All threads in blocked state before vista login window appears
in [Win32 Kernel]
|
Prev: variable name conflict in a C file gnerated by MIDL
Next: ERROR_BAD_IMPERSONATION_LEVEL with Vista SP1, any workaround?
From: unicell on 19 Sep 2008 04:47 Hi, I'm running Vista on a modified XEN kernel. And there is a rare case (probably 1~2 out of 100 booting), that windows hangs before user login window appears. When it happens, there is a mouse cursor (movable by mouse) on black screen, and then just hangs there for hours. I'm tring to find out the reason using WinDbg tool, and seems all threads are in blocked/wait state. There is no apparant locks or deadlock from the output of !locks, !deadlock. And I'm not really a windows guy, could anyone here kindly give me some clue of where to look into? Full process list attached below. Thanks in advance!! -- Yu 0: kd> !process 0 17 **** NT ACTIVE PROCESS DUMP **** PROCESS 8313bd90 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00122000 ObjectTable: 87000238 HandleCount: 261. Image: System VadRoot 83ff6608 Vads 362 Clone 0 Private 932. Modified 7183. Locked 0. DeviceMap 87003058 Token 87003890 ElapsedTime 1 Day 18:08:22.437 UserTime 00:00:00.000 KernelTime 00:00:00.609 QuotaPoolUsage[PagedPool] 0 QuotaPoolUsage[NonPagedPool] 0 Working Set Sizes (now,min,max) (988, 0, 0) (3952KB, 0KB, 0KB) PeakWorkingSetSize 2999 VirtualSize 4 Mb PeakVirtualSize 12 Mb PageFaultCount 15429 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 942 THREAD 8313bae8 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 81d08e40 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 38658 Ticks: 1731 (0:00:00:27.046) Context Switch Count 1395 UserTime 00:00:00.000 KernelTime 00:00:02.281 Win32 Start Address nt!Phase1Initialization (0x81d43553) Stack Init 86641000 Current 86640c70 Base 86641000 Limit 8663e000 Call 0 Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86640c88 81c699de 8313bb70 8313bae8 8313bba0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86640cc4 81c67434 8313bae8 00000000 00000000 nt!KiSwapThread +0x36d 86640d24 81c9fbc7 81d08e40 00000008 00000000 nt! KeWaitForSingleObject+0x414 86640d74 81d43565 86640dc0 81dafafd 80806ea0 nt! MmZeroPageThread+0x10d 86640d7c 81dafafd 80806ea0 8664b680 00000000 nt! Phase1Initialization+0x12 86640dc0 81c9a2c6 81d43553 80806ea0 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8317f020 Cid 0004.0010 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 81d00d30 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 68 Ticks: 40321 (0:00:10:30.015) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!PopIrpWorkerControl (0x81c05775) Stack Init 86615000 Current 86614c98 Base 86615000 Limit 86612000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86614cb0 81c699de 8317f0a8 8317f020 8317f0d8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86614cec 81c67434 8317f020 00000000 81d00d00 nt!KiSwapThread +0x36d 86614d4c 81c0579a 81d00d30 00000000 00000000 nt! KeWaitForSingleObject+0x414 86614d7c 81dafafd 00000000 8661f680 00000000 nt! PopIrpWorkerControl+0x25 86614dc0 81c9a2c6 81c05775 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8317fd78 Cid 0004.0014 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 81d01280 Semaphore Limit 0x7fffffff Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 869 Ticks: 39520 (0:00:10:17.500) Context Switch Count 13 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!PopIrpWorker (0x81c0691f) Stack Init 86611000 Current 86610c60 Base 86611000 Limit 8660e000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86610c78 81c699de 8317fe00 8317fd78 8317fe30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86610cb4 81c67434 8317fd78 00000000 81d00d00 nt!KiSwapThread +0x36d 86610d14 81c06a48 81d01280 00000000 00000000 nt! KeWaitForSingleObject+0x414 86610d7c 81dafafd 00000000 8661b680 00000000 nt!PopIrpWorker +0x129 86610dc0 81c9a2c6 81c0691f 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8317fad0 Cid 0004.0018 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 81d01280 Semaphore Limit 0x7fffffff Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 610 Ticks: 39779 (0:00:10:21.546) Context Switch Count 12 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!PopIrpWorker (0x81c0691f) Stack Init 8660d000 Current 8660cc60 Base 8660d000 Limit 8660a000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 2 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8660cc78 81c699de 8317fb58 8317fad0 8317fb88 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8660ccb4 81c67434 8317fad0 00000000 81d00d00 nt!KiSwapThread +0x36d 8660cd14 81c06a48 81d01280 00000000 00000000 nt! KeWaitForSingleObject+0x414 8660cd7c 81dafafd 00000000 86607680 00000000 nt!PopIrpWorker +0x129 8660cdc0 81c9a2c6 81c0691f 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8317f718 Cid 0004.001c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf5600 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 423 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865d9000 Current 865d8c90 Base 865d9000 Limit 865d6000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865d8ca8 81c699de 8317f718 86600120 8317f7a0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865d8ce4 81c617d5 8317f718 81cf5600 8317f718 nt!KiSwapThread +0x36d 865d8d30 81c6b6fa 81cf5600 00000001 00000000 nt!KeRemoveQueueEx +0x568 865d8d7c 81dafafd 84561940 865d3680 00000000 nt!ExpWorkerThread +0xd5 865d8dc0 81c9a2c6 81c6b625 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8317f470 Cid 0004.0020 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf5600 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1488 Ticks: 38901 (0:00:10:07.828) Context Switch Count 8 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865d5000 Current 865d4c90 Base 865d5000 Limit 865d2000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 865d4ca8 81c699de 8317f470 81cec820 8317f4f8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865d4ce4 81c617d5 8317f470 81cf5600 8317f470 nt!KiSwapThread +0x36d 865d4d30 81c6b6fa 81cf5600 00000001 00000000 nt!KeRemoveQueueEx +0x568 865d4d7c 81dafafd 83fde820 865df680 00000000 nt!ExpWorkerThread +0xd5 865d4dc0 81c9a2c6 81c6b625 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83183020 Cid 0004.0024 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf5600 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1240 Ticks: 39149 (0:00:10:11.703) Context Switch Count 85 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865d1000 Current 865d0c90 Base 865d1000 Limit 865ce000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 865d0ca8 81c699de 83183020 86600120 831830a8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865d0ce4 81c617d5 83183020 81cf5600 83183020 nt!KiSwapThread +0x36d 865d0d30 81c6b6fa 81cf5600 00000001 00000000 nt!KeRemoveQueueEx +0x568 865d0d7c 81dafafd 8469b7b0 865db680 00000000 nt!ExpWorkerThread +0xd5 865d0dc0 81c9a2c6 81c6b625 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83183d78 Cid 0004.0028 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf5600 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1240 Ticks: 39149 (0:00:10:11.703) Context Switch Count 570 UserTime 00:00:00.000 KernelTime 00:00:01.500 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865cd000 Current 865ccc90 Base 865cd000 Limit 865ca000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 865ccca8 81c699de 83183d78 86600120 83183e00 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865ccce4 81c617d5 83183d78 81cf5600 83183d78 nt!KiSwapThread +0x36d 865ccd30 81c6b6fa 81cf5600 00000001 00000000 nt!KeRemoveQueueEx +0x568 865ccd7c 81dafafd 846882d0 865c7680 00000000 nt!ExpWorkerThread +0xd5 865ccdc0 81c9a2c6 81c6b625 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83183ad0 Cid 0004.002c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf5600 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 829 UserTime 00:00:00.000 KernelTime 00:00:01.406 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865c9000 Current 865c8c90 Base 865c9000 Limit 865c6000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865c8ca8 81c699de 83183ad0 86600120 83183b58 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865c8ce4 81c617d5 83183ad0 81cf5600 83183ad0 nt!KiSwapThread +0x36d 865c8d30 81c6b6fa 81cf5600 00000001 00000000 nt!KeRemoveQueueEx +0x568 865c8d7c 81dafafd 85236f60 865c3680 00000000 nt!ExpWorkerThread +0xd5 865c8dc0 81c9a2c6 81c6b625 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83183828 Cid 0004.0030 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf563c QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1103 Ticks: 39286 (0:00:10:13.843) Context Switch Count 217 UserTime 00:00:00.000 KernelTime 00:00:00.031 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865c5000 Current 865c4c90 Base 865c5000 Limit 865c2000 Call 0 Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 865c4ca8 81c699de 83183828 81cec820 831838b0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865c4ce4 81c617d5 83183828 81cf563c 83183828 nt!KiSwapThread +0x36d 865c4d30 81c6b6fa 81cf563c 00000001 00000000 nt!KeRemoveQueueEx +0x568 865c4d7c 81dafafd 8442f6b8 865cf680 00000000 nt!ExpWorkerThread +0xd5 865c4dc0 81c9a2c6 81c6b625 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83183580 Cid 0004.0034 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf563c QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 3945 UserTime 00:00:00.000 KernelTime 00:00:00.078 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865c1000 Current 865c0c90 Base 865c1000 Limit 865be000 Call 0 Priority 12 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865c0ca8 81c699de 83183580 86600120 83183608 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865c0ce4 81c617d5 83183580 81cf563c 83183580 nt!KiSwapThread +0x36d 865c0d30 81c6b6fa 81cf563c 00000001 00000000 nt!KeRemoveQueueEx +0x568 865c0d7c 81dafafd 8519e0c0 865cb680 00000000 nt!ExpWorkerThread +0xd5 865c0dc0 81c9a2c6 81c6b625 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 831832d8 Cid 0004.0038 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 851ae9cc NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 2842 Ticks: 37547 (0:00:09:46.671) Context Switch Count 1747 UserTime 00:00:00.000 KernelTime 00:00:03.265 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865bd000 Current 865bc8c0 Base 865bd000 Limit 865ba000 Call 0 Priority 14 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865bc8d8 81c699de 83183360 831832d8 83183390 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865bc914 81c67434 831832d8 851ae9cc 851ad000 nt!KiSwapThread +0x36d 865bc970 8ac9b5e2 851ae9cc 00000000 00000000 nt! KeWaitForSingleObject+0x414 WARNING: Stack unwind information not available. Following frames may be wrong. 865bca04 8aca0876 865bca1c 81c35628 85250368 DRVNDDM+0x5e2 865bcadc 8aca07c3 00000030 00000000 865bcb18 DRVNDDM! EdmScanDevices+0x64 865bcaec 8ac9c330 85250368 85252000 00000000 DRVNDDM! EdmDeviceRefresh+0x163 865bcb18 81d55542 85250368 85252000 00000000 DRVNDDM+0x1330 865bccfc 81d55d08 00000001 00000000 865bcd24 nt!IopLoadDriver +0x7ec 865bcd44 81c6b722 8a553d00 00000000 831832d8 nt! IopLoadUnloadDriver+0x70 865bcd7c 81dafafd 8a553d00 865b7680 00000000 nt!ExpWorkerThread +0xfd 865bcdc0 81c9a2c6 81c6b625 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83182020 Cid 0004.003c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf563c QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 27136 Ticks: 13253 (0:00:03:27.078) Context Switch Count 219 UserTime 00:00:00.000 KernelTime 00:00:00.062 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865b9000 Current 865b8c90 Base 865b9000 Limit 865b6000 Call 0 Priority 15 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 865b8ca8 81c699de 83182020 86600120 831820a8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865b8ce4 81c617d5 83182020 81cf563c 83182020 nt!KiSwapThread +0x36d 865b8d30 81c6b6fa 81cf563c 00000001 00000000 nt!KeRemoveQueueEx +0x568 865b8d7c 81dafafd 8523a588 865b3680 00000000 nt!ExpWorkerThread +0xd5 865b8dc0 81c9a2c6 81c6b625 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83182d78 Cid 0004.0040 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf563c QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1489 Ticks: 38900 (0:00:10:07.812) Context Switch Count 252 UserTime 00:00:00.000 KernelTime 00:00:00.015 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865b5000 Current 865b4c90 Base 865b5000 Limit 865b2000 Call 0 Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 865b4ca8 81c699de 83182d78 86600120 83182e00 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865b4ce4 81c617d5 83182d78 81cf563c 83182d78 nt!KiSwapThread +0x36d 865b4d30 81c6b6fa 81cf563c 00000001 00000000 nt!KeRemoveQueueEx +0x568 865b4d7c 81dafafd 83fcb528 865bf680 00000000 nt!ExpWorkerThread +0xd5 865b4dc0 81c9a2c6 81c6b625 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83182ad0 Cid 0004.0044 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf563c QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 2432 UserTime 00:00:00.000 KernelTime 00:00:00.078 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865b1000 Current 865b0c90 Base 865b1000 Limit 865ae000 Call 0 Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865b0ca8 81c699de 83182ad0 86600120 83182b58 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865b0ce4 81c617d5 83182ad0 81cf563c 83182ad0 nt!KiSwapThread +0x36d 865b0d30 81c6b6fa 81cf563c 00000001 00000000 nt!KeRemoveQueueEx +0x568 865b0d7c 81dafafd 8442d858 865bb680 00000000 nt!ExpWorkerThread +0xd5 865b0dc0 81c9a2c6 81c6b625 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83182828 Cid 0004.0048 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 81cf563c QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1555 Ticks: 38834 (0:00:10:06.781) Context Switch Count 34 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865ad000 Current 865acc90 Base 865ad000 Limit 865aa000 Call 0 Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 865acca8 81c699de 83182828 81cec820 831828b0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865acce4 81c617d5 83182828 81cf563c 83182828 nt!KiSwapThread +0x36d 865acd30 81c6b6fa 81cf563c 00000001 00000000 nt!KeRemoveQueueEx +0x568 865acd7c 81dafafd 83fcb9f8 865a7680 00000000 nt!ExpWorkerThread +0xd5 865acdc0 81c9a2c6 81c6b625 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83182580 Cid 0004.004c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 81cf5678 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 37250 Ticks: 3139 (0:00:00:49.046) Context Switch Count 94 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!ExpWorkerThread (0x81c6b625) Stack Init 865a9000 Current 865a8c90 Base 865a9000 Limit 865a6000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865a8ca8 81c699de 83182580 86600120 83182608 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865a8ce4 81c617d5 83182580 81cf5678 83182580 nt!KiSwapThread +0x36d 865a8d30 81c6b6fa 81cf5678 00000000 00000000 nt!KeRemoveQueueEx +0x568 865a8d7c 81dafafd 00000000 865a3680 00000000 nt!ExpWorkerThread +0xd5 865a8dc0 81c9a2c6 81c6b625 00000002 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 831822d8 Cid 0004.0050 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 865a4d50 NotificationTimer 81cf55e0 SynchronizationEvent 81cf55d0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 627 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!ExpWorkerThreadBalanceManager (0x81ddd76a) Stack Init 865a5000 Current 865a4c68 Base 865a5000 Limit 865a2000 Call 0 Priority 14 BasePriority 14 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865a4c80 81c699de 83182360 831822d8 00000003 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865a4cbc 81c4a235 831822d8 00000000 81cf56e0 nt!KiSwapThread +0x36d 865a4d08 81ddd7d2 00000003 865a4d44 00000001 nt! KeWaitForMultipleObjects+0x47d 865a4d7c 81dafafd 00000000 865af680 00000000 nt! ExpWorkerThreadBalanceManager+0x68 865a4dc0 81c9a2c6 81ddd76a 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 831841f8 Cid 0004.0054 Teb: 00000000 Win32Thread: 00000000 WAIT: (Suspended) KernelMode Non-Alertable 81cee1d0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 39617 Ticks: 772 (0:00:00:12.062) Context Switch Count 44 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!KiExecuteDpc (0x81cb0fb7) Stack Init 865a1000 Current 865a0c70 Base 865a1000 Limit 8659e000 Call 0 Priority 31 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 865a0c88 81c699de 83184280 831841f8 831842b0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 865a0cc4 81c67434 831841f8 81cee6f0 81cee19c nt!KiSwapThread +0x36d 865a0d24 81cb1111 81cee1d0 00000005 00000000 nt! KeWaitForSingleObject+0x414 865a0d7c 81dafafd 81cec820 865ab680 00000000 nt!KiExecuteDpc +0x15a 865a0dc0 81c9a2c6 81cb0fb7 81cec820 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83185020 Cid 0004.0058 Teb: 00000000 Win32Thread: 00000000 WAIT: (Suspended) KernelMode Non-Alertable 86601ad0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 39617 Ticks: 772 (0:00:00:12.062) Context Switch Count 43 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!KiExecuteDpc (0x81cb0fb7) Stack Init 8659d000 Current 8659cc70 Base 8659d000 Limit 8659a000 Call 0 Priority 31 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8659cc88 81c699de 831850a8 83185020 831850d8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8659ccc4 81c67434 83185020 86601ff0 86601a9c nt!KiSwapThread +0x36d 8659cd24 81cb1111 86601ad0 00000005 00000000 nt! KeWaitForSingleObject+0x414 8659cd7c 81dafafd 86600120 86597680 00000000 nt!KiExecuteDpc +0x15a 8659cdc0 81c9a2c6 81cb0fb7 86600120 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83188d78 Cid 0004.005c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrVirtualMemory) UserMode Non-Alertable 81d08e60 Semaphore Limit 0x7fffffff 81d08ed0 NotificationEvent 81d08f70 NotificationEvent 81d088f0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 72 Ticks: 40317 (0:00:10:29.953) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!MiDereferenceSegmentThread (0x81c9df98) Stack Init 86599000 Current 86598c98 Base 86599000 Limit 86596000 Call 0 Priority 18 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 86598cb0 81c699de 83188e00 83188d78 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86598cec 81c4a235 83188d78 00000000 00000000 nt!KiSwapThread +0x36d 86598d38 81c9dff5 00000004 86598d68 00000001 nt! KeWaitForMultipleObjects+0x47d 86598d7c 81dafafd 00000000 86593680 00000000 nt! MiDereferenceSegmentThread+0x5d 86598dc0 81c9a2c6 81c9df98 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83188960 Cid 0004.0060 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 81d08330 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 72 Ticks: 40317 (0:00:10:29.953) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!MiModifiedPageWriter (0x81c82f1d) Stack Init 86595000 Current 86594c88 Base 86595000 Limit 86592000 Call 0 Priority 17 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86594ca0 81c699de 831889e8 83188960 83188a18 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86594cdc 81c67434 83188960 00000000 83188960 nt!KiSwapThread +0x36d 86594d3c 81c82f5d 81d08330 00000008 00000000 nt! KeWaitForSingleObject+0x414 86594d7c 81dafafd 00000000 8659f680 00000000 nt! MiModifiedPageWriter+0x40 86594dc0 81c9a2c6 81c82f1d 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 831884c0 Cid 0004.0064 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 81d08ba0 SynchronizationEvent 81d08bb0 SynchronizationEvent 81d08bc0 SynchronizationEvent 81d08bd0 SynchronizationEvent 81d08be0 SynchronizationEvent 81d08bf0 SynchronizationEvent 81d08c00 SynchronizationEvent 81d08c10 SynchronizationEvent 81d08c20 SynchronizationEvent 81d08c30 SynchronizationEvent 81d08c40 SynchronizationEvent 81d08c50 SynchronizationEvent 81d08c60 SynchronizationEvent 81d08c70 SynchronizationEvent 81d08c80 SynchronizationEvent 81d08c90 SynchronizationEvent 81d08ca0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 72 Ticks: 40317 (0:00:10:29.953) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!MiMappedPageWriter (0x81c204f5) Stack Init 86591000 Current 86590c58 Base 86591000 Limit 8658e000 Call 0 Priority 17 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86590c70 81c699de 83188548 831884c0 00000011 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86590cac 81c4a235 831884c0 831884c0 831884c0 nt!KiSwapThread +0x36d 86590cf8 81c2055b 00000011 86590d30 00000001 nt! KeWaitForMultipleObjects+0x47d 86590d7c 81dafafd 00000000 8659b680 00000000 nt! MiMappedPageWriter+0x66 86590dc0 81c9a2c6 81c204f5 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83187020 Cid 0004.0068 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8658cd20 SynchronizationTimer 81d089d0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 626 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!KeBalanceSetManager (0x81c6caf4) Stack Init 8658d000 Current 8658cc18 Base 8658d000 Limit 8658a000 Call 0 Priority 16 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8658cc30 81c699de 831870a8 83187020 00000002 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8658cc6c 81c4a235 83187020 00000001 00000000 nt!KiSwapThread +0x36d 8658ccb8 81c6cbc0 00000002 8658ccf8 00000001 nt! KeWaitForMultipleObjects+0x47d 8658cd7c 81dafafd 00000000 86587680 00000000 nt! KeBalanceSetManager+0xcc 8658cdc0 81c9a2c6 81c6caf4 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83187d78 Cid 0004.006c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 81d1f7f0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40323 Ticks: 66 (0:00:00:01.031) Context Switch Count 155 UserTime 00:00:00.000 KernelTime 00:00:00.031 Win32 Start Address nt!KeSwapProcessOrStack (0x81c7142d) Stack Init 86589000 Current 86588ca8 Base 86589000 Limit 86586000 Call 0 Priority 23 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86588cc0 81c699de 83187e00 83187d78 83187e30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86588cfc 81c67434 83187d78 00000000 83187d78 nt!KiSwapThread +0x36d 86588d5c 81c71460 81d1f7f0 00000000 00000000 nt! KeWaitForSingleObject+0x414 86588d7c 81dafafd 00000000 86583680 00000000 nt! KeSwapProcessOrStack+0x33 86588dc0 81c9a2c6 81c7142d 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83187898 Cid 0004.0070 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable 81d26c70 SynchronizationEvent 81d26c60 SynchronizationEvent 81d26c50 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 39362 Ticks: 1027 (0:00:00:16.046) Context Switch Count 118 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!CcQueueLazyWriteScanThread (0x81c2ff31) Stack Init 86465000 Current 86464c90 Base 86465000 Limit 86462000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86464ca8 81c699de 83187920 83187898 00000003 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86464ce4 81c4a235 83187898 00000001 00000000 nt!KiSwapThread +0x36d 86464d30 81c2ff73 00000003 86464d6c 00000001 nt! KeWaitForMultipleObjects+0x47d 86464d7c 81dafafd 00000000 8646f680 00000000 nt! CcQueueLazyWriteScanThread+0x42 86464dc0 81c9a2c6 81c2ff31 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8317c668 Cid 0004.0074 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 81d25c40 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 96 Ticks: 40293 (0:00:10:29.578) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!FsRtlWorkerThread (0x81c0148b) Stack Init 86461000 Current 86460cb0 Base 86461000 Limit 8645e000 Call 0 Priority 16 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86460cc8 81c699de 8317c668 86600120 8317c6f0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86460d04 81c617d5 8317c668 81f9b104 00000000 nt!KiSwapThread +0x36d 86460d50 81c014cc 81d25c40 00000000 00000000 nt!KeRemoveQueueEx +0x568 86460d7c 81dafafd 81d25c40 8646b680 00000000 nt! FsRtlWorkerThread+0x41 86460dc0 81c9a2c6 81c0148b 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8317c3c0 Cid 0004.0078 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 81d25c68 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 81 Ticks: 40308 (0:00:10:29.812) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!FsRtlWorkerThread (0x81c0148b) Stack Init 8645d000 Current 8645ccb0 Base 8645d000 Limit 8645a000 Call 0 Priority 17 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8645ccc8 81c699de 8317c3c0 81cec820 8317c448 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8645cd04 81c617d5 8317c3c0 81f9b104 00000028 nt!KiSwapThread +0x36d 8645cd50 81c014cc 81d25c68 00000000 00000000 nt!KeRemoveQueueEx +0x568 8645cd7c 81dafafd 81d25c68 86457680 00000000 nt! FsRtlWorkerThread+0x41 8645cdc0 81c9a2c6 81c0148b 00000001 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83134d78 Cid 0004.0080 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 83134164 SynchronizationEvent 83134e00 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 640 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86455000 Current 86454c78 Base 86455000 Limit 86452000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86454c90 81c699de 83134e00 83134d78 83134e30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86454ccc 81c67434 83134d78 00000000 83134008 nt!KiSwapThread +0x36d 86454d2c 81ddbda9 83134164 00000000 00000000 nt! KeWaitForSingleObject+0x414 86454d7c 81dafafd 83134008 8645f680 00000000 nt!EtwpLogger +0xc7 86454dc0 81c9a2c6 81ddbce2 83134008 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 831347d0 Cid 0004.0084 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 83134be4 SynchronizationEvent 83134858 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 637 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86451000 Current 86450c78 Base 86451000 Limit 8644e000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86450c90 81c699de 83134858 831347d0 83134888 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86450ccc 81c67434 831347d0 00000000 83134a88 nt!KiSwapThread +0x36d 86450d2c 81ddbda9 83134be4 00000000 00000000 nt! KeWaitForSingleObject+0x414 86450d7c 81dafafd 83134a88 8645b680 00000000 nt!EtwpLogger +0xc7 86450dc0 81c9a2c6 81ddbce2 83134a88 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8315ad78 Cid 0004.0088 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8315a164 SynchronizationEvent 8315ae00 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 634 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 8644d000 Current 8644cc78 Base 8644d000 Limit 8644a000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8644cc90 81c699de 8315ae00 8315ad78 8315ae30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8644cccc 81c67434 8315ad78 00000000 8315a008 nt!KiSwapThread +0x36d 8644cd2c 81ddbda9 8315a164 00000000 00000000 nt! KeWaitForSingleObject+0x414 8644cd7c 81dafafd 8315a008 86447680 00000000 nt!EtwpLogger +0xc7 8644cdc0 81c9a2c6 81ddbce2 8315a008 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 8315a7d0 Cid 0004.008c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8315abe4 SynchronizationEvent 8315a858 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 633 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86449000 Current 86448c78 Base 86449000 Limit 86446000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86448c90 81c699de 8315a858 8315a7d0 8315a888 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86448ccc 81c67434 8315a7d0 00000000 8315aa88 nt!KiSwapThread +0x36d 86448d2c 81ddbda9 8315abe4 00000000 00000000 nt! KeWaitForSingleObject+0x414 86448d7c 81dafafd 8315aa88 86443680 00000000 nt!EtwpLogger +0xc7 86448dc0 81c9a2c6 81ddbce2 8315aa88 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 835ff398 Cid 0004.0090 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 835ff7a4 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 97 Ticks: 40292 (0:00:10:29.562) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86445000 Current 86444c78 Base 86445000 Limit 86442000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86444c90 81c699de 835ff420 835ff398 835ff450 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86444ccc 81c67434 835ff398 00000000 835ff648 nt!KiSwapThread +0x36d 86444d2c 81ddbd48 835ff7a4 00000000 00000000 nt! KeWaitForSingleObject+0x414 86444d7c 81dafafd 835ff648 8644f680 00000000 nt!EtwpLogger +0x66 86444dc0 81c9a2c6 81ddbce2 835ff648 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83604d78 Cid 0004.0094 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 83604164 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 97 Ticks: 40292 (0:00:10:29.562) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86441000 Current 86440c78 Base 86441000 Limit 8643e000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86440c90 81c699de 83604e00 83604d78 83604e30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86440ccc 81c67434 83604d78 00000000 83604008 nt!KiSwapThread +0x36d 86440d2c 81ddbd48 83604164 00000000 00000000 nt! KeWaitForSingleObject+0x414 86440d7c 81dafafd 83604008 8644b680 00000000 nt!EtwpLogger +0x66 86440dc0 81c9a2c6 81ddbce2 83604008 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83604670 Cid 0004.0098 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 83604a64 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 97 Ticks: 40292 (0:00:10:29.562) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 8643d000 Current 8643cc78 Base 8643d000 Limit 8643a000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8643cc90 81c699de 836046f8 83604670 83604728 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8643cccc 81c67434 83604670 00000000 83604908 nt!KiSwapThread +0x36d 8643cd2c 81ddbd48 83604a64 00000000 00000000 nt! KeWaitForSingleObject+0x414 8643cd7c 81dafafd 83604908 86437680 00000000 nt!EtwpLogger +0x66 8643cdc0 81c9a2c6 81ddbce2 83604908 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83685d78 Cid 0004.009c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 83685164 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 2588 Ticks: 37801 (0:00:09:50.640) Context Switch Count 8 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86439000 Current 86438c78 Base 86439000 Limit 86436000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86438c90 81c699de 83685e00 83685d78 83685e30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86438ccc 81c67434 83685d78 00000000 83685008 nt!KiSwapThread +0x36d 86438d2c 81ddbda9 83685164 00000000 00000000 nt! KeWaitForSingleObject+0x414 86438d7c 81dafafd 83685008 86433680 00000000 nt!EtwpLogger +0xc7 86438dc0 81c9a2c6 81ddbce2 83685008 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83685510 Cid 0004.00a0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 83685924 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1251 Ticks: 39138 (0:00:10:11.531) Context Switch Count 10 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86435000 Current 86434c78 Base 86435000 Limit 86432000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86434c90 81c699de 83685598 83685510 836855c8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86434ccc 81c67434 83685510 00000000 836857c8 nt!KiSwapThread +0x36d 86434d2c 81ddbda9 83685924 00000000 00000000 nt! KeWaitForSingleObject+0x414 86434d7c 81dafafd 836857c8 8643f680 00000000 nt!EtwpLogger +0xc7 86434dc0 81c9a2c6 81ddbce2 836857c8 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83e9a278 Cid 0004.00a4 Teb: 00000000 Win32Thread: 00000000 WAIT: (DelayExecution) KernelMode Non-Alertable 83e9a300 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 38656 Ticks: 1733 (0:00:00:27.078) Context Switch Count 15 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!WdipSemCheckTimeout (0x81d9bc2d) Stack Init 86431000 Current 86430c40 Base 86431000 Limit 8642e000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86430c58 81c699de 83e9a300 83e9a278 86600120 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86430c94 81c62b20 83e9a278 81cfb724 81cfb724 nt!KiSwapThread +0x36d 86430cf4 81d9be53 00000000 00000000 86430d30 nt! KeDelayExecutionThread+0x397 86430d7c 81dafafd 00000000 8643b680 00000000 nt! WdipSemCheckTimeout+0x226 86430dc0 81c9a2c6 81d9bc2d 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83e9e7f8 Cid 0004.00a8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 80496600 NotificationEvent 804965f0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1820 Ticks: 38569 (0:00:10:02.640) Context Switch Count 872 UserTime 00:00:00.000 KernelTime 00:00:00.062 Win32 Start Address acpi!ACPIWorkerThread (0x8048306e) Stack Init 86427000 Current 86426c98 Base 86427000 Limit 86424000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86426cb0 81c699de 83e9e880 83e9e7f8 00000002 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86426cec 81c4a235 83e9e7f8 804965e8 00000000 nt!KiSwapThread +0x36d 86426d3c 804830b5 00000002 86426d70 00000001 nt! KeWaitForMultipleObjects+0x47d 86426d7c 81dafafd 00000000 8642d680 00000000 acpi! ACPIWorkerThread+0x47 (FPO: [Non-Fpo]) 86426dc0 81c9a2c6 8048306e 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 831328f0 Cid 0004.00ac Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 83133e64 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 38658 Ticks: 1731 (0:00:00:27.046) Context Switch Count 32 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address nt!EtwpLogger (0x81ddbce2) Stack Init 86459000 Current 86458c78 Base 86459000 Limit 86456000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86458c90 81c699de 83132978 831328f0 831329a8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86458ccc 81c67434 831328f0 00000000 83133d08 nt!KiSwapThread +0x36d 86458d2c 81ddbda9 83133e64 00000000 00000000 nt! KeWaitForSingleObject+0x414 86458d7c 81dafafd 83133d08 86453680 00000000 nt!EtwpLogger +0xc7 86458dc0 81c9a2c6 81ddbce2 83133d08 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83189618 Cid 0004.00b0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8318c6bc SynchronizationEvent 8318c6ac SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 114 Ticks: 40275 (0:00:10:29.296) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address acpi! PciRootBusBiosMethodDispatcherOnResume (0x8047d9fc) Stack Init 8641a000 Current 86419ca0 Base 8641a000 Limit 86417000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86419cb8 81c699de 831896a0 83189618 00000002 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86419cf4 81c4a235 83189618 8318c618 00000000 nt!KiSwapThread +0x36d 86419d44 8047da2c 00000002 86419d74 00000001 nt! KeWaitForMultipleObjects+0x47d 86419d7c 81dafafd 8318c618 86412680 00000000 acpi! PciRootBusBiosMethodDispatcherOnResume+0x30 (FPO: [Non-Fpo]) 86419dc0 81c9a2c6 8047d9fc 8318c618 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83f07020 Cid 0004.00b4 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 86259da8 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 1251 Ticks: 39138 (0:00:10:11.531) Context Switch Count 9 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ndis!ndisWorkerThread (0x862fd690) Stack Init 86404000 Current 86403ca0 Base 86404000 Limit 86401000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86403cb8 81c699de 83f07020 86600120 83f070a8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86403cf4 81c617d5 83f07020 846ad0ac 86259000 nt!KiSwapThread +0x36d 86403d40 81c9568a 86259da8 00000000 00000000 nt!KeRemoveQueueEx +0x568 86403d60 862fd6ce 86259da8 00000000 00000000 nt!KeRemoveQueue +0x1b 86403d7c 81dafafd 8000013c 86408680 00000000 ndis! ndisWorkerThread+0x3e (FPO: [Non-Fpo]) 86403dc0 81c9a2c6 862fd690 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83edf7b0 Cid 0004.00b8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 8625a530 NotificationEvent 83edf838 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 38656 Ticks: 1733 (0:00:00:27.078) Context Switch Count 21 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ndis!ndisCmWaitThread (0x86225aa0) Stack Init 86646000 Current 86645c98 Base 86646000 Limit 86643000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 86645cb0 81c699de 83edf838 83edf7b0 83edf868 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 86645cec 81c67434 83edf7b0 00000102 81c6701e nt!KiSwapThread +0x36d 86645d4c 86225afb 8625a530 00000000 00000000 nt! KeWaitForSingleObject+0x414 86645d7c 81dafafd 00000000 8664e680 00000000 ndis! ndisCmWaitThread+0x5b (FPO: [Non-Fpo]) 86645dc0 81c9a2c6 86225aa0 00000000 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83edf508 Cid 0004.00bc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 867de41c NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 219 Ticks: 40170 (0:00:10:27.656) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ecache!EcCacheIoWorker (0x867d86fa) Stack Init 87800000 Current 877ffbe0 Base 87800000 Limit 877fd000 Call 0 Priority 12 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 877ffbf8 81c699de 83edf590 83edf508 83edf5c0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 877ffc34 81c67434 83edf508 00000000 00000000 nt!KiSwapThread +0x36d 877ffc90 867d873b 867de41c 00000000 00000000 nt! KeWaitForSingleObject+0x414 877ffd7c 81dafafd 867de360 877f4680 00000000 ecache! EcCacheIoWorker+0x41 (FPO: [Non-Fpo]) 877ffdc0 81c9a2c6 867d86fa 867de360 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83edf260 Cid 0004.00c0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 867de480 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 221 Ticks: 40168 (0:00:10:27.625) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ecache!EcCacheIoWatchdog (0x867d708c) Stack Init 877fc000 Current 877fbc50 Base 877fc000 Limit 877f9000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 877fbc68 81c699de 83edf2e8 83edf260 83edf318 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 877fbca4 81c67434 83edf260 00000000 867de480 nt!KiSwapThread +0x36d 877fbd04 867d7459 867de480 00000000 00000000 nt! KeWaitForSingleObject+0x414 877fbd7c 81dafafd 867de360 877f0680 00000000 ecache! EcCacheIoWatchdog+0x3cd (FPO: [Non-Fpo]) 877fbdc0 81c9a2c6 867d708c 867de360 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 83fc3318 Cid 0004.00c4 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 860f5698 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 39618 Ticks: 771 (0:00:00:12.046) Context Switch Count 82 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address Ntfs!TxfPrivateThreadWorkerRoutine (0x860d31db) Stack Init 877e4000 Current 877e3ca8 Base 877e4000 Limit 877e1000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 877e3cc0 81c699de 83fc33a0 83fc3318 83fc33d0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 877e3cfc 81c67434 83fc3318 00000000 83f2bb18 nt!KiSwapThread +0x36d 877e3d58 860d31fb 860f5698 00000000 00000000 nt! KeWaitForSingleObject+0x414 877e3d7c 81dafafd 860f5620 877e8680 00000000 Ntfs! TxfPrivateThreadWorkerRoutine+0x20 (FPO: [Non-Fpo]) 877e3dc0 81c9a2c6 860d31db 860f5620 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 84045880 Cid 0004.00cc Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 875f90a0 SynchronizationTimer Not impersonating DeviceMap 87003058 Owning Process 8313bd90 Image: System Wait Start TickCount 427 Ticks: 39962 (0:00:10:24.406) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address dxgkrnl!DpiPdoPollingThread (0x87645ea5) Stack Init 8773f000 Current 8773ec90 Base 8773f000 Limit 8773c000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 IoPri
From: unicell on 19 Sep 2008 04:48 (process list continued) PROCESS 84311d90 SessionId: none Cid: 0174 Peb: 7ffd8000 ParentCid: 0004 DirBase: 5a5b4000 ObjectTable: 88dda090 HandleCount: 26. Image: smss.exe VadRoot 846b9a48 Vads 15 Clone 0 Private 50. Modified 3. Locked 0. DeviceMap 87003058 Token 88ddd6a0 ElapsedTime 1 Day 18:08:03.578 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 7288 QuotaPoolUsage[NonPagedPool] 720 Working Set Sizes (now,min,max) (172, 50, 345) (688KB, 200KB, 1380KB) PeakWorkingSetSize 172 VirtualSize 4 Mb PeakVirtualSize 14 Mb PageFaultCount 253 MemoryPriority BACKGROUND BasePriority 11 CommitCharge 71 THREAD 846bed78 Cid 0174.0178 Teb: 7ffdf000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 8479b980 ProcessObject 85175690 ProcessObject Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2011 Ticks: 38378 (0:00:09:59.656) Context Switch Count 269 UserTime 00:00:00.000 KernelTime 00:00:00.187 Loading symbols for 47760000 smss.exe -> smss.exe Win32 Start Address smss!NtProcessStartupW (0x4776d757) Stack Init 8a658000 Current 8a6578d0 Base 8a658000 Limit 8a655000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll ChildEBP RetAddr Args to Child 8a6578e8 81c699de 846bee00 846bed78 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a657924 81c4a235 846bed78 00000000 00000002 nt!KiSwapThread +0x36d 8a657970 81de2ca7 00000002 8a657aa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a657bfc 81de2a16 00000002 00000001 00000000 nt! ObpWaitForMultipleObjects+0x256 8a657d48 81c461ca 00000002 4776f47c 00000001 nt! NtWaitForMultipleObjects+0xcc 8a657d48 77620f34 00000002 4776f47c 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a657d64) 002efd64 77620690 4776b583 00000002 4776f47c ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 002efd68 4776b583 00000002 4776f47c 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 002efe00 4776d73d 00000000 003c1a60 003c1a68 smss!wmain+0x211 (FPO: [Non-Fpo]) 002efe44 775d6329 7ffd8000 002ed879 00000000 smss! NtProcessStartupW_AfterSecurityCookieInitialized+0x1fe (FPO: [Non- Fpo]) 002efe84 00000000 4776d757 7ffd8000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 83fdb280 Cid 0174.01a8 Teb: 7ffde000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 83fdb494 Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2036 Ticks: 38353 (0:00:09:59.265) Context Switch Count 8 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address smss!SmpCreateInitialSession (0x4776b2a2) Stack Init 8a644000 Current 8a643b78 Base 8a644000 Limit 8a641000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a643b90 81c699de 83fdb308 83fdb280 83fdb338 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a643bcc 81c67434 83fdb280 84314f08 83fdb280 nt!KiSwapThread +0x36d 8a643c2c 81de127c 83fdb494 00000010 8c26b701 nt! KeWaitForSingleObject+0x414 8a643c64 81de5bc0 8c26b701 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a643ce0 81de5930 84314f08 00010000 001ef838 nt! AlpcpReceiveMessage+0x163 8a643d3c 81c461ca 0000002c 00010000 001ef838 nt! NtAlpcSendWaitReceivePort+0x11c 8a643d3c 77620f34 0000002c 00010000 001ef838 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a643d64) 001ef7bc 7761f2c0 47769f99 0000002c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 001ef7c0 47769f99 0000002c 00010000 001ef838 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 001ef984 4776b365 00000000 001ec35c 00000000 smss!SmpApiLoop +0x103 (FPO: [Non-Fpo]) 001efb04 775d6329 00000000 001eddb9 00000000 smss! SmpCreateInitialSession+0xc3 (FPO: [Non-Fpo]) 001efb44 00000000 4776b2a2 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 83fde968 Cid 0174.01b4 Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 83fdeb7c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2027 Ticks: 38362 (0:00:09:59.406) Context Switch Count 5 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address smss!SmpApiLoop (0x47769e96) Stack Init 8a540000 Current 8a53fb78 Base 8a540000 Limit 8a53d000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a53fb90 81c699de 83fde9f0 83fde968 83fdea20 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a53fbcc 81c67434 83fde968 84314f08 83fde968 nt!KiSwapThread +0x36d 8a53fc2c 81de127c 83fdeb7c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a53fc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a53fce0 81de5930 84314f08 00010000 0034fa38 nt! AlpcpReceiveMessage+0x163 8a53fd3c 81c461ca 0000002c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a53fd3c 77620f34 0000002c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a53fd64) 0034f9bc 7761f2c0 47769f99 0000002c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0034f9c0 47769f99 0000002c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 0034fb84 775d6329 00000000 0034dd39 00000000 smss!SmpApiLoop +0x103 (FPO: [Non-Fpo]) 0034fbc4 00000000 47769e96 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85170588 Cid 0174.01d8 Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 8517079c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2036 Ticks: 38353 (0:00:09:59.265) Context Switch Count 6 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address smss!SmpCreateInitialSession (0x4776b2a2) Stack Init 8a4f0000 Current 8a4efb78 Base 8a4f0000 Limit 8a4ed000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a4efb90 81c699de 85170610 85170588 85170640 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4efbcc 81c67434 85170588 84314f08 85170588 nt!KiSwapThread +0x36d 8a4efc2c 81de127c 8517079c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a4efc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a4efce0 81de5930 84314f08 00010000 0038fcb8 nt! AlpcpReceiveMessage+0x163 8a4efd3c 81c461ca 0000002c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a4efd3c 77620f34 0000002c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4efd64) 0038fc3c 7761f2c0 47769f99 0000002c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0038fc40 47769f99 0000002c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 0038fe04 4776b365 00000000 0038c7dc 00000000 smss!SmpApiLoop +0x103 (FPO: [Non-Fpo]) 0038ff84 775d6329 00000000 0038d939 00000000 smss! SmpCreateInitialSession+0xc3 (FPO: [Non-Fpo]) 0038ffc4 00000000 4776b2a2 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) PROCESS 8479b980 SessionId: 0 Cid: 01b8 Peb: 7ffd9000 ParentCid: 01ac DirBase: 56383000 ObjectTable: 8c15dcb8 HandleCount: 109. Image: csrss.exe VadRoot 851a1800 Vads 74 Clone 0 Private 214. Modified 36. Locked 0. DeviceMap 87003058 Token 8c15ddb0 ElapsedTime 1 Day 18:07:56.843 UserTime 00:00:00.000 KernelTime 00:00:00.578 QuotaPoolUsage[PagedPool] 92872 QuotaPoolUsage[NonPagedPool] 3624 Working Set Sizes (now,min,max) (1164, 50, 345) (4656KB, 200KB, 1380KB) PeakWorkingSetSize 1170 VirtualSize 83 Mb PeakVirtualSize 105 Mb PageFaultCount 2959 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 332 THREAD 8516e7c8 Cid 01b8.01c8 Teb: 7ffde000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 8516e3c0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 1980 Ticks: 38409 (0:00:10:00.140) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75d50000 winsrv.dll -> winsrv.dll Win32 Start Address winsrv!TerminalServerRequestThread (0x75d5fc43) Stack Init 8a654000 Current 8a653c38 Base 8a654000 Limit 8a651000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll ChildEBP RetAddr Args to Child 8a653c50 81c699de 8516e850 8516e7c8 8516e880 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a653c8c 81c67434 8516e7c8 00000000 8516e3c0 nt!KiSwapThread +0x36d 8a653ce8 81ddee8a 8516e3c0 00000006 8a653d01 nt! KeWaitForSingleObject+0x414 8a653d50 81c461ca 0000006c 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a653d50 77620f34 0000006c 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a653d64) 0085fa10 776206a0 75d5fc98 0000006c 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0085fa14 75d5fc98 0000006c 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 0085fb64 775d6329 00000000 0085fb1e 00000000 winsrv! TerminalServerRequestThread+0x55 (FPO: [Non-Fpo]) 0085fba4 00000000 75d5fc43 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 8516e4a0 Cid 01b8.01cc Teb: 7ffdd000 Win32Thread: ffa0b0b8 WAIT: (UserRequest) UserMode Alertable 847a3ee0 SynchronizationEvent 83fd6920 SynchronizationEvent 83fd68f0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 38172 Ticks: 2217 (0:00:00:34.640) Context Switch Count 6 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!NotificationThread (0x75d5b56b) Stack Init 8a53c000 Current 8a53b8d0 Base 8a53c000 Limit 8a539000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a53b8e8 81c699de 8516e528 8516e4a0 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a53b924 81c4a235 8516e4a0 00000000 00000003 nt!KiSwapThread +0x36d 8a53b970 81de2ca7 00000003 8a53baa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a53bbfc 81de2a16 00000003 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a53bd48 81c461ca 00000003 00cdfcc4 00000001 nt! NtWaitForMultipleObjects+0xcc 8a53bd48 77620f34 00000003 00cdfcc4 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a53bd64) 00cdfc78 77620690 75d5b6ae 00000003 00cdfcc4 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00cdfc7c 75d5b6ae 00000003 00cdfcc4 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 00cdfee4 775d6329 00000000 00cdff9e 00000000 winsrv! NotificationThread+0x149 (FPO: [Non-Fpo]) 00cdff24 00000000 75d5b56b 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85170d78 Cid 01b8.01d0 Teb: 7ffdc000 Win32Thread: ff811878 WAIT: (WrLpcReceive) UserMode Non-Alertable 85170f8c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 38656 Ticks: 1733 (0:00:00:27.078) Context Switch Count 131 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75dd0000 CSRSRV.dll -> CSRSRV.dll Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a538000 Current 8a537b78 Base 8a538000 Limit 8a535000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a537b90 81c699de 85170e00 85170d78 85170e30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a537bcc 81c67434 85170d78 851656c8 85170d78 nt!KiSwapThread +0x36d 8a537c2c 81de127c 85170f8c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a537c64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a537ce0 81de5930 851656c8 00010000 008bfab0 nt! AlpcpReceiveMessage+0x163 8a537d3c 81c461ca 0000007c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a537d3c 77620f34 0000007c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a537d64) 008bfa74 7761f2c0 75dd5720 0000007c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 008bfa78 75dd5720 0000007c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 008bfc04 775d6329 00000080 008bfcfe 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 008bfc44 00000000 75dd563d 00000080 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 8516f228 Cid 01b8.01d4 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 8516f43c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2011 Ticks: 38378 (0:00:09:59.656) Context Switch Count 3 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrSbApiRequestThread (0x75dd4530) Stack Init 8a530000 Current 8a52fb70 Base 8a530000 Limit 8a52d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a52fb88 81c699de 8516f2b0 8516f228 8516f2e0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a52fbc4 81c67434 8516f228 8516e030 8516f228 nt!KiSwapThread +0x36d 8a52fc24 81de127c 8516f43c 00000010 8c15dc01 nt! KeWaitForSingleObject+0x414 8a52fc5c 81de19df 8c15dc01 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a52fcc4 81de17d6 8516e030 0016fb08 00000000 nt! AlpcpReceiveLegacyMessage+0x197 8a52fd30 81de1834 00000080 0016fc20 0016fb08 nt! NtReplyWaitReceivePortEx+0x100 8a52fd4c 81c461ca 00000080 0016fc20 0016fb08 nt! NtReplyWaitReceivePort+0x18 8a52fd4c 77620f34 00000080 0016fc20 0016fb08 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a52fd64) 0016fae0 77620140 75dd4578 00000080 0016fc20 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0016fae4 75dd4578 00000080 0016fc20 0016fb08 ntdll! ZwReplyWaitReceivePort+0xc (FPO: [4,0,0]) 0016fc24 775d6329 00000000 0016fcde 00000000 CSRSRV! CsrSbApiRequestThread+0x48 (FPO: [Non-Fpo]) 0016fc64 00000000 75dd4530 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851752b8 Cid 01b8.01f4 Teb: 7ffdf000 Win32Thread: ffa4ec10 WAIT: (WrLpcReceive) UserMode Non-Alertable 851754cc Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 37250 Ticks: 3139 (0:00:00:49.046) Context Switch Count 55 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a550000 Current 8a54fb78 Base 8a550000 Limit 8a54d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a54fb90 81c699de 85175340 851752b8 85175370 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a54fbcc 81c67434 851752b8 851656c8 851752b8 nt!KiSwapThread +0x36d 8a54fc2c 81de127c 851754cc 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a54fc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a54fce0 81de5930 851656c8 00010000 001bf8d0 nt! AlpcpReceiveMessage+0x163 8a54fd3c 81c461ca 0000007c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a54fd3c 77620f34 0000007c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a54fd64) 001bf894 7761f2c0 75dd5720 0000007c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 001bf898 75dd5720 0000007c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 001bfa24 775d6329 00000000 001bfade 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 001bfa64 00000000 75dd563d 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a1850 Cid 01b8.0238 Teb: 7ffda000 Win32Thread: ff8c9a00 WAIT: (WrUserRequest) KernelMode Alertable 851a1708 SynchronizationEvent 8519ec80 NotificationTimer 8519ec50 SynchronizationTimer 81d01780 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 7252 Ticks: 33137 (0:00:08:37.765) Context Switch Count 15 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a548000 Current 8a547c38 Base 8a548000 Limit 8a545000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a547c50 81c699de 851a18d8 851a1850 00000004 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a547c8c 81c4a235 851a1850 00000001 81c4415c nt!KiSwapThread +0x36d 8a547cd8 8f60861a 00000004 851a16a0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a547d34 8f605145 00000001 00000002 8a4fb478 win32k! RawInputThread+0x474 (FPO: [Non-Fpo]) 8a547d48 8f6d8d19 00000004 00f6fb64 8a547d64 win32k! xxxCreateSystemThreads+0x4a (FPO: [Non-Fpo]) 8a547d58 81c461ca 00000004 00f6fba4 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a547d58 77620f34 00000004 00f6fba4 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a547d64) 00f6fb54 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00f6fb58 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 00f6fb64 775d6329 00000000 00f6fb1e 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 00f6fba4 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a1030 Cid 01b8.023c Teb: 7ffd8000 Win32Thread: ff8c9428 WAIT: (WrUserRequest) UserMode Non-Alertable 851a0540 SynchronizationEvent 8519f3b0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2111 Ticks: 38278 (0:00:09:58.093) Context Switch Count 19 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a52c000 Current 8a52bbf8 Base 8a52c000 Limit 8a529000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a52bc10 81c699de 851a10b8 851a1030 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a52bc4c 81c4a235 851a1030 81c49db1 ff8c9428 nt!KiSwapThread +0x36d 8a52bc9c 8f6b093b 00000002 8423d2b0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a52bcf4 8f616737 00000001 8423d2b0 8f613e24 win32k! xxxMsgWaitForMultipleObjects+0xcb (FPO: [Non-Fpo]) 8a52bd34 8f60514f 8423d2b0 00000001 8f7dff40 win32k! xxxDesktopThread+0x18f (FPO: [Non-Fpo]) 8a52bd48 8f6d8d19 00000004 007ff7c4 8a52bd64 win32k! xxxCreateSystemThreads+0x54 (FPO: [Non-Fpo]) 8a52bd58 81c461ca 00000004 007ff804 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a52bd58 77620f34 00000004 007ff804 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a52bd64) 007ff7b4 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 007ff7b8 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 007ff7c4 775d6329 00000000 007ff8be 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 007ff804 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851b1ca8 Cid 01b8.0264 Teb: 7ffd7000 Win32Thread: ffa07188 WAIT: (WrLpcReceive) UserMode Non-Alertable 851b1ebc Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 37250 Ticks: 3139 (0:00:00:49.046) Context Switch Count 42 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a64c000 Current 8a64bb78 Base 8a64c000 Limit 8a649000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a64bb90 81c699de 851b1d30 851b1ca8 851b1d60 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a64bbcc 81c67434 851b1ca8 851656c8 851b1ca8 nt!KiSwapThread +0x36d 8a64bc2c 81de127c 851b1ebc 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a64bc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a64bce0 81de5930 851656c8 00010000 00d9f750 nt! AlpcpReceiveMessage+0x163 8a64bd3c 81c461ca 0000007c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a64bd3c 77620f34 0000007c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a64bd64) 00d9f714 7761f2c0 75dd5720 0000007c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00d9f718 75dd5720 0000007c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 00d9f8a4 775d6329 00000000 00d9f85e 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 00d9f8e4 00000000 75dd563d 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851b19a8 Cid 01b8.0268 Teb: 7ffd6000 Win32Thread: ffa176a0 WAIT: (WrUserRequest) UserMode Non-Alertable 851b03f8 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2192 Ticks: 38197 (0:00:09:56.828) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a650000 Current 8a64fbf8 Base 8a650000 Limit 8a64d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a64fc10 81c699de 851b1a30 851b19a8 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a64fc4c 81c4a235 851b19a8 81c49db1 ffa176a0 nt!KiSwapThread +0x36d 8a64fc9c 8f6b093b 00000001 842412b0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a64fcf4 8f616737 00000000 842412b0 00000000 win32k! xxxMsgWaitForMultipleObjects+0xcb (FPO: [Non-Fpo]) 8a64fd34 8f60514f 842412b0 00000001 8f7dff20 win32k! xxxDesktopThread+0x18f (FPO: [Non-Fpo]) 8a64fd48 8f6d8d19 00000004 04c3f824 8a64fd64 win32k! xxxCreateSystemThreads+0x54 (FPO: [Non-Fpo]) 8a64fd58 81c461ca 00000004 04c3f864 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a64fd58 77620f34 00000004 04c3f864 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a64fd64) 04c3f814 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 04c3f818 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 04c3f824 775d6329 00000000 04c3f8de 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 04c3f864 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851b1498 Cid 01b8.026c Teb: 7ffd5000 Win32Thread: ffa90d58 WAIT: (WrUserRequest) UserMode Non-Alertable 851b13e8 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2227 Ticks: 38162 (0:00:09:56.281) Context Switch Count 6 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!ConsoleInputThread (0x75d52f42) Stack Init 8a534000 Current 8a533b68 Base 8a534000 Limit 8a531000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 76ac0000 USER32.dll -> USER32.dll ChildEBP RetAddr Args to Child 8a533b80 81c699de 851b1520 851b1498 851b1550 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a533bbc 81c67434 851b1498 00000000 ffa90d58 nt!KiSwapThread +0x36d 8a533c18 8f6db8ed 851b13e8 0000000d 00000001 nt! KeWaitForSingleObject+0x414 8a533c74 8f6db724 000025ff 00000000 00000001 win32k! xxxRealSleepThread+0x1ad (FPO: [Non-Fpo]) 8a533c90 8f6d9976 000025ff 00000000 00000001 win32k! xxxSleepThread+0x2d (FPO: [Non-Fpo]) 8a533ce8 8f6dd983 8a533d18 000025ff 00000000 win32k! xxxRealInternalGetMessage+0x4a4 (FPO: [Non-Fpo]) 8a533d4c 81c461ca 04cffc3c 00000000 00000000 win32k! NtUserGetMessage+0x3f (FPO: [Non-Fpo]) 8a533d4c 77620f34 04cffc3c 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a533d64) 04cffbf8 76ae199a 76ae19cd 04cffc3c 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 04cffbfc 76ae19cd 04cffc3c 00000000 00000000 USER32! NtUserGetMessage+0xc (FPO: [Non-Fpo]) 04cffc18 75d5306e 04cffc3c 00000000 00000000 USER32!GetMessageW +0x33 (FPO: [Non-Fpo]) 04cffc84 775d6329 00000000 04cffc7e 00000000 winsrv! ConsoleInputThread+0x21c (FPO: [Non-Fpo]) 04cffcc4 00000000 75d52f42 008bf9c0 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) PROCESS 85174d90 SessionId: 1 Cid: 01e4 Peb: 7ffdd000 ParentCid: 01dc DirBase: 4d1a3000 ObjectTable: 8c273790 HandleCount: 58. Image: csrss.exe VadRoot 8519ef90 Vads 61 Clone 0 Private 587. Modified 43. Locked 469. DeviceMap 87003058 Token 8c2732d0 ElapsedTime 1 Day 18:07:52.656 UserTime 00:00:00.015 KernelTime 00:00:00.390 QuotaPoolUsage[PagedPool] 91744 QuotaPoolUsage[NonPagedPool] 4880 Working Set Sizes (now,min,max) (1474, 50, 345) (5896KB, 200KB, 1380KB) PeakWorkingSetSize 2673 VirtualSize 87 Mb PeakVirtualSize 87 Mb PageFaultCount 5979 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 1886 THREAD 85177588 Cid 01e4.01f8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 847a2618 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 2126 Ticks: 38263 (0:00:09:57.859) Context Switch Count 46 UserTime 00:00:00.000 KernelTime 00:00:00.140 Win32 Start Address cdd!PresentWorkerThread (0x8f41309e) Stack Init 8a4f8000 Current 8a4f7c10 Base 8a4f8000 Limit 8a4f5000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Loading symbols for 775c0000 ntdll.dll -> ntdll.dll ChildEBP RetAddr Args to Child 8a4f7c28 81c699de 85177610 85177588 85177640 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4f7c64 81c67434 85177588 875cd100 00000000 nt!KiSwapThread +0x36d 8a4f7cc4 8f413470 847a2618 00000000 00000000 nt! KeWaitForSingleObject+0x414 8a4f7d7c 81dafafd ff866af0 8a4fc680 00000000 cdd! PresentWorkerThread+0x3d2 (FPO: [Non-Fpo]) 8a4f7dc0 81c9a2c6 8f41309e ff866af0 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 851795d0 Cid 01e4.01fc Teb: 7ffde000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 8516e3c0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 2027 Ticks: 38362 (0:00:09:59.406) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75d50000 winsrv.dll -> winsrv.dll Win32 Start Address winsrv!TerminalServerRequestThread (0x75d5fc43) Stack Init 8a500000 Current 8a4ffc38 Base 8a500000 Limit 8a4fd000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a4ffc50 81c699de 85179658 851795d0 85179688 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4ffc8c 81c67434 851795d0 00000000 8516e3c0 nt!KiSwapThread +0x36d 8a4ffce8 81ddee8a 8516e3c0 00000006 81c98501 nt! KeWaitForSingleObject+0x414 8a4ffd50 81c461ca 00000074 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a4ffd50 77620f34 00000074 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4ffd64) 0076f6d0 776206a0 75d5fc98 00000074 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0076f6d4 75d5fc98 00000074 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 0076f824 775d6329 00000000 0076e973 00000000 winsrv! TerminalServerRequestThread+0x55 (FPO: [Non-Fpo]) 0076f864 00000000 75d5fc43 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85179318 Cid 01e4.0200 Teb: 7ffdc000 Win32Thread: ffb43d80 WAIT: (UserRequest) UserMode Alertable 85173d68 SynchronizationEvent 85173f88 SynchronizationEvent 85173d98 SynchronizationEvent 83fe1920 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 38172 Ticks: 2217 (0:00:00:34.640) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!NotificationThread (0x75d5b56b) Stack Init 8a504000 Current 8a5038d0 Base 8a504000 Limit 8a501000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a5038e8 81c699de 851793a0 85179318 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a503924 81c4a235 85179318 00000000 00000004 nt!KiSwapThread +0x36d 8a503970 81de2ca7 00000004 8a503aa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a503bfc 81de2a16 00000004 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a503d48 81c461ca 00000004 01b2f8c4 00000001 nt! NtWaitForMultipleObjects+0xcc 8a503d48 77620f34 00000004 01b2f8c4 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a503d64) 01b2f878 77620690 75d5b6ae 00000004 01b2f8c4 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01b2f87c 75d5b6ae 00000004 01b2f8c4 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 01b2fae4 775d6329 00000000 01b2ea33 00000000 winsrv! NotificationThread+0x149 (FPO: [Non-Fpo]) 01b2fb24 00000000 75d5b56b 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85183488 Cid 01e4.0204 Teb: 7ffdb000 Win32Thread: ff88b908 WAIT: (WrLpcReceive) UserMode Non-Alertable 8518369c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 38656 Ticks: 1733 (0:00:00:27.078) Context Switch Count 32 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75dd0000 CSRSRV.dll -> CSRSRV.dll Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a508000 Current 8a507b78 Base 8a508000 Limit 8a505000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a507b90 81c699de 85183510 85183488 85183540 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a507bcc 81c67434 85183488 85183740 85183488 nt!KiSwapThread +0x36d 8a507c2c 81de127c 8518369c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a507c64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a507ce0 81de5930 85183740 00010000 01c1faf0 nt! AlpcpReceiveMessage+0x163 8a507d3c 81c461ca 0000008c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a507d3c 77620f34 0000008c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a507d64) 01c1fab4 7761f2c0 75dd5720 0000008c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01c1fab8 75dd5720 0000008c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 01c1fc44 775d6329 00000090 01c1ed93 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 01c1fc84 00000000 75dd563d 00000090 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85184030 Cid 01e4.0208 Teb: 7ffda000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 85184244 Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 2036 Ticks: 38353 (0:00:09:59.265) Context Switch Count 3 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrSbApiRequestThread (0x75dd4530) Stack Init 8a50c000 Current 8a50bb70 Base 8a50c000 Limit 8a509000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a50bb88 81c699de 851840b8 85184030 851840e8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a50bbc4 81c67434 85184030 85183220 85184030 nt!KiSwapThread +0x36d 8a50bc24 81de127c 85184244 00000010 8c273701 nt! KeWaitForSingleObject+0x414 8a50bc5c 81de19df 8c273701 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a50bcc4 81de17d6 85183220 007bf988 00000000 nt! AlpcpReceiveLegacyMessage+0x197 8a50bd30 81de1834 00000090 007bfaa0 007bf988 nt! NtReplyWaitReceivePortEx+0x100 8a50bd4c 81c461ca 00000090 007bfaa0 007bf988 nt! NtReplyWaitReceivePort+0x18 8a50bd4c 77620f34 00000090 007bfaa0 007bf988 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a50bd64) 007bf960 77620140 75dd4578 00000090 007bfaa0 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 007bf964 75dd4578 00000090 007bfaa0 007bf988 ntdll! ZwReplyWaitReceivePort+0xc (FPO: [4,0,0]) 007bfaa4 775d6329 00000000 007bebf3 00000000 CSRSRV! CsrSbApiRequestThread+0x48 (FPO: [Non-Fpo]) 007bfae4 00000000 75dd4530 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85179ba0 Cid 01e4.0214 Teb: 7ffdf000 Win32Thread: ffa77c08 WAIT: (WrLpcReceive) UserMode Non-Alertable 85179db4 Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 37250 Ticks: 3139 (0:00:00:49.046) Context Switch Count 29 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a54c000 Current 8a54bb78 Base 8a54c000 Limit 8a549000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a54bb90 81c699de 85179c28 85179ba0 85179c58 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a54bbcc 81c67434 85179ba0 85183740 85179ba0 nt!KiSwapThread +0x36d 8a54bc2c 81de127c 85179db4 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a54bc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a54bce0 81de5930 85183740 00010000 01ccf9f0 nt! AlpcpReceiveMessage+0x163 8a54bd3c 81c461ca 0000008c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a54bd3c 77620f34 0000008c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a54bd64) 01ccf9b4 7761f2c0 75dd5720 0000008c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01ccf9b8 75dd5720 0000008c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 01ccfb44 775d6329 00000000 01ccea93 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 01ccfb84 00000000 75dd563d 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a1b50 Cid 01e4.0234 Teb: 7ffd9000 Win32Thread: ff88e8f0 WAIT: (WrUserRequest) KernelMode Alertable 851a17a0 SynchronizationEvent 851a0710 NotificationTimer 8519f7b0 SynchronizationTimer 8519f798 SynchronizationEvent IRP List: 83fe1088: (0006,01d8) Flags: 00060970 Mdl: 00000000 83fddd28: (0006,01d8) Flags: 00060970 Mdl: 00000000 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 641 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a558000 Current 8a557c38 Base 8a558000 Limit 8a555000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a557c50 81c699de 851a1bd8 851a1b50 00000004 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a557c8c 81c4a235 851a1b50 00000001 81c4415c nt!KiSwapThread +0x36d 8a557cd8 8f60861a 00000004 8519ec38 00000001 nt! KeWaitForMultipleObjects+0x47d 8a557d34 8f605145 00000001 00000002 8a4f3478 win32k! RawInputThread+0x474 (FPO: [Non-Fpo]) 8a557d48 8f6d8d19 00000004 01e4fea4 8a557d64 win32k! xxxCreateSystemThreads+0x4a (FPO: [Non-Fpo]) 8a557d58 81c461ca 00000004 01e4fee4 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a557d58 77620f34 00000004 01e4fee4 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a557d64) 01e4fe94 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01e4fe98 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 01e4fea4 775d6329 00000000 01e4eff3 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 01e4fee4 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a6030 Cid 01e4.0240 Teb: 7ffd8000 Win32Thread: ff8b4548 WAIT: (WrUserRequest) UserMode Non-Alertable 8519f758 SynchronizationEvent 851a43a8 SynchronizationEvent IRP List: 846d9660: (0006,01fc) Flags: 00060970 Mdl: 00000000 848465e8: (0006,01d8) Flags: 00060970 Mdl: 00000000 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 40133 Ticks: 256 (0:00:00:04.000) Context Switch Count 39 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a55c000 Current 8a55bbf8 Base 8a55c000 Limit 8a559000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a55bc10 81c699de 851a60b8 851a6030 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a55bc4c 81c4a235 851a6030 81c49db1 ff8b4548 nt!KiSwapThread +0x36d 8a55bc9c 8f6b093b 00000002 8423e2b0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a55bcf4 8f616737 00000001 8423e2b0 8f613e24 win32k! xxxMsgWaitForMultipleObjects+0xcb (FPO: [Non-Fpo]) 8a55bd34 8f60514f 8423e2b0 00000001 8f7dff40 win32k! xxxDesktopThread+0x18f (FPO: [Non-Fpo]) 8a55bd48 8f6d8d19 00000004 01ebff64 8a55bd64 win32k! xxxCreateSystemThreads+0x54 (FPO: [Non-Fpo]) 8a55bd58 81c461ca 00000004 01ebffa4 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a55bd58 77620f34 00000004 01ebffa4 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a55bd64) 01ebff54 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01ebff58 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 01ebff64 775d6329 00000000 01ebeeb3 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 01ebffa4 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) PROCESS 85175690 SessionId: 0 Cid: 01ec Peb: 7ffda000 ParentCid: 01ac DirBase: 4d988000 ObjectTable: 8c27fc30 HandleCount: 73. Image: wininit.exe VadRoot 85177df8 Vads 46 Clone 0 Private 226. Modified 9. Locked 0. DeviceMap 87003058 Token 8c27fdb0 ElapsedTime 1 Day 18:07:52.281 UserTime 00:00:00.000 KernelTime 00:00:00.093 QuotaPoolUsage[PagedPool] 34180 QuotaPoolUsage[NonPagedPool] 2288 Working Set Sizes (now,min,max) (818, 50, 345) (3272KB, 200KB, 1380KB) PeakWorkingSetSize 828 VirtualSize 28 Mb PeakVirtualSize 53 Mb PageFaultCount 1332 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 292 THREAD 85173858 Cid 01ec.01f0 Teb: 7ffdf000 Win32Thread: ff8af590 WAIT: (UserRequest) UserMode Non-Alertable 8517fb48 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 2430 Ticks: 37959 (0:00:09:53.109) Context Switch Count 532 UserTime 00:00:00.031 KernelTime 00:00:00.171 Loading symbols for 00ce0000 wininit.exe -> wininit.exe Win32 Start Address wininit!WinMainCRTStartup (0x00ce5c70) Stack Init 8a4fc000 Current 8a4fbc38 Base 8a4fc000 Limit 8a4f9000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll Loading symbols for 772d0000 kernel32.dll -> kernel32.dll ChildEBP RetAddr Args to Child 8a4fbc50 81c699de 851738e0 85173858 85173910 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4fbc8c 81c67434 85173858 00000000 8517fb48 nt!KiSwapThread +0x36d 8a4fbce8 81ddee8a 8517fb48 00000006 ffffff01 nt! KeWaitForSingleObject+0x414 8a4fbd50 81c461ca 000000d8 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a4fbd50 77620f34 000000d8 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4fbd64) 001ef7cc 776206a0 773177d4 000000d8 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 001ef7d0 773177d4 000000d8 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 001ef840 77317742 000000d8 ffffffff 00000000 kernel32! WaitForSingleObjectEx+0xbe (FPO: [Non-Fpo]) 001ef854 00ce2b8a 000000d8 ffffffff 001ef8c8 kernel32! WaitForSingleObject+0x12 (FPO: [Non-Fpo]) 001ef864 00ce25ca ffffffff 95abd7b4 00cf50e0 wininit! WaitForShutdown+0x14 (FPO: [Non-Fpo]) 001ef8c8 00ce5dd9 00ce0000 00000000 00071c23 wininit!WinMain +0x962 (FPO: [Non-Fpo]) 001ef958 77313833 7ffda000 001ef9a4 775fa9bd wininit! _initterm_e+0x1a1 (FPO: [Non-Fpo]) 001ef964 775fa9bd 7ffda000 001eeb48 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 001ef9a4 00000000 00ce5c70 7ffda000 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 85193d78 Cid 01ec.0220 Teb: 7ffde000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 85192d28 SynchronizationTimer 85192de0 SynchronizationTimer 851a9d90 ProcessObject 851ac880 ProcessObject 851b0d90 ProcessObject 85193cb0 SynchronizationTimer Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 36610 Ticks: 3779 (0:00:00:59.046) Context Switch Count 15 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x775db49a) Stack Init 8a51c000 Current 8a51b8d0 Base 8a51c000 Limit 8a519000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a51b8e8 81c699de 85193e00 85193d78 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a51b924 81c4a235 85193d78 00000000 00000006 nt!KiSwapThread +0x36d 8a51b970 81de2ca7 00000006 8a51baa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a51bbfc 81de2a16 00000006 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a51bd48 81c461ca 00000006 0008baa0 00000001 nt! NtWaitForMultipleObjects+0xcc 8a51bd48 77620f34 00000006 0008baa0 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a51bd64) 0089f738 77620690 775db65b 00000006 0008baa0 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0089f73c 775db65b 00000006 0008baa0 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 0089f8d8 77313833 00000000 0089f924 775fa9bd ntdll! TppWaiterpThread+0x294 (FPO: [Non-Fpo]) 0089f8e4 775fa9bd 0008ba70 0089ebc8 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 0089f924 00000000 775db49a 0008ba70 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 8518e030 Cid 01ec.022c Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 8517f9d8 QueueObject Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 5951 Ticks: 34438 (0:00:08:58.093) Context Switch Count 9 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75f20000 RPCRT4.dll -> RPCRT4.dll Win32 Start Address RPCRT4!ThreadStartRoutine (0x75f6ac65) Stack Init 8a520000 Current 8a51fbc8 Base 8a520000 Limit 8a51d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a51fbe0 81c699de 8518e030 86600120 8518e0b8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a51fc1c 81c617d5 8518e030 00000001 006afd28 nt!KiSwapThread +0x36d 8a51fc6c 81de6594 8517f9d8 00000101 00000000 nt!KeRemoveQueueEx +0x568 8a51fcc4 81de8d1e 8517f9d8 8a51fcfc 8a51fd14 nt! IoRemoveIoCompletion+0x23 8a51fd48 81c461ca 00000088 006afd58 006afd48 nt! NtRemoveIoCompletion+0x106 8a51fd48 77620f34 00000088 006afd58 006afd48 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a51fd64) 006afd00 776200f0 772f7948 00000088 006afd58 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 006afd04 772f7948 00000088 006afd58 006afd48 ntdll! NtRemoveIoCompletion+0xc (FPO: [5,0,0]) 006afd30 75f6aeae 00000088 006afd68 006afd58 kernel32! GetQueuedCompletionStatus+0x29 (FPO: [Non-Fpo]) 006afd6c 75f6afe7 ffffffff 006afdd4 006afdc8 RPCRT4! COMMON_ProcessCalls+0xb5 006afdd8 75f6abcf 0008f368 006afe0c 75f6ac39 RPCRT4! LOADABLE_TRANSPORT::ProcessIOEvents+0xef 006afde4 75f6ac39 0008f368 00000000 00000000 RPCRT4! ProcessIOEventsWrapper+0xe 006afe0c 75f6ac83 0008bfe8 006afe24 77313833 RPCRT4! BaseCachedThreadRoutine+0x5c 006afe18 77313833 0008f698 006afe64 775fa9bd RPCRT4! ThreadStartRoutine+0x1e 006afe24 775fa9bd 0008f698 006aec88 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 006afe64 00000000 75f6ac65 0008f698 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 851efd78 Cid 01ec.028c Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable 851efe00 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 2727 Ticks: 37662 (0:00:09:48.468) Context Switch Count 13 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x7762a044) Stack Init 8acea000 Current 8ace9c58 Base 8acea000 Limit 8ace7000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8ace9c70 81c699de 851efe00 851efd78 81cec820 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8ace9cac 81c62b20 851efd78 00000001 013bfb40 nt!KiSwapThread +0x36d 8ace9d08 81e23f61 013bfa01 00000001 8ace9d2c nt! KeDelayExecutionThread+0x397 8ace9d54 81c461ca 00000001 013bfb74 013bfb98 nt! NtDelayExecution+0x8d 8ace9d54 77620f34 00000001 013bfb74 013bfb98 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8ace9d64) 013bfb2c 7761f7c0 773178e0 00000001 013bfb74 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 013bfb30 773178e0 00000001 013bfb74 013b3d54 ntdll! NtDelayExecution+0xc (FPO: [2,0,0]) 013bfb98 00ce1836 ffffffff 00000001 948ed344 kernel32!SleepEx +0x62 (FPO: [Non-Fpo]) 013bfc38 00ce198f ffffffff 948ed3bc 7ffd9000 wininit! WaitForRpcss+0x19f (FPO: [Non-Fpo]) 013bfcc0 00ce1c03 ffffffff 0008c290 775ffe6d wininit! StartWMsgServer+0x139 (FPO: [Non-Fpo]) 013bfccc 775ffe6d 00000000 013befdc 0008b8b8 wininit! WininitStartWmsgServer+0xa (FPO: [Non-Fpo]) 013bfd30 7762a2b8 00000000 0008c290 013becb4 ntdll! RtlpTpWorkCallback+0xbf (FPO: [Non-Fpo]) 013bfe58 77313833 0008b8b0 013bfea4 775fa9bd ntdll! TppWorkerThread+0x522 (FPO: [Non-Fpo]) 013bfe64 775fa9bd 0008b8b0 013bec48 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 013bfea4 00000000 7762a044 0008b8b0 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 851efac0 Cid 01ec.0290 Teb: 7ffd8000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable 851efb48 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 2727 Ticks: 37662 (0:00:09:48.468) Context Switch Count 12 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x7762a044) Stack Init 8acfa000 Current 8acf9c58 Base 8acfa000 Limit 8acf7000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8acf9c70 81c699de 851efb48 851efac0 86600120 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8acf9cac 81c62b20 851efac0 00000001 013ffb38 nt!KiSwapThread +0x36d 8acf9d08 81e23f61 013ffa01 00000001 8acf9d2c nt! KeDelayExecutionThread+0x397 8acf9d54 81c461ca 00000001 013ffb6c 013ffb90 nt! NtDelayExecution+0x8d 8acf9d54 77620f34 00000001 013ffb6c 013ffb90 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8acf9d64) 013ffb24 7761f7c0 773178e0 00000001 013ffb6c ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 013ffb28 773178e0 00000001 013ffb6c 013f3d5c ntdll! NtDelayExecution+0xc (FPO: [2,0,0]) 013ffb90 00ce1836 ffffffff 00000001 948ad34c kernel32!SleepEx +0x62 (FPO: [Non-Fpo]) 013ffc30 00ce1aa7 ffffffff 948ad310 7ffd8000 wininit! WaitForRpcss+0x19f (FPO: [Non-Fpo]) 013ffc6c 775ffe6d 00000000 013fee3c 0008b8b8 wininit! WsdpInitializeRemoteShutdown+0x22 (FPO: [Non-Fpo]) 013ffcd0 7762a2b8 00000000 0008c3d0 013fef14 ntdll! RtlpTpWorkCallback+0xbf (FPO: [Non-Fpo]) 013ffdf8 77313833 0008b8b0 013ffe44 775fa9bd ntdll! TppWorkerThread+0x522 (FPO: [Non-Fpo]) 013ffe04 775fa9bd 0008b8b0 013feca8 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 013ffe44 00000000 7762a044 0008b8b0 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) PROCESS 8517f6f0 SessionId: 1 Cid: 020c Peb: 7ffdd000 ParentCid: 01dc DirBase: 4bfa8000 ObjectTable: 8c2790c0 HandleCount: 53. Image: winlogon.exe VadRoot 83fdd098 Vads 47 Clone 0 Private 143. Modified 9. Locked 0. DeviceMap 87003058 Token 8c237730 ElapsedTime 1 Day 18:07:51.890 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 31680 QuotaPoolUsage[NonPagedPool] 2296 Working Set Sizes (now,min,max) (687, 50, 345) (2748KB, 200KB, 1380KB) PeakWorkingSetSize 695 VirtualSize 25 Mb PeakVirtualSize 54 Mb PageFaultCount 948 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 216 THREAD 8517f420 Cid 020c.0210 Teb: 7ffdf000 Win32Thread: ff8af938 WAIT: (UserRequest) UserMode Non-Alertable 8516e3c0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8517f6f0 Image: winlogon.exe Wait Start TickCount 2110 Ticks: 38279 (0:00:09:58.109) Context Switch Count 303 UserTime 00:00:00.000 KernelTime 00:00:00.109 Loading symbols for 006e0000 winlogon.exe -> winlogon.exe Win32 Start Address winlogon!WinMainCRTStartup (0x007057e2) Stack Init 8a4f4000 Current 8a4f3c38 Base 8a4f4000 Limit 8a4f1000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll Loading symbols for 772d0000 kernel32.dll -> kernel32.dll Loading symbols for 75ce0000 WINSTA.dll -> WINSTA.dll ChildEBP RetAddr Args to Child 8a4f3c50 81c699de 8517f4a8 8517f420 8517f4d8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4f3c8c 81c67434 8517f420 00000000 8516e3c0 nt!KiSwapThread +0x36d 8a4f3ce8 81ddee8a 8516e3c0 00000006 00000001 nt! KeWaitForSingleObject+0x414 8a4f3d50 81c461ca 000000d8 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a4f3d50 77620f34 000000d8 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4f3d64) 0018fab0 776206a0 773177d4 000000d8 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0018fab4 773177d4 000000d8 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 0018fb24 77317742 000000d8 ffffffff 00000000 kernel32! WaitForSingleObjectEx+0xbe (FPO: [Non-Fpo]) 0018fb38 75ce3599 000000d8 ffffffff 75ce7760 kernel32! WaitForSingleObject+0x12 (FPO: [Non-Fpo]) 0018fb48 75ce76aa 95ae0121 00722c9c 006e2dac WINSTA! TestServiceStarted+0x71 (FPO: [Non-Fpo]) 0018fb8c 006e9e13 95ada407 00723bf4 00301c3c WINSTA! _WinStationWaitForConnect+0x22 (FPO: [Non-Fpo]) 0018fbe8 0070566c 006e0000 00000000 00301c3c winlogon!WinMain +0x54e (FPO: [Non-Fpo]) 0018fc78 77313833 7ffdd000 0018fcc4 775fa9bd winlogon! _initterm_e+0x1a1 (FPO: [Non-Fpo]) 0018fc84 775fa9bd 7ffdd000 0018e8d1 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 0018fcc4 00000000 007057e2 7ffdd000 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 85196d78 Cid 020c.0224 Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 85195eb0 SynchronizationTimer 85195f68 SynchronizationTimer 85196cb0 SynchronizationTimer Not impersonating DeviceMap 87003058 Owning Process 8517f6f0 Image: winlogon.exe Wait Start TickCount 36610 Ticks: 3779 (0:00:00:59.046) Context Switch Count 12 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x775db49a) Stack Init 8a518000 Current 8a5178d0 Base 8a518000 Limit 8a515000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a5178e8 81c699de 85196e00 85196d78 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a517924 81c4a235 85196d78 00000000 00000003 nt!KiSwapThread +0x36d 8a517970 81de2ca7 00000003 8a517aa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a517bfc 81de2a16 00000003 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a517d48 81c461ca 00000003 0031dc20 00000001 nt! NtWaitForMultipleObjects+0xcc 8a517d48 77620f34 00000003 0031dc20 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a517d64) 00e9f758 77620690 775db65b 00000003 0031dc20 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00e9f75c 775db65b 00000003 0031dc20 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 00e9f8f8 77313833 00000000 00e9f944 775fa9bd ntdll! TppWaiterpThread+0x294 (FPO: [Non-Fpo]) 00e9f904 775fa9bd 0031dbf0 00e9ed51 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 00e9f944 00000000 775db49a 0031dbf0 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 85198d78 Cid 020c.0228 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 85179ae8 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8517f6f0 Image: winlogon.exe Wait Start TickCount 3974 Ticks: 36415 (0:00:09:28.984) Context Switch Count 5 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75f20000 RPCRT4.dll -> RPCRT4.dll Win32 Start Address RPCRT4!ThreadStartRoutine (0x75f6ac65) Stack Init 8a524000 Current 8a523bc8 Base 8a524000 Limit 8a521000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args
From: unicell on 19 Sep 2008 04:55
(process list continued) PROCESS 84311d90 SessionId: none Cid: 0174 Peb: 7ffd8000 ParentCid: 0004 DirBase: 5a5b4000 ObjectTable: 88dda090 HandleCount: 26. Image: smss.exe VadRoot 846b9a48 Vads 15 Clone 0 Private 50. Modified 3. Locked 0. DeviceMap 87003058 Token 88ddd6a0 ElapsedTime 1 Day 18:08:03.578 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 7288 QuotaPoolUsage[NonPagedPool] 720 Working Set Sizes (now,min,max) (172, 50, 345) (688KB, 200KB, 1380KB) PeakWorkingSetSize 172 VirtualSize 4 Mb PeakVirtualSize 14 Mb PageFaultCount 253 MemoryPriority BACKGROUND BasePriority 11 CommitCharge 71 THREAD 846bed78 Cid 0174.0178 Teb: 7ffdf000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 8479b980 ProcessObject 85175690 ProcessObject Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2011 Ticks: 38378 (0:00:09:59.656) Context Switch Count 269 UserTime 00:00:00.000 KernelTime 00:00:00.187 Loading symbols for 47760000 smss.exe -> smss.exe Win32 Start Address smss!NtProcessStartupW (0x4776d757) Stack Init 8a658000 Current 8a6578d0 Base 8a658000 Limit 8a655000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll ChildEBP RetAddr Args to Child 8a6578e8 81c699de 846bee00 846bed78 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a657924 81c4a235 846bed78 00000000 00000002 nt!KiSwapThread +0x36d 8a657970 81de2ca7 00000002 8a657aa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a657bfc 81de2a16 00000002 00000001 00000000 nt! ObpWaitForMultipleObjects+0x256 8a657d48 81c461ca 00000002 4776f47c 00000001 nt! NtWaitForMultipleObjects+0xcc 8a657d48 77620f34 00000002 4776f47c 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a657d64) 002efd64 77620690 4776b583 00000002 4776f47c ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 002efd68 4776b583 00000002 4776f47c 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 002efe00 4776d73d 00000000 003c1a60 003c1a68 smss!wmain+0x211 (FPO: [Non-Fpo]) 002efe44 775d6329 7ffd8000 002ed879 00000000 smss! NtProcessStartupW_AfterSecurityCookieInitialized+0x1fe (FPO: [Non- Fpo]) 002efe84 00000000 4776d757 7ffd8000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 83fdb280 Cid 0174.01a8 Teb: 7ffde000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 83fdb494 Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2036 Ticks: 38353 (0:00:09:59.265) Context Switch Count 8 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address smss!SmpCreateInitialSession (0x4776b2a2) Stack Init 8a644000 Current 8a643b78 Base 8a644000 Limit 8a641000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a643b90 81c699de 83fdb308 83fdb280 83fdb338 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a643bcc 81c67434 83fdb280 84314f08 83fdb280 nt!KiSwapThread +0x36d 8a643c2c 81de127c 83fdb494 00000010 8c26b701 nt! KeWaitForSingleObject+0x414 8a643c64 81de5bc0 8c26b701 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a643ce0 81de5930 84314f08 00010000 001ef838 nt! AlpcpReceiveMessage+0x163 8a643d3c 81c461ca 0000002c 00010000 001ef838 nt! NtAlpcSendWaitReceivePort+0x11c 8a643d3c 77620f34 0000002c 00010000 001ef838 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a643d64) 001ef7bc 7761f2c0 47769f99 0000002c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 001ef7c0 47769f99 0000002c 00010000 001ef838 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 001ef984 4776b365 00000000 001ec35c 00000000 smss!SmpApiLoop +0x103 (FPO: [Non-Fpo]) 001efb04 775d6329 00000000 001eddb9 00000000 smss! SmpCreateInitialSession+0xc3 (FPO: [Non-Fpo]) 001efb44 00000000 4776b2a2 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 83fde968 Cid 0174.01b4 Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 83fdeb7c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2027 Ticks: 38362 (0:00:09:59.406) Context Switch Count 5 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address smss!SmpApiLoop (0x47769e96) Stack Init 8a540000 Current 8a53fb78 Base 8a540000 Limit 8a53d000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a53fb90 81c699de 83fde9f0 83fde968 83fdea20 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a53fbcc 81c67434 83fde968 84314f08 83fde968 nt!KiSwapThread +0x36d 8a53fc2c 81de127c 83fdeb7c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a53fc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a53fce0 81de5930 84314f08 00010000 0034fa38 nt! AlpcpReceiveMessage+0x163 8a53fd3c 81c461ca 0000002c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a53fd3c 77620f34 0000002c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a53fd64) 0034f9bc 7761f2c0 47769f99 0000002c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0034f9c0 47769f99 0000002c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 0034fb84 775d6329 00000000 0034dd39 00000000 smss!SmpApiLoop +0x103 (FPO: [Non-Fpo]) 0034fbc4 00000000 47769e96 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85170588 Cid 0174.01d8 Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 8517079c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 84311d90 Image: smss.exe Wait Start TickCount 2036 Ticks: 38353 (0:00:09:59.265) Context Switch Count 6 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address smss!SmpCreateInitialSession (0x4776b2a2) Stack Init 8a4f0000 Current 8a4efb78 Base 8a4f0000 Limit 8a4ed000 Call 0 Priority 12 BasePriority 11 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a4efb90 81c699de 85170610 85170588 85170640 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4efbcc 81c67434 85170588 84314f08 85170588 nt!KiSwapThread +0x36d 8a4efc2c 81de127c 8517079c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a4efc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a4efce0 81de5930 84314f08 00010000 0038fcb8 nt! AlpcpReceiveMessage+0x163 8a4efd3c 81c461ca 0000002c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a4efd3c 77620f34 0000002c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4efd64) 0038fc3c 7761f2c0 47769f99 0000002c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0038fc40 47769f99 0000002c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 0038fe04 4776b365 00000000 0038c7dc 00000000 smss!SmpApiLoop +0x103 (FPO: [Non-Fpo]) 0038ff84 775d6329 00000000 0038d939 00000000 smss! SmpCreateInitialSession+0xc3 (FPO: [Non-Fpo]) 0038ffc4 00000000 4776b2a2 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) PROCESS 8479b980 SessionId: 0 Cid: 01b8 Peb: 7ffd9000 ParentCid: 01ac DirBase: 56383000 ObjectTable: 8c15dcb8 HandleCount: 109. Image: csrss.exe VadRoot 851a1800 Vads 74 Clone 0 Private 214. Modified 36. Locked 0. DeviceMap 87003058 Token 8c15ddb0 ElapsedTime 1 Day 18:07:56.843 UserTime 00:00:00.000 KernelTime 00:00:00.578 QuotaPoolUsage[PagedPool] 92872 QuotaPoolUsage[NonPagedPool] 3624 Working Set Sizes (now,min,max) (1164, 50, 345) (4656KB, 200KB, 1380KB) PeakWorkingSetSize 1170 VirtualSize 83 Mb PeakVirtualSize 105 Mb PageFaultCount 2959 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 332 THREAD 8516e7c8 Cid 01b8.01c8 Teb: 7ffde000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 8516e3c0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 1980 Ticks: 38409 (0:00:10:00.140) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75d50000 winsrv.dll -> winsrv.dll Win32 Start Address winsrv!TerminalServerRequestThread (0x75d5fc43) Stack Init 8a654000 Current 8a653c38 Base 8a654000 Limit 8a651000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll ChildEBP RetAddr Args to Child 8a653c50 81c699de 8516e850 8516e7c8 8516e880 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a653c8c 81c67434 8516e7c8 00000000 8516e3c0 nt!KiSwapThread +0x36d 8a653ce8 81ddee8a 8516e3c0 00000006 8a653d01 nt! KeWaitForSingleObject+0x414 8a653d50 81c461ca 0000006c 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a653d50 77620f34 0000006c 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a653d64) 0085fa10 776206a0 75d5fc98 0000006c 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0085fa14 75d5fc98 0000006c 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 0085fb64 775d6329 00000000 0085fb1e 00000000 winsrv! TerminalServerRequestThread+0x55 (FPO: [Non-Fpo]) 0085fba4 00000000 75d5fc43 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 8516e4a0 Cid 01b8.01cc Teb: 7ffdd000 Win32Thread: ffa0b0b8 WAIT: (UserRequest) UserMode Alertable 847a3ee0 SynchronizationEvent 83fd6920 SynchronizationEvent 83fd68f0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 38172 Ticks: 2217 (0:00:00:34.640) Context Switch Count 6 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!NotificationThread (0x75d5b56b) Stack Init 8a53c000 Current 8a53b8d0 Base 8a53c000 Limit 8a539000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a53b8e8 81c699de 8516e528 8516e4a0 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a53b924 81c4a235 8516e4a0 00000000 00000003 nt!KiSwapThread +0x36d 8a53b970 81de2ca7 00000003 8a53baa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a53bbfc 81de2a16 00000003 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a53bd48 81c461ca 00000003 00cdfcc4 00000001 nt! NtWaitForMultipleObjects+0xcc 8a53bd48 77620f34 00000003 00cdfcc4 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a53bd64) 00cdfc78 77620690 75d5b6ae 00000003 00cdfcc4 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00cdfc7c 75d5b6ae 00000003 00cdfcc4 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 00cdfee4 775d6329 00000000 00cdff9e 00000000 winsrv! NotificationThread+0x149 (FPO: [Non-Fpo]) 00cdff24 00000000 75d5b56b 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85170d78 Cid 01b8.01d0 Teb: 7ffdc000 Win32Thread: ff811878 WAIT: (WrLpcReceive) UserMode Non-Alertable 85170f8c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 38656 Ticks: 1733 (0:00:00:27.078) Context Switch Count 131 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75dd0000 CSRSRV.dll -> CSRSRV.dll Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a538000 Current 8a537b78 Base 8a538000 Limit 8a535000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a537b90 81c699de 85170e00 85170d78 85170e30 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a537bcc 81c67434 85170d78 851656c8 85170d78 nt!KiSwapThread +0x36d 8a537c2c 81de127c 85170f8c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a537c64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a537ce0 81de5930 851656c8 00010000 008bfab0 nt! AlpcpReceiveMessage+0x163 8a537d3c 81c461ca 0000007c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a537d3c 77620f34 0000007c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a537d64) 008bfa74 7761f2c0 75dd5720 0000007c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 008bfa78 75dd5720 0000007c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 008bfc04 775d6329 00000080 008bfcfe 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 008bfc44 00000000 75dd563d 00000080 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 8516f228 Cid 01b8.01d4 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 8516f43c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2011 Ticks: 38378 (0:00:09:59.656) Context Switch Count 3 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrSbApiRequestThread (0x75dd4530) Stack Init 8a530000 Current 8a52fb70 Base 8a530000 Limit 8a52d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a52fb88 81c699de 8516f2b0 8516f228 8516f2e0 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a52fbc4 81c67434 8516f228 8516e030 8516f228 nt!KiSwapThread +0x36d 8a52fc24 81de127c 8516f43c 00000010 8c15dc01 nt! KeWaitForSingleObject+0x414 8a52fc5c 81de19df 8c15dc01 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a52fcc4 81de17d6 8516e030 0016fb08 00000000 nt! AlpcpReceiveLegacyMessage+0x197 8a52fd30 81de1834 00000080 0016fc20 0016fb08 nt! NtReplyWaitReceivePortEx+0x100 8a52fd4c 81c461ca 00000080 0016fc20 0016fb08 nt! NtReplyWaitReceivePort+0x18 8a52fd4c 77620f34 00000080 0016fc20 0016fb08 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a52fd64) 0016fae0 77620140 75dd4578 00000080 0016fc20 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0016fae4 75dd4578 00000080 0016fc20 0016fb08 ntdll! ZwReplyWaitReceivePort+0xc (FPO: [4,0,0]) 0016fc24 775d6329 00000000 0016fcde 00000000 CSRSRV! CsrSbApiRequestThread+0x48 (FPO: [Non-Fpo]) 0016fc64 00000000 75dd4530 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851752b8 Cid 01b8.01f4 Teb: 7ffdf000 Win32Thread: ffa4ec10 WAIT: (WrLpcReceive) UserMode Non-Alertable 851754cc Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 37250 Ticks: 3139 (0:00:00:49.046) Context Switch Count 55 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a550000 Current 8a54fb78 Base 8a550000 Limit 8a54d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a54fb90 81c699de 85175340 851752b8 85175370 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a54fbcc 81c67434 851752b8 851656c8 851752b8 nt!KiSwapThread +0x36d 8a54fc2c 81de127c 851754cc 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a54fc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a54fce0 81de5930 851656c8 00010000 001bf8d0 nt! AlpcpReceiveMessage+0x163 8a54fd3c 81c461ca 0000007c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a54fd3c 77620f34 0000007c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a54fd64) 001bf894 7761f2c0 75dd5720 0000007c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 001bf898 75dd5720 0000007c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 001bfa24 775d6329 00000000 001bfade 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 001bfa64 00000000 75dd563d 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a1850 Cid 01b8.0238 Teb: 7ffda000 Win32Thread: ff8c9a00 WAIT: (WrUserRequest) KernelMode Alertable 851a1708 SynchronizationEvent 8519ec80 NotificationTimer 8519ec50 SynchronizationTimer 81d01780 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 7252 Ticks: 33137 (0:00:08:37.765) Context Switch Count 15 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a548000 Current 8a547c38 Base 8a548000 Limit 8a545000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a547c50 81c699de 851a18d8 851a1850 00000004 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a547c8c 81c4a235 851a1850 00000001 81c4415c nt!KiSwapThread +0x36d 8a547cd8 8f60861a 00000004 851a16a0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a547d34 8f605145 00000001 00000002 8a4fb478 win32k! RawInputThread+0x474 (FPO: [Non-Fpo]) 8a547d48 8f6d8d19 00000004 00f6fb64 8a547d64 win32k! xxxCreateSystemThreads+0x4a (FPO: [Non-Fpo]) 8a547d58 81c461ca 00000004 00f6fba4 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a547d58 77620f34 00000004 00f6fba4 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a547d64) 00f6fb54 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00f6fb58 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 00f6fb64 775d6329 00000000 00f6fb1e 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 00f6fba4 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a1030 Cid 01b8.023c Teb: 7ffd8000 Win32Thread: ff8c9428 WAIT: (WrUserRequest) UserMode Non-Alertable 851a0540 SynchronizationEvent 8519f3b0 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2111 Ticks: 38278 (0:00:09:58.093) Context Switch Count 19 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a52c000 Current 8a52bbf8 Base 8a52c000 Limit 8a529000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a52bc10 81c699de 851a10b8 851a1030 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a52bc4c 81c4a235 851a1030 81c49db1 ff8c9428 nt!KiSwapThread +0x36d 8a52bc9c 8f6b093b 00000002 8423d2b0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a52bcf4 8f616737 00000001 8423d2b0 8f613e24 win32k! xxxMsgWaitForMultipleObjects+0xcb (FPO: [Non-Fpo]) 8a52bd34 8f60514f 8423d2b0 00000001 8f7dff40 win32k! xxxDesktopThread+0x18f (FPO: [Non-Fpo]) 8a52bd48 8f6d8d19 00000004 007ff7c4 8a52bd64 win32k! xxxCreateSystemThreads+0x54 (FPO: [Non-Fpo]) 8a52bd58 81c461ca 00000004 007ff804 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a52bd58 77620f34 00000004 007ff804 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a52bd64) 007ff7b4 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 007ff7b8 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 007ff7c4 775d6329 00000000 007ff8be 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 007ff804 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851b1ca8 Cid 01b8.0264 Teb: 7ffd7000 Win32Thread: ffa07188 WAIT: (WrLpcReceive) UserMode Non-Alertable 851b1ebc Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 37250 Ticks: 3139 (0:00:00:49.046) Context Switch Count 42 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a64c000 Current 8a64bb78 Base 8a64c000 Limit 8a649000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a64bb90 81c699de 851b1d30 851b1ca8 851b1d60 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a64bbcc 81c67434 851b1ca8 851656c8 851b1ca8 nt!KiSwapThread +0x36d 8a64bc2c 81de127c 851b1ebc 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a64bc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a64bce0 81de5930 851656c8 00010000 00d9f750 nt! AlpcpReceiveMessage+0x163 8a64bd3c 81c461ca 0000007c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a64bd3c 77620f34 0000007c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a64bd64) 00d9f714 7761f2c0 75dd5720 0000007c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00d9f718 75dd5720 0000007c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 00d9f8a4 775d6329 00000000 00d9f85e 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 00d9f8e4 00000000 75dd563d 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851b19a8 Cid 01b8.0268 Teb: 7ffd6000 Win32Thread: ffa176a0 WAIT: (WrUserRequest) UserMode Non-Alertable 851b03f8 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2192 Ticks: 38197 (0:00:09:56.828) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a650000 Current 8a64fbf8 Base 8a650000 Limit 8a64d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a64fc10 81c699de 851b1a30 851b19a8 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a64fc4c 81c4a235 851b19a8 81c49db1 ffa176a0 nt!KiSwapThread +0x36d 8a64fc9c 8f6b093b 00000001 842412b0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a64fcf4 8f616737 00000000 842412b0 00000000 win32k! xxxMsgWaitForMultipleObjects+0xcb (FPO: [Non-Fpo]) 8a64fd34 8f60514f 842412b0 00000001 8f7dff20 win32k! xxxDesktopThread+0x18f (FPO: [Non-Fpo]) 8a64fd48 8f6d8d19 00000004 04c3f824 8a64fd64 win32k! xxxCreateSystemThreads+0x54 (FPO: [Non-Fpo]) 8a64fd58 81c461ca 00000004 04c3f864 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a64fd58 77620f34 00000004 04c3f864 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a64fd64) 04c3f814 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 04c3f818 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 04c3f824 775d6329 00000000 04c3f8de 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 04c3f864 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851b1498 Cid 01b8.026c Teb: 7ffd5000 Win32Thread: ffa90d58 WAIT: (WrUserRequest) UserMode Non-Alertable 851b13e8 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 8479b980 Image: csrss.exe Wait Start TickCount 2227 Ticks: 38162 (0:00:09:56.281) Context Switch Count 6 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!ConsoleInputThread (0x75d52f42) Stack Init 8a534000 Current 8a533b68 Base 8a534000 Limit 8a531000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 76ac0000 USER32.dll -> USER32.dll ChildEBP RetAddr Args to Child 8a533b80 81c699de 851b1520 851b1498 851b1550 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a533bbc 81c67434 851b1498 00000000 ffa90d58 nt!KiSwapThread +0x36d 8a533c18 8f6db8ed 851b13e8 0000000d 00000001 nt! KeWaitForSingleObject+0x414 8a533c74 8f6db724 000025ff 00000000 00000001 win32k! xxxRealSleepThread+0x1ad (FPO: [Non-Fpo]) 8a533c90 8f6d9976 000025ff 00000000 00000001 win32k! xxxSleepThread+0x2d (FPO: [Non-Fpo]) 8a533ce8 8f6dd983 8a533d18 000025ff 00000000 win32k! xxxRealInternalGetMessage+0x4a4 (FPO: [Non-Fpo]) 8a533d4c 81c461ca 04cffc3c 00000000 00000000 win32k! NtUserGetMessage+0x3f (FPO: [Non-Fpo]) 8a533d4c 77620f34 04cffc3c 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a533d64) 04cffbf8 76ae199a 76ae19cd 04cffc3c 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 04cffbfc 76ae19cd 04cffc3c 00000000 00000000 USER32! NtUserGetMessage+0xc (FPO: [Non-Fpo]) 04cffc18 75d5306e 04cffc3c 00000000 00000000 USER32!GetMessageW +0x33 (FPO: [Non-Fpo]) 04cffc84 775d6329 00000000 04cffc7e 00000000 winsrv! ConsoleInputThread+0x21c (FPO: [Non-Fpo]) 04cffcc4 00000000 75d52f42 008bf9c0 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) PROCESS 85174d90 SessionId: 1 Cid: 01e4 Peb: 7ffdd000 ParentCid: 01dc DirBase: 4d1a3000 ObjectTable: 8c273790 HandleCount: 58. Image: csrss.exe VadRoot 8519ef90 Vads 61 Clone 0 Private 587. Modified 43. Locked 469. DeviceMap 87003058 Token 8c2732d0 ElapsedTime 1 Day 18:07:52.656 UserTime 00:00:00.015 KernelTime 00:00:00.390 QuotaPoolUsage[PagedPool] 91744 QuotaPoolUsage[NonPagedPool] 4880 Working Set Sizes (now,min,max) (1474, 50, 345) (5896KB, 200KB, 1380KB) PeakWorkingSetSize 2673 VirtualSize 87 Mb PeakVirtualSize 87 Mb PageFaultCount 5979 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 1886 THREAD 85177588 Cid 01e4.01f8 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable 847a2618 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 2126 Ticks: 38263 (0:00:09:57.859) Context Switch Count 46 UserTime 00:00:00.000 KernelTime 00:00:00.140 Win32 Start Address cdd!PresentWorkerThread (0x8f41309e) Stack Init 8a4f8000 Current 8a4f7c10 Base 8a4f8000 Limit 8a4f5000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Loading symbols for 775c0000 ntdll.dll -> ntdll.dll ChildEBP RetAddr Args to Child 8a4f7c28 81c699de 85177610 85177588 85177640 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4f7c64 81c67434 85177588 875cd100 00000000 nt!KiSwapThread +0x36d 8a4f7cc4 8f413470 847a2618 00000000 00000000 nt! KeWaitForSingleObject+0x414 8a4f7d7c 81dafafd ff866af0 8a4fc680 00000000 cdd! PresentWorkerThread+0x3d2 (FPO: [Non-Fpo]) 8a4f7dc0 81c9a2c6 8f41309e ff866af0 00000000 nt! PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup +0x16 THREAD 851795d0 Cid 01e4.01fc Teb: 7ffde000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable 8516e3c0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 2027 Ticks: 38362 (0:00:09:59.406) Context Switch Count 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75d50000 winsrv.dll -> winsrv.dll Win32 Start Address winsrv!TerminalServerRequestThread (0x75d5fc43) Stack Init 8a500000 Current 8a4ffc38 Base 8a500000 Limit 8a4fd000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a4ffc50 81c699de 85179658 851795d0 85179688 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4ffc8c 81c67434 851795d0 00000000 8516e3c0 nt!KiSwapThread +0x36d 8a4ffce8 81ddee8a 8516e3c0 00000006 81c98501 nt! KeWaitForSingleObject+0x414 8a4ffd50 81c461ca 00000074 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a4ffd50 77620f34 00000074 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4ffd64) 0076f6d0 776206a0 75d5fc98 00000074 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0076f6d4 75d5fc98 00000074 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 0076f824 775d6329 00000000 0076e973 00000000 winsrv! TerminalServerRequestThread+0x55 (FPO: [Non-Fpo]) 0076f864 00000000 75d5fc43 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85179318 Cid 01e4.0200 Teb: 7ffdc000 Win32Thread: ffb43d80 WAIT: (UserRequest) UserMode Alertable 85173d68 SynchronizationEvent 85173f88 SynchronizationEvent 85173d98 SynchronizationEvent 83fe1920 SynchronizationEvent Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 38172 Ticks: 2217 (0:00:00:34.640) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!NotificationThread (0x75d5b56b) Stack Init 8a504000 Current 8a5038d0 Base 8a504000 Limit 8a501000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a5038e8 81c699de 851793a0 85179318 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a503924 81c4a235 85179318 00000000 00000004 nt!KiSwapThread +0x36d 8a503970 81de2ca7 00000004 8a503aa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a503bfc 81de2a16 00000004 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a503d48 81c461ca 00000004 01b2f8c4 00000001 nt! NtWaitForMultipleObjects+0xcc 8a503d48 77620f34 00000004 01b2f8c4 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a503d64) 01b2f878 77620690 75d5b6ae 00000004 01b2f8c4 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01b2f87c 75d5b6ae 00000004 01b2f8c4 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 01b2fae4 775d6329 00000000 01b2ea33 00000000 winsrv! NotificationThread+0x149 (FPO: [Non-Fpo]) 01b2fb24 00000000 75d5b56b 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85183488 Cid 01e4.0204 Teb: 7ffdb000 Win32Thread: ff88b908 WAIT: (WrLpcReceive) UserMode Non-Alertable 8518369c Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 38656 Ticks: 1733 (0:00:00:27.078) Context Switch Count 32 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75dd0000 CSRSRV.dll -> CSRSRV.dll Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a508000 Current 8a507b78 Base 8a508000 Limit 8a505000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a507b90 81c699de 85183510 85183488 85183540 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a507bcc 81c67434 85183488 85183740 85183488 nt!KiSwapThread +0x36d 8a507c2c 81de127c 8518369c 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a507c64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a507ce0 81de5930 85183740 00010000 01c1faf0 nt! AlpcpReceiveMessage+0x163 8a507d3c 81c461ca 0000008c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a507d3c 77620f34 0000008c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a507d64) 01c1fab4 7761f2c0 75dd5720 0000008c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01c1fab8 75dd5720 0000008c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 01c1fc44 775d6329 00000090 01c1ed93 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 01c1fc84 00000000 75dd563d 00000090 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85184030 Cid 01e4.0208 Teb: 7ffda000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable 85184244 Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 2036 Ticks: 38353 (0:00:09:59.265) Context Switch Count 3 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrSbApiRequestThread (0x75dd4530) Stack Init 8a50c000 Current 8a50bb70 Base 8a50c000 Limit 8a509000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a50bb88 81c699de 851840b8 85184030 851840e8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a50bbc4 81c67434 85184030 85183220 85184030 nt!KiSwapThread +0x36d 8a50bc24 81de127c 85184244 00000010 8c273701 nt! KeWaitForSingleObject+0x414 8a50bc5c 81de19df 8c273701 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a50bcc4 81de17d6 85183220 007bf988 00000000 nt! AlpcpReceiveLegacyMessage+0x197 8a50bd30 81de1834 00000090 007bfaa0 007bf988 nt! NtReplyWaitReceivePortEx+0x100 8a50bd4c 81c461ca 00000090 007bfaa0 007bf988 nt! NtReplyWaitReceivePort+0x18 8a50bd4c 77620f34 00000090 007bfaa0 007bf988 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a50bd64) 007bf960 77620140 75dd4578 00000090 007bfaa0 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 007bf964 75dd4578 00000090 007bfaa0 007bf988 ntdll! ZwReplyWaitReceivePort+0xc (FPO: [4,0,0]) 007bfaa4 775d6329 00000000 007bebf3 00000000 CSRSRV! CsrSbApiRequestThread+0x48 (FPO: [Non-Fpo]) 007bfae4 00000000 75dd4530 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 85179ba0 Cid 01e4.0214 Teb: 7ffdf000 Win32Thread: ffa77c08 WAIT: (WrLpcReceive) UserMode Non-Alertable 85179db4 Semaphore Limit 0x1 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 37250 Ticks: 3139 (0:00:00:49.046) Context Switch Count 29 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address CSRSRV!CsrApiRequestThread (0x75dd563d) Stack Init 8a54c000 Current 8a54bb78 Base 8a54c000 Limit 8a549000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a54bb90 81c699de 85179c28 85179ba0 85179c58 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a54bbcc 81c67434 85179ba0 85183740 85179ba0 nt!KiSwapThread +0x36d 8a54bc2c 81de127c 85179db4 00000010 00000001 nt! KeWaitForSingleObject+0x414 8a54bc64 81de5bc0 00000001 00000000 00000000 nt! AlpcpReceiveMessagePort+0x221 8a54bce0 81de5930 85183740 00010000 01ccf9f0 nt! AlpcpReceiveMessage+0x163 8a54bd3c 81c461ca 0000008c 00010000 00000000 nt! NtAlpcSendWaitReceivePort+0x11c 8a54bd3c 77620f34 0000008c 00010000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a54bd64) 01ccf9b4 7761f2c0 75dd5720 0000008c 00010000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01ccf9b8 75dd5720 0000008c 00010000 00000000 ntdll! NtAlpcSendWaitReceivePort+0xc (FPO: [8,0,0]) 01ccfb44 775d6329 00000000 01ccea93 00000000 CSRSRV! CsrApiRequestThread+0xe3 (FPO: [Non-Fpo]) 01ccfb84 00000000 75dd563d 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a1b50 Cid 01e4.0234 Teb: 7ffd9000 Win32Thread: ff88e8f0 WAIT: (WrUserRequest) KernelMode Alertable 851a17a0 SynchronizationEvent 851a0710 NotificationTimer 8519f7b0 SynchronizationTimer 8519f798 SynchronizationEvent IRP List: 83fe1088: (0006,01d8) Flags: 00060970 Mdl: 00000000 83fddd28: (0006,01d8) Flags: 00060970 Mdl: 00000000 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 40387 Ticks: 2 (0:00:00:00.031) Context Switch Count 641 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a558000 Current 8a557c38 Base 8a558000 Limit 8a555000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a557c50 81c699de 851a1bd8 851a1b50 00000004 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a557c8c 81c4a235 851a1b50 00000001 81c4415c nt!KiSwapThread +0x36d 8a557cd8 8f60861a 00000004 8519ec38 00000001 nt! KeWaitForMultipleObjects+0x47d 8a557d34 8f605145 00000001 00000002 8a4f3478 win32k! RawInputThread+0x474 (FPO: [Non-Fpo]) 8a557d48 8f6d8d19 00000004 01e4fea4 8a557d64 win32k! xxxCreateSystemThreads+0x4a (FPO: [Non-Fpo]) 8a557d58 81c461ca 00000004 01e4fee4 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a557d58 77620f34 00000004 01e4fee4 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a557d64) 01e4fe94 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01e4fe98 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 01e4fea4 775d6329 00000000 01e4eff3 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 01e4fee4 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) THREAD 851a6030 Cid 01e4.0240 Teb: 7ffd8000 Win32Thread: ff8b4548 WAIT: (WrUserRequest) UserMode Non-Alertable 8519f758 SynchronizationEvent 851a43a8 SynchronizationEvent IRP List: 846d9660: (0006,01fc) Flags: 00060970 Mdl: 00000000 848465e8: (0006,01d8) Flags: 00060970 Mdl: 00000000 Not impersonating DeviceMap 87003058 Owning Process 85174d90 Image: csrss.exe Wait Start TickCount 40133 Ticks: 256 (0:00:00:04.000) Context Switch Count 39 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address winsrv!StartCreateSystemThreads (0x75d5bde0) Stack Init 8a55c000 Current 8a55bbf8 Base 8a55c000 Limit 8a559000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8a55bc10 81c699de 851a60b8 851a6030 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a55bc4c 81c4a235 851a6030 81c49db1 ff8b4548 nt!KiSwapThread +0x36d 8a55bc9c 8f6b093b 00000002 8423e2b0 00000001 nt! KeWaitForMultipleObjects+0x47d 8a55bcf4 8f616737 00000001 8423e2b0 8f613e24 win32k! xxxMsgWaitForMultipleObjects+0xcb (FPO: [Non-Fpo]) 8a55bd34 8f60514f 8423e2b0 00000001 8f7dff40 win32k! xxxDesktopThread+0x18f (FPO: [Non-Fpo]) 8a55bd48 8f6d8d19 00000004 01ebff64 8a55bd64 win32k! xxxCreateSystemThreads+0x54 (FPO: [Non-Fpo]) 8a55bd58 81c461ca 00000004 01ebffa4 77620f34 win32k! NtUserCallNoParam+0x1b (FPO: [Non-Fpo]) 8a55bd58 77620f34 00000004 01ebffa4 77620f34 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a55bd64) 01ebff54 75d5612e 75d5bdf2 00000004 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 01ebff58 75d5bdf2 00000004 00000000 775d6329 winsrv! NtUserCallNoParam+0xc (FPO: [Non-Fpo]) 01ebff64 775d6329 00000000 01ebeeb3 00000000 winsrv! StartCreateSystemThreads+0x12 (FPO: [Non-Fpo]) 01ebffa4 00000000 75d5bde0 00000000 00000000 ntdll! _RtlUserThreadStart+0x35 (FPO: [Non-Fpo]) PROCESS 85175690 SessionId: 0 Cid: 01ec Peb: 7ffda000 ParentCid: 01ac DirBase: 4d988000 ObjectTable: 8c27fc30 HandleCount: 73. Image: wininit.exe VadRoot 85177df8 Vads 46 Clone 0 Private 226. Modified 9. Locked 0. DeviceMap 87003058 Token 8c27fdb0 ElapsedTime 1 Day 18:07:52.281 UserTime 00:00:00.000 KernelTime 00:00:00.093 QuotaPoolUsage[PagedPool] 34180 QuotaPoolUsage[NonPagedPool] 2288 Working Set Sizes (now,min,max) (818, 50, 345) (3272KB, 200KB, 1380KB) PeakWorkingSetSize 828 VirtualSize 28 Mb PeakVirtualSize 53 Mb PageFaultCount 1332 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 292 THREAD 85173858 Cid 01ec.01f0 Teb: 7ffdf000 Win32Thread: ff8af590 WAIT: (UserRequest) UserMode Non-Alertable 8517fb48 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 2430 Ticks: 37959 (0:00:09:53.109) Context Switch Count 532 UserTime 00:00:00.031 KernelTime 00:00:00.171 Loading symbols for 00ce0000 wininit.exe -> wininit.exe Win32 Start Address wininit!WinMainCRTStartup (0x00ce5c70) Stack Init 8a4fc000 Current 8a4fbc38 Base 8a4fc000 Limit 8a4f9000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll Loading symbols for 772d0000 kernel32.dll -> kernel32.dll ChildEBP RetAddr Args to Child 8a4fbc50 81c699de 851738e0 85173858 85173910 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4fbc8c 81c67434 85173858 00000000 8517fb48 nt!KiSwapThread +0x36d 8a4fbce8 81ddee8a 8517fb48 00000006 ffffff01 nt! KeWaitForSingleObject+0x414 8a4fbd50 81c461ca 000000d8 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a4fbd50 77620f34 000000d8 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4fbd64) 001ef7cc 776206a0 773177d4 000000d8 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 001ef7d0 773177d4 000000d8 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 001ef840 77317742 000000d8 ffffffff 00000000 kernel32! WaitForSingleObjectEx+0xbe (FPO: [Non-Fpo]) 001ef854 00ce2b8a 000000d8 ffffffff 001ef8c8 kernel32! WaitForSingleObject+0x12 (FPO: [Non-Fpo]) 001ef864 00ce25ca ffffffff 95abd7b4 00cf50e0 wininit! WaitForShutdown+0x14 (FPO: [Non-Fpo]) 001ef8c8 00ce5dd9 00ce0000 00000000 00071c23 wininit!WinMain +0x962 (FPO: [Non-Fpo]) 001ef958 77313833 7ffda000 001ef9a4 775fa9bd wininit! _initterm_e+0x1a1 (FPO: [Non-Fpo]) 001ef964 775fa9bd 7ffda000 001eeb48 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 001ef9a4 00000000 00ce5c70 7ffda000 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 85193d78 Cid 01ec.0220 Teb: 7ffde000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 85192d28 SynchronizationTimer 85192de0 SynchronizationTimer 851a9d90 ProcessObject 851ac880 ProcessObject 851b0d90 ProcessObject 85193cb0 SynchronizationTimer Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 36610 Ticks: 3779 (0:00:00:59.046) Context Switch Count 15 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x775db49a) Stack Init 8a51c000 Current 8a51b8d0 Base 8a51c000 Limit 8a519000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a51b8e8 81c699de 85193e00 85193d78 86601b48 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a51b924 81c4a235 85193d78 00000000 00000006 nt!KiSwapThread +0x36d 8a51b970 81de2ca7 00000006 8a51baa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a51bbfc 81de2a16 00000006 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a51bd48 81c461ca 00000006 0008baa0 00000001 nt! NtWaitForMultipleObjects+0xcc 8a51bd48 77620f34 00000006 0008baa0 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a51bd64) 0089f738 77620690 775db65b 00000006 0008baa0 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0089f73c 775db65b 00000006 0008baa0 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 0089f8d8 77313833 00000000 0089f924 775fa9bd ntdll! TppWaiterpThread+0x294 (FPO: [Non-Fpo]) 0089f8e4 775fa9bd 0008ba70 0089ebc8 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 0089f924 00000000 775db49a 0008ba70 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 8518e030 Cid 01ec.022c Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 8517f9d8 QueueObject Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 5951 Ticks: 34438 (0:00:08:58.093) Context Switch Count 9 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75f20000 RPCRT4.dll -> RPCRT4.dll Win32 Start Address RPCRT4!ThreadStartRoutine (0x75f6ac65) Stack Init 8a520000 Current 8a51fbc8 Base 8a520000 Limit 8a51d000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a51fbe0 81c699de 8518e030 86600120 8518e0b8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a51fc1c 81c617d5 8518e030 00000001 006afd28 nt!KiSwapThread +0x36d 8a51fc6c 81de6594 8517f9d8 00000101 00000000 nt!KeRemoveQueueEx +0x568 8a51fcc4 81de8d1e 8517f9d8 8a51fcfc 8a51fd14 nt! IoRemoveIoCompletion+0x23 8a51fd48 81c461ca 00000088 006afd58 006afd48 nt! NtRemoveIoCompletion+0x106 8a51fd48 77620f34 00000088 006afd58 006afd48 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a51fd64) 006afd00 776200f0 772f7948 00000088 006afd58 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 006afd04 772f7948 00000088 006afd58 006afd48 ntdll! NtRemoveIoCompletion+0xc (FPO: [5,0,0]) 006afd30 75f6aeae 00000088 006afd68 006afd58 kernel32! GetQueuedCompletionStatus+0x29 (FPO: [Non-Fpo]) 006afd6c 75f6afe7 ffffffff 006afdd4 006afdc8 RPCRT4! COMMON_ProcessCalls+0xb5 006afdd8 75f6abcf 0008f368 006afe0c 75f6ac39 RPCRT4! LOADABLE_TRANSPORT::ProcessIOEvents+0xef 006afde4 75f6ac39 0008f368 00000000 00000000 RPCRT4! ProcessIOEventsWrapper+0xe 006afe0c 75f6ac83 0008bfe8 006afe24 77313833 RPCRT4! BaseCachedThreadRoutine+0x5c 006afe18 77313833 0008f698 006afe64 775fa9bd RPCRT4! ThreadStartRoutine+0x1e 006afe24 775fa9bd 0008f698 006aec88 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 006afe64 00000000 75f6ac65 0008f698 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 851efd78 Cid 01ec.028c Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable 851efe00 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 2727 Ticks: 37662 (0:00:09:48.468) Context Switch Count 13 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x7762a044) Stack Init 8acea000 Current 8ace9c58 Base 8acea000 Limit 8ace7000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8ace9c70 81c699de 851efe00 851efd78 81cec820 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8ace9cac 81c62b20 851efd78 00000001 013bfb40 nt!KiSwapThread +0x36d 8ace9d08 81e23f61 013bfa01 00000001 8ace9d2c nt! KeDelayExecutionThread+0x397 8ace9d54 81c461ca 00000001 013bfb74 013bfb98 nt! NtDelayExecution+0x8d 8ace9d54 77620f34 00000001 013bfb74 013bfb98 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8ace9d64) 013bfb2c 7761f7c0 773178e0 00000001 013bfb74 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 013bfb30 773178e0 00000001 013bfb74 013b3d54 ntdll! NtDelayExecution+0xc (FPO: [2,0,0]) 013bfb98 00ce1836 ffffffff 00000001 948ed344 kernel32!SleepEx +0x62 (FPO: [Non-Fpo]) 013bfc38 00ce198f ffffffff 948ed3bc 7ffd9000 wininit! WaitForRpcss+0x19f (FPO: [Non-Fpo]) 013bfcc0 00ce1c03 ffffffff 0008c290 775ffe6d wininit! StartWMsgServer+0x139 (FPO: [Non-Fpo]) 013bfccc 775ffe6d 00000000 013befdc 0008b8b8 wininit! WininitStartWmsgServer+0xa (FPO: [Non-Fpo]) 013bfd30 7762a2b8 00000000 0008c290 013becb4 ntdll! RtlpTpWorkCallback+0xbf (FPO: [Non-Fpo]) 013bfe58 77313833 0008b8b0 013bfea4 775fa9bd ntdll! TppWorkerThread+0x522 (FPO: [Non-Fpo]) 013bfe64 775fa9bd 0008b8b0 013bec48 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 013bfea4 00000000 7762a044 0008b8b0 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 851efac0 Cid 01ec.0290 Teb: 7ffd8000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable 851efb48 NotificationTimer Not impersonating DeviceMap 87003058 Owning Process 85175690 Image: wininit.exe Wait Start TickCount 2727 Ticks: 37662 (0:00:09:48.468) Context Switch Count 12 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWorkerThread (0x7762a044) Stack Init 8acfa000 Current 8acf9c58 Base 8acfa000 Limit 8acf7000 Call 0 Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8acf9c70 81c699de 851efb48 851efac0 86600120 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8acf9cac 81c62b20 851efac0 00000001 013ffb38 nt!KiSwapThread +0x36d 8acf9d08 81e23f61 013ffa01 00000001 8acf9d2c nt! KeDelayExecutionThread+0x397 8acf9d54 81c461ca 00000001 013ffb6c 013ffb90 nt! NtDelayExecution+0x8d 8acf9d54 77620f34 00000001 013ffb6c 013ffb90 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8acf9d64) 013ffb24 7761f7c0 773178e0 00000001 013ffb6c ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 013ffb28 773178e0 00000001 013ffb6c 013f3d5c ntdll! NtDelayExecution+0xc (FPO: [2,0,0]) 013ffb90 00ce1836 ffffffff 00000001 948ad34c kernel32!SleepEx +0x62 (FPO: [Non-Fpo]) 013ffc30 00ce1aa7 ffffffff 948ad310 7ffd8000 wininit! WaitForRpcss+0x19f (FPO: [Non-Fpo]) 013ffc6c 775ffe6d 00000000 013fee3c 0008b8b8 wininit! WsdpInitializeRemoteShutdown+0x22 (FPO: [Non-Fpo]) 013ffcd0 7762a2b8 00000000 0008c3d0 013fef14 ntdll! RtlpTpWorkCallback+0xbf (FPO: [Non-Fpo]) 013ffdf8 77313833 0008b8b0 013ffe44 775fa9bd ntdll! TppWorkerThread+0x522 (FPO: [Non-Fpo]) 013ffe04 775fa9bd 0008b8b0 013feca8 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 013ffe44 00000000 7762a044 0008b8b0 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) PROCESS 8517f6f0 SessionId: 1 Cid: 020c Peb: 7ffdd000 ParentCid: 01dc DirBase: 4bfa8000 ObjectTable: 8c2790c0 HandleCount: 53. Image: winlogon.exe VadRoot 83fdd098 Vads 47 Clone 0 Private 143. Modified 9. Locked 0. DeviceMap 87003058 Token 8c237730 ElapsedTime 1 Day 18:07:51.890 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 31680 QuotaPoolUsage[NonPagedPool] 2296 Working Set Sizes (now,min,max) (687, 50, 345) (2748KB, 200KB, 1380KB) PeakWorkingSetSize 695 VirtualSize 25 Mb PeakVirtualSize 54 Mb PageFaultCount 948 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 216 THREAD 8517f420 Cid 020c.0210 Teb: 7ffdf000 Win32Thread: ff8af938 WAIT: (UserRequest) UserMode Non-Alertable 8516e3c0 NotificationEvent Not impersonating DeviceMap 87003058 Owning Process 8517f6f0 Image: winlogon.exe Wait Start TickCount 2110 Ticks: 38279 (0:00:09:58.109) Context Switch Count 303 UserTime 00:00:00.000 KernelTime 00:00:00.109 Loading symbols for 006e0000 winlogon.exe -> winlogon.exe Win32 Start Address winlogon!WinMainCRTStartup (0x007057e2) Stack Init 8a4f4000 Current 8a4f3c38 Base 8a4f4000 Limit 8a4f1000 Call 0 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Loading symbols for 775c0000 ntdll.dll -> ntdll.dll Loading symbols for 772d0000 kernel32.dll -> kernel32.dll Loading symbols for 75ce0000 WINSTA.dll -> WINSTA.dll ChildEBP RetAddr Args to Child 8a4f3c50 81c699de 8517f4a8 8517f420 8517f4d8 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a4f3c8c 81c67434 8517f420 00000000 8516e3c0 nt!KiSwapThread +0x36d 8a4f3ce8 81ddee8a 8516e3c0 00000006 00000001 nt! KeWaitForSingleObject+0x414 8a4f3d50 81c461ca 000000d8 00000000 00000000 nt! NtWaitForSingleObject+0xbe 8a4f3d50 77620f34 000000d8 00000000 00000000 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a4f3d64) 0018fab0 776206a0 773177d4 000000d8 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 0018fab4 773177d4 000000d8 00000000 00000000 ntdll! NtWaitForSingleObject+0xc (FPO: [3,0,0]) 0018fb24 77317742 000000d8 ffffffff 00000000 kernel32! WaitForSingleObjectEx+0xbe (FPO: [Non-Fpo]) 0018fb38 75ce3599 000000d8 ffffffff 75ce7760 kernel32! WaitForSingleObject+0x12 (FPO: [Non-Fpo]) 0018fb48 75ce76aa 95ae0121 00722c9c 006e2dac WINSTA! TestServiceStarted+0x71 (FPO: [Non-Fpo]) 0018fb8c 006e9e13 95ada407 00723bf4 00301c3c WINSTA! _WinStationWaitForConnect+0x22 (FPO: [Non-Fpo]) 0018fbe8 0070566c 006e0000 00000000 00301c3c winlogon!WinMain +0x54e (FPO: [Non-Fpo]) 0018fc78 77313833 7ffdd000 0018fcc4 775fa9bd winlogon! _initterm_e+0x1a1 (FPO: [Non-Fpo]) 0018fc84 775fa9bd 7ffdd000 0018e8d1 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 0018fcc4 00000000 007057e2 7ffdd000 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 85196d78 Cid 020c.0224 Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable 85195eb0 SynchronizationTimer 85195f68 SynchronizationTimer 85196cb0 SynchronizationTimer Not impersonating DeviceMap 87003058 Owning Process 8517f6f0 Image: winlogon.exe Wait Start TickCount 36610 Ticks: 3779 (0:00:00:59.046) Context Switch Count 12 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!TppWaiterpThread (0x775db49a) Stack Init 8a518000 Current 8a5178d0 Base 8a518000 Limit 8a515000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args to Child 8a5178e8 81c699de 85196e00 85196d78 81cee248 nt!KiSwapContext +0x26 (FPO: [Uses EBP] [0,0,4]) 8a517924 81c4a235 85196d78 00000000 00000003 nt!KiSwapThread +0x36d 8a517970 81de2ca7 00000003 8a517aa8 00000001 nt! KeWaitForMultipleObjects+0x47d 8a517bfc 81de2a16 00000003 00000001 00000001 nt! ObpWaitForMultipleObjects+0x256 8a517d48 81c461ca 00000003 0031dc20 00000001 nt! NtWaitForMultipleObjects+0xcc 8a517d48 77620f34 00000003 0031dc20 00000001 nt!KiFastCallEntry +0x12a (FPO: [0,3] TrapFrame @ 8a517d64) 00e9f758 77620690 775db65b 00000003 0031dc20 ntdll! KiFastSystemCallRet (FPO: [0,0,0]) 00e9f75c 775db65b 00000003 0031dc20 00000001 ntdll! ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) 00e9f8f8 77313833 00000000 00e9f944 775fa9bd ntdll! TppWaiterpThread+0x294 (FPO: [Non-Fpo]) 00e9f904 775fa9bd 0031dbf0 00e9ed51 00000000 kernel32! BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) 00e9f944 00000000 775db49a 0031dbf0 00000000 ntdll! _RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) THREAD 85198d78 Cid 020c.0228 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable 85179ae8 QueueObject Not impersonating DeviceMap 87003058 Owning Process 8517f6f0 Image: winlogon.exe Wait Start TickCount 3974 Ticks: 36415 (0:00:09:28.984) Context Switch Count 5 UserTime 00:00:00.000 KernelTime 00:00:00.000 Loading symbols for 75f20000 RPCRT4.dll -> RPCRT4.dll Win32 Start Address RPCRT4!ThreadStartRoutine (0x75f6ac65) Stack Init 8a524000 Current 8a523bc8 Base 8a524000 Limit 8a521000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. ChildEBP RetAddr Args |