winlogon!JobThread的由来的四个例子和server03的winlogon的job机制第二部分—-非常重要


(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubCallback] Callback SfnINOUTNCCALCSIZE, Unknown(WM_NCCALCSIZE), retval = 0
Breakpoint 26 hit
eax=007cffb0 ebx=77f2e840 ecx=0100d5dc edx=01055b80 esi=00000000 edi=01055b80
eip=77e4dec5 esp=007cff58 ebp=007cffb8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
kernel32!GetQueuedCompletionStatus:
001b:77e4dec5 55              push    ebp
0: kd> kc
 #
00 kernel32!GetQueuedCompletionStatus
01 winlogon!JobThread
02 kernel32!BaseThreadStart
0: kd> kv
 # ChildEBP RetAddr  Args to Child              
00 007cff54 0102e2a2 00000d90 007cffb0 007cffa8 kernel32!GetQueuedCompletionStatus (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmasewin32clienterror.c @ 491]
01 007cffb8 77e41be7 00000000 00000000 00000000 winlogon!JobThread+0xa9 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmdssecurityginawinlogonjobwait.c @ 239]
02 007cffec 00000000 0102e1f9 00000000 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmasewin32clientsupport.c @ 533]
0: kd> bp 0102e2a2
0: kd> g

0: kd> g
Breakpoint 27 hit
eax=00000001 ebx=77f2e840 ecx=00000006 edx=7ffe0304 esi=00000000 edi=01055b80
eip=0102e2a2 esp=007cff70 ebp=007cffb8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
winlogon!JobThread+0xa9:
001b:0102e2a2 85c0            test    eax,eax
0: kd> kc
 #
00 winlogon!JobThread
01 kernel32!BaseThreadStart

0: kd> dv
        Ignored = 0x00000000
        WaitJob = 0x00000000
 CompletionCode = 6    // 6 = JOB_OBJECT_MSG_NEW_PROCESS (public SDK winnt.h value); lpOverlapped = 0x6c8 is the new process's PID — the scrnsave.scr with Cid 06c8 that shows up further down
  CompletionKey = 0x01232118
        JobInfo = struct _JOBOBJECT_BASIC_PROCESS_ID_LIST
  ProcessStatus = 0x89689e30
   lpOverlapped = 0x000006c8
        MinWait = 0xffffffff
     Overlapped = struct _OVERLAPPED

D:123>grep “JOB_OBJECT_MSG_WINLOGON_TERMINATE_JOB” -nr D:srv03rtmdssecuritygina|grep -v “inary”
D:srv03rtmdssecuritygina/winlogon/jobwait.c:40:#define JOB_OBJECT_MSG_WINLOGON_TERMINATE_JOB   0x00010000

//
// WINLOGON_JOB.Flags bits (jobwait.c).  The screen-saver job dumped on this
// page carries Flags = 0x1b = TERMINATE_ON_TIMEOUT | SIGNAL_ON_TERMINATE |
// PROCESS_STARTED | WATCH_PROCESS, and becomes 0x1f once the
// JOB_OBJECT_MSG_WINLOGON_TERMINATED handler ORs in WINLOGON_JOB_TERMINATED.
//
#define WINLOGON_JOB_TERMINATE_ON_TIMEOUT       0x00000001  // not exercised in this trace (Job->Timeout is INFINITE)
#define WINLOGON_JOB_SIGNAL_ON_TERMINATE        0x00000002  // not exercised in this trace (Job->Event is NULL)
#define WINLOGON_JOB_TERMINATED                 0x00000004  // set by the WINLOGON_TERMINATED handler
#define WINLOGON_JOB_PROCESS_STARTED            0x00000008  // already set when the job reaches JobThread here; the setter is not in the excerpt
#define WINLOGON_JOB_WATCH_PROCESS              0x00000010  // gates the root-process exit handling: when set, JobThread
                                                            // NtClose()s RootProcess and posts WINLOGON_KILL_JOB if other
                                                            // processes are still assigned to the job
#define WINLOGON_JOB_KILLED                     0x00000020  // tested together with CALLBACKS_DONE to decide whether callbacks still run
#define WINLOGON_JOB_CALLBACKS_DONE             0x00000040  // set once Event/Callback have been fired for this job
#define WINLOGON_JOB_RUN_ON_DELETE              0x00000080  // not referenced by any excerpt on this page
#define WINLOGON_JOB_DELETED                    0x00000100  // checked before firing callbacks: a deleted job gets none
#define WINLOGON_JOB_DELETING                   0x00000200  // held while Callback runs with JobLock released, so a
                                                            // concurrent deleter can see the job is still in use

//
// Private completion codes winlogon posts to its own job I/O completion port
// (PostQueuedCompletionStatus(IoPort, code, (ULONG_PTR) Job, &Overlapped)).
// They start at 0x10000, well above the kernel's JOB_OBJECT_MSG_* codes (the
// CompletionCode values 6/7/4 in the dv output), so the two ranges cannot
// collide in JobThread's switch.  Note that the CompletionKey is a raw
// WINLOGON_JOB pointer which JobThread dereferences without validation; that
// is only safe while the port handle stays private to winlogon.  The excerpt
// does not show where IoPort is created or whether it is ever shared, so
// confirm that in jobwait.c before relying on it.
//
#define JOB_OBJECT_MSG_WINLOGON_TERMINATE_JOB   0x00010000
#define JOB_OBJECT_MSG_WINLOGON_KILL_JOB        0x00010001  // posted when the watched root process exits but the job is not yet empty
#define JOB_OBJECT_MSG_WINLOGON_TERMINATED      0x00010002  // handled by firing Event/Callback, then DerefWinlogonJob() and keep waiting

0: kd> dv
        Ignored = 0x00000000
        WaitJob = 0x00000000
 CompletionCode = 6
  CompletionKey = 0x01232118
        JobInfo = struct _JOBOBJECT_BASIC_PROCESS_ID_LIST
  ProcessStatus = 0x89689e30
   lpOverlapped = 0x000006c8
        MinWait = 0xffffffff
     Overlapped = struct _OVERLAPPED
0: kd> dt WINLOGON_JOB 0x01232118
   +0x000 List             : _LIST_ENTRY [ 0x1055b98 – 0x1055b98 ]
   +0x008 UniqueId         : _LUID
   +0x010 RefCount         : 0n2
   +0x014 Flags            : 0x1b
   +0x018 Job              : 0x00000eec Void
   +0x01c RootProcess      : 0x00000db0 Void
   +0x020 Timeout          : 0xffffffff
   +0x024 Event            : (null)
   +0x028 Callback         : 0x0101ad11     unsigned long  winlogon!ScreenSaverCallback+0
   +0x02c Parameter        : 0x0006fa6c Void

0: kd> x winlogon!JobList
01055b98          winlogon!JobList = struct _LIST_ENTRY [ 0x1232118 – 0x1232118 ]
0: kd> dx -id 0,0,89413020 -r1 (*((winlogon!_LIST_ENTRY *)0x1055b98))
(*((winlogon!_LIST_ENTRY *)0x1055b98))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x1232118 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x1232118 [Type: _LIST_ENTRY *]

0: kd> p
eax=00000000 ebx=77f2e840 ecx=7ffdc000 edx=01055b80 esi=00000000 edi=01055b80
eip=0102e280 esp=007cff68 ebp=007cffb8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
winlogon!JobThread+0x87:
001b:0102e280 e8433afeff      call    winlogon!LogEvent (01011cc8)
0: kd> t
eax=00000000 ebx=77f2e840 ecx=7ffdc000 edx=01055b80 esi=00000000 edi=01055b80
eip=01011cc8 esp=007cff64 ebp=007cffb8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
winlogon!LogEvent:
001b:01011cc8 55              push    ebp
0: kd> dv
           Mask = 0n262144
         Format = 0x0100d5dc “No timeout.”
    szOutString = char [256] “???”
         ftTime = struct _FILETIME
      localtime = struct _FILETIME Jan 1 22:54:23 1601
         stTime = struct _SYSTEMTIME
0: kd> ?0n262144
Evaluate expression: 262144 = 00040000
0: kd> x winlogon!WinlogonInfoLevel
01054040          winlogon!WinlogonInfoLevel = 3
0: kd> ed 01054040 fffff
0: kd> x winlogon!WinlogonInfoLevel
01054040          winlogon!WinlogonInfoLevel = 0xfffff

0: kd> gu
456.504> Winlogon-Trace-Job: No timeout

D:123>grep “DEB_TRACE_JOB” -nr D:srv03rtmdssecuritygina|grep -v “inary”
D:srv03rtmdssecuritygina/winlogon/debug.c:82:                {“Job”,         DEB_TRACE_JOB}
D:srv03rtmdssecuritygina/winlogon/debug.h:51:#define DEB_TRACE_JOB       0x00040000

//
// DebugLog(( mask, fmt, ... )) trace categories (winlogon/debug.h).  The
// global winlogon!WinlogonInfoLevel selects which bits actually print: it was
// 3 (DEB_ERROR | DEB_WARN) on this box, and the "Winlogon-Trace-Job:" lines
// only started appearing after the author poked 0xfffff into it
// (ed 01054040 fffff).  debug.c maps each bit to the tag printed after
// "Winlogon-Trace-"; the only table entry shown on this page is
// {"Job", DEB_TRACE_JOB}.
//
#define DEB_ERROR           0x00000001
#define DEB_WARN            0x00000002
#define DEB_TRACE           0x00000004
#define DEB_TRACE_INIT      0x00000008
#define DEB_TRACE_TIMEOUT   0x00000010
#define DEB_TRACE_SAS       0x00000020  // presumably the "Winlogon-Trace-SAS:" lines (LOGONNOTIFY, sound) in the trace above
#define DEB_TRACE_STATE     0x00000040
#define DEB_TRACE_MPR       0x00000080
#define DEB_COOL_SWITCH     0x00000100
#define DEB_TRACE_PROFILE   0x00000200
#define DEB_DEBUG_LSA       0x00000400
#define DEB_DEBUG_MPR       0x00000800
#define DEB_DEBUG_NOWAIT    0x00001000
#define DEB_TRACE_MIGRATE   0x00002000
#define DEB_DEBUG_SERVICES  0x00004000
#define DEB_TRACE_SETUP     0x00008000
#define DEB_TRACE_SC        0x00010000
#define DEB_TRACE_NOTIFY    0x00020000
#define DEB_TRACE_JOB       0x00040000  // = 0n262144, the Mask seen in the LogEvent frame; used by JobThread's
                                        // "No timeout" / "Job %x:%x completed" / "root process terminated" traces

0: kd> gu
(s: 0 0x1c8.6c4 winlogon.exe) USRK-[Callout] W32: Thread Callout for ETHREAD 89810740 called for Exit

(s: 0 0x1c8.6c4 winlogon.exe) USRK-[Callout]                               PID = 1c8   TID = 6c4

(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout] W32: Process Callout for W32P 0XE17EEB30 EP 0X897D0D88 called for Creation
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] xxxInitProcessInfo set W32PF 0XE17EEB30
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout] W32: Thread Callout for ETHREAD 89619740 called for Initialization

(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout]                               PID = 6c8   TID = 6d8

Breakpoint 22 hit
eax=b9ac0c3c ebx=bf9e5f20 ecx=b9ac0c68 edx=00000200 esi=bf9e8634 edi=e3109150
eip=bf844d9f esp=b9ac0b70 ebp=b9ac0cb4 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
win32k!xxxResolveDesktop:
bf844d9f 68bc020000      push    2BCh
0: kd> kc
 #
00 win32k!xxxResolveDesktop
01 win32k!xxxCreateThreadInfo
02 win32k!UserThreadCallout
03 win32k!W32pThreadCallout
04 nt!PsConvertToGuiThread
05 nt!Ki16BitStackException
06 ntdll!LdrDisableThreadCalloutsForDll

0: kd> kc
 #
00 win32k!xxxResolveDesktop
01 win32k!xxxCreateThreadInfo
02 win32k!UserThreadCallout
03 win32k!W32pThreadCallout
04 nt!PsConvertToGuiThread
05 nt!Ki16BitStackException
06 ntdll!LdrDisableThreadCalloutsForDll
0: kd> .process
Implicit process is now 897d0d88
0: kd> !thread
THREAD 89619740  Cid 06c8.06d8  Teb: 7ffde000 Win32Thread: e3109150 RUNNING on processor 0
Not impersonating
DeviceMap                 e14c43b8
Owning Process            897d0d88       Image:         scrnsave.scr
Attached Process          N/A            Image:         N/A
Wait Start TickCount      274772134      Ticks: 1 (0:00:00:00.015)
Context Switch Count      10             IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.015
Win32 Start Address winlogon!_imp__RtlFreeHeap (0x01001836)    // bogus symbol: this thread belongs to scrnsave.scr, but 0x01001836 was resolved against winlogon.exe's symbols (both images apparently load at the same 0x01000000 base); trust the raw address, not the name
Stack Init b9ac1000 Current b9ac0c24 Base b9ac1000 Limit b9abe000 Call 00000000
Priority 5 BasePriority 4 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr  Args to Child              
b9ac0b6c bf8463da ffffffff b9ac0c3c b9ac0c68 win32k!xxxResolveDesktop (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkerneldesktop.c @ 5112]
b9ac0cb4 bf844cf6 89619740 00000000 89619740 win32k!xxxCreateThreadInfo+0x6b6 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelqueue.c @ 1858]
b9ac0cd0 bf844b64 89619740 00000000 00000000 win32k!UserThreadCallout+0x178 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscore
tuserkernelserver.c @ 2989]
b9ac0cec 80d32c5a 89619740 00000000 80b207f0 win32k!W32pThreadCallout+0xc0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmwindowscorekmodew32init.c @ 364]
b9ac0d54 80afb956 000010db 0006f6b4 0006f6b8 nt!PsConvertToGuiThread+0x28c (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmase
tospspsquery.c @ 4367]
b9ac0da0 77f273d6 00000001 03000001 ffffffff nt!Ki16BitStackException+0x52 [d:srv03rtmase
toskei386 rap.asm @ 1032]
00000000 00000000 00000000 00000000 00000000 ntdll!LdrDisableThreadCalloutsForDll+0x82 (FPO: [Non-Fpo]) (CONV: stdcall) [d:srv03rtmase
tdllldrapi.c @ 958]

0: kd> g
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout] Mapping desktop 0x898D3C30 into process 0x897D0D88
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserInitializeThreadInfo, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] RemoteConnectState, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserGetThreadDesktop, retval = 4c
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserWaitMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
456.460> Winlogon-Trace-SAS: LOGONNOTIFY message 9
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10003
456.460> Winlogon-Trace: ProfileUserMapping Refs = 2
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c017456.460> Winlogon-Trace-SAS: Playing sound range 0 index '7'

456.460> Winlogon-Trace: ProfileUserMapping Refs = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn456.1448> Winlogon-Trace: ProfileUserMapping Refs = 2
456.1448> Winlogon-Trace-SAS: Playing sound range 0 index '7'
456.1448> Winlogon-Trace: ProfileUserMapping Refs = 1
] NtUserFindExistingCursorIcon, retval = 10003
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c01c
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10003
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c01e
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10003
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = 8002
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10005
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c018
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10003
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c01a
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10003
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c01d
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10003
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c026
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserFindExistingCursorIcon, retval = 10003
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c019
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c020
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c025
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c023
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c022
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c024
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Vrbs=2] UserFindAtom: lookup failed
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserRegisterClassExWOW, retval = c071
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserGetDC, retval = 9801020d
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] _ReleaseDC, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnINLPCREATESTRUCT, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_NCCREATE), retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnINOUTNCCALCSIZE, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnINOUTNCCALCSIZE, Unknown(WM_NCCALCSIZE), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] xxxGetCursorPos, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnINLPCREATESTRUCT, Unknown(WM_CREATE), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SIZE), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_MOVE), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SHOWWINDOW), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnINOUTLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGING), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] FAllowForegroundActivate FRemoveForegroundActivate 0XE3109150
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] FRemoveForegroundActivate clear W32PF 0XE17EEB30
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] xxxActivateWindow temporarly set TIF 0XE3109150
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] xxxSetForegroundWindow FRemoveForegroundActivate 0XE3109150
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] FRemoveForegroundActivate clear TIF 0XE3109150
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] FRemoveForegroundActivate clear W32PF 0XE17EEB30
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] xxxSetForegroundWindow2 by 0XE3109150 to 0XBCB7324C-0XE3109150
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[KBD] SetGlobalKeyboardTableInfo:Changing KL NLS Table: new HKL=0X04090409

(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[KBD] SetGlobalKeyboardTableInfo: new gpKbdNlsTbl=00000000

(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATEAPP), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnDWORD, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_NCACTIVATE), retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SETFOCUS), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ACTIVATE), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] xxxActivateWindow clear TIF 0XE3109150
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_NCPAINT), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnDWORD, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_ERASEBKGND), retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnINLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGED), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserCreateWindowEx, retval = 600ae
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_NCHITTEST), retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserSetCursor, retval = 10007
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SETCURSOR), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserGetMessage, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] xxxGetCursorPos, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserGetMessage, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserDispatchMessage, retval = 0

1: kd> g
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserWaitMessage, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserGetDC, retval = 360101ec
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] fnINSTRINGNULL, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserMessageCall, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] _ReleaseDC, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserKillTimer, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserInvalidateRect, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserBeginPaint, retval = 2701021e
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserEndPaint, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserSetTimer, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserInvalidateRect, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserDispatchMessage, retval = 0
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserBeginPaint, retval = 1010052
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserEndPaint, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_PAINT), retval = 0
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserDispatchMessage, retval = 0
(s: 0 0x1b0.1dc csrss.exe) USRK-[FOREGROUND] Removing all entries from ghCanActivateForegroundPIDs array
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserWaitMessage, retval = 1
(s: 0 0x3d8.41c explorer.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_NCHITTEST), retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserSetCursor, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_SETCURSOR), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserGetMessage, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] xxxGetCursorPos, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserPostMessage, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserGetMessage, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnINOUTLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGING), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[FOREGROUND] xxxEndDeferWindowPosEx set TIF 0XE3109150
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnINLPWINDOWPOS, Unknown(WM_WINDOWPOSCHANGED), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] _PostQuitMessage, retval = 1
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnDWORD, Unknown(WM_DESTROY), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubCallback] Callback SfnNCDESTROY, Unknown(WM_NCDESTROY), retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] fnDWORD, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserMessageCall, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[StubReturn] NtUserGetMessage, retval = 0
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout] W32: Thread Callout for ETHREAD 89619740 called for Exit

(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout]                               PID = 6c8   TID = 6d8

(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout] W32: Process Callout for W32P 0XE17EEB30 EP 0X897D0D88 called for Deletion
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Job] RemoveProcessFromJob: ppi 0XE17EEB30 pW32Job 00000000
(s: 0 0x6c8.6d8 scrnsave.scr) USRK-[Callout] Unmapping desktop 0x898D3C30 from process 0x897D0D88 (0x0 <-> 0x0)
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserWaitMessage, retval = 1
(s: 0 0x1c8.1cc winlogon.exe) USRK-[StubReturn] NtUserPeekMessage, retval = 1
456.460> Winlogon-Trace-SAS: LOGONNOTIFY message 9
456.460> Winlogon-Trace: ProfileUserMapping Refs = 2
456.460> Winlogon-Trace-SAS: Playing sound range 0 index '8'
456.460> Winlogon-Trace: ProfileUserMapping Refs = 1
Breakpoint 27 hit
eax=00000001 ebx=77f2e840 ecx=00000007 edx=7ffe0304 esi=00000000 edi=01055b80
eip=0102e2a2 esp=007cff70 ebp=007cffb8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
winlogon!JobThread+0xa9:
001b:0102e2a2 85c0            test    eax,eax
1: kd> dv
        Ignored = 0x00000000
        WaitJob = 0x00000000
 CompletionCode = 7    // 7 = JOB_OBJECT_MSG_EXIT_PROCESS (public SDK winnt.h value); lpOverlapped = 0x6c8 = PID of the scrnsave.scr that just exited. The source excerpt below is labelled JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS; presumably the EXIT_PROCESS label shares that handler body — confirm in jobwait.c
  CompletionKey = 0x01232118
        JobInfo = struct _JOBOBJECT_BASIC_PROCESS_ID_LIST
  ProcessStatus = 0x89689e30
   lpOverlapped = 0x000006c8
        MinWait = 0xffffffff
     Overlapped = struct _OVERLAPPED

            case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS:

                EnterCriticalSection( &JobLock );

                if ( Job->Flags & WINLOGON_JOB_WATCH_PROCESS )
                {
                    if ( GetExitCodeProcess( Job->RootProcess, &ProcessStatus ) &&
                         ( ProcessStatus != STATUS_PENDING ) )
                    {
                        //
                        // Close the handle so the job can terminate
                        // if it needs to
                        //

                        NtClose( Job->RootProcess );

                        Job->RootProcess = NULL ;

                        //
                        // The initial process has terminated,
                        // and we're watching it.  If there are other
                        // processes still in the job, we need to kill
                        // them.
                        //

                        Status = NtQueryInformationJobObject(
                                    Job->Job,
                                    JobObjectBasicProcessIdList,
                                    &JobInfo,
                                    sizeof( JobInfo ),
                                    NULL );

                        if ( ( Status == STATUS_SUCCESS ) ||
                             ( Status == STATUS_BUFFER_OVERFLOW ) )
                        {
                            //
                            // bugbug, 0 or 1?
                            //
                            if ( JobInfo.NumberOfAssignedProcesses > 0 )
                            {
                                DebugLog(( DEB_TRACE_JOB, “Job %x:%x root process terminated
“,
                                           Job->UniqueId.HighPart,
                                           Job->UniqueId.LowPart ));

                                //
                                // Post a private message indicating that we want to kill
                                // the job.
                                //

                                PostQueuedCompletionStatus( IoPort,
                                                            JOB_OBJECT_MSG_WINLOGON_KILL_JOB,
                                                            (ULONG_PTR) Job,
                                                            &Overlapped );
                                //
                                // Let the work happen in the normal place
                                //

                            }
                        }

                    }

                }

                LeaveCriticalSection( &JobLock );

                continue;

                break;

1: kd> x winlogon!joblist
01055b98          winlogon!JobList = struct _LIST_ENTRY [ 0x1232118 – 0x1232118 ]
1: kd> dt WINLOGON_JOB 0x1232118
   +0x000 List             : _LIST_ENTRY [ 0x1055b98 – 0x1055b98 ]
   +0x008 UniqueId         : _LUID
   +0x010 RefCount         : 0n2
   +0x014 Flags            : 0x1b
   +0x018 Job              : 0x00000eec Void
   +0x01c RootProcess      : 0x00000db0 Void        // process handle to the screen-saver process (EPROCESS 897d0d88); the !handle dump below shows it was granted 0x1f0fff = PROCESS_ALL_ACCESS
   +0x020 Timeout          : 0xffffffff
   +0x024 Event            : (null)
   +0x028 Callback         : 0x0101ad11     unsigned long  winlogon!ScreenSaverCallback+0
   +0x02c Parameter        : 0x0006fa6c Void

PROCESS 897d0d88  SessionId: 0  Cid: 06c8    Peb: 7ffdf000  ParentCid: 01c8
    DirBase: 792d6000  ObjectTable: 00000000  HandleCount:   0.    // handle table already torn down: the process has exited, and the EPROCESS is still reachable largely because winlogon's handle 0xdb0 to it is still open (HandleCount 1 in the !handle output below)
    Image: scrnsave.scr

1: kd> !handle 0x00000db0

PROCESS 89413020  SessionId: 0  Cid: 01c8    Peb: 7ffdf000  ParentCid: 0180
    DirBase: 7ac20000  ObjectTable: e135a400  HandleCount: 474.
    Image: winlogon.exe

Handle table at e135a400 with 474 entries in use

0db0: Object: 897d0d88  GrantedAccess: 001f0fff Entry: e1806b60    // 0x1f0fff = PROCESS_ALL_ACCESS (pre-Vista value): winlogon keeps a full-access handle to scrnsave.scr for the life of the job and only NtClose()s it in the exit handler (RootProcess becomes NULL further down)
Object: 897d0d88  Type: (899a28e8) Process
    ObjectHeader: 897d0d70 (old version)
        HandleCount: 1  PointerCount: 2

/*
 * GetExitCodeProcess (kernel32)
 *
 * Reports the exit status of hProcess in *lpExitCode.  A process that has
 * not exited yet reports STATUS_PENDING (0x103, i.e. STILL_ACTIVE) as its
 * ExitStatus, which is exactly what winlogon!JobThread compares against
 * before it decides the watched root process is really gone.
 *
 * Returns TRUE on success (*lpExitCode written), FALSE on failure with the
 * last error set from the NTSTATUS.  On failure *lpExitCode is only written
 * if the VDM fallback filled it in.
 *
 * hProcess presumably needs query access; the handle winlogon holds for the
 * screen saver (0x1f0fff = PROCESS_ALL_ACCESS) more than covers that.
 */
BOOL
WINAPI
GetExitCodeProcess(
    HANDLE hProcess,
    LPDWORD lpExitCode
    )
{
    PROCESS_BASIC_INFORMATION Pbi;
    NTSTATUS QueryStatus;

    QueryStatus = NtQueryInformationProcess (hProcess,
                                             ProcessBasicInformation,
                                             &Pbi,
                                             sizeof(Pbi),
                                             NULL);

    if ( !NT_SUCCESS(QueryStatus) ) {
        //
        // Fallback for handles the query does not understand -- presumably
        // 16-bit (VDM-hosted) pseudo-processes, judging by the helper's name.
        //
        if (BaseCheckForVDM (hProcess, lpExitCode) == TRUE) {
            return TRUE;
        }

        BaseSetLastNTError(QueryStatus);
        return FALSE;
    }

    *lpExitCode = Pbi.ExitStatus;
    return TRUE;
}

1: kd> x winlogon!joblist
01055b98          winlogon!JobList = struct _LIST_ENTRY [ 0x1232118 – 0x1232118 ]
1: kd> dt WINLOGON_JOB 0x1232118
   +0x000 List             : _LIST_ENTRY [ 0x1055b98 – 0x1055b98 ]
   +0x008 UniqueId         : _LUID
   +0x010 RefCount         : 0n2
   +0x014 Flags            : 0x1b
   +0x018 Job              : 0x00000eec Void
   +0x01c RootProcess      : 0x00000db0 Void
   +0x020 Timeout          : 0xffffffff
   +0x024 Event            : (null)
   +0x028 Callback         : 0x0101ad11     unsigned long  winlogon!ScreenSaverCallback+0
   +0x02c Parameter        : 0x0006fa6c Void

                if ( Job->Flags & WINLOGON_JOB_WATCH_PROCESS )
                {

//
// WINLOGON_JOB.Flags bits, repeated here next to the WATCH_PROCESS test.  For
// the screen-saver job on this page Flags = 0x1b, so bit 0x10 is set and the
// root-process exit handling runs; 0x1b also contains 0x01 | 0x02 | 0x08.
//
#define WINLOGON_JOB_TERMINATE_ON_TIMEOUT       0x00000001
#define WINLOGON_JOB_SIGNAL_ON_TERMINATE        0x00000002
#define WINLOGON_JOB_TERMINATED                 0x00000004  // ORed in later by the WINLOGON_TERMINATED handler (0x1b -> 0x1f)
#define WINLOGON_JOB_PROCESS_STARTED            0x00000008
#define WINLOGON_JOB_WATCH_PROCESS              0x00000010  // the bit tested by "if ( Job->Flags & WINLOGON_JOB_WATCH_PROCESS )" just above
#define WINLOGON_JOB_KILLED                     0x00000020
#define WINLOGON_JOB_CALLBACKS_DONE             0x00000040
#define WINLOGON_JOB_RUN_ON_DELETE              0x00000080
#define WINLOGON_JOB_DELETED                    0x00000100
#define WINLOGON_JOB_DELETING                   0x00000200

//
// MessageId: STATUS_PENDING
//
// MessageText:
//
//  The operation that was requested is pending completion.
//
// JobThread uses this as the "still running" sentinel: GetExitCodeProcess()
// hands back the process's ExitStatus, and a live process reports
// STATUS_PENDING (0x103 == STILL_ACTIVE) there.  Once scrnsave.scr was gone
// the dv output shows ProcessStatus = 1.  Consequence worth knowing: a
// process that genuinely exits with code 259 is indistinguishable from a
// running one by this test.
//
#define STATUS_PENDING                   ((NTSTATUS)0x00000103L)    // winnt

                        NtClose( Job->RootProcess );

                        Job->RootProcess = NULL ;

                        //
                        // The initial process has terminated,
                        // and we're watching it.  If there are other
                        // processes still in the job, we need to kill
                        // them.
                        //

                        Status = NtQueryInformationJobObject(
                                    Job->Job,
                                    JobObjectBasicProcessIdList,
                                    &JobInfo,
                                    sizeof( JobInfo ),
                                    NULL );

1: kd> dt WINLOGON_JOB 0x1232118
   +0x000 List             : _LIST_ENTRY [ 0x1055b98 – 0x1055b98 ]
   +0x008 UniqueId         : _LUID
   +0x010 RefCount         : 0n2
   +0x014 Flags            : 0x1b
   +0x018 Job              : 0x00000eec Void
   +0x01c RootProcess      : (null)
   +0x020 Timeout          : 0xffffffff
   +0x024 Event            : (null)
   +0x028 Callback         : 0x0101ad11     unsigned long  winlogon!ScreenSaverCallback+0
   +0x02c Parameter        : 0x0006fa6c Void

1: kd> dv
        Ignored = 0x00000000
        WaitJob = 0x00000000
 CompletionCode = 7
  CompletionKey = 0x01232118
        JobInfo = struct _JOBOBJECT_BASIC_PROCESS_ID_LIST
  ProcessStatus = 1
   lpOverlapped = 0x000006c8
        MinWait = 0xffffffff
     Overlapped = struct _OVERLAPPED
1: kd> dx -id 0,0,89413020 -r1 (*((winlogon!_JOBOBJECT_BASIC_PROCESS_ID_LIST *)0x7cff90))
(*((winlogon!_JOBOBJECT_BASIC_PROCESS_ID_LIST *)0x7cff90))                 [Type: _JOBOBJECT_BASIC_PROCESS_ID_LIST]
    [+0x000] NumberOfAssignedProcesses : 0x0 [Type: unsigned long]    // already 0: the exited root process is no longer counted by the time JobThread consumes its exit message, so the "> 0" test (the "bugbug, 0 or 1?" in the source) correctly means "other processes remain" and no JOB_OBJECT_MSG_WINLOGON_KILL_JOB is posted here; the next completion is code 4 instead
    [+0x004] NumberOfProcessIdsInList : 0x0 [Type: unsigned long]
    [+0x008] ProcessIdList    [Type: unsigned long [1]]
1: kd> dx -id 0,0,89413020 -r1 (*((winlogon!unsigned long (*)[1])0x7cff98))
(*((winlogon!unsigned long (*)[1])0x7cff98))                 [Type: unsigned long [1]]
    [0]              : 0x0 [Type: unsigned long]

1: kd> p
Breakpoint 27 hit
eax=00000001 ebx=77f2e840 ecx=00000004 edx=7ffe0304 esi=00000000 edi=01055b80
eip=0102e2a2 esp=007cff70 ebp=007cffb8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
winlogon!JobThread+0xa9:
001b:0102e2a2 85c0            test    eax,eax
1: kd> dv
        Ignored = 0x00000000
        WaitJob = 0x00000000
 CompletionCode = 4    // 4 = JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO (public SDK winnt.h value): the job is now empty, and lpOverlapped is 0 because no PID accompanies it. The handler excerpted below is labelled JOB_OBJECT_MSG_WINLOGON_TERMINATED yet tests CompletionCode against that very label, which only makes sense if another case (presumably ACTIVE_PROCESS_ZERO) falls into the same body — the excerpt omits that label
  CompletionKey = 0x01232118
        JobInfo = struct _JOBOBJECT_BASIC_PROCESS_ID_LIST
  ProcessStatus = 1
   lpOverlapped = 0x00000000
        MinWait = 0xffffffff
     Overlapped = struct _OVERLAPPED

#define WINLOGON_JOB_TERMINATED                 0x00000004  // the bit the handler below ORs into Job->Flags (0x1b -> 0x1f in the dt output)

            case JOB_OBJECT_MSG_WINLOGON_TERMINATED:

                DebugLog(( DEB_TRACE_JOB, “Job %x:%x completed
“,
                           Job->UniqueId.HighPart,
                           Job->UniqueId.LowPart ));

                EnterCriticalSection( &JobLock );

                Job->Flags |= WINLOGON_JOB_TERMINATED ;

                if ( ( CompletionCode == JOB_OBJECT_MSG_WINLOGON_TERMINATED ) ||
                     ( (Job->Flags & WINLOGON_JOB_KILLED) == 0 ) ||
                     ( (Job->Flags & WINLOGON_JOB_CALLBACKS_DONE) == 0 ))
                {
                    if ( !(Job->Flags & WINLOGON_JOB_DELETED) )
                    {
                        Job->Flags |= WINLOGON_JOB_DELETING;
                        LeaveCriticalSection( &JobLock );
                        if ( Job->Event )
                        {
                            SetEvent( Job->Event );
                        }
                        if ( Job->Callback )
                        {
                           Job->Callback( Job->Parameter );
                        }
                        EnterCriticalSection( &JobLock );
                        Job->Flags &= ~WINLOGON_JOB_DELETING;
                    }

                    Job->Flags |= WINLOGON_JOB_CALLBACKS_DONE ;

                }

                LeaveCriticalSection( &JobLock );
                PulseEvent(hJobLockEvent);

                if ( CompletionCode == JOB_OBJECT_MSG_WINLOGON_TERMINATED )
                {
                    //
                    // For these, we need to keep waiting until the
                    // job object actually empties.  Take away the ref
                    // that we added when this message was posted, and
                    // continue waiting.
                    //

                    Job->Timeout = INFINITE ;

                    DerefWinlogonJob( Job );

                    continue;
                }

                break;

            case JOB_OBJECT_MSG_WINLOGON_TERMINATED:

                DebugLog(( DEB_TRACE_JOB, “Job %x:%x completed
“,
                           Job->UniqueId.HighPart,
                           Job->UniqueId.LowPart ));

1: kd> p
eax=01232120 ebx=77f2e840 ecx=01232124 edx=7ffe0304 esi=01232118 edi=01055b80
eip=0102e344 esp=007cff60 ebp=007cffb8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
winlogon!JobThread+0x14b:
001b:0102e344 e87f39feff      call    winlogon!LogEvent (01011cc8)
1: kd> p
456.504> Winlogon-Trace-Job: Job 0:2766d completed
eax=00000000 ebx=77f2e840 ecx=3dcecad3 edx=00000033 esi=01232118 edi=01055b80
eip=0102e349 esp=007cff60 ebp=007cffb8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
winlogon!JobThread+0x150:
001b:0102e349 83c410          add     esp,10h

1: kd> dt WINLOGON_JOB 0x1232118
   +0x000 List             : _LIST_ENTRY [ 0x1055b98 – 0x1055b98 ]
   +0x008 UniqueId         : _LUID
   +0x010 RefCount         : 0n2
   +0x014 Flags            : 0x1b
   +0x018 Job              : 0x00000eec Void
   +0x01c RootProcess      : (null)
   +0x020 Timeout          : 0xffffffff
   +0x024 Event            : (null)
   +0x028 Callback         : 0x0101ad11     unsigned long  winlogon!ScreenSaverCallback+0    // fired by the TERMINATED handler below with JobLock released and WINLOGON_JOB_DELETING set around the call; Event is NULL so the SetEvent branch is skipped
   +0x02c Parameter        : 0x0006fa6c Void
1: kd> dx -id 0,0,89413020 -r1 (*((winlogon!_LUID *)0x1232120))
(*((winlogon!_LUID *)0x1232120))                 [Type: _LUID]
    [+0x000] LowPart          : 0x2766d [Type: unsigned long]
    [+0x004] HighPart         : 0 [Type: long]

                Job->Flags |= WINLOGON_JOB_TERMINATED ;

1: kd> dt WINLOGON_JOB 0x1232118
   +0x000 List             : _LIST_ENTRY [ 0x1055b98 – 0x1055b98 ]
   +0x008 UniqueId         : _LUID
   +0x010 RefCount         : 0n2
   +0x014 Flags            : 0x1f            // 0x1b -> 0x1f: Job->Flags |= WINLOGON_JOB_TERMINATED (0x4) has just executed
   +0x018 Job              : 0x00000eec Void
   +0x01c RootProcess      : (null)
   +0x020 Timeout          : 0xffffffff
   +0x024 Event            : (null)
   +0x028 Callback         : 0x0101ad11     unsigned long  winlogon!ScreenSaverCallback+0
   +0x02c Parameter        : 0x0006fa6c Void

                if ( ( CompletionCode == JOB_OBJECT_MSG_WINLOGON_TERMINATED ) ||
                     ( (Job->Flags & WINLOGON_JOB_KILLED) == 0 ) ||
                     ( (Job->Flags & WINLOGON_JOB_CALLBACKS_DONE) == 0 ))
                {
                    if ( !(Job->Flags & WINLOGON_JOB_DELETED) )
                    {
                        Job->Flags |= WINLOGON_JOB_DELETING;
                        LeaveCriticalSection( &JobLock );
                        if ( Job->Event )
                        {
                            SetEvent( Job->Event );
                        }
                        if ( Job->Callback )
                        {
                           Job->Callback( Job->Parameter );
                        }
