
Debugging notes: winlogon.exe on Win7


Part 1:

kd> !PROCESS  fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:   0.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 10 Clone 0 Private 15. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token                             fffff8a000e7c680
ElapsedTime                       00:00:00.390
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         13568
QuotaPoolUsage[NonPagedPool]      1080
Working Set Sizes (now,min,max)  (21, 50, 345) (84KB, 200KB, 1380KB)
PeakWorkingSetSize                21
VirtualSize                       5 Mb
PeakVirtualSize                   5 Mb
PageFaultCount                    16
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      734

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: 0000000000000000 READY on processor 0
Not impersonating
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275087847      Ticks: 25 (0:00:00:00.390)
Context Switch Count      0              IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x00000000ff3ed124
Stack Init fffff880042dad70 Current fffff880042daa60
Base fffff880042db000 Limit fffff880042d5000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`042daaa0 fffff800`02a6bad7 nt!KiStartUserThread
fffff880`042dabe0 00000000`777b943c nt!KiStartUserThreadReturn (TrapFrame @ fffff880`042dabe0)
00000000`000afac8 00000000`00000000 0x777b943c

Part 2:


kd> t
Breakpoint 9 hit
winlogon!WinMainCRTStartup:
0033:00000000`ff3ed124 ??              ???
kd> kc
# Call Site
00 winlogon!WinMainCRTStartup
01 kernel32!BaseThreadInitThunk
02 ntdll!RtlUserThreadStart
kd> pc
winlogon!WinMainCRTStartup+0x4:
0033:00000000`ff3ed128 e8e3020000      call    winlogon!_security_init_cookie (00000000`ff3ed410)
kd> p
winlogon!WinMainCRTStartup+0x9:
0033:00000000`ff3ed12d 4883c428        add     rsp,28h
kd> pc
winlogon!DbgSetLoggingOption+0xc0:
0033:00000000`ff3ece10 ??              ???
kd> pc
winlogon!DbgSetLoggingOption+0xdd:
0033:00000000`ff3ece2d ff15a544fbff    call    qword ptr [winlogon!_imp_GetStartupInfoW (00000000`ff3a12d8)]
kd> pc
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1            call    rcx
kd> r
rax=0000000000000000 rbx=0000000000000000 rcx=00000000ff3ed04c
rdx=00000000000af9d0 rsi=0000000000000000 rdi=00000000ff3a1be8
rip=00000000ff3eceba rsp=00000000000af990 rbp=0000000000000000
r8=00000000002621e0  r9=0000000000000000 r10=0000000000000000
r11=ffffed13852b8d76 r12=00000000ff3a1bf8 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1            call    rcx {winlogon!DbgSetLoggingOption+0x2fc (00000000`ff3ed04c)}
kd> pc
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1            call    rcx
kd> r
rax=0000000000000000 rbx=0000000000000000 rcx=00000000ff3ed1fc
rdx=00000000ff3a0000 rsi=0000000000000000 rdi=00000000ff3a1bf0
rip=00000000ff3eceba rsp=00000000000af990 rbp=0000000000000000
r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=ffffffffffffffff r12=00000000ff3a1bf8 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
winlogon!DbgSetLoggingOption+0x16a:
0033:00000000`ff3eceba ffd1            call    rcx {winlogon!_CxxSetUnhandledExceptionFilter (00000000`ff3ed1fc)}
kd> pc
winlogon!DbgSetLoggingOption+0x1ac:
0033:00000000`ff3ecefc e827040000      call    winlogon!initterm (00000000`ff3ed328)

Part 3:


kd> !process  fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:  13.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 38 Clone 0 Private 128. Modified 0. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7c680
ElapsedTime                       00:00:06.177
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         51032
QuotaPoolUsage[NonPagedPool]      4440
Working Set Sizes (now,min,max)  (726, 50, 345) (2904KB, 200KB, 1380KB)
PeakWorkingSetSize                726
VirtualSize                       22 Mb
PeakVirtualSize                   22 Mb
PageFaultCount                    738
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      800

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088243      Ticks: 0
Context Switch Count      89             IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:04.742
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422baa0
Base fffff8800422d000 Limit fffff88004225000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0422bd68 fffff800`033730b7 nt!PspCreateThread
fffff880`0422bd70 fffff800`02a70e13 nt!NtCreateThreadEx+0x31f
fffff880`0422c4c0 fffff800`02a6aa40 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422c530)
fffff880`0422c6c8 fffff800`0337f688 nt!KiServiceLinkage
fffff880`0422c6d0 fffff800`0340a02b nt!RtlpCreateUserThreadEx+0x174
fffff880`0422c820 fffff800`03409597 nt!EtwpInjectThread+0xdf
fffff880`0422c8a0 fffff800`034091d0 nt!EtwpQueueNotification+0x3a7
fffff880`0422c940 fffff800`033fd00b nt!EtwpSendDataBlock+0x1f8
fffff880`0422c9f0 fffff800`03401617 nt!EtwpEnableGuid+0x5a7
fffff880`0422cae0 fffff800`02a70e13 nt!NtTraceControl+0x453
fffff880`0422cb70 00000000`7785b9fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af368 00000000`778240c3 ntdll!NtTraceControl+0x1e
00000000`000af370 000007fe`fe283c32 ntdll!EtwSendNotification+0x8f
00000000`000af490 000007fe`fe2838ef ADVAPI32!EnableTraceEx2+0x326
00000000`000af5b0 000007fe`fe283828 ADVAPI32!EnableTraceEx+0xbb
00000000`000af640 00000000`ff3b1575 ADVAPI32!EnableTrace+0x4c
00000000`000af6a0 00000000`ff3b1a78 winlogon!WppStart+0x4d9
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0x194
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25

Part 4:

kd> g
Breakpoint 14 hit
winlogon!WppStart+0x4d9:
0033:00000000`ff3b1575 89442438        mov     dword ptr [rsp+38h],eax
kd> kc
# Call Site
00 winlogon!WppStart
01 winlogon!WinMain
02 winlogon!DbgSetLoggingOption
03 kernel32!BaseThreadInitThunk
04 ntdll!RtlUserThreadStart
kd> pc
winlogon!WppStart+0x4fe:
0033:00000000`ff3b159a ff1588a50400    call    qword ptr [winlogon!_imp_EnableTrace (00000000`ff3fbb28)]
kd> pc
winlogon!WppStart+0x529:
0033:00000000`ff3b15c5 ff155da50400    call    qword ptr [winlogon!_imp_EnableTrace (00000000`ff3fbb28)]
kd> pc
winlogon!WppStart+0x541:
0033:00000000`ff3b15dd ff1515fcfeff    call    qword ptr [winlogon!_imp_LocalFree (00000000`ff3a11f8)]
kd> pc
winlogon!WppStart+0x554:
0033:00000000`ff3b15f0 e85bbb0300      call    winlogon!_security_check_cookie (00000000`ff3ed150)
kd> pc
winlogon!WinMain+0x1a7:
0033:00000000`ff3b1a8b ff1577fefeff    call    qword ptr [winlogon!_imp_EtwEventRegister (00000000`ff3a1908)]
kd> pc
winlogon!WinMain+0x1ad:
0033:00000000`ff3b1a91 e81e330300      call    winlogon!UmsHlprInit (00000000`ff3e4db4)
kd> pc
winlogon!WinMain+0x21e:
0033:00000000`ff3b1b02 ff1558f6feff    call    qword ptr [winlogon!_imp_HeapCreate (00000000`ff3a1160)]
kd> pc
winlogon!WinMain+0x2a9:
0033:00000000`ff3b1b8d e8eecfffff      call    winlogon!SetProcessPriority (00000000`ff3aeb80)
kd> pc
winlogon!WinMain+0x325:
0033:00000000`ff3b1c09 ff1551f5feff    call    qword ptr [winlogon!_imp_HeapCreate (00000000`ff3a1160)]
kd> pc
winlogon!WinMain+0x3c3:
0033:00000000`ff3b1ca7 e8a0950100      call    winlogon!JobManagerInitialize (00000000`ff3cb24c)

kd> pc
winlogon!WinMain+0x454:
0033:00000000`ff3b1d38 ff15d2f2feff    call    qword ptr [winlogon!_imp_RegOpenKeyExW (00000000`ff3a1010)]
kd> pc
winlogon!WinMain+0x466:
0033:00000000`ff3b1d4a ff15b0f2feff    call    qword ptr [winlogon!_imp_RegCloseKey (00000000`ff3a1000)]
kd> pc
winlogon!WinMain+0x47d:
0033:00000000`ff3b1d61 e862cbffff      call    winlogon!InitializeData (00000000`ff3ae8c8)
kd> pc
winlogon!WinMain+0x52b:
0033:00000000`ff3b1e0f ff15fbf1feff    call    qword ptr [winlogon!_imp_RegOpenKeyExW (00000000`ff3a1010)]


Part 5:

kd> pc
winlogon!WinMain+0x67a:
0033:00000000`ff3b1f5e e8911b0100      call    winlogon!CGlobalStore::RegQueryWinlogonDWORD (00000000`ff3c3af4)
kd> pc
winlogon!WinMain+0x68a:
0033:00000000`ff3b1f6e e86d3e0300      call    winlogon!InitDebugHelpers (00000000`ff3e5de0)


kd> pc
Breakpoint 0 hit
nt!PspCreateThread:
fffff800`03355e40 4c8bdc          mov     r11,rsp
kd> kc
# Call Site
00 nt!PspCreateThread
01 nt!NtCreateThreadEx
02 nt!KiSystemServiceCopyEnd
03 ntdll!NtCreateThreadEx
04 ntdll!RtlpCreateUserThreadEx
05 ntdll!TppWaiterpSpinupThread
06 ntdll!TppWaiterAllocWaitSlot
07 ntdll!TppWaitAlloc
08 ntdll!TppTimerpInitTimerQueueQueue
09 ntdll!TppTimerpAllocTimerQueue
0a ntdll!TppTimerpAcquirePoolTimerQueue
0b ntdll!TppTimerAlloc
0c ntdll!TpAllocTimer
0d ntdll!RtlCreateTimer
0e KERNELBASE!CreateTimerQueueTimer
0f kernel32!SetTimerQueueTimer
10 winlogon!InitDebugHelpers
11 winlogon!WinMain
12 winlogon!DbgSetLoggingOption
13 kernel32!BaseThreadInitThunk
14 ntdll!RtlUserThreadStart

kd> !process  fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:  25.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 48 Clone 0 Private 154. Modified 0. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7c680
ElapsedTime                       00:00:10.062
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         51928
QuotaPoolUsage[NonPagedPool]      5704
Working Set Sizes (now,min,max)  (789, 50, 345) (3156KB, 200KB, 1380KB)
PeakWorkingSetSize                789
VirtualSize                       26 Mb
PeakVirtualSize                   27 Mb
PageFaultCount                    801
MemoryPriority                    BACKGROUND
BasePriority                      13
CommitCharge                      857

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (WrKeyedEvent) UserMode Non-Alertable
fffffa802150ca20  Semaphore Limit 0x1
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088482      Ticks: 10 (0:00:00:00.156)
Context Switch Count      119            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:08.455
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422c860
Base fffff8800422d000 Limit fffff88004225000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0422c8a0 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422c9e0 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422ca30 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422caa0 fffff800`03437116 nt!KeWaitForSingleObject+0x532
fffff880`0422cb40 fffff800`02a70e13 nt!NtWaitForKeyedEvent+0x3b6
fffff880`0422cbe0 00000000`7785bb5e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af1a8 00000000`77831a69 ntdll!ZwWaitForKeyedEvent+0x1e
00000000`000af1b0 00000000`77831c97 ntdll!TppWaitpSet+0x419
00000000`000af260 00000000`7782e70a ntdll!TpSetWait+0x1bb
00000000`000af360 00000000`7782ea31 ntdll!TppTimerpInitTimerQueueQueue+0x102
00000000`000af3c0 00000000`7782ed76 ntdll!TppTimerpAllocTimerQueue+0x195
00000000`000af420 00000000`7782efc7 ntdll!TppTimerpAcquirePoolTimerQueue+0x52
00000000`000af460 00000000`7782f236 ntdll!TppTimerAlloc+0x19b
00000000`000af4f0 00000000`7783c57e ntdll!TpAllocTimer+0xf6
00000000`000af600 000007fe`fd91d835 ntdll!RtlCreateTimer+0x1b6
00000000`000af6e0 00000000`776e19ac KERNELBASE!CreateTimerQueueTimer+0x61
00000000`000af740 00000000`ff3e5f3d kernel32!SetTimerQueueTimer+0x4c
00000000`000af7a0 00000000`ff3b1f73 winlogon!InitDebugHelpers+0x15d
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0x68f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
kd> kc
# Call Site
00 winlogon!WinMain
01 winlogon!DbgSetLoggingOption
02 kernel32!BaseThreadInitThunk
03 ntdll!RtlUserThreadStart


Part 6:

kd> pc
winlogon!WinMain+0x6e6:
0033:00000000`ff3b1fca e87d3f0300      call    winlogon!SetProfilesLocation (00000000`ff3e5f4c)
kd> pc
winlogon!WinMain+0x6ed:
0033:00000000`ff3b1fd1 e822330000      call    winlogon!SetupBasicEnvironment (00000000`ff3b52f8)
kd> pc
winlogon!WinMain+0x6f2:
0033:00000000`ff3b1fd6 e8bde20000      call    winlogon!AsyncLogoffSupportInit (00000000`ff3c0298)
kd> pc
winlogon!WinMain+0x74c:
0033:00000000`ff3b2030 ??              ???
kd> pc
winlogon!WinMain+0x755:
0033:00000000`ff3b2039 e896290000      call    winlogon!WMsgClntInitialize (00000000`ff3b49d4)
kd> pc
Breakpoint 0 hit
nt!PspCreateThread:
fffff800`03355e40 4c8bdc          mov     r11,rsp
kd> kc
# Call Site
00 nt!PspCreateThread
01 nt!NtCreateThreadEx
02 nt!KiSystemServiceCopyEnd
03 nt!KiServiceLinkage
04 nt!RtlpCreateUserThreadEx
05 nt!ExpWorkerFactoryCreateThread
06 nt!ExpWorkerFactoryCheckCreate
07 nt!NtSetInformationWorkerFactory
08 nt!KiSystemServiceCopyEnd
09 ntdll!NtSetInformationWorkerFactory
0a ntdll!TpBindAlpcToDirect
0b ntdll!TppAllocAlpcCompletion
0c ntdll!TpAllocAlpcCompletionEx
0d RPCRT4!RPC_THREAD_POOL::CreateAlpc
0e RPCRT4!LRPC_ADDRESS::ServerStartingToListen
0f RPCRT4!RPC_SERVER::UseRpcProtocolSequence
10 RPCRT4!I_RpcServerUseProtseqEp2W
11 RPCRT4!RpcServerUseProtseqEpExW
12 RPCRT4!RpcServerUseProtseqEpW
13 winlogon!StartWMsgKServer
14 winlogon!WMsgClntInitialize
15 winlogon!WinMain
16 winlogon!DbgSetLoggingOption
17 kernel32!BaseThreadInitThunk
18 ntdll!RtlUserThreadStart


kd> bp 00000000`ff3b203e
kd> g
Breakpoint 16 hit
winlogon!WinMain+0x75a:
0033:00000000`ff3b203e 89442440        mov     dword ptr [rsp+40h],eax
kd> pc
winlogon!WinMain+0x7cc:
0033:00000000`ff3b20b0 ff1582f9feff    call    qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]


Part 7:

kd> g
Breakpoint 16 hit
winlogon!WinMain+0x75a:
0033:00000000`ff3b203e 89442440        mov     dword ptr [rsp+40h],eax
kd> pc
winlogon!WinMain+0x7cc:
0033:00000000`ff3b20b0 ff1582f9feff    call    qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]
kd> p
winlogon!WinMain+0x7d2:
0033:00000000`ff3b20b6 3ac3            cmp     al,bl
kd> pc
winlogon!WinMain+0x7ea:
0033:00000000`ff3b20ce ff156cf9feff    call    qword ptr [winlogon!_imp_EtwEventWrite (00000000`ff3a1a40)]
kd> pc
winlogon!WinMain+0x81c:
0033:00000000`ff3b2100 e82bfd0000      call    winlogon!CSession::CreatePrimaryTerminal (00000000`ff3c1e30)


kd> !PROCESS  fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:  42.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 55 Clone 0 Private 274. Modified 1. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7c680
ElapsedTime                       00:00:13.041
UserTime                          00:00:00.000
KernelTime                        00:00:00.093
QuotaPoolUsage[PagedPool]         51248
QuotaPoolUsage[NonPagedPool]      6544
Working Set Sizes (now,min,max)  (1096, 50, 345) (4384KB, 200KB, 1380KB)
PeakWorkingSetSize                1104
VirtualSize                       28 Mb
PeakVirtualSize                   60 Mb
PageFaultCount                    1276
MemoryPriority                    BACKGROUND
BasePriority                      13
CommitCharge                      991

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (WrLpcReply) KernelMode Non-Alertable
fffffa802150ca20  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa80214e1c70 : queued at port fffffa802150dbd0 : owned by process fffffa801bbc6150
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088683      Ticks: 0
Context Switch Count      129            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:10.218
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422b8e0
Base fffff8800422d000 Limit fffff88004224000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0422b920 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422ba60 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422bab0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422bb20 fffff800`028ef0db nt!KeWaitForSingleObject+0x532
fffff880`0422bbc0 fffff800`031cbd85 nt!AlpcpSignalAndWait+0x277
fffff880`0422bc80 fffff800`03217474 nt!AlpcpReceiveSynchronousReply+0xf9
fffff880`0422bd80 fffff800`031615cd nt!AlpcpProcessSynchronousRequest+0xf10
fffff880`0422beb0 fffff800`03162d51 nt!LpcpRequestWaitReplyPort+0x249
fffff880`0422bf50 fffff960`001e5a13 nt!LpcRequestWaitReplyPort+0x55
fffff880`0422bfa0 fffff960`001e5f80 win32k!xxxInitTerminal+0x267
fffff880`0422c100 fffff960`00183c57 win32k!xxxCreateWindowStation+0x354
fffff880`0422c4f0 fffff800`02a70e13 win32k!NtUserCreateWindowStation+0x457
fffff880`0422cb70 00000000`775c08fa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af098 00000000`77540694 USER32!NtUserCreateWindowStation+0xa
00000000`000af0a0 00000000`7754078b USER32!CommonCreateWindowStation+0x3f4
00000000`000af6f0 00000000`ff3e6a77 USER32!CreateWindowStationW+0x3b
00000000`000af730 00000000`ff3c1fc6 winlogon!CreatePrimaryTerminal+0xbb
00000000`000af7b0 00000000`ff3b2105 winlogon!CSession::CreatePrimaryTerminal+0x196
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0x821
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25


Part 8:


winlogon!CreatePrimaryTerminal

kd> .process
Implicit process is now fffffa80`1da53b30
kd> g
Breakpoint 17 hit
winlogon!WinMain+0x821:
0033:00000000`ff3b2105 89442440        mov     dword ptr [rsp+40h],eax
kd> kc
# Call Site
00 winlogon!WinMain
01 winlogon!DbgSetLoggingOption
02 kernel32!BaseThreadInitThunk
03 ntdll!RtlUserThreadStart

kd> pc
winlogon!WinMain+0x838:
0033:00000000`ff3b211c ff1516f9feff    call    qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]
kd> pc
winlogon!WinMain+0x856:
0033:00000000`ff3b213a ff1500f9feff    call    qword ptr [winlogon!_imp_EtwEventWrite (00000000`ff3a1a40)]
kd> pc
winlogon!WinMain+0x959:
0033:00000000`ff3b223d e8faecffff      call    winlogon!WLEventWrite (00000000`ff3b0f3c)
kd> pc
winlogon!WinMain+0x960:
0033:00000000`ff3b2244 ff156ef3feff    call    qword ptr [winlogon!_imp_UpdatePerUserSystemParameters (00000000`ff3a15b8)]


Part 9:

kd> pc
winlogon!WinMain+0x96f:
0033:00000000`ff3b2253 e8e4ecffff      call    winlogon!WLEventWrite (00000000`ff3b0f3c)
kd> pc
winlogon!WinMain+0x99a:
0033:00000000`ff3b227e e8bd530200      call    winlogon!SbBootPrompt (00000000`ff3d7640)


kd> pc
winlogon!WinMain+0xa1e:
0033:00000000`ff3b2302 e8d1bfffff      call    winlogon!WPP_SF_ (00000000`ff3ae2d8)


Part 10:


kd> t
winlogon!WPP_SF_:
0033:00000000`ff3ae2d8 488bc4          mov     rax,rsp
kd> pc
winlogon!WPP_SF_+0x21:
0033:00000000`ff3ae2f9 e8f6f20300      call    winlogon!EtwTraceMessage (00000000`ff3ed5f4)
kd> pc
winlogon!WinMain+0xa36:
0033:00000000`ff3b231a ff1518f7feff    call    qword ptr [winlogon!_imp_EtwEventEnabled (00000000`ff3a1a38)]
kd> pc
winlogon!WinMain+0xa54:
0033:00000000`ff3b2338 ff1502f7feff    call    qword ptr [winlogon!_imp_EtwEventWrite (00000000`ff3a1a40)]
kd> pc
winlogon!WinMain+0xa5a:
0033:00000000`ff3b233e e8afc10300      call    winlogon!WinStationWaitForConnect (00000000`ff3ee4f2)


kd> t
Breakpoint 10 hit
winlogon!WinStationWaitForConnect:
0033:00000000`ff3ee4f2 ff252832fbff    jmp     qword ptr [winlogon!_imp__WinStationWaitForConnect (00000000`ff3a1720)]
kd> kc
# Call Site
00 winlogon!WinStationWaitForConnect
01 winlogon!WinMain
02 winlogon!DbgSetLoggingOption
03 kernel32!BaseThreadInitThunk
04 ntdll!RtlUserThreadStart


Part 11:

kd> pc
WINSTA!WinStationWaitForConnect+0x1d:
0033:000007fe`fcf8de21 e8927a0000      call    WINSTA!_DbgPrintMessage (000007fe`fcf958b8)
kd> p
WINSTA!WinStationWaitForConnect+0x22:
0033:000007fe`fcf8de26 e835bc0000      call    WINSTA!WaitForLsmStart (000007fe`fcf99a60)
kd> pc
Breakpoint 7 hit
nt!KiStartUserThread:
fffff800`02a6bb3f b901000000      mov     ecx,1

kd> !PROCESS  fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:  52.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 56 Clone 0 Private 287. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7c680
ElapsedTime                       00:00:14.601
UserTime                          00:00:00.000
KernelTime                        00:00:00.093
QuotaPoolUsage[PagedPool]         59696
QuotaPoolUsage[NonPagedPool]      6792
Working Set Sizes (now,min,max)  (1205, 50, 345) (4820KB, 200KB, 1380KB)
PeakWorkingSetSize                1258
VirtualSize                       29 Mb
PeakVirtualSize                   60 Mb
PageFaultCount                    1575
MemoryPriority                    BACKGROUND
BasePriority                      13
CommitCharge                      1004

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801f3abae0  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088782      Ticks: 1 (0:00:00:00.015)
Context Switch Count      141            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:11.606
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422c890
Base fffff8800422d000 Limit fffff88004224000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0422c8d0 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422ca10 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422ca60 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422cad0 fffff800`0331f9af nt!KeWaitForSingleObject+0x532
fffff880`0422cb70 fffff800`02a70e13 nt!NtWaitForSingleObject+0xf7
fffff880`0422cbe0 00000000`778589fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af6c8 000007fe`fd925ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`000af6d0 000007fe`fcf99ad8 KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`000af780 000007fe`fcf8de2b WINSTA!WaitForLsmStart+0x78
00000000`000af7b0 00000000`ff3b2343 WINSTA!WinStationWaitForConnect+0x27
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0xa5f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25


00000000`000af6d0 000007fe`fcf99ad8 KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`000af780 000007fe`fcf8de2b WINSTA!WaitForLsmStart+0x78


kd> bp 000007fe`fcf99ad8


kd> !PROCESS  fffffa801f3f9b30
PROCESS fffffa801f3f9b30
SessionId: 0  Cid: 01e0    Peb: 7fffffdd000  ParentCid: 0194
DirBase: 4daae000  ObjectTable: fffff8a000e782c0  HandleCount:  25.
Image: lsm.exe
VadRoot fffffa801f3ec7a0 Vads 29 Clone 0 Private 168. Modified 0. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7d060
ElapsedTime                       00:00:16.473
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         24600
QuotaPoolUsage[NonPagedPool]      3360
Working Set Sizes (now,min,max)  (655, 50, 345) (2620KB, 200KB, 1380KB)
PeakWorkingSetSize                655
VirtualSize                       11 Mb
PeakVirtualSize                   12 Mb
PageFaultCount                    652
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      844

        THREAD fffffa801f3ffb60  Cid 01e0.01e4  Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa801f3fff20  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa80215a0c70 : queued at port fffffa8021597e40 : owned by process fffffa801da55b30
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801f3f9b30       Image:         lsm.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088846      Ticks: 15 (0:00:00:00.234)
Context Switch Count      25             IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:00:00.124
Win32 Start Address lsm!mainCRTStartup (0x00000000ff413e7c)
Stack Init fffff880042c5d70 Current fffff880042c54d0
Base fffff880042c6000 Limit fffff880042c0000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`042c5510 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`042c5650 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`042c56a0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`042c5710 fffff800`028ef0db nt!KeWaitForSingleObject+0x532
fffff880`042c57b0 fffff800`031cbd85 nt!AlpcpSignalAndWait+0x277
fffff880`042c5870 fffff800`03217474 nt!AlpcpReceiveSynchronousReply+0xf9
fffff880`042c5970 fffff800`0321ae1a nt!AlpcpProcessSynchronousRequest+0xf10
fffff880`042c5aa0 fffff800`02a70e13 nt!NtAlpcSendWaitReceivePort+0x20e
fffff880`042c5b70 00000000`77859a1e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`042c5be0)
00000000`0014f1d8 000007fe`fe46838d ntdll!NtAlpcSendWaitReceivePort+0x1e
00000000`0014f1e0 000007fe`fe47f5d7 RPCRT4!LRPC_CASSOCIATION::AlpcSendWaitReceivePort+0x249
00000000`0014f260 000007fe`fe47c154 RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0x1cf
00000000`0014f2f0 000007fe`fe484ee1 RPCRT4!LRPC_BASE_CCALL::SendReceive+0xac
00000000`0014f360 000007fe`fe41c421 RPCRT4!LRPC_CCALL::SendReceive+0x31
00000000`0014f390 000007fe`fe4c75ce RPCRT4!I_RpcSendReceive+0xf1
00000000`0014f3c0 000007fe`fe518b54 RPCRT4!NdrSendReceive+0x72
00000000`0014f3f0 000007fe`fe518904 RPCRT4!NdrpClientCall2+0x244
00000000`0014f9d0 000007fe`fe30bd0f RPCRT4!NdrClientCall2+0x28
00000000`0014fa00 00000000`ff3d6d02 sechost!OpenSCManagerW+0x73
00000000`0014fa70 00000000`ff3d6be4 lsm!CService::Start+0x4e
00000000`0014fae0 00000000`ff413d2d lsm!main+0x260
00000000`0014fb50 00000000`776cb701 lsm!CRegistry::WriteRegString+0x255
00000000`0014fb90 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`0014fbc0 00000000`00000000 ntdll!RtlUserThreadStart+0x25


Part 12:

kd> !PROCESS  fffffa8021520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:  52.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 56 Clone 0 Private 287. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7c680
ElapsedTime                       00:00:15.818
UserTime                          00:00:00.000
KernelTime                        00:00:00.093
QuotaPoolUsage[PagedPool]         59696
QuotaPoolUsage[NonPagedPool]      6792
Working Set Sizes (now,min,max)  (1205, 50, 345) (4820KB, 200KB, 1380KB)
PeakWorkingSetSize                1258
VirtualSize                       29 Mb
PeakVirtualSize                   60 Mb
PageFaultCount                    1575
MemoryPriority                    BACKGROUND
BasePriority                      13
CommitCharge                      1004

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801f3abae0  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088782      Ticks: 79 (0:00:00:01.232)
Context Switch Count      141            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:11.606
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422c890
Base fffff8800422d000 Limit fffff88004224000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0422c8d0 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422ca10 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422ca60 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422cad0 fffff800`0331f9af nt!KeWaitForSingleObject+0x532
fffff880`0422cb70 fffff800`02a70e13 nt!NtWaitForSingleObject+0xf7
fffff880`0422cbe0 00000000`778589fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0422cbe0)
00000000`000af6c8 000007fe`fd925ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`000af6d0 000007fe`fcf99ad8 KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`000af780 000007fe`fcf8de2b WINSTA!WaitForLsmStart+0x78
00000000`000af7b0 00000000`ff3b2343 WINSTA!WinStationWaitForConnect+0x27
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0xa5f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25

kd> g
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000      mov     eax,1
kd> g
Breakpoint 3 hit
ntdll!RtlUserThreadStart:
0033:00000000`777b943c 4c8bdc          mov     r11,rsp

kd> !process fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:  48.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 56 Clone 0 Private 286. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7c680
ElapsedTime                       01:38:48.795
UserTime                          00:00:00.000
KernelTime                        00:00:00.405
QuotaPoolUsage[PagedPool]         59696
QuotaPoolUsage[NonPagedPool]      6792
Working Set Sizes (now,min,max)  (1205, 50, 345) (4820KB, 200KB, 1380KB)
PeakWorkingSetSize                1258
VirtualSize                       29 Mb
PeakVirtualSize                   60 Mb
PageFaultCount                    1584
MemoryPriority                    BACKGROUND
BasePriority                      13
CommitCharge                      1004

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (Executive) KernelMode Non-Alertable
fffffa801bbda560  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275104493      Ticks: 2 (0:00:00:00.031)
Context Switch Count      143            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:11.637
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422be00
Base fffff8800422d000 Limit fffff88004227000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0422be40 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422bf80 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422bfd0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422c040 fffff800`030e302b nt!KeWaitForSingleObject+0x532
fffff880`0422c0e0 fffff800`028df3ca nt!DbgkpSendErrorMessage+0x16f
fffff880`0422c230 fffff800`02a71202 nt!KiDispatchException+0x2e6
fffff880`0422ca00 fffff800`02a6f034 nt!KiExceptionDispatch+0xc2
fffff880`0422cbe0 000007fe`fcf8de2c nt!KiBreakpointTrap+0xf4 (TrapFrame @ fffff880`0422cbe0)
00000000`000af7b0 00000000`00000000 WINSTA!WinStationWaitForConnect+0x28


kd> bd 3
kd> g
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000      mov     eax,1
kd> kc
# Call Site
00 WINSTA!WaitForLsmStart
01 WINSTA!OpenLocalLSM
02 WINSTA!CPublicBinding::GetLSMBinding
03 WINSTA!WinStationIsSessionRemoteable
04 0x0
kd> .process
Implicit process is now fffffa80`1da53b30

kd> bd 0
kd> g
Break instruction exception - code 80000003 (first chance)
WINSTA!WinStationWaitForConnect+0x27:
0033:000007fe`fcf8de2b 33f6            xor     esi,esi
kd> bd 0
kd> kc
# Call Site
00 WINSTA!WinStationWaitForConnect
01 winlogon!WinMain
02 winlogon!DbgSetLoggingOption
03 kernel32!BaseThreadInitThunk
04 ntdll!RtlUserThreadStart
kd> pc
WINSTA!WinStationWaitForConnect+0x34:
0033:000007fe`fcf8de38 e8611b0100      call    WINSTA!operator new (000007fe`fcf9f99e)


kd> pc
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000      mov     eax,1
kd> kc
# Call Site
00 WINSTA!WaitForLsmStart
01 WINSTA!OpenLocalLSM
02 WINSTA!CPublicBinding::GetLSMBinding
03 WINSTA!WinStationIsSessionRemoteable
04 0x0


kd> pc
WINSTA!WinStationWaitForConnect+0x4b:
0033:000007fe`fcf8de4f e84c77ffff      call    WINSTA!CPublicBinding::CPublicBinding (000007fe`fcf855a0)
kd> pc
Breakpoint 18 hit
WINSTA!WaitForLsmStart+0x78:
0033:000007fe`fcf99ad8 b801000000      mov     eax,1
kd> kc
# Call Site
00 WINSTA!WaitForLsmStart
01 WINSTA!OpenLocalLSM
02 WINSTA!CPublicBinding::GetLSMBinding
03 WINSTA!WinStationIsSessionRemoteable
04 0x0

kd> g
Breakpoint 20 hit
WINSTA!WinStationWaitForConnect+0x51:
0033:000007fe`fcf8de55 8bf8            mov     edi,eax
kd> p
WINSTA!WinStationWaitForConnect+0x53:
0033:000007fe`fcf8de57 4889442430      mov     qword ptr [rsp+30h],rax
kd> pc
WINSTA!WinStationWaitForConnect+0xa6:
0033:000007fe`fcf8deaa e891bf0000      call    WINSTA!CPublicBinding::GetLSMBinding (000007fe`fcf99e40)


kd> !process  fffffa80`21520630
PROCESS fffffa8021520630
SessionId: 1  Cid: 01fc    Peb: 7fffffd9000  ParentCid: 018c
DirBase: 4fafa000  ObjectTable: fffff8a000e6b920  HandleCount:  49.
Image: winlogon.exe
VadRoot fffffa8021522d30 Vads 55 Clone 0 Private 288. Modified 3. Locked 0.
DeviceMap fffff8a000009aa0
Token                             fffff8a000e7c680
ElapsedTime                       01:39:49.245
UserTime                          00:00:00.000
KernelTime                        00:00:00.499
QuotaPoolUsage[PagedPool]         59696
QuotaPoolUsage[NonPagedPool]      6672
Working Set Sizes (now,min,max)  (1283, 50, 345) (5132KB, 200KB, 1380KB)
PeakWorkingSetSize                1283
VirtualSize                       2076 Mb
PeakVirtualSize                   2077 Mb
PageFaultCount                    1666
MemoryPriority                    BACKGROUND
BasePriority                      13
CommitCharge                      526300

        THREAD fffffa802150c660  Cid 01fc.0200  Teb: 000007fffffde000 Win32Thread: fffff900c011d3a0 WAIT: (Executive) KernelMode Non-Alertable
fffffa801bbda560  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa8021520630       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275108370      Ticks: 0
Context Switch Count      158            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:12.074
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ff3ed124)
Stack Init fffff8800422cd70 Current fffff8800422be00
Base fffff8800422d000 Limit fffff88004227000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0422be40 fffff800`028e5eb4 nt!KiSwapContext+0x7a
fffff880`0422bf80 fffff800`028e795d nt!KiSwapThread+0x324
fffff880`0422bfd0 fffff800`028d3d9a nt!KiCommitThreadWait+0x4e5
fffff880`0422c040 fffff800`030e302b nt!KeWaitForSingleObject+0x532
fffff880`0422c0e0 fffff800`028df3ca nt!DbgkpSendErrorMessage+0x16f
fffff880`0422c230 fffff800`02a71202 nt!KiDispatchException+0x2e6
fffff880`0422ca00 fffff800`02a6f034 nt!KiExceptionDispatch+0xc2
fffff880`0422cbe0 000007fe`fcf99ad9 nt!KiBreakpointTrap+0xf4 (TrapFrame @ fffff880`0422cbe0)
00000000`000af6d0 000007fe`fcf99cc5 WINSTA!WaitForLsmStart+0x79
00000000`000af700 000007fe`fcf99ef1 WINSTA!OpenLocalLSM+0xe5
00000000`000af770 000007fe`fcf8deaf WINSTA!CPublicBinding::GetLSMBinding+0xb1
00000000`000af7b0 00000000`ff3b2343 WINSTA!WinStationWaitForConnect+0xab
00000000`000af800 00000000`ff3ecf9e winlogon!WinMain+0xa5f
00000000`000af990 00000000`776cb701 winlogon!DbgSetLoggingOption+0x24e
00000000`000afa50 00000000`777b9461 kernel32!BaseThreadInitThunk+0x1d
00000000`000afa80 00000000`00000000 ntdll!RtlUserThreadStart+0x25


Part 13:


THREAD fffffa801e840b60  Cid 0204.0208  Teb: 000007fffffde000 Win32Thread: fffff900c01184b0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801e408c70  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801d44c210       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275087392      Ticks: 44 (0:00:00:00.686)
Context Switch Count      83             IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.078
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffb7d124)
Stack Init fffff88003012d70 Current fffff88003012890
Base fffff88003013000 Limit fffff8800300a000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`030128d0 fffff800`028edeb4 nt!KiSwapContext+0x7a
fffff880`03012a10 fffff800`028ef95d nt!KiSwapThread+0x324
fffff880`03012a60 fffff800`028dbd9a nt!KiCommitThreadWait+0x4e5
fffff880`03012ad0 fffff800`033279af nt!KeWaitForSingleObject+0x532
fffff880`03012b70 fffff800`02a78e13 nt!NtWaitForSingleObject+0xf7
fffff880`03012be0 00000000`777989fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03012be0)
00000000`001bf1d8 000007fe`fd555ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`001bf1e0 00000000`ffb6cf4d KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`001bf290 00000000`ffb6bb4b winlogon!SignalManagerWaitForSignal+0x201
00000000`001bf2f0 00000000`ffb42cbc winlogon!StateMachineRun+0x54f
00000000`001bf610 00000000`ffb7cf9e winlogon!WinMain+0x13d8
00000000`001bf7a0 00000000`7760b701 winlogon!DbgSetLoggingOption+0x24e
00000000`001bf860 00000000`776f9461 kernel32!BaseThreadInitThunk+0x1d
00000000`001bf890 00000000`00000000 ntdll!RtlUserThreadStart+0x25


THREAD fffffa801e883060  Cid 0204.0234  Teb: 000007fffffd5000 Win32Thread: fffff900c1c7f460 WAIT: (DelayExecution) UserMode Non-Alertable
fffffa801e883420  Semaphore Limit 0x1
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801d44c210       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275087426      Ticks: 10 (0:00:00:00.156)
Context Switch Count      39             IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.031
Win32 Start Address ntdll!TppWorkerThread (0x0000000077778b74)
Stack Init fffff880032bcd70 Current fffff880032bc8e0
Base fffff880032bd000 Limit fffff880032b4000 Call 0000000000000000
Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`032bc920 fffff800`028edeb4 nt!KiSwapContext+0x7a
fffff880`032bca60 fffff800`028ef95d nt!KiSwapThread+0x324
fffff880`032bcab0 fffff800`028da436 nt!KiCommitThreadWait+0x4e5
fffff880`032bcb20 fffff800`0343dc7e nt!KeDelayExecutionThread+0x352
fffff880`032bcba0 fffff800`02a78e13 nt!NtDelayExecution+0x6e
fffff880`032bcbe0 00000000`77798ffe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`032bcbe0)
00000000`00daef38 000007fe`fd559559 ntdll!ZwDelayExecution+0x1e
00000000`00daef40 00000000`ffb6f9c2 KERNELBASE!SleepEx+0xe5
00000000`00daefe0 00000000`ffb70b88 winlogon!ConnectToSubscriber+0x1ce
00000000`00daf060 00000000`ffb4774e winlogon!InternalNotifyExecute+0x458
00000000`00daf410 00000000`ffb6a941 winlogon!WLGeneric_NotifyCreateSession_Execute+0x1d2
00000000`00daf460 00000000`77774186 winlogon!StateMachineWorkerCallback+0x8d
00000000`00daf490 00000000`7777954e ntdll!TppWorkpExecuteCallback+0x1ea
00000000`00daf500 00000000`7760b701 ntdll!TppWorkerThread+0x9da
00000000`00daf820 00000000`776f9461 kernel32!BaseThreadInitThunk+0x1d
00000000`00daf850 00000000`00000000 ntdll!RtlUserThreadStart+0x25

Part 14: process snapshot at the logon screen after changing the administrator password

     THREAD fffffa801d633060  Cid 01c4.01c8  Teb: 000007fffffde000 Win32Thread: fffff900c01184b0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801d7f5d60  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801d628b30       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088542      Ticks: 148 (0:00:00:02.308)
Context Switch Count      227            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.093
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffd1d124)
Stack Init fffff8800429fd70 Current fffff8800429f890
Base fffff880042a0000 Limit fffff88004296000 Call 0000000000000000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0429f8d0 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`0429fa10 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`0429fa60 fffff800`0287fd9a nt!KiCommitThreadWait+0x4e5
fffff880`0429fad0 fffff800`032cb9af nt!KeWaitForSingleObject+0x532
fffff880`0429fb70 fffff800`02a1ce13 nt!NtWaitForSingleObject+0xf7
fffff880`0429fbe0 00000000`778389fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0429fbe0)
00000000`001df368 000007fe`fd905ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`001df370 00000000`ffd0cf4d KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`001df420 00000000`ffd0bb4b winlogon!SignalManagerWaitForSignal+0x201
00000000`001df480 00000000`ffce2cbc winlogon!StateMachineRun+0x54f
00000000`001df7a0 00000000`ffd1cf9e winlogon!WinMain+0x13d8
00000000`001df930 00000000`776ab701 winlogon!DbgSetLoggingOption+0x24e
00000000`001df9f0 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`001dfa20 00000000`00000000 ntdll!RtlUserThreadStart+0x25

        THREAD fffffa801d632060  Cid 01c4.01d0  Teb: 000007fffffdc000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa801bbc6d80  SynchronizationTimer
fffffa801bbc6ef0  SynchronizationTimer
fffffa801d635da0  SynchronizationTimer
fffffa801e348150  NotificationEvent
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801d628b30       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088542      Ticks: 148 (0:00:00:02.308)
Context Switch Count      8              IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x000000007781abb4)
Stack Init fffff88004234d70 Current fffff88004233f50
Base fffff88004235000 Limit fffff8800422f000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`04233f90 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`042340d0 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`04234120 fffff800`0287ee48 nt!KiCommitThreadWait+0x4e5
fffff880`04234190 fffff800`032cbee8 nt!KeWaitForMultipleObjects+0x80c
fffff880`04234450 fffff800`032cc162 nt!ObpWaitForMultipleObjects+0x508
fffff880`04234920 fffff800`02a1ce13 nt!NtWaitForMultipleObjects+0x146
fffff880`04234b70 00000000`778394de nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04234be0)
00000000`00e7f908 00000000`7781afc1 ntdll!NtWaitForMultipleObjects+0x1e
00000000`00e7f910 00000000`776ab701 ntdll!TppWaiterpThread+0x40d
00000000`00e7fc50 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`00e7fc80 00000000`00000000 ntdll!RtlUserThreadStart+0x25

        THREAD fffffa801d63c060  Cid 01c4.01d4  Teb: 000007fffffda000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa801d608dc0  QueueObject
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801d628b30       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088542      Ticks: 148 (0:00:00:02.308)
Context Switch Count      8              IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077818b74)
Stack Init fffff8800428cd70 Current fffff8800428c750
Base fffff8800428d000 Limit fffff88004287000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`0428c790 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`0428c8d0 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`0428c920 fffff800`0288727c nt!KiCommitThreadWait+0x4e5
fffff880`0428c990 fffff800`030b19bf nt!KeRemoveQueueEx+0x844
fffff880`0428ca20 fffff800`029f5f02 nt!IoRemoveIoCompletion+0x7b
fffff880`0428cad0 fffff800`02a1ce13 nt!NtWaitForWorkViaWorkerFactory+0x3ca
fffff880`0428cbe0 00000000`7783bb7e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0428cbe0)
00000000`0138fbe8 00000000`77818f25 ntdll!NtWaitForWorkViaWorkerFactory+0x1e
00000000`0138fbf0 00000000`776ab701 ntdll!TppWorkerThread+0x3b1
00000000`0138ff10 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`0138ff40 00000000`00000000 ntdll!RtlUserThreadStart+0x25

        THREAD fffffa801d63c600  Cid 01c4.01d8  Teb: 000007fffffd7000 Win32Thread: fffff900c1c7d460 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa801d63c9c0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa801e331c70 : queued at port fffffa801e48b950 : owned by process fffffa801d7bdb30
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801d628b30       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088542      Ticks: 148 (0:00:00:02.308)
Context Switch Count      224            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.046
KernelTime                00:00:00.280
Win32 Start Address ntdll!TppWorkerThread (0x0000000077818b74)
Stack Init fffff880030a9d70 Current fffff880030a94d0
Base fffff880030aa000 Limit fffff880030a1000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`030a9510 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`030a9650 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`030a96a0 fffff800`0287fd9a nt!KiCommitThreadWait+0x4e5
fffff880`030a9710 fffff800`0289b0db nt!KeWaitForSingleObject+0x532
fffff880`030a97b0 fffff800`03177d85 nt!AlpcpSignalAndWait+0x277
fffff880`030a9870 fffff800`031c3474 nt!AlpcpReceiveSynchronousReply+0xf9
fffff880`030a9970 fffff800`031c6e1a nt!AlpcpProcessSynchronousRequest+0xf10
fffff880`030a9aa0 fffff800`02a1ce13 nt!NtAlpcSendWaitReceivePort+0x20e
fffff880`030a9b70 00000000`77839a1e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`030a9be0)
00000000`0128eb28 000007fe`feef838d ntdll!NtAlpcSendWaitReceivePort+0x1e
00000000`0128eb30 000007fe`fef0f5d7 RPCRT4!LRPC_CASSOCIATION::AlpcSendWaitReceivePort+0x249
00000000`0128ebb0 000007fe`fef0c154 RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0x1cf
00000000`0128ec40 000007fe`fef14ee1 RPCRT4!LRPC_BASE_CCALL::SendReceive+0xac
00000000`0128ecb0 000007fe`feeac421 RPCRT4!LRPC_CCALL::SendReceive+0x31
00000000`0128ece0 000007fe`fef575ce RPCRT4!I_RpcSendReceive+0xf1
00000000`0128ed10 000007fe`fefa3331 RPCRT4!NdrSendReceive+0x72
00000000`0128ed40 000007fe`fefa3129 RPCRT4!NdrpClientCall3+0x1e5
00000000`0128f000 00000000`ffd1335f RPCRT4!NdrClientCall3+0x89
00000000`0128f380 00000000`ffce807a winlogon!WluiRequestCredentials+0x7b
00000000`0128f3f0 00000000`ffd0a941 winlogon!WLGeneric_Request_Logon_Credz_Execute+0x1ae
00000000`0128f470 00000000`77814186 winlogon!StateMachineWorkerCallback+0x8d
00000000`0128f4a0 00000000`7781954e ntdll!TppWorkpExecuteCallback+0x1ea
00000000`0128f510 00000000`776ab701 ntdll!TppWorkerThread+0x9da
00000000`0128f830 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`0128f860 00000000`00000000 ntdll!RtlUserThreadStart+0x25

        THREAD fffffa801e24b930  Cid 01c4.037c  Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa801d608dc0  QueueObject
Not impersonating
DeviceMap                 fffff8a000009aa0
Owning Process            fffffa801d628b30       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      275088542      Ticks: 148 (0:00:00:02.308)
Context Switch Count      11             IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077818b74)
Stack Init fffff880042a6d70 Current fffff880042a6750
Base fffff880042a7000 Limit fffff880042a1000 Call 0000000000000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`042a6790 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`042a68d0 fffff800`0289395d nt!KiSwapThread+0x324
fffff880`042a6920 fffff800`0288727c nt!KiCommitThreadWait+0x4e5
fffff880`042a6990 fffff800`030b19bf nt!KeRemoveQueueEx+0x844
fffff880`042a6a20 fffff800`029f5f02 nt!IoRemoveIoCompletion+0x7b
fffff880`042a6ad0 fffff800`02a1ce13 nt!NtWaitForWorkViaWorkerFactory+0x3ca
fffff880`042a6be0 00000000`7783bb7e nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`042a6be0)
00000000`015bf9b8 00000000`77818f25 ntdll!NtWaitForWorkViaWorkerFactory+0x1e
00000000`015bf9c0 00000000`776ab701 ntdll!TppWorkerThread+0x3b1
00000000`015bfce0 00000000`77799461 kernel32!BaseThreadInitThunk+0x1d
00000000`015bfd10 00000000`00000000 ntdll!RtlUserThreadStart+0x25
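The snapshots above are long, and the question a debugger actually asks of each thread is the same every time: what is it waiting on, and which winlogon frame sits under the nt/ntdll/KERNELBASE/RPCRT4 wrappers (for example SignalManagerWaitForSignal on the state-machine thread, or WluiRequestCredentials behind an ALPC reply wait). The following is an added example, not code from the original log: a small parser for the `!process` THREAD block format shown above that extracts the Cid, wait reason, ALPC reply owner and the first frame outside the infrastructure modules. The SAMPLE text is constructed from the format of the Part 14 dump (abridged), the INFRA_MODULES list and the "first non-infrastructure frame" heuristic are assumptions of this example, and the whole thing runs offline.

```python
"""Summarise the THREAD blocks of a WinDbg `!process <addr> 7` dump.

Added example (not part of the original debugging log). It parses each
THREAD header, the WAIT reason, the "Waiting for reply to ALPC Message"
line and the call stack, and reports the first frame that is not in a
kernel / runtime wrapper module, which is usually the frame that says
what winlogon is really blocked on.
"""
import re
from collections import Counter

# Constructed sample, abridged from the format of the dump above.
SAMPLE = """\
        THREAD fffffa801d633060  Cid 01c4.01c8  Teb: 000007fffffde000 Win32Thread: fffff900c01184b0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa801d7f5d60  SynchronizationEvent
Not impersonating
Owning Process            fffffa801d628b30       Image:         winlogon.exe
Win32 Start Address winlogon!WinMainCRTStartup (0x00000000ffd1d124)
Child-SP          RetAddr           Call Site
fffff880`0429f8d0 fffff800`02891eb4 nt!KiSwapContext+0x7a
fffff880`0429fb70 fffff800`02a1ce13 nt!NtWaitForSingleObject+0xf7
fffff880`0429fbe0 00000000`778389fe nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0429fbe0)
00000000`001df368 000007fe`fd905ee4 ntdll!NtWaitForSingleObject+0x1e
00000000`001df370 00000000`ffd0cf4d KERNELBASE!WaitForSingleObjectEx+0xe4
00000000`001df420 00000000`ffd0bb4b winlogon!SignalManagerWaitForSignal+0x201
00000000`001df480 00000000`ffce2cbc winlogon!StateMachineRun+0x54f
00000000`001df7a0 00000000`ffd1cf9e winlogon!WinMain+0x13d8

        THREAD fffffa801d63c600  Cid 01c4.01d8  Teb: 000007fffffd7000 Win32Thread: fffff900c1c7d460 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa801d63c9c0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffffa801e331c70 : queued at port fffffa801e48b950 : owned by process fffffa801d7bdb30
Not impersonating
Win32 Start Address ntdll!TppWorkerThread (0x0000000077818b74)
Child-SP          RetAddr           Call Site
fffff880`030a9510 fffff800`02891eb4 nt!KiSwapContext+0x7a
00000000`0128eb28 000007fe`feef838d ntdll!NtAlpcSendWaitReceivePort+0x1e
00000000`0128eb30 000007fe`fef0f5d7 RPCRT4!LRPC_CASSOCIATION::AlpcSendWaitReceivePort+0x249
00000000`0128f000 00000000`ffd1335f RPCRT4!NdrClientCall3+0x89
00000000`0128f380 00000000`ffce807a winlogon!WluiRequestCredentials+0x7b
00000000`0128f3f0 00000000`ffd0a941 winlogon!WLGeneric_Request_Logon_Credz_Execute+0x1ae
"""

# Modules that only wrap a wait or an RPC call (assumption of this example);
# the frame below them is the informative one.
INFRA_MODULES = {"nt", "ntdll", "KERNELBASE", "kernel32", "RPCRT4"}

THREAD_RE = re.compile(r"^[ \t]*THREAD\s+([0-9a-f]+)\s+Cid\s+([0-9a-f]+\.[0-9a-f]+)", re.M)
WAIT_RE = re.compile(r"WAIT:\s+\((\w+)\)")
START_RE = re.compile(r"Win32 Start Address\s+(\S+)")
ALPC_RE = re.compile(r"ALPC Message ([0-9a-f]+) : queued at port ([0-9a-f]+) : owned by process ([0-9a-f]+)")
# Child-SP, RetAddr, then the call-site token; trailing "(TrapFrame @ ...)" is ignored.
FRAME_RE = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+[0-9a-f]{8}`[0-9a-f]{8}\s+(\S+)", re.M)


def split_thread_blocks(text):
    """Cut the dump into one string per THREAD entry."""
    starts = list(THREAD_RE.finditer(text))
    return [text[m.start():(starts[i + 1].start() if i + 1 < len(starts) else len(text))]
            for i, m in enumerate(starts)]


def module_of(site):
    """'nt!KiSwapContext+0x7a' -> 'nt'; a bare address such as 0x777b943c -> None."""
    return site.split("!", 1)[0] if "!" in site else None


def parse_thread(block):
    header = block.splitlines()[0]
    m = THREAD_RE.match(block)
    wait = WAIT_RE.search(header)
    alpc = ALPC_RE.search(block)
    start = START_RE.search(block)
    frames = [site for _, site in FRAME_RE.findall(block)]
    # First frame whose module is neither a wrapper nor a raw address.
    top = next((f for f in frames
                if module_of(f) and module_of(f) not in INFRA_MODULES), None)
    return {
        "thread": m.group(1),
        "cid": m.group(2),
        "wait_reason": wait.group(1) if wait else None,   # None for READY/RUNNING
        "start": start.group(1) if start else None,
        "alpc_owner": alpc.group(3) if alpc else None,    # process that owes the reply
        "frames": frames,
        "top_frame": top,
    }


def parse_threads(text):
    return [parse_thread(b) for b in split_thread_blocks(text)]


def wait_summary(threads):
    """Count threads per wait reason, e.g. {'UserRequest': 1, 'WrLpcReply': 1}."""
    return dict(Counter(t["wait_reason"] or "running/ready" for t in threads))


if __name__ == "__main__":
    threads = parse_threads(SAMPLE)
    for t in threads:
        line = f"{t['cid']}  {t['wait_reason']:<12} {t['top_frame']}"
        if t["alpc_owner"]:
            line += f"  (ALPC reply owed by process {t['alpc_owner']})"
        print(line)
    print(wait_summary(threads))
```

Run against a full `!process <addr> 7` capture, the output is one line per thread with the wait reason and the deepest winlogon frame, which makes it easy to see at a glance that the main thread is parked in StateMachineRun while a worker is blocked in WluiRequestCredentials on an ALPC reply from another process (the credential UI host), without reading every stack by hand.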

http://www.dtcms.com/a/446398.html
