Declaration: this page is a side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/3045759/
How can I work out what events are being waited for with WinDBG in a kernel debug session
Asked by Benj
I'm a complete WinDbg newbie and I've been trying to debug a WindowsXP problem that a customer has sent me where our software and some third party software prevent windows from logging off. I've reproduced the problem and have verified that only when our software and the customers software are both installed (although not necessarily running at logoff) does the log off problem occur. I've observed that WM_ENDSESSION messages are not reaching the running windows when the user tries to log off and I know that the third party software uses a kernel driver.
I've been looking at the processes in WinDbg and I know that csrss.exe would normally send all the windows a WM_ENDSESSION message. When I ran:
!process 82356020 6
To look at csrss.exe's stack I can see:
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0x7c90e514
THREAD 8246d998 Cid 0248.02a0 Teb: 7ffd7000 Win32Thread: e1627008 WAIT: (WrUserRequest) UserMode Non-Alertable
8243d9f0 SynchronizationEvent
81fe0390 SynchronizationEvent
Not impersonating
DeviceMap e1004450
Owning Process 82356020 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 1813 Ticks: 20748 (0:00:05:24.187)
Context Switch Count 3 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address 0x75b67cdf
Stack Init f80bd000 Current f80bc9c8 Base f80bd000 Limit f80ba000 Call 0
Priority 14 BasePriority 13 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr Args to Child
f80bc9e0 80500ce6 00000000 8246d998 804f9af2 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f80bc9ec 804f9af2 804f986e e1627008 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f80bca24 bf80a4a3 00000002 82475218 00000001 nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
f80bca5c bf88c0a6 00000001 82475218 00000000 win32k!xxxMsgWaitForMultipleObjects+0xb0 (FPO: [Non-Fpo])
f80bcd30 bf87507d bf9ac0a0 00000001 f80bcd54 win32k!xxxDesktopThread+0x339 (FPO: [Non-Fpo])
f80bcd40 bf8010fd bf9ac0a0 f80bcd64 00bcfff4 win32k!xxxCreateSystemThreads+0x6a (FPO: [Non-Fpo])
f80bcd54 8053d648 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23 (FPO: [Non-Fpo])
f80bcd54 7c90e514 00000000 00000022 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f80bcd64)
This WaitForMultipleObjects looks interesting because I'm wondering if csrss.exe is waiting on some event which isn't arriving to allow the logoff. Can anyone tell me how I might find out what event it's waiting for, or anything else I might do to further investigate the problem?
Answered by snoone
The objects being waited on are right there in the output:
THREAD 8246d998 Cid 0248.02a0 Teb: 7ffd7000 Win32Thread: e1627008 WAIT: (WrUserRequest) UserMode Non-Alertable
8243d9f0 SynchronizationEvent
81fe0390 SynchronizationEvent
I'll note though that the thread you're looking at is a common thread, just about every system that you look at will have it (not sure what that thread is for exactly, but I recognize the stack...Sometimes I feel like I've been doing this too long!).
I'll also note that you can't trust the parameters on the stack all of the time. See some details here: http://analyze-v.com/?p=7
-scott
Answered by Jason Evans
To start off, try !object 82475218 to see if that tells you what the object is.
If that fails to help, try this:
http://blogs.msdn.com/search/SearchResults.aspx?q=KeWaitForMultipleObjects
It's a search for KeWaitForMultipleObjects on the NT Debugging Blog, which is a great blog for learning about Windows internals.
EDIT:
Here's the documentation for KeWaitForMultipleObjects: http://msdn.microsoft.com/en-us/library/ff553324.aspx
Cheers. Jas.
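As an added example (not code from the question or from either answer), here is a small Python parser for the `!process <addr> 6` thread block shown in the question. It pulls out the wait reason and the objects the thread is blocked on, decodes the first three arguments of the nt!KeWaitForMultipleObjects frame (Count, Object[], WaitType) and cross-checks Count against the number of listed wait objects, since, as the first answer notes, stack-displayed arguments cannot always be trusted. It then emits the `!object` follow-up from the second answer for each waited-on object. The sample input is constructed inline from the question's own output; the WaitAll/WaitAny decoding assumes the documented _WAIT_TYPE enum values (WaitAll = 0, WaitAny = 1).

```python
import re
from typing import Optional

# Constructed sample input: the thread block and top frames copied from the
# question's `!process 82356020 6` output, trimmed to the lines the parser reads.
SAMPLE_OUTPUT = """\
THREAD 8246d998 Cid 0248.02a0 Teb: 7ffd7000 Win32Thread: e1627008 WAIT: (WrUserRequest) UserMode Non-Alertable
8243d9f0 SynchronizationEvent
81fe0390 SynchronizationEvent
Not impersonating
DeviceMap e1004450
Owning Process 82356020 Image: csrss.exe
Wait Start TickCount 1813 Ticks: 20748 (0:00:05:24.187)
ChildEBP RetAddr Args to Child
f80bc9e0 80500ce6 00000000 8246d998 804f9af2 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f80bc9ec 804f9af2 804f986e e1627008 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f80bca24 bf80a4a3 00000002 82475218 00000001 nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
f80bca5c bf88c0a6 00000001 82475218 00000000 win32k!xxxMsgWaitForMultipleObjects+0xb0 (FPO: [Non-Fpo])
"""

THREAD_RE = re.compile(
    r"^THREAD (?P<thread>[0-9a-f]+) Cid (?P<cid>[0-9a-f]+\.[0-9a-f]+) .*?"
    r"WAIT: \((?P<reason>\w+)\) (?P<mode>\w+) (?P<alertable>[\w-]+)"
)
WAIT_OBJECT_RE = re.compile(r"^(?P<addr>[0-9a-f]{8}) (?P<type>\w+)$")
TICKS_RE = re.compile(r"Ticks: (?P<ticks>\d+) \((?P<elapsed>[\d:.]+)\)")
FRAME_RE = re.compile(
    r"^(?P<childebp>[0-9a-f]{8}) (?P<retaddr>[0-9a-f]{8}) "
    r"(?P<a1>[0-9a-f]{8}) (?P<a2>[0-9a-f]{8}) (?P<a3>[0-9a-f]{8}) (?P<symbol>\S+)"
)
# Assumed _WAIT_TYPE enum values: WaitAll = 0, WaitAny = 1.
WAIT_TYPES = {0: "WaitAll", 1: "WaitAny"}


def parse_thread_wait(text: str) -> dict:
    """Extract wait state, wait objects, wait duration and frames from one thread block."""
    info = {"objects": [], "frames": []}
    in_objects = False
    for line in text.splitlines():
        line = line.strip()
        m = THREAD_RE.match(line)
        if m:
            info.update(m.groupdict())
            in_objects = True  # the waited-on objects follow the THREAD line directly
            continue
        if in_objects:
            m = WAIT_OBJECT_RE.match(line)
            if m:
                info["objects"].append((m["addr"], m["type"]))
                continue
            in_objects = False  # first non-object line ends the list
        m = TICKS_RE.search(line)
        if m:
            info["wait_ticks"] = int(m["ticks"])
            info["wait_elapsed"] = m["elapsed"]
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append(m.groupdict())
    return info


def decode_wait_call(info: dict) -> Optional[dict]:
    """Decode (Count, Object[], WaitType) from the KeWaitForMultipleObjects frame.

    Stack-displayed arguments are not always reliable, so 'consistent' records
    whether Count matches the number of wait objects the debugger listed.
    """
    for frame in info["frames"]:
        if frame["symbol"].startswith("nt!KeWaitForMultipleObjects"):
            count = int(frame["a1"], 16)
            wait_type = int(frame["a3"], 16)
            return {
                "count": count,
                "object_array": int(frame["a2"], 16),
                "wait_type": WAIT_TYPES.get(wait_type, f"unknown({wait_type})"),
                "consistent": count == len(info["objects"]),
            }
    return None


def followup_commands(info: dict) -> list:
    """The `!object` check from the answers, applied to each waited-on object."""
    return [f"!object {addr}" for addr, _ in info["objects"]]


def summarize(text: str) -> str:
    info = parse_thread_wait(text)
    call = decode_wait_call(info)
    lines = [f"thread {info['thread']} (cid {info['cid']}) in {info['reason']} "
             f"{info['mode']} {info['alertable']} wait for {info.get('wait_elapsed', '?')}"]
    lines += [f"  waits on {kind} @ {addr}" for addr, kind in info["objects"]]
    if call:
        verdict = "matches" if call["consistent"] else "DOES NOT match"
        lines.append(f"  KeWaitForMultipleObjects(Count={call['count']}, "
                     f"Object=0x{call['object_array']:08x}, {call['wait_type']}) "
                     f"{verdict} the object list")
    lines += ["  next: " + cmd for cmd in followup_commands(info)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

Run against the question's output it reports a WrUserRequest wait on two SynchronizationEvents, a Count of 2 with WaitAny that agrees with that list, and the two `!object` commands to run next; a mismatch between Count and the listed objects is the signal to distrust the displayed frame arguments.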