Recently I observed a few occurrences of a rare No Current Thread pattern in a large set of process memory dumps:
0:??? > k WARNING: The debugger does not have a current process or thread WARNING: Many commands will not work ^ Illegal thread error in ‘k’ 0:??? > ~ WARNING: The debugger does not have a current process or thread WARNING: Many commands will not work 0 Id: 95f4.6780 Suspend: 1 Teb: 7efdd000 Unfrozen
Setting a current thread helps:
0:???> ~0s WARNING: The debugger does not have a current process or thread WARNING: Many commands will not work eax=037d0010 ebx=0002bda0 ecx=03b1a010 edx=00000007 esi=037d0010 edi=03b069fc eip=0397939f esp=0018fd98 ebp=0018fdd8 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202 DllA+0×939f: 0397939f 8b10 mov edx,dword ptr [eax] ds:002b:037d0010=03b1a010 0:000 > k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 0018fdd8 03975257 DllA+0x939f 0018fdf8 03975577 DllA+0x5257 0018fe58 772bb9a0 DllA+0x5577 0018fe78 772d9b96 ntdll!LdrpCallInitRoutine+0x14 0018ff1c 772d9a38 ntdll!LdrShutdownProcess+0x1aa 0018ff30 752279f4 ntdll!RtlExitUserProcess+0x74 0018ff44 0040625d kernel32!ExitProcessStub+0x12 0018ff5c 012528e5 Application+0x625d 0018ff88 7522339a Application!foo+0xdc88f1 0018ff94 772bbf42 kernel32!BaseThreadInitThunk+0xe 0018ffd4 772bbf15 ntdll!__RtlUserThreadStart+0x70 0018ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
However, EIP of the new current thread doesn't point to any access violation and the dereferenced address is valid:
0:000> !address 037d0010
Usage: <unclassified>
Allocation Base: 037d0000
Base Address: 037d0000
End Address: 038dd000
Region Size: 0010d000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Also, if we inspect the raw stack data we won't find any hidden exceptions (Volume 1, page 271) there. So we conclude that the missing thread was exceptional. Indeed, there is a saved exception context in the process memory dump:
0:000> .exr -1 ExceptionAddress: 08a9ae18 (<Unloaded_DllB.dll>+0x001cae18) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 00000008