Case of the Word Scroll Hangs in Citrix

A simple one-page document was causing Word to freeze on opening, and if it ever did open, attempting to use the scroll bar caused parts of a background image to appear intermittently.

Three dump files were collected using Task Manager; we see the following stacks. Examples 2 and 3 were taken from the same instance of the process.

Example #1

Process Uptime: 0 days 0:00:52.000

0:000:x86> !runaway
User Mode Time
  Thread       Time
   0:1ab4      0 days 0:00:44.468
   6:1ae4      0 days 0:00:00.015
  13:19fc      0 days 0:00:00.000
  12:2d0       0 days 0:00:00.000
  11:2510      0 days 0:00:00.000
  10:1fdc      0 days 0:00:00.000
   9:192c      0 days 0:00:00.000
   8:1220      0 days 0:00:00.000
   7:1e80      0 days 0:00:00.000
   5:2590      0 days 0:00:00.000
   4:15d8      0 days 0:00:00.000
   3:2448      0 days 0:00:00.000
   2:31c       0 days 0:00:00.000
   1:2418      0 days 0:00:00.000
0:000:x86> k
ChildEBP RetAddr 
001f546c 063f41dc GdiPlus!FLOOR+0x9
001f5478 063f41f6 GdiPlus!FPUStateSaver::Round+0x1d
001f5484 064dc28c GdiPlus!GpRound+0x11
001f54b4 064dcc34 GdiPlus!GpRecolorObject::TransformColor5x5+0x199
001f54c8 064dd03e GdiPlus!GpRecolorObject::ComputeColorTwist+0x91
001f54ec 06421894 GdiPlus!GpRecolorObject::ColorAdjust+0xfa
001f54fc 064e12e1 GdiPlus!GpRecolor::ColorAdjust+0x1e
001f5510 064e0d81 GdiPlus!GpRecolorOp::Run+0x18
001f5534 064ebe7d GdiPlus!GpBitmapOps::ReleasePixelDataBuffer+0x8a
001f55ec 064dd31e GdiPlus!GpWicDecoder::Decode+0x169
001f5600 064dda0f GdiPlus!GpDecodedImage::InternalPushIntoSink+0x2d
001f5618 064de571 GdiPlus!GpDecodedImage::PushIntoSink+0x3c
001f568c 06434fc6 GdiPlus!GpMemoryBitmap::InitImageBitmap+0x15f
001f56e0 06436c63 GdiPlus!CopyOnWriteBitmap::PipeLockBitsFromDecoder+0xa5
001f57bc 06436e69 GdiPlus!CopyOnWriteBitmap::PipeLockBits+0x56b
001f57d4 06441df8 GdiPlus!GpBitmap::PipeLockBits+0x50
001f5c68 06444718 GdiPlus!GpGraphics::DrvDrawImage+0x1eff
001f5d60 0644487d GdiPlus!GpGraphics::DrawImage+0x386
001f5dc4 0640e8da GdiPlus!GpGraphics::DrawImage+0x66
001f5e38 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
WARNING: Stack unwind information not available. Following frames may be wrong.
001f5ea8 64d1f58b MSO!Ordinal1458+0x20b
001f619c 64d1ef43 MSO!Ordinal1458+0x566
001f61f8 64d1ee85 MSO!Ordinal8926+0x115
001f6248 64d1bcbf MSO!Ordinal8926+0x57
001f69c4 64d1e666 MSO!Ordinal6882+0x6a3
001f6a00 64d1e5b8 MSO!Ordinal3379+0x214
001f6c4c 64d196fc MSO!Ordinal3379+0x166
001f6c74 64d1eeb6 MSO!Ordinal1075+0x2a5d
001f6c98 64d1968e MSO!Ordinal8926+0x88
001f6ca8 64d194ff MSO!Ordinal1075+0x29ef
001f79a4 64d19363 MSO!Ordinal1075+0x2860
001f79cc 64d171e8 MSO!Ordinal1075+0x26c4
001f7ad8 64cfb39b MSO!Ordinal1075+0x549
001f7b44 313ce150 MSO!Ordinal423+0x155
001f7c3c 312351a0 WWLIB!DllGetLCID+0x1b20da
001f7c80 31235169 WWLIB!DllGetLCID+0x1912a
001f7fb8 310cfdee WWLIB!DllGetLCID+0x190f3
001f80a8 310c50b4 WWLIB!GetAllocCounters+0xa9996
001f80d8 310e980e WWLIB!GetAllocCounters+0x9ec5c
001f8130 3108050c WWLIB!GetAllocCounters+0xc33b6
001f81b0 310247b5 WWLIB!GetAllocCounters+0x5a0b4
001f81f0 766462fa WWLIB!DllGetClassObject+0xf161
001f821c 76647316 user32!InternalCallWinProc+0x23
001f8294 76646de8 user32!UserCallWinProcCheckWow+0xd8
001f82f0 76646e44 user32!DispatchClientMessage+0xe0
001f832c 7753010a user32!__fnDWORD+0x2b
001f8374 310794a3 ntdll_77520000!KiUserCallbackDispatcher+0x2e
001f8394 3107935a WWLIB!GetAllocCounters+0x5304b
001f83d8 3107f72b WWLIB!GetAllocCounters+0x52f02
001f83e4 3107f63e WWLIB!GetAllocCounters+0x592d3
001f8410 649e18c6 WWLIB!GetAllocCounters+0x591e6
001f843c 649e1682 MSO!Ordinal10331+0x399
001f844c 649e161d MSO!Ordinal10331+0x155
001f8460 31078dd8 MSO!Ordinal10331+0xf0
001f84b8 310252b7 WWLIB!GetAllocCounters+0x52980
001faa0c 310247b5 WWLIB!DllGetClassObject+0xfc63
001faa4c 766462fa WWLIB!DllGetClassObject+0xf161
001faa78 76646d3a user32!InternalCallWinProc+0x23
001faaf0 76650d27 user32!UserCallWinProcCheckWow+0x109
001fab28 76650d4d user32!CallWindowProcAorW+0xab
001fab48 70ebf443 user32!CallWindowProcW+0x1b
001fab64 70ebf5ee comctl32_70e90000!CallOriginalWndProc+0x1a
001fabc8 70ebf5a2 comctl32_70e90000!CallNextSubclassProc+0x3d
001fabec 6494e298 comctl32_70e90000!DefSubclassProc+0x46
001fac34 6494def5 MSO!Ordinal4894+0x74f
001fac60 70ebf5ee MSO!Ordinal4894+0x3ac
001facc4 70ebf490 comctl32_70e90000!CallNextSubclassProc+0x3d
001fad24 766462fa comctl32_70e90000!MasterSubclassProc+0x54
001fad50 76646d3a user32!InternalCallWinProc+0x23
001fadc8 766490c9 user32!UserCallWinProcCheckWow+0x109
001fae58 76646a8c user32!RealDefWindowProcWorker+0x622
001fae78 6d360b64 user32!RealDefWindowProcW+0x4a
001faed4 6d360b96 uxtheme!_ThemeDefWindowProc+0x197
001faef0 7664729a uxtheme!ThemeDefWindowProcW+0x18
001faf38 310249b5 user32!DefWindowProcW+0x68
001fd490 310247b5 WWLIB!DllGetClassObject+0xf361
001fd4d0 766462fa WWLIB!DllGetClassObject+0xf161
001fd4fc 76646d3a user32!InternalCallWinProc+0x23
001fd574 76650d27 user32!UserCallWinProcCheckWow+0x109
001fd5ac 76650d4d user32!CallWindowProcAorW+0xab
001fd5cc 70ebf443 user32!CallWindowProcW+0x1b
001fd5e8 70ebf5ee comctl32_70e90000!CallOriginalWndProc+0x1a
001fd64c 70ebf5a2 comctl32_70e90000!CallNextSubclassProc+0x3d
001fd670 6494e298 comctl32_70e90000!DefSubclassProc+0x46
001fd6b8 6494def5 MSO!Ordinal4894+0x74f
001fd6e4 70ebf5ee MSO!Ordinal4894+0x3ac
001fd748 70ebf490 comctl32_70e90000!CallNextSubclassProc+0x3d
001fd7a8 766462fa comctl32_70e90000!MasterSubclassProc+0x54
001fd7d4 76647316 user32!InternalCallWinProc+0x23
001fd84c 76646de8 user32!UserCallWinProcCheckWow+0xd8
001fd8a8 76648fa7 user32!DispatchClientMessage+0xe0
001fd8e4 7753010a user32!__fnINLPWINDOWPOS+0x2c
001fd988 649aa323 ntdll_77520000!KiUserCallbackDispatcher+0x2e
001fd9b8 3107553b MSO!Ordinal2880+0x2e
001fd9d4 310754eb WWLIB!GetAllocCounters+0x4f0e3
001fd9f8 310754c5 WWLIB!GetAllocCounters+0x4f093
001fda3c 3107476f WWLIB!GetAllocCounters+0x4f06d
001fda78 310746d9 WWLIB!GetAllocCounters+0x4e317
001ffbe8 2fa31625 WWLIB!GetAllocCounters+0x4e281
001ffc0c 2fa315aa WINWORD+0x1625
001ffc9c 769e336a WINWORD+0x15aa
001ffca8 77559f72 kernel32!BaseThreadInitThunk+0xe
001ffce8 77559f45 ntdll_77520000!__RtlUserThreadStart+0x70
001ffd00 00000000 ntdll_77520000!_RtlUserThreadStart+0x1b


Example #2

Process Uptime: 0 days 0:02:01.000

0:000:x86> !runaway
User Mode Time
  Thread       Time
   0:2100      0 days 0:01:52.640
   6:1624      0 days 0:00:00.046
   3:2510      0 days 0:00:00.015
  12:21bc      0 days 0:00:00.000
  11:1e4c      0 days 0:00:00.000
  10:15b8      0 days 0:00:00.000
   9:1628      0 days 0:00:00.000
   8:1a90      0 days 0:00:00.000
   7:1060      0 days 0:00:00.000
   5:2664      0 days 0:00:00.000
   4:440       0 days 0:00:00.000
   2:2488      0 days 0:00:00.000
   1:147c      0 days 0:00:00.000
0:000:x86> k
ChildEBP RetAddr 
0040a300 663c0ee0 GdiPlus!DpOutputSpanStretch<1>::OutputSpan+0x361
0040a334 663e9b58 GdiPlus!EpAntialiasedFiller::OutputSpan+0x31
0040a358 663c10ed GdiPlus!DpClipRegion::OutputSpan+0x51
0040a378 663c1e3a GdiPlus!EpAntialiasedFiller::GenerateOutputAndClearCoverage+0x64
0040a3a0 663c0dda GdiPlus!EpAntialiasedFiller::FillEdgesAlternate+0x104
0040a3b8 663c2474 GdiPlus!RasterizeEdges+0xa9
0040ae70 663cb0f6 GdiPlus!RasterizePath+0x2d0
0040b05c 66392054 GdiPlus!DpDriver::DrawImage+0x240
0040b50c 66394718 GdiPlus!GpGraphics::DrvDrawImage+0x215b
0040b604 6639487d GdiPlus!GpGraphics::DrawImage+0x386
0040b668 6635e8da GdiPlus!GpGraphics::DrawImage+0x66
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for MSO.DLL –
0040b6dc 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
WARNING: Stack unwind information not available. Following frames may be wrong.
0040b74c 64d1f58b MSO!Ordinal1458+0x20b
0040ba40 64d1ef43 MSO!Ordinal1458+0x566
0040ba9c 64d1ee85 MSO!Ordinal8926+0x115
0040baec 64d1bcbf MSO!Ordinal8926+0x57
0040c268 64d1e666 MSO!Ordinal6882+0x6a3
0040c2a4 64d1e5b8 MSO!Ordinal3379+0x214
0040c4f0 64d196fc MSO!Ordinal3379+0x166
0040c518 64d1eeb6 MSO!Ordinal1075+0x2a5d
0040c53c 64d1968e MSO!Ordinal8926+0x88
0040c54c 64d194ff MSO!Ordinal1075+0x29ef
0040d248 64d19363 MSO!Ordinal1075+0x2860
0040d270 64d171e8 MSO!Ordinal1075+0x26c4
0040d37c 64cfb39b MSO!Ordinal1075+0x549
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for WWLIB.DLL –
0040d3e8 50f9e150 MSO!Ordinal423+0x155
0040d4e0 50e051a0 WWLIB!DllGetLCID+0x1b20da
0040d524 50e05169 WWLIB!DllGetLCID+0x1912a
0040d85c 50c9fdee WWLIB!DllGetLCID+0x190f3
0040d94c 50c950b4 WWLIB!GetAllocCounters+0xa9996
0040d97c 50cb980e WWLIB!GetAllocCounters+0x9ec5c
0040d9d4 50c5050c WWLIB!GetAllocCounters+0xc33b6
0040da54 50bf47b5 WWLIB!GetAllocCounters+0x5a0b4
0040da94 766462fa WWLIB!DllGetClassObject+0xf161
0040dac0 76647316 user32!InternalCallWinProc+0x23
0040db38 76646de8 user32!UserCallWinProcCheckWow+0xd8
0040db94 76646e44 user32!DispatchClientMessage+0xe0
0040dbd0 7753010a user32!__fnDWORD+0x2b
0040dc5c 50c463ce ntdll_77520000!KiUserCallbackDispatcher+0x2e
0040dc6c 50e44725 WWLIB!GetAllocCounters+0x4ff76
0040dc84 50c45cad WWLIB!DllGetLCID+0x586af
0040dcac 50c446d9 WWLIB!GetAllocCounters+0x4f855
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for WINWORD.EXE –
0040fe1c 2fe71625 WWLIB!GetAllocCounters+0x4e281
0040fe40 2fe715aa WINWORD+0x1625
0040fed0 769e336a WINWORD+0x15aa
0040fedc 77559f72 kernel32!BaseThreadInitThunk+0xe
0040ff1c 77559f45 ntdll_77520000!__RtlUserThreadStart+0x70
0040ff34 00000000 ntdll_77520000!_RtlUserThreadStart+0x1b

Example #3

Process Uptime: 0 days 0:03:04.000

0:000:x86> !runaway
User Mode Time
  Thread       Time
   0:2100      0 days 0:02:46.406
   5:1624      0 days 0:00:00.046
   3:2510      0 days 0:00:00.015
  11:2780      0 days 0:00:00.000
  10:21bc      0 days 0:00:00.000
   9:1e4c      0 days 0:00:00.000
   8:15b8      0 days 0:00:00.000
   7:1628      0 days 0:00:00.000
   6:1a90      0 days 0:00:00.000
   4:440       0 days 0:00:00.000
   2:2488      0 days 0:00:00.000
   1:147c      0 days 0:00:00.000
0:000:x86> k
ChildEBP RetAddr 
0040ad1c 663441f6 GdiPlus!FPUStateSaver::Round+0x18
0040ad28 6642c28c GdiPlus!GpRound+0x11
0040ad58 6642cc34 GdiPlus!GpRecolorObject::TransformColor5x5+0x199
0040ad6c 6642d03e GdiPlus!GpRecolorObject::ComputeColorTwist+0x91
0040ad90 66371894 GdiPlus!GpRecolorObject::ColorAdjust+0xfa
0040ada0 664312e1 GdiPlus!GpRecolor::ColorAdjust+0x1e
0040adb4 66430d81 GdiPlus!GpRecolorOp::Run+0x18
0040add8 6643be7d GdiPlus!GpBitmapOps::ReleasePixelDataBuffer+0x8a
0040ae90 6642d31e GdiPlus!GpWicDecoder::Decode+0x169
0040aea4 6642da0f GdiPlus!GpDecodedImage::InternalPushIntoSink+0x2d
0040aebc 6642e571 GdiPlus!GpDecodedImage::PushIntoSink+0x3c
0040af30 66384fc6 GdiPlus!GpMemoryBitmap::InitImageBitmap+0x15f
0040af84 66386c63 GdiPlus!CopyOnWriteBitmap::PipeLockBitsFromDecoder+0xa5
0040b060 66386e69 GdiPlus!CopyOnWriteBitmap::PipeLockBits+0x56b
0040b078 66391df8 GdiPlus!GpBitmap::PipeLockBits+0x50
0040b50c 66394718 GdiPlus!GpGraphics::DrvDrawImage+0x1eff
0040b604 6639487d GdiPlus!GpGraphics::DrawImage+0x386
0040b668 6635e8da GdiPlus!GpGraphics::DrawImage+0x66
0040b6dc 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
WARNING: Stack unwind information not available. Following frames may be wrong.
0040b74c 64d1f58b MSO!Ordinal1458+0x20b
0040ba40 64d1ef43 MSO!Ordinal1458+0x566
0040ba9c 64d1ee85 MSO!Ordinal8926+0x115
0040baec 64d1bcbf MSO!Ordinal8926+0x57
0040c268 64d1e666 MSO!Ordinal6882+0x6a3
0040c2a4 64d1e5b8 MSO!Ordinal3379+0x214
0040c4f0 64d196fc MSO!Ordinal3379+0x166
0040c518 64d1eeb6 MSO!Ordinal1075+0x2a5d
0040c53c 64d1968e MSO!Ordinal8926+0x88
0040c54c 64d194ff MSO!Ordinal1075+0x29ef
0040d248 64d19363 MSO!Ordinal1075+0x2860
0040d270 64d171e8 MSO!Ordinal1075+0x26c4
0040d37c 64cfb39b MSO!Ordinal1075+0x549
0040d3e8 50f9e150 MSO!Ordinal423+0x155
0040d4e0 50e051a0 WWLIB!DllGetLCID+0x1b20da
0040d524 50e05169 WWLIB!DllGetLCID+0x1912a
0040d85c 50c9fdee WWLIB!DllGetLCID+0x190f3
0040d94c 50c950b4 WWLIB!GetAllocCounters+0xa9996
0040d97c 50cb980e WWLIB!GetAllocCounters+0x9ec5c
0040d9d4 50c5050c WWLIB!GetAllocCounters+0xc33b6
0040da54 50bf47b5 WWLIB!GetAllocCounters+0x5a0b4
0040da94 766462fa WWLIB!DllGetClassObject+0xf161
0040dac0 76647316 user32!InternalCallWinProc+0x23
0040db38 76646de8 user32!UserCallWinProcCheckWow+0xd8
0040db94 76646e44 user32!DispatchClientMessage+0xe0
0040dbd0 7753010a user32!__fnDWORD+0x2b
0040dc5c 50c463ce ntdll_77520000!KiUserCallbackDispatcher+0x2e
0040dc6c 50e44725 WWLIB!GetAllocCounters+0x4ff76
0040dc84 50c45cad WWLIB!DllGetLCID+0x586af
0040dcac 50c446d9 WWLIB!GetAllocCounters+0x4f855
0040fe1c 2fe71625 WWLIB!GetAllocCounters+0x4e281
0040fe40 2fe715aa WINWORD+0x1625
0040fed0 769e336a WINWORD+0x15aa
0040fedc 77559f72 kernel32!BaseThreadInitThunk+0xe
0040ff1c 77559f45 ntdll_77520000!__RtlUserThreadStart+0x70
0040ff34 00000000 ntdll_77520000!_RtlUserThreadStart+0x1b

In all three dumps the busy thread (thread 0 in !runaway) is inside GdiPlus, so we are dealing with the graphics library.
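The reasoning above, comparing several hang dumps of the same process, can be mechanised: pick the thread that has accumulated the user-mode time from !runaway, then intersect the k stacks to find the frames every snapshot shares. The script below is an added example, not part of the original post; the !runaway and stack excerpts embedded in it are constructed from the output quoted above (shortened, offsets kept), and the function names are my own.

```python
"""Triage several hang dumps of one process: pick the thread burning CPU
from `!runaway` output and find the frames every `k` stack shares."""
import re
from collections import Counter

# Constructed excerpts modelled on the WinDbg output quoted in the post
RUNAWAY = """\
User Mode Time
  Thread       Time
   0:2100      0 days 0:01:52.640
   6:1624      0 days 0:00:00.046
   3:2510      0 days 0:00:00.015
  12:21bc      0 days 0:00:00.000
"""

STACKS = [
    """\
ChildEBP RetAddr
001f546c 063f41dc GdiPlus!FLOOR+0x9
001f5478 063f41f6 GdiPlus!FPUStateSaver::Round+0x1d
001f5484 064dc28c GdiPlus!GpRound+0x11
001f5c68 06444718 GdiPlus!GpGraphics::DrvDrawImage+0x1eff
001f5d60 0644487d GdiPlus!GpGraphics::DrawImage+0x386
001f5e38 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
WARNING: Stack unwind information not available. Following frames may be wrong.
001f5ea8 64d1f58b MSO!Ordinal1458+0x20b
001f7c3c 312351a0 WWLIB!DllGetLCID+0x1b20da
001ffca8 77559f72 kernel32!BaseThreadInitThunk+0xe
""",
    """\
ChildEBP RetAddr
0040a300 663c0ee0 GdiPlus!DpOutputSpanStretch<1>::OutputSpan+0x361
0040a3b8 663c2474 GdiPlus!RasterizeEdges+0xa9
0040b05c 66392054 GdiPlus!DpDriver::DrawImage+0x240
0040b50c 66394718 GdiPlus!GpGraphics::DrvDrawImage+0x215b
0040b604 6639487d GdiPlus!GpGraphics::DrawImage+0x386
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for MSO.DLL -
0040b6dc 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
0040b74c 64d1f58b MSO!Ordinal1458+0x20b
0040d4e0 50e051a0 WWLIB!DllGetLCID+0x1b20da
0040fedc 77559f72 kernel32!BaseThreadInitThunk+0xe
""",
    """\
ChildEBP RetAddr
0040ad1c 663441f6 GdiPlus!FPUStateSaver::Round+0x18
0040ad28 6642c28c GdiPlus!GpRound+0x11
0040b50c 66394718 GdiPlus!GpGraphics::DrvDrawImage+0x1eff
0040b604 6639487d GdiPlus!GpGraphics::DrawImage+0x386
0040b6dc 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
0040b74c 64d1f58b MSO!Ordinal1458+0x20b
0040d4e0 50e051a0 WWLIB!DllGetLCID+0x1b20da
0040fedc 77559f72 kernel32!BaseThreadInitThunk+0xe
""",
]

_RUNAWAY_RE = re.compile(
    r"^\s*(\d+):([0-9a-f]+)\s+(\d+) days (\d+):(\d+):(\d+)\.(\d+)\s*$", re.I)
_FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (\S+)$", re.I)


def parse_runaway(text):
    """[(thread_index, thread_id, user_seconds)] sorted by descending user time."""
    rows = []
    for line in text.splitlines():
        m = _RUNAWAY_RE.match(line)
        if m:
            idx, tid, days, h, mi, s, frac = m.groups()
            secs = (int(days) * 86400 + int(h) * 3600 + int(mi) * 60 + int(s)
                    + int(frac) / 10 ** len(frac))
            rows.append((int(idx), tid, secs))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def hot_thread(text):
    """The thread that accumulated the most user-mode time, or None."""
    rows = parse_runaway(text)
    return rows[0] if rows else None


def parse_stack(text):
    """`module!symbol+offset` strings from `k` output; headers and warnings are skipped."""
    return [m.group(1) for m in (_FRAME_RE.match(l.strip()) for l in text.splitlines()) if m]


def common_frames(stacks, ignore_offset=True):
    """Frames present in every stack, listed in the order of the first stack.

    With ignore_offset=True, DrvDrawImage+0x1eff and DrvDrawImage+0x215b count as
    the same frame: the caller is identical even though the return site moved."""
    if not stacks:
        return []
    norm = [[f.split("+", 1)[0] if ignore_offset else f for f in s] for s in stacks]
    shared = set(norm[0]).intersection(*(set(s) for s in norm[1:]))
    out = []
    for f in norm[0]:
        if f in shared and f not in out:
            out.append(f)
    return out


def top_module(frames, depth=5):
    """Module owning most of the innermost `depth` frames, i.e. where the time goes."""
    return Counter(f.split("!", 1)[0] for f in frames[:depth]).most_common(1)[0][0]


if __name__ == "__main__":
    idx, tid, secs = hot_thread(RUNAWAY)
    print(f"hot thread {idx}:{tid} used {secs:.3f}s of user time")
    parsed = [parse_stack(s) for s in STACKS]
    print("innermost module in each dump:", [top_module(p) for p in parsed])
    print("frames shared by all dumps:", common_frames(parsed))
```

The innermost frames differ between snapshots (FLOOR, OutputSpan, Round), which is normal for a CPU-bound loop; what stays constant is the DrvDrawImage / DrawImage / GdipDrawImagePointsRect chain called from MSO, and that shared chain is what points at the image-drawing code rather than at whichever leaf function happened to be executing when the dump was taken.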

0:000:x86> lmvm gdiplus
start             end                 module name
66320000 664b0000   GdiPlus    (pdb symbols)          c:\symbols\MicrosoftWindowsGdiPlus-1.1.7601.17514-gdiplus.pdb\999409491C874F1DAA3DBBD44C54AC201\MicrosoftWindowsGdiPlus-1.1.7601.17514-gdiplus.pdb
    Loaded symbol image file: GdiPlus.dll
    Image path: C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
    Image name: GdiPlus.dll
    Timestamp:        Sat Nov 20 22:55:00 2010 (4CE7B714)
    CheckSum:         00191664
    ImageSize:        00190000
    File version:     6.1.7601.17514
    Product version:  6.1.7601.17514
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     gdiplus
    OriginalFilename: gdiplus
    ProductVersion:   6.1.7601.17514
    FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)
    FileDescription:  Microsoft GDI+
    LegalCopyright:   © Microsoft Corporation. All rights reserved.


The issue is reported as the image not always showing correctly, and the stacks show that some kind of image processing is going on. Let’s see if we can extract the image from the DMP file.

We’ll start by checking whether any JPEGs are loaded. To do this we search process memory for the JPEG file header, which is the bytes FF D8 FF E0 00 10 4A 46 49 46:

0:000:x86> s 0 L?80000000 FF D8 FF E0 00 10 4A 46 49 46
06950000  ff d8 ff e0 00 10 4a 46-49 46 00 01 02 01 04 b0  ……JFIF……

Now we need to find the JPEG “end of file” marker, which is the bytes FF D9:

0:000:x86> s -[sn1]b 06950000 L?80000000 FF D9
06d756dd  ff d9 00 00 00 00 00 00-00 00 00 00 00 00 00 00  …………….
                                             ^ Overflow error in ‘s -[sn1]b 06950000 l?80000000 FF D9′

The overflow error is expected, because we used sn1 to return only the first match. Adding 2 to 06d756dd (the two bytes of the FF D9 marker itself) gives the end address, so we can now write out the file:

0:000:x86> .writemem c:\support\jpg1.jpg 6950000 L?(06d756dd+2-06950000)
Writing 4256df bytes

We need to use L? in this case because the range is greater than 1 MB in size.

The image extracts fine, and looking at its properties we can see it is a very high resolution image: 9,922 x 14,032 pixels.

image

Reducing the image size in the document fixed the issue.
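The carving procedure above (find the JFIF header, find the next FF D9, write out start..end+2) works on this document, but a first-FF-D9 search stops early whenever the image carries an EXIF thumbnail, because that thumbnail is itself a JPEG with its own EOI inside the APP1 segment. The script below is an added example, not from the original post: it walks the JPEG marker segments from each JFIF header instead, skips the entropy-coded scan data (where FF is always stuffed as FF 00), reads the dimensions from the SOF segment, and compares its result with the post’s first-FF-D9 method. The buffer MEMORY and the build_sample_jpeg helper are constructed sample data, not bytes from the dump; on a real case you would read the bytes from a raw memory image or from a region saved with .writemem.

```python
"""Carve JPEG images out of a raw memory buffer.

Walks the JPEG marker structure from each JFIF header instead of stopping
at the first FF D9, so an EOI inside an embedded EXIF thumbnail does not
truncate the carve, and reads the image dimensions from the SOF segment.
"""
import struct

# FF D8 FF E0 00 10 "JFIF": the SOI + APP0 signature searched for in the post
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A464946")
# Start-of-frame markers (baseline, progressive, lossless, ...) carry height/width
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Markers with no length field: SOI, TEM and RST0-RST7
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def parse_jpeg(data, start):
    """Walk segments from the SOI at `start`.

    Returns (end_offset_exclusive, (width, height) or None), or None when the
    bytes are not a well-formed JPEG (bad marker, truncated buffer).
    """
    n = len(data)
    if data[start:start + 2] != b"\xff\xd8":
        return None
    pos, dims = start + 2, None
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the carve ends here
            return pos + 2, dims
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seglen < 2 or pos + 2 + seglen > n:
            return None
        if marker in SOF_MARKERS and seglen >= 7:
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            dims = (width, height)
        pos += 2 + seglen
        if marker == 0xDA:            # SOS: skip entropy data; FF is stuffed as FF 00
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def naive_end(data, start):
    """The post's method: first FF D9 after the header, plus 2 for the marker."""
    eoi = data.find(b"\xff\xd9", start)
    return None if eoi < 0 else eoi + 2


def carve_jpegs(data):
    """Find every JFIF header and carve the image that starts there."""
    found, pos = [], 0
    while True:
        start = data.find(JFIF_HEADER, pos)
        if start < 0:
            return found
        parsed = parse_jpeg(data, start)
        if parsed is None:            # header without a parseable body: keep scanning
            pos = start + 1
            continue
        end, dims = parsed
        found.append({"start": start, "end": end, "length": end - start,
                      "width": dims[0] if dims else None,
                      "height": dims[1] if dims else None})
        pos = end


# --- constructed sample buffer (not bytes from a real dump) -------------------
def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(width, height, thumbnail_eoi=True):
    """Minimal JPEG-shaped bytes: not a decodable picture, but structurally valid."""
    app0 = b"JFIF\x00\x01\x02\x01\x00\x48\x00\x48\x00\x00"   # 16-byte APP0, as in the post's header
    app1 = b"Exif\x00\x00\xff\xd8" + b"\x00" * 8 + (b"\xff\xd9" if thumbnail_eoi else b"")
    sof0 = b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"                         # entropy data with a stuffed FF
    return (b"\xff\xd8" + _segment(0xE0, app0) + _segment(0xE1, app1)
            + _segment(0xC0, sof0) + _segment(0xDA, sos) + scan + b"\xff\xd9")


MEMORY = (b"\x00" * 64 + build_sample_jpeg(9922, 14032)
          + b"\x11" * 32 + build_sample_jpeg(640, 480, thumbnail_eoi=False)
          + b"\x00" * 16)

if __name__ == "__main__":
    for img in carve_jpegs(MEMORY):
        naive = naive_end(MEMORY, img["start"]) - img["start"]
        print(f"JPEG at 0x{img['start']:x}: {img['length']} bytes, "
              f"{img['width']} x {img['height']} px (first-FF-D9 method: {naive} bytes)")
```

For the first sample image the first-FF-D9 method returns 42 bytes (it stops at the thumbnail’s EOI inside APP1) while the marker walk returns the full 73; for the second image, which has no thumbnail EOI, both agree. The dimensions come straight from the SOF segment, so an oversized image like the 9,922 x 14,032 one in this case can be flagged without writing the file out and opening it.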

Posted in Citrix, Office, WinDbg

PowerShell Script to Extract Info From ADMX

Note: This script may need tweaking to handle all ADMX content scenarios. If in doubt, compare the output with gpedit.msc and adjust the script as necessary.

Also, this currently doesn’t handle special characters in the explanation text; they will come back as question marks.

This also provides some examples of querying XML content via PowerShell.

How this works:

1) scans $policyDir for .ADMX files

2) under the language folder (i.e. en-US) the corresponding ADML file is opened to translate the string references in the ADMX into the local language.

3) adds the contents to a DataTable, which is exported to CSV at the end.

4) PowerShell is very slow at loops, so this is not a very high-performance method and will take a while to process all the files.

It is possible to extract more information out of the ADMX than is shown here; examine the contents of the $policy variable within the loop, for example.

$policyDir = "$($env:windir)\policyDefinitions"
$language = "en-US"
$outputfilename = "C:\support\group_policy.csv"

# One row per policy setting
$table = New-Object System.Data.DataTable
[void]$table.Columns.Add("ADMX")
[void]$table.Columns.Add("Parent Category")
[void]$table.Columns.Add("Name")
[void]$table.Columns.Add("Display Name")
[void]$table.Columns.Add("Class")
[void]$table.Columns.Add("Explain Text")
[void]$table.Columns.Add("Supported On")
[void]$table.Columns.Add("Key")
[void]$table.Columns.Add("Value Name")

$admxFiles = Get-ChildItem $policyDir -filter *.admx

ForEach ($file in $admxFiles) {
    [xml]$data = Get-Content "$policyDir\$($file.Name)"
    # The matching ADML file holds the localized strings referenced as $(string.<id>)
    [xml]$lang = Get-Content "$policyDir\$language\$($file.Name.Replace(".admx",".adml"))"
    $policyText = $lang.policyDefinitionResources.resources.stringTable.ChildNodes

    $data.PolicyDefinitions.policies.ChildNodes | ForEach-Object {
        $policy = $_
        if ($policy -ne $null) {
            if ($policy.Name -ne "#comment") {
                "Processing policy $($policy.Name)"
                # Substring(9) strips the "$(string." prefix, TrimEnd(')') the closing bracket
                $displayName = ($policyText | Where-Object { $_.id -eq $policy.displayName.Substring(9).TrimEnd(')') }).'#text'
                $explainText = ($policyText | Where-Object { $_.id -eq $policy.explainText.Substring(9).TrimEnd(')') }).'#text'

                # A "prefix:id" ref points into another ADMX/ADML pair (e.g. windows:SUPPORTED_Win7)
                if ($policy.SupportedOn.ref.Contains(":")) {
                    $source = $policy.SupportedOn.ref.Split(":")[0]
                    $valueName = $policy.SupportedOn.ref.Split(":")[1]
                    [xml]$adml = Get-Content "$policyDir\$language\$source.adml"
                    $resourceText = $adml.policyDefinitionResources.resources.stringTable.ChildNodes
                    $supportedOn = ($resourceText | Where-Object { $_.id -eq $valueName }).'#text'
                } else {
                    $supportedOnID = ($data.policyDefinitions.supportedOn.definitions.ChildNodes | Where-Object { $_.Name -eq $policy.supportedOn.ref }).DisplayName
                    $supportedOn = ($policyText | Where-Object { $_.id -eq $supportedOnID.Substring(9).TrimEnd(')') }).'#text'
                }

                # Same lookup for the parent category, split on the parentCategory ref
                if ($policy.parentCategory.ref.Contains(":")) {
                    $source = $policy.parentCategory.ref.Split(":")[0]
                    $valueName = $policy.parentCategory.ref.Split(":")[1]
                    [xml]$adml = Get-Content "$policyDir\$language\$source.adml"
                    $resourceText = $adml.policyDefinitionResources.resources.stringTable.ChildNodes
                    $parentCategory = ($resourceText | Where-Object { $_.id -eq $valueName }).'#text'
                } else {
                    $parentCategoryID = ($data.policyDefinitions.categories.ChildNodes | Where-Object { $_.Name -eq $policy.parentCategory.ref }).DisplayName
                    $parentCategory = ($policyText | Where-Object { $_.id -eq $parentCategoryID.Substring(9).TrimEnd(')') }).'#text'
                }

                [void]$table.Rows.Add($file.Name, $parentCategory, $policy.Name, $displayName, $policy.class, $explainText, $supportedOn, $policy.key, $policy.valueName)
            }
        }
    }
}

$table | Export-Csv $outputfilename -NoTypeInformation

Posted in Group Policy, PowerShell

Windows 10–Active Memory Dump

Windows 10 brings a new type of memory dump: Active Memory Dump. I love this feature, just what I’ve been waiting for.

To analyze Windows 10 Technical Preview dump files, ensure you have the symbols from http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

This memory dump is much more compact than a complete memory dump, while still containing the “active memory” of both the kernel and user-mode address space.

We can now get both user and kernel space without having to dump complete memory. After recently having to deal with several 32 GB dump files on slow networks… I really welcome this feature…

Here are 3 dmp files created just after logging on, each with a different crash dump setting. The default is “automatic memory” dump.

image

image

Loading Dump File [Z:\ACTIVE_MEMORY.DMP]
Kernel Bitmap Dump File: Full address space is available

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\programdata\red gate\.NET Reflector\DevPath
Deferred                                       SRV*C:\netsymbols*
http://referencesource.microsoft.com/symbols
Deferred                                       SRV*C:\symbols\*http://msdl.microsoft.com/download/symbols
Symbol search path is: C:\programdata\red gate\.NET Reflector\DevPath;SRV*C:\netsymbols*http://referencesource.microsoft.com/symbols;SRV*C:\symbols\*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9841 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9841.0.x86fre.fbl_release.140912-1613
Machine Name:
Kernel base = 0x80c04000 PsLoadedModuleList = 0x80e1b6d8
Debug session time: Thu Oct  2 18:39:22.554 2014 (UTC + 10:00)
System Uptime: 0 days 0:02:36.160
Loading Kernel Symbols
……………………………………………………..Page 330e not present in the dump file. Type “.hh dbgerr004″ for details
.
……Page c40 not present in the dump file. Type “.hh dbgerr004″ for details
………………………………………………….
………………………
Loading User Symbols
……………………..
Loading unloaded module list
…….
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {a7601550, 2, 0, 8a1b05ab}

*** ERROR: Module load completed but symbols could not be loaded for myfault.sys
*** ERROR: Module load completed but symbols could not be loaded for NotMyfault.exe
Page 3bf3c not present in the dump file. Type “.hh dbgerr004″ for details
Analysis in progress… Time Elapsed: [39.59s] Current Phase: [Check Image Analysis], to halt analysis, press CTRL-C twice within 2 seconds.

Probably caused by : myfault.sys ( myfault+5ab )

Followup: MachineOwner
———

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 83b55c80  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001a8000  ObjectTable: 81403000  HandleCount: <Data Not Accessible>
    Image: System

PROCESS 887cdc80  SessionId: none  Cid: 010c    Peb: 7fe17000  ParentCid: 0004
    DirBase: 3ffe3020  ObjectTable: 8853b100  HandleCount: <Data Not Accessible>
    Image: smss.exe

PROCESS 8874b480  SessionId: 0  Cid: 016c    Peb: 7fa5d000  ParentCid: 0160
    DirBase: 3ffe3060  ObjectTable: 814f1780  HandleCount: <Data Not Accessible>
    Image: csrss.exe

PROCESS 83bb22c0  SessionId: 0  Cid: 01b8    Peb: 7fb1b000  ParentCid: 0160
    DirBase: 3ffe30a0  ObjectTable: 8c24c040  HandleCount: <Data Not Accessible>
    Image: wininit.exe

PROCESS 83bc1040  SessionId: 1  Cid: 01c0    Peb: 7f239000  ParentCid: 01ac
    DirBase: 3ffe30c0  ObjectTable: 8c24e100  HandleCount: <Data Not Accessible>
    Image: csrss.exe

PROCESS 83bd65c0  SessionId: 1  Cid: 01e0    Peb: 7fc3f000  ParentCid: 01ac
    DirBase: 3ffe3040  ObjectTable: 814caf80  HandleCount: <Data Not Accessible>
    Image: winlogon.exe

PROCESS a04fe040  SessionId: 0  Cid: 022c    Peb: 7ff5f000  ParentCid: 01b8
    DirBase: 3ffe3080  ObjectTable: 80178840  HandleCount: <Data Not Accessible>
    Image: services.exe

PROCESS a0517040  SessionId: 0  Cid: 0234    Peb: 7fb2f000  ParentCid: 01b8
    DirBase: 3ffe30e0  ObjectTable: 8017f040  HandleCount: <Data Not Accessible>
    Image: lsass.exe

PROCESS a0556040  SessionId: 0  Cid: 0274    Peb: 7f35a000  ParentCid: 022c
    DirBase: 3ffe3100  ObjectTable: 801ea540  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a055f640  SessionId: 0  Cid: 0294    Peb: 7fa8f000  ParentCid: 022c
    DirBase: 3ffe3120  ObjectTable: a3053640  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a0596cc0  SessionId: 1  Cid: 030c    Peb: 7f086000  ParentCid: 01e0
    DirBase: 3ffe3160  ObjectTable: a3113e00  HandleCount: <Data Not Accessible>
    Image: dwm.exe

PROCESS a05e8300  SessionId: 0  Cid: 0350    Peb: 7f12a000  ParentCid: 022c
    DirBase: 3ffe3180  ObjectTable: a3189e40  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a05f5040  SessionId: 0  Cid: 0370    Peb: 7f447000  ParentCid: 022c
    DirBase: 3ffe31a0  ObjectTable: a584eec0  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a05fe040  SessionId: 0  Cid: 038c    Peb: 7fbc6000  ParentCid: 022c
    DirBase: 3ffe31c0  ObjectTable: a5857900  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a5628cc0  SessionId: 0  Cid: 03a8    Peb: 7f61b000  ParentCid: 022c
    DirBase: 3ffe31e0  ObjectTable: a58c0380  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a56679c0  SessionId: 0  Cid: 0490    Peb: 7f47d000  ParentCid: 022c
    DirBase: 3ffe3220  ObjectTable: a593d440  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a56dc180  SessionId: 0  Cid: 0544    Peb: 7f4ef000  ParentCid: 022c
    DirBase: 3ffe3260  ObjectTable: a59ea980  HandleCount: <Data Not Accessible>
    Image: spoolsv.exe

PROCESS a56ecac0  SessionId: 0  Cid: 056c    Peb: 7f43f000  ParentCid: 022c
    DirBase: 3ffe3280  ObjectTable: a59f1e00  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a57885c0  SessionId: 0  Cid: 060c    Peb: 7f89d000  ParentCid: 022c
    DirBase: 3ffe3240  ObjectTable: a7044480  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a57e8140  SessionId: 0  Cid: 06ac    Peb: 7fc1f000  ParentCid: 022c
    DirBase: 3ffe32a0  ObjectTable: a71821c0  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS a9e02100  SessionId: 0  Cid: 06e8    Peb: 7f24c000  ParentCid: 03a8
    DirBase: 3ffe32c0  ObjectTable: a71a13c0  HandleCount: <Data Not Accessible>
    Image: dasHost.exe

PROCESS a9e54040  SessionId: 0  Cid: 0790    Peb: 7fd1d000  ParentCid: 022c
    DirBase: 3ffe32e0  ObjectTable: aa2ec240  HandleCount: <Data Not Accessible>
    Image: prl_tools_service.exe

PROCESS a9f05200  SessionId: 0  Cid: 07e0    Peb: 7ff2f000  ParentCid: 022c
    DirBase: 3ffe3300  ObjectTable: aa32ff80  HandleCount: <Data Not Accessible>
    Image: coherence.exe

PROCESS a9f0d280  SessionId: 1  Cid: 07f0    Peb: 7faac000  ParentCid: 0790
    DirBase: 3ffe3320  ObjectTable: aa3a7b00  HandleCount: <Data Not Accessible>
    Image: prl_tools.exe

PROCESS a9f43040  SessionId: 0  Cid: 0138    Peb: 7f6fe000  ParentCid: 022c
    DirBase: 3ffe3340  ObjectTable: aa3b4ec0  HandleCount: <Data Not Accessible>
    Image: dllhost.exe

PROCESS a9fb0040  SessionId: 1  Cid: 06e4    Peb: 7fa8c000  ParentCid: 07e0
    DirBase: 3ffe33c0  ObjectTable: aaa22540  HandleCount: <Data Not Accessible>
    Image: coherence.exe

PROCESS a9fbf640  SessionId: 0  Cid: 0420    Peb: 7f6cf000  ParentCid: 022c
    DirBase: 3ffe33e0  ObjectTable: aaa7d040  HandleCount: <Data Not Accessible>
    Image: MsMpEng.exe

PROCESS ab23d800  SessionId: 0  Cid: 08bc    Peb: 7f19f000  ParentCid: 022c
    DirBase: 3ffe33a0  ObjectTable: aaa94e80  HandleCount: <Data Not Accessible>
    Image: VSSVC.exe

PROCESS ab26d040  SessionId: 0  Cid: 0914    Peb: 7fb4f000  ParentCid: 022c
    DirBase: 3ffe3360  ObjectTable: a5972f80  HandleCount: <Data Not Accessible>
    Image: dllhost.exe

PROCESS ab2dfcc0  SessionId: 1  Cid: 09f4    Peb: 7fb16000  ParentCid: 09e0
    DirBase: 3ffe3420  ObjectTable: ad06c700  HandleCount: <Data Not Accessible>
    Image: explorer.exe

PROCESS a9f78040  SessionId: 1  Cid: 0a00    Peb: 7f408000  ParentCid: 0350
    DirBase: 3ffe3440  ObjectTable: abd06bc0  HandleCount: <Data Not Accessible>
    Image: taskhostex.exe

PROCESS ab37ecc0  SessionId: 1  Cid: 0a88    Peb: 7f809000  ParentCid: 0274
    DirBase: 3ffe3460  ObjectTable: ad6bd940  HandleCount: <Data Not Accessible>
    Image: ChsIME.exe

PROCESS ab3d4580  SessionId: 0  Cid: 0bc4    Peb: 7f4e3000  ParentCid: 022c
    DirBase: 3ffe3480  ObjectTable: ad724b80  HandleCount: <Data Not Accessible>
    Image: msdtc.exe

PROCESS ab3f1040  SessionId: 0  Cid: 0c74    Peb: 7f5b6000  ParentCid: 0274
    DirBase: 3ffe3380  ObjectTable: 8c246240  HandleCount: <Data Not Accessible>
    Image: WmiPrvSE.exe

PROCESS a9fab940  SessionId: 0  Cid: 0ce8    Peb: 7f076000  ParentCid: 022c
    DirBase: 3ffe34a0  ObjectTable: ad7a6340  HandleCount: <Data Not Accessible>
    Image: SearchIndexer.exe

PROCESS 81e4d940  SessionId: 1  Cid: 0dd8    Peb: 7fd6c000  ParentCid: 0274
    DirBase: 3ffe3200  ObjectTable: b09ac040  HandleCount: <Data Not Accessible>
    Image: SkyDrive.exe

PROCESS ab367cc0  SessionId: 0  Cid: 0df0    Peb: 7f9b8000  ParentCid: 0ce8
    DirBase: 3ffe3140  ObjectTable: b2e3ebc0  HandleCount: <Data Not Accessible>
    Image: SearchProtocolHost.exe

PROCESS b5787cc0  SessionId: 0  Cid: 0e90    Peb: 7f144000  ParentCid: 0ce8
    DirBase: 3ffe34c0  ObjectTable: b09c25c0  HandleCount: <Data Not Accessible>
    Image: SearchFilterHost.exe

PROCESS afb04240  SessionId: 1  Cid: 0f18    Peb: 7f72f000  ParentCid: 09f4
    DirBase: 3ffe3500  ObjectTable: b09d3b80  HandleCount: <Data Not Accessible>
    Image: prl_cc.exe

PROCESS ab3e5580  SessionId: 1  Cid: 0fa4    Peb: 7f8df000  ParentCid: 0274
    DirBase: 3ffe3520  ObjectTable: b2f211c0  HandleCount: <Data Not Accessible>
    Image: SettingSyncHost.exe

PROCESS a2a549c0  SessionId: 1  Cid: 08d8    Peb: 7ff3c000  ParentCid: 09f4
    DirBase: 3ffe3540  ObjectTable: ad64fe40  HandleCount: <Data Not Accessible>
    Image: iexplore.exe

PROCESS 81f2dcc0  SessionId: 1  Cid: 09a0    Peb: 7f95d000  ParentCid: 08d8
    DirBase: 3ffe3560  ObjectTable: a5901b40  HandleCount: <Data Not Accessible>
    Image: iexplore.exe

PROCESS ab28fbc0  SessionId: 1  Cid: 005c    Peb: 7fdcf000  ParentCid: 0274
DeepFreeze
    DirBase: 3ffe35a0  ObjectTable: 8ae5d600  HandleCount: <Data Not Accessible>
    Image: livecomm.exe

PROCESS ab2ddcc0  SessionId: 1  Cid: 0c40    Peb: 7fc37000  ParentCid: 0274
    DirBase: 3ffe3400  ObjectTable: b88d1240  HandleCount: <Data Not Accessible>
    Image: RuntimeBroker.exe

PROCESS afb61280  SessionId: 1  Cid: 0ec0    Peb: 7f9ef000  ParentCid: 0ce8
    DirBase: 3ffe3580  ObjectTable: b083e4c0  HandleCount: <Data Not Accessible>
    Image: SearchProtocolHost.exe

PROCESS 89cbec40  SessionId: 0  Cid: 0808    Peb: 7fdff000  ParentCid: 022c
    DirBase: 3ffe3600  ObjectTable: a1897880  HandleCount: <Data Not Accessible>
    Image: sppsvc.exe

PROCESS a2b83040  SessionId: 0  Cid: 0518    Peb: 7f3fe000  ParentCid: 022c
    DirBase: 3ffe35c0  ObjectTable: a1891d80  HandleCount: <Data Not Accessible>
    Image: wmpnetwk.exe

PROCESS a9fac040  SessionId: 1  Cid: 0414    Peb: 7f6e6000  ParentCid: 0350
    DirBase: 3ffe34e0  ObjectTable: 00000000  HandleCount:   0.
    Image: consent.exe

PROCESS a2bbf040  SessionId: 0  Cid: 03f0    Peb: 7fa74000  ParentCid: 038c
    DirBase: 3ffe3620  ObjectTable: ad005440  HandleCount: <Data Not Accessible>
    Image: audiodg.exe

PROCESS a9f1b840  SessionId: 1  Cid: 0630    Peb: 7f51d000  ParentCid: 0274
    DirBase: 3ffe3640  ObjectTable: b89fac40  HandleCount: <Data Not Accessible>
    Image: dllhost.exe

PROCESS a9f73040  SessionId: 0  Cid: 0140    Peb: 7f248000  ParentCid: 0274
    DirBase: 3ffe3660  ObjectTable: b888cf80  HandleCount: <Data Not Accessible>
    Image: dllhost.exe

PROCESS a9f89cc0  SessionId: 1  Cid: 0758    Peb: 7fb9f000  ParentCid: 09f4
    DirBase: 3ffe3680  ObjectTable: 80155540  HandleCount: <Data Not Accessible>
    Image: NotMyfault.exe

kd> lmv
start    end        module name
00ed0000 00ee8000   NotMyfault   (no symbols)          
    Loaded symbol image file: NotMyfault.exe
    Image path: C:\Users\Malcolm\Downloads\NotMyFault\x86\NotMyfault.exe
    Image name: NotMyfault.exe
    Timestamp:        Sun Apr 08 02:34:41 2012 (4F806CA1)
    CheckSum:         00022E54
    ImageSize:        00018000
    File version:     4.0.0.0
    Product version:  4.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Sysinternals – http://www.sysinternals.com
    ProductName:      Sysinternals NotMyfault
    InternalName:     Sysinternals NotMyfault
    OriginalFilename: NotMyfault.exe
    ProductVersion:   4.0
    FileVersion:      4.0
    FileDescription:  Driver Bug Test Program
    LegalCopyright:   Copyright © 2002-2012 Mark Russinovich
734f0000 736f1000   COMCTL32   (pdb symbols)          c:\symbols\comctl32.pdb\C8FBB1ECACEF4FB48365E9A5B3E4EEE01\comctl32.pdb
    Loaded symbol image file: COMCTL32.dll
    Image path: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9841.0_none_38d154a85935aa0a\COMCTL32.dll
    Image name: COMCTL32.dll
    Timestamp:        Sat Sep 13 13:16:10 2014 (5413B6FA)
    CheckSum:         00205CDE
    ImageSize:        00201000
    File version:     6.10.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     comctl32
    OriginalFilename: comctl32.DLL
    ProductVersion:   6.4.9841.0
    FileVersion:      6.10 (fbl_release.140912-1613)
    FileDescription:  User Experience Controls Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
73700000 73796000   apphelp    (deferred)            
    Image path: C:\Windows\system32\apphelp.dll
    Image name: apphelp.dll
    Timestamp:        Sat Sep 13 13:14:24 2014 (5413B690)
    CheckSum:         000A1D75
    ImageSize:        00096000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     Apphelp
    OriginalFilename: Apphelp
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Application Compatibility Client Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
737a0000 737b9000   dwmapi     (deferred)            
    Image path: C:\Windows\system32\dwmapi.dll
    Image name: dwmapi.dll
    Timestamp:        Sat Sep 13 11:53:47 2014 (5413A3AB)
    CheckSum:         0001EB15
    ImageSize:        00019000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     dwmapi.dll
    OriginalFilename: dwmapi.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Microsoft Desktop Window Manager API
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
73c30000 73cce000   uxtheme    (deferred)            
    Image path: C:\Windows\system32\uxtheme.dll
    Image name: uxtheme.dll
    Timestamp:        Sat Sep 13 13:15:38 2014 (5413B6DA)
    CheckSum:         0009EA4C
    ImageSize:        0009E000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     UxTheme.dll
    OriginalFilename: UxTheme.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Microsoft UxTheme Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
73cf0000 73cfa000   kernel_appcore   (deferred)            
    Image path: C:\Windows\SYSTEM32\kernel.appcore.dll
    Image name: kernel.appcore.dll
    Timestamp:        Sat Sep 13 12:39:12 2014 (5413AE50)
    CheckSum:         00007FB8
    ImageSize:        0000A000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel.appcore.dll
    OriginalFilename: kernel.appcore.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  AppModel API Host
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
74200000 74227000   ntmarta    (deferred)            
    Image path: C:\Windows\SYSTEM32\ntmarta.dll
    Image name: ntmarta.dll
    Timestamp:        Sat Sep 13 12:02:47 2014 (5413A5C7)
    CheckSum:         00030C75
    ImageSize:        00027000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntmarta.dll
    OriginalFilename: ntmarta.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Windows NT MARTA provider
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
749f0000 74a43000   bcryptPrimitives   (deferred)            
    Image path: C:\Windows\SYSTEM32\bcryptPrimitives.dll
    Image name: bcryptPrimitives.dll
    Timestamp:        Sat Sep 13 12:43:03 2014 (5413AF37)
    CheckSum:         000530A3
    ImageSize:        00053000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     bcryptprimitives.dll
    OriginalFilename: bcryptprimitives.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Windows Cryptographic Primitives Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
74b20000 74b29000   CRYPTBASE   (deferred)            
    Image path: C:\Windows\SYSTEM32\CRYPTBASE.dll
    Image name: CRYPTBASE.dll
    Timestamp:        Sat Sep 13 12:19:58 2014 (5413A9CE)
    CheckSum:         0000D9FF
    ImageSize:        00009000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     cryptbase.dll
    OriginalFilename: cryptbase.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Base cryptographic API DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
74b40000 74b5f000   bcrypt     (deferred)            
    Image path: C:\Windows\SYSTEM32\bcrypt.dll
    Image name: bcrypt.dll
    Timestamp:        Sat Sep 13 12:45:34 2014 (5413AFCE)
    CheckSum:         0002DA71
    ImageSize:        0001F000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     bcrypt.dll
    OriginalFilename: bcrypt.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Windows Cryptographic Primitives Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
74ee0000 7503f000   KERNELBASE   (pdb symbols)          c:\symbols\kernelbase.pdb\F83BAE59DD40463DAA4D1FD37820C8BC1\kernelbase.pdb
    Loaded symbol image file: KERNELBASE.dll
    Image path: C:\Windows\system32\KERNELBASE.dll
    Image name: KERNELBASE.dll
    Timestamp:        Sat Sep 13 12:19:04 2014 (5413A998)
    CheckSum:         001632C8
    ImageSize:        0015F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
75040000 75197000   USER32     (pdb symbols)          c:\symbols\user32.pdb\88592CFA9DB54056BC655C02CC98AB791\user32.pdb
    Loaded symbol image file: USER32.dll
    Image path: C:\Windows\system32\USER32.dll
    Image name: USER32.dll
    Timestamp:        Sat Sep 13 11:59:36 2014 (5413A508)
    CheckSum:         00159B76
    ImageSize:        00157000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     user32
    OriginalFilename: user32
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Multi-User Windows USER API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
751a0000 75219000   ADVAPI32   (deferred)            
    Image path: C:\Windows\system32\ADVAPI32.dll
    Image name: ADVAPI32.dll
    Timestamp:        Sat Sep 13 12:15:16 2014 (5413A8B4)
    CheckSum:         000833A7
    ImageSize:        00079000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     advapi32.dll
    OriginalFilename: advapi32.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Advanced Windows 32 Base API
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
75220000 752a1000   SHCORE     (deferred)            
    Image path: C:\Windows\system32\SHCORE.DLL
    Image name: SHCORE.DLL
    Timestamp:        Sat Sep 13 11:51:50 2014 (5413A336)
    CheckSum:         0008CE8B
    ImageSize:        00081000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     SHCORE
    OriginalFilename: SHCORE.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  SHCORE
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
752b0000 75436000   combase    (deferred)            
    Image path: C:\Windows\system32\combase.dll
    Image name: combase.dll
    Timestamp:        Sat Sep 13 11:54:25 2014 (5413A3D1)
    CheckSum:         00189DFA
    ImageSize:        00186000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     COMBASE.DLL
    OriginalFilename: COMBASE.DLL
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Microsoft COM for Windows
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
75440000 7546e000   IMM32      (deferred)            
    Image path: C:\Windows\system32\IMM32.DLL
    Image name: IMM32.DLL
    Timestamp:        Sat Sep 13 11:59:17 2014 (5413A4F5)
    CheckSum:         0003A5FA
    ImageSize:        0002E000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     imm32
    OriginalFilename: imm32
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Multi-User Windows IMM32 API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
75610000 75652000   SHLWAPI    (deferred)            
    Image path: C:\Windows\system32\SHLWAPI.dll
    Image name: SHLWAPI.dll
    Timestamp:        Sat Sep 13 11:33:08 2014 (54139ED4)
    CheckSum:         0004F30D
    ImageSize:        00042000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     SHLWAPI
    OriginalFilename: SHLWAPI.DLL
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Shell Light-weight Utility Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
756e0000 75833000   GDI32      (deferred)            
    Image path: C:\Windows\system32\GDI32.dll
    Image name: GDI32.dll
    Timestamp:        Sat Sep 13 12:44:46 2014 (5413AF9E)
    CheckSum:         001575A7
    ImageSize:        00153000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     gdi32
    OriginalFilename: gdi32
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  GDI Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
75890000 7594e000   msvcrt     (deferred)            
    Image path: C:\Windows\system32\msvcrt.dll
    Image name: msvcrt.dll
    Timestamp:        Sat Sep 13 13:18:46 2014 (5413B796)
    CheckSum:         000C23C9
    ImageSize:        000BE000
    File version:     7.0.9841.0
    Product version:  6.1.8638.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     msvcrt.dll
    OriginalFilename: msvcrt.dll
    ProductVersion:   7.0.9841.0
    FileVersion:      7.0.9841.0 (fbl_release.140912-1613)
    FileDescription:  Windows NT CRT DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
75950000 75992000   sechost    (deferred)            
    Image path: C:\Windows\system32\sechost.dll
    Image name: sechost.dll
    Timestamp:        Sat Sep 13 12:19:01 2014 (5413A995)
    CheckSum:         0004EFD3
    ImageSize:        00042000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     sechost.dll
    OriginalFilename: sechost.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Host for SCM/SDDL/LSA Lookup APIs
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
759b0000 76cba000   SHELL32    (deferred)            
    Image path: C:\Windows\system32\SHELL32.dll
    Image name: SHELL32.dll
    Timestamp:        Sat Sep 13 11:37:28 2014 (54139FD8)
    CheckSum:         0133360E
    ImageSize:        0130A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
76e30000 76ec0000   KERNEL32   (pdb symbols)          c:\symbols\kernel32.pdb\CC55D9DB2B87455DB0696749DD510C6C1\kernel32.pdb
    Loaded symbol image file: KERNEL32.DLL
    Image path: C:\Windows\system32\KERNEL32.DLL
    Image name: KERNEL32.DLL
    Timestamp:        Sat Sep 13 13:13:34 2014 (5413B65E)
    CheckSum:         000A0A9F
    ImageSize:        00090000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
77060000 77174000   MSCTF      (deferred)            
    Image path: C:\Windows\system32\MSCTF.dll
    Image name: MSCTF.dll
    Timestamp:        Sat Sep 13 11:52:46 2014 (5413A36E)
    CheckSum:         0011E8BF
    ImageSize:        00114000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
77180000 7721a000   comdlg32   (deferred)            
    Image path: C:\Windows\system32\comdlg32.dll
    Image name: comdlg32.dll
    Timestamp:        Sat Sep 13 12:00:04 2014 (5413A524)
    CheckSum:         000A3373
    ImageSize:        0009A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
77220000 772ed000   RPCRT4     (deferred)            
    Image path: C:\Windows\system32\RPCRT4.dll
    Image name: RPCRT4.dll
    Timestamp:        Sat Sep 13 12:09:53 2014 (5413A771)
    CheckSum:         000DC2F8
    ImageSize:        000CD000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     rpcrt4.dll
    OriginalFilename: rpcrt4.dll
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Remote Procedure Call Runtime
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
77430000 775a4000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\70FD0887B4CC4B48AA65FA136E9F7F0F1\ntdll.pdb
    Loaded symbol image file: ntdll.dll
    Image path: C:\Windows\SYSTEM32\ntdll.dll
    Image name: ntdll.dll
    Timestamp:        Sat Sep 13 13:19:21 2014 (5413B7B9)
    CheckSum:         0017F7B4
    ImageSize:        00174000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
803d6000 803de000   kd         (deferred)            
    Image path: \SystemRoot\system32\kd.dll
    Image name: kd.dll
    Timestamp:        Sat Sep 13 13:18:46 2014 (5413B796)
    CheckSum:         0000AE4F
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
80c04000 811f9000   nt         (pdb symbols)          c:\symbols\ntkrpamp.pdb\D6A45AA28E89439FAD70BF52349C306E1\ntkrpamp.pdb
    Loaded symbol image file: ntkrpamp.exe
    Image path: ntkrpamp.exe
    Image name: ntkrpamp.exe
    Timestamp:        Sat Sep 13 13:20:53 2014 (5413B815)
    CheckSum:         00590F17
    ImageSize:        005F5000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
811f9000 81254000   hal        (deferred)            
    Image path: halmacpi.dll
    Image name: halmacpi.dll
    Timestamp:        Sat Sep 13 11:21:39 2014 (54139C23)
    CheckSum:         00056107
    ImageSize:        0005B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
81800000 81823000   pacer      (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\pacer.sys
    Image name: pacer.sys
    Timestamp:        Sat Sep 13 13:14:38 2014 (5413B69E)
    CheckSum:         0002D03D
    ImageSize:        00023000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
81830000 8186b000   WdFilter   (deferred)            
    Image path: \SystemRoot\system32\drivers\WdFilter.sys
    Image name: WdFilter.sys
    Timestamp:        Sat Sep 13 13:17:45 2014 (5413B759)
    CheckSum:         0003E03F
    ImageSize:        0003B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
81870000 819dc000   dxgkrnl    (deferred)            
    Image path: \SystemRoot\System32\drivers\dxgkrnl.sys
    Image name: dxgkrnl.sys
    Timestamp:        Sat Sep 13 13:16:54 2014 (5413B726)
    CheckSum:         0016831F
    ImageSize:        0016C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84600000 8460a000   BOOTVID    (deferred)            
    Image path: \SystemRoot\system32\BOOTVID.dll
    Image name: BOOTVID.dll
    Timestamp:        Sat Sep 13 13:18:40 2014 (5413B790)
    CheckSum:         0000FFA5
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84610000 8461a000   cmimcext   (deferred)            
    Image path: \SystemRoot\System32\drivers\cmimcext.sys
    Image name: cmimcext.sys
    Timestamp:        Sat Sep 13 13:18:37 2014 (5413B78D)
    CheckSum:         00008D90
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84620000 84629000   ntosext    (deferred)            
    Image path: \SystemRoot\System32\drivers\ntosext.sys
    Image name: ntosext.sys
    Timestamp:        Sat Sep 13 11:21:29 2014 (54139C19)
    CheckSum:         00009AE1
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84630000 846b3000   CI         (deferred)            
    Image path: \SystemRoot\system32\CI.dll
    Image name: CI.dll
    Timestamp:        Sat Sep 13 13:16:55 2014 (5413B727)
    CheckSum:         0008A6D1
    ImageSize:        00083000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
846c0000 846e3e00   prl_fs     (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\prl_fs.sys
    Image name: prl_fs.sys
    Timestamp:        Thu Jul 03 02:21:36 2014 (53B43190)
    CheckSum:         00035671
    ImageSize:        00023E00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
846f0000 8475e000   mcupdate_GenuineIntel   (deferred)            
    Image path: \SystemRoot\system32\mcupdate_GenuineIntel.dll
    Image name: mcupdate_GenuineIntel.dll
    Timestamp:        Sat Sep 13 13:18:34 2014 (5413B78A)
    CheckSum:         0006EFEF
    ImageSize:        0006E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84760000 8476c000   werkernel   (deferred)            
    Image path: \SystemRoot\System32\drivers\werkernel.sys
    Image name: werkernel.sys
    Timestamp:        Sat Sep 13 13:18:38 2014 (5413B78E)
    CheckSum:         000179C8
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84770000 847ba000   CLFS       (deferred)            
    Image path: \SystemRoot\System32\drivers\CLFS.SYS
    Image name: CLFS.SYS
    Timestamp:        Sat Sep 13 13:18:19 2014 (5413B77B)
    CheckSum:         0004B528
    ImageSize:        0004A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
847c0000 847db000   tm         (deferred)            
    Image path: \SystemRoot\System32\drivers\tm.sys
    Image name: tm.sys
    Timestamp:        Sat Sep 13 11:21:30 2014 (54139C1A)
    CheckSum:         00024269
    ImageSize:        0001B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
847e0000 847f3000   PSHED      (deferred)            
    Image path: \SystemRoot\system32\PSHED.dll
    Image name: PSHED.dll
    Timestamp:        Sat Sep 13 14:23:33 2014 (5413C6C5)
    CheckSum:         0001671C
    ImageSize:        00013000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84a00000 84a17000   acpiex     (deferred)            
    Image path: \SystemRoot\System32\Drivers\acpiex.sys
    Image name: acpiex.sys
    Timestamp:        Sat Sep 13 13:16:44 2014 (5413B71C)
    CheckSum:         00019C5B
    ImageSize:        00017000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84a20000 84a2a000   WppRecorder   (deferred)            
    Image path: \SystemRoot\System32\Drivers\WppRecorder.sys
    Image name: WppRecorder.sys
    Timestamp:        Sat Sep 13 13:18:10 2014 (5413B772)
    CheckSum:         0000CE16
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84a30000 84a65000   Wof        (deferred)            
    Image path: \SystemRoot\System32\Drivers\Wof.sys
    Image name: Wof.sys
    Timestamp:        Sat Sep 13 13:16:28 2014 (5413B70C)
    CheckSum:         0003EB32
    ImageSize:        00035000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84a80000 84ab2000   msrpc      (deferred)            
    Image path: \SystemRoot\System32\drivers\msrpc.sys
    Image name: msrpc.sys
    Timestamp:        Sat Sep 13 13:17:38 2014 (5413B752)
    CheckSum:         0002E989
    ImageSize:        00032000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84ac0000 84b06000   FLTMGR     (deferred)            
    Image path: \SystemRoot\System32\drivers\FLTMGR.SYS
    Image name: FLTMGR.SYS
    Timestamp:        Sat Sep 13 13:18:19 2014 (5413B77B)
    CheckSum:         0004BF00
    ImageSize:        00046000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84b10000 84b2b000   ksecdd     (deferred)            
    Image path: \SystemRoot\System32\drivers\ksecdd.sys
    Image name: ksecdd.sys
    Timestamp:        Sat Sep 13 13:17:46 2014 (5413B75A)
    CheckSum:         0001AE81
    ImageSize:        0001B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84b30000 84b41000   clipsp     (deferred)            
    Image path: \SystemRoot\System32\drivers\clipsp.sys
    Image name: clipsp.sys
    Timestamp:        Sat Sep 13 13:17:41 2014 (5413B755)
    CheckSum:         0001072D
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84b50000 84bef000   Wdf01000   (deferred)            
    Image path: \SystemRoot\system32\drivers\Wdf01000.sys
    Image name: Wdf01000.sys
    Timestamp:        Sat Sep 13 13:16:24 2014 (5413B708)
    CheckSum:         000A4A57
    ImageSize:        0009F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84bf0000 84bfe000   WDFLDR     (deferred)            
    Image path: \SystemRoot\system32\drivers\WDFLDR.SYS
    Image name: WDFLDR.SYS
    Timestamp:        Sat Sep 13 13:17:39 2014 (5413B753)
    CheckSum:         0000F4AC
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84c00000 84c09000   WMILIB     (deferred)            
    Image path: \SystemRoot\System32\drivers\WMILIB.SYS
    Image name: WMILIB.SYS
    Timestamp:        Sat Sep 13 13:18:37 2014 (5413B78D)
    CheckSum:         0000F42E
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84c10000 84c87000   cng        (deferred)            
    Image path: \SystemRoot\System32\Drivers\cng.sys
    Image name: cng.sys
    Timestamp:        Sat Sep 13 13:16:43 2014 (5413B71B)
    CheckSum:         00084215
    ImageSize:        00077000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84ca0000 84cae000   pcw        (deferred)            
    Image path: \SystemRoot\System32\drivers\pcw.sys
    Image name: pcw.sys
    Timestamp:        Sat Sep 13 11:21:30 2014 (54139C1A)
    CheckSum:         000185A7
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84cb0000 84cb8000   msisadrv   (deferred)            
    Image path: \SystemRoot\System32\drivers\msisadrv.sys
    Image name: msisadrv.sys
    Timestamp:        Sat Sep 13 13:17:43 2014 (5413B757)
    CheckSum:         00012FAB
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84cc0000 84cfa000   pci        (deferred)            
    Image path: \SystemRoot\System32\drivers\pci.sys
    Image name: pci.sys
    Timestamp:        Sat Sep 13 13:17:07 2014 (5413B733)
    CheckSum:         0003AC58
    ImageSize:        0003A000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     pci.sys
    OriginalFilename: pci.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  NT Plug and Play PCI Enumerator
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
84d00000 84d0b000   vdrvroot   (deferred)            
    Image path: \SystemRoot\System32\drivers\vdrvroot.sys
    Image name: vdrvroot.sys
    Timestamp:        Sat Sep 13 13:17:37 2014 (5413B751)
    CheckSum:         0000C2FA
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84d10000 84d14300   prl_tg     (deferred)            
    Image path: \SystemRoot\System32\drivers\prl_tg.sys
    Image name: prl_tg.sys
    Timestamp:        Thu Jul 03 02:20:11 2014 (53B4313B)
    CheckSum:         00009D61
    ImageSize:        00004300
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84d20000 84d34000   pdc        (deferred)            
    Image path: \SystemRoot\system32\drivers\pdc.sys
    Image name: pdc.sys
    Timestamp:        Sat Sep 13 11:21:31 2014 (54139C1B)
    CheckSum:         0001A36E
    ImageSize:        00014000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84d40000 84d50000   CEA        (deferred)            
    Image path: \SystemRoot\system32\drivers\CEA.sys
    Image name: CEA.sys
    Timestamp:        Sat Sep 13 13:17:25 2014 (5413B745)
    CheckSum:         000106D5
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84d50000 84d68000   partmgr    (deferred)            
    Image path: \SystemRoot\System32\drivers\partmgr.sys
    Image name: partmgr.sys
    Timestamp:        Sat Sep 13 11:21:33 2014 (54139C1D)
    CheckSum:         0001D3BB
    ImageSize:        00018000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84d70000 84dcf000   spaceport   (deferred)            
    Image path: \SystemRoot\System32\drivers\spaceport.sys
    Image name: spaceport.sys
    Timestamp:        Sat Sep 13 13:16:35 2014 (5413B713)
    CheckSum:         0005E557
    ImageSize:        0005F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84dd0000 84de3000   volmgr     (deferred)            
    Image path: \SystemRoot\System32\drivers\volmgr.sys
    Image name: volmgr.sys
    Timestamp:        Sat Sep 13 11:21:33 2014 (54139C1D)
    CheckSum:         00012A26
    ImageSize:        00013000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84df0000 84e3e000   volmgrx    (deferred)            
    Image path: \SystemRoot\System32\drivers\volmgrx.sys
    Image name: volmgrx.sys
    Timestamp:        Sat Sep 13 13:18:19 2014 (5413B77B)
    CheckSum:         0005A2C8
    ImageSize:        0004E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84e40000 84e47000   intelide   (deferred)            
    Image path: \SystemRoot\System32\drivers\intelide.sys
    Image name: intelide.sys
    Timestamp:        Sat Sep 13 13:18:22 2014 (5413B77E)
    CheckSum:         0000DCF0
    ImageSize:        00007000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     intelide.sys
    OriginalFilename: intelide.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Intel PCI IDE Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
84e50000 84e5e000   PCIIDEX    (deferred)            
    Image path: \SystemRoot\System32\drivers\PCIIDEX.SYS
    Image name: PCIIDEX.SYS
    Timestamp:        Sat Sep 13 13:18:03 2014 (5413B76B)
    CheckSum:         000180E5
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84e60000 84e76000   mountmgr   (deferred)            
    Image path: \SystemRoot\System32\drivers\mountmgr.sys
    Image name: mountmgr.sys
    Timestamp:        Sat Sep 13 13:18:17 2014 (5413B779)
    CheckSum:         0002342E
    ImageSize:        00016000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84e80000 84e89000   atapi      (deferred)            
    Image path: \SystemRoot\System32\drivers\atapi.sys
    Image name: atapi.sys
    Timestamp:        Sat Sep 13 13:18:44 2014 (5413B794)
    CheckSum:         0000B802
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84e90000 84eba000   ataport    (deferred)            
    Image path: \SystemRoot\System32\drivers\ataport.SYS
    Image name: ataport.SYS
    Timestamp:        Sat Sep 13 13:18:05 2014 (5413B76D)
    CheckSum:         000284D0
    ImageSize:        0002A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84ec0000 84edb000   storahci   (deferred)            
    Image path: \SystemRoot\System32\drivers\storahci.sys
    Image name: storahci.sys
    Timestamp:        Sat Sep 13 13:18:44 2014 (5413B794)
    CheckSum:         000225B4
    ImageSize:        0001B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84ee0000 84f37000   storport   (deferred)            
    Image path: \SystemRoot\System32\drivers\storport.sys
    Image name: storport.sys
    Timestamp:        Sat Sep 13 13:17:38 2014 (5413B752)
    CheckSum:         00060BC0
    ImageSize:        00057000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84f40000 84f56000   EhStorClass   (deferred)            
    Image path: \SystemRoot\System32\drivers\EhStorClass.sys
    Image name: EhStorClass.sys
    Timestamp:        Sat Sep 13 13:17:14 2014 (5413B73A)
    CheckSum:         0002079C
    ImageSize:        00016000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84f60000 84f72000   fileinfo   (deferred)            
    Image path: \SystemRoot\System32\drivers\fileinfo.sys
    Image name: fileinfo.sys
    Timestamp:        Sat Sep 13 13:17:28 2014 (5413B748)
    CheckSum:         0001D915
    ImageSize:        00012000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
84f80000 84ff5000   ACPI       (deferred)            
    Image path: \SystemRoot\System32\drivers\ACPI.sys
    Image name: ACPI.sys
    Timestamp:        Sat Sep 13 11:21:39 2014 (54139C23)
    CheckSum:         00072E09
    ImageSize:        00075000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85000000 85025000   ksecpkg    (deferred)            
    Image path: \SystemRoot\System32\Drivers\ksecpkg.sys
    Image name: ksecpkg.sys
    Timestamp:        Sat Sep 13 13:16:29 2014 (5413B70D)
    CheckSum:         00029D3B
    ImageSize:        00025000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85030000 8506a000   netbt      (deferred)            
    Image path: \SystemRoot\System32\DRIVERS\netbt.sys
    Image name: netbt.sys
    Timestamp:        Sat Sep 13 13:16:04 2014 (5413B6F4)
    CheckSum:         000450BC
    ImageSize:        0003A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85070000 850e7000   afd        (deferred)            
    Image path: \SystemRoot\system32\drivers\afd.sys
    Image name: afd.sys
    Timestamp:        Sat Sep 13 13:16:04 2014 (5413B6F4)
    CheckSum:         0007E9F1
    ImageSize:        00077000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
850f0000 8529b000   Ntfs       (deferred)            
    Image path: \SystemRoot\System32\Drivers\Ntfs.sys
    Image name: Ntfs.sys
    Timestamp:        Sat Sep 13 11:21:50 2014 (54139C2E)
    CheckSum:         001AFEFF
    ImageSize:        001AB000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntfs.sys
    OriginalFilename: ntfs.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  NT File System Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
852a0000 852aa000   Fs_Rec     (deferred)            
    Image path: \SystemRoot\System32\Drivers\Fs_Rec.sys
    Image name: Fs_Rec.sys
    Timestamp:        Sat Sep 13 11:21:30 2014 (54139C1A)
    CheckSum:         00007E47
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
852b0000 8538f000   ndis       (deferred)            
    Image path: \SystemRoot\system32\drivers\ndis.sys
    Image name: ndis.sys
    Timestamp:        Sat Sep 13 13:16:10 2014 (5413B6FA)
    CheckSum:         000E3445
    ImageSize:        000DF000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85390000 853e1000   NETIO      (deferred)            
    Image path: \SystemRoot\system32\drivers\NETIO.SYS
    Image name: NETIO.SYS
    Timestamp:        Sat Sep 13 13:16:05 2014 (5413B6F5)
    CheckSum:         0004F60D
    ImageSize:        00051000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
853f0000 853fe000   netbios    (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\netbios.sys
    Image name: netbios.sys
    Timestamp:        Sat Sep 13 13:17:12 2014 (5413B738)
    CheckSum:         00016CD1
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85400000 85411000   mup        (deferred)            
    Image path: \SystemRoot\System32\Drivers\mup.sys
    Image name: mup.sys
    Timestamp:        Sat Sep 13 13:18:37 2014 (5413B78D)
    CheckSum:         00011905
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85420000 8542c000   intelpep   (deferred)            
    Image path: \SystemRoot\System32\drivers\intelpep.sys
    Image name: intelpep.sys
    Timestamp:        Sat Sep 13 13:17:34 2014 (5413B74E)
    CheckSum:         0000E8F5
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85430000 8543c000   TDI        (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\TDI.SYS
    Image name: TDI.SYS
    Timestamp:        Sat Sep 13 13:17:14 2014 (5413B73A)
    CheckSum:         00010CD6
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85440000 85457000   disk       (deferred)            
    Image path: \SystemRoot\System32\drivers\disk.sys
    Image name: disk.sys
    Timestamp:        Sat Sep 13 11:21:33 2014 (54139C1D)
    CheckSum:         0002141C
    ImageSize:        00017000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85460000 854b4000   CLASSPNP   (deferred)            
    Image path: \SystemRoot\System32\drivers\CLASSPNP.SYS
    Image name: CLASSPNP.SYS
    Timestamp:        Sat Sep 13 11:21:37 2014 (54139C21)
    CheckSum:         0005C140
    ImageSize:        00054000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
854e0000 854f1000   crashdmp   (deferred)            
    Image path: \SystemRoot\System32\Drivers\crashdmp.sys
    Image name: crashdmp.sys
    Timestamp:        Sat Sep 13 13:18:21 2014 (5413B77D)
    CheckSum:         000108DB
    ImageSize:        00011000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     crashdmp.sys
    OriginalFilename: crashdmp.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Crash Dump Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
85500000 85556000   srv        (deferred)            
    Image path: \SystemRoot\System32\DRIVERS\srv.sys
    Image name: srv.sys
    Timestamp:        Sat Sep 13 13:16:19 2014 (5413B703)
    CheckSum:         0005FF11
    ImageSize:        00056000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
855a0000 855c3000   cdrom      (deferred)            
    Image path: \SystemRoot\System32\drivers\cdrom.sys
    Image name: cdrom.sys
    Timestamp:        Sat Sep 13 11:21:33 2014 (54139C1D)
    CheckSum:         0002248C
    ImageSize:        00023000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
855d0000 855d7000   Null       (deferred)            
    Image path: \SystemRoot\System32\Drivers\Null.SYS
    Image name: Null.SYS
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
    Timestamp:        unavailable (FFFFFFFE)
    CheckSum:         missing
    ImageSize:        00007000
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
Page 330e not present in the dump file. Type ".hh dbgerr004" for details
855e0000 855e7000   Beep       (deferred)            
    Image path: \SystemRoot\System32\Drivers\Beep.SYS
    Image name: Beep.SYS
    Timestamp:        Sat Sep 13 13:18:38 2014 (5413B78E)
    CheckSum:         00001CB3
    ImageSize:        00007000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
855f0000 85600000   BasicDisplay   (deferred)            
    Image path: \SystemRoot\System32\drivers\BasicDisplay.sys
    Image name: BasicDisplay.sys
    Timestamp:        Sat Sep 13 13:17:59 2014 (5413B767)
    CheckSum:         0000E606
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85600000 8560e000   watchdog   (deferred)            
    Image path: \SystemRoot\System32\drivers\watchdog.sys
    Image name: watchdog.sys
    Timestamp:        Sat Sep 13 13:18:06 2014 (5413B76E)
    CheckSum:         0000FDE5
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85610000 8561c000   BasicRender   (deferred)            
    Image path: \SystemRoot\System32\drivers\BasicRender.sys
    Image name: BasicRender.sys
    Timestamp:        Sat Sep 13 13:17:50 2014 (5413B75E)
    CheckSum:         0001534B
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85620000 85630000   Npfs       (deferred)            
    Image path: \SystemRoot\System32\Drivers\Npfs.SYS
    Image name: Npfs.SYS
    Timestamp:        Sat Sep 13 13:18:38 2014 (5413B78E)
    CheckSum:         0000C537
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
85630000 8563b000   Msfs       (deferred)            
    Image path: \SystemRoot\System32\Drivers\Msfs.SYS
    Image name: Msfs.SYS
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
    Timestamp:        unavailable (FFFFFFFE)
    CheckSum:         missing
    ImageSize:        0000B000
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
Page c40 not present in the dump file. Type ".hh dbgerr004" for details
85640000 85647b00   prl_boot   (deferred)            
    Image path: \SystemRoot\System32\Drivers\prl_boot.sys
    Image name: prl_boot.sys
    Timestamp:        Thu Jul 03 02:22:26 2014 (53B431C2)
    CheckSum:         00011884
    ImageSize:        00007B00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85650000 8566a000   tdx        (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\tdx.sys
    Image name: tdx.sys
    Timestamp:        Sat Sep 13 13:16:05 2014 (5413B6F5)
    CheckSum:         000176A3
    ImageSize:        0001A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85670000 8584c000   tcpip      (deferred)            
    Image path: \SystemRoot\System32\drivers\tcpip.sys
    Image name: tcpip.sys
    Timestamp:        Sat Sep 13 13:16:05 2014 (5413B6F5)
    CheckSum:         001DBE8F
    ImageSize:        001DC000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85850000 85898000   fwpkclnt   (deferred)            
    Image path: \SystemRoot\System32\drivers\fwpkclnt.sys
    Image name: fwpkclnt.sys
    Timestamp:        Sat Sep 13 13:16:06 2014 (5413B6F6)
    CheckSum:         00045D66
    ImageSize:        00048000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
858a0000 858b3000   wfplwfs    (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\wfplwfs.sys
    Image name: wfplwfs.sys
    Timestamp:        Sat Sep 13 13:15:58 2014 (5413B6EE)
    CheckSum:         000173D9
    ImageSize:        00013000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
858c0000 85944000   fvevol     (deferred)            
    Image path: \SystemRoot\System32\DRIVERS\fvevol.sys
    Image name: fvevol.sys
    Timestamp:        Sat Sep 13 13:16:38 2014 (5413B716)
    CheckSum:         0008E9C8
    ImageSize:        00084000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
85950000 859a8000   volsnap    (deferred)            
    Image path: \SystemRoot\System32\drivers\volsnap.sys
    Image name: volsnap.sys
    Timestamp:        Sat Sep 13 13:18:37 2014 (5413B78D)
    CheckSum:         00056D8A
    ImageSize:        00058000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
859b0000 859e5000   rdyboost   (deferred)            
    Image path: \SystemRoot\System32\drivers\rdyboost.sys
    Image name: rdyboost.sys
    Timestamp:        Sat Sep 13 13:17:24 2014 (5413B744)
    CheckSum:         0003DE68
    ImageSize:        00035000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
859f0000 859fb000   prl_strg   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\prl_strg.sys
    Image name: prl_strg.sys
    Timestamp:        Thu Jul 03 02:27:00 2014 (53B432D4)
    CheckSum:         00011D25
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89600000 8960b000   mssmbios   (deferred)            
    Image path: \SystemRoot\System32\drivers\mssmbios.sys
    Image name: mssmbios.sys
    Timestamp:        Sat Sep 13 13:18:04 2014 (5413B76C)
    CheckSum:         000096F0
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89610000 8962e000   dfsc       (deferred)            
    Image path: \SystemRoot\System32\Drivers\dfsc.sys
    Image name: dfsc.sys
    Timestamp:        Sat Sep 13 13:17:00 2014 (5413B72C)
    CheckSum:         0001A13D
    ImageSize:        0001E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89640000 89664000   ahcache    (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\ahcache.sys
    Image name: ahcache.sys
    Timestamp:        Sat Sep 13 11:21:30 2014 (54139C1A)
    CheckSum:         0002F792
    ImageSize:        00024000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89670000 8967d000   CompositeBus   (deferred)            
    Image path: \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_x86_52685d853a5f64f3\CompositeBus.sys
    Image name: CompositeBus.sys
    Timestamp:        Sat Sep 13 13:17:32 2014 (5413B74C)
    CheckSum:         00011F50
    ImageSize:        0000D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89680000 8968a000   kdnic      (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\kdnic.sys
    Image name: kdnic.sys
    Timestamp:        Sat Sep 13 13:17:04 2014 (5413B730)
    CheckSum:         0000F9A2
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89690000 8969e000   umbus      (deferred)            
    Image path: \SystemRoot\System32\drivers\umbus.sys
    Image name: umbus.sys
    Timestamp:        Sat Sep 13 13:17:42 2014 (5413B756)
    CheckSum:         00011CE7
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
896a0000 896be000   intelppm   (deferred)            
    Image path: \SystemRoot\System32\drivers\intelppm.sys
    Image name: intelppm.sys
    Timestamp:        Sat Sep 13 11:21:33 2014 (54139C1D)
    CheckSum:         00025E04
    ImageSize:        0001E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
896c0000 896e5000   prl_kmdd   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\prl_kmdd.sys
    Image name: prl_kmdd.sys
    Timestamp:        Thu Jul 03 02:21:17 2014 (53B4317D)
    CheckSum:         00028C23
    ImageSize:        00025000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
896f0000 8970d200   E1G60I32   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\E1G60I32.sys
    Image name: E1G60I32.sys
    Timestamp:        Wed Mar 24 08:07:51 2010 (4BA92DA7)
    CheckSum:         000282C0
    ImageSize:        0001D200
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89710000 89717000   prl_memdev   (deferred)            
    Image path: \SystemRoot\System32\drivers\prl_memdev.sys
    Image name: prl_memdev.sys
    Timestamp:        Thu Jul 03 02:20:09 2014 (53B43139)
    CheckSum:         0000F8AB
    ImageSize:        00007000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89720000 8972b000   usbuhci    (deferred)            
    Image path: \SystemRoot\System32\drivers\usbuhci.sys
    Image name: usbuhci.sys
    Timestamp:        Sat Sep 13 13:17:57 2014 (5413B765)
    CheckSum:         00013A07
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89730000 89790000   USBPORT    (deferred)            
    Image path: \SystemRoot\System32\drivers\USBPORT.SYS
    Image name: USBPORT.SYS
    Timestamp:        Sat Sep 13 13:18:05 2014 (5413B76D)
    CheckSum:         0005FEAD
    ImageSize:        00060000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89790000 897d5000   USBXHCI    (deferred)            
    Image path: \SystemRoot\System32\drivers\USBXHCI.SYS
    Image name: USBXHCI.SYS
    Timestamp:        Sat Sep 13 13:16:34 2014 (5413B712)
    CheckSum:         0004EBE2
    ImageSize:        00045000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     usbxhci.sys
    OriginalFilename: usbxhci.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  USB XHCI Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
897e0000 8980b000   ucx01000   (deferred)            
    Image path: \SystemRoot\System32\drivers\ucx01000.sys
    Image name: ucx01000.sys
    Timestamp:        Sat Sep 13 13:16:41 2014 (5413B719)
    CheckSum:         0002F0FB
    ImageSize:        0002B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89810000 89824000   usbehci    (deferred)            
    Image path: \SystemRoot\System32\drivers\usbehci.sys
    Image name: usbehci.sys
    Timestamp:        Sat Sep 13 13:17:51 2014 (5413B75F)
    CheckSum:         0001BDBB
    ImageSize:        00014000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89830000 89849000   i8042prt   (deferred)            
    Image path: \SystemRoot\System32\drivers\i8042prt.sys
    Image name: i8042prt.sys
    Timestamp:        Sat Sep 13 13:17:47 2014 (5413B75B)
    CheckSum:         00018714
    ImageSize:        00019000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89850000 8985e000   kbdclass   (deferred)            
    Image path: \SystemRoot\System32\drivers\kbdclass.sys
    Image name: kbdclass.sys
    Timestamp:        Sat Sep 13 13:17:52 2014 (5413B760)
    CheckSum:         00015CDA
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89860000 89862700   prl_mouf   (deferred)            
    Image path: \SystemRoot\System32\drivers\prl_mouf.sys
    Image name: prl_mouf.sys
    Timestamp:        Thu Jul 03 02:20:39 2014 (53B43157)
    CheckSum:         00004B94
    ImageSize:        00002700
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89870000 8987c000   mouclass   (deferred)            
    Image path: \SystemRoot\System32\drivers\mouclass.sys
    Image name: mouclass.sys
    Timestamp:        Sat Sep 13 13:17:50 2014 (5413B75E)
    CheckSum:         0000B120
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89880000 8988f000   prl_sound   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\prl_sound.sys
    Image name: prl_sound.sys
    Timestamp:        Thu Jul 03 02:26:55 2014 (53B432CF)
    CheckSum:         0000C1CF
    ImageSize:        0000F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89890000 898cb000   portcls    (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\portcls.sys
    Image name: portcls.sys
    Timestamp:        Sat Sep 13 13:16:29 2014 (5413B70D)
    CheckSum:         00040388
    ImageSize:        0003B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
898d0000 898e5000   drmk       (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\drmk.sys
    Image name: drmk.sys
    Timestamp:        Sat Sep 13 13:17:53 2014 (5413B761)
    CheckSum:         0001BB7E
    ImageSize:        00015000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
898f0000 898f5d00   MpKsld125cf3e   (deferred)            
    Image path: \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{56A75674-70B6-4061-BCD6-254E1D99F288}\MpKsld125cf3e.sys
    Image name: MpKsld125cf3e.sys
    Timestamp:        Thu Aug 22 08:32:05 2013 (52153FE5)
    CheckSum:         00012C3C
    ImageSize:        00005D00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89910000 89967000   rdbss      (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\rdbss.sys
    Image name: rdbss.sys
    Timestamp:        Sat Sep 13 13:16:32 2014 (5413B710)
    CheckSum:         0005527E
    ImageSize:        00057000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
89970000 899de000   csc        (deferred)            
    Image path: \SystemRoot\system32\drivers\csc.sys
    Image name: csc.sys
    Timestamp:        Sat Sep 13 13:17:06 2014 (5413B732)
    CheckSum:         00070E21
    ImageSize:        0006E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
899e0000 899ec000   nsiproxy   (deferred)            
    Image path: \SystemRoot\system32\drivers\nsiproxy.sys
    Image name: nsiproxy.sys
    Timestamp:        Sat Sep 13 13:16:15 2014 (5413B6FF)
    CheckSum:         0000B7FA
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
899f0000 899fb000   npsvctrig   (deferred)            
    Image path: \SystemRoot\System32\drivers\npsvctrig.sys
    Image name: npsvctrig.sys
    Timestamp:        Sat Sep 13 13:17:25 2014 (5413B745)
    CheckSum:         00005D85
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a000000 8a01a000   HIDCLASS   (deferred)            
    Image path: \SystemRoot\System32\drivers\HIDCLASS.SYS
    Image name: HIDCLASS.SYS
    Timestamp:        Sat Sep 13 13:17:46 2014 (5413B75A)
    CheckSum:         0001CBB5
    ImageSize:        0001A000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     hidclass.sys
    OriginalFilename: hidclass.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Hid Class Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a020000 8a02a000   mouhid     (deferred)            
    Image path: \SystemRoot\System32\drivers\mouhid.sys
    Image name: mouhid.sys
    Timestamp:        Sat Sep 13 13:17:51 2014 (5413B75F)
    CheckSum:         0000D25A
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a030000 8a03b000   kbdhid     (deferred)            
    Image path: \SystemRoot\System32\drivers\kbdhid.sys
    Image name: kbdhid.sys
    Timestamp:        Sat Sep 13 13:17:51 2014 (5413B75F)
    CheckSum:         0000EE04
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a040000 8a05d000   luafv      (deferred)            
    Image path: \SystemRoot\system32\drivers\luafv.sys
    Image name: luafv.sys
    Timestamp:        Sat Sep 13 13:18:06 2014 (5413B76E)
    CheckSum:         0001EF10
    ImageSize:        0001D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a060000 8a070000   lltdio     (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\lltdio.sys
    Image name: lltdio.sys
    Timestamp:        Sat Sep 13 13:16:03 2014 (5413B6F3)
    CheckSum:         0001524A
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a070000 8a084000   rspndr     (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\rspndr.sys
    Image name: rspndr.sys
    Timestamp:        Sat Sep 13 13:16:05 2014 (5413B6F5)
    CheckSum:         0001C001
    ImageSize:        00014000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a090000 8a09b000   usbprint   (deferred)            
    Image path: \SystemRoot\System32\drivers\usbprint.sys
    Image name: usbprint.sys
    Timestamp:        Sat Sep 13 13:16:13 2014 (5413B6FD)
    CheckSum:         0000EBDA
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a0b0000 8a0bb000   dump_diskdump   (deferred)            
    Image path: \SystemRoot\System32\Drivers\dump_diskdump.sys
    Image name: dump_diskdump.sys
    Timestamp:        Sat Sep 13 13:18:36 2014 (5413B78C)
    CheckSum:         0001241F
    ImageSize:        0000B000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     diskdump.sys
    OriginalFilename: diskdump.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Crash Dump Disk Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a0e0000 8a0fb000   dump_storahci   (deferred)            
    Image path: \SystemRoot\System32\Drivers\dump_storahci.sys
    Image name: dump_storahci.sys
    Timestamp:        Sat Sep 13 13:18:44 2014 (5413B794)
    CheckSum:         000225B4
    ImageSize:        0001B000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     storahci.sys
    OriginalFilename: storahci.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  MS AHCI Storport Miniport Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a120000 8a133000   dump_dumpfve   (deferred)            
    Image path: \SystemRoot\System32\Drivers\dump_dumpfve.sys
    Image name: dump_dumpfve.sys
    Timestamp:        Sat Sep 13 13:18:16 2014 (5413B778)
    CheckSum:         00015A17
    ImageSize:        00013000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     dumpfve.sys
    OriginalFilename: dumpfve.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Bitlocker Drive Encryption Crashdump Filter
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a140000 8a193000   dxgmms1    (deferred)            
    Image path: \SystemRoot\System32\drivers\dxgmms1.sys
    Image name: dxgmms1.sys
    Timestamp:        Sat Sep 13 13:16:36 2014 (5413B714)
    CheckSum:         00054E15
    ImageSize:        00053000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     dxgmms1.sys
    OriginalFilename: dxgmms1.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  DirectX Graphics MMS
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a1a0000 8a1ab000   monitor    (deferred)            
    Image path: \SystemRoot\System32\drivers\monitor.sys
    Image name: monitor.sys
    Timestamp:        Sat Sep 13 13:16:14 2014 (5413B6FE)
    CheckSum:         0000D3D8
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a1b0000 8a1b1880   myfault    (no symbols)          
    Loaded symbol image file: myfault.sys
    Image path: \??\C:\Windows\system32\drivers\myfault.sys
    Image name: myfault.sys
    Timestamp:        Sun Apr 08 02:34:40 2012 (4F806CA0)
    CheckSum:         00003871
    ImageSize:        00001880
    File version:     4.0.0.0
    Product version:  4.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Sysinternals
    ProductName:      Sysinternals Myfault
    InternalName:     myfault.sys
    OriginalFilename: myfault.sys
    ProductVersion:   4.0
    FileVersion:      4.0 (sysinternals.com)
    FileDescription:  Crash Test Driver
    LegalCopyright:   Copyright © 2002-2012 Mark Russinovich
8a1c0000 8a205000   ks         (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\ks.sys
    Image name: ks.sys
    Timestamp:        Sat Sep 13 13:18:04 2014 (5413B76C)
    CheckSum:         00040D56
    ImageSize:        00045000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a210000 8a215080   CmBatt     (deferred)            
    Image path: \SystemRoot\System32\drivers\CmBatt.sys
    Image name: CmBatt.sys
    Timestamp:        Sat Sep 13 13:18:03 2014 (5413B76B)
    CheckSum:         000065BF
    ImageSize:        00005080
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a220000 8a22b000   BATTC      (deferred)            
    Image path: \SystemRoot\System32\drivers\BATTC.SYS
    Image name: BATTC.SYS
    Timestamp:        Sat Sep 13 13:18:23 2014 (5413B77F)
    CheckSum:         0000B8DD
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a230000 8a238000   NdisVirtualBus   (deferred)            
    Image path: \SystemRoot\System32\drivers\NdisVirtualBus.sys
    Image name: NdisVirtualBus.sys
    Timestamp:        Sat Sep 13 13:16:11 2014 (5413B6FB)
    CheckSum:         00007E21
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a240000 8a241400   swenum     (deferred)            
    Image path: \SystemRoot\System32\DriverStore\FileRepository\swenum.inf_x86_a44e7d5abb8c9783\swenum.sys
    Image name: swenum.sys
    Timestamp:        Sat Sep 13 13:17:59 2014 (5413B767)
    CheckSum:         000116B9
    ImageSize:        00001400
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a250000 8a25a000   rdpbus     (deferred)            
    Image path: \SystemRoot\System32\drivers\rdpbus.sys
    Image name: rdpbus.sys
    Timestamp:        Sat Sep 13 13:17:38 2014 (5413B752)
    CheckSum:         0000B151
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a260000 8a2bc000   usbhub     (deferred)            
    Image path: \SystemRoot\System32\drivers\usbhub.sys
    Image name: usbhub.sys
    Timestamp:        Sat Sep 13 13:17:22 2014 (5413B742)
    CheckSum:         0005DB85
    ImageSize:        0005C000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     usbhub.sys
    OriginalFilename: usbhub.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Default Hub Driver for USB
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a2c0000 8a2ca000   USBD       (deferred)            
    Image path: \SystemRoot\System32\drivers\USBD.SYS
    Image name: USBD.SYS
    Timestamp:        Sat Sep 13 13:18:37 2014 (5413B78D)
    CheckSum:         00014686
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a2d0000 8a333000   UsbHub3    (deferred)            
    Image path: \SystemRoot\System32\drivers\UsbHub3.sys
    Image name: UsbHub3.sys
    Timestamp:        Sat Sep 13 13:16:25 2014 (5413B709)
    CheckSum:         0006120F
    ImageSize:        00063000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     usbhub3.sys
    OriginalFilename: usbhub3.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  USB3 HUB Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a340000 8a385000   udfs       (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\udfs.sys
    Image name: udfs.sys
    Timestamp:        Sat Sep 13 13:18:36 2014 (5413B78C)
    CheckSum:         00042F9C
    ImageSize:        00045000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a390000 8a396900   HIDPARSE   (deferred)            
    Image path: \SystemRoot\System32\drivers\HIDPARSE.SYS
    Image name: HIDPARSE.SYS
    Timestamp:        Sat Sep 13 13:18:36 2014 (5413B78C)
    CheckSum:         000165B8
    ImageSize:        00006900
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     hidparse.sys
    OriginalFilename: hidparse.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Hid Parsing Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8a3a0000 8a3bc000   usbccgp    (deferred)            
    Image path: \SystemRoot\System32\drivers\usbccgp.sys
    Image name: usbccgp.sys
    Timestamp:        Sat Sep 13 13:17:03 2014 (5413B72F)
    CheckSum:         0001E745
    ImageSize:        0001C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a3c0000 8a3eb200   usbvideo   (deferred)            
    Image path: \SystemRoot\System32\Drivers\usbvideo.sys
    Image name: usbvideo.sys
    Timestamp:        Sat Sep 13 13:16:59 2014 (5413B72B)
    CheckSum:         0003A188
    ImageSize:        0002B200
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8a3f0000 8a3fb000   hidusb     (deferred)            
    Image path: \SystemRoot\System32\drivers\hidusb.sys
    Image name: hidusb.sys
    Timestamp:        Sat Sep 13 13:17:36 2014 (5413B750)
    CheckSum:         0001251F
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8c660000 8c678000   win32k     (deferred)            
    Image path: \SystemRoot\System32\win32k.sys
    Image name: win32k.sys
    Timestamp:        Sat Sep 13 13:15:54 2014 (5413B6EA)
    CheckSum:         0001774E
    ImageSize:        00018000
Page 3bf3c not present in the dump file. Type ".hh dbgerr004" for details
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8c860000 8c8f8000   win32kbase   (deferred)            
    Image path: \SystemRoot\System32\win32kbase.sys
    Image name: win32kbase.sys
    Timestamp:        Sat Sep 13 13:16:09 2014 (5413B6F9)
    CheckSum:         0008EB39
    ImageSize:        00098000
    File version:     6.4.9841.0
    Product version:  6.4.9841.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     win32kbase.sys
    OriginalFilename: win32kbase.sys
    ProductVersion:   6.4.9841.0
    FileVersion:      6.4.9841.0 (fbl_release.140912-1613)
    FileDescription:  Base Win32k Kernel Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
8fad0000 8fdaa000   win32kfull   (deferred)            
    Image path: \SystemRoot\System32\win32kfull.sys
    Image name: win32kfull.sys
    Timestamp:        Sat Sep 13 13:16:27 2014 (5413B70B)
    CheckSum:         002CE747
    ImageSize:        002DA000
Page 5ed8 not present in the dump file. Type ".hh dbgerr004" for details
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8fe10000 8fe18000   TSDDD      (deferred)            
    Image path: \SystemRoot\System32\TSDDD.dll
    Image name: TSDDD.dll
    Timestamp:        Sat Sep 13 13:16:02 2014 (5413B6F2)
    CheckSum:         00010BB9
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a1bc0000 a1bef000   cdd        (deferred)            
    Image path: \SystemRoot\System32\cdd.dll
    Image name: cdd.dll
    Timestamp:        Sat Sep 13 14:25:21 2014 (5413C731)
    CheckSum:         0003A1F6
    ImageSize:        0002F000
Page 3b282 not present in the dump file. Type ".hh dbgerr004" for details
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6a00000 a6a34000   srvnet     (deferred)            
    Image path: \SystemRoot\System32\DRIVERS\srvnet.sys
    Image name: srvnet.sys
    Timestamp:        Sat Sep 13 13:14:33 2014 (5413B699)
    CheckSum:         00031E1F
    ImageSize:        00034000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6a40000 a6ad2000   srv2       (deferred)            
    Image path: \SystemRoot\System32\DRIVERS\srv2.sys
    Image name: srv2.sys
    Timestamp:        Sat Sep 13 13:16:20 2014 (5413B704)
    CheckSum:         0008CC9E
    ImageSize:        00092000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6ae0000 a6aee000   mmcss      (deferred)            
    Image path: \SystemRoot\system32\drivers\mmcss.sys
    Image name: mmcss.sys
    Timestamp:        Sat Sep 13 13:17:42 2014 (5413B756)
    CheckSum:         0001528D
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6af0000 a6b2d000   mrxsmb10   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    Image name: mrxsmb10.sys
    Timestamp:        Sat Sep 13 13:14:34 2014 (5413B69A)
    CheckSum:         0003A6ED
    ImageSize:        0003D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6b30000 a6b49000   Ndu        (deferred)            
    Image path: \SystemRoot\system32\drivers\Ndu.sys
    Image name: Ndu.sys
    Timestamp:        Sat Sep 13 13:14:41 2014 (5413B6A1)
    CheckSum:         0001E797
    ImageSize:        00019000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6b50000 a6bf2000   peauth     (deferred)            
    Image path: \SystemRoot\system32\drivers\peauth.sys
    Image name: peauth.sys
    Timestamp:        Sat Sep 13 13:16:08 2014 (5413B6F8)
    CheckSum:         0009EA99
    ImageSize:        000A2000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6c00000 a6c25000   tunnel     (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\tunnel.sys
    Image name: tunnel.sys
    Timestamp:        Sat Sep 13 13:14:33 2014 (5413B699)
    CheckSum:         0001F791
    ImageSize:        00025000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6c30000 a6c3d000   condrv     (deferred)            
    Image path: \SystemRoot\System32\drivers\condrv.sys
    Image name: condrv.sys
    Timestamp:        Sat Sep 13 13:18:34 2014 (5413B78A)
    CheckSum:         0000CB28
    ImageSize:        0000D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6c40000 a6cf6000   HTTP       (deferred)            
    Image path: \SystemRoot\system32\drivers\HTTP.sys
    Image name: HTTP.sys
    Timestamp:        Sat Sep 13 13:16:04 2014 (5413B6F4)
    CheckSum:         000BD71C
    ImageSize:        000B6000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6d00000 a6d1a000   bowser     (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\bowser.sys
    Image name: bowser.sys
    Timestamp:        Sat Sep 13 13:17:08 2014 (5413B734)
    CheckSum:         00019CA7
    ImageSize:        0001A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6d20000 a6d79000   mrxsmb     (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb.sys
    Image name: mrxsmb.sys
    Timestamp:        Sat Sep 13 13:14:35 2014 (5413B69B)
    CheckSum:         000557E4
    ImageSize:        00059000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6d80000 a6dae000   mrxsmb20   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    Image name: mrxsmb20.sys
    Timestamp:        Sat Sep 13 13:16:41 2014 (5413B719)
    CheckSum:         0003549E
    ImageSize:        0002E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6db0000 a6dc1000   mpsdrv     (deferred)            
    Image path: \SystemRoot\System32\drivers\mpsdrv.sys
    Image name: mpsdrv.sys
    Timestamp:        Sat Sep 13 13:14:51 2014 (5413B6AB)
    CheckSum:         000111DE
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6dd0000 a6dd2300   prl_time   (deferred)            
    Image path: \??\C:\Windows\system32\drivers\prl_time.sys
    Image name: prl_time.sys
    Timestamp:        Thu Jul 03 02:21:29 2014 (53B43189)
    CheckSum:         000070E8
    ImageSize:        00002300
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6de0000 a6dea000   secdrv     (deferred)            
    Image path: \SystemRoot\System32\Drivers\secdrv.SYS
    Image name: secdrv.SYS
    Timestamp:        Wed Sep 13 23:18:32 2006 (45080528)
    CheckSum:         0000EE69
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
a6df0000 a6dfe000   tcpipreg   (deferred)            
    Image path: \SystemRoot\System32\drivers\tcpipreg.sys
    Image name: tcpipreg.sys
    Timestamp:        Sat Sep 13 13:14:50 2014 (5413B6AA)
    CheckSum:         00017C0E
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Unloaded modules:
a6dd0000 a6de8000   parport.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00018000
85510000 8551b000   dump_storport.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000B000
85540000 8555b000   dump_storahci.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0001B000
85580000 85593000   dump_dumpfve.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00013000
89630000 8963f000   dam.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000F000
84c90000 84c9a000   WdBoot.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000A000
85430000 8543b000   hwpolicy.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000B000

Posted in WinDbg, Windows 10

Case of the XP Service Pack 3 Upgrade Fail

Over the weekend the drummer in my band “The Brushed Keys” ( https://www.youtube.com/watch?v=WU-U7SBPF5Y&list=PLQA4w1oo2uGQGxKTzvzcJaPcNSj8SL8pp ) had finally taken the plunge and attempted the Windows XP Service Pack 3 upgrade, only about 6 years late.

However, it all went wrong: the machine would no longer start up, going to a permanent black screen with a mouse cursor after the XP logo. This occurred in all the Safe Mode variants, and also with Last Known Good Configuration.


Using a Windows PE boot disk with diagnostic utilities that I had on hand, I first used the offline event viewer Event Log Explorer ( http://www.eventlogxp.com/ ) to check the last Windows events, opening the .evt files in c:\windows\system32\config. This tool is particularly useful in XP environments: .EVT files copied off a machine cannot be opened by Event Viewer, they must be exported first. The EVTX files of Windows Vista and later do not suffer from this problem.

From the application log we could see WinLogon.exe was crashing, but there was no fault information (exception code, faulting module, etc.). In addition, Dr Watson logs were not generated. Without a FireWire or serial cable on hand I didn’t have much diagnostic info, so I decided to just revert the XP Service Pack 3 upgrade.

On the C: drive I could see System Restore was enabled, but in Windows XP you cannot use System Restore until you actually boot into the system (unless you have a specific boot disk that handles offline XP System Restore; I hadn’t used mine in 5 years or more, so had no idea where it was).

To revert the upgrade manually, I booted into Windows PE (but you could use the Windows XP Recovery Console) and did the following:

1) Made a backup of the C:\Windows\System32\Config folder

2) Browsed to the C:\System Volume Information\_restore<GUID>\RPxxx\snapshot folder (I chose the oldest RPxxx). Note these are hidden system folders.

3) Copied the following files to the Config folder and renamed them, taking off the _REGISTRY_MACHINE_ prefix, replacing the existing files:

  • _REGISTRY_MACHINE_SAM
  • _REGISTRY_MACHINE_SECURITY
  • _REGISTRY_MACHINE_SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM
  • _REGISTRY_MACHINE_DEFAULT

4) This was probably not necessary, but I also restored the user’s ntuser.dat (also making a backup of it before replacing it), by copying

_REGISTRY_USER_USERCLASS_<SID> to C:\Documents and Settings\<User Profile>

You can see the SID by checking the permissions on the user profile from within Windows PE, e.g. using icacls.

5) Renamed C:\windows\$NTServicePackUninstall$\spuninst.txt to spuninst.cmd and ran the batch file. This deletes the Service Pack 3 files and copies back the files that were backed up before the patch was applied.

Unfortunately, after restarting we got the error:

lsass.exe – System Error

When trying to update a password, this return status indicates that the value provided as the current password is not correct.

After this error the computer immediately rebooted.

This issue was fixed by restoring the SAM and SECURITY files from my backup back into C:\Windows\System32\Config (if you don’t have a backup, you could try your luck with the copies in the c:\windows\repair folder).

After this the machine boots fine, with all the user’s applications intact.

I made a 5-minute video of the process on my phone; it is here on YouTube:

Uninstalling Windows XP SP3 on an Unbootable PC

https://www.youtube.com/watch?v=MTR50Z3Kh98
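Steps 1 to 3 above, automated as an added Python example; this is not the post's own method, which was done by hand in Windows PE. It takes the paths as parameters, builds a constructed fake volume for its demo, and, following the outcome described above, leaves SAM and SECURITY untouched unless asked; the per-user _REGISTRY_USER_ step is not covered.

```python
"""Offline restore of Windows XP registry hives from a System Restore snapshot.
Added example, not the post's own code: it automates steps 1-3 above (back up
Config, pick the oldest RPnnn restore point, copy the snapshot hives over the
live ones).  Paths are parameters, so it runs against any directory tree; on
a real machine it would run from Windows PE against C:\\Windows and
C:\\System Volume Information."""
import os
import re
import shutil
import tempfile
from datetime import datetime

# Snapshot file name -> live hive file name in System32\Config.
HIVE_MAP = {
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_DEFAULT": "DEFAULT",
    "_REGISTRY_MACHINE_SAM": "SAM",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
}
# The post ends up keeping the original SAM and SECURITY (the snapshot copies
# produced the lsass.exe password error), so they are left alone by default.
DEFAULT_HIVES = ("SOFTWARE", "SYSTEM", "DEFAULT")
RP_RE = re.compile(r"^RP(\d+)$")


def oldest_restore_point(sv_info):
    """Lowest-numbered RPnnn folder that has a snapshot subfolder, or None."""
    found = []
    for restore_dir in os.listdir(sv_info):
        base = os.path.join(sv_info, restore_dir)
        if not (restore_dir.startswith("_restore") and os.path.isdir(base)):
            continue
        for name in os.listdir(base):
            m = RP_RE.match(name)
            if m and os.path.isdir(os.path.join(base, name, "snapshot")):
                found.append((int(m.group(1)), os.path.join(base, name)))
    return min(found)[1] if found else None


def backup_config(config_dir, backup_root):
    """Copy the whole Config folder to a timestamped backup directory."""
    dest = os.path.join(backup_root, "Config." + datetime.now().strftime("%Y%m%d-%H%M%S"))
    shutil.copytree(config_dir, dest)
    return dest


def restore_hives(windows_dir, sv_info, backup_root, hives=DEFAULT_HIVES, rp_dir=None):
    """Overwrite the chosen hives in System32\\Config with the snapshot copies.
    Nothing is written unless every requested snapshot file exists, and the
    Config folder is backed up first.  Returns {hive: snapshot source path}."""
    config_dir = os.path.join(windows_dir, "System32", "Config")
    rp_dir = rp_dir or oldest_restore_point(sv_info)
    if rp_dir is None:
        raise FileNotFoundError("no RPnnn/snapshot folder under " + sv_info)
    sources = {}
    for snap_name, hive in HIVE_MAP.items():
        if hive in hives:
            src = os.path.join(rp_dir, "snapshot", snap_name)
            if not os.path.isfile(src):
                raise FileNotFoundError(src)
            sources[hive] = src
    backup_config(config_dir, backup_root)
    for hive, src in sources.items():
        shutil.copy2(src, os.path.join(config_dir, hive))  # replaces the live hive
    return sources


def build_demo_tree(root):
    """Constructed fake volume: live hives contain 'live-<name>', the RP1 and
    RP2 snapshots contain 'rp1-<name>' and 'rp2-<name>'."""
    config = os.path.join(root, "Windows", "System32", "Config")
    os.makedirs(config)
    for hive in HIVE_MAP.values():
        with open(os.path.join(config, hive), "w") as f:
            f.write("live-" + hive)
    sv_info = os.path.join(root, "System Volume Information")
    for rp in ("RP2", "RP1"):
        snap = os.path.join(sv_info, "_restore{DEMO-GUID}", rp, "snapshot")
        os.makedirs(snap)
        for snap_name, hive in HIVE_MAP.items():
            with open(os.path.join(snap, snap_name), "w") as f:
                f.write(rp.lower() + "-" + hive)
    return os.path.join(root, "Windows"), sv_info


def run_demo():
    """Restore on a constructed tree in a temp dir; returns live hive contents."""
    root = tempfile.mkdtemp()
    try:
        windows_dir, sv_info = build_demo_tree(root)
        restore_hives(windows_dir, sv_info, os.path.join(root, "backup"))
        config = os.path.join(windows_dir, "System32", "Config")
        contents = {}
        for hive in HIVE_MAP.values():
            with open(os.path.join(config, hive)) as f:
                contents[hive] = f.read()
        return contents
    finally:
        shutil.rmtree(root)
```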

Posted in Windows XP

Case of the IE Hangs - Citrix HDX Flash Redirection

To start with, I wanted to capture the IE hangs properly. In modern versions of Internet Explorer, before you capture hang dumps you ideally want to set the TabProcGrowth value to 0 under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.

This forces IE to put all tabs in the one process. This can decrease stability, but ensures we can see everything IE is doing in a single process memory snapshot.

Be aware that on IE10 or later on 64-bit platforms this setting can cause compatibility issues: http://support.microsoft.com/kb/2716529

Next, I prefer to capture about 3 dmp files, about 10 seconds apart. If you have no tools installed you can use Task Manager.

Or you can use ProcDump ( http://live.sysinternals.com/ProcDump.exe ) to detect the hang automatically (there must be only one iexplore.exe process for this to work; otherwise replace iexplore.exe with the PID).

This simple batch file waits for IE to hang, then generates 3 consecutive dmp files:

procdump.exe -h -ma -x c:\dumps iexplore.exe
ping 1.1.1.1 -w 10000 -n 1
procdump.exe -h -ma -x c:\dumps iexplore.exe
ping 1.1.1.1 -w 10000 -n 1
procdump.exe -h -ma -x c:\dumps iexplore.exe

Alternatively you can use AdPlus.exe from the Debugging Tools for Windows, which you can initiate manually in a hang situation. This has the benefit of generating a log file, which is useful if you are getting someone else to collect the dmp files and they are having trouble doing so:

adplus -hang -pn iexplore.exe -o C:\dumps -quiet
ping 1.1.1.1 -w 10000 -n 1
adplus -hang -pn iexplore.exe -o C:\dumps -quiet
ping 1.1.1.1 -w 10000 -n 1
adplus -hang -pn iexplore.exe -o C:\dumps -quiet

After reproducing some hangs I had a collection of 5 sets of 3 dump files. Once I opened a dmp file in WinDbg I started with !analyze -v -hang:

FAULTING_IP:
+0
00000000 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
   ExceptionCode: 80000007 (Wake debugger)
  ExceptionFlags: 00000000
NumberParameters: 0

BUGCHECK_STR:  HANG

PROCESS_NAME:  iexplore.exe

ERROR_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>

DETOURED_IMAGE: 1

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

DERIVED_WAIT_CHAIN: 

Dl Eid Cid     WaitType
-- --- ------- --------------------------
   0   3e18.5ae0 SendMessage           

WAIT_CHAIN_COMMAND:  ~0s;k;;

BLOCKING_THREAD:  00005ae0

DEFAULT_BUCKET_ID:  APPLICATION_HANG_BusyHang

PRIMARY_PROBLEM_CLASS:  APPLICATION_HANG_BusyHang

LAST_CONTROL_TRANSFER:  from 74a874bb to 74a872b9

FAULTING_THREAD:  00000000

STACK_TEXT: 
003ee130 74a874bb 00040274 00000112 0000f120 user32!NtUserMessageCall+0x15
003ee1bc 74a86a8c 01425b10 00000000 00000112 user32!RealDefWindowProcWorker+0x73
003ee1dc 64d27744 00040274 00000112 0000f120 user32!RealDefWindowProcW+0x4a
003ee1f4 64d2a092 003ee220 03f150f8 003ee258 uxtheme!DoMsgDefault+0x2d
003ee204 64d20b0d 03f150f8 003ee220 00003fff uxtheme!OnDwpSysCommand+0x47
003ee258 64d20b96 00000000 00000000 0000f120 uxtheme!_ThemeDefWindowProc+0x13c
003ee274 74a8729a 00040274 00000112 0000f120 uxtheme!ThemeDefWindowProcW+0x18
003ee2bc 59247cda 00040274 00000112 0000f120 user32!DefWindowProcW+0x68
003ee2d8 592487b0 00040274 00000112 0000f120 ieframe!Detour_DefWindowProcW+0x18
003ee34c 59241fe3 00040274 00000112 0000f120 ieframe!CBrowserFrame::v_WndProc+0xd3e
003ee370 74a862fa 00040274 00000112 0000f120 ieframe!CImpWndProc::s_WndProc+0x68
003ee39c 74a87316 59241fa1 00040274 00000112 user32!InternalCallWinProc+0x23
003ee414 74a8965e 00000000 59241fa1 00040274 user32!UserCallWinProcCheckWow+0xd8
003ee458 74a896c5 01425b10 00000000 59241fa1 user32!SendMessageWorker+0x581
003ee47c 64d2a173 00040274 00000112 0000f120 user32!SendMessageW+0x7f
003ee4a4 64d20b0d 03f150f8 003ee4c0 00003fff uxtheme!OnDwpNcLButtonDown+0xc7
003ee4f8 64d20b96 00000000 00000000 00000009 uxtheme!_ThemeDefWindowProc+0x13c
003ee514 74a8729a 00040274 000000a1 00000009 uxtheme!ThemeDefWindowProcW+0x18
003ee55c 59247cda 00040274 000000a1 00000009 user32!DefWindowProcW+0x68
003ee578 592487b0 00040274 000000a1 00000009 ieframe!Detour_DefWindowProcW+0x18
003ee5ec 59241fe3 00040274 000000a1 00000009 ieframe!CBrowserFrame::v_WndProc+0xd3e
003ee610 74a862fa 00040274 000000a1 00000009 ieframe!CImpWndProc::s_WndProc+0x68
003ee63c 74a86d3a 59241fa1 00040274 000000a1 user32!InternalCallWinProc+0x23
003ee6b4 74a877c4 00000000 59241fa1 00040274 user32!UserCallWinProcCheckWow+0x109
003ee714 74a8788a 59241fa1 00000000 003ee798 user32!DispatchMessageWorker+0x3bc
003ee724 59241e74 003ee740 005795c8 04664f00 user32!DispatchMessageW+0xf
003ee798 59228df7 004c4788 0057f200 00000001 ieframe!CBrowserFrame::FrameMessagePump+0x38c
003ee7fc 59264501 00000000 004c4788 74e71420 ieframe!BrowserThreadProc+0x258
003ee824 59264459 004c4788 004c4824 004c4788 ieframe!BrowserNewThreadProc+0x95
003ef89c 592642f7 004c4788 75089058 75088861 ieframe!SHOpenFolderWindow+0x10f
003efac4 59264161 00501f20 00000001 00000000 ieframe!IEWinMain+0x1a7
003efb08 01333958 00501f20 00000001 00000000 ieframe!LCIEStartAsFrame+0x457
003efb50 0133131a 01330000 00000000 004c2d88 iexplore!wWinMain+0x3e9
003efbe4 74e7338a 7efde000 003efc30 7709bf32 iexplore!_initterm_e+0x1b0
003efbf0 7709bf32 7efde000 62daa4f5 00000000 kernel32!BaseThreadInitThunk+0xe
003efc30 7709bf05 013326b0 7efde000 ffffffff ntdll!__RtlUserThreadStart+0x70
003efc48 00000000 013326b0 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b

FOLLOWUP_IP:
uxtheme!ThemeDefWindowProcW+18
64d20b96 5d              pop     ebp

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  uxtheme!ThemeDefWindowProcW+18

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: uxtheme

IMAGE_NAME:  uxtheme.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bdb3c

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  HANG_DETOURED_uxtheme!ThemeDefWindowProcW+18

FAILURE_BUCKET_ID:  APPLICATION_HANG_BusyHang_cfffffff_uxtheme.dll!ThemeDefWindowProcW

WATSON_STAGEONE_URL:  http://watson.microsoft.com/00000000.htm?Retriage=1

Followup: MachineOwner
---------

0:000> lmvm uxtheme
start    end        module name
64d10000 64d90000   uxtheme    (pdb symbols)          g:\symbols\wuxtheme.pdb\20C669C0018E406295BFA56B7C93850F2\wuxtheme.pdb
    Loaded symbol image file: uxtheme.dll
    Image path: C:\Windows\System32\uxtheme.dll
    Image name: uxtheme.dll
    Timestamp:        Tue Jul 14 11:11:24 2009 (4A5BDB3C)
    CheckSum:         000479E1
    ImageSize:        00080000
    File version:     6.1.7600.16385
    Product version:  6.1.7600.16385
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     UxTheme.dll
    OriginalFilename: UxTheme.dll
    ProductVersion:   6.1.7600.16385
    FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)
    FileDescription:  Microsoft UxTheme Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

 

In this case !analyze -v is showing us that the UI thread is hung, which is correct, but it’s not the root cause of the hang.

Checking for deadlocks with !locks, we can see a critical section with a high lock count and contention count. Understanding critical sections is essential for Windows hang analysis; a good starting point is the MSDN documentation here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682530(v=vs.85).aspx

0:000> !locks

CritSec ntdll!LdrpLoaderLock+0 at 771620c0
WaiterWoken        No
LockCount          27
RecursionCount     1
OwningThread       5da8
EntryCount         0
ContentionCount    125
*** Locked

CritSec PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+7a1d30 at 53753ea0
WaiterWoken        No
LockCount          0
RecursionCount     1
OwningThread       5da8
EntryCount         0
ContentionCount    0
*** Locked

CritSec +ee88e80 at 0ee88e80
WaiterWoken        No
LockCount          0
RecursionCount     1
OwningThread       5da8
EntryCount         0
ContentionCount    0
*** Locked

Scanned 2706 critical sections

We can view the thread status with the ~ command, and here you also see:

  • thread #
  • ID: the Process ID and Thread ID (in WinDbg often referred to as the CID, a shortcut for the undocumented CLIENT_ID structure; see the free book “Undocumented Windows 2000 Secrets”, http://undocumented.rawol.com/)
  • TEB (Thread Environment Block)

0:000> ~
.  0  Id: 3e18.5ae0 Suspend: 1 Teb: 7efdd000 Unfrozen
   1  Id: 3e18.5c7c Suspend: 1 Teb: 7efda000 Unfrozen
   2  Id: 3e18.1454 Suspend: 1 Teb: 7efd7000 Unfrozen
   3  Id: 3e18.5780 Suspend: 1 Teb: 7efac000 Unfrozen
   4  Id: 3e18.4808 Suspend: 1 Teb: 7efa9000 Unfrozen
   5  Id: 3e18.59cc Suspend: 1 Teb: 7efa6000 Unfrozen
   6  Id: 3e18.30a8 Suspend: 1 Teb: 7ef9f000 Unfrozen
   7  Id: 3e18.39d4 Suspend: 1 Teb: 7ef9c000 Unfrozen
   8  Id: 3e18.47a8 Suspend: 1 Teb: 7ef99000 Unfrozen
   9  Id: 3e18.4f94 Suspend: 1 Teb: 7ef96000 Unfrozen
  10  Id: 3e18.34ac Suspend: 1 Teb: 7ef8f000 Unfrozen
  11  Id: 3e18.2478 Suspend: 1 Teb: 7ef8c000 Unfrozen
  12  Id: 3e18.34d8 Suspend: 1 Teb: 7ef89000 Unfrozen
  13  Id: 3e18.d44 Suspend: 1 Teb: 7ef83000 Unfrozen
  14  Id: 3e18.5db0 Suspend: 1 Teb: 7ef7f000 Unfrozen
  15  Id: 3e18.4f1c Suspend: 1 Teb: 7ef79000 Unfrozen
  16  Id: 3e18.35e0 Suspend: 1 Teb: 7ef76000 Unfrozen
  17  Id: 3e18.31b4 Suspend: 1 Teb: 7ef73000 Unfrozen
  18  Id: 3e18.3d88 Suspend: 1 Teb: 7ef93000 Unfrozen
  19  Id: 3e18.4dec Suspend: 1 Teb: 7ef7c000 Unfrozen
  20  Id: 3e18.4bc4 Suspend: 1 Teb: 7ef6f000 Unfrozen
  21  Id: 3e18.2994 Suspend: 1 Teb: 7ef6c000 Unfrozen
  22  Id: 3e18.3ddc Suspend: 1 Teb: 7ef66000 Unfrozen
  23  Id: 3e18.5b68 Suspend: 1 Teb: 7ef63000 Unfrozen
  24  Id: 3e18.4bac Suspend: 1 Teb: 7ef5f000 Unfrozen
  25  Id: 3e18.38c4 Suspend: 1 Teb: 7ef5c000 Unfrozen
  26  Id: 3e18.3824 Suspend: 1 Teb: 7ef56000 Unfrozen
  27  Id: 3e18.41c8 Suspend: 1 Teb: 7ef53000 Unfrozen
  28  Id: 3e18.dac Suspend: 1 Teb: 7ef49000 Unfrozen
  29  Id: 3e18.1a9c Suspend: 1 Teb: 7ef3f000 Unfrozen
  30  Id: 3e18.22cc Suspend: 1 Teb: 7ef39000 Unfrozen
  31  Id: 3e18.3084 Suspend: 1 Teb: 7ef36000 Unfrozen
  32  Id: 3e18.4118 Suspend: 1 Teb: 7ef1c000 Unfrozen
  33  Id: 3e18.458c Suspend: 1 Teb: 7ef19000 Unfrozen
  34  Id: 3e18.4b90 Suspend: 1 Teb: 7ef4f000 Unfrozen
  35  Id: 3e18.3c18 Suspend: 1 Teb: 7ef46000 Unfrozen
  36  Id: 3e18.5da8 Suspend: 1 Teb: 7ef69000 Unfrozen
  37  Id: 3e18.4b84 Suspend: 1 Teb: 7ef4c000 Unfrozen
  38  Id: 3e18.5a40 Suspend: 1 Teb: 7ef29000 Unfrozen
  39  Id: 3e18.2bbc Suspend: 1 Teb: 7ef1f000 Unfrozen
  40  Id: 3e18.2a14 Suspend: 1 Teb: 7ef13000 Unfrozen
  41  Id: 3e18.16ac Suspend: 1 Teb: 7ef03000 Unfrozen
  42  Id: 3e18.5ddc Suspend: 1 Teb: 7ef33000 Unfrozen
  43  Id: 3e18.31b0 Suspend: 1 Teb: 7ef09000 Unfrozen
  44  Id: 3e18.23c4 Suspend: 1 Teb: 7eef6000 Unfrozen
  45  Id: 3e18.5f54 Suspend: 1 Teb: 7eef3000 Unfrozen
  46  Id: 3e18.1880 Suspend: 1 Teb: 7eeef000 Unfrozen
  47  Id: 3e18.58f0 Suspend: 1 Teb: 7eeec000 Unfrozen
  48  Id: 3e18.4f18 Suspend: 1 Teb: 7eee9000 Unfrozen
  49  Id: 3e18.321c Suspend: 1 Teb: 7eee6000 Unfrozen
  50  Id: 3e18.a64 Suspend: 1 Teb: 7eee3000 Unfrozen
  51  Id: 3e18.4828 Suspend: 1 Teb: 7ef86000 Unfrozen
  52  Id: 3e18.2f00 Suspend: 1 Teb: 7ef59000 Unfrozen
  53  Id: 3e18.2e24 Suspend: 1 Teb: 7eedf000 Unfrozen
  54  Id: 3e18.5b9c Suspend: 1 Teb: 7eedc000 Unfrozen
  55  Id: 3e18.37c4 Suspend: 1 Teb: 7ef26000 Unfrozen
  56  Id: 3e18.3de4 Suspend: 1 Teb: 7ef23000 Unfrozen
  57  Id: 3e18.2b80 Suspend: 1 Teb: 7efaf000 Unfrozen
  58  Id: 3e18.518c Suspend: 1 Teb: 7efa3000 Unfrozen
  59  Id: 3e18.6090 Suspend: 1 Teb: 7ef43000 Unfrozen
  60  Id: 3e18.42bc Suspend: 1 Teb: 7ef3c000 Unfrozen
  61  Id: 3e18.6074 Suspend: 1 Teb: 7ef2f000 Unfrozen
  62  Id: 3e18.4038 Suspend: 1 Teb: 7ef2c000 Unfrozen
  63  Id: 3e18.4c4 Suspend: 1 Teb: 7ef16000 Unfrozen
0:000> ~36s
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000cc8 edi=00000000
eip=7707f8d1 esp=0d9eb37c ebp=0d9eb3e8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwWaitForSingleObject+0x15:
7707f8d1 83c404          add     esp,4
0:036> kv
ChildEBP RetAddr  Args to Child             
0d9eb37c 767414ab 00000cc8 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0d9eb3e8 74e71194 00000cc8 ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
0d9eb400 74e71148 00000cc8 ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
0d9eb414 5a7a31e2 00000cc8 ffffffff 0ee88e80 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
0d9eb434 5a7a3359 0d9ee6a8 00000000 52fb0000 MMDevAPI!CDeviceEnumerator::DestroyHWndNotificationThread+0xf6 (FPO: [Non-Fpo])
0d9eb444 5a7a24c0 00000003 00050418 00000000 MMDevAPI!CDeviceEnumerator::ReleaseHWndNotification+0x29 (FPO: [0,0,4])
0d9eb458 5305bc4f 0ee88e00 011ce808 5c0eaf18 MMDevAPI!CDeviceEnumerator::UnregisterEndpointNotificationCallback+0x7e (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0d9ebcbc 5305b3fb 5c0ed6b4 011ce528 73736553 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xa9adf <- likely culprit
0d9ec510 5305ec4f 011ce528 0d9ecd88 53022718 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xa928b
0d9ec51c 53022718 00000001 5c0ede2c cccccccc PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xacadf
0d9ecd88 53022297 5c0ec64c 011bd900 011e0e20 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x705a8
0d9ed5e8 53066055 5c0ecdf0 011cef20 011e0ff0 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x70127
0d9ede54 52fb25b1 5c0ef510 0d9ef7ac 00000003 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xb3ee5
0d9ee6b4 52fbaf16 011e0e20 0d9eef58 530653c1 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x441
0d9ee6c0 530653c1 00000001 5c0efcfc 0d9ee6fc PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x8da6
0d9eef58 52fb10f7 5c0ee41c 00000000 00000003 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xb3251
0d9ef7b8 52fdb209 52fb0000 00000003 00000000 PseudoServerInproc2+0x10f7
0d9ef7fc 52fdb2c2 52fb0000 665d1fed 52fb0000 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x29099
0d9ef82c 665d1f5d 52fb0000 00000003 00000000 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x29152
0d9ef860 7709b990 52fb0000 00000003 00000000 IEShims!CShimBindings::s_DllMainHook+0x4a (FPO: [Non-Fpo])
0d9ef880 770b659f 665d1f14 52fb0000 00000003 ntdll!LdrpCallInitRoutine+0x14
0d9ef924 770b6786 00000000 00000000 0d9ef94c ntdll!LdrShutdownThread+0xe6 (FPO: [Non-Fpo])
0d9ef934 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0d9ef94c 74e7338a 07c1f260 0d9ef998 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
0d9ef958 7709bf32 07c1f260 6f7aa15d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0d9ef998 7709bf05 5924fe98 07c1f260 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0d9ef9b0 00000000 5924fe98 07c1f260 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

From this we can work out that the issue occurs when audio is being shut down: thread 36 (5da8) is running a DLL thread-detach routine under ntdll!LdrShutdownThread, so it owns the loader lock (ntdll!LdrpLoaderLock at 771620c0, the contended critical section in the !locks output), and inside that routine PseudoServerInproc2 calls into MMDevAPI, which blocks in WaitForSingleObject inside CDeviceEnumerator::DestroyHWndNotificationThread. A critical section is held by a thread that can never proceed, and a deadlock is created. In this case ~40% of the threads, including the primary user interface thread, are waiting for access to that critical section at 771620c0.

The critical section a thread is waiting on can be found by looking at the first argument to ntdll!RtlEnterCriticalSection in the kv output (771620c0 in thread 1 below), and you can inspect one with the command !critsec <address>.

We can also see many additional 3rd-party components loaded, so we won’t be surprised if we see more issues once this one is resolved.
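To make the mapping from the !locks output to the owning thread number and the waiters mechanical, here is an added Python script that is not part of the original post. Its three sample strings are constructed, abridged copies of the !locks, ~ and ~*kv output on this page, and its frame pattern assumes the x86 kv column layout shown here.

```python
"""Correlate WinDbg '!locks', '~' and '~*kv' output: find the most contended
critical section, the number of its owning thread and the threads blocked on it.
Added example, not from the original post; the three sample strings are
constructed, abridged copies of the debugger output quoted above."""
import re

# Constructed sample: abridged '!locks' output.
LOCKS_OUTPUT = """\
CritSec ntdll!LdrpLoaderLock+0 at 771620c0
WaiterWoken        No
LockCount          27
RecursionCount     1
OwningThread       5da8
EntryCount         0
ContentionCount    125
*** Locked

CritSec +ee88e80 at 0ee88e80
LockCount          0
RecursionCount     1
OwningThread       5da8
ContentionCount    0
*** Locked

Scanned 2706 critical sections
"""

# Constructed sample: abridged '~' thread list (thread number, PID.TID).
THREAD_LIST = """\
.  0  Id: 3e18.5ae0 Suspend: 1 Teb: 7efdd000 Unfrozen
   1  Id: 3e18.5c7c Suspend: 1 Teb: 7efda000 Unfrozen
  36  Id: 3e18.5da8 Suspend: 1 Teb: 7ef69000 Unfrozen
"""

# Constructed sample: abridged '~*kv' output for two of the threads.
STACKS_OUTPUT = """\
#  0  Id: 3e18.5ae0 Suspend: 1 Teb: 7efdd000 Unfrozen
ChildEBP RetAddr  Args to Child
003ee130 74a874bb 00040274 00000112 0000f120 user32!NtUserMessageCall+0x15 (FPO: [7,0,0])

   1  Id: 3e18.5c7c Suspend: 1 Teb: 7efda000 Unfrozen
ChildEBP RetAddr  Args to Child
031af2c8 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
031af32c 7709b398 00000000 00000000 00000001 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
031af354 77096c20 771620c0 61feab49 00000000 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
031af38c 7674190f 00000001 00000000 031af3b4 ntdll!LdrLockLoaderLock+0xe4 (FPO: [Non-Fpo])
"""

CRITSEC_RE = re.compile(r"^CritSec (\S+) at ([0-9a-f]+)")
THREAD_RE = re.compile(r"^[.#]?\s*(\d+)\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)", re.M)
# x86 kv columns: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol; we keep Arg1 and Symbol.
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} ([0-9a-f]{8}) [0-9a-f]{8} [0-9a-f]{8} (\S+)")


def parse_locks(text):
    """One dict per 'CritSec <symbol> at <addr>' block, counters as ints."""
    locks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = CRITSEC_RE.match(block)
        if not m:  # e.g. the 'Scanned N critical sections' trailer
            continue
        fields = dict(re.findall(r"^(\w+)\s+(\S+)\s*$", block, re.M))
        locks.append({"symbol": m.group(1), "address": m.group(2),
                      "lock_count": int(fields.get("LockCount", 0)),
                      "contention": int(fields.get("ContentionCount", 0)),
                      "owner_tid": fields.get("OwningThread", "").lower()})
    return locks


def parse_threads(text):
    """Map hex thread id -> debugger thread number from '~' output."""
    return {tid.lower(): int(num) for num, _pid, tid in THREAD_RE.findall(text)}


def blocked_waiters(stacks_text, critsec_addr):
    """Thread numbers whose '~*kv' stack is inside ntdll!RtlEnterCriticalSection
    with critsec_addr as the first argument (each thread counted once)."""
    waiters, current = [], None
    for line in stacks_text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        f = FRAME_RE.match(line)
        if (f and current is not None and current not in waiters
                and f.group(2).startswith("ntdll!RtlEnterCriticalSection")
                and f.group(1) == critsec_addr):
            waiters.append(current)
    return waiters


def analyze(locks_text, thread_list_text, stacks_text):
    """Pick the critical section with the highest LockCount and attach the
    owner's thread number (the N in ~Ns) and the threads waiting on it."""
    hot = max(parse_locks(locks_text), key=lambda lock: lock["lock_count"])
    hot["owner_thread"] = parse_threads(thread_list_text).get(hot["owner_tid"])
    hot["waiters"] = blocked_waiters(stacks_text, hot["address"])
    return hot
```

On the full output from this dump the waiters list is what backs the "~40% of threads" observation, and the owner thread number is the one to switch to with ~Ns.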

 

0:036> ~*kv

#  0  Id: 3e18.5ae0 Suspend: 1 Teb: 7efdd000 Unfrozen
ChildEBP RetAddr  Args to Child             
003ee130 74a874bb 00040274 00000112 0000f120 user32!NtUserMessageCall+0x15 (FPO: [7,0,0])
003ee1bc 74a86a8c 01425b10 00000000 00000112 user32!RealDefWindowProcWorker+0x73 (FPO: [Non-Fpo])
003ee1dc 64d27744 00040274 00000112 0000f120 user32!RealDefWindowProcW+0x4a (FPO: [Non-Fpo])
003ee1f4 64d2a092 003ee220 03f150f8 003ee258 uxtheme!DoMsgDefault+0x2d (FPO: [Non-Fpo])
003ee204 64d20b0d 03f150f8 003ee220 00003fff uxtheme!OnDwpSysCommand+0x47 (FPO: [Non-Fpo])
003ee258 64d20b96 00000000 00000000 0000f120 uxtheme!_ThemeDefWindowProc+0x13c (FPO: [Non-Fpo])
003ee274 74a8729a 00040274 00000112 0000f120 uxtheme!ThemeDefWindowProcW+0x18 (FPO: [Non-Fpo])
003ee2bc 59247cda 00040274 00000112 0000f120 user32!DefWindowProcW+0x68 (FPO: [Non-Fpo])
003ee2d8 592487b0 00040274 00000112 0000f120 ieframe!Detour_DefWindowProcW+0x18 (FPO: [Non-Fpo])
003ee34c 59241fe3 00040274 00000112 0000f120 ieframe!CBrowserFrame::v_WndProc+0xd3e (FPO: [4,19,4])
003ee370 74a862fa 00040274 00000112 0000f120 ieframe!CImpWndProc::s_WndProc+0x68 (FPO: [Non-Fpo])
003ee39c 74a87316 59241fa1 00040274 00000112 user32!InternalCallWinProc+0x23
003ee414 74a8965e 00000000 59241fa1 00040274 user32!UserCallWinProcCheckWow+0xd8 (FPO: [Non-Fpo])
003ee458 74a896c5 01425b10 00000000 59241fa1 user32!SendMessageWorker+0x581 (FPO: [Non-Fpo])
003ee47c 64d2a173 00040274 00000112 0000f120 user32!SendMessageW+0x7f (FPO: [Non-Fpo])
003ee4a4 64d20b0d 03f150f8 003ee4c0 00003fff uxtheme!OnDwpNcLButtonDown+0xc7 (FPO: [Non-Fpo])
003ee4f8 64d20b96 00000000 00000000 00000009 uxtheme!_ThemeDefWindowProc+0x13c (FPO: [Non-Fpo])
003ee514 74a8729a 00040274 000000a1 00000009 uxtheme!ThemeDefWindowProcW+0x18 (FPO: [Non-Fpo])
003ee55c 59247cda 00040274 000000a1 00000009 user32!DefWindowProcW+0x68 (FPO: [Non-Fpo])
003ee578 592487b0 00040274 000000a1 00000009 ieframe!Detour_DefWindowProcW+0x18 (FPO: [Non-Fpo])
003ee5ec 59241fe3 00040274 000000a1 00000009 ieframe!CBrowserFrame::v_WndProc+0xd3e (FPO: [4,19,4])
003ee610 74a862fa 00040274 000000a1 00000009 ieframe!CImpWndProc::s_WndProc+0x68 (FPO: [Non-Fpo])
003ee63c 74a86d3a 59241fa1 00040274 000000a1 user32!InternalCallWinProc+0x23
003ee6b4 74a877c4 00000000 59241fa1 00040274 user32!UserCallWinProcCheckWow+0x109 (FPO: [Non-Fpo])
003ee714 74a8788a 59241fa1 00000000 003ee798 user32!DispatchMessageWorker+0x3bc (FPO: [Non-Fpo])
003ee724 59241e74 003ee740 005795c8 04664f00 user32!DispatchMessageW+0xf (FPO: [Non-Fpo])
003ee798 59228df7 004c4788 0057f200 00000001 ieframe!CBrowserFrame::FrameMessagePump+0x38c (FPO: [Non-Fpo])
003ee7fc 59264501 00000000 004c4788 74e71420 ieframe!BrowserThreadProc+0x258 (FPO: [Non-Fpo])
003ee824 59264459 004c4788 004c4824 004c4788 ieframe!BrowserNewThreadProc+0x95 (FPO: [1,3,4])
003ef89c 592642f7 004c4788 75089058 75088861 ieframe!SHOpenFolderWindow+0x10f (FPO: [Non-Fpo])
003efac4 59264161 00501f20 00000001 00000000 ieframe!IEWinMain+0x1a7 (FPO: [Non-Fpo])
003efb08 01333958 00501f20 00000001 00000000 ieframe!LCIEStartAsFrame+0x457 (FPO: [Non-Fpo])
003efb50 0133131a 01330000 00000000 004c2d88 iexplore!wWinMain+0x3e9 (FPO: [4,9,4])
003efbe4 74e7338a 7efde000 003efc30 7709bf32 iexplore!_initterm_e+0x1b0 (FPO: [Non-Fpo])
003efbf0 7709bf32 7efde000 62daa4f5 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
003efc30 7709bf05 013326b0 7efde000 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
003efc48 00000000 013326b0 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   1  Id: 3e18.5c7c Suspend: 1 Teb: 7efda000 Unfrozen
ChildEBP RetAddr  Args to Child             
031af2c8 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
031af32c 7709b398 00000000 00000000 00000001 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
031af354 77096c20 771620c0 61feab49 00000000 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
031af38c 7674190f 00000001 00000000 031af3b4 ntdll!LdrLockLoaderLock+0xe4 (FPO: [Non-Fpo])
031af3d8 5c3c7835 64cc0000 13fe8140 00000103 KERNELBASE!GetModuleFileNameW+0x75 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
031af418 5c3c5c2f cdb656cc 03381a00 033b4978 rsintcor32+0x7835
031af44c 5c3c7229 64cc0000 741c14c5 03381a00 rsintcor32+0x5c2f
031af69c 741c1749 03381a00 03381a00 03381a00 rsintcor32+0x7229
031af6c8 741c196f 00000228 741c1622 03381a00 csma_ldr32+0x1749
031af714 741c16bc 741c1962 741c2566 74e71432 csma_ldr32+0x196f
031af75c 741c272c cdb95aa2 00000000 00000000 csma_ldr32+0x16bc
031af7b0 74133433 00000000 cdb95a64 00000000 csma_ldr32!DllUnregisterServer+0x70d
031af7e8 741334c7 00000000 031af800 74e7338a msvcr90!_endthreadex+0x44 (FPO: [Non-Fpo])
031af7f4 74e7338a 03381a00 031af840 7709bf32 msvcr90!_endthreadex+0xd8 (FPO: [Non-Fpo])
031af800 7709bf32 03381a00 61fea085 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
031af840 7709bf05 7413345e 03381a00 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
031af858 00000000 7413345e 03381a00 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   2  Id: 3e18.1454 Suspend: 1 Teb: 7efd7000 Unfrozen
ChildEBP RetAddr  Args to Child             
036afaec 7709c6c5 00000023 00526270 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
036afc80 74e7338a 00000000 036afccc 7709bf32 ntdll!TppWaiterpThread+0x33d (FPO: [Non-Fpo])
036afc8c 7709bf32 00526240 618ea409 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
036afccc 7709bf05 7709c599 00526240 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
036afce4 00000000 7709c599 00526240 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   3  Id: 3e18.5780 Suspend: 1 Teb: 7efac000 Unfrozen
ChildEBP RetAddr  Args to Child             
0464ea24 767415f7 00000002 0464ea74 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
0464eac0 74e719f8 0464ea74 0464eae8 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
0464eb08 74e74200 00000002 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
0464eb24 75093e16 00000002 0055b798 00000000 kernel32!WaitForMultipleObjects+0x18 (FPO: [Non-Fpo])
0464fb4c 750b2f6a 0055b748 0464fb70 5924febb iertutil!CForeignProcessToCurrentProcessMessaging::_vThreadProc+0xa5 (FPO: [Non-Fpo])
0464fb58 5924febb 00577b98 00000000 00000000 iertutil!CForeignProcessToCurrentProcessMessaging::_sThreadProc+0xe (FPO: [Non-Fpo])
0464fb70 74e7338a 0055b748 0464fbbc 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0464fb7c 7709bf32 0055b748 6680a379 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0464fbbc 7709bf05 5924fe98 0055b748 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0464fbd4 00000000 5924fe98 0055b748 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   4  Id: 3e18.4808 Suspend: 1 Teb: 7efa9000 Unfrozen
ChildEBP RetAddr  Args to Child             
0486f730 767415f7 00000001 0486f780 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
0486f7cc 74e719f8 0486f780 0486f7f4 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
0486f814 74a9086a 00000001 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
0486f868 750a874c 00000708 00000000 ffffffff user32!RealMsgWaitForMultipleObjectsEx+0x14d (FPO: [Non-Fpo])
0486f8c4 750b2e2f 00000001 00000000 750b2dd4 iertutil!IsoThreadWindowsPumpInit+0x266 (FPO: [Non-Fpo])
0486f8e8 5924febb 0056cc80 00000000 00000000 iertutil!IsoManagerThreadNonzero_WindowsPump+0x5b (FPO: [Non-Fpo])
0486f900 74e7338a 0055b768 0486f94c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0486f90c 7709bf32 0055b768 6662a189 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0486f94c 7709bf05 5924fe98 0055b768 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0486f964 00000000 5924fe98 0055b768 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   5  Id: 3e18.59cc Suspend: 1 Teb: 7efa6000 Unfrozen
ChildEBP RetAddr  Args to Child             
04b2fc74 767415f7 00000003 04b2fcc4 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
04b2fd10 74e719f8 04b2fcc4 04b2fd38 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
04b2fd58 74e74200 00000003 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
04b2fd74 59263f31 00000003 04b2fd98 00000000 kernel32!WaitForMultipleObjects+0x18 (FPO: [Non-Fpo])
04b2fda8 5924febb 00000001 00000000 00000000 ieframe!MTAThread+0x54 (FPO: [Non-Fpo])
04b2fdc0 74e7338a 0055b7a8 04b2fe0c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
04b2fdcc 7709bf32 0055b7a8 6656a6c9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
04b2fe0c 7709bf05 5924fe98 0055b7a8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
04b2fe24 00000000 5924fe98 0055b7a8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   6  Id: 3e18.30a8 Suspend: 1 Teb: 7ef9f000 Unfrozen
ChildEBP RetAddr  Args to Child             
04e6fe1c 76743bd5 00000000 04e6fe60 cb691217 ntdll!ZwDelayExecution+0x15 (FPO: [2,0,0])
04e6fe84 767444a5 0000ea60 00000000 04e6febc KERNELBASE!SleepEx+0x65 (FPO: [Non-Fpo])
04e6fe94 74b9d98d 0000ea60 00578278 74b9cd48 KERNELBASE!Sleep+0xf (FPO: [Non-Fpo])
04e6fea0 74b9cd48 00000000 74b9d864 00578278 ole32!CROIDTable::WorkerThreadLoop+0x14 (FPO: [1,0,4]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\refcache.cxx @ 1345]
04e6febc 74b9d87a 74b9d864 0055b878 04e6fee4 ole32!CRpcThread::WorkerLoop+0x26 (FPO: [Non-Fpo]) (CONV: thiscall) [d:\w7rtm\com\ole32\com\dcomrem\threads.cxx @ 257]
04e6fecc 5924febb 00578278 00000000 00000000 ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x16 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\threads.cxx @ 63]
04e6fee4 74e7338a 0055b878 04e6ff30 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
04e6fef0 7709bf32 0055b878 6602a7f5 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
04e6ff30 7709bf05 5924fe98 0055b878 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
04e6ff48 00000000 5924fe98 0055b878 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   7  Id: 3e18.39d4 Suspend: 1 Teb: 7ef9c000 Unfrozen
ChildEBP RetAddr  Args to Child             
04fefcb0 770b1ad0 000002e0 04fefd64 661aa6d5 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
04fefe10 74e7338a 00526478 04fefe5c 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
04fefe1c 7709bf32 00526478 661aa699 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
04fefe5c 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
04fefe74 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   8  Id: 3e18.47a8 Suspend: 1 Teb: 7ef99000 Unfrozen
ChildEBP RetAddr  Args to Child             
051bfa54 767414ab 00000540 00000001 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
051bfac0 74e71194 00000540 ffffffff 00000001 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
051bfad8 67e633b7 00000540 ffffffff 00000001 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
051bfb3c 5924febb 00000000 00000000 00000000 rasman!RasmanServiceMonitorThread+0xe7 (FPO: [Non-Fpo])
051bfb54 74e7338a 005b2eb0 051bfba0 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
051bfb60 7709bf32 005b2eb0 67ffa365 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
051bfba0 7709bf05 5924fe98 005b2eb0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
051bfbb8 00000000 5924fe98 005b2eb0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

   9  Id: 3e18.4f94 Suspend: 1 Teb: 7ef96000 Unfrozen
ChildEBP RetAddr  Args to Child             
0541fa5c 767414ab 00000580 00000000 0541faa4 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0541fac8 74e71194 00000580 001b7740 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
0541fae0 74e71148 00000580 001b7740 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
0541faf4 765dc964 00000580 001b7740 00572a18 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
0541fb14 765dc8be 00572a18 001b7740 00000000 wininet!AutoProxyResolver::WaitForMessage+0x6b (FPO: [Non-Fpo])
0541fb30 765dc825 00572a18 0541fb4c 00000000 wininet!AutoProxyResolver::PumpProxyMessage+0x75 (FPO: [Non-Fpo])
0541fb68 765dc73b 00572a18 765dc631 005b2f30 wininet!AutoProxyResolver::ProcessMessages+0x54 (FPO: [Non-Fpo])
0541fd1c 765dc63e 00572a18 0541fd40 5924febb wininet!AutoProxyResolver::AutoProxyThread+0x12a (FPO: [Non-Fpo])
0541fd28 5924febb 00572a18 00000000 00000000 wininet!AutoProxyResolver::AutoProxyThreadStart+0xd (FPO: [Non-Fpo])
0541fd40 74e7338a 005b2f30 0541fd8c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0541fd4c 7709bf32 005b2f30 67a5a549 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0541fd8c 7709bf05 5924fe98 005b2f30 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0541fda4 00000000 5924fe98 005b2f30 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  10  Id: 3e18.34ac Suspend: 1 Teb: 7ef8f000 Unfrozen
ChildEBP RetAddr  Args to Child             
05b8f904 767415f7 00000002 05b8f954 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
05b8f9a0 74e719f8 05b8f954 05b8f9c8 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
05b8f9e8 74a9086a 00000002 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
05b8fa3c 699e2006 000005c8 05b8fa74 ffffffff user32!RealMsgWaitForMultipleObjectsEx+0x14d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
05b8fa60 699e6b29 000004ff ffffffff 00000001 ieui+0x2006
05b8fa94 699e9344 05b8fad4 00000000 00000000 ieui!SetGadgetParent+0x6fa
05b8fab4 699e92a4 05b8fad4 00000000 00000000 ieui!GetMessageExA+0x3b
05b8fb08 749d1287 00000000 ca093af1 749d12e5 ieui!DllMain+0x407
05b8fb40 749d1328 05b8fb60 5924febb 006bdf88 msvcrt!_endthreadex+0x44 (FPO: [Non-Fpo])
05b8fb48 5924febb 006bdf88 00000000 00000000 msvcrt!_endthreadex+0xce (FPO: [Non-Fpo])
05b8fb60 74e7338a 0465fc68 05b8fbac 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
05b8fb6c 7709bf32 0465fc68 675ca369 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
05b8fbac 7709bf05 5924fe98 0465fc68 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
05b8fbc4 00000000 5924fe98 0465fc68 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  11  Id: 3e18.2478 Suspend: 1 Teb: 7ef8c000 Unfrozen
ChildEBP RetAddr  Args to Child             
05dbf644 770b1ad0 000002dc 05dbf6f8 673faf61 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
05dbf7a4 74e7338a 00526478 05dbf7f0 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
05dbf7b0 7709bf32 00526478 673faf35 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
05dbf7f0 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
05dbf808 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  12  Id: 3e18.34d8 Suspend: 1 Teb: 7ef89000 Unfrozen
ChildEBP RetAddr  Args to Child             
0551fb00 770b1ad0 000002e0 0551fbb4 67b5a4a5 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
0551fc60 74e7338a 00526478 0551fcac 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
0551fc6c 7709bf32 00526478 67b5a469 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0551fcac 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0551fcc4 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  13  Id: 3e18.d44 Suspend: 1 Teb: 7ef83000 Unfrozen
ChildEBP RetAddr  Args to Child             
0624f5d0 767415f7 00000001 0624f620 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
0624f66c 74e719f8 0624f620 0624f694 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
0624f6b4 74a9086a 00000001 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
0624f708 750a874c 00000624 00000000 ffffffff user32!RealMsgWaitForMultipleObjectsEx+0x14d (FPO: [Non-Fpo])
0624f764 750afc2c 00000001 00000000 005aeb00 iertutil!IsoThreadWindowsPumpInit+0x266 (FPO: [Non-Fpo])
0624f778 750b3418 006beae8 0466a3f0 0624f7a0 iertutil!IsoThreadWindowsPump+0x12 (FPO: [Non-Fpo])
0624f788 5924febb 005aeb00 00000000 00000000 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
0624f7a0 74e7338a 0466a3f0 0624f7ec 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0624f7ac 7709bf32 0466a3f0 64c0af29 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0624f7ec 7709bf05 5924fe98 0466a3f0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0624f804 00000000 5924fe98 0466a3f0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  14  Id: 3e18.5db0 Suspend: 1 Teb: 7ef7f000 Unfrozen
ChildEBP RetAddr  Args to Child             
05edf930 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
05edf994 7709b398 00000000 00000000 0000fff8 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
05edf9bc 770b650d 771620c0 6709a291 00526478 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
05edfa54 770b6786 00000002 00000000 05edfbc0 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
05edfa64 770c0289 00000000 6709a305 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
05edfbc0 74e7338a 00526478 05edfc0c 7709bf32 ntdll!TppWorkerThread+0x856 (FPO: [Non-Fpo])
05edfbcc 7709bf32 00526478 6709a4c9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
05edfc0c 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
05edfc24 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  15  Id: 3e18.4f1c Suspend: 1 Teb: 7ef79000 Unfrozen
ChildEBP RetAddr  Args to Child             
0756fc5c 71a1635c 000006c0 0756fc90 0756fc84 ntdll!NtRemoveIoCompletion+0x15 (FPO: [5,0,0])
0756fc88 5924febb 71a164b3 00000000 00000000 mswsock!SockAsyncThread+0x83 (FPO: [Non-Fpo])
0756fca0 74e7338a 0468ffc8 0756fcec 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0756fcac 7709bf32 0468ffc8 65b2a429 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0756fcec 7709bf05 5924fe98 0468ffc8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0756fd04 00000000 5924fe98 0468ffc8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  16  Id: 3e18.35e0 Suspend: 1 Teb: 7ef76000 Unfrozen
ChildEBP RetAddr  Args to Child             
07a1d8c8 59247c31 046f8e70 046f8e8c 006bf680 user32!NtUserWaitMessage+0x15 (FPO: [0,0,0])
07a1f9ec 59261976 046f8e70 046fc0d0 750b340a ieframe!CTabWindow::_TabWindowThreadProc+0x7d1 (FPO: [1,2115,4])
07a1faa8 750b3418 006bf680 046dff10 07a1fad0 ieframe!LCIETab_ThreadProc+0x317 (FPO: [Non-Fpo])
07a1fab8 5924febb 046fc0d0 00000000 00000000 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
07a1fad0 74e7338a 046dff10 07a1fb1c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
07a1fadc 7709bf32 046dff10 6545a3d9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
07a1fb1c 7709bf05 5924fe98 046dff10 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
07a1fb34 00000000 5924fe98 046dff10 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  17  Id: 3e18.31b4 Suspend: 1 Teb: 7ef73000 Unfrozen
ChildEBP RetAddr  Args to Child             
07b3f654 767414ab 00000758 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
07b3f6c0 74e71194 00000758 ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
07b3f6d8 74e71148 00000758 ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
07b3f6ec 65dea262 00000758 ffffffff 65f84f60 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
07b3f72c 65de7b65 c9f34248 05bdd8d4 05bdd878 swi_filter!HTTPFilterIsEos+0x57872
07b3f76c 65de80d7 05bd28d8 07b3f7bc 05c067b8 swi_filter!HTTPFilterIsEos+0x55175
07b3f7cc 65de99f4 c9f34d24 05bdd8d4 05bdd878 swi_filter!HTTPFilterIsEos+0x556e7
07b3f800 65de8c46 c9f34d1c 65e42d14 0470e9c8 swi_filter!HTTPFilterIsEos+0x57004
07b3f838 65e34adb 65e42d14 0470e9c8 05c36d10 swi_filter!HTTPFilterIsEos+0x56256
07b3f864 65e42cee 05bdd87c c9f34db8 65e42d14 swi_filter!HTTPFilterIsEos+0xa20eb
07b3f89c 65e42d96 0470e9c8 07b3f8c0 5924febb swi_filter!HTTPFilterIsEos+0xb02fe
07b3f8a8 5924febb 05c36d10 00000000 00000000 swi_filter!HTTPFilterIsEos+0xb03a6
07b3f8c0 74e7338a 0470e9c8 07b3f90c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
07b3f8cc 7709bf32 0470e9c8 6557a1c9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
07b3f90c 7709bf05 5924fe98 0470e9c8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
07b3f924 00000000 5924fe98 0470e9c8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  18  Id: 3e18.3d88 Suspend: 1 Teb: 7ef93000 Unfrozen
ChildEBP RetAddr  Args to Child             
0568f914 71a16f1f 000006d4 00000001 0568f93c ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0568f954 71a16d40 000006d4 00000780 00000001 mswsock!SockWaitForSingleObject+0x1ba (FPO: [Non-Fpo])
0568fa40 755e6a28 00000001 0568fd68 0568fc64 mswsock!WSPSelect+0x3a6 (FPO: [Non-Fpo])
0568fac0 5c3cfaea 00000001 0568fd68 0568fc64 ws2_32!select+0x494 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0568fb0c 765e36f3 00000001 0568fd68 0568fc64 rsintcor32!RslLoadedTerm+0x7c6e
0568fe70 765eccbb 0568fe90 5924febb 0469deb0 wininet!ICAsyncThread::SelectThread+0x381 (FPO: [Non-Fpo])
0568fe78 5924febb 0469deb0 00000000 00000000 wininet!ICAsyncThread::SelectThreadWrapper+0xd (FPO: [Non-Fpo])
0568fe90 74e7338a 0470ea18 0568fedc 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0568fe9c 7709bf32 0470ea18 678ca619 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0568fedc 7709bf05 5924fe98 0470ea18 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0568fef4 00000000 5924fe98 0470ea18 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  19  Id: 3e18.4dec Suspend: 1 Teb: 7ef7c000 Unfrozen
ChildEBP RetAddr  Args to Child             
07e8fd18 767414ab 00000888 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
07e8fd84 74e71194 00000888 ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
07e8fd9c 74e71148 00000888 ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
07e8fdb0 6c396bf0 00000888 ffffffff 74e713d0 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
07e8fdc0 6c396e4a 00000100 07e8fe40 00000001 winsta!CWaitEventCollect::WaitEvent+0x13 (FPO: [0,0,4])
07e8fdf4 74053072 00000000 00000008 07e8fe14 winsta!WinStationWaitSystemEvent+0x243 (FPO: [Non-Fpo])
07e8fe18 65c72111 00000000 00000008 07e8fe40 wtsapi32!WTSWaitSystemEvent+0x8d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
07e8fe38 5924febb 65cb7380 00000000 00000000 AppSenseURLFilter+0x2111
07e8fe50 74e7338a 0470eac8 07e8fe9c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
07e8fe5c 7709bf32 0470eac8 650ca659 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
07e8fe9c 7709bf05 5924fe98 0470eac8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
07e8feb4 00000000 5924fe98 0470eac8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  20  Id: 3e18.4bc4 Suspend: 1 Teb: 7ef6f000 Unfrozen
ChildEBP RetAddr  Args to Child             
080afa9c 74a8790d 080afb18 00000000 00000000 user32!NtUserGetMessage+0x15 (FPO: [4,0,0])
080afab8 5c3c1722 080afb18 00000000 00000000 user32!GetMessageW+0x33 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
080afaf0 65c80701 080afb18 00000000 00000000 rsintcor32+0x1722
080afb78 5924febb 65cb7380 00000000 00000000 AppSenseURLFilter!DllUnregisterServer+0x1c61
080afb90 74e7338a 0470ead8 080afbdc 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
080afb9c 7709bf32 0470ead8 6aeea319 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
080afbdc 7709bf05 5924fe98 0470ead8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
080afbf4 00000000 5924fe98 0470ead8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  21  Id: 3e18.2994 Suspend: 1 Teb: 7ef6c000 Unfrozen
ChildEBP RetAddr  Args to Child             
081ff788 767415f7 00000002 081ff7d8 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
081ff824 74e719f8 081ff7d8 081ff84c 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
081ff86c 74e74200 00000002 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
081ff888 65c8d7ba 00000002 081ff8b0 00000000 kernel32!WaitForMultipleObjects+0x18 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
081ff8d4 65c808c1 081ff914 65c91401 65cb73cc AppSenseURLFilter!DllUnregisterServer+0xed1a
081ff8dc 65c91401 65cb73cc f9ff7d20 65c91427 AppSenseURLFilter!DllUnregisterServer+0x1e21
081ff914 65c9148b 0470eac8 081ff938 5924febb AppSenseURLFilter!DllUnregisterServer+0x12961
081ff920 5924febb 06fe1260 00000000 00000000 AppSenseURLFilter!DllUnregisterServer+0x129eb
081ff938 74e7338a 0470eac8 081ff984 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
081ff944 7709bf32 0470eac8 6afba141 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
081ff984 7709bf05 5924fe98 0470eac8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
081ff99c 00000000 5924fe98 0470eac8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  22  Id: 3e18.3ddc Suspend: 1 Teb: 7ef66000 Unfrozen
ChildEBP RetAddr  Args to Child             
08d7fbc8 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
08d7fc2c 7709b398 00000000 00000000 00000003 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
08d7fc54 770b650d 771620c0 6a33a429 005046f0 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
08d7fcec 770b6786 00000002 00000000 08d7fe58 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
08d7fcfc 770c0289 00000000 6a33a69d 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
08d7fe58 74e7338a 005046f0 08d7fea4 7709bf32 ntdll!TppWorkerThread+0x856 (FPO: [Non-Fpo])
08d7fe64 7709bf32 005046f0 6a33a661 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
08d7fea4 7709bf05 770b25c1 005046f0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
08d7febc 00000000 770b25c1 005046f0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  23  Id: 3e18.5b68 Suspend: 1 Teb: 7ef63000 Unfrozen
ChildEBP RetAddr  Args to Child             
08e7fa88 767414ab 0000094c 00000000 08e7fad0 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
08e7faf4 74e71194 0000094c 000927c0 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
08e7fb0c 74e71148 0000094c 000927c0 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
08e7fb20 63ec0770 0000094c 000927c0 63d3c527 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
08e7fb80 63eca2da 63ac0000 08e7fb98 63d3c535 mshtml!CDwnTaskExec::ThreadExec+0x401 (FPO: [0,17,4])
08e7fb8c 63d3c535 07b89160 08e7fbb0 5924febb mshtml!CExecFT::ThreadProc+0x4b (FPO: [Non-Fpo])
08e7fb98 5924febb 0056a428 00000000 00000000 mshtml!CExecFT::StaticThreadProc+0xe (FPO: [Non-Fpo])
08e7fbb0 74e7338a 07b89160 08e7fbfc 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
08e7fbbc 7709bf32 07b89160 6a03a339 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
08e7fbfc 7709bf05 5924fe98 07b89160 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
08e7fc14 00000000 5924fe98 07b89160 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  24  Id: 3e18.4bac Suspend: 1 Teb: 7ef5f000 Unfrozen
ChildEBP RetAddr  Args to Child             
0913f700 770b1ad0 000009c4 0913f7b4 6bf7a0a5 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
0913f860 74e7338a 07bc76d8 0913f8ac 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
0913f86c 7709bf32 07bc76d8 6bf7a069 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0913f8ac 7709bf05 770b25c1 07bc76d8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0913f8c4 00000000 770b25c1 07bc76d8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  25  Id: 3e18.38c4 Suspend: 1 Teb: 7ef5c000 Unfrozen
ChildEBP RetAddr  Args to Child             
0ab4fc48 767414ab 00000a14 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0ab4fcb4 74e71194 00000a14 ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
0ab4fccc 74e71148 00000a14 ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
0ab4fce0 63edf509 00000a14 ffffffff 63d3c527 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
0ab4fd10 63eca2da 63ac0000 0ab4fd28 63d3c535 mshtml!CTimerMan::ThreadExec+0x119 (FPO: [0,5,4])
0ab4fd1c 63d3c535 07bd85c0 0ab4fd40 5924febb mshtml!CExecFT::ThreadProc+0x4b (FPO: [Non-Fpo])
0ab4fd28 5924febb 07b79100 00000000 00000000 mshtml!CExecFT::StaticThreadProc+0xe (FPO: [Non-Fpo])
0ab4fd40 74e7338a 07bd85c0 0ab4fd8c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0ab4fd4c 7709bf32 07bd85c0 6850a549 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0ab4fd8c 7709bf05 5924fe98 07bd85c0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0ab4fda4 00000000 5924fe98 07bd85c0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  26  Id: 3e18.3824 Suspend: 1 Teb: 7ef56000 Unfrozen
ChildEBP RetAddr  Args to Child             
0aebf864 767415f7 00000002 0aebf8b4 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
0aebf900 74e719f8 0aebf8b4 0aebf928 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
0aebf948 74e74200 00000002 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
0aebf964 5adc1400 00000002 0aebf988 00000000 kernel32!WaitForMultipleObjects+0x18 (FPO: [Non-Fpo])
0aebf990 5ae917af 00000002 f8fd95a9 749d12e5 jscript9!Recycler::ThreadProc+0x9e (FPO: [Non-Fpo])
0aebf9cc 749d1287 0100abf8 c55a3bb5 749d12e5 jscript9!Recycler::StaticThreadProc+0x4c (FPO: [Non-Fpo])
0aebfa04 749d1328 0aebfa24 5924febb 00ff1040 msvcrt!_endthreadex+0x44 (FPO: [Non-Fpo])
0aebfa0c 5924febb 00ff1040 00000000 00000000 msvcrt!_endthreadex+0xce (FPO: [Non-Fpo])
0aebfa24 74e7338a 07bd8730 0aebfa70 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0aebfa30 7709bf32 07bd8730 680fa2b5 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0aebfa70 7709bf05 5924fe98 07bd8730 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0aebfa88 00000000 5924fe98 07bd8730 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  27  Id: 3e18.41c8 Suspend: 1 Teb: 7ef53000 Unfrozen
ChildEBP RetAddr  Args to Child             
0ad8f918 767414ab 00000b10 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0ad8f984 74e71194 00000b10 ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
0ad8f99c 74e71148 00000b10 ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
0ad8f9b0 5adc1947 00000b10 ffffffff 0100d2b8 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
0ad8f9d0 5adc19b7 f8ce9665 749d12e5 07bd8730 jscript9!BackgroundCodeGenThread::GetNextCodeGenWorkItem+0x1a2 (FPO: [0,2,0])
0ad8fa00 5ae9183c f8ce965d 749d12e5 07bd8730 jscript9!BackgroundCodeGenThread::MainProc+0xa0 (FPO: [Non-Fpo])
0ad8fa38 749d1287 0100d2b8 c5693bc1 749d12e5 jscript9!BackgroundCodeGenThread::StaticThreadProc+0x4b (FPO: [Non-Fpo])
0ad8fa70 749d1328 0ad8fa90 5924febb 00ff1040 msvcrt!_endthreadex+0x44 (FPO: [Non-Fpo])
0ad8fa78 5924febb 00ff1040 00000000 00000000 msvcrt!_endthreadex+0xce (FPO: [Non-Fpo])
0ad8fa90 74e7338a 07bd8730 0ad8fadc 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0ad8fa9c 7709bf32 07bd8730 683ca219 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0ad8fadc 7709bf05 5924fe98 07bd8730 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0ad8faf4 00000000 5924fe98 07bd8730 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  28  Id: 3e18.dac Suspend: 1 Teb: 7ef49000 Unfrozen
ChildEBP RetAddr  Args to Child             
0b4ff7f8 770b1ad0 000002dc 0b4ff8ac 69aba19d ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
0b4ff958 74e7338a 00526478 0b4ff9a4 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
0b4ff964 7709bf32 00526478 69aba161 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0b4ff9a4 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0b4ff9bc 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  29  Id: 3e18.1a9c Suspend: 1 Teb: 7ef3f000 Unfrozen
ChildEBP RetAddr  Args to Child             
0c42f8d8 767414ab 00000c34 00000000 0c42f920 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0c42f944 74e71194 00000c34 000927c0 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
0c42f95c 74e71148 00000c34 000927c0 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
0c42f970 63ec0770 00000c34 000927c0 63d3c527 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
0c42f9d0 63eca2da 63ac0000 0c42f9e8 63d3c535 mshtml!CDwnTaskExec::ThreadExec+0x401 (FPO: [0,17,4])
0c42f9dc 63d3c535 07c6e6c0 0c42fa00 5924febb mshtml!CExecFT::ThreadProc+0x4b (FPO: [Non-Fpo])
0c42f9e8 5924febb 07b66d00 00000000 00000000 mshtml!CExecFT::StaticThreadProc+0xe (FPO: [Non-Fpo])
0c42fa00 74e7338a 07c6e6c0 0c42fa4c 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0c42fa0c 7709bf32 07c6e6c0 6ea6a289 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0c42fa4c 7709bf05 5924fe98 07c6e6c0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0c42fa64 00000000 5924fe98 07c6e6c0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  30  Id: 3e18.22cc Suspend: 1 Teb: 7ef39000 Unfrozen
ChildEBP RetAddr  Args to Child             
0cacf9b8 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0cacfa1c 7709b398 00000000 00000000 0000fffd ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0cacfa44 770b650d 771620c0 6e48a219 00526478 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0cacfadc 770b6786 00000002 00000000 0cacfc48 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
0cacfaec 770c0289 00000000 6e48a48d 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0cacfc48 74e7338a 00526478 0cacfc94 7709bf32 ntdll!TppWorkerThread+0x856 (FPO: [Non-Fpo])
0cacfc54 7709bf32 00526478 6e48a451 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0cacfc94 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0cacfcac 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  31  Id: 3e18.3084 Suspend: 1 Teb: 7ef36000 Unfrozen
ChildEBP RetAddr  Args to Child             
0ccbfccc 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0ccbfd30 7709b398 00000000 00000000 0000fffc ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0ccbfd58 770b650d 771620c0 6e2fa535 00526478 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0ccbfdf0 770b6786 00000002 00000000 0ccbff5c ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
0ccbfe00 770c0289 00000000 6e2fa799 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0ccbff5c 74e7338a 00526478 0ccbffa8 7709bf32 ntdll!TppWorkerThread+0x856 (FPO: [Non-Fpo])
0ccbff68 7709bf32 00526478 6e2fa76d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0ccbffa8 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0ccbffc0 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  32  Id: 3e18.4118 Suspend: 1 Teb: 7ef1c000 Unfrozen
ChildEBP RetAddr  Args to Child             
0df7f680 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0df7f6e4 7709b398 00000000 00000000 0000fffe ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0df7f70c 770b650d 771620c0 6f13af61 00526478 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0df7f7a4 770b6786 00000002 00000000 0df7f910 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
0df7f7b4 770c0289 00000000 6f13a1d5 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0df7f910 74e7338a 00526478 0df7f95c 7709bf32 ntdll!TppWorkerThread+0x856 (FPO: [Non-Fpo])
0df7f91c 7709bf32 00526478 6f13a199 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0df7f95c 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0df7f974 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  33  Id: 3e18.458c Suspend: 1 Teb: 7ef19000 Unfrozen
ChildEBP RetAddr  Args to Child             
0de3f6e0 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0de3f744 7709b398 00000000 00000000 0000fffb ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0de3f76c 770b650d 771620c0 6f07a0c1 00526478 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0de3f804 770b6786 00000002 00000000 0de3f970 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
0de3f814 770c0289 00000000 6f07a1b5 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0de3f970 74e7338a 00526478 0de3f9bc 7709bf32 ntdll!TppWorkerThread+0x856 (FPO: [Non-Fpo])
0de3f97c 7709bf32 00526478 6f07a179 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0de3f9bc 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0de3f9d4 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  34  Id: 3e18.4b90 Suspend: 1 Teb: 7ef4f000 Unfrozen
ChildEBP RetAddr  Args to Child             
0d17fa8c 770b1ad0 00000d64 0d17fb40 6ff3a329 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
0d17fbec 74e7338a 107ff210 0d17fc38 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
0d17fbf8 7709bf32 107ff210 6ff3a4fd 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0d17fc38 7709bf05 770b25c1 107ff210 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0d17fc50 00000000 770b25c1 107ff210 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  35  Id: 3e18.3c18 Suspend: 1 Teb: 7ef46000 Unfrozen
ChildEBP RetAddr  Args to Child             
0d46fb98 7673770d 00000dc4 0d46fc60 0d46fbdc ntdll!NtRemoveIoCompletion+0x15 (FPO: [5,0,0])
0d46fbc4 5c3c187b 00000dc4 0d46fc4c 0d46fc60 KERNELBASE!GetQueuedCompletionStatus+0x29 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0d46fc10 73ff01dc 00000dc4 0d46fc4c 0d46fc60 rsintcor32+0x187b
0d46fc74 7401c20c c2fc9c49 7401c1d0 0470eba8 scardhook!gvch::IoCompletionPort::WorkerThread::Execute+0x5c (FPO: [Non-Fpo])
0d46fca4 5924febb 02c48e48 00000000 00000000 scardhook!ctxb::Thread::ThreadProc+0x3c (FPO: [Non-Fpo])
0d46fcbc 74e7338a 0470eba8 0d46fd08 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0d46fcc8 7709bf32 0470eba8 6fa2a5cd 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0d46fd08 7709bf05 5924fe98 0470eba8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0d46fd20 00000000 5924fe98 0470eba8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  36  Id: 3e18.5da8 Suspend: 1 Teb: 7ef69000 Unfrozen
ChildEBP RetAddr  Args to Child             
0d9eb37c 767414ab 00000cc8 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0d9eb3e8 74e71194 00000cc8 ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
0d9eb400 74e71148 00000cc8 ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
0d9eb414 5a7a31e2 00000cc8 ffffffff 0ee88e80 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
0d9eb434 5a7a3359 0d9ee6a8 00000000 52fb0000 MMDevAPI!CDeviceEnumerator::DestroyHWndNotificationThread+0xf6 (FPO: [Non-Fpo])
0d9eb444 5a7a24c0 00000003 00050418 00000000 MMDevAPI!CDeviceEnumerator::ReleaseHWndNotification+0x29 (FPO: [0,0,4])
0d9eb458 5305bc4f 0ee88e00 011ce808 5c0eaf18 MMDevAPI!CDeviceEnumerator::UnregisterEndpointNotificationCallback+0x7e (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0d9ebcbc 5305b3fb 5c0ed6b4 011ce528 73736553 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xa9adf
0d9ec510 5305ec4f 011ce528 0d9ecd88 53022718 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xa928b
0d9ec51c 53022718 00000001 5c0ede2c cccccccc PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xacadf
0d9ecd88 53022297 5c0ec64c 011bd900 011e0e20 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x705a8
0d9ed5e8 53066055 5c0ecdf0 011cef20 011e0ff0 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x70127
0d9ede54 52fb25b1 5c0ef510 0d9ef7ac 00000003 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xb3ee5
0d9ee6b4 52fbaf16 011e0e20 0d9eef58 530653c1 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x441
0d9ee6c0 530653c1 00000001 5c0efcfc 0d9ee6fc PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x8da6
0d9eef58 52fb10f7 5c0ee41c 00000000 00000003 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0xb3251
0d9ef7b8 52fdb209 52fb0000 00000003 00000000 PseudoServerInproc2+0x10f7
0d9ef7fc 52fdb2c2 52fb0000 665d1fed 52fb0000 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x29099
0d9ef82c 665d1f5d 52fb0000 00000003 00000000 PseudoServerInproc2!PseudoServer_IsURLInDynamicBlacklist+0x29152
0d9ef860 7709b990 52fb0000 00000003 00000000 IEShims!CShimBindings::s_DllMainHook+0x4a (FPO: [Non-Fpo])
0d9ef880 770b659f 665d1f14 52fb0000 00000003 ntdll!LdrpCallInitRoutine+0x14
0d9ef924 770b6786 00000000 00000000 0d9ef94c ntdll!LdrShutdownThread+0xe6 (FPO: [Non-Fpo])
0d9ef934 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0d9ef94c 74e7338a 07c1f260 0d9ef998 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
0d9ef958 7709bf32 07c1f260 6f7aa15d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0d9ef998 7709bf05 5924fe98 07c1f260 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0d9ef9b0 00000000 5924fe98 07c1f260 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  37  Id: 3e18.4b84 Suspend: 1 Teb: 7ef4c000 Unfrozen
ChildEBP RetAddr  Args to Child             
0d2af6c0 770b1ad0 00000ce0 0d2af774 6fcea0e5 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
0d2af820 74e7338a 1083f7a8 0d2af86c 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
0d2af82c 7709bf32 1083f7a8 6fcea0a9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0d2af86c 7709bf05 770b25c1 1083f7a8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0d2af884 00000000 770b25c1 1083f7a8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  38  Id: 3e18.5a40 Suspend: 1 Teb: 7ef29000 Unfrozen
ChildEBP RetAddr  Args to Child             
100ef95c 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
100ef9c0 7709b398 00000000 00000000 6e700000 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
100ef9e8 770a3ab8 771620c0 72eaa2ed 100efb18 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
100efa28 5c3c1550 6e700000 dea258d4 100efb18 ntdll!LdrUnloadDll+0x2a (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
100efa54 76742d2c 6e700000 00000000 100efabc rsintcor32+0x1550
100efa64 7367f5c6 6e700000 100efb18 109b0f78 KERNELBASE!FreeLibrary+0x15 (FPO: [Non-Fpo])
100efabc 73695252 6e700000 100efb04 7369a081 sophos_detoured+0xf5c6
100efac8 7369a081 6e700000 00005a40 754f825e sophos_detoured+0x25252
100efb04 754f8aae 6e700000 6b637453 754f8210 sophos_detoured!Detoured+0x1401
100efb3c 754f82ed 00000000 00000000 754f82a5 crypt32!FreeDllWaitForCallback+0x161 (FPO: [Non-Fpo])
100efb58 5924febb 00000001 00000000 00000000 crypt32!ILS_WaitForThreadProc+0x44 (FPO: [Non-Fpo])
100efb70 74e7338a 07bf6ee8 100efbbc 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
100efb7c 7709bf32 07bf6ee8 72eaa379 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
100efbbc 7709bf05 5924fe98 07bf6ee8 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
100efbd4 00000000 5924fe98 07bf6ee8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  39  Id: 3e18.2bbc Suspend: 1 Teb: 7ef1f000 Unfrozen
ChildEBP RetAddr  Args to Child             
116ff7cc 767415f7 00000002 116ff81c 00000001 ntdll!ZwWaitForMultipleObjects+0x15 (FPO: [5,0,0])
116ff868 74e719f8 116ff81c 116ff890 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100 (FPO: [Non-Fpo])
116ff8b0 74e74200 00000002 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0 (FPO: [Non-Fpo])
116ff8cc 5adc1400 00000002 116ff8f0 00000000 kernel32!WaitForMultipleObjects+0x18 (FPO: [Non-Fpo])
116ff8f8 5ae917af 00000002 e3799551 749d12e5 jscript9!Recycler::ThreadProc+0x9e (FPO: [Non-Fpo])
116ff934 749d1287 0f1c18f8 dede38dd 749d12e5 jscript9!Recycler::StaticThreadProc+0x4c (FPO: [Non-Fpo])
116ff96c 749d1328 116ff98c 5924febb 010588b0 msvcrt!_endthreadex+0x44 (FPO: [Non-Fpo])
116ff974 5924febb 010588b0 00000000 00000000 msvcrt!_endthreadex+0xce (FPO: [Non-Fpo])
116ff98c 74e7338a 046cb820 116ff9d8 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
116ff998 7709bf32 046cb820 738ba11d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
116ff9d8 7709bf05 5924fe98 046cb820 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
116ff9f0 00000000 5924fe98 046cb820 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  40  Id: 3e18.2a14 Suspend: 1 Teb: 7ef13000 Unfrozen
ChildEBP RetAddr  Args to Child             
1183fcd8 767414ab 00001120 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
1183fd44 74e71194 00001120 ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])
1183fd5c 74e71148 00001120 ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])
1183fd70 5adc1947 00001120 ffffffff 01090160 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
1183fd94 5adc19b7 e39591a1 749d12e5 07c9b738 jscript9!BackgroundCodeGenThread::GetNextCodeGenWorkItem+0x1a2 (FPO: [0,2,0])
1183fdc4 5ae9183c e3959199 749d12e5 07c9b738 jscript9!BackgroundCodeGenThread::MainProc+0xa0 (FPO: [Non-Fpo])
1183fdfc 749d1287 01090160 de323f85 749d12e5 jscript9!BackgroundCodeGenThread::StaticThreadProc+0x4b (FPO: [Non-Fpo])
1183fe34 749d1328 1183fe54 5924febb 010588b0 msvcrt!_endthreadex+0x44 (FPO: [Non-Fpo])
1183fe3c 5924febb 010588b0 00000000 00000000 msvcrt!_endthreadex+0xce (FPO: [Non-Fpo])
1183fe54 74e7338a 07c9b738 1183fea0 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
1183fe60 7709bf32 07c9b738 7367a665 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
1183fea0 7709bf05 5924fe98 07c9b738 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
1183feb8 00000000 5924fe98 07c9b738 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  41  Id: 3e18.16ac Suspend: 1 Teb: 7ef03000 Unfrozen
ChildEBP RetAddr  Args to Child             
11e1f7c4 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
11e1f828 7709b398 00000000 00000000 00000000 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
11e1f850 770902a9 771620c0 7305a029 00000074 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
11e1f8ec 770901e2 755e0000 00000000 00000074 ntdll!LdrGetProcedureAddressEx+0x159 (FPO: [Non-Fpo])
11e1f908 76741e59 755e0000 00000000 00000074 ntdll!LdrGetProcedureAddress+0x18 (FPO: [Non-Fpo])
11e1f930 73161e95 755e0000 00000074 109a0798 KERNELBASE!GetProcAddress+0x44 (FPO: [Non-Fpo])
11e1f978 73161eda 755e0000 73193040 0c8be458 webio!__delayLoadHelper2+0xe9 (FPO: [Non-Fpo])
11e1f9e0 731799ad 10000001 ff000002 00000000 webio!_tailMerge_WS2_32_dll+0xd
11e1fa20 731b1894 10000001 ff000002 00000000 webio!WebTerminate+0x22
11e1fa40 731b183f 11e1faac 11e1fa70 770b326f winhttp!WINHTTP_DLL::_Terminate+0x64 (FPO: [Non-Fpo])
11e1fa4c 770b326f 11e1faac 04746908 108007b8 winhttp!WINHTTP_DLL::_SafeTerminateDll+0x10 (FPO: [Non-Fpo])
11e1fa70 770b2b65 11e1faac 10800818 7305a315 ntdll!TppTimerpExecuteCallback+0x10f (FPO: [Non-Fpo])
11e1fbd0 74e7338a 00526478 11e1fc1c 7709bf32 ntdll!TppWorkerThread+0x572 (FPO: [Non-Fpo])
11e1fbdc 7709bf32 00526478 7305a4d9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
11e1fc1c 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
11e1fc34 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  42  Id: 3e18.5ddc Suspend: 1 Teb: 7ef33000 Unfrozen
ChildEBP RetAddr  Args to Child             
11a0fd7c 770b1ad0 000002d8 11a0fe30 7344a619 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
11a0fedc 74e7338a 00526478 11a0ff28 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
11a0fee8 7709bf32 00526478 7344a7ed 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
11a0ff28 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
11a0ff40 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  43  Id: 3e18.31b0 Suspend: 1 Teb: 7ef09000 Unfrozen
ChildEBP RetAddr  Args to Child             
12a4fd94 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
12a4fdf8 7709b398 00000000 00000000 0b6f1448 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
12a4fe20 770b650d 771620c0 7040a67d 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
12a4feb8 770b6786 00000000 00000000 12a4fee0 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
12a4fec8 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
12a4fee0 74e7338a 0ee18b80 12a4ff2c 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
12a4feec 7709bf32 0ee18b80 7040a7e9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
12a4ff2c 7709bf05 5924fe98 0ee18b80 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
12a4ff44 00000000 5924fe98 0ee18b80 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  44  Id: 3e18.23c4 Suspend: 1 Teb: 7eef6000 Unfrozen
ChildEBP RetAddr  Args to Child             
12bafce0 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
12bafd44 7709b398 00000000 00000000 0000fff9 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
12bafd6c 770b650d 771620c0 705ea6c1 00526478 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
12bafe04 770b6786 00000002 00000000 12baff70 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
12bafe14 770c0289 00000000 705ea7b5 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
12baff70 74e7338a 00526478 12baffbc 7709bf32 ntdll!TppWorkerThread+0x856 (FPO: [Non-Fpo])
12baff7c 7709bf32 00526478 705ea779 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
12baffbc 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
12baffd4 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  45  Id: 3e18.5f54 Suspend: 1 Teb: 7eef3000 Unfrozen
ChildEBP RetAddr  Args to Child             
12d8f920 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
12d8f984 7709b398 00000000 00000000 06cc2020 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
12d8f9ac 770b650d 771620c0 703ca281 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
12d8fa44 770b6786 00000000 00000000 12d8fa6c ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
12d8fa54 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
12d8fa6c 74e7338a 04746d68 12d8fab8 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
12d8fa78 7709bf32 04746d68 703ca27d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
12d8fab8 7709bf05 5924fe98 04746d68 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
12d8fad0 00000000 5924fe98 04746d68 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  46  Id: 3e18.1880 Suspend: 1 Teb: 7eeef000 Unfrozen
ChildEBP RetAddr  Args to Child             
0e71faf0 770b1ad0 000002d8 0e71fba4 6c95a495 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
0e71fc50 74e7338a 00526478 0e71fc9c 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
0e71fc5c 7709bf32 00526478 6c95a459 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0e71fc9c 7709bf05 770b25c1 00526478 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0e71fcb4 00000000 770b25c1 00526478 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  47  Id: 3e18.58f0 Suspend: 1 Teb: 7eeec000 Unfrozen
ChildEBP RetAddr  Args to Child             
12fcf694 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
12fcf6f8 7709b398 00000000 00000000 06cc1708 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
12fcf720 770b650d 771620c0 7018af7d 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
12fcf7b8 770b6786 00000000 00000000 12fcf7e0 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
12fcf7c8 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
12fcf7e0 74e7338a 0ee8cf90 12fcf82c 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
12fcf7ec 7709bf32 0ee8cf90 7018a0e9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
12fcf82c 7709bf05 5924fe98 0ee8cf90 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
12fcf844 00000000 5924fe98 0ee8cf90 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  48  Id: 3e18.4f18 Suspend: 1 Teb: 7eee9000 Unfrozen
ChildEBP RetAddr  Args to Child             
131ff674 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
131ff6d8 7709b398 00000000 00000000 0b6eeb78 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
131ff700 770b650d 771620c0 71fbaf5d 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
131ff798 770b6786 00000000 00000000 131ff7c0 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
131ff7a8 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
131ff7c0 74e7338a 04746d68 131ff80c 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
131ff7cc 7709bf32 04746d68 71fba0c9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
131ff80c 7709bf05 5924fe98 04746d68 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
131ff824 00000000 5924fe98 04746d68 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  49  Id: 3e18.321c Suspend: 1 Teb: 7eee6000 Unfrozen
ChildEBP RetAddr  Args to Child             
1333fe20 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
1333fe84 7709b398 00000000 00000000 0b712b30 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
1333feac 770b650d 771620c0 71d7a781 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
1333ff44 770b6786 00000000 00000000 1333ff6c ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
1333ff54 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
1333ff6c 74e7338a 0ee18b80 1333ffb8 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
1333ff78 7709bf32 0ee18b80 71d7a77d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
1333ffb8 7709bf05 5924fe98 0ee18b80 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
1333ffd0 00000000 5924fe98 0ee18b80 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  50  Id: 3e18.a64 Suspend: 1 Teb: 7eee3000 Unfrozen
ChildEBP RetAddr  Args to Child             
12e9f874 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
12e9f8d8 7709b398 00000000 00000000 06cc2328 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
12e9f900 770b650d 771620c0 700da15d 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
12e9f998 770b6786 00000000 00000000 12e9f9c0 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
12e9f9a8 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
12e9f9c0 74e7338a 07bfd338 12e9fa0c 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
12e9f9cc 7709bf32 07bfd338 700da2c9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
12e9fa0c 7709bf05 5924fe98 07bfd338 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
12e9fa24 00000000 5924fe98 07bfd338 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  51  Id: 3e18.4828 Suspend: 1 Teb: 7ef86000 Unfrozen
ChildEBP RetAddr  Args to Child             
1345f784 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
1345f7e8 7709b398 00000000 00000000 06cd05e8 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
1345f810 770b650d 771620c0 71a1a06d 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
1345f8a8 770b6786 00000000 00000000 1345f8d0 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
1345f8b8 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
1345f8d0 74e7338a 0ee8cf90 1345f91c 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
1345f8dc 7709bf32 0ee8cf90 71a1a1d9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
1345f91c 7709bf05 5924fe98 0ee8cf90 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
1345f934 00000000 5924fe98 0ee8cf90 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  52  Id: 3e18.2f00 Suspend: 1 Teb: 7ef59000 Unfrozen
ChildEBP RetAddr  Args to Child             
136dfbe4 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
136dfc48 7709b398 00000000 00000000 0b6ee568 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
136dfc70 770b650d 771620c0 7189a5cd 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
136dfd08 770b6786 00000000 00000000 136dfd30 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
136dfd18 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
136dfd30 74e7338a 10a211c0 136dfd7c 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
136dfd3c 7709bf32 10a211c0 7189a5b9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
136dfd7c 7709bf05 5924fe98 10a211c0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
136dfd94 00000000 5924fe98 10a211c0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  53  Id: 3e18.2e24 Suspend: 1 Teb: 7eedf000 Unfrozen
ChildEBP RetAddr  Args to Child             
0f97fc94 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0f97fcf8 7709b398 00000000 00000000 0b6ee260 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0f97fd20 770b650d 771620c0 6d73a57d 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0f97fdb8 770b6786 00000000 00000000 0f97fde0 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
0f97fdc8 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0f97fde0 74e7338a 10a211c0 0f97fe2c 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
0f97fdec 7709bf32 10a211c0 6d73a6e9 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0f97fe2c 7709bf05 5924fe98 10a211c0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0f97fe44 00000000 5924fe98 10a211c0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  54  Id: 3e18.5b9c Suspend: 1 Teb: 7eedc000 Unfrozen
ChildEBP RetAddr  Args to Child             
139ff750 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
139ff7b4 7709b398 00000000 00000000 06ccd9c8 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
139ff7dc 770b650d 771620c0 717ba0b1 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
139ff874 770b6786 00000000 00000000 139ff89c ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
139ff884 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
139ff89c 74e7338a 0465ee48 139ff8e8 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
139ff8a8 7709bf32 0465ee48 717ba02d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
139ff8e8 7709bf05 5924fe98 0465ee48 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
139ff900 00000000 5924fe98 0465ee48 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  55  Id: 3e18.37c4 Suspend: 1 Teb: 7ef26000 Unfrozen
ChildEBP RetAddr  Args to Child             
13ccf9d0 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
13ccfa34 7709b398 00000000 00000000 0b6f0218 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
13ccfa5c 770b650d 771620c0 7128a231 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
13ccfaf4 770b6786 00000000 00000000 13ccfb1c ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
13ccfb04 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
13ccfb1c 74e7338a 07c1f270 13ccfb68 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
13ccfb28 7709bf32 07c1f270 7128a3ad 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
13ccfb68 7709bf05 5924fe98 07c1f270 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
13ccfb80 00000000 5924fe98 07c1f270 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  56  Id: 3e18.3de4 Suspend: 1 Teb: 7ef23000 Unfrozen
ChildEBP RetAddr  Args to Child             
0eb0fe38 74a8790d 0eb0feb0 00000000 00000000 user32!NtUserGetMessage+0x15 (FPO: [4,0,0])
0eb0fe54 5c3c1722 0eb0feb0 00000000 00000000 user32!GetMessageW+0x33 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0eb0fe8c 74b8a44e 0eb0feb0 00000000 00000000 rsintcor32+0x1722
0eb0fecc 74b8853b 00007530 74e71151 10a227f0 ole32!CDllHost::STAWorkerLoop+0x81 (FPO: [Non-Fpo]) (CONV: thiscall) [d:\w7rtm\com\ole32\com\objact\dllhost.cxx @ 957]
0eb0fee8 74b8a4ac 0eb0ff0c 74b9cd48 74cb7b68 ole32!CDllHost::WorkerThread+0xd0 (FPO: [Non-Fpo]) (CONV: thiscall) [d:\w7rtm\com\ole32\com\objact\dllhost.cxx @ 825]
0eb0fef0 74b9cd48 74cb7b68 74b9d864 10a227f0 ole32!DLLHostThreadEntry+0xd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\objact\dllhost.cxx @ 758]
0eb0ff0c 74b9d87a 74b9d864 07c1fa10 0eb0ff34 ole32!CRpcThread::WorkerLoop+0x26 (FPO: [Non-Fpo]) (CONV: thiscall) [d:\w7rtm\com\ole32\com\dcomrem\threads.cxx @ 257]
0eb0ff1c 5924febb 10a227f0 00000000 00000000 ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x16 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\threads.cxx @ 63]
0eb0ff34 74e7338a 07c1fa10 0eb0ff80 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
0eb0ff40 7709bf32 07c1fa10 6c54a745 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0eb0ff80 7709bf05 5924fe98 07c1fa10 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0eb0ff98 00000000 5924fe98 07c1fa10 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  57  Id: 3e18.2b80 Suspend: 1 Teb: 7efaf000 Unfrozen
ChildEBP RetAddr  Args to Child             
0db5f924 770b1ad0 0000019c 0db5f9d8 6f51a241 ntdll!ZwWaitForWorkViaWorkerFactory+0x12 (FPO: [2,0,0])
0db5fa84 74e7338a 005046f0 0db5fad0 7709bf32 ntdll!TppWorkerThread+0x216 (FPO: [Non-Fpo])
0db5fa90 7709bf32 005046f0 6f51a215 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0db5fad0 7709bf05 770b25c1 005046f0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0db5fae8 00000000 770b25c1 005046f0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  58  Id: 3e18.518c Suspend: 1 Teb: 7efa3000 Unfrozen
ChildEBP RetAddr  Args to Child             
1037f850 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
1037f8b4 7709b398 00000000 00000000 06ccdfd8 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
1037f8dc 770b650d 771620c0 72d3a1b1 7197d290 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
1037f974 770b6786 00000000 00000000 1037f99c ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
1037f984 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
1037f99c 74e7338a 10a2d960 1037f9e8 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
1037f9a8 7709bf32 10a2d960 72d3a12d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
1037f9e8 7709bf05 5924fe98 10a2d960 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
1037fa00 00000000 5924fe98 10a2d960 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  59  Id: 3e18.6090 Suspend: 1 Teb: 7ef43000 Unfrozen
ChildEBP RetAddr  Args to Child             
0ffbfb14 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0ffbfb78 7709b398 00000000 00000000 011ce528 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0ffbfba0 770b650d 771620c0 6d1fa4fd 5305b630 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0ffbfc38 770b6786 00000000 00000000 0ffbfc60 ntdll!LdrShutdownThread+0x50 (FPO: [Non-Fpo])
0ffbfc48 5924fec9 00000000 00000000 00000000 ntdll!RtlExitUserThread+0x2a (FPO: [Non-Fpo])
0ffbfc60 74e7338a 13e4f778 0ffbfcac 7709bf32 ieframe!Detour_DefWindowProcA+0x7a (FPO: [Non-Fpo])
0ffbfc6c 7709bf32 13e4f778 6d1fa469 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0ffbfcac 7709bf05 5924fe98 13e4f778 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0ffbfcc4 00000000 5924fe98 13e4f778 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  60  Id: 3e18.42bc Suspend: 1 Teb: 7ef3c000 Unfrozen
ChildEBP RetAddr  Args to Child             
1200f544 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
1200f5a8 7709b398 00000000 00000000 1200f610 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
1200f5d0 770902a9 771620c0 70e4aea9 74aeaae6 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
1200f66c 770901e2 74780000 1200f6a8 00000000 ntdll!LdrGetProcedureAddressEx+0x159 (FPO: [Non-Fpo])
1200f688 76741e59 74780000 1200f6a8 00000000 ntdll!LdrGetProcedureAddress+0x18 (FPO: [Non-Fpo])
1200f6b0 74aad75a 74780000 74aeaae6 00000000 KERNELBASE!GetProcAddress+0x44 (FPO: [Non-Fpo])
1200f6f8 74aad6dc 74780000 74af0004 0002003e user32!__delayLoadHelper2+0xe9 (FPO: [Non-Fpo])
1200f71c 5a7a216d 07c9e240 5a7a27e1 13e4f708 user32!_tailMerge_CFGMGR32_dll+0xd
1200f7b4 5a7a27ee 1200f7d4 5924febb 0ee88e00 MMDevAPI!CDeviceEnumerator::PnpNotificationThread+0x33b (FPO: [Non-Fpo])
1200f7bc 5924febb 0ee88e00 00000000 00000000 MMDevAPI!CDeviceEnumerator::PnpNotificationThreadWrapper+0xd (FPO: [Non-Fpo])
1200f7d4 74e7338a 13e4f708 1200f820 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
1200f7e0 7709bf32 13e4f708 70e4a0e5 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
1200f820 7709bf05 5924fe98 13e4f708 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
1200f838 00000000 5924fe98 13e4f708 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  61  Id: 3e18.6074 Suspend: 1 Teb: 7ef2f000 Unfrozen
ChildEBP RetAddr  Args to Child             
14e0fbac 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
14e0fc10 7709b398 00000000 00000000 58580000 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
14e0fc38 770a3ab8 771620c0 7604a4bd 585a2c40 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
14e0fc78 5c3c1550 58580000 da4c5e24 585a2c40 ntdll!LdrUnloadDll+0x2a (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
14e0fca4 76741833 58580000 07c9e2e0 0e3c3058 rsintcor32+0x1550
14e0fcb8 74e8d562 58580000 00000000 14e0fce4 KERNELBASE!FreeLibraryAndExitThread+0x28 (FPO: [Non-Fpo])
14e0fcc8 585a2d34 58580000 00000000 58580000 kernel32!FreeLibraryAndExitThreadStub+0x10 (FPO: [Non-Fpo])
14e0fce4 5924febb 00000001 00000000 00000000 icaendpoint!RegistryMonitor::ThreadProc+0xf4 (FPO: [Non-Fpo])
14e0fcfc 74e7338a 07c9e2e0 14e0fd48 7709bf32 ieframe!Detour_DefWindowProcA+0x6c (FPO: [Non-Fpo])
14e0fd08 7709bf32 07c9e2e0 7604a58d 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
14e0fd48 7709bf05 5924fe98 07c9e2e0 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
14e0fd60 00000000 5924fe98 07c9e2e0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

  62  Id: 3e18.4038 Suspend: 1 Teb: 7ef2c000 Unfrozen
ChildEBP RetAddr  Args to Child             
0e90f4ac 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0e90f510 7709b398 00000000 00000000 00000000 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0e90f538 7709c0e9 771620c0 6c74ad09 7ef2c000 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0e90f5cc 7709be8c 0e90f63c 6c74aedd 00000000 ntdll!LdrpInitializeThread+0xc6 (FPO: [Non-Fpo])
0e90f618 7709beb9 0e90f63c 77060000 00000000 ntdll!_LdrpInitialize+0x1ad (FPO: [Non-Fpo])
0e90f628 00000000 0e90f63c 77060000 00000000 ntdll!LdrInitializeThunk+0x10 (FPO: [Non-Fpo])

  63  Id: 3e18.4c4 Suspend: 1 Teb: 7ef16000 Unfrozen
ChildEBP RetAddr  Args to Child             
0e20f998 7709b4b4 00000210 00000000 00000000 ntdll!ZwWaitForSingleObject+0x15 (FPO: [3,0,0])
0e20f9fc 7709b398 00000000 00000000 00000000 ntdll!RtlpWaitOnCriticalSection+0x13e (FPO: [Non-Fpo])
0e20fa24 7709c0e9 771620c0 6cc4a27d 7ef16000 ntdll!RtlEnterCriticalSection+0x150 (FPO: [Non-Fpo])
0e20fab8 7709be8c 0e20fb28 6cc4a3c1 00000000 ntdll!LdrpInitializeThread+0xc6 (FPO: [Non-Fpo])
0e20fb04 7709beb9 0e20fb28 77060000 00000000 ntdll!_LdrpInitialize+0x1ad (FPO: [Non-Fpo])
0e20fb14 00000000 0e20fb28 77060000 00000000 ntdll!LdrInitializeThunk+0x10 (FPO: [Non-Fpo])

Citrix support, once contacted, confirmed that the issue was within this component:

0:036> lmvm PseudoServerInproc2
start    end        module name
52fb0000 537af000   PseudoServerInproc2 PseudoServerInproc2.dll
    Loaded symbol image file: PseudoServerInproc2.dll
    Symbol file: PseudoServerInproc2.dll
    Image path: C:\Program Files (x86)\Citrix\system32\PseudoServerInproc2.dll
    Timestamp:        Sat Apr 12 01:51:11 2014 (53480F6F)
    CheckSum:         007FD94B
    ImageSize:        007FF000
    File version:     6.2.9.100
    Product version:  6.2.9.100
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Citrix Systems, Inc.
    ProductName:      Citrix ICA Host
    InternalName:     HDX Flash v2 PseudoServerInproc
    OriginalFilename: PseudoServerInproc2.dll
    ProductVersion:   6.2
    FileVersion:      6.2.9.100
    FileDescription:  HDX MediaStream For Flash v2 Server DLL
    LegalCopyright:   Copyright 1990-2010 Citrix Systems, Inc.

Citrix have a private hotfix for this particular issue; if you experience the same, contact Citrix support to receive the fix.

As a workaround for Flash Redirection issues, you can use a Citrix Policy to stop certain sites from using Flash Redirection; note that this increases the load on the Citrix server.

To check whether a site is using Flash Redirection, take a screenshot within the Citrix session: if you see a black square where the Flash content is playing, the site is being redirected; if you see the content in the screen capture, it isn’t.

In addition, to improve Flash Redirection performance, ensure you are using the latest Citrix Receiver client and a supported browser/Flash combination on both server and client.

Note:

One of the affected web applications was thought not to use Flash. But after taking a Fiddler trace and searching it for .swf, we found a JavaScript file that referenced it; checking this JavaScript file showed that it initiated Flash.

Posted in Citrix, Internet Explorer, WinDbg

Patching a PAC File To Improve Performance

Having taken the trouble to write a PAC file debugger ( http://chentiangemalc.wordpress.com/2013/09/30/pacdbg-custom-proxy-browser-set-proxy-cmd-line-tool/ ), I have to say I’ve seen some pretty horrendous PAC files, where attempts have been made to put the entire network design into this little JavaScript file. In the more extreme cases I consider the PAC file more like a major application to manage, one that requires a specialist development team.

By far the most frequent cause of hangs, lockups and slow web performance I’ve seen due to PAC file processing is DNS lookups, in particular isInNet. Check http://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx for some good tips on high-performance PAC files.

In particular, this issue seems to be worse when websites request a hostname that can’t be resolved successfully. In many cases this failure to resolve a hostname happens in the background and is not visible to the user, but it can be diagnosed with a capture tool such as Wireshark, Network Monitor or Fiddler.

In some cases, however, because the logic of the PAC file has grown so complex, it can take significant effort to make it compact and high-performing once again.

In these cases I’ve found a workaround which frequently improves the performance, having seen this simple change result in certain applications dropping from minutes to seconds.

This logic does the following:

  • Checks if HOST is an IPv4 address with a regular expression – if it’s an IP address, the script continues on as normal (this script as is does not cater for IPv6)
  • If HOST is NOT an IPv4 address we check if we can resolve the HOST. If we can’t, we immediately return DIRECT (no proxy).

function FindProxyForURL(url, host) {
    // Only hostnames need the resolvability check; IPv4 literals skip it.
    // (A regex test is used here: shExpMatch takes a shell-style glob, so it
    // cannot be given a regular expression.)
    if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
        // If the name will not resolve, go DIRECT now rather than letting the
        // rest of the PAC logic repeat the failing lookup
        if (!isResolvable(host)) {
            return "DIRECT";
        }
    }
    // ... the existing PAC rules continue here ...
}
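An added example (not from the original post) that exercises the early-exit offline: the PAC helpers isResolvable, shExpMatch and isInNet are stand-ins for the browser's own implementations backed by a constructed name table, the isInNet rule and proxy address are constructed, and a lookup counter shows how many name resolutions each request costs. It also shows why shExpMatch given a regular-expression string never matches an IPv4 host.

```javascript
// Added example, not from the original post: an offline harness for the PAC
// early-exit. The helpers below stand in for the browser's PAC functions.

// Constructed stand-in for DNS: only these names resolve.
const FAKE_DNS = new Map([
  ["intranet.example", "10.1.2.3"],
  ["www.example.com", "93.184.216.34"],
]);
const IPV4 = /^\d+\.\d+\.\d+\.\d+$/;
let dnsLookups = 0; // how many name resolutions the current evaluation needed

function isResolvable(host) {
  dnsLookups += 1; // in a real browser this is the slow part
  return FAKE_DNS.has(host);
}

// shExpMatch is a shell-style glob (* and ?), not a regular expression, so a
// pattern such as "/^\d+\.\d+\.\d+\.\d+$/g" is matched literally and never hits.
function shExpMatch(str, shexp) {
  const escaped = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// isInNet resolves the host unless it is already an IPv4 literal; each
// isInNet call on a hostname therefore costs another lookup in a real PAC.
function isInNet(host, pattern, mask) {
  let ip = host;
  if (!IPV4.test(host)) {
    dnsLookups += 1;
    ip = FAKE_DNS.get(host);
    if (!ip) return false;
  }
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// The early-exit from the post, followed by constructed sample rules of the
// kind a real PAC file would carry.
function FindProxyForURL(url, host) {
  if (!IPV4.test(host)) {
    if (!isResolvable(host)) {
      return "DIRECT"; // unresolvable: skip every rule that would resolve again
    }
  }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "PROXY proxy.example:8080"; // constructed proxy address
}

// Evaluate one request and report the proxy decision plus the lookup cost.
function evaluate(url, host) {
  dnsLookups = 0;
  const result = FindProxyForURL(url, host);
  return { result, lookups: dnsLookups };
}

// Sample run over constructed hosts (203.0.113.7 is a documentation address).
const SAMPLE_HOSTS = [
  "nosuch.example", "intranet.example", "www.example.com", "10.5.5.5", "203.0.113.7",
];
for (const host of SAMPLE_HOSTS) {
  console.log(host, evaluate("http://" + host + "/", host));
}
```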

If you are using a PAC file, I like to ensure I can always test with a direct connection (no proxy) in cases of slow performance or unexplained web issues.

This can be done without changing your browser proxy settings by using the Custom Proxy Browser tool I put together, also available here: http://chentiangemalc.wordpress.com/2013/09/30/pacdbg-custom-proxy-browser-set-proxy-cmd-line-tool/

Posted in Fiddler, Internet Explorer

Case of the DllHost.exe Crash

A problem case had been going on for some time about DllHost.exe (aka the COM Surrogate host) crashing across many Citrix servers. There were about 1200 crashes a week.

We set up a server to capture dmp files on application crash. However, due to a previous case where 10,000 instances of werfault.exe had been running on a Citrix server, werfault.exe had been disabled from launching by setting, under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Werfault.exe

the REG_SZ value Debugger to NUL.

Because of this, we couldn’t use the Windows built-in user-mode dump collection described here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx

To work around this, we set the Debugger value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug to a small PowerShell script, with %ld (which Windows replaces with the process ID of the crashing process) as the first parameter.

The main point of this script was to add some checks on free disk space, as in this case D:\ also held the SCCM cache and we needed to ensure plenty remained available.

The script first checks that the disk has at least 10GB free; if it doesn’t, no dmp file is written.

Then, after the dmp file is written, it checks whether the folder holds more than 10GB of dmp files; if so, the oldest ones are deleted until under 10GB remains.

Warning: Quick & Dirty Ugly scripting follows.

Param(
    [Parameter(Mandatory=$true,Position=0)]
    [string]$procID
)

[bool]$ok=$false;
# force a single instance at a time
# just to limit load, paranoia/etc
$m = New-Object System.Threading.Mutex($true, "AutoProcDump.Debugger", [ref]$ok);
if (!$ok) {
    "Another instance is already running."
    return 0
}

#Get D: Drive freespace
$driveData = Get-WmiObject -class win32_LogicalDisk -filter "Name = 'D:'" | select "FreeSpace"
$driveDataSize = ([int]($driveData.FreeSpace/1GB))
# Check if D: is Less than 10GB
if ($driveDataSize -le 10) {
    return
}

$Folder = "D:\Tools\Dumps"
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName="D:\Tools\ApplicationCrash\procdump.exe"
$psi.UseShellExecute=$false
$psi.WorkingDirectory=$Folder
$psi.Arguments="-accepteula -ma $($procID)"
Write-Host $psi.FileName $psi.Arguments
$p=[System.Diagnostics.Process]::Start($psi)
$p.WaitForExit(60000)
if (!$p.HasExited) {
    # running too long
    $p.Kill()
}

#put our folder we want to check here
$folder2 = "D:\Tools\Dumps"
#now we need to see how big that folder is
$foldersize = (Get-ChildItem $folder2 | Measure-Object -property length -sum )
#and convert it to GB's - keep it numeric: a "{0:N5}" -f string would make
#the -gt/-lt below compare strings, so "9.50000" -gt "10" would be true
$GBsize = [math]::Round($foldersize.sum / 1GB, 5)
#now, let's check to see if it's over 10 GBs
If ($GBsize -gt 10)
#if it is, we want to DO the following
{
    do
    #Let's get the 1st file (sorted by lastwritetime) and remove it
    {
        $oldest = dir $folder2\*.dmp | sort lastwritetime | select -first 1
        if (!$oldest) { break } # no dmp files left to delete, don't loop forever
        $oldest | remove-item -force
        #now let's recheck the folder size
        $foldersize = (Get-ChildItem $folder2 | Measure-Object -property length -sum )
        $GBsize = [math]::Round($foldersize.sum / 1GB, 5)
        #print the folder size for testing
        $GBsize
    }
    #is the folder less than 10gb? Yes, we are done. No, go back and delete another file
    until ($GBsize -lt 10)
    Write-Host "Deletes Done"
} else {
    "No deletes Needed"
}
return

However, after all this, no dumps were collected. The reason: the issue was not occurring on the test server, even after a week.

Then almost by accident, when I was looking for some dmp files I had run

dir *.dmp /s

And found a hidden cache of hundreds upon hundreds of mini-dump files in the D:\EdgeSight\EdgeSight folder on the Citrix server. Better than nothing, I’ll take what I can get.

So I got a list of all Citrix servers, and stole all the minidumps I could find.

FOR /F %i IN (server_list.txt) DO ( xcopy \\%i\d$\EdgeSight\EdgeSight\FaultReports C:\support\minidumps /s /q )

 

However, these dump files had random-looking names.

To fix this I ran an automated script against all the dmp files, based on one from Volume 1 (http://www.patterndiagnostics.com/ultimate-memory-analysis-reference):

.symfix C:\symbols
.reload
vertarget
r
kv 100
!analyze -v
r
kv 100
ub eip
u eip
uf eip
dps esp-3000 esp+3000
dpu esp-3000 esp+3000
dpa esp-3000 esp+3000
lmv
~*k
q

I then saved the above in a file, C:\support\autodbg.txt, and ran a single command line to process all dmp files in the current folder (cdb.exe was accessible from this directory).

If running from a batch file change %I to %%i

FOR /f "delims=/" %i IN ('dir *.dmp /b') DO ( cdb -z "%i" -command "$$><C:\support\autodbg.txt" > "%i.txt" )

Then I used this script to rename all the dmp files; it prefixes each dmp file with the process name and bucket ID taken from the !analyze -v output:

$files = Get-ChildItem -Path c:\support\minidumps -Filter *.txt
ForEach ($file in $files) {
    $sr = New-Object System.IO.StreamReader($file.FullName)
    $text = $sr.ReadToEnd()
    $sr.Close()
    # ignore invalid dmp files
    if (!$text.Contains("Could not open dump file")) {
        $proc_start   = $text.IndexOf("PROCESS_NAME:") + "PROCESS_NAME:".Length
        $proc_end     = $text.IndexOf("`n", $proc_start)
        # search for the label at the start of a line, so DEFAULT_BUCKET_ID: and
        # FAILURE_BUCKET_ID: (which also contain "BUCKET_ID:") are not picked up instead
        $bucket_start = $text.IndexOf("`nBUCKET_ID:") + "`nBUCKET_ID:".Length
        $bucket_end   = $text.IndexOf("`n", $bucket_start)
        $proc   = $text.Substring($proc_start, $proc_end - $proc_start).Trim()
        $bucket = $text.Substring($bucket_start, $bucket_end - $bucket_start).Trim()
        $dmpFileName = $file.FullName.Replace(".txt", ".dmp")
        $dstFileName = [String]::Format("{0}_{1}_{2}.dmp", $proc, $bucket, $file.BaseName)
        Rename-Item $dmpFileName $dstFileName
    }
}

This converted a folder looking like

image

to

image

Unfortunately these are all mini-dumps. But we still have some important information. Looking at the !analyze -v output:

FAULTING_IP: 
ole32!CStdMarshal::CreateStub+8c
000007fe`fe0dc170 498b0424        mov     rax,qword ptr [r12]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fefe0dc170 (ole32!CStdMarshal::CreateStub+0x000000000000008c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000027621c8
Attempt to read from address 00000000027621c8

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  dllhost.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  00000000027621c8

READ_ADDRESS:  00000000027621c8 

FOLLOWUP_IP: 
esint+2190
00000000`6bc22190 ??              ???

DETOURED_IMAGE: 1

MOD_LIST: <ANALYSIS/>

LAST_CONTROL_TRANSFER:  from 000007fefe0dc063 to 000007fefe0dc170

FAULTING_THREAD:  0000000000001d70

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

STACK_TEXT:  
00000000`03cdeaa0 000007fe`fe0dc063 : 00000000`00000001 00000000`002de9f0 00000000`03cdeb98 00000000`03cdeb60 : ole32!CStdMarshal::CreateStub+0x8c
00000000`03cdeb30 000007fe`fe0dbf32 : 00000000`002fb4a8 00000000`00000000 00000000`002f97b0 00000000`00000000 : ole32!CStdMarshal::ConnectSrvIPIDEntry+0x2f
00000000`03cdeb80 000007fe`fe0e21ef : 00000000`00000000 00000000`002fb4a8 00000000`03cdeca0 00000000`00326780 : ole32!CStdMarshal::MarshalServerIPID+0xb6
00000000`03cdec20 000007fe`fe0e209f : 00000000`00000001 000007fe`fe0e2018 00000000`00000002 00000000`00000001 : ole32!CStdMarshal::MarshalIPID+0x34
00000000`03cdec60 000007fe`ffa0ff85 : 00000000`00000006 00000000`03cdf140 00000000`03cded60 00000000`00000001 : ole32!CRemoteUnknown::RemQueryInterface+0x2f5
00000000`03cded30 000007fe`ffabb68e : 00000000`00000006 00000000`002d8840 000007fe`fe247da8 00000000`002f0090 : rpcrt4!Invoke+0x65
00000000`03cdeda0 000007fe`ffa12496 : 00000000`77859fc0 00000000`0000ffff 00000000`00000000 00000000`77859fd0 : rpcrt4!Ndr64StubWorker+0x61b
00000000`03cdf360 000007fe`fe220883 : 00000000`00000000 00000000`00000000 000007fe`fe253870 00000000`002de320 : rpcrt4!NdrStubCall3+0xb5
00000000`03cdf3c0 000007fe`fe220ccd : 00000000`00000001 00000000`00000000 00000000`02b96850 00000000`00000000 : ole32!CStdStubBuffer_Invoke+0x5b
00000000`03cdf3f0 000007fe`fe220c43 : 00000000`002f0090 00000000`002e07d4 00000000`00000000 000007fe`fe2371e0 : ole32!SyncStubInvoke+0x5d
00000000`03cdf460 000007fe`fe0da4f0 : 00000000`002f0090 00000000`002e6980 00000000`002f0090 000007fe`fe0d1b00 : ole32!StubInvoke+0xdb
00000000`03cdf510 000007fe`fe0ed551 : 00000000`00000000 ab08e781`00000001 00000000`002d6450 00000000`002de320 : ole32!CCtxComChnl::ContextInvoke+0x190
00000000`03cdf6a0 000007fe`fe22347e : 00000000`002e6980 00000000`00000000 00000000`002d8840 00000000`00000000 : ole32!STAInvoke+0x91
00000000`03cdf6f0 000007fe`fe22122b : 00000000`d0908070 00000000`002e6980 00000000`002ee330 00000000`002d8840 : ole32!AppInvoke+0x1aa
00000000`03cdf760 000007fe`fe223542 : 00000000`002f0000 00000000`00000400 00000000`00000000 000007fe`fe0bb3c4 : ole32!ComInvokeWithLockAndIPID+0x52b
00000000`03cdf8f0 000007fe`fe0ed42d : 00000000`002de320 00000000`00000000 00000000`002d7fc8 00000000`002f0000 : ole32!ComInvoke+0xae
00000000`03cdf920 000007fe`fe0ed1d6 : 00000000`002e6980 00000000`002f0008 00000000`00000400 00000000`00000000 : ole32!ThreadDispatch+0x29
00000000`03cdf950 00000000`775c9bd1 : 00000000`00000000 00000000`00000000 00000000`00000000 53d9b361`91bf321e : ole32!ThreadWndProc+0xaa
00000000`03cdf9d0 00000000`775c98da : 00000000`03cdfb30 000007fe`fe0ed12c 000007fe`fe285780 00000000`00806d70 : user32!UserCallWinProcCheckWow+0x1ad
00000000`03cdfa90 000007fe`fe0ed0ab : 00000000`02cd0606 00000000`02cd0606 000007fe`fe0ed12c 00000000`00000000 : user32!DispatchMessageWorker+0x3b5
00000000`03cdfb10 000007fe`fe213e57 : 00000000`002e6980 00000000`00000000 00000000`002e6b60 000007fe`fe0d3032 : ole32!CDllHost::STAWorkerLoop+0x68
00000000`03cdfb70 000007fe`fe0c0106 : 00000000`002e6980 00000000`002d6350 00000000`00000000 00000000`00000000 : ole32!CDllHost::WorkerThread+0xd7
00000000`03cdfbb0 000007fe`fe0c0182 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ole32!CRpcThread::WorkerLoop+0x1e
00000000`03cdfbf0 00000000`7729652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
00000000`03cdfc20 00000000`7782c541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`03cdfc50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  esint+2190

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: esint

IMAGE_NAME:  esint.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5385f6ee

STACK_COMMAND:  .cxr 0000000000000000 ; kb ; ~4s; .ecxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_esint.dll!Unknown

BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_READ_DETOURED_esint+2190

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/dllhost_exe/6_1_7600_16385/4a5bca54/ole32_dll/6_1_7601_17514/4ce7c92c/c0000005/0002c170.htm?Retriage=1

Followup: MachineOwner


We can see esint.dll pointed to by !analyze –v is from Citrix:

Loaded symbol image file: esint.dll
Image path: c:\program files (x86)\Citrix\system monitoring\Agent\edgesight\esint.dll
Image name: esint.dll
Timestamp:        Thu May 29 00:47:10 2014 (5385F6EE)
CheckSum:         00013F89
ImageSize:        00013000
File version:     5.4.16.19
Product version:  5.4.16.19
File flags:       0 (Mask 3F)
File OS:          40004 NT Win32
File type:        2.0 Dll
File date:        00000000.00000000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

However I didn’t suspect this component was likely to be at fault.

Almost always, dllhost.exe crashes are caused by 3rd party viewers/codecs/printer drivers/etc. So I carefully examined the output of lmv and found this…

000007fe`dcc00000 000007fe`dd9ab000   npdf       (deferred)            
    Image path: C:\Program Files\Nitro\Pro 9\npdf.dll
    Image name: npdf.dll
    Timestamp:        Tue Jun 24 12:13:04 2014 (53A8DEB0)
    CheckSum:         00C96AB8
    ImageSize:        00DAB000
    File version:     9.5.19.13
    Product version:  3.9.0.0
    File flags:       28 (Mask 3F) Private Special
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

 

I then checked DllHost.exe on several machines, including the DllHost.exe generated when printing, and none of them had this DLL loaded, even though the application was installed.

So this suggested to me this DLL was loaded only on tasks related to this plugin.

However, I had several hundred minidumps; did they all have this module loaded?

To check this I ran another quick PowerShell script against the output text files:

$files = Get-ChildItem -Path c:\support\minidumps -Filter *dllhost*.txt
$hasNitro = 0
$noNitro  = 0
ForEach ($file in $files) {
    $sr = New-Object System.IO.StreamReader($file.FullName)
    $text = $sr.ReadToEnd()
    $sr.Close()
    if ($text.Contains("npdf")) {
        $hasNitro++
    } else {
        # print the name of any dump without the module, for manual follow-up
        $file.FullName
        $noNitro++
    }
}
"hasNitro=$hasNitro noNitro=$noNitro"


Checking the values of $hasNitro and $noNitro at the end, we saw 153 had the DLL loaded and 2 didn't. Because these were different I output their filenames for further manual analysis. (The final 2 were related to Photo Preview Handler.)
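The two scripts above (the rename by PROCESS_NAME/BUCKET_ID, and the count of dumps with npdf loaded) both boil down to pulling fields out of the cdb output text files. Below is an added example, not code from the original post, that does both in one pass and tallies the dumps by process, crash bucket and whether a named module shows up in the lmv listing, so an odd-one-out dump (like the 2 Photo Preview Handler ones) stands out immediately. It assumes PowerShell 3.0 or later (for Get-Content -Raw); the two sample output files it writes to a temp folder are constructed to mimic the !analyze -v and lmv output shown above.

```powershell
# Added example, not code from the original post. Parses the per-dump text files
# written by the cdb loop, extracts the !analyze -v fields the rename script keys
# on, and tallies dumps by bucket and by whether a module appears in lmv output.
# Assumes PowerShell 3.0+ (Get-Content -Raw, member enumeration on collections).

function Get-AnalyzeField {
    # Value after "LABEL:" at the start of a line in !analyze -v output, or $null.
    # Anchoring to line start keeps DEFAULT_BUCKET_ID / FAILURE_BUCKET_ID from
    # matching when BUCKET_ID is requested.
    param([string]$Text, [string]$Label)
    $m = [regex]::Match($Text, '(?m)^' + [regex]::Escape($Label) + ':\s*(\S.*?)\s*$')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Test-ModuleLoaded {
    # True if $Module has its own lmv line ("start end name (deferred)"), which is
    # stricter than the bare substring match in the post's script.
    param([string]$Text, [string]$Module)
    $Text -match ('(?m)^[0-9a-f`]+\s+[0-9a-f`]+\s+' + [regex]::Escape($Module) + '\s')
}

function Get-DumpTriage {
    # One summary object per cdb output file; unreadable dumps are skipped
    param([string]$Name, [string]$Text, [string]$Module)
    if ($Text.Contains('Could not open dump file')) { return $null }
    [pscustomobject]@{
        File        = $Name
        Process     = Get-AnalyzeField -Text $Text -Label 'PROCESS_NAME'
        Bucket      = Get-AnalyzeField -Text $Text -Label 'BUCKET_ID'
        FaultModule = Get-AnalyzeField -Text $Text -Label 'MODULE_NAME'
        HasModule   = Test-ModuleLoaded -Text $Text -Module $Module
    }
}

function Get-TriageSummary {
    # Count dumps per (process, bucket, module present) and list the files in each group
    param([string]$Folder, [string]$Module = 'npdf')
    $rows = foreach ($f in Get-ChildItem -Path $Folder -Filter *.txt) {
        Get-DumpTriage -Name $f.BaseName -Text (Get-Content -Path $f.FullName -Raw) -Module $Module
    }
    $rows | Group-Object -Property Process, Bucket, HasModule | ForEach-Object {
        [pscustomobject]@{
            Count         = $_.Count
            Process       = $_.Group[0].Process
            Bucket        = $_.Group[0].Bucket
            FaultModule   = $_.Group[0].FaultModule
            "Has_$Module" = $_.Group[0].HasModule
            Files         = ($_.Group.File -join ', ')
        }
    } | Sort-Object Count -Descending
}

# Constructed sample: two cut-down cdb output files in a temp folder. Single-quoted
# here-strings keep the backticks in the addresses literal.
$sampleDir = Join-Path ([IO.Path]::GetTempPath()) 'minidump-triage-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
PROCESS_NAME:  dllhost.exe
MODULE_NAME: esint
BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_READ_DETOURED_esint+2190
000007fe`dcc00000 000007fe`dd9ab000   npdf       (deferred)
000007fe`f4010000 000007fe`f402f000   thumbcache   (deferred)
'@ | Set-Content -Path (Join-Path $sampleDir 'dllhost_a.txt')
@'
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
PROCESS_NAME:  dllhost.exe
MODULE_NAME: esint
BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_READ_DETOURED_esint+2190
000007fe`f4010000 000007fe`f402f000   thumbcache   (deferred)
'@ | Set-Content -Path (Join-Path $sampleDir 'dllhost_b.txt')

Get-TriageSummary -Folder $sampleDir -Module 'npdf' | Format-Table -AutoSize
```

Point it at the real folder with -Folder c:\support\minidumps; the Files column of any group with a Count of 1 or 2 is the list to open by hand, which is the same step the post takes with the 2 Photo Preview Handler dumps.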

What was it doing to crash? For various reasons we were restricted and weren't able to talk to users to find out what they were doing leading up to the crash. So I checked dllhost.exe on its own, looked at the DLLs it had loaded, and compared them further with the crash dumps. (Note that when printing you will also see a dllhost.exe launch; this one will have a different set of DLLs again.)

image

All the crash dumps also had Microsoft Thumbnail Cache loaded:

000007fe`f4010000 000007fe`f402f000   thumbcache   (deferred)            
    Mapped memory image file: C:\symbols\thumbcache.dll\4CE7C9D01f000\thumbcache.dll
    Image path: C:\Windows\System32\thumbcache.dll
    Image name: thumbcache.dll
    Timestamp:        Sun Nov 21 00:14:56 2010 (4CE7C9D0)
    CheckSum:         00022DBA
    ImageSize:        0001F000
    File version:     6.1.7601.17514
    Product version:  6.1.7601.17514
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     thumbcache.dll
    OriginalFilename: thumbcache.dll
    ProductVersion:   6.1.7601.17514
    FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)
    FileDescription:  Microsoft Thumbnail Cache
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

So from this we can guess that the crashes occurred when building thumbnails of PDFs.

From http://msdn.microsoft.com/en-us/library/windows/desktop/cc144118(v=vs.85).aspx we can see that thumbnail handlers are registered under the GUID E357FCCD-A995-4576-B01F-234630154E96.

Looking up .PDF in HKEY_CLASSES_ROOT we see (Default) is set to NitroPDF.Document.9

We then look up HKEY_CLASSES_ROOT\NitroPDF.Document.9

And sure enough we can see it has a thumbnail handler installed under ShellEx\{e357fccd-a995-4576-b01f-234630154e96}

Note: {8895b1c6-b41f-4c1c-a562-0d564250836f} is for the preview handler. http://msdn.microsoft.com/en-us/library/windows/desktop/cc144144(v=vs.85).aspx

image

We can remove this thumbnail handler by deleting that ShellEx registry key.
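The registry walk above (extension to ProgID, ProgID\ShellEx\{handler GUID} to CLSID, CLSID to the DLL that dllhost.exe loads) is easy to script so it can be repeated across a farm. The following is an added example and not code from the post or from the vendor; the two handler GUIDs are the documented thumbnail and preview handler values quoted above, everything else is read from whichever machine it runs on. It also shows exporting the key before removing it, so the change can be reverted.

```powershell
# Added example, not code from the original post. Maps a file extension to the
# shell extension handlers registered for it and resolves each handler's CLSID to
# its InprocServer32 DLL, so a module seen in a dllhost.exe crash dump (npdf.dll
# above) can be tied to the registration that loads it.

$HandlerGuids = @{
    '{e357fccd-a995-4576-b01f-234630154e96}' = 'Thumbnail handler (IThumbnailProvider)'
    '{8895b1c6-b41f-4c1c-a562-0d564250836f}' = 'Preview handler (IPreviewHandler)'
}

function Get-ShellExHandlers {
    param([Parameter(Mandatory=$true)][string]$Extension)   # e.g. '.pdf'

    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    # 1. The extension's (Default) value is its ProgID, e.g. NitroPDF.Document.9
    $progId = (Get-ItemProperty -Path "$hkcr\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { Write-Warning "No ProgID registered for $Extension"; return }

    # Handlers may sit under the ProgID, directly under the extension, or under
    # SystemFileAssociations; check all three so nothing is missed.
    $bases = @("$hkcr\$progId\ShellEx",
               "$hkcr\$Extension\ShellEx",
               "$hkcr\SystemFileAssociations\$Extension\ShellEx")
    foreach ($base in $bases) {
        if (-not (Test-Path $base)) { continue }
        foreach ($guid in $HandlerGuids.Keys) {
            $key = "$base\$guid"
            if (-not (Test-Path $key)) { continue }
            # 2. (Default) under the handler key is the CLSID of the COM server
            $clsid = (Get-ItemProperty -Path $key).'(default)'
            # 3. CLSID\{...}\InprocServer32 (Default) is the DLL the surrogate loads
            $server = "$hkcr\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
            [pscustomobject]@{
                Extension   = $Extension
                ProgId      = $progId
                HandlerType = $HandlerGuids[$guid]
                RegistryKey = $key
                Clsid       = $clsid
                ServerDll   = $dll
            }
        }
    }
}

function Disable-ShellExHandler {
    # Export the handler key to a .reg file, then delete it. $Key is in the
    # "HKCR\ProgID\ShellEx\{guid}" form that reg.exe expects.
    param([Parameter(Mandatory=$true)][string]$Key,
          [string]$BackupFile = (Join-Path $env:TEMP 'shellex-handler-backup.reg'))
    & reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; not deleting" }
    Remove-Item -Path "Registry::$Key" -Recurse
    "Removed $Key (backup: $BackupFile)"
}

# Usage: list what is registered for .pdf and which DLL each handler loads
Get-ShellExHandlers -Extension '.pdf' | Format-List

# To remove the thumbnail handler found in the post (key taken from the text above):
# Disable-ShellExHandler -Key 'HKCR\NitroPDF.Document.9\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}'
```

Run Get-ShellExHandlers first and confirm the ServerDll column matches the module from the crash dumps before deleting anything; the backup .reg file can be re-imported with reg.exe import if the handler turns out to be needed.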

We contacted the vendor and they confirmed their product caused this issue, and the latest version of the product had fixed the bug.
