Frozen Process

Looks like Windows 8 reuses the debugging concept of a frozen thread for a so-called “deeply frozen” process:

0: kd> !sprocess 2
Dumping Session 2
[...]
PROCESS fffffa8002cb2940
SessionId: 2 Cid: 0c80 Peb: 7f6c41dd000 ParentCid: 0288
DeepFreeze
DirBase: 2ef45000 ObjectTable: fffff8a002f215c0 HandleCount: <Data Not Accessible>
Image: iexplore.exe
[...]
0: kd> dt nt!_KPROCESS fffffa8002cb2940
+0x000 Header           : _DISPATCHER_HEADER
+0x018 ProfileListHead  : _LIST_ENTRY [ 0xfffffa80`02cb2958 - 0xfffffa80`02cb2958 ]
+0x028 DirectoryTableBase : 0x2ef45000
+0x030 ThreadListHead   : _LIST_ENTRY [ 0xfffffa80`01e4edf8 - 0xfffffa80`01f5bbf8 ]
+0x040 ProcessLock      : 0
+0x044 Spare0           : 0
+0x048 Affinity         : _KAFFINITY_EX
+0x0f0 ReadyListHead    : _LIST_ENTRY [ 0xfffffa80`02cb2a30 - 0xfffffa80`02cb2a30 ]
+0x100 SwapListEntry    : _SINGLE_LIST_ENTRY
+0x108 ActiveProcessors : _KAFFINITY_EX
+0x1b0 AutoAlignment    : 0y0
+0x1b0 DisableBoost     : 0y0
+0x1b0 DisableQuantum   : 0y0
+0x1b0 AffinitySet      : 0y0
+0x1b0 DeepFreeze       : 0y1
+0x1b0 TimerVirtualization : 0y1
+0x1b0 ActiveGroupsMask : 0y00000000000000000001 (0x1)
+0x1b0 ReservedFlags    : 0y000000 (0)
+0x1b0 ProcessFlags     : 0n112
+0x1b4 BasePriority     : 8 ''
+0x1b5 QuantumReset     : 6 ''
+0x1b6 Visited          : 0 ''
+0x1b7 Flags            : _KEXECUTE_OPTIONS
+0x1b8 ThreadSeed       : [20] 0
+0x208 IdealNode        : [20] 0
+0x230 IdealGlobalNode  : 0
+0x232 Spare1           : 0
+0x234 StackCount       : _KSTACK_COUNT
+0x238 ProcessListEntry : _LIST_ENTRY [ 0xfffffa80`03816b78 - 0xfffffa80`02cc2b78 ]
+0x248 CycleTime        : 0x225078
+0x250 ContextSwitches  : 0x22
+0x258 SchedulingGroup  : (null)
+0x260 FreezeCount      : 0
+0x264 KernelTime       : 0
+0x268 UserTime         : 0
+0x26c LdtFreeSelectorHint : 0
+0x26e LdtTableLength   : 0
+0x270 LdtSystemDescriptor : _KGDTENTRY64
+0x280 LdtBaseAddress   : (null)
+0x288 LdtProcessLock   : _FAST_MUTEX
+0x2c0 InstrumentationCallback : (null)

We also see that all its threads have a freeze count of 1:

0: kd> !process fffffa8002cb2940 2
[...]
THREAD fffffa8001e4eb00 Cid 0c80.0514 Teb: 000007f6c41de000 Win32Thread: fffff901000e5b90 WAIT: (Suspended) KernelMode Non-Alertable
FreezeCount 1
fffffa8001e4ede0 NotificationEvent
THREAD fffffa800219c080 Cid 0c80.0d88 Teb: 000007f6c41db000 Win32Thread: fffff90103f206e0 WAIT: (Suspended) KernelMode Non-Alertable
FreezeCount 1
fffffa800219c360 NotificationEvent
[...]
0: kd> dt _KTHREAD fffffa800219c080
nt!_KTHREAD
+0x000 Header           : _DISPATCHER_HEADER
+0x018 SListFaultAddress : (null)
+0x020 QuantumTarget    : 0x18c26200
+0x028 InitialStack     : 0xfffff880`1548ddd0 Void
+0x030 StackLimit       : 0xfffff880`15488000 Void
+0x038 StackBase        : 0xfffff880`1548e000 Void
+0x040 ThreadLock       : 0
+0x048 CycleTime        : 0x15ca97c8
+0x050 CurrentRunTime   : 0
+0x054 ExpectedRunTime  : 0xd77e
+0x058 KernelStack      : 0xfffff880`1548d430 Void
+0x060 StateSaveArea    : 0xfffff880`1548de00 _XSAVE_FORMAT
+0x068 SchedulingGroup  : (null)
+0x070 WaitRegister     : _KWAIT_STATUS_REGISTER
+0x071 Running          : 0 ''
+0x072 Alerted          : [2]  ""
+0x074 KernelStackResident : 0y1
+0x074 ReadyTransition  : 0y0
+0x074 ProcessReadyQueue : 0y0
+0x074 WaitNext         : 0y0
+0x074 SystemAffinityActive : 0y0
+0x074 Alertable        : 0y0
+0x074 CodePatchInProgress : 0y0
+0x074 UserStackWalkActive : 0y0
+0x074 ApcInterruptRequest : 0y0
+0x074 QuantumEndMigrate : 0y0
+0x074 UmsDirectedSwitchEnable : 0y0
+0x074 TimerActive      : 0y0
+0x074 SystemThread     : 0y0
+0x074 ProcessDetachActive : 0y0
+0x074 CalloutActive    : 0y0
+0x074 ScbReadyQueue    : 0y0
+0x074 ApcQueueable     : 0y1
+0x074 ReservedStackInUse : 0y0
+0x074 UmsPerformingSyscall : 0y0
+0x074 Reserved         : 0y0000000000000 (0)
+0x074 MiscFlags        : 0n65537
+0x078 AutoAlignment    : 0y0
+0x078 DisableBoost     : 0y0
+0x078 UserAffinitySet  : 0y0
+0x078 AlertedByThreadId : 0y0
+0x078 QuantumDonation  : 0y0
+0x078 EnableStackSwap  : 0y1
+0x078 GuiThread        : 0y1
+0x078 DisableQuantum   : 0y0
+0x078 ChargeOnlyGroup  : 0y0
+0x078 DeferPreemption  : 0y0
+0x078 QueueDeferPreemption : 0y0
+0x078 ForceDeferSchedule : 0y0
+0x078 ExplicitIdealProcessor : 0y0
+0x078 FreezeCount      : 0y1
+0x078 EtwStackTraceApcInserted : 0y00000000 (0)
+0x078 ReservedFlags    : 0y0000000000 (0)
+0x078 ThreadFlags      : 0n8288
+0x07c Spare0           : 0
+0x080 SystemCallNumber : 0x87
+0x084 Spare1           : 0
+0x088 FirstArgument    : 0x00000000`0000017c Void
+0x090 TrapFrame        : (null)
+0x098 ApcState         : _KAPC_STATE
+0x098 ApcStateFill     : [43]  "???"
+0x0c3 Priority         : 8 ''
+0x0c4 UserIdealProcessor : 1
+0x0c8 WaitStatus       : 0n256
+0x0d0 WaitBlockList    : 0xfffffa80`0219c1c0 _KWAIT_BLOCK
+0x0d8 WaitListEntry    : _LIST_ENTRY [ 0xfffffa80`0418a458 - 0xfffff880`009eb300 ]
+0x0d8 SwapListEntry    : _SINGLE_LIST_ENTRY
+0x0e8 Queue            : 0xfffffa80`03da4bc0 _KQUEUE
+0x0f0 Teb              : 0x000007f6`c41db000 Void
+0x0f8 RelativeTimerBias : 0x00000001`8b165f54
+0x100 Timer            : _KTIMER
+0x140 WaitBlock        : [4] _KWAIT_BLOCK
+0x140 WaitBlockFill4   : [20]  "h???"
+0x154 ContextSwitches  : 0x1817
+0x140 WaitBlockFill5   : [68]  "h???"
+0x184 State            : 0x5 ''
+0x185 NpxState         : 1 ''
+0x186 WaitIrql         : 0 ''
+0x187 WaitMode         : 0 ''
+0x140 WaitBlockFill6   : [116]  "h???"
+0x1b4 WaitTime         : 0xf0172e
+0x140 WaitBlockFill7   : [164]  "h???"
+0x1e4 KernelApcDisable : 0n0
+0x1e6 SpecialApcDisable : 0n0
+0x1e4 CombinedApcDisable : 0
+0x140 WaitBlockFill8   : [40]  "h???"
+0x168 ThreadCounters   : (null)
+0x140 WaitBlockFill9   : [88]  "h???"
+0x198 XStateSave       : (null)
+0x140 WaitBlockFill10  : [136]  "h???"
+0x1c8 Win32Thread      : 0xfffff901`03f206e0 Void
+0x140 WaitBlockFill11  : [176]  "h???"
+0x1f0 Ucb              : (null)
+0x1f8 Uch              : (null)
+0x200 TebMappedLowVa   : (null)
+0x208 QueueListEntry   : _LIST_ENTRY [ 0xfffffa80`02ccf408 - 0xfffffa80`03da4bf0 ]
+0x218 NextProcessor    : 0
+0x21c DeferredProcessor : 1
+0x220 Process          : 0xfffffa80`02cb2940 _KPROCESS
+0x228 UserAffinity     : _GROUP_AFFINITY
+0x228 UserAffinityFill : [10]  "???"
+0x232 PreviousMode     : 1 ''
+0x233 BasePriority     : 8 ''
+0x234 PriorityDecrement : 0 ''
+0x234 ForegroundBoost  : 0y0000
+0x234 UnusualBoost     : 0y0000
+0x235 Preempted        : 0 ''
+0x236 AdjustReason     : 0 ''
+0x237 AdjustIncrement  : 0 ''
+0x238 Affinity         : _GROUP_AFFINITY
+0x238 AffinityFill     : [10]  "???"
+0x242 ApcStateIndex    : 0 ''
+0x243 WaitBlockCount   : 0x1 ''
+0x244 IdealProcessor   : 1
+0x248 ApcStatePointer  : [2] 0xfffffa80`0219c118 _KAPC_STATE
+0x258 SavedApcState    : _KAPC_STATE
+0x258 SavedApcStateFill : [43]  "???"
+0x283 WaitReason       : 0x5 ''
+0x284 SuspendCount     : 0 ''
+0x285 Saturation       : 0 ''
+0x286 SListFaultCount  : 0
+0x288 SchedulerApc     : _KAPC
+0x288 SchedulerApcFill0 : [1]  "??????"
+0x289 ResourceIndex    : 0x1 ''
+0x288 SchedulerApcFill1 : [3]  "???"
+0x28b QuantumReset     : 0x6 ''
+0x288 SchedulerApcFill2 : [4]  "???"
+0x28c KernelTime       : 7
+0x288 SchedulerApcFill3 : [64]  "???"
+0x2c8 WaitPrcb         : (null)
+0x288 SchedulerApcFill4 : [72]  "???"
+0x2d0 LegoData         : (null)
+0x288 SchedulerApcFill5 : [83]  "???"
+0x2db CallbackNestingLevel : 0 ''
+0x2dc UserTime         : 0xa
+0x2e0 SuspendEvent     : _KEVENT
+0x2f8 ThreadListEntry  : _LIST_ENTRY [ 0xfffffa80`01c41378 - 0xfffffa80`01e4edf8 ]
+0x308 MutantListHead   : _LIST_ENTRY [ 0xfffffa80`0219c388 - 0xfffffa80`0219c388 ]
+0x318 ReadOperationCount : 0n392
+0x320 WriteOperationCount : 0n321
+0x328 OtherOperationCount : 0n240
+0x330 ReadTransferCount : 0n1849338
+0x338 WriteTransferCount : 0n1197496
+0x340 OtherTransferCount : 0n4972

This is different from a process under a debugger, where all its threads are frozen except the one that communicates with the debugger, as in the case study from Volume 4, page 204. In Windows 8 deep freezing happens, for example, when we switch to the desktop from IE launched from the start page. Shortly afterwards the iexplore.exe process changes from Running to Suspended on the Task Manager Details page. This pattern covers both the new feature and the debugged process case.
