System Object

Certain System Objects can be found in the object directory and are useful for seeing additional system and third-party product activity. For example, in a complete memory dump we see that the LowCommitCondition event is signalled (its dispatcher header shows SignalState 1):

1: kd> !object \KernelObjects
Object: 85a08030 Type: (82b38ed0) Directory
ObjectHeader: 85a08018 (old version)
HandleCount: 0 PointerCount: 19
Directory Object: 85a074c0 Name: KernelObjects
Hash Address  Type        Name
---- -------  ----        ----
02   82b7b0b8 Event       HighCommitCondition
04   82b7b780 Event       HighMemoryCondition
10   82b7b178 Event       LowNonPagedPoolCondition
11   82b7b138 Event       HighNonPagedPoolCondition
17   82b7b0f8 Event       LowCommitCondition
20   82b78d08 Event       SuperfetchParametersChanged
     82b6eb58 Event       BootLoaderTraceReady
23   84bfdd58 Session     Session0
     82b78c88 Event       PrefetchTracesReady
24   84b7d1f8 Session     Session1
25   82b78cc8 Event       SuperfetchScenarioNotify
     82b7b740 Event       LowPagedPoolCondition
26   82b7b1b8 Event       HighPagedPoolCondition
     82b7a030 Event       MemoryErrors
28   82b78c48 Event       SuperfetchTracesReady
32   82b7b7c0 Event       LowMemoryCondition
     85a09d00 KeyedEvent  CritSecOutOfMemoryEvent
34   82b7b078 Event       MaximumCommitCondition
1: kd> dt _DISPATCHER_HEADER 82b7b0f8
ntdll!_DISPATCHER_HEADER
+0x000 Type :         0 ''
+0x001 Abandoned :    0 ''
+0x001 Absolute :     0 ''
+0x001 NpxIrql :      0 ''
+0x001 Signalling :   0 ''
+0x002 Size :         0x4 ''
+0x002 Hand :         0x4 ''
+0x003 Inserted :     0 ''
+0x003 DebugActive :  0 ''
+0x003 DpcActive :    0 ''
+0x000 Lock :         0n262144
+0x004 SignalState :  0n1
+0x008 WaitListHead : _LIST_ENTRY [ 0x82b7b100 - 0x82b7b100 ]

If we check virtual memory statistics, we see a lot of free space for the current physical memory and page file:

1: kd> !vm

*** Virtual Memory Usage ***
Physical Memory: 261872 ( 1047488 Kb)
Page File: \??\C:\pagefile.sys
Current: 1354688 Kb   Free Space: 53120 Kb
Minimum: 1354688 Kb   Maximum: 4194304 Kb
Available Pages:      180984 (  723936 Kb)
ResAvail Pages:       216475 (  865900 Kb)
Locked IO Pages:           0 (       0 Kb)
Free System PTEs:     352925 ( 1411700 Kb)
Modified Pages:          129 (     516 Kb)
Modified PF Pages:        94 (     376 Kb)
NonPagedPool Usage:        0 (       0 Kb)
NonPagedPoolNx Usage:  16894 (   67576 Kb)
NonPagedPool Max:     192350 (  769400 Kb)
PagedPool 0 Usage:      5957 (   23828 Kb)
PagedPool 1 Usage:      3218 (   12872 Kb)
PagedPool 2 Usage:       965 (    3860 Kb)
PagedPool 3 Usage:      1311 (    5244 Kb)
PagedPool 4 Usage:      1064 (    4256 Kb)
PagedPool Usage:       12515 (   50060 Kb)
PagedPool Maximum:    523264 ( 2093056 Kb)
Session Commit:         5021 (   20084 Kb)
Shared Commit:         15023 (   60092 Kb)
Special Pool:              0 (       0 Kb)
Shared Process:         1938 (    7752 Kb)
PagedPool Commit:      12523 (   50092 Kb)
Driver Commit:          2592 (   10368 Kb)
Committed pages:      402494 ( 1609976 Kb)
Commit limit:         589254 ( 2357016 Kb)
[...]
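To turn the !vm figures above into a quick triage check rather than an eyeball comparison, here is an added example (not code from the book or from WinDbg) that parses the relevant rows of the output and computes commit usage and available physical memory as percentages. The row layout is assumed from the output shown on the page; the names VM_OUTPUT, parse_vm, commit_usage_percent, available_physical_percent and near_commit_limit, and the 90% cut-off, are this example's own choices, not Windows constants.

```python
import re
from typing import Dict

# Constructed sample: the rows of the page's !vm output that the check needs
# (the rest of the output is omitted here).
VM_OUTPUT = """\
*** Virtual Memory Usage ***
Physical Memory: 261872 ( 1047488 Kb)
Page File: \\??\\C:\\pagefile.sys
Current: 1354688 Kb   Free Space: 53120 Kb
Minimum: 1354688 Kb   Maximum: 4194304 Kb
Available Pages:      180984 (  723936 Kb)
Free System PTEs:     352925 ( 1411700 Kb)
Committed pages:      402494 ( 1609976 Kb)
Commit limit:         589254 ( 2357016 Kb)
"""

# "<label>: <pages> ( <Kb> Kb)" rows; layout assumed from the !vm output above.
PAGES_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s+(\d+)\s+\(\s*(\d+)\s+Kb\)", re.M)
# Page-file sizes are given in Kb only.
PAGEFILE_RE = re.compile(r"(Current|Free Space|Minimum|Maximum):\s+(\d+)\s+Kb")


def parse_vm(text: str) -> Dict[str, int]:
    """Return a flat dict of !vm figures.

    Page-count rows are stored under their label (pages) and '<label> Kb';
    page-file figures are stored as 'PageFile <label> Kb'.
    """
    stats: Dict[str, int] = {}
    for label, pages, kb in PAGES_RE.findall(text):
        stats[label.strip()] = int(pages)
        stats[label.strip() + " Kb"] = int(kb)
    for label, kb in PAGEFILE_RE.findall(text):
        stats["PageFile " + label + " Kb"] = int(kb)
    return stats


def commit_usage_percent(stats: Dict[str, int]) -> float:
    """Committed pages as a percentage of the commit limit."""
    return 100.0 * stats["Committed pages"] / stats["Commit limit"]


def available_physical_percent(stats: Dict[str, int]) -> float:
    """Available pages as a percentage of installed physical memory."""
    return 100.0 * stats["Available Pages"] / stats["Physical Memory"]


def near_commit_limit(stats: Dict[str, int], threshold_percent: float = 90.0) -> bool:
    """True when commit usage is at or above the threshold.

    90% is an assumed triage cut-off for this example, not a Windows constant.
    """
    return commit_usage_percent(stats) >= threshold_percent


if __name__ == "__main__":
    s = parse_vm(VM_OUTPUT)
    print(f"commit used: {commit_usage_percent(s):.1f}% "
          f"({s['Committed pages Kb']} of {s['Commit limit Kb']} Kb)")
    print(f"physical available: {available_physical_percent(s):.1f}%")
    print(f"page file free: {s['PageFile Free Space Kb']} of {s['PageFile Current Kb']} Kb")
    print("near commit limit:", near_commit_limit(s))
```

For the dump on the page this reports roughly 68% of the commit limit in use and roughly 69% of physical memory available, which is consistent with the LowCommitCondition event being signalled rather than one of the high-usage conditions.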

Another example is from a Windows 7 memory dump. Here we can find the WER reporting mutant in the session 1 object directory and get the problem PID from its name:

0: kd> !object \Sessions\1\BaseNamedObjects
Object: fffff8a0016eb290 Type: (fffffa800426df30) Directory
ObjectHeader: fffff8a0016eb260 (new version)
HandleCount: 57 PointerCount: 217
Directory Object: fffff8a0016e9220 Name: BaseNamedObjects
Hash Address          Type    Name
---- -------          ----    ----
00   fffffa8008437670 Event   STOP_HOOKING64
[...]
08   fffffa80044baa40 Mutant  WERReportingForProcess1788
[...]
0: kd> !process 0n1788 1
Searching for Process with Cid == 6fc
Cid handle table at fffff8a00180b000 with 21248 entries in use
PROCESS fffffa8004364060
SessionId: 1 Cid: 06fc Peb: 7fffffd4000 ParentCid: 0840
DirBase: 5fbc2000 ObjectTable: fffff8a004c8e930 HandleCount: 16.
Image: ApplicationD.exe
VadRoot fffffa8009d85170 Vads 34 Clone 0 Private 206. Modified 0. Locked 0.
DeviceMap      fffff8a001ce6b90
Token          fffff8a003eab060
ElapsedTime    00:01:51.543
UserTime       00:00:00.000
KernelTime     00:00:00.000
QuotaPoolUsage[PagedPool]        0
QuotaPoolUsage[NonPagedPool]  0
Working Set Sizes (now,min,max) (483, 50, 345) (1932KB, 200KB, 1380KB)
PeakWorkingSetSize 483
VirtualSize        13 Mb
PeakVirtualSize    13 Mb
PageFaultCount     481
MemoryPriority     BACKGROUND
BasePriority       8
CommitCharge       231
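Both directory walks on this page (the \KernelObjects condition events checked against their dispatcher headers, and the WERReportingForProcess<PID> mutant in the session BaseNamedObjects directory) follow the same pattern: list the directory, pick out entries by type and name, then pivot to another command. The following added example (not code from the book or from WinDbg) parses pasted !object and dt output to automate that pivot. The listing layout is assumed from the output shown on the page; the constants KERNEL_OBJECTS_LISTING, SESSION_LISTING and DISPATCHER_HEADERS are constructed from trimmed copies of the page's output (the HighCommitCondition header is constructed, not from the page), and parse_directory, signal_state, signalled_events and wer_reporting_pids are this example's own names.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the "!object \KernelObjects" listing
# from the page, as a practitioner would paste it out of the WinDbg log.
KERNEL_OBJECTS_LISTING = """\
Hash Address  Type        Name
---- -------  ----        ----
02   82b7b0b8 Event       HighCommitCondition
04   82b7b780 Event       HighMemoryCondition
17   82b7b0f8 Event       LowCommitCondition
20   82b78d08 Event       SuperfetchParametersChanged
     82b6eb58 Event       BootLoaderTraceReady
23   84bfdd58 Session     Session0
     85a09d00 KeyedEvent  CritSecOutOfMemoryEvent
"""

# Constructed sample: a trimmed "!object \Sessions\1\BaseNamedObjects" listing.
SESSION_LISTING = """\
Hash Address          Type    Name
---- -------          ----    ----
00   fffffa8008437670 Event   STOP_HOOKING64
08   fffffa80044baa40 Mutant  WERReportingForProcess1788
"""

# Constructed sample: "dt _DISPATCHER_HEADER <address>" output per event, keyed
# by the object address from the listing. Only the SignalState line matters.
DISPATCHER_HEADERS: Dict[str, str] = {
    "82b7b0f8": "   +0x004 SignalState :  0n1\n",   # LowCommitCondition, as on the page
    "82b7b0b8": "   +0x004 SignalState :  0n0\n",   # HighCommitCondition (constructed)
}

# A directory row: optional two-digit hash (blank on chained entries), then
# address, object type and name. Column layout assumed from the listings above.
ENTRY_RE = re.compile(r"^(?:[0-9a-f]{2})?\s+([0-9a-f]{8,16})\s+(\S+)\s+(\S+)\s*$", re.I)
SIGNAL_RE = re.compile(r"SignalState\s*:\s*0n(-?\d+)")
WER_MUTANT_RE = re.compile(r"^WERReportingForProcess(\d+)$")


def parse_directory(listing: str) -> List[Tuple[str, str, str]]:
    """Return (address, type, name) for every row of an !object directory listing."""
    rows = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rows.append((m.group(1).lower(), m.group(2), m.group(3)))
    return rows


def signal_state(dt_output: str) -> Optional[int]:
    """Extract _DISPATCHER_HEADER.SignalState from dt output; None if absent."""
    m = SIGNAL_RE.search(dt_output)
    return int(m.group(1)) if m else None


def signalled_events(listing: str, headers: Dict[str, str]) -> List[str]:
    """Names of Event objects whose dispatcher header shows a non-zero SignalState.

    Events without a captured dt output are skipped rather than guessed at.
    """
    names = []
    for addr, obj_type, name in parse_directory(listing):
        if obj_type != "Event" or addr not in headers:
            continue
        if signal_state(headers[addr]):
            names.append(name)
    return names


def wer_reporting_pids(listing: str) -> List[Tuple[int, str]]:
    """(decimal PID, hex Cid) for each WERReportingForProcess<PID> mutant.

    !process takes the decimal PID as 0n<PID> and reports the Cid in hex, so
    both forms are returned (1788 -> 0x6fc, matching the page's output).
    """
    found = []
    for _addr, obj_type, name in parse_directory(listing):
        m = WER_MUTANT_RE.match(name)
        if obj_type == "Mutant" and m:
            pid = int(m.group(1))
            found.append((pid, f"0x{pid:x}"))
    return found


if __name__ == "__main__":
    print("signalled:", signalled_events(KERNEL_OBJECTS_LISTING, DISPATCHER_HEADERS))
    for pid, cid in wer_reporting_pids(SESSION_LISTING):
        print(f"WER reporting for PID {pid} (Cid {cid}) -> !process 0n{pid} 1")
```

Run against the page's listings this reports LowCommitCondition as the only signalled event among those with a captured header, and PID 1788 (Cid 0x6fc) as the process WER was reporting on, which is the value fed to !process in the dump session above.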