Analysis of smss!SmpStartCsr: SmpLoadSubSystemsForMuSession and where the new csrss.exe process for a 3389 (Remote Desktop) session comes from
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
0: kd> kc
#
00 smss!SmpStartCsr
01 smss!SmpApiLoop
0: kd> dv
SmApiMsg = 0x0030fea8
CallingClient = 0x001637b8
CallPort = 0x00000010
State = 0x00000000
InitialCommandProcessId = 0
InitialCommandProcess = 0x77f2f6e8
InitialCommand = ""
DefaultInitialCommand = ""
WindowsSubSysProcessId = 0x2e8
MuSessionId = 0x30fea8
0: kd> dx -r1 ((smss!_SMAPIMSG *)0x30fea8)
((smss!_SMAPIMSG *)0x30fea8) : 0x30fea8 [Type: _SMAPIMSG *]
[+0x000] h [Type: _PORT_MESSAGE]
[+0x018] ApiNumber : SmStartCsrApi (5) [Type: _SMAPINUMBER]
[+0x01c] ReturnedStatus : 259 [Type: long]
[+0x020] u [Type: __unnamed]
0: kd> dx -r1 (*((smss!__unnamed *)0x30fec8))
(*((smss!__unnamed *)0x30fec8)) [Type: __unnamed]
[+0x000] CreateForeignSession [Type: _SMCREATEFOREIGNSESSION]
[+0x000] SessionComplete [Type: _SMSESSIONCOMPLETE]
[+0x000] TerminateForeignComplete [Type: _SMTERMINATEFOREIGNSESSION]
[+0x000] ExecPgm [Type: _SMEXECPGM]
[+0x000] LoadDefered [Type: _SMLOADDEFERED]
[+0x000] StartCsr [Type: _SMSTARTCSR]
[+0x000] StopCsr [Type: _SMSTOPCSR]
0: kd> dx -r1 (*((smss!_SMSTARTCSR *)0x30fec8))
(*((smss!_SMSTARTCSR *)0x30fec8)) [Type: _SMSTARTCSR]
[+0x000] MuSessionId : 0xffffffff [Type: unsigned long]
[+0x004] InitialCommandLength : 0x0 [Type: unsigned long]
[+0x008] InitialCommand [Type: unsigned short [128]]
[+0x108] InitialCommandProcessId : 0x0 [Type: unsigned long]
[+0x10c] WindowsSubSysProcessId : 0xdba90 [Type: unsigned long]
//
// Load subsystems for this session.
//
WindowsSubSysProcessId = 0;
Status = SmpLoadSubSystemsForMuSession (&MuSessionId,
&WindowsSubSysProcessId,
0: kd> t
smss!SmpLoadSubSystemsForMuSession:
001b:4858aa7c 55 push ebp
0: kd> dv
pMuSessionId = 0x0030fe50
pWindowsSubSysProcessId = 0x0030fe3c
InitialCommand = 0x0030fe28 ""
Status = 0n0
FileName = struct _UNICODE_STRING "--- memory read error at address 0x00000010 ---"
Win32kFileName = struct _UNICODE_STRING ""
State = 0x00000018
DelayTime = {68722687656}
0: kd> gu
GDI: VerifierInitialization: failed to get info from ntoskrnl
(s: 0 0x180.18c smss.exe) USRK-[Wrn] *** win32k: DBCS:[0] IME:[0] MiddleEast:[0] CTFIME:[0]
Installed
Installed
Breakpoint 4 hit
nt!PspCreateProcess:
80d3a1c0 6834010000 push 134h
0: kd> kc
#
00 nt!PspCreateProcess
01 nt!NtCreateProcessEx
02 nt!NtCreateProcess
03 nt!_KiSystemService
04 SharedUserData!SystemCallStub
05 ntdll!NtCreateProcess
06 ntdll!RtlCreateUserProcess
07 smss!SmpExecuteImage
08 smss!SmpLoadSubSystem
09 smss!SmpExecuteCommand
0a smss!SmpLoadSubSystemsForMuSession
0b smss!SmpStartCsr
0c smss!SmpApiLoop
0: kd> dv
0: kd> gu
nt!NtCreateProcessEx+0xae:
80d3af36 eb05 jmp nt!NtCreateProcessEx+0xb5 (80d3af3d)
0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 320.
Image: System
PROCESS 894ddd88 SessionId: none Cid: 0180 Peb: 7ffdf000 ParentCid: 0004
DirBase: 7b189000 ObjectTable: e1278720 HandleCount: 20.
Image: smss.exe
PROCESS 8940cd88 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7aa43000 ObjectTable: e1458b40 HandleCount: 304.
Image: csrss.exe
PROCESS 898c8250 SessionId: 0 Cid: 01c8 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7a448000 ObjectTable: e1457ad0 HandleCount: 479.
Image: winlogon.exe
PROCESS 897f5250 SessionId: 0 Cid: 01f4 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7a1cc000 ObjectTable: e1669ec0 HandleCount: 301.
Image: services.exe
PROCESS 8988a020 SessionId: 0 Cid: 0200 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7a2d4000 ObjectTable: e16dc8e0 HandleCount: 395.
Image: lsass.exe
PROCESS 898618d0 SessionId: 0 Cid: 02c4 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79bc2000 ObjectTable: e144df68 HandleCount: 160.
Image: svchost.exe
PROCESS 8954f3f0 SessionId: 0 Cid: 02fc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79ca0000 ObjectTable: e144dfb8 HandleCount: 190.
Image: svchost.exe
PROCESS 894d0c10 SessionId: 0 Cid: 0388 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 09fea000 ObjectTable: e142f830 HandleCount: 130.
Image: svchost.exe
PROCESS 895d98c0 SessionId: 0 Cid: 03bc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 796af000 ObjectTable: e1439930 HandleCount: 79.
Image: svchost.exe
PROCESS 895e0c10 SessionId: 0 Cid: 03d8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79575000 ObjectTable: e1439aa8 HandleCount: 589.
Image: svchost.exe
PROCESS 895538c0 SessionId: 0 Cid: 04a4 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79347000 ObjectTable: e17da1f8 HandleCount: 125.
Image: spoolsv.exe
PROCESS 8988bbf8 SessionId: 0 Cid: 04c0 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 7908d000 ObjectTable: e17cab78 HandleCount: 159.
Image: msdtc.exe
PROCESS 894153f8 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79413000 ObjectTable: e13d0140 HandleCount: 55.
Image: svchost.exe
PROCESS 89484950 SessionId: 0 Cid: 0594 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 78f9b000 ObjectTable: e17e30e8 HandleCount: 36.
Image: svchost.exe
PROCESS 894fbd88 SessionId: 0 Cid: 05bc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 78da1000 ObjectTable: e1294788 HandleCount: 42.
Image: tftpd6.exe
PROCESS 8984fd88 SessionId: 0 Cid: 06a8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 788c2000 ObjectTable: e1770838 HandleCount: 51.
Image: dfssvc.exe
PROCESS 896b7538 SessionId: 1 Cid: 06d4 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7880e000 ObjectTable: e188c460 HandleCount: 0.
Image: csrss.exe    <-- the new csrss.exe process!!! Its parent is smss!!! ParentCid: 0180
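The process dump above carries the whole argument: the session-1 csrss.exe has ParentCid 0180, which is smss.exe, because smss created it inside SmpLoadSubSystemsForMuSession. As an added example (not code from the original post), here is a small Python parser for that "!process 0 0" output format that rebuilds the Cid/ParentCid tree and checks the rule a defender would baseline from it: every csrss.exe should be a child of smss.exe. The sample dump is constructed: four entries are copied from the dump above, and one extra csrss.exe with a non-smss parent (Cid 0f00, made up) is added so the check has something to report.

```python
import re
from dataclasses import dataclass

# Matches the "PROCESS ..." header line of a "!process 0 0" dump (kd output format).
PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-f]+)\s+SessionId:\s+(?P<session>\S+)\s+"
    r"Cid:\s+(?P<cid>[0-9a-f]+)\s+Peb:\s+(?P<peb>[0-9a-f]+)\s+"
    r"ParentCid:\s+(?P<parent>[0-9a-f]+)",
    re.IGNORECASE,
)
# Matches the "Image: name.exe" line that closes each entry (trailing text is ignored).
IMAGE_RE = re.compile(r"^\s*Image:\s+(?P<image>\S+)")


@dataclass
class Proc:
    eprocess: int
    session: str      # "none" for System/smss, otherwise the numeric session id as text
    cid: int
    parent_cid: int
    image: str        # lower-cased image name


def parse_process_dump(text):
    """Turn the kd dump into a list of Proc records, one per PROCESS/Image pair."""
    procs = []
    current = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            current = dict(
                eprocess=int(m["eprocess"], 16),
                session=m["session"],
                cid=int(m["cid"], 16),
                parent_cid=int(m["parent"], 16),
            )
            continue
        m = IMAGE_RE.match(line)
        if m and current is not None:
            procs.append(Proc(image=m["image"].lower(), **current))
            current = None
    return procs


def check_csrss_parentage(procs):
    """Return (cid, reason) findings for every csrss.exe whose parent is not smss.exe.

    This is the invariant the dump above demonstrates: the per-session csrss.exe
    is started by smss, so its ParentCid must resolve to an smss.exe entry."""
    by_cid = {p.cid: p for p in procs}
    findings = []
    for p in procs:
        if p.image != "csrss.exe":
            continue
        parent = by_cid.get(p.parent_cid)
        if parent is None:
            findings.append((p.cid, "parent %#x not present in dump" % p.parent_cid))
        elif parent.image != "smss.exe":
            findings.append((p.cid, "parent is %s, expected smss.exe" % parent.image))
    return findings


def sessions_with_csrss(procs):
    """Sorted list of session ids that have a csrss.exe (one per session is expected)."""
    return sorted(p.session for p in procs if p.image == "csrss.exe")


# Constructed sample: entries 1-4 copied from the dump above, entry 5 (svchost 02c4)
# copied as the fake parent, entry 6 (csrss Cid 0f00) is made up to trigger the check.
SAMPLE_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 899a2278  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 0a200000  ObjectTable: e1000e38  HandleCount: 320.
    Image: System
PROCESS 894ddd88  SessionId: none  Cid: 0180    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 7b189000  ObjectTable: e1278720  HandleCount:  20.
    Image: smss.exe
PROCESS 8940cd88  SessionId: 0  Cid: 01b0    Peb: 7ffdf000  ParentCid: 0180
    DirBase: 7aa43000  ObjectTable: e1458b40  HandleCount: 304.
    Image: csrss.exe
PROCESS 896b7538  SessionId: 1  Cid: 06d4    Peb: 7ffdf000  ParentCid: 0180
    DirBase: 7880e000  ObjectTable: e188c460  HandleCount:   0.
    Image: csrss.exe
PROCESS 898618d0  SessionId: 0  Cid: 02c4    Peb: 7ffdf000  ParentCid: 01f4
    DirBase: 79bc2000  ObjectTable: e144df68  HandleCount: 160.
    Image: svchost.exe
PROCESS 8aaa0000  SessionId: 1  Cid: 0f00    Peb: 7ffdf000  ParentCid: 02c4
    DirBase: 11111000  ObjectTable: e1999999  HandleCount:   5.
    Image: csrss.exe
"""

if __name__ == "__main__":
    procs = parse_process_dump(SAMPLE_DUMP)
    print("sessions with csrss.exe:", sessions_with_csrss(procs))
    for cid, reason in check_csrss_parentage(procs):
        print("csrss.exe Cid %#x: %s" % (cid, reason))
```

On the 2003-era system in the dump above the parent smss.exe (Cid 0180) is still alive, so the check resolves cleanly. On Windows Vista and later, smss starts a per-session copy of itself which exits after launching csrss.exe, so the ParentCid of a legitimate csrss.exe often points at a process that is no longer in the dump; treat the "parent not present" finding as informational there and only the "parent is another image" finding as a real deviation from the expected process tree.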