Certain system objects found in the object manager directory can be useful for seeing additional system and third-party product activity. For example, in a complete memory dump we see that the LowCommitCondition event in \KernelObjects is signalled (its dispatcher header has SignalState 1):
1: kd> !object \KernelObjects
Object: 85a08030  Type: (82b38ed0) Directory
    ObjectHeader: 85a08018 (old version)
    HandleCount: 0  PointerCount: 19
    Directory Object: 85a074c0  Name: KernelObjects

    Hash Address  Type          Name
    ---- -------  ----          ----
     02  82b7b0b8 Event         HighCommitCondition
     04  82b7b780 Event         HighMemoryCondition
     10  82b7b178 Event         LowNonPagedPoolCondition
     11  82b7b138 Event         HighNonPagedPoolCondition
     17  82b7b0f8 Event         LowCommitCondition
     20  82b78d08 Event         SuperfetchParametersChanged
         82b6eb58 Event         BootLoaderTraceReady
     23  84bfdd58 Session       Session0
         82b78c88 Event         PrefetchTracesReady
     24  84b7d1f8 Session       Session1
     25  82b78cc8 Event         SuperfetchScenarioNotify
         82b7b740 Event         LowPagedPoolCondition
     26  82b7b1b8 Event         HighPagedPoolCondition
         82b7a030 Event         MemoryErrors
     28  82b78c48 Event         SuperfetchTracesReady
     32  82b7b7c0 Event         LowMemoryCondition
         85a09d00 KeyedEvent    CritSecOutOfMemoryEvent
     34  82b7b078 Event         MaximumCommitCondition

1: kd> dt _DISPATCHER_HEADER 82b7b0f8
ntdll!_DISPATCHER_HEADER
   +0x000 Type             : 0 ''
   +0x001 Abandoned        : 0 ''
   +0x001 Absolute         : 0 ''
   +0x001 NpxIrql          : 0 ''
   +0x001 Signalling       : 0 ''
   +0x002 Size             : 0x4 ''
   +0x002 Hand             : 0x4 ''
   +0x003 Inserted         : 0 ''
   +0x003 DebugActive      : 0 ''
   +0x003 DpcActive        : 0 ''
   +0x000 Lock             : 0n262144
   +0x004 SignalState      : 0n1
   +0x008 WaitListHead     : _LIST_ENTRY [ 0x82b7b100 - 0x82b7b100 ]
If we check the virtual memory statistics we see plenty of free space in both physical memory and the page file, which agrees with the signalled event:
1: kd> !vm

*** Virtual Memory Usage ***
    Physical Memory:      261872 (   1047488 Kb)
    Page File: \??\C:\pagefile.sys
      Current:   1354688 Kb  Free Space:     53120 Kb
      Minimum:   1354688 Kb  Maximum:      4194304 Kb
    Available Pages:      180984 (    723936 Kb)
    ResAvail Pages:       216475 (    865900 Kb)
    Locked IO Pages:           0 (         0 Kb)
    Free System PTEs:     352925 (   1411700 Kb)
    Modified Pages:          129 (       516 Kb)
    Modified PF Pages:        94 (       376 Kb)
    NonPagedPool Usage:        0 (         0 Kb)
    NonPagedPoolNx Usage:  16894 (     67576 Kb)
    NonPagedPool Max:     192350 (    769400 Kb)
    PagedPool 0 Usage:      5957 (     23828 Kb)
    PagedPool 1 Usage:      3218 (     12872 Kb)
    PagedPool 2 Usage:       965 (      3860 Kb)
    PagedPool 3 Usage:      1311 (      5244 Kb)
    PagedPool 4 Usage:      1064 (      4256 Kb)
    PagedPool Usage:       12515 (     50060 Kb)
    PagedPool Maximum:    523264 (   2093056 Kb)
    Session Commit:         5021 (     20084 Kb)
    Shared Commit:         15023 (     60092 Kb)
    Special Pool:              0 (         0 Kb)
    Shared Process:         1938 (      7752 Kb)
    PagedPool Commit:      12523 (     50092 Kb)
    Driver Commit:          2592 (     10368 Kb)
    Committed pages:      402494 (   1609976 Kb)
    Commit limit:         589254 (   2357016 Kb)
    [...]
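The three outputs above can be correlated mechanically when triaging many dumps. The following script is an added example, not code from the original post: it parses the !object directory listing (carrying the hash bucket forward for rows where WinDbg leaves that column blank, and accepting the listing whether it is one entry per line or pasted onto a single line), reads SignalState from the dt _DISPATCHER_HEADER output, and reads committed pages and commit limit from !vm. The sample strings are constructed from the values shown on this page; the function names and the summary dictionary layout are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs, transcribed from the WinDbg output shown on this page.
# "!object \KernelObjects" prints the hash column only for the first entry of a
# bucket, so a parser must carry the bucket number forward for the blank rows.
KERNEL_OBJECTS_LISTING = """\
Hash Address  Type       Name
---- -------  ----       ----
 02  82b7b0b8 Event      HighCommitCondition
 04  82b7b780 Event      HighMemoryCondition
 17  82b7b0f8 Event      LowCommitCondition
 20  82b78d08 Event      SuperfetchParametersChanged
     82b6eb58 Event      BootLoaderTraceReady
 23  84bfdd58 Session    Session0
     82b78c88 Event      PrefetchTracesReady
 32  82b7b7c0 Event      LowMemoryCondition
     85a09d00 KeyedEvent CritSecOutOfMemoryEvent
 34  82b7b078 Event      MaximumCommitCondition
"""

DISPATCHER_HEADER_DUMP = """\
ntdll!_DISPATCHER_HEADER
   +0x000 Type         : 0 ''
   +0x000 Lock         : 0n262144
   +0x004 SignalState  : 0n1
   +0x008 WaitListHead : _LIST_ENTRY [ 0x82b7b100 - 0x82b7b100 ]
"""

VM_DUMP = """\
Committed pages:   402494 (   1609976 Kb)
Commit limit:      589254 (   2357016 Kb)
"""


@dataclass
class DirEntry:
    bucket: Optional[int]   # hash bucket; None only if the listing has no hash at all
    address: int            # object address (the _OBJECT_HEADER body, as WinDbg prints it)
    type_name: str
    name: str


_BUCKET = re.compile(r"\d{2}")
_ADDRESS = re.compile(r"[0-9a-f]{8}(?:[0-9a-f]{8})?")   # 32- or 64-bit pointer
_HEADER_TOKENS = {"Hash", "Address", "Type", "Name"}


def parse_object_directory(listing: str) -> list:
    """Parse a '!object <directory>' listing into DirEntry records.

    Works on the token stream, so it accepts both the one-entry-per-line form and
    the single-line form produced when output is pasted without line breaks."""
    tokens = [t for t in listing.split()
              if t not in _HEADER_TOKENS and not re.fullmatch(r"-+", t)]
    entries, bucket, i = [], None, 0
    while i < len(tokens):
        # A two-digit token followed by a pointer opens a new hash bucket.
        if (_BUCKET.fullmatch(tokens[i]) and i + 1 < len(tokens)
                and _ADDRESS.fullmatch(tokens[i + 1])):
            bucket = int(tokens[i])
            i += 1
        address, type_name, name = tokens[i:i + 3]   # ValueError on a truncated row
        entries.append(DirEntry(bucket, int(address, 16), type_name, name))
        i += 3
    return entries


def signal_state(dt_output: str) -> int:
    """SignalState from 'dt _DISPATCHER_HEADER <addr>' ('0n' is WinDbg's decimal prefix)."""
    m = re.search(r"SignalState\s*:\s*0n(\d+)", dt_output)
    if not m:
        raise ValueError("SignalState field not found in dt output")
    return int(m.group(1))


def commit_usage(vm_output: str) -> tuple:
    """(committed pages, commit limit pages, fraction of the limit in use) from '!vm'."""
    committed = int(re.search(r"Committed pages:\s*(\d+)", vm_output).group(1))
    limit = int(re.search(r"Commit limit:\s*(\d+)", vm_output).group(1))
    return committed, limit, committed / limit


def condition_events(listing: str) -> dict:
    """Map every *Condition event in \\KernelObjects to its object address."""
    return {e.name: e.address for e in parse_object_directory(listing)
            if e.type_name == "Event" and e.name.endswith("Condition")}


def memory_condition_summary(listing: str, dt_output: str, vm_output: str,
                             event_name: str = "LowCommitCondition") -> dict:
    """Tie one condition event's address and signal state to the commit figures."""
    committed, limit, frac = commit_usage(vm_output)
    return {
        "event": event_name,
        "address": condition_events(listing)[event_name],
        "signalled": signal_state(dt_output) != 0,
        "commit_used_pct": round(frac * 100, 1),
    }


if __name__ == "__main__":
    print(memory_condition_summary(KERNEL_OBJECTS_LISTING, DISPATCHER_HEADER_DUMP, VM_DUMP))
```

The dt output in this example is the one taken at 82b7b0f8, so the summary reports the LowCommitCondition event at that address as signalled with about 68% of the commit limit in use. Run the same script against the HighCommitCondition or HighMemoryCondition addresses from a dump taken under memory pressure and the signalled event and the commit percentage should move together; a signalled LowCommitCondition next to a commit figure close to the limit would be worth a second look.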
Another example is from a Windows 7 memory dump. Here we find the WER reporting mutant in the session 1 object directory and obtain the PID of the problem process from the mutant's name:
0: kd> !object \Sessions\1\BaseNamedObjects
Object: fffff8a0016eb290  Type: (fffffa800426df30) Directory
    ObjectHeader: fffff8a0016eb260 (new version)
    HandleCount: 57  PointerCount: 217
    Directory Object: fffff8a0016e9220  Name: BaseNamedObjects

Hash Address Type Name
---- ------- ---- ----
00 fffffa8008437670 Event STOP_HOOKING64
[...]
08 fffffa80044baa40 Mutant WERReportingForProcess1788
[...]
0: kd> !process 0n1788 1
Searching for Process with Cid == 6fc
Cid handle table at fffff8a00180b000 with 21248 entries in use

PROCESS fffffa8004364060
    SessionId: 1  Cid: 06fc    Peb: 7fffffd4000  ParentCid: 0840
    DirBase: 5fbc2000  ObjectTable: fffff8a004c8e930  HandleCount:  16.
    Image: ApplicationD.exe
    VadRoot fffffa8009d85170 Vads 34 Clone 0 Private 206. Modified 0. Locked 0.
    DeviceMap fffff8a001ce6b90
    Token                             fffff8a003eab060
    ElapsedTime                       00:01:51.543
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (483, 50, 345) (1932KB, 200KB, 1380KB)
    PeakWorkingSetSize                483
    VirtualSize                       13 Mb
    PeakVirtualSize                   13 Mb
    PageFaultCount                    481
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      231
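The one detail that trips people up in this step is the radix: WER puts the decimal PID in the mutant name, while !process prints Cid in hex, so 1788 and 06fc are the same process. The script below is an added example, not code from the original post; it pulls every WERReportingForProcess<PID> mutant out of a directory listing, builds the !process command with the 0n decimal prefix, and checks that the Cid in the resulting PROCESS block matches. The sample strings are constructed from the values on this page, and the helper names are this example's own.

```python
import re

# Constructed samples, transcribed from the Windows 7 dump output shown on this page.
BASE_NAMED_OBJECTS_LISTING = """\
Hash Address          Type   Name
---- -------          ----   ----
 00  fffffa8008437670 Event  STOP_HOOKING64
 08  fffffa80044baa40 Mutant WERReportingForProcess1788
"""

PROCESS_OUTPUT = """\
PROCESS fffffa8004364060
    SessionId: 1  Cid: 06fc    Peb: 7fffffd4000  ParentCid: 0840
    Image: ApplicationD.exe
"""

# WER names the mutant after the decimal PID of the process being reported.
_WER_MUTANT = re.compile(r"([0-9a-f]{8,16})\s+Mutant\s+WERReportingForProcess(\d+)\b")


def wer_reporting_pids(listing: str) -> list:
    """Return [(pid, mutant address), ...] for every WER reporting mutant in a listing."""
    return [(int(pid), int(addr, 16)) for addr, pid in _WER_MUTANT.findall(listing)]


def process_command(pid: int) -> str:
    """WinDbg reads numbers as hex by default; '0n' forces decimal to match the mutant name."""
    return f"!process 0n{pid} 1"


def process_identity(process_output: str) -> dict:
    """Address, PID (Cid is printed in hex) and image name of a PROCESS block."""
    addr = re.search(r"PROCESS\s+([0-9a-f]+)", process_output).group(1)
    cid = re.search(r"\bCid:\s*([0-9a-f]+)", process_output).group(1)   # not ParentCid
    image = re.search(r"Image:\s*(\S+)", process_output).group(1)
    return {"address": int(addr, 16), "pid": int(cid, 16), "image": image}


def confirm_reported_process(listing: str, process_output: str) -> bool:
    """True when the PROCESS block belongs to a PID named by a WER reporting mutant."""
    reported = {pid for pid, _ in wer_reporting_pids(listing)}
    return process_identity(process_output)["pid"] in reported


if __name__ == "__main__":
    for pid, addr in wer_reporting_pids(BASE_NAMED_OBJECTS_LISTING):
        print(f"mutant {addr:#x} -> {process_command(pid)}")
    print(process_identity(PROCESS_OUTPUT), confirm_reported_process(BASE_NAMED_OBJECTS_LISTING, PROCESS_OUTPUT))
```

On a dump with several sessions, run the listing step once per \Sessions\N\BaseNamedObjects directory; a WER mutant in a session whose PID no longer resolves with !process usually means the reported process has already exited and the remaining evidence is in the WER report itself.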