winlogon!SASWndProc函数分析之win+L键的处理
winlogon!SASWndProc函数分析之win+L键的处理
Breakpoint 14 hit
eax=c0000000 ebx=00000000 ecx=00000000 edx=00000000 esi=01019e08 edi=0006fcc0
eip=01019e08 esp=0006fc4c ebp=0006fc74 iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000207
winlogon!SASWndProc:
001b:01019e08 55 push ebp
1: kd> dv
hwnd = 0x0001001c
message = 0x312
wParam = 5
lParam = 0n4980744
szDesktop = unsigned short [260]
InfoData = struct _WINSTATIONINFORMATIONW
Length = 0xce4320
szTaskMgr = unsigned short [12]
val = 0x4c0008
bSecure = 0n5
Desktop = 0x77bf4827
Value = char [10] "???"
dwSize = 0x312
dwType = 0x6f578
esi = 0x4c0008
h = 0x0006f578
ScEvent = 0n4980744 (No matching enumerant)
ScData = 0x0006f578
bRestart = 0n4980744
hKey = 0x77bf4827
dwType = 0xce4320
val = 5
pchData = 0x0006f578
1: kd> kc
#
00 winlogon!SASWndProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!DispatchMessageWorker
04 USER32!DispatchMessageW
05 USER32!DialogBox2
06 USER32!InternalDialogBox
07 USER32!DialogBoxIndirectParamAorW
08 USER32!DialogBoxParamW
09 USER32!DialogBoxParamW_wrapper
0a winlogon!Fusion_DialogBoxParam
0b winlogon!TimeoutDialogBoxParam
0c winlogon!WlxDialogBoxParam
0d winlogon!BlockWaitForUserAction
0e winlogon!MainLoop
0f winlogon!WinMain
10 winlogon!WinMainCRTStartup
1: kd> p
eax=00077418 ebx=00000000 ecx=77cc44d2 edx=00000000 esi=0001001c edi=0006fcc0
eip=01019e28 esp=0006f53c ebp=0006fc48 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286
winlogon!SASWndProc+0x20:
001b:01019e28 8b550c mov edx,dword ptr [ebp+0Ch] ss:0023:0006fc54=00000312
1: kd> dt TERMINAL 00077418
winlogon!TERMINAL
+0x000 CheckMark : 0x7465726d
+0x004 pNext : (null)
+0x008 pWinStaWinlogon : 0x000788e0 _WINDOWSTATION
+0x00c pszDesktop : 0x00101a58 -> 0x44
+0x010 DesktopLength : 0x10
+0x014 hwndSAS : 0x0001001c HWND__
+0x018 IniRef : 1
+0x01c UserLoggedOn : 0n1
+0x020 LogoffFlags : 0
+0x024 TickCount : 0xffc9ac88
+0x028 ForwardCAD : 0n1
+0x02c EnableSC : 0n0
+0x030 SafeMode : 0n0
+0x034 SasType : 1
+0x038 LastGinaRet : 8
+0x03c hToken : 0x000000a0 Void
+0x040 hGPOEvent : 0x0000074c Void
+0x044 hGPOThread : 0x00000204 Void
+0x048 hGPONotifyEvent : 0x000007ec Void
+0x04c hGPOWaitEvent : 0x012328f0 Void
+0x050 hAutoEnrollmentHandler : (null)
+0x054 ErrorMode : 0
+0x058 SmartCardTid : 0
+0x05c CurrentScEvent : 0 ( ScNone )
+0x060 CurrentScData : (null)
+0x064 CurrentScCritSect : _RTL_CRITICAL_SECTION
+0x07c WinlogonState : 6 ( Winsta_LoggedOnUser )
+0x080 PreviousWinlogonState : 0 ( Winsta_PreLoad )
+0x084 ScreenSaverActive : 0n0
+0x088 ShutdownStarted : 0n0
+0x08c bIgnoreScreenSaverRequest : 0n0
+0x090 Mappers : [32] _WindowMapper
+0x310 cActiveWindow : 1
+0x314 PendingSasEvents : [32] 2
+0x394 PendingSasHead : 3
+0x398 PendingSasTail : 3
+0x39c MessageBoxActive : 0n0
+0x3a0 Gina : _GINASESSION
+0x404 MuGlobals : _MUGLOBALS
+0x1478 IgnoreAutoLogon : 0n0
+0x147c fUseLastGinaRet : 0n0
+0x1480 field_1480 : 0n0
+0x1484 field_1484 : 0n0
1: kd> kc
#
00 winlogon!SASWndProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!SendMessageWorker
04 USER32!SendMessageW
05 USER32!SendMessageW_wrapper
06 winlogon!SASWndProc
07 USER32!InternalCallWinProc
08 USER32!UserCallWinProcCheckWow
09 USER32!DispatchMessageWorker
0a USER32!DispatchMessageW
0b USER32!DialogBox2
0c USER32!InternalDialogBox
0d USER32!DialogBoxIndirectParamAorW
0e USER32!DialogBoxParamW
0f USER32!DialogBoxParamW_wrapper
10 winlogon!Fusion_DialogBoxParam
11 winlogon!TimeoutDialogBoxParam
12 winlogon!WlxDialogBoxParam
13 winlogon!BlockWaitForUserAction
14 winlogon!MainLoop
15 winlogon!WinMain
16 winlogon!WinMainCRTStartup
1: kd> dv
hwnd = 0x0001001c
message = 0x4c
wParam = 5
lParam = 0n0
szDesktop = unsigned short [260]
InfoData = struct _WINSTATIONINFORMATIONW
Length = 0
szTaskMgr = unsigned short [12]
val = 0
bSecure = 0n5
Desktop = 0x705c3aa9
Value = char [10] "-???"
dwSize = 0x4c
dwType = 0x6ed14
esi = 0
h = 0x0006ed14
ScEvent = ScNone (0n0)
ScData = 0x0006ed14
bRestart = 0n0
hKey = 0x705c3aa9
dwType = 0
val = 5
pchData = 0x0006ed14
// Excerpt from SASWndProc: handling of the lock-workstation notification.
// In the captured session this case runs with message = 0x4c and wParam = 5
// (LOGON_LOCKWORKSTATION). The call stack shows SASWndProc sending it to
// itself via SendMessageW while handling message 0x312 (WM_HOTKEY) with
// lParam 0x4C0008, i.e. VK 'L' (0x4C) in the high word and MOD_WIN (0x0008)
// in the low word.
// NOTE(review): this listing looks reconstructed from disassembly (a local
// named "esi", a member named "field_1484"), so names may differ from the
// original source -- confirm before relying on them.
case WM_LOGONNOTIFY: // A private notification from Windows
DebugLog((DEB_TRACE_SAS, "LOGONNOTIFY message %d\n", wParam ));
switch (wParam)
{
case LOGON_LOCKWORKSTATION:
g_fWaitForLockWksMsgFromWin32k = FALSE;
// All five conditions must hold before any locking work starts:
//   - a user is logged on,
//   - the GINA agrees (pWlxIsLockOk is called through the GINA dispatch
//     table, so whichever GINA DLL is installed takes part in this decision),
//   - the terminal is not already in a locked state,
//   - the state is exactly Winsta_LoggedOnUser or Winsta_LoggedOn_SAS,
//   - NeedsLockWorkstation(lParam) returns nonzero.
// If any check fails the request is dropped silently (falls to the break).
if (pTerm->UserLoggedOn &&
pTerm->Gina.pWlxIsLockOk(pTerm->Gina.pGinaContext) &&
(!IsLocked(pTerm->WinlogonState)) &&
(pTerm->WinlogonState == Winsta_LoggedOnUser || pTerm->WinlogonState == Winsta_LoggedOn_SAS) &&
NeedsLockWorkstation(lParam)) {
// Set to 1 below when the switch-user path takes over; the lock is then skipped.
DWORD esi = 0;
ShellSwitchWhenInteractiveReady(2, 0);
if (ShellIsFriendlyUIActive() && ShellIsMultipleUsersEnabled()) {
HANDLE h;
// The switch-user call is made while impersonating the logged-on user;
// StopImpersonating(h) runs on every path on which h is non-NULL.
h = ImpersonateUser(&pTerm->pWinStaWinlogon->UserProcessData, 0);
if (h) {
// A zero return from ShellSwitchUser(1) sets the wait flag and skips the lock.
if (!ShellSwitchUser(1)) {
g_fWaitForSwitchUser = TRUE;
esi = 1;
}
StopImpersonating(h);
}
}
if (esi)
break;
ShellStatusHostEnd(0);
// With a screen saver running, the request is handed on via
// SendSasToTopWindow(pTerm, 3) and DoLockWksta is not called here.
if (pTerm->ScreenSaverActive) {
pTerm->field_1484 = TRUE;
SendSasToTopWindow(pTerm, 3);
break;
}
if (pTerm->WinlogonState == Winsta_LoggedOn_SAS) {
SendSasToTopWindow(pTerm, 0);
}
// The switch to the Winlogon desktop happens before DoLockWksta; the trace
// shows NtUserSwitchDesktop returning 1 and "Switching desktop from
// Application to Winlogon" ahead of the DoLockWksta breakpoint.
SetActiveDesktop(pTerm, Desktop_Winlogon);
// A return of 4 from DoLockWksta is routed to SASRouter(pTerm, 4) and the
// window procedure returns FALSE at once instead of falling to the break.
if (DoLockWksta (pTerm, FALSE) == 4) {
SASRouter(pTerm, 4);
return FALSE;
}
}
break;
D:\srv03rtm\public/internal/windows/inc/winuserp.h:1701:#define LOGON_LOCKWORKSTATION 5
1: kd> p
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserLockWindowStation, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserTranslateAccelerator, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserOpenInputDesktop, retval = e7c
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserTranslateAccelerator, retval = 0
(s: 0 0x1bc.1e8 csrss.exe) USRK-[VWPL] VWPL 00000000 => NULL (empty)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetObjectInformation, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserTranslateAccelerator, retval = 0
468.472> Winlogon-Trace: Source desktop was Default
(s: 0 0x37c.404 svchost.exe) USRK-[StubReturn] NtUserGetMessage, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserTranslateAccelerator, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxSetForegroundWindow2 by 0XE141BE18 to 00000000-00000000
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[VWPL] VWPL 00000000 + 0XBC6773EC
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
(s: 0 0x1bc.1ec csrss.exe) USRK-[Callout] Mapping desktop 0x897D7570 into process 0x8973A2E0
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserKillTimer, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxActivateWindow temporarly set TIF 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxSetForegroundWindow FRemoveForegroundActivate 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear TIF 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear W32PF 0XE165D9A0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxSetForegroundWindow2 by 0XE141BE18 to 0XBC640DD4-0XE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[KBD] SetGlobalKeyboardTableInfo:Changing KL NLS Table: new HKL=0X04090409
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[KBD] SetGlobalKeyboardTableInfo: new gpKbdNlsTbl=00000000
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxActivateWindow set TIF 0XE141BE18
(s: 0 0x1bc.1ec csrss.exe) USRK-[VWPL] VWPL 0XE1745E40 - 0XBC640DD4
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE185FAF0 to pq 0XE1425388 ; old id 00000000
-> msg 0 hwnd 00000000 w 00000000 l 0X00010004 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 5 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE185FAF0
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE18F0AE0 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE18F0AE0
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 1 pti 0xE178AD58 sets ptiSL 0x00000000 to pq 0xE17737E8 ; old ptiSL 0xE178AD58
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 3 pti 0xE178AD58 sets ptiSL 0xE178AD58 to pq 0xE17737E8 ; old ptiSL 0x00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 2 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 3 pti 0XE178AD58 sets id 0XE17884B8 to pq 0XE17737E8 ; old id 00000000
-> msg 101 hwnd 00000000 w 0X0000004C l 0X00260001 pti 0XE178AD58
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 1 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 0XE17884B8
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxSetForegroundWindow2 by 0XE141BE18 to 00000000-00000000
(s: 0 0x1d4.1d8 csrss.exe) USRK-[Callout] Unmapping desktop 0x897D7570 from process 0x89DD5240 (0x0 <-> 0x0)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSwitchDesktop, retval = 1
468.472> Winlogon-Trace: Switching desktop from Application to Winlogon
eax=00000001 ebx=00077418 ecx=e0cdfdc2 edx=00000048 esi=00000001 edi=00000000
eip=0101a7b8 esp=0006ecf4 ebp=0006f400 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
winlogon!SASWndProc+0x9b0:
001b:0101a7b8 57 push edi
1: kd> kc
#
00 winlogon!SASWndProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!SendMessageWorker
04 USER32!SendMessageW
05 USER32!SendMessageW_wrapper
06 winlogon!SASWndProc
07 USER32!InternalCallWinProc
08 USER32!UserCallWinProcCheckWow
09 USER32!DispatchMessageWorker
0a USER32!DispatchMessageW
0b USER32!DialogBox2
0c USER32!InternalDialogBox
0d USER32!DialogBoxIndirectParamAorW
0e USER32!DialogBoxParamW
0f USER32!DialogBoxParamW_wrapper
10 winlogon!Fusion_DialogBoxParam
11 winlogon!TimeoutDialogBoxParam
12 winlogon!WlxDialogBoxParam
13 winlogon!BlockWaitForUserAction
14 winlogon!MainLoop
15 winlogon!WinMain
16 winlogon!WinMainCRTStartup
1: kd> dv
hwnd = 0x0001001c
message = 0x4c
wParam = 5
lParam = 0n0
1: kd> dv
hwnd = 0x0001001c
message = 0x4c
wParam = 5
lParam = 0n0
szDesktop = unsigned short [260]
InfoData = struct _WINSTATIONINFORMATIONW
Length = 0
szTaskMgr = unsigned short [12]
val = 0
bSecure = 0n5
Desktop = 0x705c3aa9
Value = char [10] "-???"
dwSize = 0x4c
dwType = 0x6ed14
esi = 0
h = 0x0006ed14
ScEvent = ScNone (0n0)
ScData = 0x0006ed14
bRestart = 0n0
hKey = 0x705c3aa9
dwType = 0
val = 5
pchData = 0x0006ed14
1: kd> p
Breakpoint 15 hit
eax=00000001 ebx=00077418 ecx=e0cdfdc2 edx=00000048 esi=00000001 edi=00000000
eip=0102840b esp=0006ece8 ebp=0006f400 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
winlogon!DoLockWksta:
001b:0102840b 55 push ebp
1: kd> kc
#
00 winlogon!DoLockWksta
01 winlogon!SASWndProc
02 USER32!InternalCallWinProc
03 USER32!UserCallWinProcCheckWow
04 USER32!SendMessageWorker
05 USER32!SendMessageW
06 USER32!SendMessageW_wrapper
07 winlogon!SASWndProc
08 USER32!InternalCallWinProc
09 USER32!UserCallWinProcCheckWow
0a USER32!DispatchMessageWorker
0b USER32!DispatchMessageW
0c USER32!DialogBox2
0d USER32!InternalDialogBox
0e USER32!DialogBoxIndirectParamAorW
0f USER32!DialogBoxParamW
10 USER32!DialogBoxParamW_wrapper
11 winlogon!Fusion_DialogBoxParam
12 winlogon!TimeoutDialogBoxParam
13 winlogon!WlxDialogBoxParam
14 winlogon!BlockWaitForUserAction
15 winlogon!MainLoop
16 winlogon!WinMain
17 winlogon!WinMainCRTStartup
// Excerpt from DoLockWksta: the terminal state is set to Winsta_Locked first.
// In this session the next step prints "DoLockWksta: Setting state to Locked".
pTerm->WinlogonState = Winsta_Locked;
1: kd> p
468.472> Winlogon-Trace-State: DoLockWksta: Setting state to Locked
eax=00000000 ebx=00077418 ecx=e0cdfdc2 edx=00000044 esi=00077418 edi=000788e0
eip=01028439 esp=0006ecd8 ebp=0006ece4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
winlogon!DoLockWksta+0x2e:
001b:01028439 6a00 push 0
// Excerpt from DoLockWksta: lock the window station. In this session the
// handle pushed is [edi+4] = 0x29c (edi is the pWinStaWinlogon pointer from
// the TERMINAL dump) and NtUserLockWindowStation returns 1.
LockWindowStation(pWS->hwinsta);
1: kd> p
eax=00000001 ebx=00077418 ecx=e0cdfdc2 edx=00000044 esi=00077418 edi=000788e0
eip=01028441 esp=0006ecd8 ebp=0006ece4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
winlogon!DoLockWksta+0x36:
001b:01028441 ff7704 push dword ptr [edi+4] ds:0023:000788e4=0000029c
1: kd> p
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE17884B8 to pq 0XE1425388 ; old id 00000000
-> msg 0 hwnd 00000000 w 00000000 l 00000000 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 5 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE17884B8
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE18F0AE0 to pq 0XE1425388 ; old id 00000000
-> msg 0 hwnd 00000000 w 0XE118ABE0 l 00000000 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 5 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE18F0AE0
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 4 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserLockWindowStation, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] eax=00000001 ebx=00077418 ecx=0006eccc edx=7ffe0304 esi=00077418 edi=000788e0
eip=0102844a esp=0006ecd8 ebp=0006ece4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!DoLockWksta+0x3f:
001b:0102844a 6a01 push 1
// Excerpt from DoLockWksta: TRUE is the "push 1" in the disassembly above.
// The later "Winlogon-Trace-Notify: Executing ...WlNotify.dll : Lock" lines
// carry thread ids 468.1728 and 468.1256 (0x1d4.6c0 and 0x1d4.4e8), so the
// notification packages presumably run on worker threads inside winlogon.exe.
// Anything registered as a notification package therefore executes in the
// winlogon process on every lock, which makes that list worth auditing.
LockUnlockNotification(pTerm, TRUE);
0: kd> p
NtUserTranslateMessage, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubThunk] Thunk fnDWORD, FNID_DEFWINDOWPROC(WM_KEYUP)
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 1 pti 0xE178AD58 sets ptiSL 0x00000000 to pq 0xE17737E8 ; old ptiSL 0xE178AD58
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 3 pti 0xE178AD58 sets ptiSL 0xE178AD58 to pq 0xE17737E8 ; old ptiSL 0x00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 2 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 3 pti 0XE178AD58 sets id 0XE10CD738 to pq 0XE17737E8 ; old id 00000000
-> msg 101 hwnd 00000000 w 0X0000005B l 0X015B0001 pti 0XE178AD58
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 1 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 0XE10CD738
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserTranslateMessage, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubThunk] Thunk fnDWORD, FNID_DEFWINDOWPROC(WM_KEYUP)
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 1 pti 0xE178AD58 sets ptiSL 0x00000000 to pq 0xE17737E8 ; old ptiSL 0xE178AD58
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 3 pti 0xE178AD58 sets ptiSL 0xE178AD58 to pq 0xE17737E8 ; old ptiSL 0x00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 2 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 3 pti 0XE178AD58 sets id 0XE1967AA8 to pq 0XE17737E8 ; old id 00000000
-> msg 0 hwnd 00000000 w 00000000 l 00000000 pti 0XE178AD58
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 5 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 0XE1967AA8
(s: 0 0x64c.650 explorer.exe) USRK-[StubThunk] Thunk fnDWORD, FNID_DEFWINDOWPROC(WM_NCACTIVATE)
(s: 0 0x64c.650 explorer.exe) USRK-[VWPL] VWPL 0XE1745E40 - 0XBC6773EC
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] fnDWORD, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_NCACTIVATE), retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATE), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserKillTimer, retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserRedrawWindow, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserGetUpdateRect, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserBeginPaint, retval = 1010055
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserEndPaint, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] xxxUpdateWindow, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] xxxUpdateWindow, retval = 1
(s: 0 0x64c.650 explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_KILLFOCUS), retval = 0
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 2 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 3 pti 0XE178AD58 sets id 00000000 to pq 0XE17737E8 ; old id 00000000
(s: 0 0x64c.650 explorer.exe) USRK-[SysPeek] 4 pti 0xE178AD58 sets ptiSL 0x00000000 to pq 0xE17737E8 ; old ptiSL 0xE178AD58
(s: 0 0x64c.650 explorer.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 0
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: -|--------------------------------------------|-
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: -|--------------------------------------------|-
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: WinStationSetInformation LogonId=0, Class=28
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error
20:57:18.593 8960CF7C.E17D83C0 TERMSRV: WinStationSetInformation LogonId=0, Class=28, Status=0x0
eax=7ffdf000 ebx=00000004 ecx=00000000 edx=01055be0 esi=00077418 edi=000788e0
eip=01028455 esp=0006ecd8 ebp=0006ece4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!DoLockWksta+0x4a:
001b:01028455 c7467c09000000 mov dword ptr [esi+7Ch],9 ds:0023:00077494=00000008
// Excerpt from DoLockWksta: trace for the second state change. The store
// just above (mov dword ptr [esi+7Ch],9) writes offset +0x7c of the TERMINAL
// at esi, which the dt output labels WinlogonState; the old value was 8.
// The push of StateNames+0x24 is entry 9 of a table of 4-byte pointers,
// matching the value 9, and the trace prints "Locked_Display".
DebugLog((DEB_TRACE_STATE, "DoLockWksta: Setting state to %s\n",
GetState(Winsta_Locked_Display)));
1: kd> p
eax=7ffdf000 ebx=00000004 ecx=00000000 edx=01055be0 esi=00077418 edi=000788e0
eip=0102845c esp=0006ecd8 ebp=0006ece4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!DoLockWksta+0x51:
001b:0102845c ff35ac450501 push dword ptr [winlogon!StateNames+0x24 (010545ac)] ds:0023:010545ac={winlogon!`string' (0100ce10)}
1: kd> p
468.472> Winlogon-Trace-State: DoLockWksta: Setting state to Locked_Display
eax=00000000 ebx=00000004 ecx=e0cdfdc2 edx=0000004c esi=00077418 edi=000788e0
eip=01028471 esp=0006ecd8 ebp=0006ece4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
winlogon!DoLockWksta+0x66:
001b:01028471 f605c482050140 test byte ptr [winlogon!GinaBreakFlags (010582c4)],40h ds:0023:010582c4=00
/*
 * WlxDisplayLockedNotice
 *
 * GINA entry point that puts up the "workstation locked" dialog. In the
 * captured call stack it is invoked from winlogon!DoLockWksta and calls
 * back into winlogon through the pWlxFuncs dispatch table.
 *
 * pWlxContext - opaque GINA context; treated here as a PGLOBALS without
 *               any validation (NOTE(review): the caller is assumed to
 *               pass the context the GINA handed out earlier -- confirm).
 *
 * Returns nothing; the result of the dialog call is discarded.
 */
VOID
WINAPI
WlxDisplayLockedNotice(
    PVOID pWlxContext
    )
{
    PGLOBALS   pGlobals    = (PGLOBALS) pWlxContext;
    LPFILETIME pLockTime   = (LPFILETIME) &pGlobals->LockTime;
    LPWSTR     pszTemplate = (LPWSTR) MAKEINTRESOURCE(IDD_LOCKED_DIALOG);

    /* Stamp the moment the lock began into the GINA globals. */
    GetSystemTimeAsFileTime( pLockTime );

    /* Apply LOGON_TIMEOUT to the dialog that is about to be shown. */
    pWlxFuncs->WlxSetTimeout( pGlobals->hGlobalWlx, LOGON_TIMEOUT );

    /*
     * Show the locked-workstation dialog with no parent window; the GINA
     * globals travel to LockedDlgProc as the init parameter.
     */
    pWlxFuncs->WlxDialogBoxParam( pGlobals->hGlobalWlx,
                                  hDllInstance,
                                  pszTemplate,
                                  NULL,
                                  LockedDlgProc,
                                  (LPARAM) pGlobals );
}
1: kd> kc
#
00 winlogon!WlxDialogBoxParam
01 MSGINA!WlxDisplayLockedNotice
02 winlogon!DoLockWksta
03 winlogon!SASWndProc
04 USER32!InternalCallWinProc
05 USER32!UserCallWinProcCheckWow
06 USER32!SendMessageWorker
07 USER32!SendMessageW
08 USER32!SendMessageW_wrapper
09 winlogon!SASWndProc
0a USER32!InternalCallWinProc
0b USER32!UserCallWinProcCheckWow
0c USER32!DispatchMessageWorker
0d USER32!DispatchMessageW
0e USER32!DialogBox2
0f USER32!InternalDialogBox
10 USER32!DialogBoxIndirectParamAorW
11 USER32!DialogBoxParamW
12 USER32!DialogBoxParamW_wrapper
13 winlogon!Fusion_DialogBoxParam
14 winlogon!TimeoutDialogBoxParam
15 winlogon!WlxDialogBoxParam
16 winlogon!BlockWaitForUserAction
17 winlogon!MainLoop
18 winlogon!WinMain
19 winlogon!WinMainCRTStartup
1: kd> dv
hWlx = 0x00077418
hInstance = 0x75080000
lpsz1 = 0x0000076c
hWnd = 0x00000000
dlgproc = 0x75094990
lParam = 0n1414304
MapTerminal = struct _WindowMapperTerminal
1: kd> u 75094990
MSGINA!LockedDlgProc [d:\srv03rtm\ds\security\gina\msgina\mslock.c @ 227]:
75094990 55 push ebp
75094991 8bec mov ebp,esp
75094993 57 push edi
75094994 8b7d08 mov edi,dword ptr [ebp+8]
75094997 6aeb push 0FFFFFFEBh
75094999 57 push edi
7509499a ff1514150875 call dword ptr [MSGINA!_imp__GetWindowLongW (75081514)]
750949a0 8b450c mov eax,dword ptr [ebp+0Ch]
/*
 * WlxDialogBoxParam
 *
 * Winlogon-side implementation of the dialog service offered to the GINA.
 * The caller's dialog procedure is not handed to USER32 directly: it is
 * stored in a window mapper and winlogon's own RootDlgProc is installed
 * instead. The trace agrees: the GINA passes dlgproc = 0x75094990
 * (MSGINA!LockedDlgProc), while Fusion_DialogBoxParam receives
 * lpDialogFunc = 0x0102c230, an address inside winlogon.
 *
 * hWlx      - handle identifying the terminal; checked with VerifyHandle.
 * hInstance - module that owns the dialog template.
 * lpsz1     - template name or MAKEINTRESOURCE id.
 * hWnd      - parent window, may be NULL.
 * dlgproc   - the caller's dialog procedure, recorded in the mapper.
 * lParam    - the caller's init parameter, recorded in the mapper.
 *
 * Returns the result of TimeoutDialogBoxParam, or -1 with the last error
 * set when the handle is invalid or no window mapper can be allocated.
 */
int WINAPI
WlxDialogBoxParam(
    HANDLE  hWlx,
    HANDLE  hInstance,
    LPWSTR  lpsz1,
    HWND    hWnd,
    DLGPROC dlgproc,
    LPARAM  lParam)
{
    WindowMapperTerminal MapTerminal;
    PWindowMapper        pMap;
    PTERMINAL            pTerm;
    int                  res;

    /* Reject handles that do not resolve to a terminal. */
    pTerm = VerifyHandle(hWlx);
    if (pTerm == NULL)
    {
        DebugLog((DEB_ERROR, "Invalid hWlx handle\n"));
        SetLastErrorEx(ERROR_INVALID_HANDLE, SLE_ERROR);
        return -1;
    }

    /*
     * Reserve a mapper slot for this dialog.
     * NOTE(review): the TERMINAL dump shows Mappers as a 32-entry array,
     * which is presumably the nesting limit behind this failure -- confirm.
     */
    pMap = AllocWindowMapper(pTerm);
    if (pMap == NULL)
    {
        ASSERTMSG("Too many nested windows? send mail to richardw", pMap);
        DebugLog((DEB_ERROR, "Too many nested windows?!?\n"));
        SetLastError(ERROR_OUTOFMEMORY);
        return -1;
    }

    /* Record what the caller asked for so it can be forwarded later. */
    pMap->fMapper |= MAPPERFLAG_DIALOG;
    pMap->DlgProc = dlgproc;
    pMap->InitialParameter = lParam;

    /*
     * MapTerminal lives on this stack frame and its address is the dialog's
     * init parameter. That is sound only while the dialog call is modal and
     * returns before this function does; the call stacks show
     * TimeoutDialogBoxParam reaching DialogBoxParamW.
     */
    MapTerminal.pTerm = pTerm;
    MapTerminal.pMap = pMap;

    /* Runs under the GINA timeout with screen-saver notification enabled. */
    res = TimeoutDialogBoxParam(pTerm, hInstance, lpsz1, hWnd,
                                RootDlgProc, (LPARAM) &MapTerminal,
                                pTerm->Gina.cTimeout | TIMEOUT_SS_NOTIFY);

    /* The mapper slot is released on every path that allocated it. */
    FreeWindowMapper(pMap, pTerm);

    return res;
}
1: kd> t
eax=00000001 ebx=00000004 ecx=e0cdfdc2 edx=00000042 esi=77f7a58c edi=0000076c
eip=0102e8da esp=0006ec30 ebp=0006ec70 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
winlogon!Fusion_DialogBoxParam:
001b:0102e8da 55 push ebp
1: kd> kc
#
00 winlogon!Fusion_DialogBoxParam
01 winlogon!TimeoutDialogBoxParam
02 winlogon!WlxDialogBoxParam
03 MSGINA!WlxDisplayLockedNotice
04 winlogon!DoLockWksta
05 winlogon!SASWndProc
06 USER32!InternalCallWinProc
07 USER32!UserCallWinProcCheckWow
08 USER32!SendMessageWorker
09 USER32!SendMessageW
0a USER32!SendMessageW_wrapper
0b winlogon!SASWndProc
0c USER32!InternalCallWinProc
0d USER32!UserCallWinProcCheckWow
0e USER32!DispatchMessageWorker
0f USER32!DispatchMessageW
10 USER32!DialogBox2
11 USER32!InternalDialogBox
12 USER32!DialogBoxIndirectParamAorW
13 USER32!DialogBoxParamW
14 USER32!DialogBoxParamW_wrapper
15 winlogon!Fusion_DialogBoxParam
16 winlogon!TimeoutDialogBoxParam
17 winlogon!WlxDialogBoxParam
18 winlogon!BlockWaitForUserAction
19 winlogon!MainLoop
1a winlogon!WinMain
1b winlogon!WinMainCRTStartup
1: kd> dv
hInstance = 0x75080000
lpTemplateName = 0x0000076c
hWndParent = 0x00000000
lpDialogFunc = 0x0102c230
dwInitParam = 0n453792
activator = class CContextActivation
// Thin wrapper around DialogBoxParamW that keeps a CContextActivation object
// alive for the duration of the modal call.
// NOTE(review): going by its name, CContextActivation presumably activates
// an activation context in its constructor and releases it in its
// destructor; its definition is not shown here -- confirm.
// All five arguments are forwarded unchanged and the dialog result is returned.
INT_PTR Fusion_DialogBoxParam(HINSTANCE hInstance, LPCWSTR lpTemplateName, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam)
{
    CContextActivation activator;

    INT_PTR nResult = DialogBoxParamW(hInstance,
                                      lpTemplateName,
                                      hWndParent,
                                      lpDialogFunc,
                                      dwInitParam);
    return nResult;
}
1: kd> p
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10007
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetCursor, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USER-[IMM] CreateDlgFont: fUseShellFont2=TRUE
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetAtomName, retval = 6
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowFNID, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] SetDialogPointer, retval = 1230408
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINLPCREATESTRUCT, FNID_DEFWINDOWPROC(WM_NCCREATE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINLPCREATESTRUCT, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_NCCREATE), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINOUTNCCALCSIZE, FNID_DEFWINDOWPROC(WM_NCCALCSIZE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINOUTNCCALCSIZE, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTNCCALCSIZE, Unknown(WM_NCCALCSIZE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_CREATE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SIZE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_MOVE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserCreateWindowEx, retval = e00b4
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetAtomName, retval = 6
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowFNID, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowLongPtr, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINLPCREATESTRUCT, FNID_DEFWINDOWPROC(WM_NCCREATE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINLPCREATESTRUCT, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_NCCREATE), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_CREATE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserCreateWindowEx, retval = 900e6
(s: 0 0x1bc.1e8 csrss.exe) USRK-[VWPL] VWPL 00000000 => NULL (empty)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetAtomName, retval = 6
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowFNID, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowLongPtr, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINLPCREATESTRUCT, FNID_DEFWINDOWPROC(WM_NCCREATE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINLPCREATESTRUCT, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_NCCREATE), retval = 1
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Callout(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_CREATE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserCreateWindowEx, retval = 900e4
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetAtomName, retval = 6
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowFNID, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowLongPtr, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINLPCREATESTRUCT, FNID_DEFWINDOWPROC(WM_NCCREATE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINLPCREATESTRUCT, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_NCCREATE), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_CREATE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserCreateWindowEx, retval = 800d6
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetAtomName, retval = 6
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowFNID, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowLongPtr, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINLPCREATESTRUCT, FNID_DEFWINDOWPROC(WM_NCCREATE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINLPCREATESTRUCT, retval = 1
] (s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
W32: Process Callout for W32P 0XE165D9A0 EP 0X89903BA8 called for Creation
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_NCCREATE), retval = 1
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Callout] W32: Thread Callout for ETHREAD 892b55d0 called for Initialization
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Callout] PID = 1d4 TID = 6c0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_CREATE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserCreateWindowEx, retval = 800d4
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Vrbs] WinLogon, second or other thread. pti=0XE10B5550
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Vrbs] xxxResolveDesktop: to hwinsta=0X0000029C desktop=0X000002A4
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Callout] Mapping desktop 0x897D7570 into process 0x89903BA8
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[FOREGROUND] xxxCreateThreadInfo set TIF 0XE10B5550
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowLongPtr, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowLongPtr, retval = 0
468.1728> Winlogon-Trace-Notify: Executing C:\WINDOWS\system32\WlNotify.dll : Lock
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Callout] W32: Process Callout for W32P 0XE165D9A0 EP 0X89903BA8 called for Creation
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Callout] W32: Thread Callout for ETHREAD 8967cda0 called for Initialization
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Callout] PID = 1d4 TID = 4e8
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Vrbs] WinLogon, second or other thread. pti=0XE17DCD40
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Vrbs] xxxResolveDesktop: to hwinsta=0X0000029C desktop=0X000002A4
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Callout] Mapping desktop 0x897D7570 into process 0x89903BA8
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[FOREGROUND] xxxCreateThreadInfo set TIF 0XE17DCD40
468.1256> Winlogon-Trace-Notify: Executing C:\WINDOWS\system32\wlnotify.dll : Lock
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Callout] W32: Thread Callout for ETHREAD 892b55d0 called for Exit
(s: 0 0x1d4.6c0 winlogon.exe) USRK-[Callout] PID = 1d4 TID = 6c0
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Callout] W32: Thread Callout for ETHREAD 8967cda0 called for Exit
(s: 0 0x1d4.4e8 winlogon.exe) USRK-[Callout] PID = 1d4 TID = 4e8
AudioSrv: 20:57:20.718 892D35E4.E1981138 TERMSRV: -|--------------------------------------------|-
GFX_SessionChange: Unhandled EventType=7
20:57:20.718 892D35E4.E1981138 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:57:20.718 892D35E4.E1981138 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:57:20.718 892D35E4.E1981138 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:57:20.718 892D35E4.E1981138 TERMSRV: -|--------------------------------------------|-
20:57:20.718 892D35E4.E1981138 TERMSRV: WinStationQueryInformation LogonId=0, Class=6
20:57:20.718 892D35E4.E1981138 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error
20:57:20.718 892D35E4.E1981138 TERMSRV: WinStationQueryInformation LogonId=0, Class=6, Status=0x0
(s: 0 0x64c.65c explorer.exe) USRK-[StubReturn] NtUserPostMessage, retval = 1
(s: 0 0x64c.6fc explorer.exe) USRK-[StubReturn] NtUserGetMessage, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserDefSetText, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USER-[Vrbs=1421]
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetSystemMenu, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE10CD738 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE10CD738
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE10CD738 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE10CD738
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINOUTLPWINDOWPOS, FNID_DEFWINDOWPROC(WM_WINDOWPOSCHANGING)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINOUTLPWINDOWPOS, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGING), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINOUTNCCALCSIZE, FNID_DEFWINDOWPROC(WM_NCCALCSIZE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINOUTNCCALCSIZE, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTNCCALCSIZE, Unknown(WM_NCCALCSIZE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FAllowForegroundActivate FRemoveForegroundActivate 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear TIF 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear W32PF 0XE165D9A0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxActivateWindow temporarly set TIF 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxSetForegroundWindow FRemoveForegroundActivate 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear TIF 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear W32PF 0XE165D9A0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxSetForegroundWindow2 by 0XE141BE18 to 0XBC646104-0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[KBD] SetGlobalKeyboardTableInfo:Changing KL NLS Table: new HKL=0X04090409
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[KBD] SetGlobalKeyboardTableInfo: new gpKbdNlsTbl=00000000
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGING), retval = 0
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE10CD738 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE10CD738
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
Breakpoint 14 hit
eax=c0000000 ebx=00000000 ecx=00000000 edx=00000000 esi=01019e08 edi=0006e604
eip=01019e08 esp=0006e590 ebp=0006e5b8 iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000207
winlogon!SASWndProc:
001b:01019e08 55 push ebp
1: kd> dv
hwnd = 0x0001001c
message = 0x1c
wParam = 1
lParam = 0n0
szDesktop = unsigned short [260]
InfoData = struct _WINSTATIONINFORMATIONW
Length = 0x6de78
szTaskMgr = unsigned short [12]
val = 0
bSecure = 0n1
Desktop = 0x0006ea24
Value = char [10] ""
dwSize = 0x1c
dwType = 0
esi = 0
h = 0x00000000
ScEvent = ScNone (0n0)
ScData = 0x00000000
bRestart = 0n0
hKey = 0x0006ea24
dwType = 0
val = 1
pchData = 0x00000000
1: kd> kc
#
00 winlogon!SASWndProc
01 USER32!InternalCallWinProc
02 USER32!UserCallWinProcCheckWow
03 USER32!DispatchClientMessage
04 USER32!__fnDWORD
05 ntdll!KiUserCallbackDispatcher
06 nt!KiCallUserMode
07 nt!KeUserModeCallback
08 win32k!SfnDWORD
09 win32k!xxxSendMessageToClient
0a win32k!xxxSendMessageTimeout
0b win32k!xxxSendMessage
0c win32k!xxxActivateApp
0d win32k!xxxInternalEnumWindow
0e win32k!xxxActivateThisWindow
0f win32k!xxxSetForegroundWindow2
10 win32k!xxxSetForegroundWindow
11 win32k!xxxActivateWindow
12 win32k!xxxSwpActivate
13 win32k!xxxEndDeferWindowPosEx
14 win32k!xxxSetWindowPos
15 win32k!NtUserSetWindowPos
16 nt!_KiSystemService
17 SharedUserData!SystemCallStub
18 ntdll!KiUserCallbackDispatcher
19 USER32!NtUserSetWindowPos
1a MSGINA!SizeForBranding
1b MSGINA!LockedDlgInit
1c MSGINA!LockedDlgProc
1d winlogon!RootDlgProc
1e USER32!InternalCallWinProc
1f USER32!UserCallDlgProcCheckWow
20 USER32!DefDlgProcWorker
21 USER32!SendMessageWorker
22 USER32!InternalCreateDialog
23 USER32!InternalDialogBox
24 USER32!DialogBoxIndirectParamAorW
25 USER32!DialogBoxParamW
26 USER32!DialogBoxParamW_wrapper
27 winlogon!Fusion_DialogBoxParam
28 winlogon!TimeoutDialogBoxParam
29 winlogon!WlxDialogBoxParam
2a MSGINA!WlxDisplayLockedNotice
2b winlogon!DoLockWksta
2c winlogon!SASWndProc
2d USER32!InternalCallWinProc
2e USER32!UserCallWinProcCheckWow
2f USER32!SendMessageWorker
30 USER32!SendMessageW
31 USER32!SendMessageW_wrapper
32 winlogon!SASWndProc
33 USER32!InternalCallWinProc
34 USER32!UserCallWinProcCheckWow
35 USER32!DispatchMessageWorker
36 USER32!DispatchMessageW
37 USER32!DialogBox2
38 USER32!InternalDialogBox
39 USER32!DialogBoxIndirectParamAorW
3a USER32!DialogBoxParamW
3b USER32!DialogBoxParamW_wrapper
3c winlogon!Fusion_DialogBoxParam
3d winlogon!TimeoutDialogBoxParam
3e winlogon!WlxDialogBoxParam
3f winlogon!BlockWaitForUserAction
40 winlogon!MainLoop
41 winlogon!WinMain
42 winlogon!WinMainCRTStartup
1: kd> kv
# ChildEBP RetAddr Args to Child
00 0006e58c 77ce7ee3 0001001c 0000001c 00000001 winlogon!SASWndProc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\sas.c @ 1216]
01 0006e5b8 77cf2bff 01019e08 0001001c 0000001c USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
02 0006e630 77cbe5f7 00000000 01019e08 0001001c USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 165]
03 0006e68c 77cbe80c 007d3244 0000001c 00000001 USER32!DispatchClientMessage+0x166 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\client.c @ 3037]
04 0006e6b4 77f5448f 0006e6c4 00000018 007d3244 USER32!__fnDWORD+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\inc\ntcb.h @ 639]
05 0006e6b4 80a3f168 0006e6c4 00000018 007d3244 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0]) [d:\srv03rtm\base\ntos\rtl\i386\userdisp.asm @ 153]
06 ba72b7f4 80cc5b26 ba72b8bc ba72b8c0 e141be18 nt!KiCallUserMode+0x4 (FPO: [2,3,4]) [d:\srv03rtm\base\ntos\ke\i386\callout.asm @ 109]
07 ba72b84c bf807bfa 00000002 ba72b89c 00000018 nt!KeUserModeCallback+0xc6 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\i386\callback.c @ 127]
08 ba72b8e4 bf8fa60b bc643244 0000001c 00000001 win32k!SfnDWORD+0x121 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\inc\ntcb.h @ 618]
09 ba72b93c bf804176 02643244 0000001c 00000001 win32k!xxxSendMessageToClient+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\sendmsg.c @ 839]
0a ba72b98c bf80edea bc643244 0000001c 00000001 win32k!xxxSendMessageTimeout+0x22d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\sendmsg.c @ 1039]
0b ba72b9b0 bf85bd00 bc643244 0000001c 00000001 win32k!xxxSendMessage+0x19 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\sendmsg.c @ 760]
0c ba72b9cc bf85bc96 bc643244 ba72baac bc646104 win32k!xxxActivateApp+0x3e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\focusact.c @ 348]
0d ba72ba04 bf826cc6 00000001 bf85bcc2 ba72baac win32k!xxxInternalEnumWindow+0x51 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\enumwin.c @ 69]
0e ba72bab8 bf865581 00000000 00000000 00000001 win32k!xxxActivateThisWindow+0x4fa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\focusact.c @ 801]
0f ba72bb68 bf8ce20e bc646104 e141be18 00000000 win32k!xxxSetForegroundWindow2+0x643 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\focusact.c @ 1648]
10 ba72bba8 bf83a27e bc646104 00000001 bf9f6c74 win32k!xxxSetForegroundWindow+0x23d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\focusact.c @ 1279]
11 ba72bbe4 bf81f1c4 00000001 00000001 00000000 win32k!xxxActivateWindow+0x1ff (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\focusact.c @ 2247]
12 ba72bbfc bf81c031 bc646104 00000000 bc646104 win32k!xxxSwpActivate+0x4a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\swp.c @ 1660]
13 ba72bca0 bf81c188 bfa71460 bc646104 bf9dab54 win32k!xxxEndDeferWindowPosEx+0x41c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\swp.c @ 5154]
14 ba72bcc0 bf81e941 bc646104 00000000 00000000 win32k!xxxSetWindowPos+0xed (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\swp.c @ 1584]
15 ba72bd34 80afbcb2 00000000 00000000 00000000 win32k!NtUserSetWindowPos+0x21c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 2547]
16 ba72bd34 7ffe0304 00000000 00000000 00000000 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ ba72bd64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
17 0006e6b4 77f5448f 0006e6c4 00000018 007d3244 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
18 0006e6d8 77cc0b0c 7508a4f5 000e00b4 00000000 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0]) [d:\srv03rtm\base\ntos\rtl\i386\userdisp.asm @ 153]
19 0006e71c 7508acf4 000e00b4 00000000 00000048 USER32!NtUserSetWindowPos+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 4443]
1a 0006e730 750939a7 000e00b4 00000000 000e00b4 MSGINA!SizeForBranding+0x21 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\msgina\brand.c @ 704]
1b 0006e950 75094a3d 000e00b4 001594a0 000774bc MSGINA!LockedDlgInit+0x3b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\msgina\mslock.c @ 308]
1c 0006e968 0102c2bd 000e00b4 00000110 000900e6 MSGINA!LockedDlgProc+0xad (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\msgina\mslock.c @ 249]
1d 0006e98c 77ce7ee3 000e00b4 00000110 000900e6 winlogon!RootDlgProc+0x8d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlxutil.c @ 343]
1e 0006e9b8 77cf2d66 0102c230 000e00b4 00000110 USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
1f 0006ea34 77cd4af3 00000000 0102c230 000e00b4 USER32!UserCallDlgProcCheckWow+0x147 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 228]
20 0006ea7c 77cbf93f 00000000 00000110 000900e6 USER32!DefDlgProcWorker+0x11f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 511]
21 0006eaac 77cd5e88 007d6104 007d241c 000900e6 USER32!SendMessageWorker+0x42a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 674]
22 0006eb68 77cff432 75080000 750b757e 00000000 USER32!InternalCreateDialog+0xc8d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgbegin.c @ 1309]
23 0006eb9c 77ce5e58 75080000 750b73e8 00000000 USER32!InternalDialogBox+0xe1 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1339]
24 0006ebbc 77ce76e7 75080000 750b73e8 00000000 USER32!DialogBoxIndirectParamAorW+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 806]
25 0006ebe0 77cf607b 75080000 0000076c 00000000 USER32!DialogBoxParamW+0x3d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 954]
26 0006ec08 0102e8fc 75080000 0000076c 00000000 USER32!DialogBoxParamW_wrapper+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 933]
27 0006ec2c 010221e2 75080000 0000076c 00000000 winlogon!Fusion_DialogBoxParam+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\fusion.cpp @ 39]
28 0006ec70 0102c860 00077418 75080000 0000076c winlogon!TimeoutDialogBoxParam+0x36 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\timeout.c @ 1092]
29 0006eca8 75094aa4 00077418 75080000 0000076c winlogon!WlxDialogBoxParam+0xb7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlxutil.c @ 898]
2a 0006eccc 010284a8 001594a0 00000000 00000001 MSGINA!WlxDisplayLockedNotice+0x3f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\msgina\mslock.c @ 400]
2b 0006ece4 0101a7bf 00000006 00000000 0006f478 winlogon!DoLockWksta+0x9d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlx.c @ 2228]
2c 0006f400 77ce7ee3 0001001c 0000004c 00000005 winlogon!SASWndProc+0x9b7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\sas.c @ 1708]
2d 0006f42c 77cf2bff 01019e08 0001001c 0000004c USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
2e 0006f4a4 77cbfa0f 00000000 01019e08 0001001c USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 165]
2f 0006f4e0 77cc0743 007d3244 007d310c 00000005 USER32!SendMessageWorker+0x4fa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 697]
30 0006f500 77cf1522 0001001c 0000004c 00000005 USER32!SendMessageW+0x70 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 809]
31 0006f524 0101aa94 0001001c 0000004c 00000005 USER32!SendMessageW_wrapper+0x54 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 755]
32 0006fc48 77ce7ee3 0001001c 00000312 00000005 winlogon!SASWndProc+0xc8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\sas.c @ 1318]
33 0006fc74 77cf2bff 01019e08 0001001c 00000312 USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
34 0006fcec 77cbe3db 00000000 01019e08 0001001c USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 165]
35 0006fd54 77cc4014 0006fd7c 00000000 0006fd9c USER32!DispatchMessageWorker+0x3e3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 2497]
36 0006fd64 77cdff53 0006fd7c 00000000 00000000 USER32!DispatchMessageW+0xd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 1046]
37 0006fd9c 77cff459 00050020 00000000 00000010 USER32!DialogBox2+0x158 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1196]
38 0006fdc4 77ce5e58 01000000 01059dd0 00000000 USER32!InternalDialogBox+0x108 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1353]
39 0006fde4 77ce76e7 01000000 01059dd0 00000000 USER32!DialogBoxIndirectParamAorW+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 806]
3a 0006fe08 77cf607b 01000000 00000578 00000000 USER32!DialogBoxParamW+0x3d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 954]
3b 0006fe30 0102e8fc 01000000 00000578 00000000 USER32!DialogBoxParamW_wrapper+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 933]
3c 0006fe54 010221e2 01000000 00000578 00000000 winlogon!Fusion_DialogBoxParam+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\fusion.cpp @ 39]
3d 0006fe98 0102c860 00077418 01000000 00000578 winlogon!TimeoutDialogBoxParam+0x36 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\timeout.c @ 1092]
3e 0006fed0 01029579 00077418 01000000 00000578 winlogon!WlxDialogBoxParam+0xb7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlxutil.c @ 898]
3f 0006fef4 010299f3 00077418 00077418 00000004 winlogon!BlockWaitForUserAction+0x38 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlx.c @ 3105]
40 0006ff14 01026637 00077418 ffffffff 00000000 winlogon!MainLoop+0x44c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlx.c @ 3665]
41 0006ff50 0102edc6 000a7c48 00000000 00072f0c winlogon!WinMain+0x4c7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\winlogon.c @ 1350]
42 0006fff4 00000000 7ffdf000 0000018a 000001dc winlogon!WinMainCRTStartup+0x182 (FPO: [Non-Fpo]) (CONV: cdecl) [d:\srv03rtm\base\crts\crtw32\dllstuff\crtexe.c @ 493]
1: kd> bp 75094a3d
1: kd> g
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnDWORD, FNID_DEFWINDOWPROC(WM_NCACTIVATE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_NCACTIVATE), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_KILLFOCUS), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetFocus, retval = e00b4
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SETFOCUS), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] xxxActivateWindow set TIF 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGED), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1bc.1e8 csrss.exe) USRK-[VWPL] VWPL 00000000 => NULL (empty)
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE10CD738 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE10CD738
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINOUTLPWINDOWPOS, FNID_DEFWINDOWPROC(WM_WINDOWPOSCHANGING)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINOUTLPWINDOWPOS, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGING), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnINOUTNCCALCSIZE, FNID_DEFWINDOWPROC(WM_NCCALCSIZE)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnINOUTNCCALCSIZE, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTNCCALCSIZE, Unknown(WM_NCCALCSIZE), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGED), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE10CD738 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE10CD738
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetIconSize, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetCursorFrameInfo, retval = 2005b
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserInvalidateRect, retval = 1
468.472> Winlogon-Trace-SC: Start listening called
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE10CD738 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE10CD738
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGING), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGED), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetWindowPos, retval = 1
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0xE1689258 sets ptiSL 0xE1689258 to pq 0xE1425388 ; old ptiSL 0x00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 2 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 00000000
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 3 pti 0XE1689258 sets id 0XE10CD738 to pq 0XE1425388 ; old id 00000000
-> msg 200 hwnd 00000000 w 00000000 l 0X01250138 pti 0XE1689258
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0XE1689258 sets id 00000000 to pq 0XE1425388 ; old id 0XE10CD738
(s: 0 0x1bc.1ec csrss.exe) USRK-[SysPeek] 1 pti 0xE1689258 sets ptiSL 0x00000000 to pq 0xE1425388 ; old ptiSL 0xE1689258
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FAllowForegroundActivate FRemoveForegroundActivate 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear TIF 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FRemoveForegroundActivate clear W32PF 0XE165D9A0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FAllowForegroundActivate FALSE due to addtional checks
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] xxxStubSetForegroundWindow, retval = 1
Breakpoint 16 hit
eax=00000001 ebx=000e00b4 ecx=7bdcc217 edx=7ffe0304 esi=001594a0 edi=000e00b4
eip=75094a3d esp=0006e960 ebp=0006e968 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
MSGINA!LockedDlgProc+0xad:
001b:75094a3d 85c0 test eax,eax
1: kd> kv
# ChildEBP RetAddr Args to Child
00 0006ea34 77cd4af3 00000000 0102c230 000e00b4 USER32!UserCallDlgProcCheckWow+0x147 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 228]
01 0006ea7c 77cbf93f 00000000 00000110 000900e6 USER32!DefDlgProcWorker+0x11f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 511]
02 0006eaac 77cd5e88 007d6104 007d241c 000900e6 USER32!SendMessageWorker+0x42a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 674]
03 0006eb68 77cff432 75080000 750b757e 00000000 USER32!InternalCreateDialog+0xc8d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgbegin.c @ 1309]
04 0006eb9c 77ce5e58 75080000 750b73e8 00000000 USER32!InternalDialogBox+0xe1 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1339]
05 0006ebbc 77ce76e7 75080000 750b73e8 00000000 USER32!DialogBoxIndirectParamAorW+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 806]
06 0006ebe0 77cf607b 75080000 0000076c 00000000 USER32!DialogBoxParamW+0x3d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 954]
07 0006ec08 0102e8fc 75080000 0000076c 00000000 USER32!DialogBoxParamW_wrapper+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 933]
08 0006ec2c 010221e2 75080000 0000076c 00000000 winlogon!Fusion_DialogBoxParam+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\fusion.cpp @ 39]
09 0006ec70 0102c860 00077418 75080000 0000076c winlogon!TimeoutDialogBoxParam+0x36 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\timeout.c @ 1092]
0a 0006eca8 75094aa4 00077418 75080000 0000076c winlogon!WlxDialogBoxParam+0xb7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlxutil.c @ 898]
0b 0006eccc 010284a8 001594a0 00000000 00000001 MSGINA!WlxDisplayLockedNotice+0x3f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\msgina\mslock.c @ 400]
0c 0006ece4 0101a7bf 00000006 00000000 0006f478 winlogon!DoLockWksta+0x9d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlx.c @ 2228]
0d 0006f400 77ce7ee3 0001001c 0000004c 00000005 winlogon!SASWndProc+0x9b7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\sas.c @ 1708]
0e 0006f42c 77cf2bff 01019e08 0001001c 0000004c USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
0f 0006f4a4 77cbfa0f 00000000 01019e08 0001001c USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 165]
10 0006f4e0 77cc0743 007d3244 007d310c 00000005 USER32!SendMessageWorker+0x4fa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 697]
11 0006f500 77cf1522 0001001c 0000004c 00000005 USER32!SendMessageW+0x70 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 809]
12 0006f524 0101aa94 0001001c 0000004c 00000005 USER32!SendMessageW_wrapper+0x54 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 755]
13 0006fc48 77ce7ee3 0001001c 00000312 00000005 winlogon!SASWndProc+0xc8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\sas.c @ 1318]
14 0006fc74 77cf2bff 01019e08 0001001c 00000312 USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
15 0006fcec 77cbe3db 00000000 01019e08 0001001c USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 165]
16 0006fd54 77cc4014 0006fd7c 00000000 0006fd9c USER32!DispatchMessageWorker+0x3e3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 2497]
17 0006fd64 77cdff53 0006fd7c 00000000 00000000 USER32!DispatchMessageW+0xd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 1046]
18 0006fd9c 77cff459 00050020 00000000 00000010 USER32!DialogBox2+0x158 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1196]
19 0006fdc4 77ce5e58 01000000 01059dd0 00000000 USER32!InternalDialogBox+0x108 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\dlgmgr.c @ 1353]
1a 0006fde4 77ce76e7 01000000 01059dd0 00000000 USER32!DialogBoxIndirectParamAorW+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 806]
1b 0006fe08 77cf607b 01000000 00000578 00000000 USER32!DialogBoxParamW+0x3d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 954]
1c 0006fe30 0102e8fc 01000000 00000578 00000000 USER32!DialogBoxParamW_wrapper+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clres.c @ 933]
1d 0006fe54 010221e2 01000000 00000578 00000000 winlogon!Fusion_DialogBoxParam+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\fusion.cpp @ 39]
1e 0006fe98 0102c860 00077418 01000000 00000578 winlogon!TimeoutDialogBoxParam+0x36 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\timeout.c @ 1092]
1f 0006fed0 01029579 00077418 01000000 00000578 winlogon!WlxDialogBoxParam+0xb7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlxutil.c @ 898]
20 0006fef4 010299f3 00077418 00077418 00000004 winlogon!BlockWaitForUserAction+0x38 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlx.c @ 3105]
21 0006ff14 01026637 00077418 ffffffff 00000000 winlogon!MainLoop+0x44c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\wlx.c @ 3665]
22 0006ff50 0102edc6 000a7c48 00000000 00072f0c winlogon!WinMain+0x4c7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\gina\winlogon\winlogon.c @ 1350]
23 0006fff4 00000000 7ffdf000 0000018a 000001dc winlogon!WinMainCRTStartup+0x182 (FPO: [Non-Fpo]) (CONV: cdecl) [d:\srv03rtm\base\crts\crtw32\dllstuff\crtexe.c @ 493]
1: kd> bp 77cff432
1: kd> g
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserSetFocus, retval = 900e6
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SHOWWINDOW), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[FOREGROUND] FAllowForegroundActivate FRemoveForegroundActivate 0XE141BE18
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINOUTLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGING), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[VWPL] VWPL 00000000 + 0XBC646104
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnDWORD, FNID_DEFWINDOWPROC(WM_NCPAINT)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnOUTSTRING, Unknown(WM_GETTEXT), retval = f
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_NCPAINT), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ERASEBKGND), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[VWPL] VWPL 0XE196C858 - 0XBC646104
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnINLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGED), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserShowWindow, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubThunk] Thunk fnDWORD, FNID_DEFWINDOWPROC(WM_PAINT)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ERASEBKGND), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[VWPL] VWPL 00000000 - 0XBC646224
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserBeginPaint, retval = 1010052
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_CTLCOLORSTATIC), retval = 1100058
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetControlBrush, retval = 1100058
(s: 0 0x1bc.1e8 csrss.exe) USRK-[VWPL] VWPL 00000000 => NULL (empty)
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserEndPaint, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ERASEBKGND), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[VWPL] VWPL 00000000 - 0XBC646324
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserBeginPaint, retval = 1010052
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_CTLCOLORSTATIC), retval = 1100058
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetControlBrush, retval = 1100058
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserEndPaint, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ERASEBKGND), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[VWPL] VWPL 00000000 - 0XBC646424
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserBeginPaint, retval = 1010052
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_CTLCOLORSTATIC), retval = 1100058
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetControlBrush, retval = 1100058
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserEndPaint, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ERASEBKGND), retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[VWPL] VWPL 00000000 - 0XBC646524
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserBeginPaint, retval = 1010052
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_CTLCOLORSTATIC), retval = 1100058
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserGetControlBrush, retval = 1100058
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserDrawIconEx, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] NtUserEndPaint, retval = 1
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x1d4.1d8 winlogon.exe) USRK-[StubReturn] xxxUpdateWindow, retval = 1
/*
* NOTE(review): this is an excerpt, apparently the tail of
* USER32!InternalDialogBox (the `kc` output right after it shows that
* function as frame 00). The function header and the code that sets
* fDisabled, fUnlockOwner, fOwnerIsActiveWindow and tlpwndOwner are not
* part of the excerpt.
*/
/*
* Creates the dialog. Frees the menu if this routine fails.
*/
hwnd = InternalCreateDialog(hModule, lpdt, 0, hwndOwner,
pfnDialog, lParam, fSCDLGFlags);
if (hwnd == NULL) {
/*
* The dialog creation failed. Re-enable the window, destroy the
* menu, ie., fail gracefully.
*/
/*
* presumably fDisabled means the owner was already disabled before this
* routine touched it, so only an owner disabled here is re-enabled --
* TODO confirm against the part of the function not shown
*/
if (!fDisabled && hwndOwner != NULL)
NtUserEnableWindow(hwndOwner, TRUE);
/* the owner's thread lock is dropped on the failure path as well */
if (fUnlockOwner)
ThreadUnlock(&tlpwndOwner);
/* -1 is the value handed back when the dialog window could not be created */
return -1;
}
/*
* DialogBox2 is the frame from which DispatchMessageW is called in the
* stack traces on this page; its result is returned to the caller
* unchanged once the owner lock has been released.
*/
i = DialogBox2(hwnd, hwndOwner, fDisabled, fOwnerIsActiveWindow);
if (fUnlockOwner)
ThreadUnlock(&tlpwndOwner);
return i;
}
1: kd> kc
#
00 USER32!InternalDialogBox
01 USER32!DialogBoxIndirectParamAorW
02 USER32!DialogBoxParamW
03 USER32!DialogBoxParamW_wrapper
04 winlogon!Fusion_DialogBoxParam
05 winlogon!TimeoutDialogBoxParam
06 winlogon!WlxDialogBoxParam
07 MSGINA!WlxDisplayLockedNotice
08 winlogon!DoLockWksta
09 winlogon!SASWndProc
0a USER32!InternalCallWinProc
0b USER32!UserCallWinProcCheckWow
0c USER32!SendMessageWorker
0d USER32!SendMessageW
0e USER32!SendMessageW_wrapper
0f winlogon!SASWndProc
10 USER32!InternalCallWinProc
11 USER32!UserCallWinProcCheckWow
12 USER32!DispatchMessageWorker
13 USER32!DispatchMessageW
14 USER32!DialogBox2
15 USER32!InternalDialogBox
16 USER32!DialogBoxIndirectParamAorW
17 USER32!DialogBoxParamW
18 USER32!DialogBoxParamW_wrapper
19 winlogon!Fusion_DialogBoxParam
1a winlogon!TimeoutDialogBoxParam
1b winlogon!WlxDialogBoxParam
1c winlogon!BlockWaitForUserAction
1d winlogon!MainLoop
1e winlogon!WinMain
1f winlogon!WinMainCRTStartup
