
NEWBIE: what is PROCESS_NAME in the !analyze output when "Only kernel address space is available"


uvts...@yahoo.com
Nov 20, 2009, 4:53:33 AM
Hi,

I read the windbg help page about "Using the !analyze Extension" and I
found that in User-Mode the PROCESS_NAME field specifies the name of
the process that raised the exception.

In the Kernel-Mode section of the help page, PROCESS_NAME is not
described.

I think my crash dump is kernel-mode because it says "Kernel Summary
Dump File: Only kernel address space is available", and yet it still shows
me the PROCESS_NAME.

Does PROCESS_NAME have the same meaning in Kernel-Mode and User-Mode?

Thank you.
Alessandro

Scott Noone
Nov 20, 2009, 12:41:35 PM
That indicates the process context of the faulting processor at the time of
the system crash.

To be more specific, I suspect that what !analyze does is take the current
thread out of the PRCB, get the parent process, and display the 16 character
name from the process object.

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


<uvts...@yahoo.com> wrote in message
news:8ecf6973-10c3-40b7...@e23g2000yqd.googlegroups.com...
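Following Scott's description, here is an added example (not part of his reply) of the kd commands that expose the data he suspects !analyze consults: the current thread recorded in the PRCB, the process that owns it, and the fixed-size image name stored in the process object. It assumes a loaded kernel dump from a 32-bit XP-era target like the one in this thread, where the @$prcb, @$thread and @$proc pseudo-registers and the public nt structure names below are available.

```windbg
$$ Added example, not from the thread: where a kernel-mode PROCESS_NAME
$$ comes from. Run against an already-loaded kernel or full memory dump.

$$ The PRCB of the faulting processor records the thread that was running
$$ when the system crashed. !pcr 0 prints the processor 0 control region
$$ (including CurrentThread); the dt line reads the same field directly.
!pcr 0
dt nt!_KPRCB @$prcb CurrentThread

$$ @$thread and @$proc are the debugger's current thread and its owning
$$ process; after !analyze -v they reflect the crash context.
!thread @$thread
dt nt!_EPROCESS @$proc ImageFileName

$$ ImageFileName is a 16-byte UCHAR array (15 characters plus NUL), which is
$$ why PROCESS_NAME is truncated for long executable names. The user-mode
$$ view of the same process is not truncated; compare it via the PEB.
.process /r /p @$proc
!peb
```

If the CurrentThread shown by !pcr differs from @$thread, the debugger context has been moved (for example by an earlier .thread); re-run !analyze -v or `.thread` with no argument to return to the crash context before reading the process name.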

uvts...@yahoo.com
Nov 27, 2009, 6:04:07 AM
On Nov 20, 6:41 pm, "Scott Noone" <sno...@osr.com> wrote:
> That indicates the process context of the faulting processor at the time of
> the system crash.
>
> To be more specific, I suspect that what !analyze does is take the current
> thread out of the PRCB, get the parent process, and display the 16 character
> name from the process object.
>
> -scott

Thank you Scott, I appreciate your help.

Now I have PROCESS_NAME: svchost.exe and the crash "Probably caused
by : tcpip.sys ( tcpip!TCPDataRequestComplete+2e )".
Is there any way to know what services were hosted by svchost.exe?

thank you.
Alessandro



Marc Sherman
Nov 30, 2009, 5:02:41 PM
svchost.exe's command line may tell you. `!peb` to see the command line works
with user mode dumps. Not sure if it'll work for a kernel mode dump.

<uvts...@yahoo.com> wrote in message
news:ca4499ed-b1c7-4915...@j4g2000yqe.googlegroups.com...

uvts...@yahoo.com
Dec 2, 2009, 5:40:52 AM
On Nov 30, 11:02 pm, "Marc Sherman" <masherman1...@yahoo.com> wrote:
> svchost.exe's command line may tell you. `!peb` to see command line works
> with user mode dumps. Not sure if it'll work for kernel mode dump.

It seems to work even for a kernel mode dump; it shows me:

CommandLine: 'C:\WINDOWS\system32\svchost.exe -k NetworkService'

Marc, Thank you very much for your help!
Alessandro

Marc Sherman
Dec 2, 2009, 7:36:00 PM
Glad it helped :-)

Also, a user mode stack trace may give you more context into what it was
doing (as long as there are MS symbols for the calls it makes).

good luck,
Marc

<uvts...@yahoo.com> wrote in message
news:e0ad9b03-04e5-408e...@k17g2000yqh.googlegroups.com...

uvts...@yahoo.com
Dec 3, 2009, 2:47:36 AM
On Dec 3, 1:36 am, "Marc Sherman" <masherman1...@yahoo.com> wrote:
> Glad it helped :-)
>
> Also, a user mode stack trace may give you more context into what it was
> doing (as long as there are MS symbols for the calls it makes).

newbie question:
Hello, how can I get a user mode dump?
I get the kernel dump "automatically" "as it happens", but how can I
get the user mode dump at the same time?

thank you.
All the best,
Alessandro


Scott Noone
Dec 3, 2009, 11:32:21 AM
>I get the kernel dump "automatically" "as it happens", but how can I
>get the user mode dump at the same time?

Generate a full memory dump and then you can look at the user mode state of
any process.

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


<uvts...@yahoo.com> wrote in message
news:772df4e8-62fc-4939...@d20g2000yqh.googlegroups.com...

uvts...@yahoo.com
Dec 4, 2009, 8:01:37 AM
On Dec 3, 5:32 pm, "Scott Noone" <sno...@osr.com> wrote:
> >I get the kernel dump "automatically" "as it happens", but how can I
> >get the user mode dump at the same time?
>
> Generate a full memory dump and then you can look at the user mode state of
> any process.
>

OK, my dump is already a full memory one.

Could you suggest a tutorial to me so I can learn how to "look at the user
mode state of any process"?

Thank you very much.

Alessandro

Scott Noone
Dec 4, 2009, 9:54:39 AM
>Could you suggest me any tutorial to learn how to "look at the user
>mode state of any process"?

Here's a post that describes switching to different threads and looking at
their user mode state:

http://analyze-v.com/?p=336

It also introduces most of the commands you'd need for anything else. For
example, to dump out all of the threads in a process with all of their
stacks:

0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
...
PROCESS 8134eda0 SessionId: 0 Cid: 0c24 Peb: 7ffdf000 ParentCid: 075c
DirBase: 02200400 ObjectTable: e1c60650 HandleCount: 32.
Image: cmd.exe

0: kd> .PROCESS /r /p 8134eda0
Implicit process is now 8134eda0
Loading User Symbols
.......................
0: kd> !process 8134eda0
PROCESS 8134eda0 SessionId: 0 Cid: 0c24 Peb: 7ffdf000 ParentCid: 075c
DirBase: 02200400 ObjectTable: e1c60650 HandleCount: 32.
Image: cmd.exe
VadRoot 8190d630 Vads 55 Clone 0 Private 157. Modified 1. Locked 0.
DeviceMap e180a588
Token e1bf8b68
ElapsedTime 00:01:10.921
UserTime 00:00:00.015
KernelTime 00:00:00.046
QuotaPoolUsage[PagedPool] 58620
QuotaPoolUsage[NonPagedPool] 2200
Working Set Sizes (now,min,max) (665, 50, 345) (2660KB, 200KB, 1380KB)
PeakWorkingSetSize 666
VirtualSize 28 Mb
PeakVirtualSize 35 Mb
PageFaultCount 698
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 500

THREAD 813485b0 Cid 0c24.0c28 Teb: 7ffde000 Win32Thread: e16f6d28
WAIT: (WrLpcReply) UserMode Non-Alertable
813487a4 Semaphore Limit 0x1
Waiting for reply to LPC MessageId 00003263:
Current LPC port e1c6fcc8
Not impersonating
DeviceMap e180a588
Owning Process 0 Image: <Unknown>
Attached Process 8134eda0 Image: cmd.exe
Wait Start TickCount 13532 Ticks: 3468
(0:00:00:54.187)
Context Switch Count 172 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.046
Win32 Start Address cmd!mainCRTStartup (0x4ad05046)
Start Address kernel32!BaseProcessStartThunk (0x7c810705)
Stack Init f068d000 Current f068cc50 Base f068d000 Limit f0689000
Call 0
Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16
ChildEBP RetAddr
f068cc68 80503846 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f068cc74 804fb078 nt!KiSwapThread+0x8a (FPO: [0,0,0])
f068cc9c 805a3397 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
f068cd50 8054162c nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])
f068cd50 7c90e514 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ f068cd64)
0013fc48 7c90daea ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0013fc4c 7c912de8 ntdll!ZwRequestWaitReplyPort+0xc (FPO: [3,0,0])
0013fc6c 7c872a51 ntdll!CsrClientCallServer+0x8c (FPO: [4,0,4])
0013fd68 7c872bee kernel32!ReadConsoleInternal+0x1be (FPO: [Non-Fpo])
0013fdf4 4ad0efef kernel32!ReadConsoleW+0x42 (FPO: [5,22,4])
0013fe5c 4ad0f0d3 cmd!ReadBufFromConsole+0xb5 (FPO: [4,16,0])
0013fe88 4ad021ca cmd!FillBuf+0x174 (FPO: [0,2,4])
0013fe8c 4ad020e6 cmd!GetByte+0x11 (FPO: [0,0,0])
0013fea8 4ad0205f cmd!Lex+0x6b (FPO: [2,2,0])
0013feb8 4ad0200d cmd!GeToken+0x20 (FPO: [1,0,0])
0013fec8 4ad01f98 cmd!ParseStatement+0x36 (FPO: [1,0,4])
0013fedc 4ad0f0fc cmd!Parser+0x46 (FPO: [3,0,4])
0013ff44 4ad05154 cmd!main+0x1d6 (FPO: [Non-Fpo])
0013ffc0 7c817077 cmd!mainCRTStartup+0x125 (FPO: [Non-Fpo])
0013fff0 00000000 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

<uvts...@yahoo.com> wrote in message
news:4e66d0bb-cf23-4ca4...@b2g2000yqi.googlegroups.com...
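Marc's `!peb` tip and Scott's thread walk, combined into one kd session on a full memory dump, as an added example that is not part of either post. The process and thread addresses are constructed placeholders in the style of Scott's output (substitute the ones your dump prints), and the registry key named in the comments is standard Windows, not something taken from the thread.

```windbg
$$ Added example, not from the posts above: from a full memory dump, find the
$$ svchost.exe instance behind the crash context, read its command line (which
$$ tells you the service group it hosts), then dump its threads and stacks.

$$ 1. List only the svchost.exe processes. The trailing image name filters
$$    !process output; the two zeros mean "all processes, minimal detail".
!process 0 0 svchost.exe

$$ 2. Make the chosen process the implicit process. /p switches the page
$$    directory so user-mode addresses resolve; /r reloads user symbols.
$$    Pick the PROCESS address whose Cid matches the crash context (or the
$$    one that !analyze reported as PROCESS_NAME). 8134eda0 is a placeholder.
.process /r /p 8134eda0
!peb
$$ The CommandLine line of the !peb output, e.g. "svchost.exe -k NetworkService",
$$ names the service group. Which services belong to that group is recorded on
$$ the affected machine under
$$ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (value = group name).

$$ 3. Dump every thread of the process with its stack. Flags 7 = times and
$$    priority (1) + thread list (2) + thread stacks (4). Giving a single
$$    process address with no flags, as Scott did, defaults to full detail (0xF).
!process 8134eda0 7

$$ 4. For one interesting thread, switch the implicit thread (and process, /p)
$$    and print the stack with frame arguments. In a full memory dump the
$$    user-mode frames appear below the KiFastCallEntry / KiFastSystemCallRet
$$    transition; without user symbols (.reload /user) they show as raw addresses.
.thread /p /r 813485b0
kv
```

If step 2 prints only the kernel part of the PEB or the user frames in step 4 stay unresolved, the dump is a kernel-only dump (the "Only kernel address space is available" case from the first post) and the user-mode state is simply not present; a full memory dump, as Scott notes, is required for this walk.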
