- kd> !process 0 0
- PROCESS ffffe001f9652080
- SessionId: 1 Cid: 0da4 Peb: 7ffdf000 ParentCid: 0588
- DirBase: 11d6d000 ObjectTable: ffffc0013e905680 HandleCount: <Data Not Accessible>
- Image: myfile.exe
- kd> !process ffffe001f9652080 7
- 1: kd> !process ffffe001f9652080 7
- PROCESS ffffe001f9652080
- SessionId: 1 Cid: 0da4 Peb: 7ffdf000 ParentCid: 0588
- DirBase: 11d6d000 ObjectTable: ffffc0013e905680 HandleCount: <Data Not Accessible>
- Image: myfile.exe
- VadRoot ffffe001f64dda10 Vads 129 Clone 0 Private 5676. Modified 520. Locked 0.
- DeviceMap ffffc0013dff8c30
- Token ffffc0014336a8e0
- ElapsedTime 00:08:14.197
- UserTime 00:00:00.046
- KernelTime 00:00:00.125
- QuotaPoolUsage[PagedPool] 231392
- QuotaPoolUsage[NonPagedPool] 17632
- Working Set Sizes (now,min,max) (11793, 50, 345) (47172KB, 200KB, 1380KB)
- PeakWorkingSetSize 13859
- VirtualSize 148 Mb
- PeakVirtualSize 159 Mb
- PageFaultCount 24764
- MemoryPriority BACKGROUND
- BasePriority 8
- CommitCharge 6195
- DebugPort ffffe001fa6f0f90
- Job ffffe001f8544620
- THREAD ffffe001fa713440 Cid 0da4.10a4 Teb: 000000007ffdb000 Win32Thread: ffffe001f6822cb0 WAIT: (WrUserRequest) UserMode Non-Alertable
- ffffe001fa4bbb90 SynchronizationEvent
- Not impersonating
- DeviceMap ffffc0013dff8c30
- Owning Process ffffe001f9652080 Image: myfile.exe
- Attached Process N/A Image: N/A
- Wait Start TickCount 56653 Ticks: 2 (0:00:00:00.031)
- Context Switch Count 11053 IdealProcessor: 2
- UserTime 00:00:01.125
- KernelTime 00:00:00.781
- Win32 Start Address 0x000000000044aa31
- Stack Init ffffd00025d59c90 Current ffffd00025d59480
- Base ffffd00025d5a000 Limit ffffd00025d54000 Call 0
- Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
- Child-SP RetAddr : Args to Child : Call Site
- ffffd000`25d594c0 fffff802`a1c92130 : ffffe001`f805e0c0 fffff961`00000000 ffffe001`fa713440 fffff802`a1c8ee76 : nt!KiSwapContext+0x76
- ffffd000`25d59600 fffff802`a1c91b48 : 00000000`00000000 00000000`00010001 00000000`00000000 00000000`00000000 : nt!KiSwapThread+0x160
- ffffd000`25d596b0 fffff802`a1c9120d : 00000000`00000000 00000000`00000000 ffffd000`25d59900 00000000`00000000 : nt!KiCommitThreadWait+0x148
- ffffd000`25d59740 fffff961`00c95dc5 : fffff901`00000000 ffffd000`25d598a0 fffff901`423edb20 fffff901`0000000d : nt!KeWaitForMultipleObjects+0x3fd
- ffffd000`25d59800 fffff961`00c959f8 : fffff901`423edb20 fffff901`423edb20 00000000`00003dff fffff961`00c958a3 : win32kfull!xxxRealSleepThread+0x355
- ffffd000`25d598f0 fffff961`00c94ba0 : ffffd000`25d59b80 00000000`00000000 fffff901`423edb20 00000000`00000000 : win32kfull!xxxSleepThread2+0x98
- ffffd000`25d59940 fffff961`00c93fc0 : ffffd000`25d59ab8 ffffd000`25d5c240 00000000`00000000 00000000`ffffffff : win32kfull!xxxRealInternalGetMessage+0xb70
- ffffd000`25d59a70 fffff802`a1dd2a63 : ffffe001`fa713440 00000000`570a8480 00000000`00000020 00000000`00000000 : win32kfull!NtUserGetMessage+0x90
- ffffd000`25d59b00 00000000`570b344a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`25d59b00)
- 00000000`0009e6b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x570b344a
- THREAD ffffe001fab05840 Cid 0da4.11ac Teb: 000000007fe9e000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
- ffffe001f6741d40 QueueObject
- Not impersonating
- DeviceMap ffffc0013dff8c30
- Owning Process ffffe001f9652080 Image: myfile.exe
- Attached Process N/A Image: N/A
- Wait Start TickCount 51667 Ticks: 4988 (0:00:01:17.937)
- Context Switch Count 34 IdealProcessor: 2
- UserTime 00:00:00.000
- KernelTime 00:00:00.015
- Win32 Start Address 0x0000000077e54630
- Stack Init ffffd000203cfc90 Current ffffd000203cf420
- Base ffffd000203d0000 Limit ffffd000203ca000 Call 0
- Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
- Child-SP RetAddr : Args to Child : Call Site
- ffffd000`203cf460 fffff802`a1c92130 : 0000ffff`00000000 00000000`00000001 ffffe001`fab05980 ffffe001`fab05940 : nt!KiSwapContext+0x76
- ffffd000`203cf5a0 fffff802`a1c91b48 : 00000000`743af562 00000000`00000030 00000000`00000000 ffffe001`f9652578 : nt!KiSwapThread+0x160
- ffffd000`203cf650 fffff802`a1c907a5 : 00000000`69f79021 00000000`00000010 fffffa80`013de6b0 fffffa80`0127b690 : nt!KiCommitThreadWait+0x148
- ffffd000`203cf6e0 fffff802`a1c90382 : ffffe001`f6741d40 00000000`00000000 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x215
- ffffd000`203cf750 fffff802`a1c8fd43 : fffff680`003a1d78 ffffe001`f9652578 ffffd000`203cfa00 00000000`00000000 : nt!IoRemoveIoCompletion+0x82
- ffffd000`203cf870 fffff802`a1dd2a63 : fffff6fb`40001d08 fffff680`003a1d78 ffff504a`eece1c5c 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x303
- ffffd000`203cfa90 00007ff9`eeab538a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`203cfb00)
- 00000000`049eea78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtWaitForWorkViaWorkerFactory+0xa
- Stack Init ffffd00025d59c90 Current ffffd00025d59480
- Stack Init ffffd000203cfc90 Current ffffd000203cf420
- dc ffffd00025d59c90
- dc ffffd000203cfc90