: [Non-Fpo])
05 0007f864 77d899f4 000c2b68 000c4640 000c4658 services!RCreateServiceA+0xc1 (FPO: [Non-Fpo])
06 0007f8b8 77e0421a 01014792 0007f8cc 00000010 RPCRT4!Invoke+0×30
07 0007fcf4 77e046ee 00000000 00000000 000cf21c RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
08 0007fd10 77d894bd 000cf21c 000af8e8 000cf21c RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
09 0007fd44 77d89422 01002579 000cf21c 0007fdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
0a 0007fd98 77d8934e 00000018 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0b 0007fdbc 77d8be64 000cf21c 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0c 0007fdf8 77d8bcc1 000ceeb8 000a7470 000cefc0 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0d 0007fe1c 77d8bc05 000a74ac 0007fe38 000cefc0 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0e 0007ff80 77d86caf 0007ffa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0f 0007ff88 77d86ad1 000a7470 00090000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
10 0007ffa8 77d86c97 000ad2e0 0007ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
11 0007ffb4 7c80b713 000c8ca0 00090000 00000000 RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
12 0007ffec 00000000 77d86c7d 000c8ca0 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

15 Id: 318.230 Suspend: 1 Teb: 7ffd9000 Unfrozen
# ChildEBP RetAddr Args to Child
00 0076f828 7c93df3c 7c95daac 00000198 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0076f82c 7c95daac 00000198 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 0076f89c 01001487 0101a078 00000001 0076f8f8 ntdll!RtlAcquireResourceShared+0×78 (FPO: [Non-Fpo])
03 0076f8ac 01002947 0076f8c8 0076f8f8 0076fd0c services!CServiceListSharedLock::CServiceListSharedLock+0×12 (FPO: [0,0,0])
04 0076f8c4 77d899f4 000d9ea0 000b1248 00000004 services!ROpenServiceW+0×56 (FPO: [Non-Fpo])
05 0076f8e8 77e0421a 010028fb 0076f8fc 00000004 RPCRT4!Invoke+0×30
06 0076fcf4 77e046ee 00000000 00000000 000cd044 RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
07 0076fd10 77d894bd 000cd044 000af8e8 000cd044 RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
08 0076fd44 77d89422 01002579 000cd044 0076fdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
09 0076fd98 77d8934e 00000010 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0a 0076fdbc 77d8be64 000cd044 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0b 0076fdf8 77d8bcc1 000b11f0 000a7470 000cd0b8 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0c 0076fe1c 77d8bc05 000a74ac 0076fe38 000cd0b8 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0d 0076ff80 77d86caf 0076ffa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0e 0076ff88 77d86ad1 000a7470 00000048 0100201a RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
0f 0076ffa8 77d86c97 000ad2e0 0076ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
10 0076ffb4 7c80b713 000af2b0 00000048 0100201a RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
11 0076ffec 00000000 77d86c7d 000af2b0 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

16 Id: 318.c00 Suspend: 1 Teb: 7ffd5000 Unfrozen
# ChildEBP RetAddr Args to Child
00 007ef824 7c93df3c 7c95daac 0000018c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 007ef828 7c95daac 0000018c 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 007ef898 01001554 0101a040 00000001 006c67f0 ntdll!RtlAcquireResourceShared+0×78 (FPO: [Non-Fpo])
03 007ef8a8 01002b3a 007ef8d8 006c67c8 007efd0c services!CServiceRecordSharedLock::CServiceRecordSharedLock+0×12 (FPO: [0,0,0])
04 007ef8bc 01002b03 006c67c8 007efad8 00000000 services!ScQueryServiceStatus+0×3b (FPO: [Non-Fpo])
05 007ef8d4 77d899f4 000c7480 007efad8 02020202 services!RQueryServiceStatus+0×49 (FPO: [Non-Fpo])
06 007ef8f0 77e0421a 01002abe 007ef904 00000002 RPCRT4!Invoke+0×30
07 007efcf4 77e046ee 00000000 00000000 000c343c RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
08 007efd10 77d894bd 000c343c 000af8e8 000c343c RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
09 007efd44 77d89422 01002579 000c343c 007efdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
0a 007efd98 77d8934e 00000006 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0b 007efdbc 77d8be64 000c343c 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0c 007efdf8 77d8bcc1 000c85c8 000a7470 000c34c8 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0d 007efe1c 77d8bc05 000a74ac 007efe38 000c34c8 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0e 007eff80 77d86caf 007effa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0f 007eff88 77d86ad1 000a7470 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
10 007effa8 77d86c97 000ad2e0 007effec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
11 007effb4 7c80b713 000c9928 00000000 00000000 RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
12 007effec 00000000 77d86c7d 000c9928 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

17 Id: 318.cac Suspend: 1 Teb: 7ffd4000 Unfrozen
# ChildEBP RetAddr Args to Child
00 0086f828 7c93df3c 7c95daac 00000198 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0086f82c 7c95daac 00000198 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 0086f89c 01001487 0101a078 00000001 0086f8f8 ntdll!RtlAcquireResourceShared+0×78 (FPO: [Non-Fpo])
03 0086f8ac 01002947 0086f8c8 0086f8f8 0086fd0c services!CServiceListSharedLock::CServiceListSharedLock+0×12 (FPO: [0,0,0])
04 0086f8c4 77d899f4 000b6ef0 000c4a88 80000000 services!ROpenServiceW+0×56 (FPO: [Non-Fpo])
05 0086f8e8 77e0421a 010028fb 0086f8fc 00000004 RPCRT4!Invoke+0×30
06 0086fcf4 77e046ee 00000000 00000000 000ce08c RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
07 0086fd10 77d894bd 000ce08c 000af8e8 000ce08c RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
08 0086fd44 77d89422 01002579 000ce08c 0086fdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
09 0086fd98 77d8934e 00000010 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0a 0086fdbc 77d8be64 000ce08c 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0b 0086fdf8 77d8bcc1 000c4a30 000a7470 000c34c8 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0c 0086fe1c 77d8bc05 000a74ac 0086fe38 000c34c8 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0d 0086ff80 77d86caf 0086ffa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0e 0086ff88 77d86ad1 000a7470 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
0f 0086ffa8 77d86c97 000ad2e0 0086ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
10 0086ffb4 7c80b713 000bd9a0 00000000 00000000 RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
11 0086ffec 00000000 77d86c7d 000bd9a0 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

18 Id: 318.988 Suspend: 1 Teb: 7ff9d000 Unfrozen
# ChildEBP RetAddr Args to Child
00 009af828 7c93df3c 7c95daac 00000198 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 009af82c 7c95daac 00000198 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 009af89c 01001487 0101a078 00000001 009af8f8 ntdll!RtlAcquireResourceShared+0×78 (FPO: [Non-Fpo])
03 009af8ac 01002947 009af8c8 009af8f8 009afd0c services!CServiceListSharedLock::CServiceListSharedLock+0×12 (FPO: [0,0,0])
04 009af8c4 77d899f4 000cf748 000da6e8 00000014 services!ROpenServiceW+0×56 (FPO: [Non-Fpo])
05 009af8e8 77e0421a 010028fb 009af8fc 00000004 RPCRT4!Invoke+0×30
06 009afcf4 77e046ee 00000000 00000000 000cbc44 RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
07 009afd10 77d894bd 000cbc44 000af8e8 000cbc44 RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
08 009afd44 77d89422 01002579 000cbc44 009afdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
09 009afd98 77d8934e 00000010 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0a 009afdbc 77d8be64 000cbc44 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0b 009afdf8 77d8bcc1 000da690 000a7470 000c34c8 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0c 009afe1c 77d8bc05 000a74ac 009afe38 000c34c8 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0d 009aff80 77d86caf 009affa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0e 009aff88 77d86ad1 000a7470 00000048 01001ca8 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
0f 009affa8 77d86c97 000ad2e0 009affec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
10 009affb4 7c80b713 000ba8f8 00000048 01001ca8 RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
11 009affec 00000000 77d86c7d 000ba8f8 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

[...]

21 Id: 318.59c Suspend: 1 Teb: 7ff98000 Unfrozen
# ChildEBP RetAddr Args to Child
00 00c6f828 7c93df3c 7c95daac 00000198 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 00c6f82c 7c95daac 00000198 00000000 7c9ab1e0 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 00c6f89c 01001487 0101a078 00000001 00c6f8f8 ntdll!RtlAcquireResourceShared+0×78 (FPO: [Non-Fpo])
03 00c6f8ac 01002947 00c6f8c8 00c6f8f8 00c6fd0c services!CServiceListSharedLock::CServiceListSharedLock+0×12 (FPO: [0,0,0])
04 00c6f8c4 77d899f4 000c1b10 000c79d8 00000004 services!ROpenServiceW+0×56 (FPO: [Non-Fpo])
05 00c6f8e8 77e0421a 010028fb 00c6f8fc 00000004 RPCRT4!Invoke+0×30
06 00c6fcf4 77e046ee 00000000 00000000 000c7ce4 RPCRT4!NdrStubCall2+0×297 (FPO: [Non-Fpo])
07 00c6fd10 77d894bd 000c7ce4 000af8e8 000c7ce4 RPCRT4!NdrServerCall2+0×19 (FPO: [Non-Fpo])
08 00c6fd44 77d89422 01002579 000c7ce4 00c6fdec RPCRT4!DispatchToStubInC+0×38 (FPO: [Non-Fpo])
09 00c6fd98 77d8934e 00000010 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×113 (FPO: [Non-Fpo])
0a 00c6fdbc 77d8be64 000c7ce4 00000000 0101a150 RPCRT4!RPC_INTERFACE::DispatchToStub+0×84 (FPO: [Non-Fpo])
0b 00c6fdf8 77d8bcc1 000c7980 000a7470 000c7a88 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×2db (FPO: [Non-Fpo])
0c 00c6fe1c 77d8bc05 000a74ac 00c6fe38 000c7a88 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×16d (FPO: [Non-Fpo])
0d 00c6ff80 77d86caf 00c6ffa8 77d86ad1 000a7470 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×310 (FPO: [Non-Fpo])
0e 00c6ff88 77d86ad1 000a7470 00000048 7df116de RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
0f 00c6ffa8 77d86c97 000ad2e0 00c6ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0×79 (FPO: [Non-Fpo])
10 00c6ffb4 7c80b713 000c7d58 00000048 7df116de RPCRT4!ThreadStartRoutine+0×1a (FPO: [Non-Fpo])
11 00c6ffec 00000000 77d86c7d 000c7d58 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

[...]

다수의 Thread가 RTL_RESOUCE를 기다리고 있는 상태이고 0101a078, 0101a040, 0101a374 세개의 RTL_RESOURCE Object가 Release 대기 상태입니다.  이 세개의 Object에 공통점은 모두 Owner Thread가 000003a4 Thread라는 점 입니다.

0:022> dd 0101a078
0101a078 0009ade0 ffffffff 00000000 00000000
0101a088 00000000 00000000 00000198 00000006
0101a098 0000019c 00000000 ffffffff 000003a4
0101a0a8 00000000 0009ae08 00000000 006c1e90
0101a0b8 00000000 00000000 00000000 00000000
0101a0c8 00000000 00000000 00000000 00000000
0101a0d8 00000000 00000000 00000000 00000000
0101a0e8 00000000 00000000 00000000 00000000
0:022> dd 0101a040
0101a040 0009ad90 ffffffff 00000000 00000000
0101a050 000002f8 00000000 0000018c 00000001
0101a060 00000194 00000000 ffffffff 000003a4
0101a070 00000000 0009adb8 0009ade0 ffffffff
0101a080 00000000 00000000 00000000 00000000
0101a090 00000198 00000006 0000019c 00000000
0101a0a0 ffffffff 000003a4 00000000 0009ae08
0101a0b0 00000000 006c1e90 00000000 00000000
0:022> dd 0101a374
0101a374 0009ae30 ffffffff 00000000 00000000
0101a384 000001b8 00000000 000001a0 00000000
0101a394 000001a4 00000001 ffffffff 000003a4
0101a3a4 00000000 0009ae58 000950c0 00000000
0101a3b4 00000000 00000000 00000000 00000000
0101a3c4 00000000 0003d500 0003d968 0003dec0
0101a3d4 0003e420 0003e400 0003ed38 0003f2e0
0101a3e4 0003f858 0003fd98 0003ff88 008707b8

3a4 Thread 의 경우 ZwClose를 호출하였고 Trap이 발생하여 Kernel Mode에서 무엇인가 동작을 하구 있군요 .  그런 실제로 3a4 Thread가 세개의 RTL_RESOURCE가 Aquire 한것일까 ??

3 Id: 318.3a4 Suspend: 1 Teb: 7ffda000 Unfrozen
# ChildEBP RetAddr Args to Child
00 0072e1fc 7c93cfdc 77f64256 00000288 77f6557b ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0072e200 77f64256 00000288 77f6557b 00000000 ntdll!ZwClose+0xc (FPO: [1,0,0])
02 0072e234 77f655df 000001e0 00000288 00000000 ADVAPI32!LocalBaseRegDeleteKey+0xe2 (FPO: [Non-Fpo])
03 0072e258 7df29bd0 000001e0 0072e4b4 77f6557b ADVAPI32!RegDeleteKeyW+0×76 (FPO: [Non-Fpo])
04 0072e48c 7df29c31 000001e0 0072e4b4 00000000 umpnpmgr!RegDeleteNode+0×3a (FPO: [Non-Fpo])
05 0072e6c0 7df29f83 000002a8 0072eca0 7df2c170 umpnpmgr!RegDeleteNode+0×9b (FPO: [Non-Fpo])
06 0072f25c 7df1d5e5 80000002 0072f420 0072f880 umpnpmgr!DeletePrivateKey+0×182 (FPO: [Non-Fpo])
07 0072fa14 7df254eb 003d1f30 0101aa08 006c72d8 umpnpmgr!UninstallPhantomDevice+0×104 (FPO: [Non-Fpo])
08 0072fed0 01010999 006c734c 00000000 010109fd umpnpmgr!DeleteServicePlugPlayRegKeys+0×1aa (FPO: [Non-Fpo])
09 0072fef4 01010a07 7c957aa2 00000000 7c9ab440 services!DEFER_LIST::Process+0×10c (FPO: [Non-Fpo])
0a 0072fef8 7c957aa2 00000000 7c9ab440 000cdbc8 services!ScDeferredListWorkItem+0xa (FPO: [1,0,0])
0b 0072ff40 7c957ae3 010109fd 00000000 00000000 ntdll!RtlpWorkerCallout+0×70 (FPO: [Non-Fpo])
0c 0072ff60 7c957ba5 00000000 00000000 000cdbc8 ntdll!RtlpExecuteWorkerRequest+0×1a (FPO: [Non-Fpo])
0d 0072ff74 7c957b7c 7c957ac9 00000000 00000000 ntdll!RtlpApcCallout+0×11 (FPO: [Non-Fpo])
0e 0072ffb4 7c80b713 00000000 80000002 0101a654 ntdll!RtlpWorkerThread+0×87 (FPO: [Non-Fpo])
0f 0072ffec 00000000 7c940230 00000000 00000000 kernel32!BaseThreadStart+0×37 (FPO: [Non-Fpo])

0:022> uf services!DEFER_LIST::Process
services!DEFER_LIST::Process:
0101088d 8bff mov edi,edi
0101088f 55 push ebp
01010890 8bec mov ebp,esp
01010892 83ec0c sub esp,0Ch
01010895 53 push ebx
01010896 56 push esi
01010897 57 push edi
01010898 8bf9 mov edi,ecx
0101089a 8d4df4 lea ecx,[ebp-0Ch]
0101089d e8ba59ffff call services!CGroupListExclusiveLock::CGroupListExclusiveLock (0100625c)
010108a2 8d4df4 lea ecx,[ebp-0Ch]
010108a5 e8bfbcffff call services!CServiceListExclusiveLock::CServiceListExclusiveLock (0100c569)
010108aa 8d4df4 lea ecx,[ebp-0Ch]
010108ad e8c90cffff call services!CServiceRecordExclusiveLock::CServiceRecordExclusiveLock (0100157b)
010108b2 8b1de0100001 mov ebx,dword ptr [services!_imp__LocalFree (010010e0)]
010108b8 33f6 xor esi,esi
010108ba 397704 cmp dword ptr [edi+4],esi
010108bd 8975fc mov dword ptr [ebp-4],esi
010108c0 0f8605010000 jbe services!DEFER_LIST::Process+0×13e (010109cb)

services!DEFER_LIST::Process+0×39:
010108c6 8b4708 mov eax,dword ptr [edi+8]
010108c9 8b4dfc mov ecx,dword ptr [ebp-4]
010108cc 8b3488 mov esi,dword ptr [eax+ecx*4]
010108cf 8b461c mov eax,dword ptr [esi+1Ch]
010108d2 85c0 test eax,eax
010108d4 7404 je services!DEFER_LIST::Process+0×4d (010108da)
[...]

0:022> uf services!CServiceListExclusiveLock::CServiceListExclusiveLock
services!CServiceListExclusiveLock::CServiceListExclusiveLock:
0100c569 8bff mov edi,edi
0100c56b 56 push esi
0100c56c 6a01 push 1
0100c56e 6878a00101 push offset services!ScServiceListLock (0101a078)
0100c573 8bf1 mov esi,ecx
0100c575 ff1558130001 call dword ptr [services!_imp__RtlAcquireResourceExclusive (01001358)]
0100c57b 8bc6 mov eax,esi
0100c57d 5e pop esi
0100c57e c3 ret

0:022> uf services!CGroupListExclusiveLock::CGroupListExclusiveLock
services!CGroupListExclusiveLock::CGroupListExclusiveLock:
0100625c 8bff mov edi,edi
0100625e 56 push esi
0100625f 6a01 push 1
01006261 6874a30101 push offset services!ScGroupListLock (0101a374)
01006266 8bf1 mov esi,ecx
01006268 ff1558130001 call dword ptr [services!_imp__RtlAcquireResourceExclusive (01001358)]
0100626e 8bc6 mov eax,esi
01006270 5e pop esi
01006271 c3 ret

0:022> uf services!CServiceRecordExclusiveLock::CServiceRecordExclusiveLock
services!CServiceRecordExclusiveLock::CServiceRecordExclusiveLock:
0100157b 8bff mov edi,edi
0100157d 56 push esi
0100157e 6a01 push 1
01001580 6840a00101 push offset services!ScServiceRecordLock (0101a040)
01001585 8bf1 mov esi,ecx
01001587 ff1558130001 call dword ptr [services!_imp__RtlAcquireResourceExclusive (01001358)]
0100158d 8bc6 mov eax,esi
0100158f 5e pop esi
01001590 c3 ret

services!DEFER_LIST::Process 에서 이 세개의 RTL_RESOURCE를 Aquire 하고 있내요. 이제 이 문제는 Kernel Level에서 왜 Return이 되지 않느냐만 찾으면 해결 되겠군요. ( 실제 Kernel쪽 분석 결과 원인을 찾을 수 있었음. 개인적인 이유에서 그부분 공개는 힘드내요 ^^ )