Case of the Windows 11 SystemSettings.exe Crash

User-mode dumps were being collected with DumpType set to 2 via the Windows Error Reporting registry configuration, as documented here.

Noticed two SystemSettings.exe crashes, both with similar stack traces. The following information was logged in the Windows application event log:

Faulting application name: SystemSettings.exe, version: 10.0.22000.348, time stamp: 0x27a6d211
Faulting module name: MusUpdateHandlers.dll, version: 10.0.22000.348, time stamp: 0x5aa0c31b
Exception code: 0xc0000005
Fault offset: 0x0000000000092185
Faulting process id: 0x53c0
Faulting application start time: 0x01d802f49e9d7598
Faulting application path: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Faulting module path: C:\Windows\System32\MusUpdateHandlers.dll
Report Id: 75fce6a5-9ef4-42a1-a895-83bc2a6b6c9b
Faulting package full name: windows.immersivecontrolpanel_10.0.6.1000_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: microsoft.windows.immersivecontrolpanel

Normally a quick correlation can be made with Reliability Monitor to see whether the issues started occurring after a specific system change. However, possibly because a major update was being installed, Reliability Monitor no longer had any information about the crashes, changes, etc. made to the system on the dates earlier in the month when the crashes occurred.

Initial analysis pointed to the culprit being a null pointer dereference in MusUpdateHandlers.dll, which is the Modern Update Settings Handler Implementation.

0:018> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 2827

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 12646

    Key  : Analysis.Init.CPU.mSec
    Value: 265

    Key  : Analysis.Init.Elapsed.mSec
    Value: 6821

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 285

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 201950

    Key  : Timeline.Process.Start.DeltaSec
    Value: 201231

    Key  : WER.OS.Branch
    Value: co_release

    Key  : WER.OS.Timestamp
    Value: 2021-06-04T16:28:00Z

    Key  : WER.OS.Version
    Value: 10.0.22000.1

    Key  : WER.Process.Version
    Value: 10.0.22000.348


FILE_IN_CAB:  SystemSettings.exe.16748.dmp

NTGLOBALFLAG:  400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=00007107f20fec8f rbx=0000004b595ff744 rcx=0000000000000000
rdx=0000004b595ff744 rsi=0000000000000002 rdi=0000000000000001
rip=00007ffe2ebd2185 rsp=0000004b595ff680 rbp=0000004b595ff7d0
 r8=0000000000000001  r9=0000000000000001 r10=0000000000009100
r11=0000004b595ff6b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=00007ffe2ec40328
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x55:
00007ffe`2ebd2185 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffe2ebd2185 (MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x0000000000000055)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

PROCESS_NAME:  SystemSettings.exe

READ_ADDRESS:  0000000000000000 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000000

STACK_TEXT:  
0000004b`595ff680 00007ffe`2eb8a93c     : 0000015a`dec14700 0000015a`dec14700 0000015a`dec14700 00000000`00000001 : MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x55
0000004b`595ff6d0 00007ffe`2eb6b013     : 0000015a`e0ca8110 0000015a`e0ca8110 0000015a`e0ca8110 00000000`00000000 : MusUpdateHandlers!SystemSettings::Update::CMusSeekerUpdate::InitializeState+0x38c
0000004b`595ff850 00007ffe`2eb6c0ee     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MusUpdateHandlers!<lambda_547ec51b376960035aba27ef737bbd82>::operator()+0x257
0000004b`595ff960 00007ffe`8ad36c0c     : 0000015a`e565e280 00000000`00000000 00000000`00000000 00000000`00000000 : MusUpdateHandlers!std::thread::_Invoke<std::tuple<<lambda_547ec51b376960035aba27ef737bbd82> >,0>+0xe
0000004b`595ff990 00007ffe`8bd454e0     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
0000004b`595ff9c0 00007ffe`8cfa485b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x10
0000004b`595ff9f0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2b


SYMBOL_NAME:  MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+55

MODULE_NAME: MusUpdateHandlers

IMAGE_NAME:  MusUpdateHandlers.dll

STACK_COMMAND:  ~18s ; .ecxr ; kb

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_MusUpdateHandlers.dll!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank

OS_VERSION:  10.0.22000.1

BUILDLAB_STR:  co_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  10.0.22000.348

FAILURE_ID_HASH:  {39aeb642-c99a-f672-5c69-96a915aec9c5}

Followup:     MachineOwner
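
The following Python example is added here and is not part of the original post. It cross-checks the event log entry against the !analyze -v output: it derives the module load base from the exception address and the fault offset, classifies the access violation from the exception parameters, decodes the FILETIME start time, and compares the event's process id with the PID in the dump file name. The function names are hypothetical, and it assumes the dump name follows the WER `<image>.<pid>.dmp` pattern and that the logged fault offset applies to the analysed dump.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the event log entry and the !analyze -v output on this page.
EVENT_TEXT = """\
Faulting module name: MusUpdateHandlers.dll, version: 10.0.22000.348, time stamp: 0x5aa0c31b
Exception code: 0xc0000005
Fault offset: 0x0000000000092185
Faulting process id: 0x53c0
Faulting application start time: 0x01d802f49e9d7598
"""

ANALYZE_TEXT = """\
FILE_IN_CAB:  SystemSettings.exe.16748.dmp
ExceptionAddress: 00007ffe2ebd2185 (MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x0000000000000055)
   ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
"""

# First exception parameter of an access violation: the kind of access attempted.
AV_KINDS = {0: "read", 1: "write", 8: "execute (DEP)"}
# The lowest 64 KiB of a user-mode address space is reserved, so a fault
# address below this limit is a null pointer plus a small offset.
NULL_GUARD_LIMIT = 0x10000
# Images are mapped on 64 KiB boundaries (the allocation granularity).
IMAGE_ALIGNMENT = 0x10000


def parse_event(text):
    """Split the 'Key: value' lines of the crash event message into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def filetime_to_utc(filetime):
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


def parse_exception(text):
    """Pull the exception record and the dump's PID out of !analyze -v text."""
    text = text.replace("`", "")  # WinDbg splits 64-bit values with a backtick

    def hex_field(name):
        return int(re.search(name + r":\s*([0-9a-f]+)", text, re.I).group(1), 16)

    params = re.findall(r"Parameter\[\d+\]:\s*([0-9a-f]+)", text, re.I)
    return {
        "address": hex_field("ExceptionAddress"),
        "code": hex_field("ExceptionCode"),
        "params": [int(p, 16) for p in params],
        # Assumption: WER names local dumps <image>.<pid>.dmp
        "dump_pid": int(re.search(r"FILE_IN_CAB:\s*\S+\.(\d+)\.dmp", text).group(1)),
    }


def triage(event_text, analyze_text):
    """Correlate the logged event with the dump and classify the fault."""
    ev = parse_event(event_text)
    exc = parse_exception(analyze_text)
    base = exc["address"] - int(ev["Fault offset"], 16)
    result = {
        "process_start_utc": filetime_to_utc(
            int(ev["Faulting application start time"], 16)),
        "module_base": base,
        # An unaligned base means the offset and address do not belong together.
        "base_is_aligned": base % IMAGE_ALIGNMENT == 0,
        "same_process": int(ev["Faulting process id"], 16) == exc["dump_pid"],
    }
    if exc["code"] == 0xC0000005 and len(exc["params"]) >= 2:
        kind, target = exc["params"][:2]
        result["access"] = AV_KINDS.get(kind, "unknown")
        result["near_null"] = target < NULL_GUARD_LIMIT
    return result


if __name__ == "__main__":
    for key, value in triage(EVENT_TEXT, ANALYZE_TEXT).items():
        print(key, "=", hex(value) if key == "module_base" else value)
```

On the page's data the process id comparison comes out false: the event was logged for process 0x53c0 while the dump file name carries 16748, which fits the two separate crashes noted at the start.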

The crash seems to be related to a class named CMusOrchModel.

What is that? Checking all references to the string in IDA Pro, we find related methods, but the symbol names are mangled, i.e. in a format like ??_E?$_Ref_count_obj2@VCMusOrchModel@Update@SystemSettings@@@std@@UEAAPEAXI@Z, so all search results were copied and pasted into an online GCC/MSVC C++ demangler at http://demangler.com/

This shows us the function names involved:

public: virtual void * __ptr64 __cdecl std::_Ref_count_obj2<class SystemSettings::Update::CMusOrchModel>::`vector deleting destructor'(unsigned int) __ptr64
public: virtual void * __ptr64 __cdecl SystemSettings::Update::CMusOrchModel::`scalar deleting destructor'(unsigned int) __ptr64
public: __cdecl SystemSettings::Update::CMusOrchModel::CMusOrchModel(void) __ptr64
public: virtual __cdecl SystemSettings::Update::CMusOrchModel::~CMusOrchModel(void) __ptr64
private: virtual void __cdecl std::_Ref_count_obj2<class SystemSettings::Update::CMusOrchModel>::_Destroy(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::AcceptAllUpdateEulas(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveAllSeekerUpdatesFromApprovalList(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerFeatureUpdateForInstall(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerQualityUpdateForInstall(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::AreUpdatesPaused(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::AreUpdatesPausedByPolicy(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::AreUsoObjectsInitialized(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::CanExtendPauseUpdates(unsigned long,int * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::CanPauseUpdates(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::CreateNotifyPropertyChangedThread(enum SystemSettings::Update::UXUpdateReason) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::CreateUpdateResultsTaskSchedule(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::DecrementPauseUpdates(unsigned long) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::DoesRebootScheduleExist(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ExtendPauseUpdates(unsigned long) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::FixServiceUnavailable(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ActiveHours(unsigned short * __ptr64,unsigned short * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ActiveHoursIntervalLimit(unsigned short * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApplicableUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApplicableUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApplicableUpdatesPayloadInfo(struct PayloadInfo * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_CanScheduleUpdate(struct PayloadInfo & __ptr64,BOOL * __ptr64) __ptr64
public: enum NormalizedPolicy __cdecl SystemSettings::Update::CMusOrchModel::get_EnforcedAuPolicy(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_OptInToMu(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_RebootSchedule(struct _SYSTEMTIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SchedulePickerOption(enum SchedulePickerOption * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: enum UxSettingType __cdecl SystemSettings::Update::CMusOrchModel::get_UpdateUxOption(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_UserChoiceActiveHoursEnd(BOOL * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_UserChoiceActiveHoursStart(BOOL * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetApprovedSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetAvailableUpdateStatusCounts(unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetCompatBlockInfo(class std::optional<class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> > > & __ptr64,class std::optional<class std::vector<class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> >,class std::allocator<class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> > > > > & __ptr64,class std::optional<unsigned int> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDaysSinceRebootRequired(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDefaultRebootScheduleTime(struct _SYSTEMTIME * __ptr64,struct _FILETIME,struct _FILETIME) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDeviceEosStatus(BOOL * __ptr64,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDowntimeEstimateInfo(unsigned long * __ptr64,int * __ptr64) __ptr64
public: static class std::shared_ptr<class SystemSettings::Update::CMusOrchModel> __cdecl SystemSettings::Update::CMusOrchModel::GetInstanceShared(void)
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::GetIsSingletonDeinitializing(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetMaximumAllowedPauseDays(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetMgmtDefaultScheduleTime(struct _SYSTEMTIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetOptionsForUpdateNotificationLevelPolicy(enum UpdateNotificationOption * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetOrchModelShimInstance(class std::shared_ptr<class SystemSettings::Update::OrchModelShim> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetPauseUpdatesExpiryTime(struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetPolicyValue(enum NormalizedPolicy,enum tagUpdatePolicyStatus * __ptr64,struct tagVARIANT * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerFeatureUpdateBuildNumber(class std::optional<unsigned int> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdateTitle(unsigned short * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryDefinition(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryDriver(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryFeature(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryOther(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryQuality(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdatePayloadSize(enum tagUsoUpdatePayloadType,unsigned __int64 * __ptr64,unsigned __int64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUXElementStoreForSurface(enum UXSurface,class UXElementStore * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetValidScheduleRange(struct _FILETIME * __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetValidScheduleRangeWithFallback(struct _FILETIME * __ptr64,struct _FILETIME * __ptr64,BOOL) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetWOSCOneSettingsInstance(struct IUxOneSettings * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::InitializeUpdateHistory(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::InvokeAction(struct HWND__ * __ptr64,enum SystemSettings::Update::MusActionType const & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::InvokeReboot(BOOL,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsActiveHourIntervalValid(unsigned short,unsigned short,BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsActiveHoursUXApplicable(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsAutoApproveSeekerQualityUpdatesEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsAutoRestartDeadlinePolicyConfigured(BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsCTA(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsDirectEngagedReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsDisableUXAccessPolicyEnabled(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsEngagedRebootAllowedByPolicy(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsEngagedRestartDeadlinePolicyConfigured(BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsFeatureUpdatePausedByPolicy(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsGraceDeadlinePolicyConfigured(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsMgmtPolicyValidForSchedulingReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsNotifyToRebootPolicyApplicable(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsPolicyConfigured(enum NormalizedPolicy) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsPolicyConfiguredAndEnabled(enum NormalizedPolicy) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsPolicyConfiguredToMapToAutomaticReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsQualityUpdatePausedByPolicy(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsRebootRequired(BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsRestartForced(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerFeatureOrQualityUpdatesAvailable(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerHighCompatMessageEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerOnDemandUxEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class std::shared_ptr<class UxUsoUpdateShim>,BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsSihUpdatePendingReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsSmartActiveHoursSuggestionNeeded(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsUpdateErrorIgnorable(long) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsUSOAvailable(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsUXCampaignApplicable(enum UXSurface) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsWindowsInsiderAttentionNeeded(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::LoadDynamicElementById(enum UXSurface,enum UXElementType,unsigned int,struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::LoadDynamicUXStringById(unsigned int,struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: static long __cdecl SystemSettings::Update::CMusOrchModel::LocalizeWsxUpdateTitle(class std::basic_string_view<unsigned short,struct std::char_traits<unsigned short> > const & __ptr64,unsigned short * __ptr64 * __ptr64)
public: void __cdecl SystemSettings::Update::CMusOrchModel::NotifyInit(class SystemSettings::DataModel::CSingletonHelper<struct SystemSettings::Update::MusNotification>::CCallback * __ptr64) __ptr64
public: void __cdecl SystemSettings::Update::CMusOrchModel::NotifyPropertyChanged(enum SystemSettings::Update::UXUpdateReason) __ptr64
protected: virtual void __cdecl SystemSettings::Update::CMusOrchModel::OnAsyncInitComplete(void) __ptr64
protected: virtual void __cdecl SystemSettings::Update::CMusOrchModel::OnSingletonDeinit(void) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusOrchModel::OnSingletonInit(void) __ptr64
protected: void __cdecl SystemSettings::Update::CMusOrchModel::OrchestratorUpdateCallback(char const & __ptr64,enum SystemSettings::Update::UXUpdateReason) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::PauseUpdates(unsigned long) __ptr64
protected: static void __cdecl SystemSettings::Update::CMusOrchModel::RefreshElementStoresCallback(struct _TP_CALLBACK_INSTANCE * __ptr64,void * __ptr64,struct _TP_TIMER * __ptr64)
protected: long __cdecl SystemSettings::Update::CMusOrchModel::RefreshSeekerSessionState(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ResumeUpdates(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusOrchModel::RunElevatedInstall(struct HWND__ * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ScheduleReboot(struct _SYSTEMTIME,enum SchedulePickerOption) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::SendCTAApprovedData(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_ActiveHoursEnd(unsigned short) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_ActiveHoursStart(unsigned short) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_DoMicrosoftScan(BOOL) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_SchedulePickerOption(enum SchedulePickerOption) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_UserChoiceActiveHoursEnd(unsigned long) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_UserChoiceActiveHoursStart(unsigned long) __ptr64
protected: void __cdecl SystemSettings::Update::CMusOrchModel::SingletonDeinitialize(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::SingletonInitialize(void) __ptr64
protected: void __cdecl SystemSettings::Update::CMusOrchModel::StopTracing(void) __ptr64

The crash seems to have occurred in the function “GetSeekerUXDisplayRank”, which is called by “CMusSeekerUpdate::InitializeState”.

References to seeker:

class WRL::Details::ComPtr<class SystemSettings::Update::CMusSeekerOnDemand> __cdecl Microsoft::WRL::Details::V::Make(void)
class WRL::Details::ComPtr<class SystemSettings::Update::CMusSeekerUpdate> __cdecl Microsoft::WRL::Details::V::Make(void)
private: long __cdecl SystemSettings::Update::CMusSeekerOnDemand::InitiateSeekerUpdateTitle(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusSeekerOnDemand::MoInitiateSeekerUpdateTitle(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusSeekerUpdate::InitiateSeekerUpdateTitle(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusSeekerUpdate::InitiateWhatsNewUrl(void) __ptr64
private: long __cdecl UxUsoShim::GetNonSeekerOrApprovedUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerFeatureUpdateForInstall(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerQualityUpdateForInstall(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::RefreshSeekerSessionState(BOOL * __ptr64) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::InitializeState(struct SystemSettings::Update::MusNotification) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::Invoke(struct HWND__ * __ptr64) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::InitializeState(struct SystemSettings::Update::MusNotification) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::Invoke(struct HWND__ * __ptr64) __ptr64
protected: virtual void __cdecl SystemSettings::Update::CMusSeekerUpdate::RaiseValueChangedEvents(void) __ptr64
public: __cdecl Microsoft::WRL::Details::MakeAllocator<class SystemSettings::Update::CMusSeekerOnDemand>::~MakeAllocator<class SystemSettings::Update::CMusSeekerOnDemand>(void) __ptr64
public: __cdecl SystemSettings::Update::CMusSeekerOnDemand::CMusSeekerOnDemand(void) __ptr64
public: __cdecl SystemSettings::Update::CMusSeekerUpdate::CMusSeekerUpdate(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveAllSeekerUpdatesFromApprovalList(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetApprovedSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerFeatureUpdateBuildNumber(class std::optional<unsigned int> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdateTitle(unsigned short * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsAutoApproveSeekerQualityUpdatesEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerFeatureOrQualityUpdatesAvailable(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerHighCompatMessageEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerOnDemandUxEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class std::shared_ptr<class UxUsoUpdateShim>,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl UxUsoShim::GetApplicableSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl UxUsoShim::GetApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: static long __cdecl SystemSettings::Update::CMusSeekerOnDemand::CreateInstance(struct SystemSettings::DataModel::SettingDBItem const * __ptr64,struct SystemSettings::DataModel::ISettingItem * __ptr64 * __ptr64)
public: static long __cdecl SystemSettings::Update::CMusSeekerUpdate::CreateInstance(struct SystemSettings::DataModel::SettingDBItem const * __ptr64,struct SystemSettings::DataModel::ISettingItem * __ptr64 * __ptr64)
public: static long __cdecl UpdateUtil::GetApprovedSeekerUpdatesCount(class UxUsoShim * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64)
public: virtual __cdecl SystemSettings::Update::CMusSeekerOnDemand::~CMusSeekerOnDemand(void) __ptr64
public: virtual __cdecl SystemSettings::Update::CMusSeekerUpdate::~CMusSeekerUpdate(void) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::get_Description(struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::get_IsEnabled(unsigned char * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::GetProperty(struct HSTRING__ * __ptr64,struct IInspectable * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::get_Description(struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::get_IsApplicable(unsigned char * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::GetProperty(struct HSTRING__ * __ptr64,struct IInspectable * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::ApproveSeekerQualityUpdateForInstall(void) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetApprovedSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetApprovedSeekerUpdatesCount(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetNonSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetSeekerSession(BOOL * __ptr64,BOOL * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::SetSeekerSession(BOOL) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::ApproveSeekerQualityUpdateForInstall(void) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetApprovedSeekerUpdatesCount(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetNonSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetSeekerSession(BOOL * __ptr64,BOOL * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetSelectableSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::SetSeekerSession(BOOL) __ptr64
public: virtual void * __ptr64 __cdecl SystemSettings::Update::CMusSeekerOnDemand::`vector deleting destructor'(unsigned int) __ptr64
public: virtual void * __ptr64 __cdecl SystemSettings::Update::CMusSeekerUpdate::`vector deleting destructor'(unsigned int) __ptr64


What is the process for this CMusSeekerUpdate::InitializeState function?

  1. A call to SystemSettings::Update::CMusSettings::InitializeState which checks for pending reboot.

It checks for pending reboot via SystemSettings::Update::CMusOrchModel::IsSihUpdatePendingReboot

I believe SIH in this case refers to “Server Initiated Healing”, which includes C:\Windows\System32\SIHClient.exe. Checking C:\Windows\System32\en-US\SIHClient.exe.mui, we find the following text:

This daily task launches the SIH client (server-initiated healing) to detect and fix system components that are vital to automatic updating of Windows and Microsoft software installed on the machine. This task can go online, evaluate applicability of healing actions, download necessary payloads to execute the actions, and execute healing actions.
This boot task launches the SIH client to finish executing healing actions to fix the system components vital to automatic updating of Windows and Microsoft software installed on the machine. It is enabled only when the daily SIH client task fails to complete execution of applicable healing actions. This boot task never goes online and does not evaluate applicability of healing actions.

(Note: SIH can also refer to Shell Infrastructure Host which is C:\Windows\System32\SIHost.exe)

IsSihUpdatePendingReboot calls UsoConfiguration::GetConfiguration(L"UsoServicingStack", etc), which uses an internal function, RegistryManager::GetHKLMValueOrDefault, to retrieve a key with the name UpdateOrchestratorConfigurationRoot.

If GetConfiguration does not return a value of 1, IsSihUpdatePendingReboot exits immediately.

Otherwise it continues and calls RegistryManager::HKLMValueExists(L"Sih", L"\UpdateStaged", L"StagingTimeStamp", x);

Finally IsSihUpdatePendingReboot checks SystemSettings::Update::OtaIsPendingExclusiveContent by calling GetUpdateResultsEx in UpdateAPI.dll.

OtaIsPendingExclusiveContent is true when GetUpdateResultsEx is 0 or greater.

InitializeState then calls SystemSettings::Update::CMusOrchModel::IsUSOAvailable

Here USO refers to Update Session Orchestrator (USO) which you can read about here

It checks whether USO is available by checking that the Update Orchestrator Service (USOSvc) is an available service and is running.

There is then a check for SystemSettings::Update::CMusOrchModel::FixServiceUnavailable which seems to potentially update some telemetry and other stuff.

The total InitializeState function has some logic like this:

__int64 __fastcall SystemSettings::Update::CMusSettings<SystemSettings::DataModel::CActionSetting>::InitializeState(
        __int64 a1)
{
  bool IsSihUpdatePendingReboot; // bl
  char v3; // si

  IsSihUpdatePendingReboot = SystemSettings::Update::CMusOrchModel::IsSihUpdatePendingReboot(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248));
  if ( !SystemSettings::Update::CMusOrchModel::IsUSOAvailable(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248))
    || IsSihUpdatePendingReboot )
  {
    v3 = 0;
    if ( !IsSihUpdatePendingReboot )
      SystemSettings::Update::CMusOrchModel::FixServiceUnavailable(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248));
  }
  else
  {
    v3 = 1;
  }
  EnterCriticalSection((LPCRITICAL_SECTION)(a1 + 312));
  *(_BYTE *)(a1 + 264) = v3;
  if ( a1 != -312 )
    LeaveCriticalSection((LPCRITICAL_SECTION)(a1 + 312));
  return 0i64;
}

2. Some configuration is checked related to “allow scan map” and “SeekerOnDemandScanOverride”

 v7 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeMap;
  v8 = 0i64;
  v9 = *(_DWORD *)a2;
  v10 = &SystemSettings::Update::CMusSeekerUpdate::sc_rgupeMap;
  v11 = 1;
  while ( *v10 != v9 )
  {
    v8 = (unsigned int)(v8 + 1);
    ++v10;
    if ( (unsigned int)v8 >= 0xA )
      goto LABEL_9;
  }
  v7 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeMap + 4 * v8;
LABEL_9:
  v12 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap;
  v13 = 0i64;
  v14 = &SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap;
  while ( *v14 != v9 )
  {
    v13 = (unsigned int)(v13 + 1);
    ++v14;
    if ( (unsigned int)v13 >= 0xB )
      goto LABEL_14;
  }
  v12 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap + 4 * v13;
LABEL_14:
  v35 = &SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap != (_UNKNOWN *)v12;
  HKLMValueOr = RegistryManager::GetHKLMValueOrDefault<unsigned long>(
                  L"WindowsUpdateUXRoot",
                  L"\\TestHooks",
                  L"SeekerOnDemandScanOverride",
                  1);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6871i64;
    goto LABEL_3;
  }
  if ( !v58[1] )
  {
    v15 = MusUpdateLogging::Provider();
    if ( *(_DWORD *)v15 > 4u )
    {
      v51 = (__int64)"Seeker on demand override is set so scan is not allowed immediately";
      _tlgWriteTemplate<long (_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,unsigned int,_EVENT_DATA_DESCRIPTOR *),&long _tlgWriteTransfer_EventWriteTransfer(_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,unsigned int,_EVENT_DATA_DESCRIPTOR *),_GUID const *,_GUID const *>::Write<_tlgWrapSz<char>>(
        (int)v15,
        (__int64)&v51);
    }
    v35 = 0;
  }

3. Some functions are called to check if UX access is blocked and if updates are paused i.e.

IsDisableUXAccessPolicyEnabled = SystemSettings::Update::CMusOrchModel::IsDisableUXAccessPolicyEnabled(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248));
  if ( SystemSettings::Update::CMusOrchModel::AreUpdatesPaused(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248))
    || (v16 = SystemSettings::Update::CMusOrchModel::AreUpdatesPausedByPolicy(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248)),
        v33 = 0,
        v16) )
  {
    v33 = 1;
  }

4. Seeker update counts are retrieved

HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetSeekerUpdatesCounts(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v46[1],
                  &v47,
                  &v44,
                  &v45);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6894i64;
    goto LABEL_3;
  }
  v17 = v46[1];
  v39 = v46[1] != 0;
  v18 = v47;
  v34 = v47 != 0;
  v19 = v45;
  if ( v44 || (v36 = 0, v45) )
    v36 = 1;
  v56 = 0;
  v57 = 0;
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetApprovedSeekerUpdatesCounts(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v56,
                  &v57);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6904i64;
    goto LABEL_3;
  }

5. Configuration is checked if quality updates are auto approved

 if ( v34 )
  {
    HKLMValueOr = SystemSettings::Update::CMusOrchModel::IsAutoApproveSeekerQualityUpdatesEnabled(
                    *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                    &v32);
    if ( HKLMValueOr < 0 )
    {
      v5 = 6933i64;
      goto LABEL_3;
    }
    v23 = v32;
  }

6. We get to the spot where the crash occurs, GetSeekerUXDisplayRank

 IsUXCampaignApplicable = 0;
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  v46);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6938i64;
    goto LABEL_3;
  }
  v25 = v46[0];
  if ( v46[0] != 1 )
    IsUXCampaignApplicable = SystemSettings::Update::CMusOrchModel::IsUXCampaignApplicable(*(_QWORD *)(a1 + 248), 1i64);
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::IsSeekerOnDemandUxEnabled(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v40);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6948i64;
    goto LABEL_3;
  }
  v32 = 0;
  v37 = 0;
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetDeviceEosStatus(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v32,
                  &v37);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6954i64;
    goto LABEL_3;
  }
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::IsSeekerHighCompatMessageEnabled(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v43);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6957i64;
    goto LABEL_3;
  }

The crash occurs because a function pointer is null when attempting to call _guard_xfg_dispatch_icall_fptr

__int64 __fastcall SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(
        SystemSettings::Update::CMusOrchModel *this,
        unsigned int *a2)
{
  __int64 v4; // rcx
  int v5; // eax
  unsigned int v6; // edi
  int v7; // [rsp+20h] [rbp-28h]
  unsigned int v8; // [rsp+30h] [rbp-18h] BYREF
  wil::details::in1diag3 *retaddr; // [rsp+48h] [rbp+0h]

  if ( a2 )
  {
    v4 = *((_QWORD *)this + 212);
    v8 = 1;
    v5 = _guard_xfg_dispatch_icall_fptr(v4, 90i64, 1i64, &v8);

This function is an eXtended Flow Guard (XFG) function generated by the compiler; a good introduction to this is here

It seems like the reference to this function has been overwritten with 0s, causing the null reference when attempting to reference a pointer to the targeted function, although I am currently unsure as to what actually caused this problem.


Generate New Password Hash for VB6 App with WinDbg

Logon details for an application had been lost. A quick investigation showed the credentials were stored in a SQL database as an 8 byte salt and 8 byte hash converted into XML.

<?xml version="1.0"?>
<ParameterValues>
	<Parameter Name="salt1" Value="5"/>
	<Parameter Name="salt2" Value="43"/>
	<Parameter Name="salt3" Value="121"/>
	<Parameter Name="salt4" Value="74"/>
	<Parameter Name="salt5" Value="121"/>
	<Parameter Name="salt6" Value="155"/>
	<Parameter Name="salt7" Value="129"/>
	<Parameter Name="salt8" Value="94"/>
	<Parameter Name="hash1" Value="33"/>
	<Parameter Name="hash2" Value="4"/>
	<Parameter Name="hash3" Value="27"/>
	<Parameter Name="hash4" Value="74"/>
	<Parameter Name="hash5" Value="26"/>
	<Parameter Name="hash6" Value="219"/>
	<Parameter Name="hash7" Value="50"/>
	<Parameter Name="hash8" Value="124"/>
</ParameterValues>

Tried to guess a few potential passwords but no luck

Using WinDbg and some breakpoints we could easily find the code that displayed the error message and, using the stack traces from that point, the hash generating algorithm. However, fully re-creating the hash algorithm was going to be time consuming …

The application used “ADO” for database access. Using a breakpoint we were able to find the application's connection string to the database, which had full read/write access to the database.

0:000> sxe ld msado15
0:000> g
ModLoad: 7c630000 7c740000   C:\Program Files (x86)\Common Files\System\ado\msado15.dll
0:000> bp msado15!CConnection::put_ConnectionString ".printf \"CONNECTION STRING: '%mu'\\n\",poi(@esp+8);g"
0:000> g
CONNNECTION STRING 'DATA Provider=SQLOLEDB; SERVER=sql2000;DATABASE=secret;UID=sa;PWD=sa'

As this is a Visual Basic application, a good starting point is to monitor string comparisons and variable comparisons. Visual Basic stores variables internally in memory as a VARIANT data type, with strings stored as type VT_BSTR and integers as VT_I2. The variant structure is documented here and here

Information in relation to use within Visual Basic for Applications is covered here

Unfortunately most Visual Basic 6 apps won’t load symbols so we can use WinDbg’s dt VARIANT <address> to display the variant data. In addition the dt view of VARIANT is very clumsy and painful to read in any quantity, as you need to know the VARTYPE “vt” enum to understand whether you are looking at integer or string data. One quirk is that VB may add the “VT_RESERVED” value to the VT_TYPE, so our JavaScript removes that if it’s set, so that we can still determine the original data type.

To remedy this we can use JavaScript with WinDbg Preview to display the data. Note this script only covers a couple of the data types that I needed, but this is easy to expand as necessary.

I saved this file as C:\WinDbg\PrintVariant.js

function PrintVariant(addr)
{
	const VT_TYPE = { 
		VT_EMPTY: 0,
		VT_NULL: 1,
		VT_I2: 2,
		VT_I4: 3,
		VT_R4: 4,
		VT_R8: 5,
		VT_CY: 6,
		VT_DATE: 7,
		VT_BSTR: 8,
		VT_DISPATCH: 9,
		VT_ERROR: 10,
		VT_BOOL: 11,
		VT_VARIANT: 12,
		VT_UNKNOWN: 13,
		VT_DECIMAL: 14,
		VT_I1: 16,
		VT_UI1: 17,
		VT_UI2: 18,
		VT_UI4: 19,
		VT_I8: 20,
		VT_UI8: 21,
		VT_INT: 22,
		VT_UINT: 23,
		VT_VOID: 24,
		VT_HRESULT: 25,
		VT_PTR: 26,
		VT_SAFEARRAY: 27,
		VT_CARRAY: 28,
		VT_USERDEFINED: 29,
		VT_LPSTR: 30,
		VT_LPWSTR: 31,
		VT_RECORD: 36,
		VT_INT_PTR: 37,
		VT_UINT_PTR: 38,
		VT_FILETIME: 64,
		VT_BLOB: 65,
		VT_STREAM: 66,
		VT_STORAGE: 67,
		VT_STREAMED_OBJECT: 68,
		VT_STORED_OBJECT: 69,
		VT_BLOB_OBJECT: 70,
		VT_CF: 71,
		VT_CLSID: 72,
		VT_VERSIONED_STREAM: 73,
		VT_BSTR_BLOB: 0xfff,
		VT_VECTOR: 0x1000,
		VT_ARRAY: 0x2000,
		VT_BYREF: 0x4000,
		VT_RESERVED: 0x8000,
		VT_ILLEGAL: 0xffff,
		VT_ILLEGALMASKED: 0xfff,
		VT_TYPEMASK: 0xfff };

	// 32-bit layout: VARIANT is 16 bytes, vt at offset 0, value union at offset 8
	var array = new Uint8Array(host.memory.readMemoryValues(addr,16));
	var buffer = new ArrayBuffer(array.length);
	var view = new Uint8Array(buffer);
	for (var i=0; i<array.length; i++) {
	    view[i] = array[i];
	}

	var dataView = new DataView(buffer);
	var data;
	var dataType = dataView.getUint16(0,true);
	// VB may set VT_RESERVED on top of the real type; strip it
	if ((dataType & VT_TYPE.VT_RESERVED) == VT_TYPE.VT_RESERVED)
	{
		dataType = dataType - VT_TYPE.VT_RESERVED;
	}
	switch (dataType)
	{
		case VT_TYPE.VT_I2:
			data = dataView.getInt16(8,true);
			host.diagnostics.debugLog(data + " (VT_I2)");
			break;
		case VT_TYPE.VT_I4:
			// 32-bit value in the union at offset 8 (offset 16 is past the end of the 16-byte buffer)
			data = dataView.getInt32(8,true);
			host.diagnostics.debugLog(data + " (VT_I4)");
			break;
		case VT_TYPE.VT_UI1:
			data = dataView.getUint8(8);
			host.diagnostics.debugLog("'" + data + "' (VT_UI1)");
			break;
		case VT_TYPE.VT_BSTR:
			// the union holds a 32-bit pointer to the wide string
			data = dataView.getUint32(8,true);
			host.diagnostics.debugLog("'" + host.memory.readWideString(data) + "' (VT_BSTR)");
			break;
		default:
			host.diagnostics.debugLog("Unknown data type '" + dataType+"'");
	}

	// to do: 64-bit
	//variantData = host.memory.readMemoryValues(addr,24);

}
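
The VARIANT layout described above, as a stand-alone added example (not the author's PrintVariant.js): it decodes the same 16-byte 32-bit layout and goes further by handling the 24-byte 64-bit layout, VT_BYREF and the BSTR length prefix. `FakeMemory`, `decodeVariant`, `buildSampleMemory` and all sample addresses and bytes are constructed for illustration; inside WinDbg the reads would come from host.memory.readMemoryValues.

```javascript
'use strict';
// Added example: offline decoder for the VARIANT layout (all names are illustrative).
const VT_BSTR = 8, VT_BYREF = 0x4000, VT_RESERVED = 0x8000, VT_TYPEMASK = 0x0fff;

// Fixed-width types: how many bytes to read and how to interpret them.
const TYPES = {
  2:  { name: 'VT_I2',   width: 2, get: (v, o) => v.getInt16(o, true) },
  3:  { name: 'VT_I4',   width: 4, get: (v, o) => v.getInt32(o, true) },
  5:  { name: 'VT_R8',   width: 8, get: (v, o) => v.getFloat64(o, true) },
  11: { name: 'VT_BOOL', width: 2, get: (v, o) => v.getInt16(o, true) !== 0 },
  17: { name: 'VT_UI1',  width: 1, get: (v, o) => v.getUint8(o) },
};

// Constructed stand-in for debuggee memory: sparse map of address -> byte.
class FakeMemory {
  constructor() { this.bytes = new Map(); }
  write(addr, data) { data.forEach((b, i) => this.bytes.set(addr + i, b)); }
  read(addr, len) {
    const out = new Uint8Array(len);
    for (let i = 0; i < len; i++) {
      if (!this.bytes.has(addr + i)) {
        throw new RangeError('unmapped address 0x' + (addr + i).toString(16));
      }
      out[i] = this.bytes.get(addr + i);
    }
    return new DataView(out.buffer);
  }
}

// Little-endian encoding helper, used only to build the sample bytes.
function le(value, width) {
  const out = [];
  for (let i = 0; i < width; i++) out.push(Number((BigInt(value) >> BigInt(8 * i)) & 0xffn));
  return out;
}

function readPointer(view, offset, ptrSize) {
  // User-mode addresses fit well inside Number's 53-bit integer range.
  return ptrSize === 8 ? Number(view.getBigUint64(offset, true)) : view.getUint32(offset, true);
}

// A BSTR pointer addresses the first UTF-16 character; the 4 bytes before it
// hold the length in bytes, so embedded NULs do not truncate the string.
function readBstr(mem, ptr) {
  if (ptr === 0) return '';
  const byteLen = mem.read(ptr - 4, 4).getUint32(0, true);
  const chars = mem.read(ptr, byteLen);
  let s = '';
  for (let i = 0; i + 1 < byteLen; i += 2) s += String.fromCharCode(chars.getUint16(i, true));
  return s;
}

function decodeVariant(mem, addr, ptrSize) {
  const head = mem.read(addr, ptrSize === 8 ? 24 : 16); // sizeof(VARIANT)
  const rawVt = head.getUint16(0, true);
  const vt = rawVt & ~VT_RESERVED;          // strip the flag VB may add
  const base = vt & VT_TYPEMASK;
  const byRef = (vt & VT_BYREF) !== 0;
  const scalar = TYPES[base];
  if (!scalar && base !== VT_BSTR) {
    return { type: 'unknown(0x' + rawVt.toString(16) + ')', byRef, value: undefined };
  }
  // The value union starts at offset 8 in both layouts. With VT_BYREF the
  // union holds a pointer to the value instead of the value itself.
  const width = scalar ? scalar.width : ptrSize;
  let view = head, off = 8;
  if (byRef) { view = mem.read(readPointer(head, 8, ptrSize), width); off = 0; }
  if (scalar) return { type: scalar.name, byRef, value: scalar.get(view, off) };
  return { type: 'VT_BSTR', byRef, value: readBstr(mem, readPointer(view, off, ptrSize)) };
}

// Constructed sample: the two operands of a VarCmp call plus one 64-bit VARIANT.
function buildSampleMemory() {
  const mem = new FakeMemory();
  // 32-bit VARIANT: VT_UI1 with VT_RESERVED set, value 5
  mem.write(0x1000, [...le(17 | VT_RESERVED, 2), ...le(0, 6), 5, ...le(0, 7)]);
  // 32-bit VARIANT: VT_BSTR pointing at "33"
  mem.write(0x1010, [...le(VT_BSTR, 2), ...le(0, 6), ...le(0x2004, 4), ...le(0, 4)]);
  // BSTR: byte-length prefix, UTF-16LE "33", terminator
  mem.write(0x2000, [...le(4, 4), 0x33, 0, 0x33, 0, 0, 0]);
  // 64-bit VARIANT: VT_BYREF|VT_I4, pointing at the value -2
  mem.write(0x3000, [...le(3 | VT_BYREF, 2), ...le(0, 6), ...le(0x7ff612340000, 8), ...le(0, 8)]);
  mem.write(0x7ff612340000, le(0xfffffffe, 4));
  return mem;
}

const sample = buildSampleMemory();
console.log(decodeVariant(sample, 0x1000, 4));
console.log(decodeVariant(sample, 0x1010, 4));
console.log(decodeVariant(sample, 0x3000, 8));
```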

To use this to display string and numeric comparisons in the VB6 application as they occur, we can use:

bp OLEAUT32!VarBstrCmp ".printf \"OLEAUT32!VarBstrCmp('%mu','%mu')\\n\",poi(@esp+4),poi(@esp+8);g"
.scriptload C:\WinDbg\PrintVariant.js
dx @$PrintVariantScript = Debugger.State.Scripts.PrintVariant.Contents
bp oleaut32!VarCmp ".printf \"Oleaut32!VarCmp('\";dx -s @$PrintVariantScript.PrintVariant(  *((void **)(@esp+4)));.printf \"','\";dx -s @$PrintVariantScript.PrintVariant(  *((void **)(@esp+8)));.printf \"'\\n\";g"

In addition if we want to see strings and binary data as it is being allocated by a VB application we can also use:

bp ucrtbase!memcpy "!position;.echo memcpy;db poi(@esp+8) Lpoi(@esp+0C);.printf \"ASCII String='%ma' UNICODE String='%mu'\\n\",poi(@esp+8),poi(@esp+8);g"

Now we were able to attach our debugger as we tried to log on with our own password. Just before the error dialog appeared we saw a number comparison:

Oleaut32!VarCmp(''5' (VT_UI1)',''33' (VT_BSTR)'

Now “33” was the existing hash1 value in our database, so we updated database hash1 to “5”. As the user hashes were loaded at application launch, we had to relaunch the app and try again with our “new password”. This time it got past the first comparison and made it to the 2nd one:

Oleaut32!VarCmp(''5' (VT_UI1)',''5' (VT_BSTR)'
Oleaut32!VarCmp(''15' (VT_UI1)',''4' (VT_BSTR)'

This was repeated until all 8 hashes were updated, and we could now log on to the application normally.


Block Game in PowerShell Console with ANSI Escape Sequences

Here is a simple game that runs entirely in the PowerShell console and uses ANSI escape sequences for graphics.

Available on github here https://github.com/chentiangemalc/PowerShellScripts/blob/master/BlockGame.ps1

clear

# must run in powershell console, not powershell ISE
$height = $Host.UI.RawUI.WindowSize.Height
$width  = $Host.UI.RawUI.WindowSize.Width
$level = 0
$score = 0
$playAreaHeight = 40
$playAreaWidth = 10 
$scoreBoxTop = 5
$scoreBoxLeft = 5
$totalLines = 0
$levelLines = 0
$highScoreFile = "$PSScriptRoot\BlocksHighScore.json"

# scales size of objects across Y axis
$playAreaScaleY = 2
$playAreaTop = 1
$playAreaLeft = ($width - ($playAreaWidth*$playAreaScaleY))/2

# esc character for ansi codes
$esc = [char]27
# ms delay for piece drop
$delay = (10-$level)*30

# default values if height/width not detected
if ($height -eq $null) { $height = 50 }
if ($width -eq $null) { $width = 120 } 

$blocks = @(
    @( 
    @(0,1,0),
    @(1,1,1)),
    @(
    @(2),
    @(2),
    @(2),
    @(2)),
    @(
    @(3,0,0),
    @(3,3,3)),
    @(
    @(0,0,4),
    @(4,4,4)),
    @(
    @(5,5),
    @(5,5)),
    @(
    @(0,6,6),
    @(6,6,0)),
    @(
    @(7,7,0),
    @(0,7,7)
    ))

$playingBoard = New-Object 'int[,]' ($playAreaHeight+1),($playAreaWidth+1)

# draw the board
for ($x=1;$x -lt $height;$x++)
{
    for ($y=1;$y -lt $width;$y++)
    {
    
        if ($x -ge $playAreaTop -and 
            $x -lt $playAreaTop+$playAreaHeight -and 
            $y -ge $playAreaLeft -and
            $y -lt $playAreaLeft+($playAreaWidth*$playAreaScaleY))
        {
            Write-Output "$esc[$($x);$($y)H$esc[0;0;0m "
        }
        else
        {
            Write-Output "$esc[$($x);$($y)H$esc[48;5;57m "
        }
    }
}

for ($x=0;$x -le 4;$x++)
{
    for ($y=0;$y -le 40;$y++)
    {
        if ($x -gt 0 -and $x -le 40 -or $y -gt 0 -and $y -le 4)
        { 
            Write-Output "$esc[$($x+$scoreBoxTop);$($y+$scoreBoxLeft)H$esc[0;93m "
        }
        else
        {
            Write-Output "$esc[$($x+$scoreBoxTop);$($y+$scoreBoxLeft)H$esc[0;96m "
        }
    }
}

$doExit = $false

while (!$doExit)
{

    Write-Output "$esc[$($scoreBoxTop+2);$($scoreBoxLeft+1)H$esc[0;96m LEVEL: $level LINES: $totalLines SCORE: $score"
    # select a random piece (-Maximum is exclusive, so use the full count)
    $pieceNumber = (Get-Random -Minimum 0 -Maximum $blocks.Count)
    $currentPiece = $blocks[$pieceNumber]
    $previousPiece = $currentPiece
    $currentY = $playAreaWidth/2 - $Blocks[0].Count/2

    $previousX = 0
    $previousY = $currentY
    $collision = $false

    # drop selected piece
    for ($currentX = 0;$currentX -le $playAreaHeight-$currentPiece.Count;$currentX++)
    {
        # check for collision
        for ($x = 0;$x -lt $currentPiece.Count;$x++)
        {
            for ($y = 0;$y -lt $currentPiece[$x].Count;$y++)
            {
                if ($currentPiece[$x][$y] -gt 0 -and
                   ($playingBoard[($x+$currentX),($y+$currentY)]) -gt 0)
                {
                    $collision = $true
                }
            }
        }

        if ($collision) { break }

        # erase old 
        if ($currentX -gt 0)
        {
            for ($x = 0;$x -lt $previousPiece.Count;$x++)
            {
                for ($y = 0;$y -lt $previousPiece[$x].Count;$y++)
                {
                    if ($previousPiece[$x][$y] -gt 0)
                    {
                        for ($i = 0; $i -lt $playAreaScaleY;$i++)
                        {
                            $XX = $playAreaTop+$x+$previousX
                            $YY = $playAreaLeft+($playAreaScaleY*($previousY+$y))+$i
                            Write-Output "$esc[$($XX);$($YY)H$esc[0;0;0m "
                        }
                    }
                }
            }
        }

        $previousX = $currentX
        $previousY = $currentY
        $previousPiece = $currentPiece

        for ($x = 0;$x -lt $currentPiece.Count;$x++)
        {
            for ($y = 0;$y -lt $currentPiece[$x].Count;$y++)
            {
                if ($currentPiece[$x][$y] -gt 0)
                {
                    $color = $currentPiece[$x][$y]+100
                    for ($i = 0; $i -lt $playAreaScaleY;$i++)
                    {
                        $XX = $playAreaTop+$x+$currentX
                        $YY = $playAreaLeft+($playAreaScaleY*($currentY+$y))+$i
                    
                        Write-Output "$esc[$($XX);$($YY)H$esc[$($color)m "
                    }
                }
            }
        }

        if ([console]::KeyAvailable)
        {
            $key = [System.Console]::ReadKey() 
            switch($key.Key)
            {
                UpArrow {
                    $flippedPiece = New-Object Object[] $currentPiece[0].Count
                    for ($j = 0;$j -lt $currentPiece[0].Count;$j++)
                    {
                        $flippedPiece[$j] = New-Object Object[] $currentPiece.Count
                        for ($k = 0;$k -lt $currentPiece.Count;$k++)
                        {
                            $flippedPiece[$j][$k] = $currentPiece[($currentPiece.Count-$k-1)][$j]                       
                        }
                    }

                    $flipCollision = $false

                    # check flipped piece for collision
                    for ($j=0;$j -lt $flippedPiece.Count;$j++)
                    {
                        for ($k=0;$k -lt $flippedPiece[0].Count;$k++)
                        {
                            if ($flippedPiece[$j][$k] -gt 0)
                            {
                                if ($currentX+$j -ge $playAreaHeight -or $currentY+$k -ge $playAreaWidth)
                                {
                                    $flipCollision = $true
                                }
                                elseif ($playingBoard[($currentX+$j),($currentY+$k)] -gt 0)
                                {
                                    $flipCollision = $true
                                }
                            }
                        }
                    }

                    if (!$flipCollision)
                    {
                        $currentPiece = $flippedPiece
                        $currentX--
                        $noWait=$true
                    }
                
                }
                Escape    { 
                    $DoExit = $true
                    break }
                LeftArrow { 
                    if ($currentY -gt 0)
                    {
                        $currentY--
                        $currentX--
                        $noWait = $true 
                    }
                }
                RightArrow { 
                    if ($currentY + $currentPiece[0].Count -lt $playAreaWidth)
                    {
                        $currentY++ 
                        $currentX--
                        $noWait = $true
                    }
                }
                DownArrow {
                    $noWait = $true
                    $score+=10
                }
                default { Write-Host $key.Key }
            
            }
        }

        if ($noWait)
        {
            $noWait = $false
        }
        else
        {
            Start-Sleep -Milliseconds $delay
        }

    }

    if ($currentX -eq 0) 
    {
        clear
        Write-Host "$esc[37;0mGAME OVER - Your score is $score at level $level with $totalLines"
        $name = Read-Host -Prompt "Enter your name?"
        $dataTable = New-Object System.Data.DataTable
        [void]$dataTable.Columns.Add("Name")
        [void]$dataTable.Columns.Add("Score")
        [void]$dataTable.Columns.Add("Level")
        [void]$dataTable.Columns.Add("Lines")
        if (!(Test-Path($highScoreFile)))
        {
            [void]$dataTable.Rows.Add($name,$score,$level,$totalLines)
            $dataTable | Select-Object Name,Score,Level,Lines | ConvertTo-Json | Set-Content -Path $highScoreFile
            $highScoreTable = Get-Content -Path $highScoreFile | ConvertFrom-Json
            
        }
        else
        {        
            $highScoretable = Get-Content -Path $highScoreFile | ConvertFrom-Json
            ForEach ($row in $highScoreTable)
            {
                [void]$dataTable.Rows.Add($row.Name,$row.Score,$row.Level,$row.Lines)
        
            }            
            [void]$dataTable.Rows.Add($name,$score,$level,$totalLines)
            $dataTable | Select-Object Name,Score,Level,Lines | Sort-Object -Property Score -Descending | Select-Object -First 20 | ConvertTo-Json | Set-Content -Path $highScoreFile
        }
        
        Write-Host "High Scores"
        $dataTable | Sort-Object -Property Score -Descending | Select-Object -First 20 | Format-Table
        &pause
        return
    }
    for ($x = 0;$x -lt $previousPiece.Count;$x++)
    {
        for ($y = 0;$y -lt $previousPiece[$x].Count;$y++)
        {
            if ($previousPiece[$x][$y] -gt 0)
            {
                $playingBoard[($x+$previousX),($y+$previousY)] = $previousPiece[$x][$y]
            }
        }
    }

    # check for completed lines

    $completedLines = 0
    for ($x=0;$x -lt $playAreaHeight;$x++)
    {
    $XX = $playAreaTop+$x
    $blockCount = 0
    for ($y=0;$y -lt $playAreaWidth;$y++)
    {
        if ($playingBoard[$x,$y] -gt 0) { $blockCount++ }
    }

    if ($blockCount -eq $playAreaWidth)
    {
        $completedLines++
        
        for ($c=0;$c -lt 7;$c++)
        {
            $color = 101+$c
            if ($c -eq 6) { $color = 0 } 
            for ($y = 0;$y -lt $playAreaWidth;$y++)
            {
                
                for ($i = 0; $i -lt $playAreaScaleY;$i++)
                {
                    $YY = $playAreaLeft+($playAreaScaleY*($y))+$i
                    Write-Output "$esc[$($XX);$($YY)H$esc[$($color)m "
                }
            }

            Start-Sleep -Milliseconds 10
        }

        # move blocks down after removed row
        for ($xx = $x;$xx -gt 0;$xx--)
        {
            for ($yy=0;$yy -lt $playAreaWidth;$yy++)
            {
                $playingBoard[$xx,$yy] = $playingBoard[($xx-1),$yy]                
            } 
                   
        }
    
    }
    }
    
    $totalLines+=$completedLines
    $levelLines+=$completedLines

    if ($levelLines -gt $level*5)
    {
        $level++
        if ($level -gt 10) { 
            $level = 10 
            $score += 10000
        }
        $levelLines = 0
    }
    if ($completedLines -gt 0)
    {
        switch ($completedLines)
        {
            1 { $score += 40 * ($level + 1)	}
            2 { $score += 100 * ($level + 1) }	
            3 { $score += 300 * ($level + 1) }
            4 { $score += 400 * ($level + 1) }
        }

        # redraw board after erases lines
        for ($x=0;$x -lt $playAreaHeight;$x++)
        {
            $XX = $playAreaTop+$x

            for ($y=0;$y -lt $playAreaWidth;$y++)
            {
                if ($playingBoard[$x,$y] -gt 0)
                {
                    $color = $playingBoard[$x,$y]+100
                }
                else
                {
                    $color = 0
                }
            
                for ($i = 0; $i -lt $playAreaScaleY;$i++)
                {
                    $YY = $playAreaLeft+($playAreaScaleY*($y))+$i                   
                    Write-Output "$esc[$($XX);$($YY)H$esc[$($color)m "
                }
            }
        }
    }
}

Case of the Windows 11 Explorer Crash

Viewing reliability monitor and Windows Application Event log I noticed a high volume of Explorer crashes since upgrading to Windows 11, with at least one crash a day.

And in event viewer:

The text being:

Faulting application name: Explorer.EXE, version: 10.0.22000.120, time stamp: 0xe846e749
Faulting module name: ExplorerExtensions.dll, version: 421.22500.115.0, time stamp: 0x615dfb43
Exception code: 0xc000027b
Fault offset: 0x00000000002c8482
Faulting process id: 0x322c
Faulting application start time: 0x01d7ee61e534e38c
Faulting application path: C:\WINDOWS\Explorer.EXE
Faulting module path: C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ExplorerExtensions.dll
Report Id: 018e61fa-ff84-4afe-a314-ece34074e30c
Faulting package full name: 
Faulting package-relative application ID: 

Having configured “full” crash dumps as per https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps, we collected some crash dumps.

While I could identify a stowed exception in the dump files, the root cause was still not immediately clear to me.

In this case I configured a Time Travel Debugging trace in “ring mode” with the size set to 5000 MB, using the command below. Note that this results in severely deteriorated performance:

ttd -attach <process id> -ring -maxFile 5000

As there could be multiple Explorer processes running, for simplicity I terminated them and relaunched Explorer, attaching only to the currently running Explorer process.

If you want to stop the trace before the application crashes, you can run this command from another administrative command prompt:

ttd -stop all

As Windows 11 Explorer is XAML based, I used the following breakpoint command to show the events leading up to the crash:

bp Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest "!position;kp 1;dx -r1 @$curstack.Frames[0x0].Parameters.hEvent;g"

This seems to indicate that a right click, followed by an attempt to show the context menu, leads up to the crash:

Time Travel Position: 8F72379:194
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a767b0, class CEventArgs * pArgs = 0x00000000`9c5156c0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c61f40) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerMoved (0xb) [Type: KnownEventIndex]
Time Travel Position: 8F72C63:11A
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`0089b540, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c65ce0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F72DA5:35
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc5b3     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10302e40, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n160, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F74FDD:24D
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10289320 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c65ce0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F750B6:1E2
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`0089b0e0 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c65ce0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F751C5:35
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc5b3     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05fb80d0 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n160, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F7528B:2E
 # Child-SP          RetAddr               Call Site
00 00000000`0336e798 00007ffc`22adc976     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`05fb80d0 {Name = {...}}, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05fb80d0 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n168, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F753AF:17B
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10274060, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c65ce0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F753F4:1D8
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`1026dea0, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c65ce0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F75440:21E
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a787b0, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c65ce0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F75491:194
 # Child-SP          RetAddr               Call Site
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a767b0, class CEventArgs * pArgs = 0x00000000`9c515b20, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22c65ce0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F791FA:11A
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`0089b540, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40eb0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F792AB:35
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc5b3     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10302e40, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n160, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A193:24D
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10289320 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40eb0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A1F1:1E2
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`0089b0e0 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40eb0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A21A:35
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc5b3     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05fb80d0 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n160, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A292:202
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10274060, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40eb0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A2BB:1D8
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`1026dea0, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40eb0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A2E6:21E
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a787b0, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40eb0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A309:194
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a767b0, class CEventArgs * pArgs = 0x00000000`9c514930, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40eb0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A36E:11A
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`0089b540, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40f30) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A392:35
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc5b3     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10302e40, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n160, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A3C2:24D
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10289320 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40f30) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A3E2:1E2
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`0089b0e0 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40f30) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A404:35
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc5b3     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05fb80d0 {Name = {...}}, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n160, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A430:202
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10274060, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40f30) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A44E:1D8
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`1026dea0, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40f30) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A46E:10E
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9a8 00007ffc`22adca0d     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`1026dea0, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`232764a0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A48D:149
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a787b0, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40f30) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A4B1:194
 # Child-SP          RetAddr               Call Site
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a767b0, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40f30) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A4D8:10E
 # Child-SP          RetAddr               Call Site
00 00000000`0336c9a8 00007ffc`22adca0d     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`05a767b0, class CEventArgs * pArgs = 0x00000000`9bcb23f0, int flags = 0n128, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`232764a0) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A51E:11D
 # Child-SP          RetAddr               Call Site
00 00000000`0336c998 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`0089b540, class CEventArgs * pArgs = 0x00000000`9c4378a0, int flags = 0n0, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00007ffc`22e40900) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_ContextRequested (0x15) [Type: KnownEventIndex]
Time Travel Position: 8F7A55B:39
 # Child-SP          RetAddr               Call Site
00 00000000`0336c998 00007ffc`22adc5b3     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`00000000, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10302e40, class CEventArgs * pArgs = 0x00000000`9c4378a0, int flags = 0n32, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_ContextRequested (0x15) [Type: KnownEventIndex]
Time Travel Position: 8F7A5A1:2E
 # Child-SP          RetAddr               Call Site
00 00000000`0336c908 00007ffc`22adc976     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`10302e40, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10302e40, class CEventArgs * pArgs = 0x00000000`9c4378a0, int flags = 0n40, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_ContextRequested (0x15) [Type: KnownEventIndex]
(322c.3458): C++ EH exception - code e06d7363 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 8F7B3CD:0
ntdll!RtlRaiseException:
00007ffc`3a212b70 4055   
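
The sequence read off the log above can also be extracted mechanically. The following Python script is an added example, not part of the original post: it parses the `!position;kp 1;dx` breakpoint output, collapses repeated events into a timeline, and reports the last callback before the exception, which is the position to rewind to. It assumes the input holds only the breakpoint log; the sample is abridged from the output above (five hits, kp header rows dropped, parameter lists shortened) and the function names are illustrative.

```python
import re
from itertools import groupby

# Abridged from the breakpoint log above: five of the logged hits, kp header
# rows dropped and each parameter list shortened to the fields parsed below.
SAMPLE = r"""
Time Travel Position: 8F72C63:11A
00 00000000`0336e828 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(class CDependencyObject * pListener = 0x00000000`00000000, class CDependencyObject * pSender = 0x00000000`0089b540, int flags = 0n128, <function> * pHandler = 0x00007ffc`22c65ce0)
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerPressed (0xa) [Type: KnownEventIndex]
Time Travel Position: 8F791FA:11A
00 00000000`0336c9b8 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(class CDependencyObject * pListener = 0x00000000`00000000, class CDependencyObject * pSender = 0x00000000`0089b540, int flags = 0n128, <function> * pHandler = 0x00007ffc`22e40eb0)
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_PointerReleased (0xc) [Type: KnownEventIndex]
Time Travel Position: 8F7A36E:11A
00 00000000`0336ca38 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(class CDependencyObject * pListener = 0x00000000`00000000, class CDependencyObject * pSender = 0x00000000`0089b540, int flags = 0n128, <function> * pHandler = 0x00007ffc`22e40f30)
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_RightTapped (0x17) [Type: KnownEventIndex]
Time Travel Position: 8F7A51E:11D
00 00000000`0336c998 00007ffc`22adc2c4     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(class CDependencyObject * pListener = 0x00000000`00000000, class CDependencyObject * pSender = 0x00000000`0089b540, int flags = 0n0, <function> * pHandler = 0x00007ffc`22e40900)
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_ContextRequested (0x15) [Type: KnownEventIndex]
Time Travel Position: 8F7A5A1:2E
00 00000000`0336c908 00007ffc`22adc976     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(class CDependencyObject * pListener = 0x00000000`10302e40, class CDependencyObject * pSender = 0x00000000`10302e40, int flags = 0n40, <function> * pHandler = 0x00000000`00000000)
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_ContextRequested (0x15) [Type: KnownEventIndex]
(322c.3458): C++ EH exception - code e06d7363 (first/second chance not available)
Time Travel Position: 8F7B3CD:0
ntdll!RtlRaiseException:
"""

POSITION = re.compile(r"^Time Travel Position: ([0-9A-Fa-f]+):([0-9A-Fa-f]+)\s*$")
EVENT = re.compile(r"\bindex\s+:\s+(\w+) \(0x[0-9a-f]+\)")
PARAM = re.compile(r"\b(pListener|pSender|pHandler) = 0x([0-9a-f]{8})`([0-9a-f]{8})")
FLAGS = re.compile(r"\bflags = 0n(\d+)")
EXCEPTION = re.compile(r"^\([0-9a-f]+\.[0-9a-f]+\): (.+?) - code ([0-9a-f]{8})")

def parse_hits(log):
    """Return (hits, exception): one dict per breakpoint hit, plus the
    exception (description, code, position) or None if none was logged."""
    hits, exception, current, pending = [], None, None, None
    for line in log.splitlines():
        m = POSITION.match(line)
        if m:
            pos = (int(m.group(1), 16), int(m.group(2), 16))
            if pending is not None:
                # A position printed after an exception banner is where the
                # exception was raised, not another breakpoint hit.
                exception, pending, current = dict(pending, position=pos), None, None
            else:
                current = {"position": pos}
                hits.append(current)
            continue
        m = EXCEPTION.match(line)
        if m:
            pending = {"description": m.group(1), "code": int(m.group(2), 16)}
            continue
        if current is None:
            continue
        for name, hi, lo in PARAM.findall(line):
            current[name] = int(hi + lo, 16)  # join the two halves split by `
        m = FLAGS.search(line)
        if m:
            current["flags"] = int(m.group(1))
        m = EVENT.search(line)
        if m:
            current["event"] = m.group(1)
    return hits, exception

def fmt(pos):
    """Format a (sequence, step) pair the way the debugger prints it."""
    return "%X:%X" % pos

def timeline(hits):
    """Collapse consecutive hits for one event into (event, count, first, last)."""
    runs = []
    for event, group in groupby(hits, key=lambda h: h.get("event", "<unknown>")):
        group = list(group)
        runs.append((event, len(group), fmt(group[0]["position"]), fmt(group[-1]["position"])))
    return runs

def last_hit_before(hits, exception):
    """Latest hit whose trace position precedes the exception, or None."""
    earlier = [h for h in hits if h["position"] < exception["position"]]
    return max(earlier, key=lambda h: h["position"]) if earlier else None

if __name__ == "__main__":
    hits, exc = parse_hits(SAMPLE)
    for event, count, first, last in timeline(hits):
        print(f"{event:28} x{count:<3} {first} .. {last}")
    if exc:
        print(f"{exc['description']} {exc['code']:08x} at {fmt(exc['position'])}")
        last = last_hit_before(hits, exc)
        if last:
            print(f"rewind with: !ttdext.tt {fmt(last['position'])}")
```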

We can explore the parameters passed to the last SyncScriptCallbackRequest call before the crash:

0:000> !ttdext.tt 8F7A5A1:2E
Setting position: 8F7A5A1:2E
(322c.3458): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: 8F7A5A1:2E
Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest:
00007ffc`22b3d940 488bc4          mov     rax,rsp
0:000> kp 1
 # Child-SP          RetAddr               Call Site
00 00000000`0336c908 00007ffc`22adc976     Windows_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest(void * pVoidBH = 0x00000000`05df5ec0, class CDependencyObject * pListener = 0x00000000`10302e40, struct EventHandle hEvent = struct EventHandle, class CDependencyObject * pSender = 0x00000000`10302e40, class CEventArgs * pArgs = 0x00000000`9c4378a0, int flags = 0n40, struct IScriptObject * pScriptObject = 0x00000000`00000000, <function> * pHandler = 0x00000000`00000000) [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 998] 
0:000> dx -r1 @$curstack.Frames[0x0].Parameters
@$curstack.Frames[0x0].Parameters                 : (void * pVoidBH = 0x5df5ec0, CDependencyObject * pListener = 0x10302e40, EventHandle hEvent, CDependencyObject * pSender = 0x10302e40, CEventArgs * pArgs = 0x9c4378a0, CEventArgs * pArgs = 0x10302e40, int flags = 40, int flags = -1673299808, IScriptObject * pScriptObject = 0x0, IScriptObject * pScriptObject = 0x1, HRESULT (__cdecl*)(CDependencyObject *,CEventArgs *) pHandler = 0x0 : 0x0, HRESULT (__cdecl*)(CDependencyObject *,CEventArgs *) pHandler = 0x7ffc22b3d940 : Windows_UI_Xaml!CXcpBrowserHost::Sync...
    flags            : 40 [Type: int]
    hEvent           [Type: EventHandle]
    pArgs            : 0x9c4378a0 [Type: CEventArgs *]
    pHandler         : 0x0 : 0x0 [Type: HRESULT (__cdecl*)(CDependencyObject *,CEventArgs *)]
    pListener        : 0x10302e40 [Type: CDependencyObject *]
    pScriptObject    : 0x0 [Type: IScriptObject *]
    pSender          : 0x10302e40 [Type: CDependencyObject *]
    pVoidBH          : 0x5df5ec0 [Type: void *]
0:000> dx -r1 @$curstack.Frames[0x0].Parameters.hEvent
@$curstack.Frames[0x0].Parameters.hEvent                 [Type: EventHandle]
    [+0x000] index            : UIElement_ContextRequested (0x15) [Type: KnownEventIndex]
0:000> dx -r1 ((Windows_UI_Xaml!CEventArgs *)0x9c4378a0)
((Windows_UI_Xaml!CEventArgs *)0x9c4378a0)                 : 0x9c4378a0 [Type: CContextRequestedEventArgs * (derived from CEventArgs *)]
    [+0x000] CRoutedEventArgs [Type: CRoutedEventArgs]
    [+0x028] m_ptGlobal       [Type: XPOINTF]
    [+0x030] m_pointerDeviceType : Touch (0x0) [Type: DirectUI::PointerDeviceType]
    [+0x038] m_pCore          : 0x103f1710 [Type: CCoreServices *]
0:000> dx -r1 (*((Windows_UI_Xaml!CRoutedEventArgs *)0x9c4378a0)),nd
(*((Windows_UI_Xaml!CRoutedEventArgs *)0x9c4378a0)),nd                 [Type: CRoutedEventArgs]
    [<Raw View>]     [Type: CRoutedEventArgs]
    OriginalSource   : 0x89b540 [Type: CDependencyObject *]
0:000> dx -r1 ((Windows_UI_Xaml!CDependencyObject *)0x89b540)
((Windows_UI_Xaml!CDependencyObject *)0x89b540)                 : 0x89b540 [Type: CGrid * (derived from CDependencyObject *)]
    [+0x000] CPanel           : {Name = {...}} [Type: CPanel]
    c_spanStoreStackVectorSize : 0x10 [Type: unsigned __int64]
    c_cellCacheStackVectorSize : 0x10 [Type: unsigned __int64]
    [+0x1f0] m_pRowDefinitions : 0x0 [Type: CRowDefinitionCollection *]
    [+0x1f8] m_pColumnDefinitions : 0x0 [Type: CColumnDefinitionCollection *]
    [+0x200] m_pRows          : 0x0 [Type: CRowDefinitionCollection *]
    [+0x208] m_pColumns       : 0x0 [Type: CColumnDefinitionCollection *]
    [+0x210] m_ppTempDefinitions : 0x0 [Type: CDefinitionBase * *]
    [+0x218] m_cTempDefinitions : 0x0 [Type: unsigned int]
    [+0x21c] m_gridFlags      : None (0x0) [Type: GridFlags]
0:000> dx -r1 (*((Windows_UI_Xaml!CPanel *)0x89b540)),nd
(*((Windows_UI_Xaml!CPanel *)0x89b540)),nd                 : {Name = {...}} [Type: CPanel]
    [<Raw View>]     [Type: CPanel]
    Children         : 0x1061dcc0 [Type: CUIElementCollection *]
    IsItemsHost      : Unable to bind name 'm_bItemsHost'
    Width            : 45.000000 [Type: float]
    Height           : -1.#IND00 [Type: float]
    MouseCursor      : MouseCursorDefault (0x0) [Type: MouseCursor]
    Name             [Type: xstring_ptr]
    IsDoubleTapEnabled : true [Type: bool]
    IsRightTapEnabled : true [Type: bool]
    IsTapEnabled     : true [Type: bool]
    IsHoldingEnabled : true [Type: bool]
0:000> dx -r1 ((Windows_UI_Xaml!CDependencyObject *)0x10302e40)
((Windows_UI_Xaml!CDependencyObject *)0x10302e40)                 : 0x10302e40 [Type: CToggleButton * (derived from CDependencyObject *)]
    [+0x000] CContentControl  : {Name = {...} Content = [null]} [Type: CContentControl]
0:000> dx -r1 (*((Windows_UI_Xaml!CContentControl *)0x10302e40)),nd
(*((Windows_UI_Xaml!CContentControl *)0x10302e40)),nd                 : {Name = {...} Content = [null]} [Type: CContentControl]
    [<Raw View>]     [Type: CContentControl]
    Content          : 0x10303098 : [null] [Type: CValue *]
    IsTabStop        : true [Type: bool]
    TabIndex         : 2147483647 [Type: int]
    HorizontalContentAlignment : Stretch (0x3) [Type: DirectUI::HorizontalAlignment]
    VerticalContentAlignment : Stretch (0x3) [Type: DirectUI::VerticalAlignment]
    BorderThickness  [Type: XRECTF_RB]
    Padding          [Type: XRECTF_RB]
    IsFocused        : Unable to bind name 'Unfocused'
    Template         : 0x5e01150 [Type: CControlTemplate *]
    Width            : -1.#IND00 [Type: float]
    Height           : -1.#IND00 [Type: float]
    MouseCursor      : MouseCursorDefault (0x0) [Type: MouseCursor]
    Name             [Type: xstring_ptr]
    IsDoubleTapEnabled : true [Type: bool]
    IsRightTapEnabled : true [Type: bool]
    IsTapEnabled     : true [Type: bool]
    IsHoldingEnabled : true [Type: bool]
0:000> dx -r1 (*((Windows_UI_Xaml!xstring_ptr *)0x10302e58))
(*((Windows_UI_Xaml!xstring_ptr *)0x10302e58))                 [Type: xstring_ptr]
    [+0x000] xstring_ptr_view : "LaunchListButton" [Type: xstring_ptr_view]

From this we can see that pArgs.CRoutedEventArgs.OriginalSource.CPanel.Name is “ExperienceToggleButtonRootPanel” and pSender.CContentControl.Name is “LaunchListButton”.

I found this string referenced in c:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\resources.pri, so I extracted it with the makepri tool from a Visual Studio native tools command prompt.

makepri dump /if resources.pri /of C:\support\resources.xml

The string “LaunchListButton” is found when analyzing the binary resources.pri, but when dumped to XML that string is no longer present. The XML seems to have translated such strings to ms-resource:// references:

<NamedResource name="StartButtonName" uri="ms-resource://MicrosoftWindows.Client.CBS/Taskbar/Resources/StartButtonName">

This .exe has a function, Microsoft::Resources::StandalonePriFileXml::DumpBasicNamedResource, that seems to be responsible for the conversion, although that can be investigated further another day.

Looking at the SyncScriptCallbackRequest function, we can see that with flags set to 0x40 (128) and hEvent.Index set to 15, the following logic is triggered to send a window message with message 0x40C:

  if ( bHasFlags )
  {
    if ( (flags & 0x80u) == 0 )
    {
      if ( (flags & 0x100) != 0 )
      {
        msg = 0x416;
      }
      else if ( hEvent.index == FrameworkElement_EffectiveViewportChanged )
      {
        msg = 0x40D;
      }
      else if ((hEvent.index - 31) > 1 )
      {
        if ( (hEvent.index - 84) <= 1 )
          msg = 0x419;
        else
          msg = 0x40C;
      }
      else
      {
        msg = 0x418;
      }
    }
    else
    {
      msg = 0x415;
    }
    lResult = SendMessageW(*(HWND *)(v8 + 112), msg, 0i64, (LPARAM)&lParam);

This triggers a call to Windows_UI_Xaml!CXcpDispatcher::ProcessMessage

0:000> .frame
00 00000000`0336c448 00007ffc`2298bd40     Windows_UI_Xaml!CXcpDispatcher::ProcessMessage [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 876] 
0:000> dx -r1 @$curstack.Frames[0x0].Parameters
@$curstack.Frames[0x0].Parameters                 : (unsigned int msg = 0x40c, unsigned __int64 wParam = 0x0, __int64 lParam = 53921960, __int64 lParam = 0, __int64 * plRet = 0x336c498 : 0, __int64 * plRet = 0x80000022 : 27303540899250223, unsigned int * pbDoDefault = 0x336c490 : 0x1, unsigned int * pbDoDefault = 0x7ffc38181c4c : 0x24448948)
    lParam           : 53921960 [Type: __int64]
    msg              : 0x40c [Type: unsigned int]
    pbDoDefault      : 0x336c490 : 0x1 [Type: unsigned int *]
    plRet            : 0x336c498 : 0 [Type: __int64 *]
    wParam           : 0x0 [Type: unsigned __int64]
0:000> dx -r1 ((Windows_UI_Xaml!unsigned int *)0x336c490)

When the message is 0x40C this function triggers a call to CXcpDispatcher::OnReentrancyProtectedWindowMessage

It seems for this message that lParam holds a Windows_UI_Xaml!CDependencyObject

I’m not an expert in Xaml, but it looks possible that this CDependencyObject has some corruption, with the “name” field being populated with what looks like garbage.

0:000> dt Windows_UI_Xaml!CDependencyObject 0n53921960
   +0x008 m_forwarder      : ctl::interface_forwarder<Windows::UI::Xaml::Core::Direct::IXamlDirectObject,CDependencyObject>
   +0x000 __VFN_table : 0x00000000`10302e40 
   =00007ffc`237b94e0 DefaultValuePoint : XPOINTF
   =00007ffc`237ca5a8 DefaultValueRect : XRECTF_WH
   =00007ffc`237c6570 DefaultValueGridLength : XGRIDLENGTH
   +0x010 m_sharedState    : xref_ptr<Flyweight::ValueObjectWrapper<CDOSharedState> >
   +0x018 m_strName        : xstring_ptr
   +0x020 m_pInheritedProperties : (null) 
   +0x028 m_pValueTable    : std::unique_ptr<containers::vector_map<enum KnownPropertyIndex,EffectiveValue,std::less<void>,std::allocator<std::pair<enum KnownPropertyIndex,EffectiveValue> > >,std::default_delete<containers::vector_map<enum KnownPropertyIndex,EffectiveValue,std::less<void>,std::allocator<std::pair<enum KnownPropertyIndex,EffectiveValue> > > > >
   +0x030 m_pDXAMLPeer     : (null) 
   +0x030 m_hasEverHadManagedPeer : 0
   +0x038 m_pParent        : 0x00000000`10302e40 CDependencyObject
   +0x038 m_pMentor        : 0x00000000`10302e40 xref::weakref_ptr<CDependencyObject>
   +0x040 m_ref_count      : xref::details::optional_ref_count
   +0x048 m_valid          : CDependencyObject::BitField
   +0x050 m_bitFields      : CDependencyObject::DependencyObjectBitFields
   +0x054 m_associativeStorage : AssociativeStorage::LocalStorage<enum AssociativeStorage::CDOFields>
   +0x05e m_theme          : 0y00000 ( 0, None )
   +0x05e m_isProcessingInheritanceContextChanged : 0y0
   +0x05e m_requiresThreadSafeAddRefRelease : 0y0
   +0x05e m_requiresReleaseOverride : 0y0
   +0x05f m_objectStrictness : 0y00 ( 0, Agnostic )
   +0x05f m_checkForResourceOverrides : 0y0
0:000> dx -r1 (*((Windows_UI_Xaml!xstring_ptr *)0x336c8c0))
(*((Windows_UI_Xaml!xstring_ptr *)0x336c8c0))                 [Type: xstring_ptr]
    [+0x000] xstring_ptr_view : "..翼" [Type: xstring_ptr_view]
0:000> dx -r1 ((Windows_UI_Xaml!CDependencyObject *)0x10302e40)
((Windows_UI_Xaml!CDependencyObject *)0x10302e40)                 : 0x10302e40 [Type: CToggleButton * (derived from CDependencyObject *)]
    [+0x000] CContentControl  : {Name = {...} Content = [null]} [Type: CContentControl]
0:000> dx -r1 (*((Windows_UI_Xaml!CContentControl *)0x10302e40)),nd
(*((Windows_UI_Xaml!CContentControl *)0x10302e40)),nd                 : {Name = {...} Content = [null]} [Type: CContentControl]
    [<Raw View>]     [Type: CContentControl]
    Content          : 0x10303098 : [null] [Type: CValue *]
    IsTabStop        : true [Type: bool]
    TabIndex         : 2147483647 [Type: int]
    HorizontalContentAlignment : Stretch (0x3) [Type: DirectUI::HorizontalAlignment]
    VerticalContentAlignment : Stretch (0x3) [Type: DirectUI::VerticalAlignment]
    BorderThickness  [Type: XRECTF_RB]
    Padding          [Type: XRECTF_RB]
    IsFocused        : Unable to bind name 'Unfocused'
    Template         : 0x5e01150 [Type: CControlTemplate *]
    Width            : -1.#IND00 [Type: float]
    Height           : -1.#IND00 [Type: float]
    MouseCursor      : MouseCursorDefault (0x0) [Type: MouseCursor]
    Name             [Type: xstring_ptr]
    IsDoubleTapEnabled : true [Type: bool]
    IsRightTapEnabled : true [Type: bool]
    IsTapEnabled     : true [Type: bool]
    IsHoldingEnabled : true [Type: bool]
0:000> dx -r1 (*((Windows_UI_Xaml!xstring_ptr *)0x10302e58))
(*((Windows_UI_Xaml!xstring_ptr *)0x10302e58))                 [Type: xstring_ptr]
    [+0x000] xstring_ptr_view : "LaunchListButton" [Type: xstring_ptr_view]

The pseudocode for this function is something like the following, and the function can be seen in many stack traces in issues raised at https://github.com/microsoft/microsoft-ui-xaml/issues/

__int64 __fastcall CXcpDispatcher::OnReentrancyProtectedWindowMessage(
        CXcpDispatcher *this,
        HWND__ *hwnd,
        unsigned int msg,
        unsigned __int64 wParam,
        __int64 lParam)
{
  int m_bMessageReentrancyGuard; // edi
  __int64 result; // rax
  unsigned int v9; // esi
  IXcpHostSite *v10; // rcx
  unsigned int v11; // esi
  IXcpBrowserHost *v12; // rcx
  __int64 v13; // rax
  IXcpHostSite *m_pSite; // rcx
  IXcpBrowserHost *m_pBH; // rcx
  HRESULT v16; // eax
  HWND__ *hWnd; // rcx
  unsigned __int64 wParam_1; // r8
  unsigned int pcStowedExceptions; // [rsp+40h] [rbp+18h] BYREF
  _STOWED_EXCEPTION_INFORMATION_V2 **pppStowedExceptions; // [rsp+48h] [rbp+20h] BYREF

  pppStowedExceptions = (_STOWED_EXCEPTION_INFORMATION_V2 **)wParam;
  m_bMessageReentrancyGuard = this->m_bMessageReentrancyGuard;
  this->m_bMessageReentrancyGuard = 1;
  if ( m_bMessageReentrancyGuard )
  {
    m_pSite = this->m_pSite;
    if ( m_pSite )
      ((void (__fastcall *)(IXcpHostSite *, HWND__ *))_guard_xfg_dispatch_icall_fptr)(m_pSite, hwnd);
    TraceForFailFast(-2147418113);
    OnNewFailureEncountered(-2147418113, 0i64, 0i64);
    GetStowedExceptionsForFailFast(&pppStowedExceptions, &pcStowedExceptions);
    RoFailFastWithErrorContextInternal2(-2147418113, pcStowedExceptions, pppStowedExceptions);
  }
  if ( msg == 1026 )
  {
    if ( this->m_pSite )
      CXcpDispatcher::Tick(this);
  }
  else
  {
    v9 = msg - 1030;
    if ( v9 )
    {
      v11 = v9 - 6;
      if ( v11 )
      {
        if ( v11 == 3 )
        {
          m_pBH = this->m_pBH;
          if ( m_pBH )
          {
            v16 = ((__int64 (__fastcall *)(IXcpBrowserHost *, HWND__ *))_guard_xfg_dispatch_icall_fptr)(m_pBH, hwnd);
            if ( v16 < 0 )
            {
              OnFailure_2064_(v16);
              CXcpDispatcher::ReleaseMessageResources(hWnd, 0x40Fu, wParam_1, lParam);
            }
          }
        }
      }
      else
      {
        v12 = this->m_pBH;
        if ( v12
          && (v13 = ((__int64 (__fastcall *)(IXcpBrowserHost *, HWND__ *))_guard_xfg_dispatch_icall_fptr)(v12, hwnd)) != 0
          && *(_DWORD *)(v13 + 1592) == 7 )
        {
          DeferWindowMessageDispatch::DeferWindowMessageDispatch(
            (DeferWindowMessageDispatch *)&pppStowedExceptions,
            this->m_messageLoopExtensions.m_ptr);
          CXcpDispatcher::OnScriptCallback(this, (CEventInfo *)lParam);
          DeferWindowMessageDispatch::~DeferWindowMessageDispatch((DeferWindowMessageDispatch *)&pppStowedExceptions);
        }
        else
        {
          CXcpDispatcher::OnScriptCallback(this, (CEventInfo *)lParam);
        }
      }
    }
    else
    {
      v10 = this->m_pSite;
      if ( v10
        && !(unsigned int)((__int64 (__fastcall *)(IXcpHostSite *, HWND__ *))_guard_xfg_dispatch_icall_fptr)(v10, hwnd) )
      {
        ((void (*)(void))_guard_xfg_dispatch_icall_fptr)();
      }
    }
  }
  result = 0i64;
  this->m_bMessageReentrancyGuard = m_bMessageReentrancyGuard;
  return result;
}
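
The two decompiled functions above can be traced with the values from the dump. The following C sketch is an added example, not code from the original analysis or from Microsoft: the function and enum names are hypothetical, the range comparisons are assumed to be unsigned, and `viewport_changed_index` is a placeholder because the numeric value of FrameworkElement_EffectiveViewportChanged is not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for the branches of OnReentrancyProtectedWindowMessage. */
typedef enum {
    ROUTE_TICK,            /* msg == 1026 (0x402): CXcpDispatcher::Tick      */
    ROUTE_HOST_SITE,       /* msg == 1030 (0x406): call through m_pSite      */
    ROUTE_SCRIPT_CALLBACK, /* msg == 1036 (0x40C): OnScriptCallback(lParam)  */
    ROUTE_BROWSER_HOST,    /* msg == 1039 (0x40F): call through m_pBH        */
    ROUTE_NONE             /* every other message: no branch is taken        */
} route_t;

/*
 * Message selection from SyncScriptCallbackRequest, i.e. the body of the
 * `if ( bHasFlags )` block. How bHasFlags is computed is not shown on the
 * page, so this models only the case where that block is entered.
 */
static uint32_t select_callback_msg(uint32_t flags, uint32_t event_index,
                                    uint32_t viewport_changed_index)
{
    if (flags & 0x80u)
        return 0x415;
    if (flags & 0x100u)
        return 0x416;
    if (event_index == viewport_changed_index)
        return 0x40D;
    /*
     * Compiler range-check idiom. With unsigned wrap-around,
     * (index - 31) > 1 means "index is neither 31 nor 32". A signed
     * comparison would send index 0x15 to 0x418, which contradicts the
     * 0x40C seen in the trace, hence the unsigned assumption.
     */
    if ((uint32_t)(event_index - 31u) > 1u) {
        /* (index - 84) <= 1 means "index is 84 or 85". */
        if ((uint32_t)(event_index - 84u) <= 1u)
            return 0x419;
        return 0x40C;
    }
    return 0x418;
}

/*
 * Dispatch in OnReentrancyProtectedWindowMessage. The decompiler expresses
 * a switch as a chain of subtractions: v9 = msg - 1030, v11 = v9 - 6.
 */
static route_t route_dispatcher_msg(uint32_t msg)
{
    if (msg == 1026u)
        return ROUTE_TICK;
    uint32_t v9 = msg - 1030u;
    if (v9 == 0u)
        return ROUTE_HOST_SITE;
    uint32_t v11 = v9 - 6u;
    if (v11 == 0u)
        return ROUTE_SCRIPT_CALLBACK;
    if (v11 == 3u)
        return ROUTE_BROWSER_HOST;
    return ROUTE_NONE;
}

int main(void)
{
    /* Constructed placeholder, chosen to differ from every index used here. */
    const uint32_t viewport_changed_index = 0xFFFFu;

    /* Values as printed by the debugger: flags = 0n40, hEvent.index = 0x15. */
    uint32_t msg = select_callback_msg(40u, 0x15u, viewport_changed_index);
    printf("selected msg = 0x%X\n", (unsigned)msg);
    printf("takes OnScriptCallback branch: %s\n",
           route_dispatcher_msg(msg) == ROUTE_SCRIPT_CALLBACK ? "yes" : "no");
    return 0;
}
```

Neither bit 0x80 nor bit 0x100 is set in the flags value, and the event index is outside both special ranges, so the selection falls through to 0x40C and the dispatcher hands lParam to CXcpDispatcher::OnScriptCallback.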

This passes Windows_UI_Xaml!DeferWindowMessageDispatch::DeferWindowMessageDispatch -> Windows_UI_Xaml!CPopup::WindowedPopupWindowProc -> Windows_UI_Xaml!CPopup::HandleWindowedPopupMessage

0:000> .frame
00 00000000`0336bc08 00007ffc`22cbb011     Windows_UI_Xaml!CPopup::HandleWindowedPopupMessage [onecoreuap\windows\dxaml\xcp\core\core\elements\popup.cpp @ 1752] 
0:000> dx -r1 @$curstack.Frames[0x0].Parameters
@$curstack.Frames[0x0].Parameters                 : (HWND__ * hwnd = 0x41270, unsigned int message = 0x46, unsigned __int64 wParam = 0x0, __int64 lParam = 53919472, __int64 lParam = 140721277646927)
    hwnd             : 0x41270 [Type: HWND__ *]
    lParam           : 53919472 [Type: __int64]
    message          : 0x46 [Type: unsigned int]
    wParam           : 0x0 [Type: unsigned __int64]

This takes us to Windows_UI_Xaml!VisualTree::GetContentRootForElement then Windows_UI_Xaml!DirectUI::DXamlCore::ForwardWindowedPopupMessageToJupiterWindow. Jupiter was originally the code name for Windows Runtime XAML in Windows 8, now known as the Universal Windows Platform (UWP).

This then takes us to Windows_UI_Xaml!CJupiterControl::ForwardWindowedPopupMessageToJupiterWindow

0:000> dx -r1 @$curstack.Frames[0x0].Parameters
@$curstack.Frames[0x0].Parameters                 : (HWND__ * window = 0x41270, unsigned int message = 0x46, unsigned __int64 wParam = 0x0, __int64 lParam = 53919472, __int64 lParam = 140721174873598, CContentRoot * contentRoot = 0x5bc3750, CContentRoot * contentRoot = 0x5bc3750)
    contentRoot      : 0x5bc3750 [Type: CContentRoot *]
    lParam           : 53919472 [Type: __int64]
    message          : 0x46 [Type: unsigned int]
    wParam           : 0x0 [Type: unsigned __int64]
    window           : 0x41270 [Type: HWND__ *]

This function has some message handling logic:

LRESULT __fastcall CJupiterControl::ForwardWindowedPopupMessageToJupiterWindow(
        CJupiterControl *this,
        HWND__ *window,
        unsigned int message,
        unsigned __int64 wParam,
        __int64 lParam,
        CContentRoot *contentRoot)
{
  unsigned int result; // eax

  if ( message == 0x7B )
  {
    result = CJupiterControl::HandleGenericMessage(this, 0x7Bu, wParam, lParam, contentRoot);
  }
  else
  {
    if ( message <= 0x244
      || message > 0x247
      && (message <= 0x248
       || message > 0x24A && message != 588 && (message <= 0x24D || message > 0x250 && message != 594)) )
    {
      return DefWindowProcW(window, message, wParam, lParam);
    }
    result = CJupiterControl::HandlePointerMessage(this, message, wParam, lParam, contentRoot, 0i64, 0i64);
  }
  if ( !result )
    return DefWindowProcW(window, message, wParam, lParam);
  return 0i64;
}
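
The nested range test in this function is easier to read once the constants are mapped to their winuser.h names. The following C sketch is an added example, not code from the original analysis or from Microsoft: the enum and function names are hypothetical, and it models only which handler the function tries first (a handler returning 0 still falls back to DefWindowProcW, as the pseudocode shows).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical labels for the three outcomes of the first dispatch step. */
typedef enum {
    FWD_GENERIC,       /* CJupiterControl::HandleGenericMessage */
    FWD_POINTER,       /* CJupiterControl::HandlePointerMessage */
    FWD_DEFWINDOWPROC  /* DefWindowProcW                        */
} fwd_t;

/* The condition exactly as decompiled, with precedence made explicit. */
static fwd_t classify_decompiled(uint32_t message)
{
    if (message == 0x7B)
        return FWD_GENERIC;
    if (message <= 0x244
        || (message > 0x247
            && (message <= 0x248
                || (message > 0x24A && message != 588
                    && (message <= 0x24D
                        || (message > 0x250 && message != 594))))))
        return FWD_DEFWINDOWPROC;
    return FWD_POINTER;
}

/* The same decision written against the message names from winuser.h. */
static fwd_t classify_readable(uint32_t message)
{
    switch (message) {
    case 0x007B: /* WM_CONTEXTMENU */
        return FWD_GENERIC;
    case 0x0245: /* WM_POINTERUPDATE */
    case 0x0246: /* WM_POINTERDOWN */
    case 0x0247: /* WM_POINTERUP */
    case 0x0249: /* WM_POINTERENTER */
    case 0x024A: /* WM_POINTERLEAVE */
    case 0x024C: /* WM_POINTERCAPTURECHANGED (588) */
    case 0x024E: /* WM_POINTERWHEEL */
    case 0x024F: /* WM_POINTERHWHEEL */
    case 0x0250: /* DM_POINTERHITTEST */
    case 0x0252: /* WM_POINTERROUTEDAWAY (594) */
        return FWD_POINTER;
    default:
        return FWD_DEFWINDOWPROC;
    }
}

/* Number of message values in 0..0xFFFF where the two forms disagree. */
static unsigned count_mismatches(void)
{
    unsigned mismatches = 0;
    for (uint32_t m = 0; m <= 0xFFFFu; ++m)
        if (classify_decompiled(m) != classify_readable(m))
            ++mismatches;
    return mismatches;
}

int main(void)
{
    static const char *names[] = { "HandleGenericMessage",
                                   "HandlePointerMessage",
                                   "DefWindowProcW" };

    printf("mismatches between the two forms: %u\n", count_mismatches());
    /* 0x46 (WM_WINDOWPOSCHANGING) is the message seen in the frame above. */
    printf("message 0x46 -> %s\n", names[classify_decompiled(0x46)]);
    return 0;
}
```

Message 0x46 from the captured frame is WM_WINDOWPOSCHANGING, which is neither WM_CONTEXTMENU nor one of the pointer messages, so this call is passed straight to DefWindowProcW.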

This takes us to ExplorerExtensions!winrt::Taskbar::implementation::TaskbarResources::OnExperienceToggleButtonContextRequested -> ExplorerExtensions!winrt::Taskbar::implementation::TaskbarController::OnLaunchListItemContextRequested

This function performs operations like this:

void __fastcall winrt::Taskbar::implementation::TaskbarController::OnLaunchListItemContextRequested(
        winrt::Taskbar::implementation::TaskbarController *this,
        const struct winrt::Taskbar::LaunchListItemViewModel *a2)
{
  unsigned int v3; // ebx
  const char *v4; // r9
  HWND v5; // rax
  unsigned int v6; // esi
  __int64 v7; // rcx
  __int64 ChildItem; // rax
  char v9[24]; // [rsp+20h] [rbp-18h] BYREF
  wil::details::in1diag3 *retaddr; // [rsp+38h] [rbp+0h]
  __int64 v11; // [rsp+50h] [rbp+18h] BYREF
  __int64 v12; // [rsp+58h] [rbp+20h] BYREF

  v3 = winrt::impl::consume_SystemTray_IIconConfiguration<winrt::SystemTray::IIconConfiguration>::ContentType(a2);
  if ( (unsigned __int8)winrt::Taskbar::implementation::UdkHelpers::IsTaskbarFeatureSupported(9i64)
    && ((unsigned __int8)wil::details::FeatureImpl<__WilFeatureTraits_Feature_35238072>::__private_IsEnabled(&`wil::Feature<__WilFeatureTraits_Feature_35238072>::GetImpl'::`2'::impl)
     || v3 == 2) )
  {
    v5 = (HWND)winrt::impl::consume_WindowsUdk_UI_Shell_ITaskbarModel<winrt::WindowsUdk::UI::Shell::ITaskbarModel>::HostWindowId((char *)this + 328);
    SetForegroundWindow(v5);
  }
  if ( v3 != 1 )
  {
    if ( v3 == 2 )
    {
      winrt::Taskbar::implementation::TaskbarController::OnStartContextRequested(this);
      return;
    }
    if ( v3 - 3 > 2 )
      wil::details::in1diag3::_FailFast_Unexpected(
        retaddr,
        (void *)0x292,
        (unsigned int)"D:\\a\\_work\\3\\s\\Src\\Components\\ExplorerExtensions\\Taskbar\\lib\\TaskbarController.cpp",
        v4);
  }
  if ( (unsigned __int8)wil::details::FeatureImpl<__WilFeatureTraits_Feature_35238072>::__private_IsEnabled(&`wil::Feature<__WilFeatureTraits_Feature_35238072>::GetImpl'::`2'::impl) )
  {
    v6 = *(_DWORD *)(winrt::Taskbar::implementation::TaskbarItemsCollection::FindLaunchListItemViewModel(
                       *((_QWORD *)this + 45),
                       v9,
                       v3)
                   + 8);
    v7 = *(_QWORD *)(*((_QWORD *)this + 44) + 272i64);
    v11 = v7;
    if ( v7 )
      (*(void (__fastcall **)(__int64))(*(_QWORD *)v7 + 8i64))(v7);
    ChildItem = winrt::Taskbar::implementation::TaskbarFrame::TryGetChildItem(*((_QWORD *)this + 46), &v12, v6);
    winrt::Taskbar::implementation::ContextMenus::ShowLaunchListItemContextMenu(ChildItem, &v11, v3);
    if ( v12 )
      winrt::Windows::Foundation::IUnknown::unconditional_release_ref((winrt::Windows::Foundation::IUnknown *)&v12);
    if ( v11 )
      winrt::Windows::Foundation::IUnknown::unconditional_release_ref((winrt::Windows::Foundation::IUnknown *)&v11);
  }
}

This calls ExplorerExtensions!winrt::impl::consume_SystemTray_IIconConfiguration::ContentType -> ExplorerExtensions!winrt::Taskbar::implementation::UdkHelpers::IsTaskbarFeatureSupported -> ExplorerExtensions!wil::details::FeatureImpl<__WilFeatureTraits_Feature_35238072>::__private_IsEnabled -> ExplorerExtensions!winrt::impl::consume_WindowsUdk_UI_Shell_ITaskbarModel::HostWindowId -> ExplorerExtensions!_imp_SetForegroundWindow -> ExplorerExtensions!winrt::Taskbar::implementation::TaskbarController::OnLaunchListItemContextRequested -> ExplorerExtensions!winrt::Taskbar::implementation::TaskbarController::OnStartContextRequested

This function is something like this:

void __fastcall winrt::Taskbar::implementation::TaskbarController::OnStartContextRequested(
        winrt::Taskbar::implementation::TaskbarController *this)
{
  __int64 *v2; // rsi
  int v3; // eax
  unsigned int v4; // edi
  __int64 v5; // rcx
  __int64 ChildItem; // rax
  __int64 v7; // [rsp+20h] [rbp-40h] BYREF
  __int64 v8; // [rsp+28h] [rbp-38h] BYREF
  char v9[8]; // [rsp+30h] [rbp-30h] BYREF
  char v10[16]; // [rsp+38h] [rbp-28h] BYREF
  char v11[8]; // [rsp+48h] [rbp-18h] BYREF

  v2 = (__int64 *)((char *)this + 328);
  winrt::impl::consume_Windows_UI_Xaml_Controls_IMenuFlyoutItemStatics<winrt::Windows::UI::Xaml::Controls::IMenuFlyoutItemStatics>::CommandProperty(
    (char *)this + 328,
    &v8);
  v11[0] = 0;
  v3 = (*(__int64 (__fastcall **)(__int64, char *))(*(_QWORD *)v8 + 304i64))(v8, v11);
  if ( v3 < 0 )
    winrt::throw_hresult((unsigned int)v3);
  if ( v11[0] && *(_BYTE *)(*((_QWORD *)this + 44) + 73i64) )
  {
    v4 = *(_DWORD *)(winrt::Taskbar::implementation::TaskbarItemsCollection::FindLaunchListItemViewModel(
                       *((_QWORD *)this + 45),
                       v10,
                       2i64)
                   + 8);
    v5 = *v2;
    v7 = v5;
    if ( v5 )
      (*(void (__fastcall **)(__int64))(*(_QWORD *)v5 + 8i64))(v5);
    ChildItem = winrt::Taskbar::implementation::TaskbarFrame::TryGetChildItem(*((_QWORD *)this + 46), v9, v4);
    winrt::Taskbar::implementation::ContextMenus::ShowStartButtonContextMenuAsync(ChildItem, &v7);
  }
  winrt::Windows::Foundation::IUnknown::unconditional_release_ref((winrt::Windows::Foundation::IUnknown *)&v8);
}

This calls into ExplorerExtensions!winrt::impl::consume_WindowsUdk_UI_Shell_ITaskbarAppsList::ActiveGroup -> ExplorerExtensions!_guard_dispatch_icall_fptr -> Taskbar!winrt::impl::produce::get_Settings -> Taskbar!_guard_xfg_dispatch_icall_fptr -> Taskbar!winrt::impl::produce_base >,winrt::Windows::Foundation::Collections::IKeyValuePair,void>::AddRef

This calls into the Windows licensing API to check if Shell-WinXMenu-Enabled is set:

0:000> bp SLC!SLGetWindowsInformationDWORD
0:000> g
Breakpoint 6 hit
Time Travel Position: 8F7B34E:44
SLC!SLGetWindowsInformationDWORD:
00007ffc`361113c0 4c8bdc          mov     r11,rsp
0:000> du @rcx
00007ffb`f0a808f0  "Shell-WinXMenu-Enabled"

This returns “True”

The function ExplorerExtensions!winrt::Taskbar::implementation::TaskbarController::OnStartContextRequested then calls into ExplorerExtensions!winrt::Taskbar::implementation::TaskbarFrame::TryGetChildItem -> Windows_UI_Xaml!CDOCollection::GetCount -> Windows_UI_Xaml!DirectUI::PresentationFrameworkCollection::GetAt -> Windows_UI_Xaml!DirectUI::CValueBoxer::UnboxObjectValue

We can see that “GetAt” again returns this LaunchListButton by checking the parameters at the start of the function, then setting a breakpoint where it returns and re-checking the value, which has by then been populated.

Breakpoint 103 hit
Time Travel Position: 8F7B395:A1
Windows_UI_Xaml![thunk]:DirectUI::PresentationFrameworkCollection<Windows::UI::Xaml::UIElement *>::GetAt`adjustor{8}':
00007ffc`22c78f00 4883e908        sub     rcx,8
0:000> t-
Time Travel Position: 8F7B395:92
Microsoft_UI_Xaml!DllGetActivationFactory+0x6b8c2:
00007ffb`edaee0a2 ff1530663600    call    qword ptr [Microsoft_UI_Xaml!DllCanUnloadNow+0x2b1b8 (00007ffb`ede546d8)] ds:00007ffb`ede546d8={ntdll!LdrpDispatchUserCallTarget (00007ffc`3a273210)}
0:000> bp 00007ffb`edaee0a8
0:000> g
Breakpoint 103 hit
Time Travel Position: 8F7B395:A1
Windows_UI_Xaml![thunk]:DirectUI::PresentationFrameworkCollection<Windows::UI::Xaml::UIElement *>::GetAt`adjustor{8}':
00007ffc`22c78f00 4883e908        sub     rcx,8
0:000> g
Breakpoint 23 hit
Time Travel Position: 8F7B395:A3
Windows_UI_Xaml!DirectUI::PresentationFrameworkCollection<Windows::UI::Xaml::UIElement *>::GetAt:
00007ffc`229963f0 4c8bdc          mov     r11,rsp
0:000> dx -r1 ((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement * *)0x336bda8)
((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement * *)0x336bda8)                 : 0x336bda8 [Type: Windows::UI::Xaml::IUIElement * *]
    0x0 [Type: Windows::UI::Xaml::IUIElement *]
0:000> dx -r1 @$curstack.Frames[0x0].Parameters
@$curstack.Frames[0x0].Parameters                 : (unsigned int index = 0x0, Windows::UI::Xaml::IUIElement * * item = 0x336bda8)
    index            : 0x0 [Type: unsigned int]
    item             : 0x336bda8 [Type: Windows::UI::Xaml::IUIElement * *]
0:000> dx -r1 ((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement * *)0x336bda8)
((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement * *)0x336bda8)                 : 0x336bda8 [Type: Windows::UI::Xaml::IUIElement * *]
    0x0 [Type: Windows::UI::Xaml::IUIElement *]
0:000> g
Breakpoint 11 hit
Time Travel Position: 8F7B39F:19
Microsoft_UI_Xaml!DllGetActivationFactory+0x6b8c8:
00007ffb`edaee0a8 85c0            test    eax,eax
0:000> dx -r1 ((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement * *)0x336bda8)
((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement * *)0x336bda8)                 : 0x336bda8 [Type: Windows::UI::Xaml::IUIElement * *]
    0x320d248 [Type: Windows::UI::Xaml::IUIElement *]
0:000> dx -r1 ((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement *)0x320d248)
((Windows_UI_Xaml!Windows::UI::Xaml::IUIElement *)0x320d248)                 : 0x320d180 [Type: ctl::ComObject<DirectUI::ToggleButton> * (derived from Windows::UI::Xaml::IUIElement *)]
    [+0x008] m_pControllingUnknown : 0x3063008 [Type: IInspectable *]
    [+0x010] DirectUI::ContentControl : {Name = {...} Content = [null]} [Type: DirectUI::ContentControl]
    [+0x250] m_pointerPosition [Type: Windows::Foundation::Point]
    [+0x258 ( 0: 0)] m_bIsSpaceOrEnterKeyDown : false [Type: bool]
    [+0x258 ( 1: 1)] m_bIsNavigationAcceptOrGamepadAKeyDown : false [Type: bool]
    [+0x258 ( 2: 2)] m_bIsPointerLeftButtonDown : false [Type: bool]
    [+0x258 ( 3: 3)] m_bIsSuspendingIsEnabled : false [Type: bool]
    [+0x258 ( 4: 4)] m_bKeyboardNavigationAcceptsReturn : true [Type: bool]
    [+0x258 ( 5: 5)] m_shouldPerformActions : false [Type: bool]
    [+0x258 ( 6: 6)] m_handlesKeyboardInput : true [Type: bool]
    [+0x260] m_epCanExecuteChangedHandler [Type: ctl::WeakEventPtr<ctl::weak_event_handler<Windows::Foundation::IEventHandler<IInspectable *>,IInspectable,IInspectable,DirectUI::CommandCanExecuteChangedTraits<Windows::UI::Xaml::Input::ICommand,Windows::Foundation::IEventHandler<IInspectable *> > > >]
    [+0x268] m_tpPointerForPendingRightTapped : {...} [Type: DirectUI::TrackerPtr<Windows::UI::Xaml::Input::IPointer,1,0>]
    [+0x280] m_bIsPointerCaptured : 0x0 [Type: unsigned char]
    [+0x298] _skipCreateAutomationPeer : 0x0 [Type: unsigned char]
0:000> dx -r1 (*((Windows_UI_Xaml!DirectUI::ContentControl *)0x320d190)),nd
(*((Windows_UI_Xaml!DirectUI::ContentControl *)0x320d190)),nd                 : {Name = {...} Content = [null]} [Type: DirectUI::ContentControl]
    [<Raw View>]     [Type: DirectUI::ContentControl]
    [+0x000] CContentControl  : {Name = {...} Content = [null]} [Type: CContentControl]
0:000> dx -r1 (*((Windows_UI_Xaml!CContentControl *)0x10302e40)),nd
(*((Windows_UI_Xaml!CContentControl *)0x10302e40)),nd                 : {Name = {...} Content = [null]} [Type: CContentControl]
    [<Raw View>]     [Type: CContentControl]
    Content          : 0x10303098 : [null] [Type: CValue *]
    IsTabStop        : true [Type: bool]
    TabIndex         : 2147483647 [Type: int]
    HorizontalContentAlignment : Stretch (0x3) [Type: DirectUI::HorizontalAlignment]
    VerticalContentAlignment : Stretch (0x3) [Type: DirectUI::VerticalAlignment]
    BorderThickness  [Type: XRECTF_RB]
    Padding          [Type: XRECTF_RB]
    IsFocused        : Unable to bind name 'Unfocused'
    Template         : 0x5e01150 [Type: CControlTemplate *]
    Width            : -1.#IND00 [Type: float]
    Height           : -1.#IND00 [Type: float]
    MouseCursor      : MouseCursorDefault (0x0) [Type: MouseCursor]
    Name             [Type: xstring_ptr]
    IsDoubleTapEnabled : true [Type: bool]
    IsRightTapEnabled : true [Type: bool]
    IsTapEnabled     : true [Type: bool]
    IsHoldingEnabled : true [Type: bool]
0:000> dx -r1 (*((Windows_UI_Xaml!xstring_ptr *)0x10302e58))
(*((Windows_UI_Xaml!xstring_ptr *)0x10302e58))                 [Type: xstring_ptr]
    [+0x000] xstring_ptr_view : "LaunchListButton" [Type: xstring_ptr_view]

We then see a call into “ExperienceToggleButton”, something we saw earlier:

ExplorerExtensions!winrt::impl::root_implements<winrt::Taskbar::implementation::ExperienceToggleButton,winrt::Taskbar::ExperienceToggleButton,winrt::Taskbar::ITaskbarButton,winrt::composable,winrt::composing,winrt::Windows::UI::Xaml::Controls::Primitives::IToggleButtonOverrides,winrt::Windows::UI::Xaml::Controls::IContentControlOverrides,winrt::Windows::UI::Xaml::Controls::IControlOverrides,winrt::Windows::UI::Xaml::Controls::IControlOverrides6,winrt::Windows::UI::Xaml::IFrameworkElementOverrides,winrt::Windows::UI::Xaml::IFrameworkElementOverrides2,winrt::Windows::UI::Xaml::IUIElementOverrides,winrt::Windows::UI::Xaml::IUIElementOverrides7,winrt::Windows::UI::Xaml::IUIElementOverrides8,winrt::Windows::UI::Xaml::IUIElementOverrides9>::QueryInterface 

This leads to Windows_UI_Xaml!DirectUI::ButtonBaseGenerated::QueryInterfaceImpl -> Windows_UI_Xaml!DirectUI::ContentControlGenerated::QueryInterfaceImpl -> Windows_UI_Xaml!DirectUI::FrameworkElementGenerated::QueryInterfaceImpl -> Windows_UI_Xaml!DirectUI::UIElement::QueryInterfaceImpl -> Windows_UI_Xaml!DirectUI::UIElementGenerated::QueryInterfaceImpl

The interface GUID provided is {5C526665-F60E-4912-AF59-5FE0680F089D}, which is for Windows.UI.Xaml.IDependencyObject, the type of object we saw being passed earlier. These GUIDs can be determined from the *.winmd files provided by the Windows SDK.

These various GUIDs get handled in conditional code something like:

__int64 __fastcall DirectUI::UIElementGenerated::QueryInterfaceImpl(
        DirectUI::UIElementGenerated *this,
        const _GUID *iid,
        void **ppObject)
{
  unsigned int Data1; // eax
  void *v7; // rdi
  unsigned int v8; // ebp
  unsigned int v9; // edi
  char *p_m_pM3Parents; // rdi
  int v12; // ecx
  ctl::forwarder_holder<Windows::UI::Xaml::IUIElement10,DirectUI::UIElementGenerated> *v13; // rax
  void *p_refCount; // rax
  ctl::forwarder_holder<Windows::UI::Xaml::IUIElement10,DirectUI::UIElementGenerated> *p_m_trackers; // rcx
  HRESULT v16; // eax
  char *v17; // rcx
  Windows::UI::Composition::IAnimationObject *v18; // rcx
  void (__fastcall *const **FailFast)(); // rbx
  void (__fastcall *const *v20)(); // rax
  ctl::ComPtr<Windows::Media::Core::ITimedMetadataTrack> *v21; // r15

  Data1 = iid->Data1;
  if ( iid->Data1 == -940168940 )
  {
    if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_c7f62914_70ca_47bd_8ac4_a018b262cf39.Data2
      && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_c7f62914_70ca_47bd_8ac4_a018b262cf39.Data4
      && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_c7f62914_70ca_47bd_8ac4_a018b262cf39.Data4[4] )
    {
      p_m_pM3Parents = (char *)&this[-1].ctl::forwarder_holder<Windows::UI::Xaml::IUIElement10,DirectUI::UIElementGenerated>;
      goto LABEL_38;
    }
LABEL_12:
    if ( Data1 == -1264564362 )
    {
      if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_b4a04776_4e88_50ca_8f2b_08940d6c5f94.Data2
        || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_b4a04776_4e88_50ca_8f2b_08940d6c5f94.Data4
        || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_b4a04776_4e88_50ca_8f2b_08940d6c5f94.Data4[4] )
      {
        goto LABEL_23;
      }
      p_m_pM3Parents = 0i64;
      if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-272i64 )
        p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElementOverrides8,DirectUI::UIElementGenerated>;
      goto LABEL_38;
    }
LABEL_13:
    if ( Data1 == -1704044173 )
    {
      if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_9a6e5973_6d63_54f2_90fa_62813b20b7b9.Data2
        || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_9a6e5973_6d63_54f2_90fa_62813b20b7b9.Data4
        || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_9a6e5973_6d63_54f2_90fa_62813b20b7b9.Data4[4] )
      {
        goto LABEL_23;
      }
      p_m_pM3Parents = 0i64;
      if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-280i64 )
        p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElement9,DirectUI::UIElementGenerated>;
      goto LABEL_38;
    }
LABEL_14:
    if ( Data1 != -418111990 )
      goto LABEL_15;
    if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_e7141e0a_04b8_4fc5_a4dc_195392e57807.Data2
      || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_e7141e0a_04b8_4fc5_a4dc_195392e57807.Data4
      || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_e7141e0a_04b8_4fc5_a4dc_195392e57807.Data4[4] )
    {
      goto LABEL_23;
    }
    if ( this != (DirectUI::UIElementGenerated *)8 )
    {
      p_m_pM3Parents = (char *)&this->Windows::UI::Xaml::IUIElementOverrides;
      goto LABEL_38;
    }
LABEL_174:
    p_m_pM3Parents = 0i64;
    goto LABEL_38;
  }
  switch ( Data1 )
  {
    case 0x676D0BE9u:
      if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_676d0be9_b65c_41c6_ba40_58cf87f201c1.Data2
        && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_676d0be9_b65c_41c6_ba40_58cf87f201c1.Data4
        && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_676d0be9_b65c_41c6_ba40_58cf87f201c1.Data4[4] )
      {
        if ( this != (DirectUI::UIElementGenerated *)8 )
        {
          p_m_pM3Parents = (char *)&this->m_pM3Parents;
          goto LABEL_38;
        }
        goto LABEL_174;
      }
      goto LABEL_13;
    case 0x608D2F1Du:
      if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_608d2f1d_7858_4aeb_89e4_b54e2c7ed3d3.Data2
        && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_608d2f1d_7858_4aeb_89e4_b54e2c7ed3d3.Data4
        && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_608d2f1d_7858_4aeb_89e4_b54e2c7ed3d3.Data4[4] )
      {
        if ( this != (DirectUI::UIElementGenerated *)8 )
        {
          p_m_pM3Parents = (char *)&this->Windows::UI::Xaml::IUIElement;
          goto LABEL_38;
        }
        goto LABEL_174;
      }
      goto LABEL_14;
    case 0x676D0BF9u:
      if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_676d0bf9_b66c_41d6_ba50_58cf87f201d1.Data2
        || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_676d0bf9_b66c_41d6_ba50_58cf87f201d1.Data4
        || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_676d0bf9_b66c_41d6_ba50_58cf87f201d1.Data4[4] )
      {
LABEL_15:
        if ( Data1 == -718158295 )
        {
          if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_d531c629_ad2c_5f6b_adcf_fb87287d18d7.Data2
            || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_d531c629_ad2c_5f6b_adcf_fb87287d18d7.Data4
            || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_d531c629_ad2c_5f6b_adcf_fb87287d18d7.Data4[4] )
          {
            goto LABEL_23;
          }
          p_m_pM3Parents = 0i64;
          if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-288i64 )
            p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElementOverrides9,DirectUI::UIElementGenerated>;
          goto LABEL_38;
        }
        goto LABEL_16;
      }
      v17 = (char *)&this->Windows::UI::Composition::IVisualElement;
LABEL_169:
      p_m_pM3Parents = 0i64;
      if ( this == (DirectUI::UIElementGenerated *)8 )
        v17 = 0i64;
      if ( v17 )
        p_m_pM3Parents = v17;
      goto LABEL_38;
    case 0xBC2B28F1:
      if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_bc2b28f1_26f2_4aab_b256_3b5350881e37.Data2
        || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_bc2b28f1_26f2_4aab_b256_3b5350881e37.Data4
        || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_bc2b28f1_26f2_4aab_b256_3b5350881e37.Data4[4] )
      {
LABEL_16:
        if ( Data1 != 31868434 )
          goto LABEL_17;
        if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_01e64612_1d82_42f4_8e3f_a722ded33fc7.Data2
          || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_01e64612_1d82_42f4_8e3f_a722ded33fc7.Data4
          || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_01e64612_1d82_42f4_8e3f_a722ded33fc7.Data4[4] )
        {
          goto LABEL_23;
        }
        v18 = &this->Windows::UI::Composition::IAnimationObject;
        if ( this == (DirectUI::UIElementGenerated *)8 )
          v18 = 0i64;
        p_m_pM3Parents = (char *)v18;
        goto LABEL_38;
      }
      v17 = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElement2,DirectUI::UIElementGenerated>;
      goto LABEL_169;
    case 0x69145CD4u:
      if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_69145cd4_199a_4657_9e57_e99e8f136712.Data2
        || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_69145cd4_199a_4657_9e57_e99e8f136712.Data4
        || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_69145cd4_199a_4657_9e57_e99e8f136712.Data4[4] )
      {
LABEL_17:
        if ( Data1 == 1704626518 )
        {
          if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_659a8956_ef29_4f50_8724_7e3207d23076.Data2
            || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_659a8956_ef29_4f50_8724_7e3207d23076.Data4 )
          {
            goto LABEL_23;
          }
          v12 = *(_DWORD *)&GUID_659a8956_ef29_4f50_8724_7e3207d23076.Data4[4];
          goto LABEL_42;
        }
LABEL_18:
        if ( Data1 != 1548904037 )
          goto LABEL_19;
        if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_5c526665_f60e_4912_af59_5fe0680f089d.Data2
          || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_5c526665_f60e_4912_af59_5fe0680f089d.Data4 )
        {
          goto LABEL_23;
        }
        v12 = *(_DWORD *)&GUID_5c526665_f60e_4912_af59_5fe0680f089d.Data4[4];
LABEL_42:
        if ( *(_DWORD *)&iid->Data4[4] != v12 )
          goto LABEL_23;
        v13 = &this[-1].ctl::forwarder_holder<Windows::UI::Xaml::IUIElement10,DirectUI::UIElementGenerated>;
        goto LABEL_44;
      }
      p_m_pM3Parents = 0i64;
      if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-224i64 )
        p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElement3,DirectUI::UIElementGenerated>;
LABEL_38:
      *ppObject = p_m_pM3Parents;
      ((void (__fastcall *)(DirectUI::UIElementGenerated *))_guard_xfg_dispatch_icall_fptr)(this);
      return 0i64;
    case 0x8EED9BC2:
      if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_8eed9bc2_a58c_4453_af0f_a92ee06d0317.Data2
        || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_8eed9bc2_a58c_4453_af0f_a92ee06d0317.Data4
        || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_8eed9bc2_a58c_4453_af0f_a92ee06d0317.Data4[4] )
      {
        goto LABEL_18;
      }
      p_m_pM3Parents = 0i64;
      if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-232i64 )
        p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElement4,DirectUI::UIElementGenerated>;
      goto LABEL_38;
  }
  if ( Data1 != -889435800 )
  {
    switch ( Data1 )
    {
      case 0xB97F7F68:
        if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_b97f7f68_c29b_4c99_a1c3_952619d6e720.Data2
          || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_b97f7f68_c29b_4c99_a1c3_952619d6e720.Data4
          || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_b97f7f68_c29b_4c99_a1c3_952619d6e720.Data4[4] )
        {
          goto LABEL_20;
        }
        p_m_pM3Parents = 0i64;
        if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-248i64 )
          p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElement7,DirectUI::UIElementGenerated>;
        goto LABEL_38;
      case 0x3AB70E85u:
        if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_3ab70e85_d508_4477_b6f8_0e435701c836.Data2
          || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_3ab70e85_d508_4477_b6f8_0e435701c836.Data4
          || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_3ab70e85_d508_4477_b6f8_0e435701c836.Data4[4] )
        {
LABEL_21:
          if ( Data1 == -988054440 )
          {
            if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_c51b7c58_5f92_4ff9_98de_a3d27703b821.Data2
              && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_c51b7c58_5f92_4ff9_98de_a3d27703b821.Data4
              && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_c51b7c58_5f92_4ff9_98de_a3d27703b821.Data4[4] )
            {
              v9 = 0;
              FailFast = (void (__fastcall *const **)())XcpAllocation::OSMemoryAllocateFailFast(0x18ui64);
              if ( FailFast )
              {
                v20 = TearoffSourceInfoPrivate::`vftable';
LABEL_186:
                *FailFast = v20;
                FailFast[1] = (void (__fastcall *const *)())&this[-1].ctl::forwarder_holder<Windows::UI::Xaml::IUIElement10,DirectUI::UIElementGenerated>;
                *((_DWORD *)FailFast + 4) = 1;
                ((void (*)(void))_guard_xfg_dispatch_icall_fptr)();
LABEL_188:
                *ppObject = FailFast;
                return v9;
              }
LABEL_187:
              FailFast = 0i64;
              goto LABEL_188;
            }
LABEL_23:
            v7 = 0i64;
            v8 = 0;
            switch ( Data1 )
            {
              case 0x38u:
                if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_00000038_0000_0000_c000_000000000046.Data2
                  && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_00000038_0000_0000_c000_000000000046.Data4
                  && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_00000038_0000_0000_c000_000000000046.Data4[4] )
                {
                  if ( this )
                  {
                    p_refCount = &this->refCount_;
LABEL_50:
                    if ( p_refCount )
                      v7 = p_refCount;
                  }
LABEL_52:
                  *ppObject = v7;
LABEL_53:
                  ((void (__fastcall *)(DirectUI::UIElementGenerated *))_guard_xfg_dispatch_icall_fptr)(this);
                  return v8;
                }
                break;
              case 0x11D3B13Au:
                if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_11d3b13a_180e_4789_a8be_7712882893e6.Data2
                  && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_11d3b13a_180e_4789_a8be_7712882893e6.Data4
                  && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_11d3b13a_180e_4789_a8be_7712882893e6.Data4[4] )
                {
                  v16 = DirectUI::ComposingTrackerTargetWrapper::Ensure((ctl::WeakReferenceSourceNoThreadId *)this);
                  v8 = v16;
                  if ( v16 < 0 )
                    goto LABEL_148;
                  goto LABEL_48;
                }
                break;
              case 0x2DD3AD0u:
                if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_02dd3ad0_b9de_4b55_a0c3_507235eae8ea.Data2
                  && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_02dd3ad0_b9de_4b55_a0c3_507235eae8ea.Data4
                  && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_02dd3ad0_b9de_4b55_a0c3_507235eae8ea.Data4[4] )
                {
LABEL_48:
                  if ( this )
                  {
                    p_refCount = &this->ctl::forwarder_holder<IWeakReferenceSource,ctl::WeakReferenceSourceNoThreadId>;
                    goto LABEL_50;
                  }
                  goto LABEL_52;
                }
                break;
              default:
                if ( Data1 == -552911520
                  && *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_df0b3d60_548f_101b_8e65_08002b2bd119.Data2
                  && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_df0b3d60_548f_101b_8e65_08002b2bd119.Data4
                  && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_df0b3d60_548f_101b_8e65_08002b2bd119.Data4[4] )
                {
                  v21 = (ctl::ComPtr<Windows::Media::Core::ITimedMetadataTrack> *)XcpAllocation::OSMemoryAllocateFailFast(0x18ui64);
                  if ( v21 )
                  {
                    v21->ptr_ = (Windows::Media::Core::ITimedMetadataTrack *)ctl::TearoffSupportErrorInfo::`vftable';
                    v21[1].ptr_ = (Windows::Media::Core::ITimedMetadataTrack *)this;
                    ctl::ComPtr<Windows::Media::Core::IMediaCueEventArgs>::InternalAddRef(v21 + 1);
                    LODWORD(v21[2].ptr_) = 1;
                    ((void (*)(void))_guard_xfg_dispatch_icall_fptr)();
                  }
                  else
                  {
                    v21 = 0i64;
                  }
                  *ppObject = v21;
                  return v8;
                }
                break;
            }
            if ( Data1 == IID_IUnknown.Data1
              && *(_DWORD *)&iid->Data2 == *(_DWORD *)&IID_IUnknown.Data2
              && *(_DWORD *)iid->Data4 == *(_DWORD *)IID_IUnknown.Data4
              && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&IID_IUnknown.Data4[4]
              || Data1 == IID_IInspectable.Data1
              && *(_DWORD *)&iid->Data2 == *(_DWORD *)&IID_IInspectable.Data2
              && *(_DWORD *)iid->Data4 == *(_DWORD *)IID_IInspectable.Data4
              && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&IID_IInspectable.Data4[4] )
            {
              *ppObject = this;
              goto LABEL_53;
            }
            if ( Data1 != IID_IMarshal.Data1
              || *(_DWORD *)&iid->Data2 != *(_DWORD *)&IID_IMarshal.Data2
              || *(_DWORD *)iid->Data4 != *(_DWORD *)IID_IMarshal.Data4
              || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&IID_IMarshal.Data4[4] )
            {
              return (unsigned int)-2147467262;
            }
            v16 = ctl::ComBase::EnsureFTM((ctl::ComBase *)this);
            v8 = v16;
            if ( v16 >= 0 )
            {
              v16 = ((__int64 (__fastcall *)(_QWORD, const _GUID *, void **))_guard_xfg_dispatch_icall_fptr)(
                      *(_QWORD *)&this->m_inFinalRelease,
                      iid,
                      ppObject);
              v8 = v16;
              if ( v16 >= 0 )
                return v8;
            }
LABEL_148:
            OnFailure_2064_(v16);
            return v8;
          }
LABEL_22:
          if ( Data1 == -333293059
            && *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_ec2259fd_4613_40a7_95de_0b9b1701bbf1.Data2
            && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_ec2259fd_4613_40a7_95de_0b9b1701bbf1.Data4
            && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_ec2259fd_4613_40a7_95de_0b9b1701bbf1.Data4[4] )
          {
            v9 = 0;
            FailFast = (void (__fastcall *const **)())XcpAllocation::OSMemoryAllocateFailFast(0x18ui64);
            if ( FailFast )
            {
              v20 = TearoffMemoryInfoPrivate::`vftable';
              goto LABEL_186;
            }
            goto LABEL_187;
          }
          goto LABEL_23;
        }
        p_m_pM3Parents = 0i64;
        if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-256i64 )
          p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElementOverrides7,DirectUI::UIElementGenerated>;
        goto LABEL_38;
      case 0x4A5A645Cu:
        if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_4a5a645c_548d_48cf_b998_7844d6e235a1.Data2
          || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_4a5a645c_548d_48cf_b998_7844d6e235a1.Data4
          || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_4a5a645c_548d_48cf_b998_7844d6e235a1.Data4[4] )
        {
          goto LABEL_22;
        }
        p_m_pM3Parents = 0i64;
        if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-264i64 )
          p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElement8,DirectUI::UIElementGenerated>;
        goto LABEL_38;
    }
    goto LABEL_12;
  }
  if ( *(_DWORD *)&iid->Data2 == *(_DWORD *)&GUID_cafc4968_6369_4249_80f9_3d656319e811.Data2
    && *(_DWORD *)iid->Data4 == *(_DWORD *)GUID_cafc4968_6369_4249_80f9_3d656319e811.Data4
    && *(_DWORD *)&iid->Data4[4] == *(_DWORD *)&GUID_cafc4968_6369_4249_80f9_3d656319e811.Data4[4] )
  {
    p_m_pM3Parents = 0i64;
    if ( this != (DirectUI::UIElementGenerated *)8 && this != (DirectUI::UIElementGenerated *)-240i64 )
      p_m_pM3Parents = (char *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IUIElement5,DirectUI::UIElementGenerated>;
    goto LABEL_38;
  }
LABEL_19:
  if ( Data1 == 704567389 )
  {
    if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_29fed85d_3d22_43a1_add0_17027c08b212.Data2
      || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_29fed85d_3d22_43a1_add0_17027c08b212.Data4
      || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_29fed85d_3d22_43a1_add0_17027c08b212.Data4[4] )
    {
      goto LABEL_23;
    }
    v13 = 0i64;
    if ( this == (DirectUI::UIElementGenerated *)8 )
      goto LABEL_44;
    p_m_trackers = (ctl::forwarder_holder<Windows::UI::Xaml::IUIElement10,DirectUI::UIElementGenerated> *)&this->m_trackers;
    goto LABEL_86;
  }
LABEL_20:
  if ( Data1 != -349912565 )
    goto LABEL_21;
  if ( *(_DWORD *)&iid->Data2 != *(_DWORD *)&GUID_eb24c20b_9816_4ac7_8cff_36f67a118f4e.Data2
    || *(_DWORD *)iid->Data4 != *(_DWORD *)GUID_eb24c20b_9816_4ac7_8cff_36f67a118f4e.Data4
    || *(_DWORD *)&iid->Data4[4] != *(_DWORD *)&GUID_eb24c20b_9816_4ac7_8cff_36f67a118f4e.Data4[4] )
  {
    goto LABEL_23;
  }
  v13 = 0i64;
  if ( this == (DirectUI::UIElementGenerated *)8 )
    goto LABEL_44;
  p_m_trackers = (ctl::forwarder_holder<Windows::UI::Xaml::IUIElement10,DirectUI::UIElementGenerated> *)&this->ctl::forwarder_holder<Windows::UI::Xaml::IDependencyObject2,DirectUI::DependencyObject>;
LABEL_86:
  if ( p_m_trackers )
    v13 = p_m_trackers;
LABEL_44:
  *ppObject = v13;
  ((void (__fastcall *)(DirectUI::UIElementGenerated *))_guard_xfg_dispatch_icall_fptr)(this);
  return 0i64;
}
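
To relate the constants in the listing above to interface GUIDs, the following added example (not part of the original post or of any Microsoft code) converts the decompiler's signed `Data1` values to hex and splits a GUID into the four little-endian 32-bit words that the compiled code compares. The function names are hypothetical; the IUnknown IID in the lookup table is the standard COM value and is not taken from the page.

```javascript
'use strict';

const GUID_RE = /^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$/i;

// Lay a textual GUID out as the 16 bytes of a _GUID structure in memory:
// Data1/Data2/Data3 are little-endian integers, Data4 is a plain byte array.
function guidToBytes(text) {
  const m = GUID_RE.exec(String(text).trim());
  if (!m) throw new Error('not a GUID: ' + text);
  const bytes = new Uint8Array(16);
  const view = new DataView(bytes.buffer);
  view.setUint32(0, parseInt(m[1], 16), true);
  view.setUint16(4, parseInt(m[2], 16), true);
  view.setUint16(6, parseInt(m[3], 16), true);
  const data4 = m[4] + m[5];
  for (let i = 0; i < 8; i++) {
    bytes[8 + i] = parseInt(data4.slice(i * 2, i * 2 + 2), 16);
  }
  return bytes;
}

// Inverse direction: format 16 raw bytes (for example from a memory dump,
// where `dt GUID` shows Data4 only as "???") as a GUID string.
function bytesToGuid(bytes) {
  const raw = Uint8Array.from(bytes);
  if (raw.length !== 16) throw new Error('a GUID is 16 bytes');
  const view = new DataView(raw.buffer);
  const hex = (n, width) => n.toString(16).padStart(width, '0');
  const d4 = Array.from(raw.subarray(8), b => hex(b, 2));
  return '{' + hex(view.getUint32(0, true), 8) + '-' +
    hex(view.getUint16(4, true), 4) + '-' +
    hex(view.getUint16(6, true), 4) + '-' +
    d4.slice(0, 2).join('') + '-' + d4.slice(2).join('') + '}';
}

// The four DWORDs the listing compares: Data1, then Data2|Data3,
// then Data4[0..3] and Data4[4..7], each read as a little-endian 32-bit word.
function guidDwords(text) {
  const view = new DataView(guidToBytes(text).buffer);
  return [0, 4, 8, 12].map(offset => view.getUint32(offset, true));
}

// The decompiler prints some Data1 constants as signed decimals
// (e.g. -940168940); reinterpret them as unsigned 32-bit hex.
function data1ToHex(value) {
  return (Number(value) >>> 0).toString(16).toUpperCase().padStart(8, '0');
}

// Two-stage match in the style of QueryInterfaceImpl: Data1 first, then the
// remaining three words. Returns the interface name or null; the real
// function returns -2147467262 (0x80004002) when nothing matches.
function matchIid(iidText, table) {
  const [d1, ...rest] = guidDwords(iidText);
  for (const [name, guid] of Object.entries(table)) {
    const [t1, ...tRest] = guidDwords(guid);
    if (t1 === d1 && tRest.every((word, i) => word === rest[i])) return name;
  }
  return null;
}

// Lookup table: the first entry is the GUID named on the page, the second is
// the standard COM IID_IUnknown.
const KNOWN_IIDS = {
  'Windows.UI.Xaml.IDependencyObject': '{5C526665-F60E-4912-AF59-5FE0680F089D}',
  'IUnknown': '{00000000-0000-0000-C000-000000000046}',
};
```
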

This leads to Windows_UI_Xaml![thunk]:ctl::ComObject::AddRef`adjustor{8}' -> Windows_UI_Xaml!ctl::ComObject::AddRef -> Windows_UI_Xaml!__guard_xfg_dispatch_icall_fptr -> ExplorerExtensions!winrt::impl::produce_base::AddRef

This eventually then calls into ExplorerExtensions!winrt::Taskbar::implementation::ContextMenus::ShowStartButtonContextMenuAsync

char __fastcall winrt::Taskbar::implementation::ContextMenus::ShowStartButtonContextMenuAsync(
        winrt::Windows::UI::Xaml::Style *a1,
        winrt::Windows::UI::Xaml::Controls::IMenuFlyoutFactory *a2)
{
  void *v4; // rax
  char v5; // bl
  int v7[250]; // [rsp+30h] [rbp-418h] BYREF
  winrt::Windows::UI::Xaml::Style *v8; // [rsp+418h] [rbp-30h]
  winrt::Windows::UI::Xaml::Controls::IMenuFlyoutFactory *v9; // [rsp+420h] [rbp-28h]
  char v10[8]; // [rsp+428h] [rbp-20h] BYREF

  v8 = a1;
  v9 = a2;
  v4 = operator new(0x3E0ui64);
  v7[0] = 0;
  winrt::Taskbar::implementation::ContextMenus::ShowStartButtonContextMenuAsync__InitCoro_1(v10, v7, v4, a1, a2);
  v5 = v10[0];
  winrt::Windows::UI::Xaml::Style::~Style(a1);
  winrt::Windows::UI::Xaml::Controls::IMenuFlyoutFactory::~IMenuFlyoutFactory(a2);
  return v5;
}

This calls Taskbar!CPearl::GetLauncherTipContextMenu which calls into twinui!CImmersiveMonitorManager::QueryServiceFromWindow

__int64 __fastcall CImmersiveMonitorManager::QueryServiceFromWindow(
        CImmersiveMonitorManager *this,
        HWND hWnd,
        const struct _GUID *a3,
        const struct _GUID *a4,
        void **a5)
{
  HMONITOR hMonitor; // rax

  *a5 = 0i64;
  hMonitor = MonitorFromWindow(hWnd, 0);
  if ( hMonitor )
    return _guard_xfg_dispatch_icall_fptr(this, hMonitor, a3, a4, a5);
  else
    return 0x80070490i64;
}

We can see QueryServiceFromWindow is querying the service with GUID {b8c1db5f-cbb3-48bc-afd9-ce6b880c79ed}:

twinui!CImmersiveMonitorManager::QueryServiceFromWindow:
00007ffb`efd02f60 48895c2408      mov     qword ptr [rsp+8],rbx ss:00000000`0336b770=0000000000000047
0:000> dt GUID @r8
MSVCR90!GUID
 {b8c1db5f-cbb3-48bc-afd9-ce6b880c79ed}
   +0x000 Data1            : 0xb8c1db5f
   +0x004 Data2            : 0xcbb3
   +0x006 Data3            : 0x48bc
   +0x008 Data4            : [8]  "???"
0:000> dt GUID @r9
MSVCR90!GUID
 {b8c1db5f-cbb3-48bc-afd9-ce6b880c79ed}
   +0x000 Data1            : 0xb8c1db5f
   +0x004 Data2            : 0xcbb3
   +0x006 Data3            : 0x48bc
   +0x008 Data4            : [8]  "???"

Looking up this interface key in the registry, we can see this GUID references ILauncherTipContextMenu.

Looking up the ProxyStubClsid32 at HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 points to C:\Windows\System32\ActXPrxy.dll, which is the ActiveX Interface Marshaling Library.

And here we finally find what triggers the crash: the window handle passed to QueryServiceFromWindow is then passed to MonitorFromWindow.

__int64 __fastcall CImmersiveMonitorManager::QueryServiceFromWindow(
        CImmersiveMonitorManager *this,
        HWND hWnd,
        const struct _GUID *a3,
        const struct _GUID *a4,
        void **a5)
{
  HMONITOR hMonitor; // rax

  *a5 = 0i64;
  hMonitor = MonitorFromWindow(hWnd, 0);
  if ( hMonitor )
    return _guard_xfg_dispatch_icall_fptr(this, hMonitor, a3, a4, a5);
  else
    return 0x80070490i64;
}

If the window intersects one or more display monitor rectangles, the return value is an HMONITOR handle to the display monitor that has the largest area of intersection with the window.

If the window does not intersect a display monitor, the return value depends on the value of dwFlags.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-monitorfromwindow

Because dwFlags in this case is set to 0 (MONITOR_DEFAULTTONULL), if the window doesn’t intersect a display monitor the function will return NULL. This causes QueryServiceFromWindow to return failure code 0x80070490.

Time Travel Position: 8F7B3BE:2C3
twinui!CImmersiveMonitorManager::QueryServiceFromWindow+0x83:
00007ffb`efd02fe3 b890040780      mov     eax,80070490h

In Taskbar!winrt::WindowsUdk::UI::Shell::implementation::TaskbarModel::GetStartButtonMenuItemsAsync, the return value of CPearl::GetLauncherTipContextMenu is checked for being negative, and if it is, an exception is thrown that leads to the crash:

LauncherTipContextMenu = CPearl::GetLauncherTipContextMenu(*(CPearl **)(a1 + 64), &v13);
if ( LauncherTipContextMenu < 0 )
  wil::details::in1diag3::_Throw_Hr(
    retaddr,
    (void *)0x46,
    (unsigned int)"pcshell\\shell\\taskbar\\taskband2\\TaskbarModel.cpp",
    (const char *)(unsigned int)LauncherTipContextMenu,
    v10);
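
The failure chain described above, as an added JavaScript model (not Windows code and not from the original post): a window rectangle that intersects no monitor makes the lookup return null under MONITOR_DEFAULTTONULL, the query returns 0x80070490, and the caller's negative-HRESULT check throws. The function names, the sample monitor layout and the nearest-monitor distance rule are assumptions made for illustration.

```javascript
'use strict';

// dwFlags values from winuser.h; 0x80070490 is the failure code shown on the page.
const MONITOR_DEFAULTTONULL = 0;
const MONITOR_DEFAULTTOPRIMARY = 1;
const MONITOR_DEFAULTTONEAREST = 2;
const HR_NOT_FOUND = 0x80070490;

// Constructed sample layout: a single 1920x1080 primary display.
const SAMPLE_MONITORS = [
  { name: 'DISPLAY1', primary: true, rect: { left: 0, top: 0, right: 1920, bottom: 1080 } },
];

function intersectionArea(a, b) {
  const w = Math.min(a.right, b.right) - Math.max(a.left, b.left);
  const h = Math.min(a.bottom, b.bottom) - Math.max(a.top, b.top);
  return w > 0 && h > 0 ? w * h : 0;
}

// Squared gap between two rectangles (0 when they touch or overlap).
function gapSquared(a, b) {
  const dx = Math.max(b.left - a.right, a.left - b.right, 0);
  const dy = Math.max(b.top - a.bottom, a.top - b.bottom, 0);
  return dx * dx + dy * dy;
}

// Simplified model of the documented MonitorFromWindow contract: largest
// intersection wins; with no intersection the result depends on dwFlags.
function monitorFromRect(windowRect, monitors, dwFlags) {
  let best = null;
  let bestArea = 0;
  for (const m of monitors) {
    const area = intersectionArea(windowRect, m.rect);
    if (area > bestArea) { best = m; bestArea = area; }
  }
  if (best) return best;
  if (dwFlags === MONITOR_DEFAULTTOPRIMARY) return monitors.find(m => m.primary) || null;
  if (dwFlags === MONITOR_DEFAULTTONEAREST) {
    return monitors.reduce((near, m) =>
      near === null || gapSquared(windowRect, m.rect) < gapSquared(windowRect, near.rect)
        ? m : near, null);
  }
  return null; // MONITOR_DEFAULTTONULL
}

// Same shape as the decompiled QueryServiceFromWindow: no monitor means
// the failure HRESULT is returned instead of dispatching the query.
function queryServiceFromWindow(windowRect, monitors, dwFlags = MONITOR_DEFAULTTONULL) {
  const monitor = monitorFromRect(windowRect, monitors, dwFlags);
  return monitor ? { hr: 0, monitor: monitor.name } : { hr: HR_NOT_FOUND, monitor: null };
}

// Split an HRESULT into its fields. For 0x80070490 the facility is 7
// (FACILITY_WIN32) and the code is 0x490 = 1168 (ERROR_NOT_FOUND).
function decodeHresult(hr) {
  const u = hr >>> 0;
  return {
    hex: '0x' + u.toString(16).padStart(8, '0'),
    failed: (u | 0) < 0, // the same test as `LauncherTipContextMenu < 0`
    facility: (u >>> 16) & 0x7ff,
    code: u & 0xffff,
  };
}

// Caller-side check modelled on the snippet above: a negative HRESULT throws.
function getStartButtonMenuItems(windowRect, monitors, dwFlags) {
  const result = queryServiceFromWindow(windowRect, monitors, dwFlags);
  if ((result.hr | 0) < 0) {
    throw new Error('HRESULT ' + decodeHresult(result.hr).hex);
  }
  return result.monitor;
}
```
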


Show Window Messages Sent In Time Travel Trace

Continuing from the previous look at tracking Progress Bar updates, this time we will look more generically at Windows messages being sent. This script plus breakpoint commands will produce output like below:

First we create a JavaScript function to translate the message ID to the constant name for well-known message IDs; this is helpful if you don’t know all the message ID values from memory. In this example we will assume we have saved this as C:\WinDbg\ShowMessageName.js

function ShowMessageName(msg)
{
	switch (parseInt(msg))
	{
	case 0:
		host.diagnostics.debugLog("WM_NULL");
		break;
	case 1:
		host.diagnostics.debugLog("WM_CREATE");
		break;
	case 2:
		host.diagnostics.debugLog("WM_DESTROY");
		break;
	case 3:
		host.diagnostics.debugLog("WM_MOVE");
		break;
	case 5:
		host.diagnostics.debugLog("WM_SIZE");
		break;
	case 6:
		host.diagnostics.debugLog("WM_ACTIVATE");
		break;
	case 7:
		host.diagnostics.debugLog("WM_SETFOCUS");
		break;
	case 8:
		host.diagnostics.debugLog("WM_KILLFOCUS");
		break;
	case 10:
		host.diagnostics.debugLog("WM_ENABLE");
		break;
	case 11:
		host.diagnostics.debugLog("WM_SETREDRAW");
		break;
	case 12:
		host.diagnostics.debugLog("WM_SETTEXT");
		break;
	case 13:
		host.diagnostics.debugLog("WM_GETTEXT");
		break;
	case 14:
		host.diagnostics.debugLog("WM_GETTEXTLENGTH");
		break;
	case 15:
		host.diagnostics.debugLog("WM_PAINT");
		break;
	case 16:
		host.diagnostics.debugLog("WM_CLOSE");
		break;
	case 17:
		host.diagnostics.debugLog("WM_QUERYENDSESSION");
		break;
	case 18:
		host.diagnostics.debugLog("WM_QUIT");
		break;
	case 19:
		host.diagnostics.debugLog("WM_QUERYOPEN");
		break;
	case 20:
		host.diagnostics.debugLog("WM_ERASEBKGND");
		break;
	case 21:
		host.diagnostics.debugLog("WM_SYSCOLORCHANGE");
		break;
	case 22:
		host.diagnostics.debugLog("WM_ENDSESSION");
		break;
	case 24:
		host.diagnostics.debugLog("WM_SHOWWINDOW");
		break;
	case 25:
		host.diagnostics.debugLog("WM_CTLCOLOR");
		break;
	case 26:
		host.diagnostics.debugLog("WM_WININICHANGE");
		break;
	case 27:
		host.diagnostics.debugLog("WM_DEVMODECHANGE");
		break;
	case 28:
		host.diagnostics.debugLog("WM_ACTIVATEAPP");
		break;
	case 29:
		host.diagnostics.debugLog("WM_FONTCHANGE");
		break;
	case 30:
		host.diagnostics.debugLog("WM_TIMECHANGE");
		break;
	case 31:
		host.diagnostics.debugLog("WM_CANCELMODE");
		break;
	case 32:
		host.diagnostics.debugLog("WM_SETCURSOR");
		break;
	case 33:
		host.diagnostics.debugLog("WM_MOUSEACTIVATE");
		break;
	case 34:
		host.diagnostics.debugLog("WM_CHILDACTIVATE");
		break;
	case 35:
		host.diagnostics.debugLog("WM_QUEUESYNC");
		break;
	case 36:
		host.diagnostics.debugLog("WM_GETMINMAXINFO");
		break;
	case 38:
		host.diagnostics.debugLog("WM_PAINTICON");
		break;
	case 39:
		host.diagnostics.debugLog("WM_ICONERASEBKGND");
		break;
	case 40:
		host.diagnostics.debugLog("WM_NEXTDLGCTL");
		break;
	case 42:
		host.diagnostics.debugLog("WM_SPOOLERSTATUS");
		break;
	case 43:
		host.diagnostics.debugLog("WM_DRAWITEM");
		break;
	case 44:
		host.diagnostics.debugLog("WM_MEASUREITEM");
		break;
	case 45:
		host.diagnostics.debugLog("WM_DELETEITEM");
		break;
	case 46:
		host.diagnostics.debugLog("WM_VKEYTOITEM");
		break;
	case 47:
		host.diagnostics.debugLog("WM_CHARTOITEM");
		break;
	case 48:
		host.diagnostics.debugLog("WM_SETFONT");
		break;
	case 49:
		host.diagnostics.debugLog("WM_GETFONT");
		break;
	case 50:
		host.diagnostics.debugLog("WM_SETHOTKEY");
		break;
	case 51:
		host.diagnostics.debugLog("WM_GETHOTKEY");
		break;
	case 55:
		host.diagnostics.debugLog("WM_QUERYDRAGICON");
		break;
	case 57:
		host.diagnostics.debugLog("WM_COMPAREITEM");
		break;
	case 61:
		host.diagnostics.debugLog("WM_GETOBJECT");
		break;
	case 65:
		host.diagnostics.debugLog("WM_COMPACTING");
		break;
	case 68:
		host.diagnostics.debugLog("WM_COMMNOTIFY");
		break;
	case 70:
		host.diagnostics.debugLog("WM_WINDOWPOSCHANGING");
		break;
	case 71:
		host.diagnostics.debugLog("WM_WINDOWPOSCHANGED");
		break;
	case 72:
		host.diagnostics.debugLog("WM_POWER");
		break;
	case 73:
		host.diagnostics.debugLog("WM_COPYGLOBALDATA");
		break;
	case 74:
		host.diagnostics.debugLog("WM_COPYDATA");
		break;
	case 75:
		host.diagnostics.debugLog("WM_CANCELJOURNAL");
		break;
	case 78:
		host.diagnostics.debugLog("WM_NOTIFY");
		break;
	case 80:
		host.diagnostics.debugLog("WM_INPUTLANGCHANGEREQUEST");
		break;
	case 81:
		host.diagnostics.debugLog("WM_INPUTLANGCHANGE");
		break;
	case 82:
		host.diagnostics.debugLog("WM_TCARD");
		break;
	case 83:
		host.diagnostics.debugLog("WM_HELP");
		break;
	case 84:
		host.diagnostics.debugLog("WM_USERCHANGED");
		break;
	case 85:
		host.diagnostics.debugLog("WM_NOTIFYFORMAT");
		break;
	case 123:
		host.diagnostics.debugLog("WM_CONTEXTMENU");
		break;
	case 124:
		host.diagnostics.debugLog("WM_STYLECHANGING");
		break;
	case 125:
		host.diagnostics.debugLog("WM_STYLECHANGED");
		break;
	case 126:
		host.diagnostics.debugLog("WM_DISPLAYCHANGE");
		break;
	case 127:
		host.diagnostics.debugLog("WM_GETICON");
		break;
	case 128:
		host.diagnostics.debugLog("WM_SETICON");
		break;
	case 129:
		host.diagnostics.debugLog("WM_NCCREATE");
		break;
	case 130:
		host.diagnostics.debugLog("WM_NCDESTROY");
		break;
	case 131:
		host.diagnostics.debugLog("WM_NCCALCSIZE");
		break;
	case 132:
		host.diagnostics.debugLog("WM_NCHITTEST");
		break;
	case 133:
		host.diagnostics.debugLog("WM_NCPAINT");
		break;
	case 134:
		host.diagnostics.debugLog("WM_NCACTIVATE");
		break;
	case 135:
		host.diagnostics.debugLog("WM_GETDLGCODE");
		break;
	case 136:
		host.diagnostics.debugLog("WM_SYNCPAINT");
		break;
	case 160:
		host.diagnostics.debugLog("WM_NCMOUSEMOVE");
		break;
	case 161:
		host.diagnostics.debugLog("WM_NCLBUTTONDOWN");
		break;
	case 162:
		host.diagnostics.debugLog("WM_NCLBUTTONUP");
		break;
	case 163:
		host.diagnostics.debugLog("WM_NCLBUTTONDBLCLK");
		break;
	case 164:
		host.diagnostics.debugLog("WM_NCRBUTTONDOWN");
		break;
	case 165:
		host.diagnostics.debugLog("WM_NCRBUTTONUP");
		break;
	case 166:
		host.diagnostics.debugLog("WM_NCRBUTTONDBLCLK");
		break;
	case 167:
		host.diagnostics.debugLog("WM_NCMBUTTONDOWN");
		break;
	case 168:
		host.diagnostics.debugLog("WM_NCMBUTTONUP");
		break;
	case 169:
		host.diagnostics.debugLog("WM_NCMBUTTONDBLCLK");
		break;
	case 171:
		host.diagnostics.debugLog("WM_NCXBUTTONDOWN");
		break;
	case 172:
		host.diagnostics.debugLog("WM_NCXBUTTONUP");
		break;
	case 173:
		host.diagnostics.debugLog("WM_NCXBUTTONDBLCLK");
		break;
	case 176:
		host.diagnostics.debugLog("EM_GETSEL");
		break;
	case 177:
		host.diagnostics.debugLog("EM_SETSEL");
		break;
	case 178:
		host.diagnostics.debugLog("EM_GETRECT");
		break;
	case 179:
		host.diagnostics.debugLog("EM_SETRECT");
		break;
	case 180:
		host.diagnostics.debugLog("EM_SETRECTNP");
		break;
	case 181:
		host.diagnostics.debugLog("EM_SCROLL");
		break;
	case 182:
		host.diagnostics.debugLog("EM_LINESCROLL");
		break;
	case 183:
		host.diagnostics.debugLog("EM_SCROLLCARET");
		break;
	case 184:
		host.diagnostics.debugLog("EM_GETMODIFY");
		break;
	case 185:
		host.diagnostics.debugLog("EM_SETMODIFY");
		break;
	case 186:
		host.diagnostics.debugLog("EM_GETLINECOUNT");
		break;
	case 187:
		host.diagnostics.debugLog("EM_LINEINDEX");
		break;
	case 188:
		host.diagnostics.debugLog("EM_SETHANDLE");
		break;
	case 189:
		host.diagnostics.debugLog("EM_GETHANDLE");
		break;
	case 190:
		host.diagnostics.debugLog("EM_GETTHUMB");
		break;
	case 193:
		host.diagnostics.debugLog("EM_LINELENGTH");
		break;
	case 194:
		host.diagnostics.debugLog("EM_REPLACESEL");
		break;
	case 195:
		host.diagnostics.debugLog("EM_SETFONT");
		break;
	case 196:
		host.diagnostics.debugLog("EM_GETLINE");
		break;
	case 197:
		// EM_LIMITTEXT and EM_SETLIMITTEXT share the same value; a second
		// "case 197" would never be reached, so both names are logged here.
		host.diagnostics.debugLog("EM_LIMITTEXT / EM_SETLIMITTEXT");
		break;
	case 198:
		host.diagnostics.debugLog("EM_CANUNDO");
		break;
	case 199:
		host.diagnostics.debugLog("EM_UNDO");
		break;
	case 200:
		host.diagnostics.debugLog("EM_FMTLINES");
		break;
	case 201:
		host.diagnostics.debugLog("EM_LINEFROMCHAR");
		break;
	case 202:
		host.diagnostics.debugLog("EM_SETWORDBREAK");
		break;
	case 203:
		host.diagnostics.debugLog("EM_SETTABSTOPS");
		break;
	case 204:
		host.diagnostics.debugLog("EM_SETPASSWORDCHAR");
		break;
	case 205:
		host.diagnostics.debugLog("EM_EMPTYUNDOBUFFER");
		break;
	case 206:
		host.diagnostics.debugLog("EM_GETFIRSTVISIBLELINE");
		break;
	case 207:
		host.diagnostics.debugLog("EM_SETREADONLY");
		break;
	case 208:
		host.diagnostics.debugLog("EM_SETWORDBREAKPROC");
		break;
	case 209:
		host.diagnostics.debugLog("EM_GETWORDBREAKPROC");
		break;
	case 210:
		host.diagnostics.debugLog("EM_GETPASSWORDCHAR");
		break;
	case 211:
		host.diagnostics.debugLog("EM_SETMARGINS");
		break;
	case 212:
		host.diagnostics.debugLog("EM_GETMARGINS");
		break;
	case 213:
		host.diagnostics.debugLog("EM_GETLIMITTEXT");
		break;
	case 214:
		host.diagnostics.debugLog("EM_POSFROMCHAR");
		break;
	case 215:
		host.diagnostics.debugLog("EM_CHARFROMPOS");
		break;
	case 216:
		host.diagnostics.debugLog("EM_SETIMESTATUS");
		break;
	case 217:
		host.diagnostics.debugLog("EM_GETIMESTATUS");
		break;
	case 224:
		host.diagnostics.debugLog("SBM_SETPOS");
		break;
	case 225:
		host.diagnostics.debugLog("SBM_GETPOS");
		break;
	case 226:
		host.diagnostics.debugLog("SBM_SETRANGE");
		break;
	case 227:
		host.diagnostics.debugLog("SBM_GETRANGE");
		break;
	case 228:
		host.diagnostics.debugLog("SBM_ENABLE_ARROWS");
		break;
	case 230:
		host.diagnostics.debugLog("SBM_SETRANGEREDRAW");
		break;
	case 233:
		host.diagnostics.debugLog("SBM_SETSCROLLINFO");
		break;
	case 234:
		host.diagnostics.debugLog("SBM_GETSCROLLINFO");
		break;
	case 235:
		host.diagnostics.debugLog("SBM_GETSCROLLBARINFO");
		break;
	case 240:
		host.diagnostics.debugLog("BM_GETCHECK");
		break;
	case 241:
		host.diagnostics.debugLog("BM_SETCHECK");
		break;
	case 242:
		host.diagnostics.debugLog("BM_GETSTATE");
		break;
	case 243:
		host.diagnostics.debugLog("BM_SETSTATE");
		break;
	case 244:
		host.diagnostics.debugLog("BM_SETSTYLE");
		break;
	case 245:
		host.diagnostics.debugLog("BM_CLICK");
		break;
	case 246:
		host.diagnostics.debugLog("BM_GETIMAGE");
		break;
	case 247:
		host.diagnostics.debugLog("BM_SETIMAGE");
		break;
	case 248:
		host.diagnostics.debugLog("BM_SETDONTCLICK");
		break;
	case 255:
		host.diagnostics.debugLog("WM_INPUT");
		break;
	case 256:
		host.diagnostics.debugLog("WM_KEYDOWN / WM_KEYFIRST");
		break;
	case 257:
		host.diagnostics.debugLog("WM_KEYUP");
		break;
	case 258:
		host.diagnostics.debugLog("WM_CHAR");
		break;
	case 259:
		host.diagnostics.debugLog("WM_DEADCHAR");
		break;
	case 260:
		host.diagnostics.debugLog("WM_SYSKEYDOWN");
		break;
	case 261:
		host.diagnostics.debugLog("WM_SYSKEYUP");
		break;
	case 262:
		host.diagnostics.debugLog("WM_SYSCHAR");
		break;
	case 263:
		host.diagnostics.debugLog("WM_SYSDEADCHAR");
		break;
	case 265:
		host.diagnostics.debugLog("WM_UNICHAR / WM_KEYLAST / WM_WNT_CONVERTREQUESTEX");
		break;
	case 266:
		host.diagnostics.debugLog("WM_CONVERTREQUEST");
		break;
	case 267:
		host.diagnostics.debugLog("WM_CONVERTRESULT");
		break;
	case 268:
		host.diagnostics.debugLog("WM_INTERIM");
		break;
	case 269:
		host.diagnostics.debugLog("WM_IME_STARTCOMPOSITION");
		break;
	case 270:
		host.diagnostics.debugLog("WM_IME_ENDCOMPOSITION");
		break;
	case 271:
		host.diagnostics.debugLog("WM_IME_COMPOSITION / WM_IME_KEYLAST");
		break;
	case 272:
		host.diagnostics.debugLog("WM_INITDIALOG");
		break;
	case 273:
		host.diagnostics.debugLog("WM_COMMAND");
		break;
	case 274:
		host.diagnostics.debugLog("WM_SYSCOMMAND");
		break;
	case 275:
		host.diagnostics.debugLog("WM_TIMER");
		break;
	case 276:
		host.diagnostics.debugLog("WM_HSCROLL");
		break;
	case 277:
		host.diagnostics.debugLog("WM_VSCROLL");
		break;
	case 278:
		host.diagnostics.debugLog("WM_INITMENU");
		break;
	case 279:
		host.diagnostics.debugLog("WM_INITMENUPOPUP");
		break;
	case 280:
		host.diagnostics.debugLog("WM_SYSTIMER");
		break;
	case 287:
		host.diagnostics.debugLog("WM_MENUSELECT");
		break;
	case 288:
		host.diagnostics.debugLog("WM_MENUCHAR");
		break;
	case 289:
		host.diagnostics.debugLog("WM_ENTERIDLE");
		break;
	case 290:
		host.diagnostics.debugLog("WM_MENURBUTTONUP");
		break;
	case 291:
		host.diagnostics.debugLog("WM_MENUDRAG");
		break;
	case 292:
		host.diagnostics.debugLog("WM_MENUGETOBJECT");
		break;
	case 293:
		host.diagnostics.debugLog("WM_UNINITMENUPOPUP");
		break;
	case 294:
		host.diagnostics.debugLog("WM_MENUCOMMAND");
		break;
	case 295:
		host.diagnostics.debugLog("WM_CHANGEUISTATE");
		break;
	case 296:
		host.diagnostics.debugLog("WM_UPDATEUISTATE");
		break;
	case 297:
		host.diagnostics.debugLog("WM_QUERYUISTATE");
		break;
	case 306:
		host.diagnostics.debugLog("WM_CTLCOLORMSGBOX");
		break;
	case 307:
		host.diagnostics.debugLog("WM_CTLCOLOREDIT");
		break;
	case 308:
		host.diagnostics.debugLog("WM_CTLCOLORLISTBOX");
		break;
	case 309:
		host.diagnostics.debugLog("WM_CTLCOLORBTN");
		break;
	case 310:
		host.diagnostics.debugLog("WM_CTLCOLORDLG");
		break;
	case 311:
		host.diagnostics.debugLog("WM_CTLCOLORSCROLLBAR");
		break;
	case 312:
		host.diagnostics.debugLog("WM_CTLCOLORSTATIC");
		break;
	case 512:
		host.diagnostics.debugLog("WM_MOUSEFIRST / WM_MOUSEMOVE");
		break;
	case 513:
		host.diagnostics.debugLog("WM_LBUTTONDOWN");
		break;
	case 514:
		host.diagnostics.debugLog("WM_LBUTTONUP");
		break;
	case 515:
		host.diagnostics.debugLog("WM_LBUTTONDBLCLK");
		break;
	case 516:
		host.diagnostics.debugLog("WM_RBUTTONDOWN");
		break;
	case 517:
		host.diagnostics.debugLog("WM_RBUTTONUP");
		break;
	case 518:
		host.diagnostics.debugLog("WM_RBUTTONDBLCLK");
		break;
	case 519:
		host.diagnostics.debugLog("WM_MBUTTONDOWN");
		break;
	case 520:
		host.diagnostics.debugLog("WM_MBUTTONUP");
		break;
	case 521:
		host.diagnostics.debugLog("WM_MBUTTONDBLCLK / WM_MOUSELAST");
		break;
	case 522:
		host.diagnostics.debugLog("WM_MOUSEWHEEL");
		break;
	case 523:
		host.diagnostics.debugLog("WM_XBUTTONDOWN");
		break;
	case 524:
		host.diagnostics.debugLog("WM_XBUTTONUP");
		break;
	case 525:
		host.diagnostics.debugLog("WM_XBUTTONDBLCLK");
		break;
	case 526:
		host.diagnostics.debugLog("WM_MOUSEHWHEEL");
		break;
	case 528:
		host.diagnostics.debugLog("WM_PARENTNOTIFY");
		break;
	case 529:
		host.diagnostics.debugLog("WM_ENTERMENULOOP");
		break;
	case 530:
		host.diagnostics.debugLog("WM_EXITMENULOOP");
		break;
	case 531:
		host.diagnostics.debugLog("WM_NEXTMENU");
		break;
	case 532:
		host.diagnostics.debugLog("WM_SIZING");
		break;
	case 533:
		host.diagnostics.debugLog("WM_CAPTURECHANGED");
		break;
	case 534:
		host.diagnostics.debugLog("WM_MOVING");
		break;
	case 536:
		host.diagnostics.debugLog("WM_POWERBROADCAST");
		break;
	case 537:
		host.diagnostics.debugLog("WM_DEVICECHANGE");
		break;
	case 544:
		host.diagnostics.debugLog("WM_MDICREATE");
		break;
	case 545:
		host.diagnostics.debugLog("WM_MDIDESTROY");
		break;
	case 546:
		host.diagnostics.debugLog("WM_MDIACTIVATE");
		break;
	case 547:
		host.diagnostics.debugLog("WM_MDIRESTORE");
		break;
	case 548:
		host.diagnostics.debugLog("WM_MDINEXT");
		break;
	case 549:
		host.diagnostics.debugLog("WM_MDIMAXIMIZE");
		break;
	case 550:
		host.diagnostics.debugLog("WM_MDITILE");
		break;
	case 551:
		host.diagnostics.debugLog("WM_MDICASCADE");
		break;
	case 552:
		host.diagnostics.debugLog("WM_MDIICONARRANGE");
		break;
	case 553:
		host.diagnostics.debugLog("WM_MDIGETACTIVE");
		break;
	case 560:
		host.diagnostics.debugLog("WM_MDISETMENU");
		break;
	case 561:
		host.diagnostics.debugLog("WM_ENTERSIZEMOVE");
		break;
	case 562:
		host.diagnostics.debugLog("WM_EXITSIZEMOVE");
		break;
	case 563:
		host.diagnostics.debugLog("WM_DROPFILES");
		break;
	case 564:
		host.diagnostics.debugLog("WM_MDIREFRESHMENU");
		break;
	case 640:
		host.diagnostics.debugLog("WM_IME_REPORT");
		break;
	case 641:
		host.diagnostics.debugLog("WM_IME_SETCONTEXT");
		break;
	case 642:
		host.diagnostics.debugLog("WM_IME_NOTIFY");
		break;
	case 643:
		host.diagnostics.debugLog("WM_IME_CONTROL");
		break;
	case 644:
		host.diagnostics.debugLog("WM_IME_COMPOSITIONFULL");
		break;
	case 645:
		host.diagnostics.debugLog("WM_IME_SELECT");
		break;
	case 646:
		host.diagnostics.debugLog("WM_IME_CHAR");
		break;
	case 648:
		host.diagnostics.debugLog("WM_IME_REQUEST");
		break;
	case 656:
		host.diagnostics.debugLog("WM_IMEKEYDOWN / WM_IME_KEYDOWN");
		break;
	case 657:
		host.diagnostics.debugLog("WM_IMEKEYUP / WM_IME_KEYUP");
		break;
	case 672:
		host.diagnostics.debugLog("WM_NCMOUSEHOVER");
		break;
	case 673:
		host.diagnostics.debugLog("WM_MOUSEHOVER");
		break;
	case 674:
		host.diagnostics.debugLog("WM_NCMOUSELEAVE");
		break;
	case 675:
		host.diagnostics.debugLog("WM_MOUSELEAVE");
		break;
	case 768:
		host.diagnostics.debugLog("WM_CUT");
		break;
	case 769:
		host.diagnostics.debugLog("WM_COPY");
		break;
	case 770:
		host.diagnostics.debugLog("WM_PASTE");
		break;
	case 771:
		host.diagnostics.debugLog("WM_CLEAR");
		break;
	case 772:
		host.diagnostics.debugLog("WM_UNDO");
		break;
	case 773:
		host.diagnostics.debugLog("WM_RENDERFORMAT");
		break;
	case 774:
		host.diagnostics.debugLog("WM_RENDERALLFORMATS");
		break;
	case 775:
		host.diagnostics.debugLog("WM_DESTROYCLIPBOARD");
		break;
	case 776:
		host.diagnostics.debugLog("WM_DRAWCLIPBOARD");
		break;
	case 777:
		host.diagnostics.debugLog("WM_PAINTCLIPBOARD");
		break;
	case 778:
		host.diagnostics.debugLog("WM_VSCROLLCLIPBOARD");
		break;
	case 779:
		host.diagnostics.debugLog("WM_SIZECLIPBOARD");
		break;
	case 780:
		host.diagnostics.debugLog("WM_ASKCBFORMATNAME");
		break;
	case 781:
		host.diagnostics.debugLog("WM_CHANGECBCHAIN");
		break;
	case 782:
		host.diagnostics.debugLog("WM_HSCROLLCLIPBOARD");
		break;
	case 783:
		host.diagnostics.debugLog("WM_QUERYNEWPALETTE");
		break;
	case 784:
		host.diagnostics.debugLog("WM_PALETTEISCHANGING");
		break;
	case 785:
		host.diagnostics.debugLog("WM_PALETTECHANGED");
		break;
	case 786:
		host.diagnostics.debugLog("WM_HOTKEY");
		break;
	case 791:
		host.diagnostics.debugLog("WM_PRINT");
		break;
	case 792:
		host.diagnostics.debugLog("WM_PRINTCLIENT");
		break;
	case 793:
		host.diagnostics.debugLog("WM_APPCOMMAND");
		break;
	case 856:
		host.diagnostics.debugLog("WM_HANDHELDFIRST");
		break;
	case 863:
		host.diagnostics.debugLog("WM_HANDHELDLAST");
		break;
	case 864:
		host.diagnostics.debugLog("WM_AFXFIRST");
		break;
	case 895:
		host.diagnostics.debugLog("WM_AFXLAST");
		break;
	case 896:
		host.diagnostics.debugLog("WM_PENWINFIRST");
		break;
	case 897:
		host.diagnostics.debugLog("WM_RCRESULT");
		break;
	case 898:
		host.diagnostics.debugLog("WM_HOOKRCRESULT");
		break;
	case 899:
		host.diagnostics.debugLog("WM_GLOBALRCCHANGE / WM_PENMISCINFO");
		break;
	case 900:
		host.diagnostics.debugLog("WM_SKB");
		break;
	case 901:
		host.diagnostics.debugLog("WM_HEDITCTL / WM_PENCTL");
		break;
	case 902:
		host.diagnostics.debugLog("WM_PENMISC");
		break;
	case 903:
		host.diagnostics.debugLog("WM_CTLINIT");
		break;
	case 904:
		host.diagnostics.debugLog("WM_PENEVENT");
		break;
	case 911:
		host.diagnostics.debugLog("WM_PENWINLAST");
		break;
	// From WM_USER (1024) upward the values are control-specific, so one number
	// maps to several names. Duplicate case labels after the first are never
	// reached in JavaScript, so each value gets one case listing every name.
	case 1024:
		host.diagnostics.debugLog("DDM_SETFMT / DM_GETDEFID / NIN_SELECT / TBM_GETPOS / WM_PSD_PAGESETUPDLG / WM_USER");
		break;
	case 1025:
		host.diagnostics.debugLog("CBEM_INSERTITEMA / DDM_DRAW / DM_SETDEFID / HKM_SETHOTKEY / PBM_SETRANGE / RB_INSERTBANDA / SB_SETTEXTA / TB_ENABLEBUTTON / TBM_GETRANGEMIN / TTM_ACTIVATE / WM_CHOOSEFONT_GETLOGFONT / WM_PSD_FULLPAGERECT");
		break;
	case 1026:
		host.diagnostics.debugLog("CBEM_SETIMAGELIST / DDM_CLOSE / DM_REPOSITION / HKM_GETHOTKEY / PBM_SETPOS / RB_DELETEBAND / SB_GETTEXTA / TB_CHECKBUTTON / TBM_GETRANGEMAX / WM_PSD_MINMARGINRECT");
		break;
	case 1027:
		host.diagnostics.debugLog("CBEM_GETIMAGELIST / DDM_BEGIN / HKM_SETRULES / PBM_DELTAPOS / RB_GETBARINFO / SB_GETTEXTLENGTHA / TBM_GETTIC / TB_PRESSBUTTON / TTM_SETDELAYTIME / WM_PSD_MARGINRECT");
		break;
	case 1028:
		host.diagnostics.debugLog("CBEM_GETITEMA / DDM_END / PBM_SETSTEP / RB_SETBARINFO / SB_SETPARTS / TB_HIDEBUTTON / TBM_SETTIC / TTM_ADDTOOLA / WM_PSD_GREEKTEXTRECT");
		break;
	case 1029:
		host.diagnostics.debugLog("CBEM_SETITEMA / PBM_STEPIT / TB_INDETERMINATE / TBM_SETPOS / TTM_DELTOOLA / WM_PSD_ENVSTAMPRECT");
		break;
	case 1030:
		host.diagnostics.debugLog("CBEM_GETCOMBOCONTROL / PBM_SETRANGE32 / RB_SETBANDINFOA / SB_GETPARTS / TB_MARKBUTTON / TBM_SETRANGE / TTM_NEWTOOLRECTA / WM_PSD_YAFULLPAGERECT");
		break;
	case 1031:
		host.diagnostics.debugLog("CBEM_GETEDITCONTROL / PBM_GETRANGE / RB_SETPARENT / SB_GETBORDERS / TBM_SETRANGEMIN / TTM_RELAYEVENT");
		break;
	case 1032:
		host.diagnostics.debugLog("CBEM_SETEXSTYLE / PBM_GETPOS / RB_HITTEST / SB_SETMINHEIGHT / TBM_SETRANGEMAX / TTM_GETTOOLINFOA");
		break;
	case 1033:
		host.diagnostics.debugLog("CBEM_GETEXSTYLE / CBEM_GETEXTENDEDSTYLE / PBM_SETBARCOLOR / RB_GETRECT / SB_SIMPLE / TB_ISBUTTONENABLED / TBM_CLEARTICS / TTM_SETTOOLINFOA");
		break;
	case 1034:
		host.diagnostics.debugLog("CBEM_HASEDITCHANGED / RB_INSERTBANDW / SB_GETRECT / TB_ISBUTTONCHECKED / TBM_SETSEL / TTM_HITTESTA / WIZ_QUERYNUMPAGES");
		break;
	case 1035:
		host.diagnostics.debugLog("CBEM_INSERTITEMW / RB_SETBANDINFOW / SB_SETTEXTW / TB_ISBUTTONPRESSED / TBM_SETSELSTART / TTM_GETTEXTA / WIZ_NEXT");
		break;
	case 1036:
		host.diagnostics.debugLog("CBEM_SETITEMW / RB_GETBANDCOUNT / SB_GETTEXTLENGTHW / TB_ISBUTTONHIDDEN / TBM_SETSELEND / TTM_UPDATETIPTEXTA / WIZ_PREV");
		break;
	case 1037:
		host.diagnostics.debugLog("CBEM_GETITEMW / RB_GETROWCOUNT / SB_GETTEXTW / TB_ISBUTTONINDETERMINATE / TTM_GETTOOLCOUNT");
		break;
	case 1038:
		host.diagnostics.debugLog("CBEM_SETEXTENDEDSTYLE / RB_GETROWHEIGHT / SB_ISSIMPLE / TB_ISBUTTONHIGHLIGHTED / TBM_GETPTICS / TTM_ENUMTOOLSA");
		break;
	case 1039:
		host.diagnostics.debugLog("SB_SETICON / TBM_GETTICPOS / TTM_GETCURRENTTOOLA");
		break;
	case 1040:
		host.diagnostics.debugLog("RB_IDTOINDEX / SB_SETTIPTEXTA / TBM_GETNUMTICS / TTM_WINDOWFROMPOINT");
		break;
	case 1041:
		host.diagnostics.debugLog("RB_GETTOOLTIPS / SB_SETTIPTEXTW / TBM_GETSELSTART / TB_SETSTATE / TTM_TRACKACTIVATE");
		break;
	case 1042:
		host.diagnostics.debugLog("RB_SETTOOLTIPS / SB_GETTIPTEXTA / TB_GETSTATE / TBM_GETSELEND / TTM_TRACKPOSITION");
		break;
	case 1043:
		host.diagnostics.debugLog("RB_SETBKCOLOR / SB_GETTIPTEXTW / TB_ADDBITMAP / TBM_CLEARSEL / TTM_SETTIPBKCOLOR");
		break;
	case 1044:
		host.diagnostics.debugLog("RB_GETBKCOLOR / SB_GETICON / TB_ADDBUTTONSA / TBM_SETTICFREQ / TTM_SETTIPTEXTCOLOR");
		break;
	case 1045:
		host.diagnostics.debugLog("RB_SETTEXTCOLOR / TB_INSERTBUTTONA / TBM_SETPAGESIZE / TTM_GETDELAYTIME");
		break;
	case 1046:
		host.diagnostics.debugLog("RB_GETTEXTCOLOR / TB_DELETEBUTTON / TBM_GETPAGESIZE / TTM_GETTIPBKCOLOR");
		break;
	case 1047:
		host.diagnostics.debugLog("RB_SIZETORECT / TB_GETBUTTON / TBM_SETLINESIZE / TTM_GETTIPTEXTCOLOR");
		break;
	case 1048:
		host.diagnostics.debugLog("RB_BEGINDRAG / TB_BUTTONCOUNT / TBM_GETLINESIZE / TTM_SETMAXTIPWIDTH");
		break;
	case 1049:
		host.diagnostics.debugLog("RB_ENDDRAG / TB_COMMANDTOINDEX / TBM_GETTHUMBRECT / TTM_GETMAXTIPWIDTH");
		break;
	case 1050:
		host.diagnostics.debugLog("RB_DRAGMOVE / TBM_GETCHANNELRECT / TB_SAVERESTOREA / TTM_SETMARGIN");
		break;
	case 1051:
		host.diagnostics.debugLog("RB_GETBARHEIGHT / TB_CUSTOMIZE / TBM_SETTHUMBLENGTH / TTM_GETMARGIN");
		break;
	case 1052:
		host.diagnostics.debugLog("RB_GETBANDINFOW / TB_ADDSTRINGA / TBM_GETTHUMBLENGTH / TTM_POP");
		break;
	case 1053:
		host.diagnostics.debugLog("RB_GETBANDINFOA / TB_GETITEMRECT / TBM_SETTOOLTIPS / TTM_UPDATE");
		break;
	case 1054:
		host.diagnostics.debugLog("RB_MINIMIZEBAND / TB_BUTTONSTRUCTSIZE / TBM_GETTOOLTIPS / TTM_GETBUBBLESIZE");
		break;
	case 1055:
		host.diagnostics.debugLog("RB_MAXIMIZEBAND / TBM_SETTIPSIDE / TB_SETBUTTONSIZE / TTM_ADJUSTRECT");
		break;
	case 1056:
		host.diagnostics.debugLog("TBM_SETBUDDY / TB_SETBITMAPSIZE / TTM_SETTITLEA");
		break;
	case 1057:
		host.diagnostics.debugLog("MSG_FTS_JUMP_VA / TB_AUTOSIZE / TBM_GETBUDDY / TTM_SETTITLEW");
		break;
	case 1058:
		host.diagnostics.debugLog("RB_GETBANDBORDERS");
		break;
	case 1059:
		host.diagnostics.debugLog("MSG_FTS_JUMP_QWORD / RB_SHOWBAND / TB_GETTOOLTIPS");
		break;
	case 1060:
		host.diagnostics.debugLog("MSG_REINDEX_REQUEST / TB_SETTOOLTIPS");
		break;
	case 1061:
		host.diagnostics.debugLog("MSG_FTS_WHERE_IS_IT / RB_SETPALETTE / TB_SETPARENT");
		break;
	case 1062:
		host.diagnostics.debugLog("RB_GETPALETTE");
		break;
	case 1063:
		host.diagnostics.debugLog("RB_MOVEBAND / TB_SETROWS");
		break;
	case 1064:
		host.diagnostics.debugLog("TB_GETROWS");
		break;
	case 1065:
		host.diagnostics.debugLog("TB_GETBITMAPFLAGS");
		break;
	case 1066:
		host.diagnostics.debugLog("TB_SETCMDID");
		break;
	case 1067:
		host.diagnostics.debugLog("RB_PUSHCHEVRON / TB_CHANGEBITMAP");
		break;
	case 1068:
		host.diagnostics.debugLog("TB_GETBITMAP");
		break;
	case 1069:
		host.diagnostics.debugLog("MSG_GET_DEFFONT / TB_GETBUTTONTEXTA");
		break;
	case 1070:
		host.diagnostics.debugLog("TB_REPLACEBITMAP");
		break;
	case 1071:
		host.diagnostics.debugLog("TB_SETINDENT");
		break;
	case 1072:
		host.diagnostics.debugLog("TB_SETIMAGELIST");
		break;
	case 1073:
		host.diagnostics.debugLog("TB_GETIMAGELIST");
		break;
	case 1074:
		host.diagnostics.debugLog("TB_LOADIMAGES / EM_CANPASTE / TTM_ADDTOOLW");
		break;
	case 1075:
		host.diagnostics.debugLog("EM_DISPLAYBAND / TB_GETRECT / TTM_DELTOOLW");
		break;
	case 1076:
		host.diagnostics.debugLog("EM_EXGETSEL / TB_SETHOTIMAGELIST / TTM_NEWTOOLRECTW");
		break;
	case 1077:
		host.diagnostics.debugLog("EM_EXLIMITTEXT / TB_GETHOTIMAGELIST / TTM_GETTOOLINFOW");
		break;
	case 1078:
		host.diagnostics.debugLog("EM_EXLINEFROMCHAR / TB_SETDISABLEDIMAGELIST / TTM_SETTOOLINFOW");
		break;
	case 1079:
		host.diagnostics.debugLog("EM_EXSETSEL / TB_GETDISABLEDIMAGELIST / TTM_HITTESTW");
		break;
	case 1080:
		host.diagnostics.debugLog("EM_FINDTEXT / TB_SETSTYLE / TTM_GETTEXTW");
		break;
	case 1081:
		host.diagnostics.debugLog("EM_FORMATRANGE / TB_GETSTYLE / TTM_UPDATETIPTEXTW");
		break;
	case 1082:
		host.diagnostics.debugLog("EM_GETCHARFORMAT / TB_GETBUTTONSIZE / TTM_ENUMTOOLSW");
		break;
	case 1083:
		host.diagnostics.debugLog("EM_GETEVENTMASK / TB_SETBUTTONWIDTH / TTM_GETCURRENTTOOLW");
		break;
	case 1084:
		host.diagnostics.debugLog("EM_GETOLEINTERFACE / TB_SETMAXTEXTROWS");
		break;
	case 1085:
		host.diagnostics.debugLog("EM_GETPARAFORMAT / TB_GETTEXTROWS");
		break;
	case 1086:
		host.diagnostics.debugLog("EM_GETSELTEXT / TB_GETOBJECT");
		break;
	case 1087:
		host.diagnostics.debugLog("EM_HIDESELECTION / TB_GETBUTTONINFOW");
		break;
	case 1088:
		host.diagnostics.debugLog("EM_PASTESPECIAL / TB_SETBUTTONINFOW");
		break;
	case 1089:
		host.diagnostics.debugLog("EM_REQUESTRESIZE / TB_GETBUTTONINFOA");
		break;
	case 1090:
		host.diagnostics.debugLog("EM_SELECTIONTYPE / TB_SETBUTTONINFOA");
		break;
	case 1091:
		host.diagnostics.debugLog("EM_SETBKGNDCOLOR / TB_INSERTBUTTONW");
		break;
	case 1092:
		host.diagnostics.debugLog("EM_SETCHARFORMAT / TB_ADDBUTTONSW");
		break;
	case 1093:
		host.diagnostics.debugLog("EM_SETEVENTMASK / TB_HITTEST");
		break;
	case 1094:
		host.diagnostics.debugLog("EM_SETOLECALLBACK / TB_SETDRAWTEXTFLAGS");
		break;
	case 1095:
		host.diagnostics.debugLog("EM_SETPARAFORMAT / TB_GETHOTITEM");
		break;
	case 1096:
		host.diagnostics.debugLog("EM_SETTARGETDEVICE / TB_SETHOTITEM");
		break;
	case 1097:
		host.diagnostics.debugLog("EM_STREAMIN / TB_SETANCHORHIGHLIGHT");
		break;
	case 1098:
		host.diagnostics.debugLog("EM_STREAMOUT / TB_GETANCHORHIGHLIGHT");
		break;
	case 1099:
		host.diagnostics.debugLog("EM_GETTEXTRANGE / TB_GETBUTTONTEXTW");
		break;
	case 1100:
		host.diagnostics.debugLog("EM_FINDWORDBREAK / TB_SAVERESTOREW");
		break;
	case 1101:
		host.diagnostics.debugLog("EM_SETOPTIONS / TB_ADDSTRINGW");
		break;
	case 1102:
		host.diagnostics.debugLog("EM_GETOPTIONS / TB_MAPACCELERATORA");
		break;
	case 1103:
		host.diagnostics.debugLog("EM_FINDTEXTEX / TB_GETINSERTMARK");
		break;
	case 1104:
		host.diagnostics.debugLog("EM_GETWORDBREAKPROCEX / TB_SETINSERTMARK");
		break;
	case 1105:
		host.diagnostics.debugLog("EM_SETWORDBREAKPROCEX / TB_INSERTMARKHITTEST");
		break;
	case 1106:
		host.diagnostics.debugLog("EM_SETUNDOLIMIT / TB_MOVEBUTTON");
		break;
	case 1107:
		host.diagnostics.debugLog("TB_GETMAXSIZE");
		break;
	case 1108:
		host.diagnostics.debugLog("EM_REDO / TB_SETEXTENDEDSTYLE");
		break;
	case 1109:
		host.diagnostics.debugLog("EM_CANREDO / TB_GETEXTENDEDSTYLE");
		break;
	case 1110:
		host.diagnostics.debugLog("EM_GETUNDONAME / TB_GETPADDING");
		break;
	case 1111:
		host.diagnostics.debugLog("EM_GETREDONAME / TB_SETPADDING");
		break;
	case 1112:
		host.diagnostics.debugLog("EM_STOPGROUPTYPING / TB_SETINSERTMARKCOLOR");
		break;
	case 1113:
		host.diagnostics.debugLog("EM_SETTEXTMODE / TB_GETINSERTMARKCOLOR");
		break;
	case 1114:
		host.diagnostics.debugLog("EM_GETTEXTMODE / TB_MAPACCELERATORW");
		break;
	case 1115:
		host.diagnostics.debugLog("EM_AUTOURLDETECT / TB_GETSTRINGW");
		break;
	case 1116:
		host.diagnostics.debugLog("EM_GETAUTOURLDETECT / TB_GETSTRINGA");
		break;
	case 1117:
		host.diagnostics.debugLog("EM_SETPALETTE");
		break;
	case 1118:
		host.diagnostics.debugLog("EM_GETTEXTEX");
		break;
	case 1119:
		host.diagnostics.debugLog("EM_GETTEXTLENGTHEX");
		break;
	case 1120:
		host.diagnostics.debugLog("EM_SHOWSCROLLBAR");
		break;
	case 1121:
		host.diagnostics.debugLog("EM_SETTEXTEX");
		break;
	case 1123:
		host.diagnostics.debugLog("TAPI_REPLY");
		break;
	case 1124:
		host.diagnostics.debugLog("ACM_OPENA");
		break;
	case 1124:
		host.diagnostics.debugLog("BFFM_SETSTATUSTEXTA");
		break;
	case 1124:
		host.diagnostics.debugLog("CDM_FIRST");
		break;
	case 1124:
		host.diagnostics.debugLog("CDM_GETSPEC");
		break;
	case 1124:
		host.diagnostics.debugLog("EM_SETPUNCTUATION");
		break;
	case 1124:
		host.diagnostics.debugLog("IPM_CLEARADDRESS");
		break;
	case 1124:
		host.diagnostics.debugLog("WM_CAP_UNICODE_START");
		break;
	case 1125:
		host.diagnostics.debugLog("ACM_PLAY");
		break;
	case 1125:
		host.diagnostics.debugLog("BFFM_ENABLEOK");
		break;
	case 1125:
		host.diagnostics.debugLog("CDM_GETFILEPATH");
		break;
	case 1125:
		host.diagnostics.debugLog("EM_GETPUNCTUATION");
		break;
	case 1125:
		host.diagnostics.debugLog("IPM_SETADDRESS");
		break;
	case 1125:
		host.diagnostics.debugLog("PSM_SETCURSEL");
		break;
	case 1125:
		host.diagnostics.debugLog("UDM_SETRANGE");
		break;
	case 1125:
		host.diagnostics.debugLog("WM_CHOOSEFONT_SETLOGFONT");
		break;
	case 1126:
		host.diagnostics.debugLog("ACM_STOP");
		break;
	case 1126:
		host.diagnostics.debugLog("BFFM_SETSELECTIONA");
		break;
	case 1126:
		host.diagnostics.debugLog("CDM_GETFOLDERPATH");
		break;
	case 1126:
		host.diagnostics.debugLog("EM_SETWORDWRAPMODE");
		break;
	case 1126:
		host.diagnostics.debugLog("IPM_GETADDRESS");
		break;
	case 1126:
		host.diagnostics.debugLog("PSM_REMOVEPAGE");
		break;
	case 1126:
		host.diagnostics.debugLog("UDM_GETRANGE");
		break;
	case 1126:
		host.diagnostics.debugLog("WM_CAP_SET_CALLBACK_ERRORW");
		break;
	case 1126:
		host.diagnostics.debugLog("WM_CHOOSEFONT_SETFLAGS");
		break;
	case 1127:
		host.diagnostics.debugLog("ACM_OPENW");
		break;
	case 1127:
		host.diagnostics.debugLog("BFFM_SETSELECTIONW");
		break;
	case 1127:
		host.diagnostics.debugLog("CDM_GETFOLDERIDLIST");
		break;
	case 1127:
		host.diagnostics.debugLog("EM_GETWORDWRAPMODE");
		break;
	case 1127:
		host.diagnostics.debugLog("IPM_SETRANGE");
		break;
	case 1127:
		host.diagnostics.debugLog("PSM_ADDPAGE");
		break;
	case 1127:
		host.diagnostics.debugLog("UDM_SETPOS");
		break;
	case 1127:
		host.diagnostics.debugLog("WM_CAP_SET_CALLBACK_STATUSW");
		break;
	case 1128:
		host.diagnostics.debugLog("BFFM_SETSTATUSTEXTW");
		break;
	case 1128:
		host.diagnostics.debugLog("CDM_SETCONTROLTEXT");
		break;
	case 1128:
		host.diagnostics.debugLog("EM_SETIMECOLOR");
		break;
	case 1128:
		host.diagnostics.debugLog("IPM_SETFOCUS");
		break;
	case 1128:
		host.diagnostics.debugLog("PSM_CHANGED");
		break;
	case 1128:
		host.diagnostics.debugLog("UDM_GETPOS");
		break;
	case 1129:
		host.diagnostics.debugLog("CDM_HIDECONTROL");
		break;
	case 1129:
		host.diagnostics.debugLog("EM_GETIMECOLOR");
		break;
	case 1129:
		host.diagnostics.debugLog("IPM_ISBLANK");
		break;
	case 1129:
		host.diagnostics.debugLog("PSM_RESTARTWINDOWS");
		break;
	case 1129:
		host.diagnostics.debugLog("UDM_SETBUDDY");
		break;
	case 1130:
		host.diagnostics.debugLog("CDM_SETDEFEXT");
		break;
	case 1130:
		host.diagnostics.debugLog("EM_SETIMEOPTIONS");
		break;
	case 1130:
		host.diagnostics.debugLog("PSM_REBOOTSYSTEM");
		break;
	case 1130:
		host.diagnostics.debugLog("UDM_GETBUDDY");
		break;
	case 1131:
		host.diagnostics.debugLog("EM_GETIMEOPTIONS");
		break;
	case 1131:
		host.diagnostics.debugLog("PSM_CANCELTOCLOSE");
		break;
	case 1131:
		host.diagnostics.debugLog("UDM_SETACCEL");
		break;
	case 1132:
		host.diagnostics.debugLog("EM_CONVPOSITION");
		break;
	case 1132:
		host.diagnostics.debugLog("PSM_QUERYSIBLINGS");
		break;
	case 1132:
		host.diagnostics.debugLog("UDM_GETACCEL");
		break;
	case 1133:
		host.diagnostics.debugLog("MCIWNDM_GETZOOM");
		break;
	case 1133:
		host.diagnostics.debugLog("PSM_UNCHANGED");
		break;
	case 1133:
		host.diagnostics.debugLog("UDM_SETBASE");
		break;
	case 1134:
		host.diagnostics.debugLog("PSM_APPLY");
		break;
	case 1134:
		host.diagnostics.debugLog("UDM_GETBASE");
		break;
	case 1135:
		host.diagnostics.debugLog("PSM_SETTITLEA");
		break;
	case 1135:
		host.diagnostics.debugLog("UDM_SETRANGE32");
		break;
	case 1136:
		host.diagnostics.debugLog("PSM_SETWIZBUTTONS");
		break;
	case 1136:
		host.diagnostics.debugLog("UDM_GETRANGE32");
		break;
	case 1136:
		host.diagnostics.debugLog("WM_CAP_DRIVER_GET_NAMEW");
		break;
	case 1137:
		host.diagnostics.debugLog("PSM_PRESSBUTTON");
		break;
	case 1137:
		host.diagnostics.debugLog("UDM_SETPOS32");
		break;
	case 1137:
		host.diagnostics.debugLog("WM_CAP_DRIVER_GET_VERSIONW");
		break;
	case 1138:
		host.diagnostics.debugLog("PSM_SETCURSELID");
		break;
	case 1138:
		host.diagnostics.debugLog("UDM_GETPOS32");
		break;
	case 1139:
		host.diagnostics.debugLog("PSM_SETFINISHTEXTA");
		break;
	case 1140:
		host.diagnostics.debugLog("PSM_GETTABCONTROL");
		break;
	case 1141:
		host.diagnostics.debugLog("PSM_ISDIALOGMESSAGE");
		break;
	case 1142:
		host.diagnostics.debugLog("MCIWNDM_REALIZE");
		break;
	case 1142:
		host.diagnostics.debugLog("PSM_GETCURRENTPAGEHWND");
		break;
	case 1143:
		host.diagnostics.debugLog("MCIWNDM_SETTIMEFORMATA");
		break;
	case 1143:
		host.diagnostics.debugLog("PSM_INSERTPAGE");
		break;
	case 1144:
		host.diagnostics.debugLog("EM_SETLANGOPTIONS");
		break;
	case 1144:
		host.diagnostics.debugLog("MCIWNDM_GETTIMEFORMATA");
		break;
	case 1144:
		host.diagnostics.debugLog("PSM_SETTITLEW");
		break;
	case 1144:
		host.diagnostics.debugLog("WM_CAP_FILE_SET_CAPTURE_FILEW");
		break;
	case 1145:
		host.diagnostics.debugLog("EM_GETLANGOPTIONS");
		break;
	case 1145:
		host.diagnostics.debugLog("MCIWNDM_VALIDATEMEDIA");
		break;
	case 1145:
		host.diagnostics.debugLog("PSM_SETFINISHTEXTW");
		break;
	case 1145:
		host.diagnostics.debugLog("WM_CAP_FILE_GET_CAPTURE_FILEW");
		break;
	case 1146:
		host.diagnostics.debugLog("EM_GETIMECOMPMODE");
		break;
	case 1147:
		host.diagnostics.debugLog("EM_FINDTEXTW");
		break;
	case 1147:
		host.diagnostics.debugLog("MCIWNDM_PLAYTO");
		break;
	case 1147:
		host.diagnostics.debugLog("WM_CAP_FILE_SAVEASW");
		break;
	case 1148:
		host.diagnostics.debugLog("EM_FINDTEXTEXW");
		break;
	case 1148:
		host.diagnostics.debugLog("MCIWNDM_GETFILENAMEA");
		break;
	case 1149:
		host.diagnostics.debugLog("EM_RECONVERSION");
		break;
	case 1149:
		host.diagnostics.debugLog("MCIWNDM_GETDEVICEA");
		break;
	case 1149:
		host.diagnostics.debugLog("PSM_SETHEADERTITLEA");
		break;
	case 1149:
		host.diagnostics.debugLog("WM_CAP_FILE_SAVEDIBW");
		break;
	case 1150:
		host.diagnostics.debugLog("EM_SETIMEMODEBIAS");
		break;
	case 1150:
		host.diagnostics.debugLog("MCIWNDM_GETPALETTE");
		break;
	case 1150:
		host.diagnostics.debugLog("PSM_SETHEADERTITLEW");
		break;
	case 1151:
		host.diagnostics.debugLog("EM_GETIMEMODEBIAS");
		break;
	case 1151:
		host.diagnostics.debugLog("MCIWNDM_SETPALETTE");
		break;
	case 1151:
		host.diagnostics.debugLog("PSM_SETHEADERSUBTITLEA");
		break;
	case 1152:
		host.diagnostics.debugLog("MCIWNDM_GETERRORA");
		break;
	case 1152:
		host.diagnostics.debugLog("PSM_SETHEADERSUBTITLEW");
		break;
	case 1153:
		host.diagnostics.debugLog("PSM_HWNDTOINDEX");
		break;
	case 1154:
		host.diagnostics.debugLog("PSM_INDEXTOHWND");
		break;
	case 1155:
		host.diagnostics.debugLog("MCIWNDM_SETINACTIVETIMER");
		break;
	case 1155:
		host.diagnostics.debugLog("PSM_PAGETOINDEX");
		break;
	case 1156:
		host.diagnostics.debugLog("PSM_INDEXTOPAGE");
		break;
	case 1157:
		host.diagnostics.debugLog("DL_BEGINDRAG");
		break;
	case 1157:
		host.diagnostics.debugLog("MCIWNDM_GETINACTIVETIMER");
		break;
	case 1157:
		host.diagnostics.debugLog("PSM_IDTOINDEX");
		break;
	case 1158:
		host.diagnostics.debugLog("DL_DRAGGING");
		break;
	case 1158:
		host.diagnostics.debugLog("PSM_INDEXTOID");
		break;
	case 1159:
		host.diagnostics.debugLog("DL_DROPPED");
		break;
	case 1159:
		host.diagnostics.debugLog("PSM_GETRESULT");
		break;
	case 1160:
		host.diagnostics.debugLog("DL_CANCELDRAG");
		break;
	case 1160:
		host.diagnostics.debugLog("PSM_RECALCPAGESIZES");
		break;
	case 1164:
		host.diagnostics.debugLog("MCIWNDM_GET_SOURCE");
		break;
	case 1165:
		host.diagnostics.debugLog("MCIWNDM_PUT_SOURCE");
		break;
	case 1166:
		host.diagnostics.debugLog("MCIWNDM_GET_DEST");
		break;
	case 1167:
		host.diagnostics.debugLog("MCIWNDM_PUT_DEST");
		break;
	case 1168:
		host.diagnostics.debugLog("MCIWNDM_CAN_PLAY");
		break;
	case 1169:
		host.diagnostics.debugLog("MCIWNDM_CAN_WINDOW");
		break;
	case 1170:
		host.diagnostics.debugLog("MCIWNDM_CAN_RECORD");
		break;
	case 1171:
		host.diagnostics.debugLog("MCIWNDM_CAN_SAVE");
		break;
	case 1172:
		host.diagnostics.debugLog("MCIWNDM_CAN_EJECT");
		break;
	case 1173:
		host.diagnostics.debugLog("MCIWNDM_CAN_CONFIG");
		break;
	case 1174:
		host.diagnostics.debugLog("IE_GETINK");
		break;
	case 1174:
		host.diagnostics.debugLog("IE_MSGFIRST");
		break;
	case 1174:
		host.diagnostics.debugLog("MCIWNDM_PALETTEKICK");
		break;
	case 1175:
		host.diagnostics.debugLog("IE_SETINK");
		break;
	case 1176:
		host.diagnostics.debugLog("IE_GETPENTIP");
		break;
	case 1177:
		host.diagnostics.debugLog("IE_SETPENTIP");
		break;
	case 1178:
		host.diagnostics.debugLog("IE_GETERASERTIP");
		break;
	case 1179:
		host.diagnostics.debugLog("IE_SETERASERTIP");
		break;
	case 1180:
		host.diagnostics.debugLog("IE_GETBKGND");
		break;
	case 1181:
		host.diagnostics.debugLog("IE_SETBKGND");
		break;
	case 1182:
		host.diagnostics.debugLog("IE_GETGRIDORIGIN");
		break;
	case 1183:
		host.diagnostics.debugLog("IE_SETGRIDORIGIN");
		break;
	case 1184:
		host.diagnostics.debugLog("IE_GETGRIDPEN");
		break;
	case 1185:
		host.diagnostics.debugLog("IE_SETGRIDPEN");
		break;
	case 1186:
		host.diagnostics.debugLog("IE_GETGRIDSIZE");
		break;
	case 1187:
		host.diagnostics.debugLog("IE_SETGRIDSIZE");
		break;
	case 1188:
		host.diagnostics.debugLog("IE_GETMODE");
		break;
	case 1189:
		host.diagnostics.debugLog("IE_SETMODE");
		break;
	case 1190:
		host.diagnostics.debugLog("IE_GETINKRECT");
		break;
	case 1190:
		host.diagnostics.debugLog("WM_CAP_SET_MCI_DEVICEW");
		break;
	case 1191:
		host.diagnostics.debugLog("WM_CAP_GET_MCI_DEVICEW");
		break;
	case 1204:
		host.diagnostics.debugLog("WM_CAP_PAL_OPENW");
		break;
	case 1205:
		host.diagnostics.debugLog("WM_CAP_PAL_SAVEW");
		break;
	case 1208:
		host.diagnostics.debugLog("IE_GETAPPDATA");
		break;
	case 1209:
		host.diagnostics.debugLog("IE_SETAPPDATA");
		break;
	case 1210:
		host.diagnostics.debugLog("IE_GETDRAWOPTS");
		break;
	case 1211:
		host.diagnostics.debugLog("IE_SETDRAWOPTS");
		break;
	case 1212:
		host.diagnostics.debugLog("IE_GETFORMAT");
		break;
	case 1213:
		host.diagnostics.debugLog("IE_SETFORMAT");
		break;
	case 1214:
		host.diagnostics.debugLog("IE_GETINKINPUT");
		break;
	case 1215:
		host.diagnostics.debugLog("IE_SETINKINPUT");
		break;
	case 1216:
		host.diagnostics.debugLog("IE_GETNOTIFY");
		break;
	case 1217:
		host.diagnostics.debugLog("IE_SETNOTIFY");
		break;
	case 1218:
		host.diagnostics.debugLog("IE_GETRECOG");
		break;
	case 1219:
		host.diagnostics.debugLog("IE_SETRECOG");
		break;
	case 1220:
		host.diagnostics.debugLog("IE_GETSECURITY");
		break;
	case 1221:
		host.diagnostics.debugLog("IE_SETSECURITY");
		break;
	case 1222:
		host.diagnostics.debugLog("IE_GETSEL");
		break;
	case 1223:
		host.diagnostics.debugLog("IE_SETSEL");
		break;
	case 1224:
		host.diagnostics.debugLog("CDM_LAST");
		break;
	case 1224:
		host.diagnostics.debugLog("EM_SETBIDIOPTIONS");
		break;
	case 1224:
		host.diagnostics.debugLog("IE_DOCOMMAND");
		break;
	case 1224:
		host.diagnostics.debugLog("MCIWNDM_NOTIFYMODE");
		break;
	case 1225:
		host.diagnostics.debugLog("EM_GETBIDIOPTIONS");
		break;
	case 1225:
		host.diagnostics.debugLog("IE_GETCOMMAND");
		break;
	case 1226:
		host.diagnostics.debugLog("EM_SETTYPOGRAPHYOPTIONS");
		break;
	case 1226:
		host.diagnostics.debugLog("IE_GETCOUNT");
		break;
	case 1227:
		host.diagnostics.debugLog("EM_GETTYPOGRAPHYOPTIONS");
		break;
	case 1227:
		host.diagnostics.debugLog("IE_GETGESTURE");
		break;
	case 1227:
		host.diagnostics.debugLog("MCIWNDM_NOTIFYMEDIA");
		break;
	case 1228:
		host.diagnostics.debugLog("EM_SETEDITSTYLE");
		break;
	case 1228:
		host.diagnostics.debugLog("IE_GETMENU");
		break;
	case 1229:
		host.diagnostics.debugLog("EM_GETEDITSTYLE");
		break;
	case 1229:
		host.diagnostics.debugLog("IE_GETPAINTDC");
		break;
	case 1229:
		host.diagnostics.debugLog("MCIWNDM_NOTIFYERROR");
		break;
	case 1230:
		host.diagnostics.debugLog("IE_GETPDEVENT");
		break;
	case 1231:
		host.diagnostics.debugLog("IE_GETSELCOUNT");
		break;
	case 1232:
		host.diagnostics.debugLog("IE_GETSELITEMS");
		break;
	case 1233:
		host.diagnostics.debugLog("IE_GETSTYLE");
		break;
	case 1243:
		host.diagnostics.debugLog("MCIWNDM_SETTIMEFORMATW");
		break;
	case 1244:
		host.diagnostics.debugLog("EM_OUTLINE");
		break;
	case 1244:
		host.diagnostics.debugLog("MCIWNDM_GETTIMEFORMATW");
		break;
	case 1245:
		host.diagnostics.debugLog("EM_GETSCROLLPOS");
		break;
	case 1246:
		host.diagnostics.debugLog("EM_SETSCROLLPOS");
		break;
	case 1247:
		host.diagnostics.debugLog("EM_SETFONTSIZE");
		break;
	case 1248:
		host.diagnostics.debugLog("EM_GETZOOM");
		break;
	case 1248:
		host.diagnostics.debugLog("MCIWNDM_GETFILENAMEW");
		break;
	case 1249:
		host.diagnostics.debugLog("EM_SETZOOM");
		break;
	case 1249:
		host.diagnostics.debugLog("MCIWNDM_GETDEVICEW");
		break;
	case 1250:
		host.diagnostics.debugLog("EM_GETVIEWKIND");
		break;
	case 1251:
		host.diagnostics.debugLog("EM_SETVIEWKIND");
		break;
	case 1252:
		host.diagnostics.debugLog("EM_GETPAGE");
		break;
	case 1252:
		host.diagnostics.debugLog("MCIWNDM_GETERRORW");
		break;
	case 1253:
		host.diagnostics.debugLog("EM_SETPAGE");
		break;
	case 1254:
		host.diagnostics.debugLog("EM_GETHYPHENATEINFO");
		break;
	case 1255:
		host.diagnostics.debugLog("EM_SETHYPHENATEINFO");
		break;
	case 1259:
		host.diagnostics.debugLog("EM_GETPAGEROTATE");
		break;
	case 1260:
		host.diagnostics.debugLog("EM_SETPAGEROTATE");
		break;
	case 1261:
		host.diagnostics.debugLog("EM_GETCTFMODEBIAS");
		break;
	case 1262:
		host.diagnostics.debugLog("EM_SETCTFMODEBIAS");
		break;
	case 1264:
		host.diagnostics.debugLog("EM_GETCTFOPENSTATUS");
		break;
	case 1265:
		host.diagnostics.debugLog("EM_SETCTFOPENSTATUS");
		break;
	case 1266:
		host.diagnostics.debugLog("EM_GETIMECOMPTEXT");
		break;
	case 1267:
		host.diagnostics.debugLog("EM_ISIME");
		break;
	case 1268:
		host.diagnostics.debugLog("EM_GETIMEPROPERTY");
		break;
	case 1293:
		host.diagnostics.debugLog("EM_GETQUERYRTFOBJ");
		break;
	case 1294:
		host.diagnostics.debugLog("EM_SETQUERYRTFOBJ");
		break;
	case 1536:
		host.diagnostics.debugLog("FM_GETFOCUS");
		break;
	case 1537:
		host.diagnostics.debugLog("FM_GETDRIVEINFOA");
		break;
	case 1538:
		host.diagnostics.debugLog("FM_GETSELCOUNT");
		break;
	case 1539:
		host.diagnostics.debugLog("FM_GETSELCOUNTLFN");
		break;
	case 1540:
		host.diagnostics.debugLog("FM_GETFILESELA");
		break;
	case 1541:
		host.diagnostics.debugLog("FM_GETFILESELLFNA");
		break;
	case 1542:
		host.diagnostics.debugLog("FM_REFRESH_WINDOWS");
		break;
	case 1543:
		host.diagnostics.debugLog("FM_RELOAD_EXTENSIONS");
		break;
	case 1553:
		host.diagnostics.debugLog("FM_GETDRIVEINFOW");
		break;
	case 1556:
		host.diagnostics.debugLog("FM_GETFILESELW");
		break;
	case 1557:
		host.diagnostics.debugLog("FM_GETFILESELLFNW");
		break;
	case 1625:
		host.diagnostics.debugLog("WLX_WM_SAS");
		break;
	case 2024:
		host.diagnostics.debugLog("SM_GETSELCOUNT");
		break;
	case 2024:
		host.diagnostics.debugLog("UM_GETSELCOUNT");
		break;
	case 2024:
		host.diagnostics.debugLog("WM_CPL_LAUNCH");
		break;
	case 2025:
		host.diagnostics.debugLog("SM_GETSERVERSELA");
		break;
	case 2025:
		host.diagnostics.debugLog("UM_GETUSERSELA");
		break;
	case 2025:
		host.diagnostics.debugLog("WM_CPL_LAUNCHED");
		break;
	case 2026:
		host.diagnostics.debugLog("SM_GETSERVERSELW");
		break;
	case 2026:
		host.diagnostics.debugLog("UM_GETUSERSELW");
		break;
	case 2027:
		host.diagnostics.debugLog("SM_GETCURFOCUSA");
		break;
	case 2027:
		host.diagnostics.debugLog("UM_GETGROUPSELA");
		break;
	case 2028:
		host.diagnostics.debugLog("SM_GETCURFOCUSW");
		break;
	case 2028:
		host.diagnostics.debugLog("UM_GETGROUPSELW");
		break;
	case 2029:
		host.diagnostics.debugLog("SM_GETOPTIONS");
		break;
	case 2029:
		host.diagnostics.debugLog("UM_GETCURFOCUSA");
		break;
	case 2030:
		host.diagnostics.debugLog("UM_GETCURFOCUSW");
		break;
	case 2031:
		host.diagnostics.debugLog("UM_GETOPTIONS");
		break;
	case 2032:
		host.diagnostics.debugLog("UM_GETOPTIONS2");
		break;
	case 4096:
		host.diagnostics.debugLog("LVM_FIRST");
		break;
	case 4096:
		host.diagnostics.debugLog("LVM_GETBKCOLOR");
		break;
	case 4097:
		host.diagnostics.debugLog("LVM_SETBKCOLOR");
		break;
	case 4098:
		host.diagnostics.debugLog("LVM_GETIMAGELIST");
		break;
	case 4099:
		host.diagnostics.debugLog("LVM_SETIMAGELIST");
		break;
	case 4100:
		host.diagnostics.debugLog("LVM_GETITEMCOUNT");
		break;
	case 4101:
		host.diagnostics.debugLog("LVM_GETITEMA");
		break;
	case 4102:
		host.diagnostics.debugLog("LVM_SETITEMA");
		break;
	case 4103:
		host.diagnostics.debugLog("LVM_INSERTITEMA");
		break;
	case 4104:
		host.diagnostics.debugLog("LVM_DELETEITEM");
		break;
	case 4105:
		host.diagnostics.debugLog("LVM_DELETEALLITEMS");
		break;
	case 4106:
		host.diagnostics.debugLog("LVM_GETCALLBACKMASK");
		break;
	case 4107:
		host.diagnostics.debugLog("LVM_SETCALLBACKMASK");
		break;
	case 4108:
		host.diagnostics.debugLog("LVM_GETNEXTITEM");
		break;
	case 4109:
		host.diagnostics.debugLog("LVM_FINDITEMA");
		break;
	case 4110:
		host.diagnostics.debugLog("LVM_GETITEMRECT");
		break;
	case 4111:
		host.diagnostics.debugLog("LVM_SETITEMPOSITION");
		break;
	case 4112:
		host.diagnostics.debugLog("LVM_GETITEMPOSITION");
		break;
	case 4113:
		host.diagnostics.debugLog("LVM_GETSTRINGWIDTHA");
		break;
	case 4114:
		host.diagnostics.debugLog("LVM_HITTEST");
		break;
	case 4115:
		host.diagnostics.debugLog("LVM_ENSUREVISIBLE");
		break;
	case 4116:
		host.diagnostics.debugLog("LVM_SCROLL");
		break;
	case 4117:
		host.diagnostics.debugLog("LVM_REDRAWITEMS");
		break;
	case 4118:
		host.diagnostics.debugLog("LVM_ARRANGE");
		break;
	case 4119:
		host.diagnostics.debugLog("LVM_EDITLABELA");
		break;
	case 4120:
		host.diagnostics.debugLog("LVM_GETEDITCONTROL");
		break;
	case 4121:
		host.diagnostics.debugLog("LVM_GETCOLUMNA");
		break;
	case 4122:
		host.diagnostics.debugLog("LVM_SETCOLUMNA");
		break;
	case 4123:
		host.diagnostics.debugLog("LVM_INSERTCOLUMNA");
		break;
	case 4124:
		host.diagnostics.debugLog("LVM_DELETECOLUMN");
		break;
	case 4125:
		host.diagnostics.debugLog("LVM_GETCOLUMNWIDTH");
		break;
	case 4126:
		host.diagnostics.debugLog("LVM_SETCOLUMNWIDTH");
		break;
	case 4127:
		host.diagnostics.debugLog("LVM_GETHEADER");
		break;
	case 4129:
		host.diagnostics.debugLog("LVM_CREATEDRAGIMAGE");
		break;
	case 4130:
		host.diagnostics.debugLog("LVM_GETVIEWRECT");
		break;
	case 4131:
		host.diagnostics.debugLog("LVM_GETTEXTCOLOR");
		break;
	case 4132:
		host.diagnostics.debugLog("LVM_SETTEXTCOLOR");
		break;
	case 4133:
		host.diagnostics.debugLog("LVM_GETTEXTBKCOLOR");
		break;
	case 4134:
		host.diagnostics.debugLog("LVM_SETTEXTBKCOLOR");
		break;
	case 4135:
		host.diagnostics.debugLog("LVM_GETTOPINDEX");
		break;
	case 4136:
		host.diagnostics.debugLog("LVM_GETCOUNTPERPAGE");
		break;
	case 4137:
		host.diagnostics.debugLog("LVM_GETORIGIN");
		break;
	case 4138:
		host.diagnostics.debugLog("LVM_UPDATE");
		break;
	case 4139:
		host.diagnostics.debugLog("LVM_SETITEMSTATE");
		break;
	case 4140:
		host.diagnostics.debugLog("LVM_GETITEMSTATE");
		break;
	case 4141:
		host.diagnostics.debugLog("LVM_GETITEMTEXTA");
		break;
	case 4142:
		host.diagnostics.debugLog("LVM_SETITEMTEXTA");
		break;
	case 4143:
		host.diagnostics.debugLog("LVM_SETITEMCOUNT");
		break;
	case 4144:
		host.diagnostics.debugLog("LVM_SORTITEMS");
		break;
	case 4145:
		host.diagnostics.debugLog("LVM_SETITEMPOSITION32");
		break;
	case 4146:
		host.diagnostics.debugLog("LVM_GETSELECTEDCOUNT");
		break;
	case 4147:
		host.diagnostics.debugLog("LVM_GETITEMSPACING");
		break;
	case 4148:
		host.diagnostics.debugLog("LVM_GETISEARCHSTRINGA");
		break;
	case 4149:
		host.diagnostics.debugLog("LVM_SETICONSPACING");
		break;
	case 4150:
		host.diagnostics.debugLog("LVM_SETEXTENDEDLISTVIEWSTYLE");
		break;
	case 4151:
		host.diagnostics.debugLog("LVM_GETEXTENDEDLISTVIEWSTYLE");
		break;
	case 4152:
		host.diagnostics.debugLog("LVM_GETSUBITEMRECT");
		break;
	case 4153:
		host.diagnostics.debugLog("LVM_SUBITEMHITTEST");
		break;
	case 4154:
		host.diagnostics.debugLog("LVM_SETCOLUMNORDERARRAY");
		break;
	case 4155:
		host.diagnostics.debugLog("LVM_GETCOLUMNORDERARRAY");
		break;
	case 4156:
		host.diagnostics.debugLog("LVM_SETHOTITEM");
		break;
	case 4157:
		host.diagnostics.debugLog("LVM_GETHOTITEM");
		break;
	case 4158:
		host.diagnostics.debugLog("LVM_SETHOTCURSOR");
		break;
	case 4159:
		host.diagnostics.debugLog("LVM_GETHOTCURSOR");
		break;
	case 4160:
		host.diagnostics.debugLog("LVM_APPROXIMATEVIEWRECT");
		break;
	case 4161:
		host.diagnostics.debugLog("LVM_SETWORKAREAS");
		break;
	case 4162:
		host.diagnostics.debugLog("LVM_GETSELECTIONMARK");
		break;
	case 4163:
		host.diagnostics.debugLog("LVM_SETSELECTIONMARK");
		break;
	case 4164:
		host.diagnostics.debugLog("LVM_SETBKIMAGEA");
		break;
	case 4165:
		host.diagnostics.debugLog("LVM_GETBKIMAGEA");
		break;
	case 4166:
		host.diagnostics.debugLog("LVM_GETWORKAREAS");
		break;
	case 4167:
		host.diagnostics.debugLog("LVM_SETHOVERTIME");
		break;
	case 4168:
		host.diagnostics.debugLog("LVM_GETHOVERTIME");
		break;
	case 4169:
		host.diagnostics.debugLog("LVM_GETNUMBEROFWORKAREAS");
		break;
	case 4170:
		host.diagnostics.debugLog("LVM_SETTOOLTIPS");
		break;
	case 4171:
		host.diagnostics.debugLog("LVM_GETITEMW");
		break;
	case 4172:
		host.diagnostics.debugLog("LVM_SETITEMW");
		break;
	case 4173:
		host.diagnostics.debugLog("LVM_INSERTITEMW");
		break;
	case 4174:
		host.diagnostics.debugLog("LVM_GETTOOLTIPS");
		break;
	case 4179:
		host.diagnostics.debugLog("LVM_FINDITEMW");
		break;
	case 4183:
		host.diagnostics.debugLog("LVM_GETSTRINGWIDTHW");
		break;
	case 4191:
		host.diagnostics.debugLog("LVM_GETCOLUMNW");
		break;
	case 4192:
		host.diagnostics.debugLog("LVM_SETCOLUMNW");
		break;
	case 4193:
		host.diagnostics.debugLog("LVM_INSERTCOLUMNW");
		break;
	case 4211:
		host.diagnostics.debugLog("LVM_GETITEMTEXTW");
		break;
	case 4212:
		host.diagnostics.debugLog("LVM_SETITEMTEXTW");
		break;
	case 4213:
		host.diagnostics.debugLog("LVM_GETISEARCHSTRINGW");
		break;
	case 4214:
		host.diagnostics.debugLog("LVM_EDITLABELW");
		break;
	case 4235:
		host.diagnostics.debugLog("LVM_GETBKIMAGEW");
		break;
	case 4236:
		host.diagnostics.debugLog("LVM_SETSELECTEDCOLUMN");
		break;
	case 4237:
		host.diagnostics.debugLog("LVM_SETTILEWIDTH");
		break;
	case 4238:
		host.diagnostics.debugLog("LVM_SETVIEW");
		break;
	case 4239:
		host.diagnostics.debugLog("LVM_GETVIEW");
		break;
	case 4241:
		host.diagnostics.debugLog("LVM_INSERTGROUP");
		break;
	case 4243:
		host.diagnostics.debugLog("LVM_SETGROUPINFO");
		break;
	case 4245:
		host.diagnostics.debugLog("LVM_GETGROUPINFO");
		break;
	case 4246:
		host.diagnostics.debugLog("LVM_REMOVEGROUP");
		break;
	case 4247:
		host.diagnostics.debugLog("LVM_MOVEGROUP");
		break;
	case 4250:
		host.diagnostics.debugLog("LVM_MOVEITEMTOGROUP");
		break;
	case 4251:
		host.diagnostics.debugLog("LVM_SETGROUPMETRICS");
		break;
	case 4252:
		host.diagnostics.debugLog("LVM_GETGROUPMETRICS");
		break;
	case 4253:
		host.diagnostics.debugLog("LVM_ENABLEGROUPVIEW");
		break;
	case 4254:
		host.diagnostics.debugLog("LVM_SORTGROUPS");
		break;
	case 4255:
		host.diagnostics.debugLog("LVM_INSERTGROUPSORTED");
		break;
	case 4256:
		host.diagnostics.debugLog("LVM_REMOVEALLGROUPS");
		break;
	case 4257:
		host.diagnostics.debugLog("LVM_HASGROUP");
		break;
	case 4258:
		host.diagnostics.debugLog("LVM_SETTILEVIEWINFO");
		break;
	case 4259:
		host.diagnostics.debugLog("LVM_GETTILEVIEWINFO");
		break;
	case 4260:
		host.diagnostics.debugLog("LVM_SETTILEINFO");
		break;
	case 4261:
		host.diagnostics.debugLog("LVM_GETTILEINFO");
		break;
	case 4262:
		host.diagnostics.debugLog("LVM_SETINSERTMARK");
		break;
	case 4263:
		host.diagnostics.debugLog("LVM_GETINSERTMARK");
		break;
	case 4264:
		host.diagnostics.debugLog("LVM_INSERTMARKHITTEST");
		break;
	case 4265:
		host.diagnostics.debugLog("LVM_GETINSERTMARKRECT");
		break;
	case 4266:
		host.diagnostics.debugLog("LVM_SETINSERTMARKCOLOR");
		break;
	case 4267:
		host.diagnostics.debugLog("LVM_GETINSERTMARKCOLOR");
		break;
	case 4269:
		host.diagnostics.debugLog("LVM_SETINFOTIP");
		break;
	case 4270:
		host.diagnostics.debugLog("LVM_GETSELECTEDCOLUMN");
		break;
	case 4271:
		host.diagnostics.debugLog("LVM_ISGROUPVIEWENABLED");
		break;
	case 4272:
		host.diagnostics.debugLog("LVM_GETOUTLINECOLOR");
		break;
	case 4273:
		host.diagnostics.debugLog("LVM_SETOUTLINECOLOR");
		break;
	case 4275:
		host.diagnostics.debugLog("LVM_CANCELEDITLABEL");
		break;
	case 4276:
		host.diagnostics.debugLog("LVM_MAPINDEXTOID");
		break;
	case 4277:
		host.diagnostics.debugLog("LVM_MAPIDTOINDEX");
		break;
	case 4278:
		host.diagnostics.debugLog("LVM_ISITEMVISIBLE");
		break;
	case 8192:
		host.diagnostics.debugLog("OCM__BASE");
		break;
	case 8197:
		host.diagnostics.debugLog("LVM_SETUNICODEFORMAT");
		break;
	case 8198:
		host.diagnostics.debugLog("LVM_GETUNICODEFORMAT");
		break;
	case 8217:
		host.diagnostics.debugLog("OCM_CTLCOLOR");
		break;
	case 8235:
		host.diagnostics.debugLog("OCM_DRAWITEM");
		break;
	case 8236:
		host.diagnostics.debugLog("OCM_MEASUREITEM");
		break;
	case 8237:
		host.diagnostics.debugLog("OCM_DELETEITEM");
		break;
	case 8238:
		host.diagnostics.debugLog("OCM_VKEYTOITEM");
		break;
	case 8239:
		host.diagnostics.debugLog("OCM_CHARTOITEM");
		break;
	case 8249:
		host.diagnostics.debugLog("OCM_COMPAREITEM");
		break;
	case 8270:
		host.diagnostics.debugLog("OCM_NOTIFY");
		break;
	case 8465:
		host.diagnostics.debugLog("OCM_COMMAND");
		break;
	case 8468:
		host.diagnostics.debugLog("OCM_HSCROLL");
		break;
	case 8469:
		host.diagnostics.debugLog("OCM_VSCROLL");
		break;
	case 8498:
		host.diagnostics.debugLog("OCM_CTLCOLORMSGBOX");
		break;
	case 8499:
		host.diagnostics.debugLog("OCM_CTLCOLOREDIT");
		break;
	case 8500:
		host.diagnostics.debugLog("OCM_CTLCOLORLISTBOX");
		break;
	case 8501:
		host.diagnostics.debugLog("OCM_CTLCOLORBTN");
		break;
	case 8502:
		host.diagnostics.debugLog("OCM_CTLCOLORDLG");
		break;
	case 8503:
		host.diagnostics.debugLog("OCM_CTLCOLORSCROLLBAR");
		break;
	case 8504:
		host.diagnostics.debugLog("OCM_CTLCOLORSTATIC");
		break;
	case 8720:
		host.diagnostics.debugLog("OCM_PARENTNOTIFY");
		break;
	case 32768:
		host.diagnostics.debugLog("WM_APP");
		break;
	case 52429:
		host.diagnostics.debugLog("WM_RASDIALEVENT");
		break;
	default:
		host.diagnostics.debugLog("Unknown Window Message 0x" + msg.toString(16));
		break;
	}
}

Now we can prepare the script for use:

.scriptload C:\WinDbg\ShowMessageName.js
dx @$ShowMsgScript = Debugger.State.Scripts.ShowMessageName.Contents

We can now resolve a message ID by running this script. The undocumented “-s” parameter of the dx command suppresses the echo of the command itself. Note, however, that with -s you will also not see any JavaScript errors, so it is good to test the script without -s first.

dx -s @$ShowMsgScript.ShowMessageName(@rdx)

We can now integrate it into breakpoint commands. Note that for the message timeout functions this script doesn’t display all the parameters.

For 32-bit Process

bp user32!SendMessageA "!position;.printf \"SendMessageA(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"
bp user32!SendMessageW "!position;.printf \"SendMessageW(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"
bp user32!PostMessageA "!position;.printf \"PostMessageA(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"
bp user32!PostMessageW "!position;.printf \"PostMessageW(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"
bp user32!SendNotifyMessageA "!position;.printf \"SendNotifyMessageA(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"
bp user32!SendNotifyMessageW "!position;.printf \"SendNotifyMessageW(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"
bp user32!SendMessageTimeoutA "!position;.printf \"SendMessageTimeoutA(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"
bp user32!SendMessageTimeoutW "!position;.printf \"SendMessageTimeoutW(hWnd=%08x Msg=%08x (\",poi(@esp+04h),poi(@esp+08h);dx -s @$ShowMsgScript.ShowMessageName(poi(@esp+08h));.printf \") wParam=%08x lParam=%08x\\n\",poi(@esp+0ch),poi(@esp+010h);g"

For 64-bit Process

bp user32!SendMessageA "!position;.printf \"SendMessageA(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"
bp user32!SendMessageW "!position;.printf \"SendMessageW(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"
bp user32!PostMessageA "!position;.printf \"PostMessageA(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"
bp user32!PostMessageW "!position;.printf \"PostMessageW(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"
bp user32!SendNotifyMessageA "!position;.printf \"SendNotifyMessageA(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"
bp user32!SendNotifyMessageW "!position;.printf \"SendNotifyMessageW(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"
bp user32!SendMessageTimeoutA "!position;.printf \"SendMessageTimeoutA(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"
bp user32!SendMessageTimeoutW "!position;.printf \"SendMessageTimeoutW(hWnd=%016x Msg=%016x (\",@rcx,@rdx;dx -s @$ShowMsgScript.ShowMessageName(@rdx);.printf \") wParam=%016x lParam=%016x\\n\",@r8,@r9;g"


Tracking Progress Bar Progress in Time Travel Trace

When analyzing Time Travel Debugging (TTD) traces, it is useful to track when a progress bar is updated in a Windows app, so we can investigate what triggers the update and identify the application code responsible. This uses an approach similar to the one we used to identify user interaction events in a TTD trace.

These commands show update details for progress bars implemented by the Microsoft Common Controls library (comctl32.dll).

The messages are documented here: https://docs.microsoft.com/en-us/windows/win32/controls/bumper-progress-bar-control-reference-messages

32-bit Process

bp comctl32!Progress_WndProc ".if (poi(@ebp+010h) >= 0x400) { !position };.printf \"Progress Bar Msg 0x%016X\\n\",poi(@ebp+010h);.if (poi(@ebp+010h) == 0x401) { .printf \"Progress Bar SetRange ( %i - %i )\\n\",(poi(@ebp+018h) & 0xffff),((poi(@ebp+018h) >> 16) & 0xffff) };.if (poi(@ebp+010h) == 0x402) { .printf \"Progress Bar SetPos ( %i )\\n\",poi(@ebp+014h) };.if (poi(@ebp+010h) == 0x403) { .printf \"Progress Bar DeltaPos ( %i )\\n\",poi(@ebp+014h) };.if (poi(@ebp+010h) == 0x404) { .printf \"Progress Bar SetStep ( %i )\\n\",poi(@ebp+014h) };.if (poi(@ebp+010h) == 0x405) { .printf \"Progress Bar StepIt ()\\n\" };.if (poi(@ebp+010h) == 0x406) { .printf \"Progress Bar SetRange32 ( %i - %i )\\n\",poi(@ebp+014h),poi(@ebp+018h) };g"

64-bit Process

bp comctl32!Progress_WndProc ".if (@rdx >= 0x400) { !position };.printf \"Progress Bar Msg 0x%016X\\n\",@rdx;.if (@rdx == 0x401) { .printf \"Progress Bar SetRange ( %i - %i )\\n\",(@r9 & 0xffff),((@r9 >> 16) & 0xffff) };.if (@rdx == 0x402) { .printf \"Progress Bar SetPos ( %i )\\n\",@r8 };.if (@rdx == 0x403) { .printf \"Progress Bar DeltaPos ( %i )\\n\",@r8 };.if (@rdx == 0x404) { .printf \"Progress Bar SetStep ( %i )\\n\",@r8 };.if (@rdx == 0x405) { .printf \"Progress Bar StepIt ()\\n\" };.if (@rdx == 0x406) { .printf \"Progress Bar SetRange32 ( %i - %i )\\n\",@r8,@r9 };g"
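
The decoding those breakpoint commands perform, as an added JavaScript example that is not part of the original post: it unpacks the same six message IDs and replays a message sequence into a position/percentage timeline. The trace positions and parameter values are constructed, and the state model (default range 0-100, default step 10, clamping to the range, StepIt wrapping to the minimum) is an assumption that simplifies the documented control behaviour.

```javascript
// Added example, not the blog author's script. IDs 0x401-0x406 are the ones the
// breakpoint commands test for (WM_USER + 1..6); names are the PBM_* constants.
const PBM_NAMES = {
  0x401: "PBM_SETRANGE", 0x402: "PBM_SETPOS", 0x403: "PBM_DELTAPOS",
  0x404: "PBM_SETSTEP", 0x405: "PBM_STEPIT", 0x406: "PBM_SETRANGE32",
};

// 64-bit register values can exceed 2^53, so reduce them to 32 bits through
// BigInt before treating them as message parameters.
const u32 = (v) => Number(BigInt.asUintN(32, BigInt(v)));
const i32 = (v) => Number(BigInt.asIntN(32, BigInt(v)));

// Decode one (msg, wParam, lParam) triple; returns null for anything that is
// not one of the six progress bar messages.
function decodeProgressMessage(msg, wParam, lParam) {
  const id = u32(msg);
  const name = PBM_NAMES[id];
  if (!name) return null;
  switch (id) {
    case 0x401: { // range packed into lParam: LOWORD = min, HIWORD = max
      const packed = u32(lParam);
      return { name, min: packed & 0xffff, max: (packed >>> 16) & 0xffff };
    }
    case 0x402: return { name, pos: i32(wParam) };
    case 0x403: return { name, delta: i32(wParam) }; // may be negative
    case 0x404: return { name, step: i32(wParam) };
    case 0x406: return { name, min: i32(wParam), max: i32(lParam) };
    default: return { name }; // PBM_STEPIT carries no parameters
  }
}

// Replay decoded messages into control state (simplified model, see lead-in).
function replay(events) {
  const st = { min: 0, max: 100, pos: 0, step: 10 };
  const clamp = (p) => Math.min(st.max, Math.max(st.min, p));
  const timeline = [];
  for (const ev of events) {
    const m = decodeProgressMessage(ev.msg, ev.wParam, ev.lParam);
    if (!m) continue; // unrelated window message
    switch (m.name) {
      case "PBM_SETRANGE":
      case "PBM_SETRANGE32": st.min = m.min; st.max = m.max; break;
      case "PBM_SETPOS": st.pos = clamp(m.pos); break;
      case "PBM_DELTAPOS": st.pos = clamp(st.pos + m.delta); break;
      case "PBM_SETSTEP": st.step = m.step; break;
      case "PBM_STEPIT": {
        const next = st.pos + st.step;
        st.pos = next > st.max ? st.min : next;
        break;
      }
    }
    const span = st.max - st.min;
    const percent = span > 0 ? Math.round((100 * (st.pos - st.min)) / span) : 0;
    timeline.push({ position: ev.position, name: m.name, pos: st.pos, percent });
  }
  return timeline;
}

// Constructed sample: TTD-style positions with the register values a 64-bit
// breakpoint would see (msg = @rdx, wParam = @r8, lParam = @r9).
const SAMPLE_TRACE = [
  { position: "2F0:12", msg: 0x401, wParam: 0, lParam: 0x00c80000 },  // range 0-200
  { position: "31C:5", msg: 0x404, wParam: 50, lParam: 0 },           // step 50
  { position: "35A:1B", msg: 0x405, wParam: 0, lParam: 0 },           // step it
  { position: "35A:40", msg: 0x000f, wParam: 0, lParam: 0 },          // WM_PAINT, skipped
  { position: "3B2:9", msg: 0x402, wParam: 150, lParam: 0 },          // set pos 150
  { position: "40D:2", msg: 0x403, wParam: 0xffffffcen, lParam: 0 },  // delta -50
  { position: "47E:33", msg: 0x403, wParam: 500, lParam: 0 },         // clamps to max
];

for (const row of replay(SAMPLE_TRACE)) {
  console.log(`${row.position}  ${row.name.padEnd(15)} pos=${row.pos} (${row.percent}%)`);
}
```

The negative DeltaPos entry shows why the parameter has to be sign-extended from 32 bits: read as an unsigned register value it would look like a jump of about four billion.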

Example output:


Case of the Windows 11 Notepad Failed To Launch

From a command prompt I tried to launch notepad.exe, but nothing happened and there was no error message.

So I launched it under WinDbg using DbgX.Shell.exe notepad.exe test.log

Hitting “g” in the debugger showed the following output:

0:000> g
ModLoad: 00007ffa`9b750000 00007ffa`9b781000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffa`9ca10000 00007ffa`9cabc000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffa`9be80000 00007ffa`9bf1d000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffa`9b400000 00007ffa`9b480000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffa`98e10000 00007ffa`98e28000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
ModLoad: 00007ffa`960a0000 00007ffa`9614c000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00007ffa`9cd20000 00007ffa`9cdcf000   C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffa`87460000 00007ffa`87561000   C:\Windows\System32\MrmCoreR.dll
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(731)\MrmCoreR.dll!00007FFA874759AD: (caller: 00007FFA87478636) ReturnHr(1) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(573)\MrmCoreR.dll!00007FFA874B4C69: (caller: 00007FFA8746F2C0) ReturnHr(2) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(331)\MrmCoreR.dll!00007FFA874B1756: (caller: 00007FFA8749E1D6) ReturnHr(3) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(164)\MrmCoreR.dll!00007FFA874C1BB8: (caller: 00007FFA8749E0D6) ReturnHr(4) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1374)\MrmCoreR.dll!00007FFA874C1CDB: (caller: 00007FFA8749E0D6) ReturnHr(5) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1273)\MrmCoreR.dll!00007FFA874C1B7C: (caller: 00007FFA8746F016) ReturnHr(6) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\com\winrt\core\winrtresourcemanager.cpp(603)\MrmCoreR.dll!00007FFA8746F002: (caller: 00007FF7C8984E5E) ReturnHr(7) tid(8798) 80070002 The system cannot find the file specified.
ntdll!NtTerminateProcess+0x14:
00007ffa`9d783854 c3              ret

I then used .restart to relaunch the process and find the stack traces for the debug output that had been displayed:

0:000> bm kernelbase!OutputDebugString* "kp;g"
  1: 00007ffa`9af0855a @!"KERNELBASE!OutputDebugStringA$fin$2"
  2: 00007ffa`9af082fa @!"KERNELBASE!OutputDebugStringW$filt$0"
  3: 00007ffa`9af08510 @!"KERNELBASE!OutputDebugStringA$filt$0"
  4: 00007ffa`9af0853a @!"KERNELBASE!OutputDebugStringA$filt$1"
  5: 00007ffa`9ae7f330 @!"KERNELBASE!OutputDebugStringW"
  6: 00007ffa`9ae938b0 @!"KERNELBASE!OutputDebugStringA"
0:000> g
ModLoad: 00007ffa`9b750000 00007ffa`9b781000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffa`9ca10000 00007ffa`9cabc000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffa`9be80000 00007ffa`9bf1d000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffa`9b400000 00007ffa`9b480000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffa`98e10000 00007ffa`98e28000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
ModLoad: 00007ffa`960a0000 00007ffa`9614c000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00007ffa`9cd20000 00007ffa`9cdcf000   C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffa`87460000 00007ffa`87561000   C:\Windows\System32\MrmCoreR.dll
 # Child-SP          RetAddr               Call Site
00 00000091`6633dea8 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 00000091`6633deb0 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 00000091`6633f3c0 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 00000091`6633f440 00007ffa`874759ad     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 00000091`6633f490 00007ffa`87478636     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::LoadPriFiles+0x505
05 00000091`6633f570 00007ffa`8746f2c0     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::LoadPriFile+0x20a
06 00000091`6633f6a0 00007ffa`8749e1d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::InitializeWithProfile+0x168
07 00000091`6633f750 00007ffa`8749e0d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_CreatePackageDefaultResourceManagerInternal+0xe6
08 00000091`6633fa40 00007ffa`8746f016     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0x1e
09 00000091`6633fa70 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xf6
0a 00000091`6633fac0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
0b 00000091`6633fb40 00007ff7`c89859b6     notepad!wWinMain+0x137
0c 00000091`6633fbf0 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
0d 00000091`6633fc30 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
0e 00000091`6633fc60 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(731)\MrmCoreR.dll!00007FFA874759AD: (caller: 00007FFA87478636) ReturnHr(1) tid(94c4) 80070002 The system cannot find the file specified.
 # Child-SP          RetAddr               Call Site
00 00000091`6633df88 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 00000091`6633df90 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 00000091`6633f4a0 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 00000091`6633f520 00007ffa`874b4c69     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 00000091`6633f570 00007ffa`8746f2c0     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::LoadPriFile+0x3c83d
05 00000091`6633f6a0 00007ffa`8749e1d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::InitializeWithProfile+0x168
06 00000091`6633f750 00007ffa`8749e0d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_CreatePackageDefaultResourceManagerInternal+0xe6
07 00000091`6633fa40 00007ffa`8746f016     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0x1e
08 00000091`6633fa70 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xf6
09 00000091`6633fac0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
0a 00000091`6633fb40 00007ff7`c89859b6     notepad!wWinMain+0x137
0b 00000091`6633fbf0 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
0c 00000091`6633fc30 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
0d 00000091`6633fc60 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(573)\MrmCoreR.dll!00007FFA874B4C69: (caller: 00007FFA8746F2C0) ReturnHr(2) tid(94c4) 80070002 The system cannot find the file specified.
 # Child-SP          RetAddr               Call Site
00 00000091`6633e0b8 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 00000091`6633e0c0 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 00000091`6633f5d0 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 00000091`6633f650 00007ffa`874b1756     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 00000091`6633f6a0 00007ffa`8749e1d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::InitializeWithProfile+0x425fe
05 00000091`6633f750 00007ffa`8749e0d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_CreatePackageDefaultResourceManagerInternal+0xe6
06 00000091`6633fa40 00007ffa`8746f016     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0x1e
07 00000091`6633fa70 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xf6
08 00000091`6633fac0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
09 00000091`6633fb40 00007ff7`c89859b6     notepad!wWinMain+0x137
0a 00000091`6633fbf0 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
0b 00000091`6633fc30 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
0c 00000091`6633fc60 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(331)\MrmCoreR.dll!00007FFA874B1756: (caller: 00007FFA8749E1D6) ReturnHr(3) tid(94c4) 80070002 The system cannot find the file specified.
 # Child-SP          RetAddr               Call Site
00 00000091`6633e168 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 00000091`6633e170 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 00000091`6633f680 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 00000091`6633f700 00007ffa`874c1bb8     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 00000091`6633f750 00007ffa`8749e0d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_CreatePackageDefaultResourceManagerInternal+0x23ac8
05 00000091`6633fa40 00007ffa`8746f016     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0x1e
06 00000091`6633fa70 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xf6
07 00000091`6633fac0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
08 00000091`6633fb40 00007ff7`c89859b6     notepad!wWinMain+0x137
09 00000091`6633fbf0 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
0a 00000091`6633fc30 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
0b 00000091`6633fc60 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(164)\MrmCoreR.dll!00007FFA874C1BB8: (caller: 00007FFA8749E0D6) ReturnHr(4) tid(94c4) 80070002 The system cannot find the file specified.
 # Child-SP          RetAddr               Call Site
00 00000091`6633e168 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 00000091`6633e170 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 00000091`6633f680 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 00000091`6633f700 00007ffa`874c1cdb     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 00000091`6633f750 00007ffa`8749e0d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_CreatePackageDefaultResourceManagerInternal+0x23beb
05 00000091`6633fa40 00007ffa`8746f016     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0x1e
06 00000091`6633fa70 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xf6
07 00000091`6633fac0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
08 00000091`6633fb40 00007ff7`c89859b6     notepad!wWinMain+0x137
09 00000091`6633fbf0 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
0a 00000091`6633fc30 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
0b 00000091`6633fc60 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1374)\MrmCoreR.dll!00007FFA874C1CDB: (caller: 00007FFA8749E0D6) ReturnHr(5) tid(94c4) 80070002 The system cannot find the file specified.
 # Child-SP          RetAddr               Call Site
00 00000091`6633e458 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 00000091`6633e460 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 00000091`6633f970 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 00000091`6633f9f0 00007ffa`874c1b7c     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 00000091`6633fa40 00007ffa`8746f016     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0x23ac4
05 00000091`6633fa70 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xf6
06 00000091`6633fac0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
07 00000091`6633fb40 00007ff7`c89859b6     notepad!wWinMain+0x137
08 00000091`6633fbf0 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
09 00000091`6633fc30 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
0a 00000091`6633fc60 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1273)\MrmCoreR.dll!00007FFA874C1B7C: (caller: 00007FFA8746F016) ReturnHr(6) tid(94c4) 80070002 The system cannot find the file specified.
 # Child-SP          RetAddr               Call Site
00 00000091`6633e488 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 00000091`6633e490 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 00000091`6633f9a0 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 00000091`6633fa20 00007ffa`8746f002     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 00000091`6633fa70 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xe2
05 00000091`6633fac0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
06 00000091`6633fb40 00007ff7`c89859b6     notepad!wWinMain+0x137
07 00000091`6633fbf0 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
08 00000091`6633fc30 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
09 00000091`6633fc60 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\com\winrt\core\winrtresourcemanager.cpp(603)\MrmCoreR.dll!00007FFA8746F002: (caller: 00007FF7C8984E5E) ReturnHr(7) tid(94c4) 80070002 The system cannot find the file specified.
ntdll!NtTerminateProcess+0x14:
00007ffa`9d783854 c3              ret
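
The seven WIL lines in that output describe one failure propagating up the stack. The following added example (not code from the original post) parses them, decodes the HRESULT, and finds the first report whose caller lies outside MrmCoreR.dll. The log lines and module range are copied from the debugger output above; the function names are illustrative.

```javascript
// Added example, not from the original post. LOG is the WIL output of the first
// debugger run above (tid 8798); the range is MrmCoreR.dll's ModLoad line.
const LOG = String.raw`
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(731)\MrmCoreR.dll!00007FFA874759AD: (caller: 00007FFA87478636) ReturnHr(1) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(573)\MrmCoreR.dll!00007FFA874B4C69: (caller: 00007FFA8746F2C0) ReturnHr(2) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(331)\MrmCoreR.dll!00007FFA874B1756: (caller: 00007FFA8749E1D6) ReturnHr(3) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(164)\MrmCoreR.dll!00007FFA874C1BB8: (caller: 00007FFA8749E0D6) ReturnHr(4) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1374)\MrmCoreR.dll!00007FFA874C1CDB: (caller: 00007FFA8749E0D6) ReturnHr(5) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1273)\MrmCoreR.dll!00007FFA874C1B7C: (caller: 00007FFA8746F016) ReturnHr(6) tid(8798) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\com\winrt\core\winrtresourcemanager.cpp(603)\MrmCoreR.dll!00007FFA8746F002: (caller: 00007FF7C8984E5E) ReturnHr(7) tid(8798) 80070002 The system cannot find the file specified.
`;
const MRMCORER = { base: 0x00007ffa87460000n, end: 0x00007ffa87561000n };

// file(line)\module!address: (caller: address) Kind(seq) tid(hex) HRESULT text
const WIL_LINE = /^(.+)\((\d+)\)\\([^\\!]+)!([0-9a-f]+): \(caller: ([0-9a-f]+)\) (\w+)\((\d+)\) tid\(([0-9a-f]+)\) ([0-9a-f]{8}) ?(.*)$/i;

// Split an HRESULT into the fields the HRESULT_* macros expose.
function decodeHresult(hex) {
  const value = parseInt(hex, 16);
  return {
    failed: (value >>> 31) === 1,      // severity bit
    facility: (value >>> 16) & 0x1fff, // 7 = FACILITY_WIN32
    code: value & 0xffff,              // Win32 error code when facility is 7
  };
}

// Parse every WIL report in the text, ordered by its sequence number.
function parseWilLines(text) {
  const records = [];
  for (const line of text.split(/\r?\n/)) {
    const m = WIL_LINE.exec(line.trim());
    if (!m) continue; // ModLoad lines, stack frames, blank lines
    records.push({
      file: m[1], line: Number(m[2]), module: m[3],
      address: BigInt("0x" + m[4]), caller: BigInt("0x" + m[5]),
      kind: m[6], seq: Number(m[7]), tid: m[8].toLowerCase(),
      hresult: m[9].toUpperCase(), message: m[10],
    });
  }
  return records.sort((a, b) => a.seq - b.seq);
}

// Reduce the chain to: where it started, what the error is, and the first
// report whose caller is outside the reporting module's address range.
function summarizeFailureChain(text, moduleRange) {
  const records = parseWilLines(text);
  if (records.length === 0) return null;
  const inModule = (a) => a >= moduleRange.base && a < moduleRange.end;
  const origin = records[0];
  const escaped = records.find((r) => !inModule(r.caller)) || null;
  return {
    hops: records.length,
    origin: { file: origin.file, line: origin.line, address: origin.address },
    sameHresult: records.every((r) => r.hresult === origin.hresult),
    hresult: decodeHresult(origin.hresult),
    escapedAt: escaped && { seq: escaped.seq, caller: escaped.caller },
  };
}

const summary = summarizeFailureChain(LOG, MRMCORER);
console.log(`${summary.hops} reports, origin ${summary.origin.file}(${summary.origin.line})`);
console.log(`facility ${summary.hresult.facility}, code ${summary.hresult.code}`);
console.log(`left MrmCoreR at report ${summary.escapedAt.seq}, caller 0x${summary.escapedAt.caller.toString(16)}`);
```

The escaping caller 00007ff7`c8984e5e is the return address shown for the MrmCoreR get_Current frame in the stack traces, which resolves to notepad!GetMrtResourceHandle+0xde; code 2 under FACILITY_WIN32 is ERROR_FILE_NOT_FOUND.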

Then I checked which file APIs might be in use:

0:000> bm ntdll!*File* ".frame;g"
  7: 00007ffa`9d78c8ed @!"ntdll!LdrpQuerySxSMUIFile$fin$0"
  8: 00007ffa`9d6e8b2c @!"ntdll!EtwpCreateFile"
  9: 00007ffa`9d763380 @!"ntdll!RtlGetLocaleFileMappingAddress"
 10: 00007ffa`9d75ba40 @!"ntdll!RtlpOpenBaseImageFileOptionsKey"
 11: 00007ffa`9d75b8d8 @!"ntdll!RtlpOpenImageFileOptionsKeyEx"
 12: 00007ffa`9d71a6cc @!"ntdll!LdrpGetFileSizeFromLoadAsDataTable"
 13: 00007ffa`9d724b78 @!"ntdll!LdrpAppendUnicodeStringToFilenameBuffer"
 14: 00007ffa`9d782a33 @!"ntdll!RtlGetImageFileMachines$fin$1"
 15: 00007ffa`9d782969 @!"ntdll!RtlGetImageFileMachines$filt$0"
 16: 00007ffa`9d6ec008 @!"ntdll!_IsProgramFilesPath"
 17: 00007ffa`9d6e847c @!"ntdll!EtwpAddLogHeaderToLogFile"
 18: 00007ffa`9d6eac08 @!"ntdll!EtwpGenerateFileName"
 19: 00007ffa`9d7434bc @!"ntdll!RtlpGetMUIRedirectedFilePath"
 20: 00007ffa`9d723e94 @!"ntdll!RtlDoesFileExists_UstrEx"
 21: 00007ffa`9d730594 @!"ntdll!GetOverlayFilePathUsingChecksum"
 22: 00007ffa`9d760018 @!"ntdll!LdrpGetFileDriverStoreRoot"
 23: 00007ffa`9d761450 @!"ntdll!RtlQueryImageFileKeyOption"
 24: 00007ffa`9d75d9a8 @!"ntdll!LdrpQuerySxSMUIFile"
 25: 00007ffa`9d744458 @!"ntdll!LdrpResSearchResourceMappedFile"
 26: 00007ffa`9d7337f0 @!"ntdll!LdrpFindLoadedDllByMappingFile"
 27: 00007ffa`9d78b409 @!"ntdll!LdrpGetFileSizeFromLoadAsDataTable$fin$0"
 28: 00007ffa`9d6eab88 @!"ntdll!EtwpAddInstanceIdToLogFileName"
 29: 00007ffa`9d7613b0 @!"ntdll!RtlQueryImageFileExecutionOptions"
 30: 00007ffa`9d72f974 @!"ntdll!LdrpMapDllNtFileName"
 31: 00007ffa`9d7302d8 @!"ntdll!LdrMapAndVerifyResourceFile"
 32: 00007ffa`9d724e80 @!"ntdll!RtlDosApplyFileIsolationRedirection_Ustr"
 33: 00007ffa`9d72dcf4 @!"ntdll!LdrpMapResourceFile"
 34: 00007ffa`9d6edd64 @!"ntdll!LdrpAllocateFileNameBufferIfNeeded"
 35: 00007ffa`9d77003c @!"ntdll!EtwpFinalizeLogFileHeader"
 36: 00007ffa`9d7435c4 @!"ntdll!RtlpGetMUIRedirectedFilePathInternal"
 37: 00007ffa`9d742e50 @!"ntdll!RtlGetFileMUIPath"
 38: 00007ffa`9d75baa0 @!"ntdll!RtlpOpenBaseImageFileOptionsKeyEx"
 39: 00007ffa`9d784990 @!"ntdll!ZwCreateNamedPipeFile"
 40: 00007ffa`9d785670 @!"ntdll!ZwNotifyChangeDirectoryFileEx"
 41: 00007ffa`9d6edccc @!"ntdll!LdrpAppendAnsiStringToFilenameBuffer"
 42: 00007ffa`9d785c10 @!"ntdll!NtQueryEaFile"
 43: 00007ffa`9d783920 @!"ntdll!ZwOpenFile"
 44: 00007ffa`9d785010 @!"ntdll!NtFlushBuffersFileEx"
 45: 00007ffa`9d783c20 @!"ntdll!NtFlushBuffersFile"
 46: 00007ffa`9d7833a0 @!"ntdll!ZwDeviceIoControlFile"
 47: 00007ffa`9d7e9b88 @!"ntdll!RtlpOpenAndMapCustomCultureFile"
 48: 00007ffa`9d783960 @!"ntdll!ZwQueryDirectoryFile"
 49: 00007ffa`9d783d60 @!"ntdll!NtCreateFile"
 50: 00007ffa`9d784d90 @!"ntdll!ZwDeleteFile"
 51: 00007ffa`9d7867f0 @!"ntdll!ZwSetIntervalProfile"
 52: 00007ffa`9d7cc000 @!"ntdll!LdrGetFileNameFromLoadAsDataTable"
 53: 00007ffa`9d785d90 @!"ntdll!ZwQueryIntervalProfile"
 54: 00007ffa`9d808a2c @!"ntdll!AppendCumulativeOverlayFilePath"
 55: 00007ffa`9d7cc04c @!"ntdll!LdrpCnvrtShortToLongFileName"
 56: 00007ffa`9d75a400 @!"ntdll!RtlPcToFileHeader"
 57: 00007ffa`9d75cc28 @!"ntdll!TpBindFileToDirect"
 58: 00007ffa`9d7cfc90 @!"ntdll!LdrpResSetFilePointer"
breakpoint 48 redefined
 48: 00007ffa`9d783960 @!"ntdll!NtQueryDirectoryFile"
breakpoint 49 redefined
 49: 00007ffa`9d783d60 @!"ntdll!ZwCreateFile"
 59: 00007ffa`9d7ebb90 @!"ntdll!RtlIsPartialPlaceholderFileHandle"
 60: 00007ffa`9d7d8f60 @!"ntdll!RtlCreateBootStatusDataFile"
breakpoint 50 redefined
 50: 00007ffa`9d784d90 @!"ntdll!NtDeleteFile"
breakpoint 51 redefined
 51: 00007ffa`9d7867f0 @!"ntdll!NtSetIntervalProfile"
breakpoint 53 redefined
 53: 00007ffa`9d785d90 @!"ntdll!NtQueryIntervalProfile"
 61: 00007ffa`9d743804 @!"ntdll!RtlDoesFileExists_UEx"
breakpoint 40 redefined
 40: 00007ffa`9d785670 @!"ntdll!NtNotifyChangeDirectoryFileEx"
 62: 00007ffa`9d769660 @!"ntdll!RtlIsCloudFilesPlaceholder"
breakpoint 39 redefined
 39: 00007ffa`9d784990 @!"ntdll!NtCreateNamedPipeFile"
 63: 00007ffa`9d743860 @!"ntdll!RtlpFileIsWin32WithRCManifest"
breakpoint 43 redefined
 43: 00007ffa`9d783920 @!"ntdll!NtOpenFile"
breakpoint 44 redefined
 44: 00007ffa`9d785010 @!"ntdll!ZwFlushBuffersFileEx"
breakpoint 42 redefined
 42: 00007ffa`9d785c10 @!"ntdll!ZwQueryEaFile"
breakpoint 45 redefined
 45: 00007ffa`9d783c20 @!"ntdll!ZwFlushBuffersFile"
breakpoint 46 redefined
 46: 00007ffa`9d7833a0 @!"ntdll!NtDeviceIoControlFile"
 64: 00007ffa`9d7849b0 @!"ntdll!ZwCreatePagingFile"
 65: 00007ffa`9d785eb0 @!"ntdll!ZwQueryQuotaInformationFile"
 66: 00007ffa`9d784950 @!"ntdll!NtCreateMailslotFile"
 67: 00007ffa`9d7cf4f8 @!"ntdll!LdrpResReadFile"
 68: 00007ffa`9d7868b0 @!"ntdll!NtSetQuotaInformationFile"
 69: 00007ffa`9d786b10 @!"ntdll!NtStopProfile"
 70: 00007ffa`9d784a70 @!"ntdll!NtCreateProfile"
 71: 00007ffa`9d7bbd1c @!"ntdll!LdrpLogMapAndVerifyResourceFileFailure"
 72: 00007ffa`9d783e50 @!"ntdll!NtCancelIoFile"
 73: 00007ffa`9d7e964c @!"ntdll!RtlpGetCustomCultureDataFromFile"
 74: 00007ffa`9d7839e0 @!"ntdll!NtFsControlFile"
 75: 00007ffa`9d7844f0 @!"ntdll!NtCancelIoFileEx"
 76: 00007ffa`9d786a30 @!"ntdll!NtSetVolumeInformationFile"
 77: 00007ffa`9d7ce718 @!"ntdll!RtlpIsEmptyImageFileOptionsKey"
breakpoint 70 redefined
 70: 00007ffa`9d784a70 @!"ntdll!ZwCreateProfile"
breakpoint 69 redefined
 69: 00007ffa`9d786b10 @!"ntdll!ZwStopProfile"
 78: 00007ffa`9d7b6b40 @!"ntdll!RtlAppxIsFileOwnedByTrustedInstaller"
breakpoint 72 redefined
 72: 00007ffa`9d783e50 @!"ntdll!ZwCancelIoFile"
 79: 00007ffa`9d808c88 @!"ntdll!BuildStandardOverlayFilePath"
breakpoint 74 redefined
 74: 00007ffa`9d7839e0 @!"ntdll!ZwFsControlFile"
breakpoint 75 redefined
 75: 00007ffa`9d7844f0 @!"ntdll!ZwCancelIoFileEx"
breakpoint 76 redefined
 76: 00007ffa`9d786a30 @!"ntdll!ZwSetVolumeInformationFile"
 80: 00007ffa`9d752738 @!"ntdll!LdrpBuildSystem32FileName"
 81: 00007ffa`9d782ed0 @!"ntdll!NpOpenFile"
breakpoint 64 redefined
 64: 00007ffa`9d7849b0 @!"ntdll!NtCreatePagingFile"
 82: 00007ffa`9d808b44 @!"ntdll!BuildCumulativeOverlayFilePath"
breakpoint 66 redefined
 66: 00007ffa`9d784950 @!"ntdll!ZwCreateMailslotFile"
breakpoint 65 redefined
 65: 00007ffa`9d785eb0 @!"ntdll!NtQueryQuotaInformationFile"
breakpoint 68 redefined
 68: 00007ffa`9d7868b0 @!"ntdll!ZwSetQuotaInformationFile"
 83: 00007ffa`9d7cfd30 @!"ntdll!LdrpResValidateFilePath"
 84: 00007ffa`9d7865f0 @!"ntdll!NtSetEaFile"
 85: 00007ffa`9d7837a0 @!"ntdll!NtSetInformationFile"
 86: 00007ffa`9d785330 @!"ntdll!ZwInitializeNlsFiles"
 87: 00007ffa`9d782540 @!"ntdll!RtlGetImageFileMachines"
 88: 00007ffa`9d761370 @!"ntdll!LdrQueryImageFileExecutionOptions"
 89: 00007ffa`9d784a90 @!"ntdll!NtCreateProfileEx"
 90: 00007ffa`9d7854b0 @!"ntdll!NtLockFile"
 91: 00007ffa`9d785c30 @!"ntdll!ZwQueryFullAttributesFile"
 92: 00007ffa`9d785bb0 @!"ntdll!ZwQueryDirectoryFileEx"
 93: 00007ffa`9d783620 @!"ntdll!NtWriteFileGather"
 94: 00007ffa`9d802dc0 @!"ntdll!EtwpFinalizeRelogFileHeaderStats"
 95: 00007ffa`9d783a60 @!"ntdll!NtQueryAttributesFile"
 96: 00007ffa`9d7834e0 @!"ntdll!ZwQueryInformationFile"
 97: 00007ffa`9d786c90 @!"ntdll!ZwTranslateFilePath"
breakpoint 90 redefined
 90: 00007ffa`9d7854b0 @!"ntdll!ZwLockFile"
breakpoint 92 redefined
 92: 00007ffa`9d785bb0 @!"ntdll!NtQueryDirectoryFileEx"
breakpoint 91 redefined
 91: 00007ffa`9d785c30 @!"ntdll!NtQueryFullAttributesFile"
 98: 00007ffa`9d7ce698 @!"ntdll!RtlpDeleteEmptyImageFileOptionsKey"
breakpoint 93 redefined
 93: 00007ffa`9d783620 @!"ntdll!ZwWriteFileGather"
breakpoint 95 redefined
 95: 00007ffa`9d783a60 @!"ntdll!ZwQueryAttributesFile"
breakpoint 97 redefined
 97: 00007ffa`9d786c90 @!"ntdll!NtTranslateFilePath"
breakpoint 96 redefined
 96: 00007ffa`9d7834e0 @!"ntdll!NtQueryInformationFile"
breakpoint 84 redefined
 84: 00007ffa`9d7865f0 @!"ntdll!ZwSetEaFile"
breakpoint 85 redefined
 85: 00007ffa`9d7837a0 @!"ntdll!ZwSetInformationFile"
breakpoint 86 redefined
 86: 00007ffa`9d785330 @!"ntdll!NtInitializeNlsFiles"
breakpoint 89 redefined
 89: 00007ffa`9d784a90 @!"ntdll!ZwCreateProfileEx"
 99: 00007ffa`9d8023f4 @!"ntdll!EtwpIncrementUmLoggerFile"
100: 00007ffa`9d783be0 @!"ntdll!NtQueryVolumeInformationFile"
101: 00007ffa`9d7cf184 @!"ntdll!LdrpResMapFile"
102: 00007ffa`9d783380 @!"ntdll!ZwReadFile"
103: 00007ffa`9d783880 @!"ntdll!NtReadFileScatter"
104: 00007ffa`9d741970 @!"ntdll!RtlDoesFileExists_U"
105: 00007ffa`9d7833c0 @!"ntdll!ZwWriteFile"
106: 00007ffa`9d786d50 @!"ntdll!NtUnlockFile"
107: 00007ffa`9d786af0 @!"ntdll!NtStartProfile"
108: 00007ffa`9d784470 @!"ntdll!NtAreMappedFilesTheSame"
109: 00007ffa`9d7e9768 @!"ntdll!RtlpGetFileSize"
110: 00007ffa`9d7246e4 @!"ntdll!LdrpApplyFileNameRedirection"
111: 00007ffa`9d784510 @!"ntdll!NtCancelSynchronousIoFile"
112: 00007ffa`9d785650 @!"ntdll!ZwNotifyChangeDirectoryFile"
113: 00007ffa`9d808ae8 @!"ntdll!AppendStandardOverlayFilePath"
breakpoint 103 redefined
103: 00007ffa`9d783880 @!"ntdll!ZwReadFileScatter"
breakpoint 106 redefined
106: 00007ffa`9d786d50 @!"ntdll!ZwUnlockFile"
breakpoint 105 redefined
105: 00007ffa`9d7833c0 @!"ntdll!NtWriteFile"
breakpoint 107 redefined
107: 00007ffa`9d786af0 @!"ntdll!ZwStartProfile"
114: 00007ffa`9d7cf010 @!"ntdll!LdrpResFileSize"
breakpoint 108 redefined
108: 00007ffa`9d784470 @!"ntdll!ZwAreMappedFilesTheSame"
115: 00007ffa`9d7c5864 @!"ntdll!AVrfOpenCurrentUserImageFileOptionsKey"
116: 00007ffa`9d7cfcd4 @!"ntdll!LdrpResValidateFileHandle"
117: 00007ffa`9d7caec8 @!"ntdll!RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation"
breakpoint 112 redefined
112: 00007ffa`9d785650 @!"ntdll!NtNotifyChangeDirectoryFile"
breakpoint 111 redefined
111: 00007ffa`9d784510 @!"ntdll!ZwCancelSynchronousIoFile"
118: 00007ffa`9d7cc990 @!"ntdll!RtlOpenImageFileOptionsKey"
119: 00007ffa`9d7ebbf0 @!"ntdll!RtlIsPartialPlaceholderFileInfo"
breakpoint 100 redefined
100: 00007ffa`9d783be0 @!"ntdll!ZwQueryVolumeInformationFile"
breakpoint 102 redefined
102: 00007ffa`9d783380 @!"ntdll!NtReadFile"
0:000> g
00 000000d5`df67ea48 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e9a8 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9a8 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9a8 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea48 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e9a8 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9a8 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9a8 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eac8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ea28 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea28 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea28 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67dca8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67dc08 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67dc08 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67dc08 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9e8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e948 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e9e8 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9e8 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9e8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e948 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9e8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e948 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9e8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e948 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ee08 00007ffa`9b3712a6     ntdll!RtlPcToFileHeader
00 000000d5`df67ee08 00007ffa`9b3711c6     ntdll!RtlPcToFileHeader
00 000000d5`df67e228 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e188 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67df78 00007ffa`9d72f5eb     ntdll!NtQueryAttributesFile
00 000000d5`df67e0b8 00007ffa`9d72f519     ntdll!LdrpFindLoadedDllByMappingFile
00 000000d5`df67dfe8 00007ffa`9d73385f     ntdll!NtOpenFile
00 000000d5`df67e208 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e168 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
ModLoad: 00007ffa`9b750000 00007ffa`9b781000   C:\WINDOWS\System32\IMM32.DLL
00 000000d5`df67dcb8 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67dd88 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67da28 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67da28 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67da28 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67da28 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d3d8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67d398 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67d368 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67d2c8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67d368 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d4e8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67d4a8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67d478 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67d3d8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67d478 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d478 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d6a8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67d608 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e4a8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e408 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e228 00007ffa`9b592b17     ntdll!LdrQueryImageFileExecutionOptions
00 000000d5`df67e1d8 00007ffa`9d761399     ntdll!RtlQueryImageFileExecutionOptions
00 000000d5`df67e188 00007ffa`9d7613e8     ntdll!RtlpOpenImageFileOptionsKeyEx
00 000000d5`df67e0b8 00007ffa`9d75b971     ntdll!RtlpOpenBaseImageFileOptionsKey
00 000000d5`df67e188 00007ffa`9d761429     ntdll!RtlQueryImageFileKeyOption
00 000000d5`df67e228 00007ffa`9b592b17     ntdll!LdrQueryImageFileExecutionOptions
00 000000d5`df67e1d8 00007ffa`9d761399     ntdll!RtlQueryImageFileExecutionOptions
00 000000d5`df67e188 00007ffa`9d7613e8     ntdll!RtlpOpenImageFileOptionsKeyEx
00 000000d5`df67e0b8 00007ffa`9d75b971     ntdll!RtlpOpenBaseImageFileOptionsKey
00 000000d5`df67e188 00007ffa`9d761429     ntdll!RtlQueryImageFileKeyOption
00 000000d5`df67dcd8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67dc98 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67dc68 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67dbc8 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67dbc8 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67dbc8 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d988 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67d948 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67d918 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67d878 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d878 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d878 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67dc68 00007ffa`9d7632da     ntdll!RtlGetLocaleFileMappingAddress
00 000000d5`df67d538 00007ffa`9d721f93     ntdll!LdrpQuerySxSMUIFile
00 000000d5`df67d2f8 00007ffa`9d75da77     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67d538 00007ffa`9d72214b     ntdll!GetOverlayFilePathUsingChecksum
00 000000d5`df67d138 00007ffa`9d730552     ntdll!_IsProgramFilesPath
00 000000d5`df67d538 00007ffa`9d7222f6     ntdll!LdrMapAndVerifyResourceFile
00 000000d5`df67d4b8 00007ffa`9d730372     ntdll!LdrpMapResourceFile
00 000000d5`df67d3a8 00007ffa`9d72de06     ntdll!NtOpenFile
00 000000d5`df67d538 00007ffa`9d72232c     ntdll!LdrpGetFileDriverStoreRoot
00 000000d5`df67d538 00007ffa`9d721f93     ntdll!LdrpQuerySxSMUIFile
00 000000d5`df67d2f8 00007ffa`9d75da77     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67d538 00007ffa`9d72214b     ntdll!GetOverlayFilePathUsingChecksum
00 000000d5`df67d138 00007ffa`9d730552     ntdll!_IsProgramFilesPath
00 000000d5`df67d538 00007ffa`9d7222f6     ntdll!LdrMapAndVerifyResourceFile
00 000000d5`df67d4b8 00007ffa`9d730372     ntdll!LdrpMapResourceFile
00 000000d5`df67d3a8 00007ffa`9d72de06     ntdll!NtOpenFile
00 000000d5`df67d538 00007ffa`9d72232c     ntdll!LdrpGetFileDriverStoreRoot
00 000000d5`df67df58 00007ffa`9d746c81     ntdll!NtQueryAttributesFile
00 000000d5`df67e128 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e088 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e128 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d958 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67d918 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67d8e8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67d848 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d848 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67d848 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e7a8 00007ffa`9b592b17     ntdll!LdrQueryImageFileExecutionOptions
00 000000d5`df67e758 00007ffa`9d761399     ntdll!RtlQueryImageFileExecutionOptions
00 000000d5`df67e708 00007ffa`9d7613e8     ntdll!RtlpOpenImageFileOptionsKeyEx
00 000000d5`df67e638 00007ffa`9d75b971     ntdll!RtlpOpenBaseImageFileOptionsKey
00 000000d5`df67e708 00007ffa`9d761429     ntdll!RtlQueryImageFileKeyOption
00 000000d5`df67ebb8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67eb18 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ebb8 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eb38 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ea98 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea98 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea98 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e898 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e858 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e828 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e788 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e828 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e828 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9c8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e928 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e9c8 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eb28 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ea88 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67eb28 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eb38 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ea98 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea98 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea98 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e898 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e858 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e828 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e788 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e828 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e828 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ed48 00007ffa`9c9674ac     ntdll!RtlPcToFileHeader
00 000000d5`df67db68 00007ffa`9c89a9ee     ntdll!NtOpenFile
00 000000d5`df67da48 00007ffa`9c8990da     ntdll!NtQueryInformationFile
00 000000d5`df67db18 00007ffa`9c89de99     ntdll!NtQueryVolumeInformationFile
00 000000d5`df67e818 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e778 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e818 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e818 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e818 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e778 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e818 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e818 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f918 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67f878 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f878 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f878 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f678 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67f638 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67f608 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67f568 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67f608 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f608 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f678 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67f638 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67f608 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67f568 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67f608 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f608 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f828 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67f788 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67f828 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eda8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67ed68 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ed38 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ec98 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ed38 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
ModLoad: 00007ffa`9ca10000 00007ffa`9cabc000   C:\WINDOWS\System32\ADVAPI32.dll
00 000000d5`df67e7e8 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67e8b8 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67e558 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e558 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e558 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e558 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
ModLoad: 00007ffa`9be80000 00007ffa`9bf1d000   C:\WINDOWS\System32\sechost.dll
00 000000d5`df67e0a8 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67e178 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67de18 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67de18 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e558 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e558 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e558 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e558 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e558 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e558 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e558 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e558 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eeb8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67ee78 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ee48 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67eda8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ee48 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ee48 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eeb8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67ee78 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ee48 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67eda8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ee48 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ee48 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eeb8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67ee78 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ee48 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67eda8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ee48 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ee48 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eeb8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67ee78 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ee48 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67eda8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ee48 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ee48 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f088 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67f048 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67f018 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ef78 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67f018 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
ModLoad: 00007ffa`9b400000 00007ffa`9b480000   C:\WINDOWS\System32\bcryptPrimitives.dll
00 000000d5`df67eac8 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67eb98 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67e838 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e838 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eb48 00007ffa`9b421e54     ntdll!NtOpenFile
00 000000d5`df67eb18 00007ffa`9ae83edb     ntdll!NtDeviceIoControlFile
00 000000d5`df67ed38 00007ffa`9aea71d0     ntdll!RtlPcToFileHeader
00 000000d5`df67f6b8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67f618 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67f408 00007ffa`9d72f5eb     ntdll!NtQueryAttributesFile
00 000000d5`df67f548 00007ffa`9d72f519     ntdll!LdrpFindLoadedDllByMappingFile
00 000000d5`df67f478 00007ffa`9d73385f     ntdll!NtOpenFile
00 000000d5`df67ede8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67eda8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ed78 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ecd8 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ecd8 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ecd8 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea28 00007ffa`9d72f5eb     ntdll!NtQueryAttributesFile
00 000000d5`df67eb68 00007ffa`9d730fac     ntdll!LdrpMapDllNtFileName
00 000000d5`df67ea58 00007ffa`9d72fa61     ntdll!NtOpenFile
ModLoad: 00007ffa`98e10000 00007ffa`98e28000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
00 000000d5`df67e608 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67e6d8 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67e378 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e378 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e378 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e378 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e378 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e378 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eed8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67ee98 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ee68 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67edc8 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67edc8 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67edc8 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67efe8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67efa8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67ef78 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67eed8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ef78 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ef78 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ee68 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67edc8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67eb18 00007ffa`9d72f5eb     ntdll!NtQueryAttributesFile
00 000000d5`df67ec58 00007ffa`9d730fac     ntdll!LdrpMapDllNtFileName
00 000000d5`df67eb48 00007ffa`9d72fa61     ntdll!NtOpenFile
ModLoad: 00007ffa`960a0000 00007ffa`9614c000   C:\WINDOWS\system32\uxtheme.dll
00 000000d5`df67e6f8 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67e7c8 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67e468 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e468 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e468 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e468 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e468 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e468 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f028 00007ffa`9aea71d0     ntdll!RtlPcToFileHeader
00 000000d5`df67f348 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67f2a8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67f348 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eb58 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67eb18 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67eae8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ea48 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea48 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea48 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
ModLoad: 00007ffa`9cd20000 00007ffa`9cdcf000   C:\WINDOWS\System32\clbcatq.dll
00 000000d5`df67e598 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67e668 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67e308 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e308 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e308 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e308 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e308 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e308 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e308 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e308 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f168 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67f0c8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67ee18 00007ffa`9d72f5eb     ntdll!NtQueryAttributesFile
00 000000d5`df67ef58 00007ffa`9d730fac     ntdll!LdrpMapDllNtFileName
00 000000d5`df67ee48 00007ffa`9d72fa61     ntdll!NtOpenFile
ModLoad: 00007ffa`87460000 00007ffa`87561000   C:\Windows\System32\MrmCoreR.dll
00 000000d5`df67e9f8 00007ffa`9d71f6d9     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67eac8 00007ffa`9d744321     ntdll!LdrpResSearchResourceMappedFile
00 000000d5`df67e768 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e768 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e768 00007ffa`9d71e4e9     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e768 00007ffa`9d71e581     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67eaa8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67ea08 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea08 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea08 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e808 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e7c8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e798 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e6f8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e798 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e798 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea58 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67ea18 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e9e8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e948 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e948 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e908 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e8c8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e898 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e7f8 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e7f8 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e7f8 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9a8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e968 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e938 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e898 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e898 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e898 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e9a8 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e968 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e938 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e898 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e898 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e898 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67ea08 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e9c8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e998 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e8f8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e998 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e738 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e6f8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e6c8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e628 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e628 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e628 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e638 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e5f8 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e5c8 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e528 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e528 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e528 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e588 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e548 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e518 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e478 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e478 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e478 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e688 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e648 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e618 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e578 00007ffa`9d72485a     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e578 00007ffa`9d724869     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e578 00007ffa`9d724876     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e798 00007ffa`9d72322e     ntdll!LdrpAppendAnsiStringToFilenameBuffer
00 000000d5`df67e758 00007ffa`9d6edd06     ntdll!LdrpAllocateFileNameBufferIfNeeded
00 000000d5`df67e728 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67e688 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67e728 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67e728 00007ffa`9d7245ec     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67f358 00007ffa`9ae84d65     ntdll!NtQueryFullAttributesFile
00 000000d5`df67f218 00007ffa`9ae84d65     ntdll!NtQueryFullAttributesFile
00 000000d5`df67ddc8 00007ffa`9aea71d0     ntdll!RtlPcToFileHeader
00 000000d5`df67d868 00007ffa`9d724528     ntdll!LdrpApplyFileNameRedirection
00 000000d5`df67d7c8 00007ffa`9d7247e1     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67d868 00007ffa`9d724583     ntdll!LdrpAppendUnicodeStringToFilenameBuffer
00 000000d5`df67cd68 00007ffa`9d721f93     ntdll!LdrpQuerySxSMUIFile
00 000000d5`df67cb28 00007ffa`9d75da77     ntdll!RtlDosApplyFileIsolationRedirection_Ustr
00 000000d5`df67cd68 00007ffa`9d72214b     ntdll!GetOverlayFilePathUsingChecksum
00 000000d5`df67cd68 00007ffa`9d7222f6     ntdll!LdrMapAndVerifyResourceFile
00 000000d5`df67cce8 00007ffa`9d730372     ntdll!LdrpMapResourceFile
00 000000d5`df67cbd8 00007ffa`9d72de06     ntdll!NtOpenFile
00 000000d5`df67cac8 00007ffa`9d71a335     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67d708 00007ffa`9d71a335     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67d998 00007ffa`9d71a335     ntdll!LdrpGetFileSizeFromLoadAsDataTable
 # Child-SP          RetAddr               Call Site
00 000000d5`df67dfb8 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 000000d5`df67dfc0 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 000000d5`df67f4d0 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 000000d5`df67f550 00007ffa`874759ad     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18
04 000000d5`df67f5a0 00007ffa`87478636     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::LoadPriFiles+0x505
05 000000d5`df67f680 00007ffa`8746f2c0     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::LoadPriFile+0x20a
06 000000d5`df67f7b0 00007ffa`8749e1d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::InitializeWithProfile+0x168
07 000000d5`df67f860 00007ffa`8749e0d6     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_CreatePackageDefaultResourceManagerInternal+0xe6
08 000000d5`df67fb50 00007ffa`8746f016     MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0x1e
09 000000d5`df67fb80 00007ff7`c8984e5e     MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0xf6
0a 000000d5`df67fbd0 00007ff7`c896c22f     notepad!GetMrtResourceHandle+0xde
0b 000000d5`df67fc50 00007ff7`c89859b6     notepad!wWinMain+0x137
0c 000000d5`df67fd00 00007ffa`9c8a54e0     notepad!__scrt_common_main_seh+0x106
0d 000000d5`df67fd40 00007ffa`9d6e485b     KERNEL32!BaseThreadInitThunk+0x10
0e 000000d5`df67fd70 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(731)\MrmCoreR.dll!00007FFA874759AD: (caller: 00007FFA87478636) ReturnHr(1) tid(9654) 80070002 The system cannot find the file specified.
00 000000d5`df67d7e8 00007ffa`9d71a335     ntdll!LdrpGetFileSizeFromLoadAsDataTable
00 000000d5`df67da78 00007ffa`9d71a335     ntdll!LdrpGetFileSizeFromLoadAsDataTable
 # Child-SP          RetAddr               Call Site
00 000000d5`df67e098 00007ffa`874c2d6f     KERNELBASE!OutputDebugStringW
01 000000d5`df67e0a0 00007ffa`874c2805     MrmCoreR!wil::details::ReportFailure_Return<1>+0x25f
02 000000d5`df67f5b0 00007ffa`874c392c     MrmCoreR!wil::details::ReportFailure_Hr<1>+0x59
03 000000d5`df67f630 00007ffa`874b4c69     MrmCoreR!wil::details::in1diag3::Return_Hr+0x18

This output shows ntdll!NtQueryFullAttributesFile on the stack, so the next step was to set a breakpoint on the documented API that calls it, GetFileAttributesExW, and dump the filename. We could extract the parameters from the ntdll API, but this is easier.

0:000> bm KERNELBASE!GetFileAttributesExW ".printf \"GetFileAttributesExW('%mu')\\r\\n\",@rcx;g"
breakpoint 0 redefined
  0: 00007ffa`9ae84cd0 @!"KERNELBASE!GetFileAttributesExW"
0:000> g
ModLoad: 00007ffa`9b750000 00007ffa`9b781000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffa`9ca10000 00007ffa`9cabc000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffa`9be80000 00007ffa`9bf1d000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffa`9b400000 00007ffa`9b480000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffa`98e10000 00007ffa`98e28000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
ModLoad: 00007ffa`960a0000 00007ffa`9614c000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00007ffa`9cd20000 00007ffa`9cdcf000   C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffa`87460000 00007ffa`87561000   C:\Windows\System32\MrmCoreR.dll
GetFileAttributesExW('C:\support\resources.pri')
GetFileAttributesExW('C:\support\resources.pri')
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(731)\MrmCoreR.dll!00007FFA874759AD: (caller: 00007FFA87478636) ReturnHr(1) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(573)\MrmCoreR.dll!00007FFA874B4C69: (caller: 00007FFA8746F2C0) ReturnHr(2) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(331)\MrmCoreR.dll!00007FFA874B1756: (caller: 00007FFA8749E1D6) ReturnHr(3) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(164)\MrmCoreR.dll!00007FFA874C1BB8: (caller: 00007FFA8749E0D6) ReturnHr(4) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1374)\MrmCoreR.dll!00007FFA874C1CDB: (caller: 00007FFA8749E0D6) ReturnHr(5) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(1273)\MrmCoreR.dll!00007FFA874C1B7C: (caller: 00007FFA8746F016) ReturnHr(6) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\com\winrt\core\winrtresourcemanager.cpp(603)\MrmCoreR.dll!00007FFA8746F002: (caller: 00007FF7C8984E5E) ReturnHr(7) tid(2144) 80070002 The system cannot find the file specified.
ntdll!NtTerminateProcess+0x14:

The Package Resource Indexing (PRI) files are normally part of an AppX package…

Checking lmv for notepad, we could see that a copy of notepad.exe was in my current directory, but the entire AppX folder had not been copied. So in this case the issue could be resolved simply by deleting notepad.exe from the current directory.

In previous versions of Windows a simple copy of notepad.exe would still work if relocated, but in this scenario, because it is part of a complete package, all files are needed. That is, on this machine the entire installation of Notepad is now contained within C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe

0:000> lmvlm notepad
Browse full module list
start             end                 module name
00007ff7`c8960000 00007ff7`c899a000   notepad    (pdb symbols)          c:\symbols\notepad.pdb\6539CE998C7CAFD73A8E13A54542E1121\notepad.pdb
    Loaded symbol image file: C:\support\notepad.exe
    Image path: notepad.exe
    Image name: notepad.exe
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        F57E80D4 (This is a reproducible build file hash, not a timestamp)
    CheckSum:         0003CCD9
    ImageSize:        0003A000
    File version:     10.0.19041.1081
    Product version:  10.0.19041.1081
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     Notepad
        OriginalFilename: NOTEPAD.EXE
        ProductVersion:   10.0.19041.1081
        FileVersion:      10.0.19041.1081 (WinBuild.160101.0800)
        FileDescription:  Notepad
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

But what about these other notepad.exe …

To work out more about this new startup process I used a combination of WinDbg, IDA Pro and ProcMon.

With ProcMon we can see that the Image File Execution Options key is loaded with AppExecutionAliasRedirect set to 1.

We then see in the ProcMon stack trace that apisethost.appexecutionalias.dll is called:

To analyze this in more detail I used a Time Travel Debugging (TTD) trace.

We find it hits the function here:

0:000> bc *
0:000> bm apisethost.appexecutionalias.dll!*LoadAppExecutionAlias*
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_appexecutionalias_l1_1_3_LoadAppExecutionAliasInfoEx"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_appexecutionalias_l1_1_2_LoadAppExecutionAliasInfoEx"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_appexecutionalias_l1_1_1_LoadAppExecutionAliasInfoEx"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_appexecutionalias_l1_1_0_LoadAppExecutionAliasInfoEx"
  2: 00007ffa`9af03457 @!"KERNELBASE!_imp_load_LoadAppExecutionAliasInfoEx"
  3: 00007ffa`9af03378 @!"KERNELBASE!IsLoadAppExecutionAliasInfoExPresent"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_appexecutionalias_l1_1_4_LoadAppExecutionAliasInfoEx"
  4: 00007ffa`9af8efec @!"KERNELBASE!LoadAppExecutionAliasInfoForExecutable"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_daxcore_l1_1_2_LoadAppExecutionAliasInfo"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_daxcore_l1_1_3_LoadAppExecutionAliasInfo"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_daxcore_l1_1_0_LoadAppExecutionAliasInfo"
breakpoint 1 redefined
  1: 00007ffa`9af01df0 @!"KERNELBASE!ext_ms_win_appmodel_daxcore_l1_1_1_LoadAppExecutionAliasInfo"
0:000> !tt 0
Setting position to the beginning of the trace
Setting position: F:0
(597c.a954): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: F:0
ntdll!LdrInitializeThunk:
00007ffa`9d75a6d0 4053            push    rbx
0:000> g
ModLoad: 00007ffa`9be80000 00007ffa`9bf1d000   C:\WINDOWS\System32\sechost.dll
Breakpoint 4 hit
Time Travel Position: 99D:40
KERNELBASE!LoadAppExecutionAliasInfoForExecutable:
00007ffa`9af8efec 488bc4          mov     rax,rsp

Here is the function in pseudo-code, which could be investigated further to work out how this process works. First, from within kernelbase!CreateProcessInternalW:

        v269 = 0;
        v140 = LdrQueryImageFileKeyOption(v76, L"AppExecutionAliasRedirect", 4u, &v269, 4u, 0i64);
        if ( v140 >= 0 && v269 == 1 )
        {
          v79 = LoadAppExecutionAliasInfoForExecutable(
                  (__int64)DestinationString.Buffer,
                  (__int64)v263,
                  ProcessHeap,
                  (__int64)&v149);
          v140 = v79;
          if ( v79 >= 0 && v149 )
          {
            v79 = ValidateAppExecutionAliasRedirectPackageIdentity(v76);
            v140 = v79;
          }
          else if ( v79 == -1073267456 )
          {
            NtClose(v76);
            goto LABEL_57;
          }
          if ( v79 >= 0 )
          {
            DosPathName = (LPCWSTR)v149[1];
            v211 = (HANDLE)v149[2];
            v80 = (void *)BuildAppExecutionAliasCommandLine(pszSrc, v149, ProcessHeap);
            v286 = v80;
            v81 = pszSrc;
            if ( v80 )
              v81 = (const wchar_t *)v80;
            pszSrc = v81;
            if ( *((_DWORD *)v149 + 8) != 1 )
            {
              RtlInitUnicodeString(&v234, (PCWSTR)*v149);
              v209 = 0;
            }
          }

Which calls into this function:

__int64 __fastcall LoadAppExecutionAliasInfoForExecutable(__int64 a1, __int64 a2, void *a3, __int64 a4)
{
  void *v4; // rdi
  signed int AppExecutionAliasInfo; // ebx
  PVOID Heap; // rax
  int v12[10]; // [rsp+20h] [rbp-28h] BYREF

  v4 = 0i64;
  v12[0] = 0;
  if ( !(unsigned __int8)IsGetAppExecutionAliasPathPresent() || !(unsigned __int8)IsLoadAppExecutionAliasInfoExPresent() )
    return 3221225474i64;
  LOWORD(AppExecutionAliasInfo) = GetAppExecutionAliasPath(a1, a2, 0i64, v12);
  if ( (_WORD)AppExecutionAliasInfo == 122 )
  {
    Heap = RtlAllocateHeap(a3, 0, 2i64 * (unsigned int)v12[0]);
    v4 = Heap;
    if ( Heap )
      LOWORD(AppExecutionAliasInfo) = GetAppExecutionAliasPath(a1, a2, Heap, v12);
  }
  AppExecutionAliasInfo = (unsigned __int16)AppExecutionAliasInfo;
  if ( (_WORD)AppExecutionAliasInfo )
    AppExecutionAliasInfo = (unsigned __int16)AppExecutionAliasInfo | 0xC0070000;
  if ( AppExecutionAliasInfo >= 0 )
    AppExecutionAliasInfo = LoadAppExecutionAliasInfoEx(v4, a2, a4);
  if ( v4 )
    RtlFreeHeap(a3, 0, v4);
  return (unsigned int)AppExecutionAliasInfo;
}
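
Added example (not part of the original post, and not Microsoft's code): a Python helper that decodes the status constants the decompiler printed above (3221225474, -1073267456 and the `| 0xC0070000` conversion) and parses the MrmCoreR failure lines from the earlier debugger output, so the first failure site and its HRESULT can be read off directly. The function names and the two small name tables are assumptions made for this example.

```python
import re

# Facility 7 marks a wrapped Win32 error in both encodings
# (FACILITY_WIN32 in an HRESULT, FACILITY_NTWIN32 in an NTSTATUS).
FACILITY_WIN32 = 7

# Only well-known names are listed; every other value is reported numerically.
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 122: "ERROR_INSUFFICIENT_BUFFER"}
NTSTATUS_NAMES = {0xC0000002: "STATUS_NOT_IMPLEMENTED"}

# Layout of the failure lines MrmCoreR.dll wrote to the debugger in the output above.
FAILURE_LINE = re.compile(
    r"^(?P<source>.+?)\((?P<line>\d+)\)\\(?P<module>[^!\\]+)!(?P<address>[0-9A-Fa-f]+): "
    r"\(caller: (?P<caller>[0-9A-Fa-f]+)\) (?P<kind>\w+)\((?P<counter>\d+)\) "
    r"tid\((?P<tid>[0-9A-Fa-f]+)\) (?P<hr>[0-9A-Fa-f]{8})(?: (?P<message>.*))?$"
)

# Three failure lines copied from the page, plus one breakpoint line that must be skipped.
SAMPLE = r"""
GetFileAttributesExW('C:\support\resources.pri')
onecoreuap\base\mrt\runtime\com\winrt\core\winrtresourcemanager.cpp(603)\MrmCoreR.dll!00007FFA8746F002: (caller: 00007FF7C8984E5E) ReturnHr(7) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(731)\MrmCoreR.dll!00007FFA874759AD: (caller: 00007FFA87478636) ReturnHr(1) tid(2144) 80070002 The system cannot find the file specified.
onecoreuap\base\mrt\runtime\src\cresourcemanagerinternal.cpp(573)\MrmCoreR.dll!00007FFA874B4C69: (caller: 00007FFA8746F2C0) ReturnHr(2) tid(2144) 80070002 The system cannot find the file specified.
"""


def to_u32(value):
    """Normalise a constant as the decompiler prints it (signed or 64-bit) to 32 bits."""
    return value & 0xFFFFFFFF


def ntstatus_from_win32(err):
    """The `(unsigned __int16)x | 0xC0070000` step from the pseudo-code; 0 stays success."""
    err &= 0xFFFF
    return 0xC0070000 | err if err else 0


def decode(value, kind):
    """Split an 'ntstatus' or 'hresult' value into its fields."""
    if kind not in ("ntstatus", "hresult"):
        raise ValueError("kind must be 'ntstatus' or 'hresult'")
    v = to_u32(value)
    # NTSTATUS has a 12-bit facility in bits 16-27, HRESULT an 11-bit one in bits 16-26.
    facility = (v >> 16) & (0xFFF if kind == "ntstatus" else 0x7FF)
    code = v & 0xFFFF
    failed = bool(v >> 31)  # sign bit set: the same test as the pseudo-code's `v79 >= 0`
    win32 = code if failed and facility == FACILITY_WIN32 else None
    if win32 is not None:
        name = WIN32_NAMES.get(win32)
    else:
        name = NTSTATUS_NAMES.get(v) if kind == "ntstatus" else None
    return {"hex": f"0x{v:08X}", "failed": failed, "facility": facility,
            "code": code, "win32": win32, "name": name}


def failure_chain(text):
    """Parse failure lines and return them ordered by their ReturnHr(n) counter."""
    chain = []
    for raw in text.splitlines():
        m = FAILURE_LINE.match(raw.strip())
        if not m:
            continue  # ModLoad lines, breakpoint output, disassembly and so on
        chain.append({
            "source": m["source"],
            "line": int(m["line"]),
            "module": m["module"],
            "counter": int(m["counter"]),
            "hr": decode(int(m["hr"], 16), "hresult"),
            "message": m["message"],
        })
    # The lowest counter is the first failure reported; later entries are its callers.
    return sorted(chain, key=lambda entry: entry["counter"])


if __name__ == "__main__":
    for constant in (3221225474, -1073267456):
        print(constant, decode(constant, "ntstatus"))
    print(hex(ntstatus_from_win32(122)))
    for entry in failure_chain(SAMPLE):
        print(entry["counter"], entry["source"], entry["line"], entry["hr"]["name"])
```

The -1073267456 that CreateProcessInternalW compares against decodes to 0xC0073D00, that is, Win32 error 15616 wrapped as an NTSTATUS; the example reports it numerically rather than naming it.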

Based on this we can get the AppX package name after the function has been called:

0:000> .printf "%mu",poi(poi(@rsp+0E8h))
Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe
0:000> .printf "%mu",poi(poi(@rsp+0E8h)+8)
C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe

Case of the PowerShell Error Occurred While Creating The Pipeline

Running a script several thousand lines long resulted in the error:

An error occurred while creating the pipeline.
+ CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RuntimeException

Unfortunately there was no indication of a line number or any other useful information on what the issue may be related to.

I used WinDbg to attach to the PowerShell process.

Then, after using the .loadby sos clr command and g to continue the debugger, I tried running my script again. We can see multiple CLR exceptions are thrown.

0:011> .loadby sos clr
0:011> g
(6430.6394): CLR exception - code e0434352 (first chance)
(6430.6394): CLR exception - code e0434352 (first chance)
(6430.6394): CLR exception - code e0434352 (first chance)
(6430.6394): CLR exception - code e0434352 (first chance)
(6430.4f78): CLR exception - code e0434352 (first chance)

After hitting the “break” button or Ctrl+C in WinDbg, we can set a command that shows each CLR exception and a CLR stack trace with parameters when it is hit, then automatically continues:

0:011> sxe -c "!pe;!clrstack -p;g" e0434352
0:011> g

Now we re-run the script and get the following output:

0:011> g
(6430.6394): CLR exception - code e0434352 (first chance)
Exception object: 000002802cffff88
Exception type:   System.ArgumentNullException
Message:          Value cannot be null.
InnerException:   <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004003
OS Thread Id: 0x6394 (6)
        Child SP               IP Call Site
000000b78e94e058 00007ff8ef1f4f99 [HelperMethodFrame: 000000b78e94e058] 
000000b78e94e140 00007ff8d1492a92 System.Reflection.Emit.FieldBuilder..ctor(System.Reflection.Emit.TypeBuilder, System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        typeBuilder = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e1c0 00007ff8d071e040 System.Reflection.Emit.TypeBuilder.DefineFieldNoLock(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e240 00007ff8d071df00 System.Reflection.Emit.TypeBuilder.DefineField(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e2d0 00007ff87da5908d System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.EmitPropertyIl(System.Management.Automation.Language.PropertyMemberAst, System.Type)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48
        type (<CLR reg>) = 0x0000000000000000

000000b78e94e4d0 00007ff87da58f77 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineProperty(System.Management.Automation.Language.PropertyMemberAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48

000000b78e94e520 00007ff87da58ab6 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineMembers()
    PARAMETERS:
        this (0x000000b78e94e5c0) = 0x000002802cffe520

000000b78e94e5c0 00007ff87d9a9f92 System.Management.Automation.Language.TypeDefiner.DefineTypes(System.Management.Automation.Language.Parser, System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        parser (0x000000b78e94e6c0) = 0x000002802cffd810
        rootAst = <no data>
        typeDefinitions = <no data>

000000b78e94e6c0 00007ff87d883d0b System.Management.Automation.Language.Compiler.DefinePowerShellTypes(System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        rootForDefiningTypes = <no data>
        typeAsts (<CLR reg>) = 0x000002802cffd7f0

000000b78e94e710 00007ff87d8838cf System.Management.Automation.Language.Compiler.GenerateTypesAndUsings(System.Management.Automation.Language.ScriptBlockAst, System.Collections.Generic.List`1<System.Linq.Expressions.Expression>)
    PARAMETERS:
        this = <no data>
        rootForDefiningTypesAndUsings (<CLR reg>) = 0x000002802cff82a0
        exprs (<CLR reg>) = 0x000002802cffd460

000000b78e94e780 00007ff87d883359 System.Management.Automation.Language.Compiler.CompileSingleLambda(System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.StatementAst>, System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.TrapStatementAst>, System.String, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        statements (<CLR reg>) = 0x000002802cff8238
        traps (<CLR reg>) = 0x0000000000000000
        funcName (<CLR reg>) = 0x000002802c85f7c0
        entryExtent = <no data>
        exitExtent (0x00000000000000c8) = <unable to retrieve data>
        rootForDefiningTypesAndUsings = <no data>

000000b78e94e820 00007ff87d883042 System.Management.Automation.Language.Compiler.CompileNamedBlock(System.Management.Automation.Language.NamedBlockAst, System.String, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this = <no data>
        namedBlockAst = <no data>
        funcName = <no data>
        rootForDefiningTypes = <no data>

000000b78e94e8b0 00007ff87d882ee4 System.Management.Automation.Language.Compiler.VisitScriptBlock(System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlockAst = <no data>

000000b78e94e900 00007ff87d881768 System.Management.Automation.Language.Compiler.Compile(System.Management.Automation.CompiledScriptBlockData, Boolean)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlock (<CLR reg>) = 0x000002802cff93a8
        optimize (<CLR reg>) = 0x0000000000000000

000000b78e94e960 00007ff87d89b695 System.Management.Automation.CompiledScriptBlockData.ReallyCompile(Boolean)
    PARAMETERS:
        this = <no data>
        optimize = <no data>

000000b78e94e9d0 00007ff87d89b480 System.Management.Automation.CompiledScriptBlockData.CompileUnoptimized()
    PARAMETERS:
        this (0x000000b78e94ea10) = 0x000002802cff93a8

000000b78e94ea10 00007ff87d89b19e System.Management.Automation.CompiledScriptBlockData.Compile(Boolean)
    PARAMETERS:
        this = <no data>
        optimized = <no data>

000000b78e94ea50 00007ff87d8e4eca System.Management.Automation.DlrScriptCommandProcessor.Init()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cff9470

000000b78e94ea90 00007ff87d7aa457 System.Management.Automation.Runspaces.Command.CreateCommandProcessor(System.Management.Automation.ExecutionContext, System.Management.Automation.CommandFactory, Boolean, System.Management.Automation.CommandOrigin)
    PARAMETERS:
        this (0x000000b78e94eb50) = 0x000002802cfd8158
        executionContext (0x000000b78e94eb58) = 0x000002802c7010c8
        commandFactory = <no data>
        addToHistory = <no data>
        origin = <no data>

000000b78e94eb50 00007ff87d717fd1 System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this (0x000000b78e94ebe0) = 0x000002802cfd7fb8

000000b78e94ebe0 00007ff87d7169e7 System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
    PARAMETERS:
        this (0x000000b78e94ecb0) = 0x000002802cfd7fb8

000000b78e94ecb0 00007ff87d71772a System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
    PARAMETERS:
        this (0x000000b78e94ed20) = 0x000002802cfd7fb8

000000b78e94ed20 00007ff87d7a6be0 System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802c837098

000000b78e94ed50 00007ff8d06ddf12 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee20 00007ff8d06ddd95 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee50 00007ff8d06ddd65 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>

000000b78e94eea0 00007ff8d0783e85 System.Threading.ThreadHelper.ThreadStart()
    PARAMETERS:
        this = <no data>

000000b78e94f0f0 00007ff8d1a46913 [GCFrame: 000000b78e94f0f0] 
000000b78e94f450 00007ff8d1a46913 [DebuggerU2MCatchHandlerFrame: 000000b78e94f450] 
(6430.6394): CLR exception - code e0434352 (first chance)
Exception object: 000002802cffff88
Exception type:   System.ArgumentNullException
Message:          Value cannot be null.
InnerException:   <none>
StackTrace (generated):
    SP               IP               Function
    000000B78E94E140 00007FF8D1492A93 mscorlib_ni!System.Reflection.Emit.FieldBuilder..ctor(System.Reflection.Emit.TypeBuilder, System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)+0xd748e3
    000000B78E94E1C0 00007FF8D071E041 mscorlib_ni!System.Reflection.Emit.TypeBuilder.DefineFieldNoLock(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)+0xe1
    000000B78E94E240 00007FF8D071DF01 mscorlib_ni!System.Reflection.Emit.TypeBuilder.DefineField(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)+0x91
    000000B78E94E2D0 00007FF87DA5908E System_Management_Automation_ni!System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.EmitPropertyIl(System.Management.Automation.Language.PropertyMemberAst, System.Type)+0xee
    000000B78E94E4D0 00007FF87DA58F78 System_Management_Automation_ni!System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineProperty(System.Management.Automation.Language.PropertyMemberAst)+0x138
    000000B78E94E520 00007FF87DA58AB7 System_Management_Automation_ni!System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineMembers()+0x107
    000000B78E94E5C0 00007FF87D9A9F93 System_Management_Automation_ni!System.Management.Automation.Language.TypeDefiner.DefineTypes(System.Management.Automation.Language.Parser, System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])+0x3b3
    000000B78E94E6C0 00007FF87D883D0C System_Management_Automation_ni!System.Management.Automation.Language.Compiler.DefinePowerShellTypes(System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])+0x7c
    000000B78E94E710 00007FF87D8838D0 System_Management_Automation_ni!System.Management.Automation.Language.Compiler.GenerateTypesAndUsings(System.Management.Automation.Language.ScriptBlockAst, System.Collections.Generic.List`1<System.Linq.Expressions.Expression>)+0x180
    000000B78E94E780 00007FF87D88335A System_Management_Automation_ni!System.Management.Automation.Language.Compiler.CompileSingleLambda(System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.StatementAst>, System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.TrapStatementAst>, System.String, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.ScriptBlockAst)+0xfa
    000000B78E94E820 00007FF87D883043 System_Management_Automation_ni!System.Management.Automation.Language.Compiler.CompileNamedBlock(System.Management.Automation.Language.NamedBlockAst, System.String, System.Management.Automation.Language.ScriptBlockAst)+0x143
    000000B78E94E8B0 00007FF87D882EE5 System_Management_Automation_ni!System.Management.Automation.Language.Compiler.VisitScriptBlock(System.Management.Automation.Language.ScriptBlockAst)+0x1c5
    000000B78E94E900 00007FF87D881769 System_Management_Automation_ni!System.Management.Automation.Language.Compiler.Compile(System.Management.Automation.CompiledScriptBlockData, Boolean)+0x339
    000000B78E94E960 00007FF87D89B696 System_Management_Automation_ni!System.Management.Automation.CompiledScriptBlockData.ReallyCompile(Boolean)+0x126
    000000B78E94E9D0 00007FF87D89B481 System_Management_Automation_ni!System.Management.Automation.CompiledScriptBlockData.CompileUnoptimized()+0x51
    000000B78E94EA10 00007FF87D89B19F System_Management_Automation_ni!System.Management.Automation.CompiledScriptBlockData.Compile(Boolean)+0x6f
    000000B78E94EA50 00007FF87D8E4ECB System_Management_Automation_ni!System.Management.Automation.DlrScriptCommandProcessor.Init()+0x6b
    000000B78E94EA90 00007FF87D7AA458 System_Management_Automation_ni!System.Management.Automation.Runspaces.Command.CreateCommandProcessor(System.Management.Automation.ExecutionContext, System.Management.Automation.CommandFactory, Boolean, System.Management.Automation.CommandOrigin)+0x278
    000000B78E94EB50 00007FF87D717FD2 System_Management_Automation_ni!System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()+0x222

StackTraceString: <none>
HResult: 80004003
OS Thread Id: 0x6394 (6)
        Child SP               IP Call Site
000000b78e94bdf8 00007ff8ef1f4f99 [HelperMethodFrame: 000000b78e94bdf8] 
000000b78e94bee0 00007ff87d7182c5 System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this = <no data>

000000b78e94e058 00007ff8d1baee92 [HelperMethodFrame: 000000b78e94e058] 
000000b78e94e140 00007ff8d1492a92 System.Reflection.Emit.FieldBuilder..ctor(System.Reflection.Emit.TypeBuilder, System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        typeBuilder = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e1c0 00007ff8d071e040 System.Reflection.Emit.TypeBuilder.DefineFieldNoLock(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e240 00007ff8d071df00 System.Reflection.Emit.TypeBuilder.DefineField(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e2d0 00007ff87da5908d System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.EmitPropertyIl(System.Management.Automation.Language.PropertyMemberAst, System.Type)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48
        type (<CLR reg>) = 0x0000000000000000

000000b78e94e4d0 00007ff87da58f77 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineProperty(System.Management.Automation.Language.PropertyMemberAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48

000000b78e94e520 00007ff87da58ab6 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineMembers()
    PARAMETERS:
        this (0x000000b78e94e5c0) = 0x000002802cffe520

000000b78e94e5c0 00007ff87d9a9f92 System.Management.Automation.Language.TypeDefiner.DefineTypes(System.Management.Automation.Language.Parser, System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        parser (0x000000b78e94e6c0) = 0x000002802cffd810
        rootAst = <no data>
        typeDefinitions = <no data>

000000b78e94e6c0 00007ff87d883d0b System.Management.Automation.Language.Compiler.DefinePowerShellTypes(System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        rootForDefiningTypes = <no data>
        typeAsts (<CLR reg>) = 0x000002802cffd7f0

000000b78e94e710 00007ff87d8838cf System.Management.Automation.Language.Compiler.GenerateTypesAndUsings(System.Management.Automation.Language.ScriptBlockAst, System.Collections.Generic.List`1<System.Linq.Expressions.Expression>)
    PARAMETERS:
        this = <no data>
        rootForDefiningTypesAndUsings (<CLR reg>) = 0x000002802cff82a0
        exprs (<CLR reg>) = 0x000002802cffd460

000000b78e94e780 00007ff87d883359 System.Management.Automation.Language.Compiler.CompileSingleLambda(System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.StatementAst>, System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.TrapStatementAst>, System.String, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        statements (<CLR reg>) = 0x000002802cff8238
        traps (<CLR reg>) = 0x0000000000000000
        funcName (<CLR reg>) = 0x000002802c85f7c0
        entryExtent = <no data>
        exitExtent (0x00000000000000c8) = <unable to retrieve data>
        rootForDefiningTypesAndUsings = <no data>

000000b78e94e820 00007ff87d883042 System.Management.Automation.Language.Compiler.CompileNamedBlock(System.Management.Automation.Language.NamedBlockAst, System.String, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this = <no data>
        namedBlockAst = <no data>
        funcName = <no data>
        rootForDefiningTypes = <no data>

000000b78e94e8b0 00007ff87d882ee4 System.Management.Automation.Language.Compiler.VisitScriptBlock(System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlockAst = <no data>

000000b78e94e900 00007ff87d881768 System.Management.Automation.Language.Compiler.Compile(System.Management.Automation.CompiledScriptBlockData, Boolean)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlock (<CLR reg>) = 0x000002802cff93a8
        optimize (<CLR reg>) = 0x0000000000000000

000000b78e94e960 00007ff87d89b695 System.Management.Automation.CompiledScriptBlockData.ReallyCompile(Boolean)
    PARAMETERS:
        this = <no data>
        optimize = <no data>

000000b78e94e9d0 00007ff87d89b480 System.Management.Automation.CompiledScriptBlockData.CompileUnoptimized()
    PARAMETERS:
        this (0x000000b78e94ea10) = 0x000002802cff93a8

000000b78e94ea10 00007ff87d89b19e System.Management.Automation.CompiledScriptBlockData.Compile(Boolean)
    PARAMETERS:
        this = <no data>
        optimized = <no data>

000000b78e94ea50 00007ff87d8e4eca System.Management.Automation.DlrScriptCommandProcessor.Init()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cff9470

000000b78e94ea90 00007ff87d7aa457 System.Management.Automation.Runspaces.Command.CreateCommandProcessor(System.Management.Automation.ExecutionContext, System.Management.Automation.CommandFactory, Boolean, System.Management.Automation.CommandOrigin)
    PARAMETERS:
        this (0x000000b78e94eb50) = 0x000002802cfd8158
        executionContext (0x000000b78e94eb58) = 0x000002802c7010c8
        commandFactory = <no data>
        addToHistory = <no data>
        origin = <no data>

000000b78e94eb50 00007ff87d717fd1 System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this (0x000000b78e94ebe0) = 0x000002802cfd7fb8

000000b78e94ebe0 00007ff87d7169e7 System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
    PARAMETERS:
        this (0x000000b78e94ecb0) = 0x000002802cfd7fb8

000000b78e94ecb0 00007ff87d71772a System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
    PARAMETERS:
        this (0x000000b78e94ed20) = 0x000002802cfd7fb8

000000b78e94ed20 00007ff87d7a6be0 System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802c837098

000000b78e94ed50 00007ff8d06ddf12 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee20 00007ff8d06ddd95 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee50 00007ff8d06ddd65 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>

000000b78e94eea0 00007ff8d0783e85 System.Threading.ThreadHelper.ThreadStart()
    PARAMETERS:
        this = <no data>

000000b78e94f0f0 00007ff8d1a46913 [GCFrame: 000000b78e94f0f0] 
000000b78e94f450 00007ff8d1a46913 [DebuggerU2MCatchHandlerFrame: 000000b78e94f450] 
(6430.6394): CLR exception - code e0434352 (first chance)
Exception object: 000002802d0008b8
Exception type:   System.Management.Automation.RuntimeException
Message:          An error occurred while creating the pipeline.
InnerException:   System.ArgumentNullException, Use !PrintException 000002802cffff88 to see more.
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80131501
OS Thread Id: 0x6394 (6)
        Child SP               IP Call Site
000000b78e949bf8 00007ff8ef1f4f99 [HelperMethodFrame: 000000b78e949bf8] 
000000b78e949ce0 00007ff87d7183bb System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this = <no data>

000000b78e94bdf8 00007ff8d1baee92 [HelperMethodFrame: 000000b78e94bdf8] 
000000b78e94bee0 00007ff87d7182c5 System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this = <no data>

000000b78e94e058 00007ff8d1baee92 [HelperMethodFrame: 000000b78e94e058] 
000000b78e94e140 00007ff8d1492a92 System.Reflection.Emit.FieldBuilder..ctor(System.Reflection.Emit.TypeBuilder, System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        typeBuilder = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e1c0 00007ff8d071e040 System.Reflection.Emit.TypeBuilder.DefineFieldNoLock(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e240 00007ff8d071df00 System.Reflection.Emit.TypeBuilder.DefineField(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e2d0 00007ff87da5908d System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.EmitPropertyIl(System.Management.Automation.Language.PropertyMemberAst, System.Type)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48
        type (<CLR reg>) = 0x0000000000000000

000000b78e94e4d0 00007ff87da58f77 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineProperty(System.Management.Automation.Language.PropertyMemberAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48

000000b78e94e520 00007ff87da58ab6 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineMembers()
    PARAMETERS:
        this (0x000000b78e94e5c0) = 0x000002802cffe520

000000b78e94e5c0 00007ff87d9a9f92 System.Management.Automation.Language.TypeDefiner.DefineTypes(System.Management.Automation.Language.Parser, System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        parser (0x000000b78e94e6c0) = 0x000002802cffd810
        rootAst = <no data>
        typeDefinitions = <no data>

000000b78e94e6c0 00007ff87d883d0b System.Management.Automation.Language.Compiler.DefinePowerShellTypes(System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        rootForDefiningTypes = <no data>
        typeAsts (<CLR reg>) = 0x000002802cffd7f0

000000b78e94e710 00007ff87d8838cf System.Management.Automation.Language.Compiler.GenerateTypesAndUsings(System.Management.Automation.Language.ScriptBlockAst, System.Collections.Generic.List`1<System.Linq.Expressions.Expression>)
    PARAMETERS:
        this = <no data>
        rootForDefiningTypesAndUsings (<CLR reg>) = 0x000002802cff82a0
        exprs (<CLR reg>) = 0x000002802cffd460

000000b78e94e780 00007ff87d883359 System.Management.Automation.Language.Compiler.CompileSingleLambda(System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.StatementAst>, System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.TrapStatementAst>, System.String, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        statements (<CLR reg>) = 0x000002802cff8238
        traps (<CLR reg>) = 0x0000000000000000
        funcName (<CLR reg>) = 0x000002802c85f7c0
        entryExtent = <no data>
        exitExtent (0x00000000000000c8) = <unable to retrieve data>
        rootForDefiningTypesAndUsings = <no data>

000000b78e94e820 00007ff87d883042 System.Management.Automation.Language.Compiler.CompileNamedBlock(System.Management.Automation.Language.NamedBlockAst, System.String, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this = <no data>
        namedBlockAst = <no data>
        funcName = <no data>
        rootForDefiningTypes = <no data>

000000b78e94e8b0 00007ff87d882ee4 System.Management.Automation.Language.Compiler.VisitScriptBlock(System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlockAst = <no data>

000000b78e94e900 00007ff87d881768 System.Management.Automation.Language.Compiler.Compile(System.Management.Automation.CompiledScriptBlockData, Boolean)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlock (<CLR reg>) = 0x000002802cff93a8
        optimize (<CLR reg>) = 0x0000000000000000

000000b78e94e960 00007ff87d89b695 System.Management.Automation.CompiledScriptBlockData.ReallyCompile(Boolean)
    PARAMETERS:
        this = <no data>
        optimize = <no data>

000000b78e94e9d0 00007ff87d89b480 System.Management.Automation.CompiledScriptBlockData.CompileUnoptimized()
    PARAMETERS:
        this (0x000000b78e94ea10) = 0x000002802cff93a8

000000b78e94ea10 00007ff87d89b19e System.Management.Automation.CompiledScriptBlockData.Compile(Boolean)
    PARAMETERS:
        this = <no data>
        optimized = <no data>

000000b78e94ea50 00007ff87d8e4eca System.Management.Automation.DlrScriptCommandProcessor.Init()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cff9470

000000b78e94ea90 00007ff87d7aa457 System.Management.Automation.Runspaces.Command.CreateCommandProcessor(System.Management.Automation.ExecutionContext, System.Management.Automation.CommandFactory, Boolean, System.Management.Automation.CommandOrigin)
    PARAMETERS:
        this (0x000000b78e94eb50) = 0x000002802cfd8158
        executionContext (0x000000b78e94eb58) = 0x000002802c7010c8
        commandFactory = <no data>
        addToHistory = <no data>
        origin = <no data>

000000b78e94eb50 00007ff87d717fd1 System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this (0x000000b78e94ebe0) = 0x000002802cfd7fb8

000000b78e94ebe0 00007ff87d7169e7 System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
    PARAMETERS:
        this (0x000000b78e94ecb0) = 0x000002802cfd7fb8

000000b78e94ecb0 00007ff87d71772a System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
    PARAMETERS:
        this (0x000000b78e94ed20) = 0x000002802cfd7fb8

000000b78e94ed20 00007ff87d7a6be0 System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802c837098

000000b78e94ed50 00007ff8d06ddf12 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee20 00007ff8d06ddd95 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee50 00007ff8d06ddd65 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>

000000b78e94eea0 00007ff8d0783e85 System.Threading.ThreadHelper.ThreadStart()
    PARAMETERS:
        this = <no data>

000000b78e94f0f0 00007ff8d1a46913 [GCFrame: 000000b78e94f0f0] 
000000b78e94f450 00007ff8d1a46913 [DebuggerU2MCatchHandlerFrame: 000000b78e94f450] 
(6430.6394): CLR exception - code e0434352 (first chance)
Exception object: 000002802d0008b8
Exception type:   System.Management.Automation.RuntimeException
Message:          An error occurred while creating the pipeline.
InnerException:   System.ArgumentNullException, Use !PrintException 000002802cffff88 to see more.
StackTrace (generated):
    SP               IP               Function
    000000B78E949CE0 00007FF87D7183BB System_Management_Automation_ni!System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()+0x60b
    000000B78E94EBE0 00007FF87D7169E7 System_Management_Automation_ni!System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()+0x2e7

StackTraceString: <none>
HResult: 80131501
OS Thread Id: 0x6394 (6)
        Child SP               IP Call Site
000000b78e947968 00007ff8ef1f4f99 [HelperMethodFrame: 000000b78e947968] 
000000b78e947a50 00007ff87d716d96 System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
    PARAMETERS:
        this = <no data>

000000b78e949bf8 00007ff8d1baee92 [HelperMethodFrame: 000000b78e949bf8] 
000000b78e949ce0 00007ff87d7183bb System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this = <no data>

000000b78e94bdf8 00007ff8d1baee92 [HelperMethodFrame: 000000b78e94bdf8] 
000000b78e94bee0 00007ff87d7182c5 System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this = <no data>

000000b78e94e058 00007ff8d1baee92 [HelperMethodFrame: 000000b78e94e058] 
000000b78e94e140 00007ff8d1492a92 System.Reflection.Emit.FieldBuilder..ctor(System.Reflection.Emit.TypeBuilder, System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        typeBuilder = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e1c0 00007ff8d071e040 System.Reflection.Emit.TypeBuilder.DefineFieldNoLock(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e240 00007ff8d071df00 System.Reflection.Emit.TypeBuilder.DefineField(System.String, System.Type, System.Type[], System.Type[], System.Reflection.FieldAttributes)
    PARAMETERS:
        this = <no data>
        fieldName = <no data>
        type = <no data>
        requiredCustomModifiers = <no data>
        optionalCustomModifiers = <no data>
        attributes = <no data>

000000b78e94e2d0 00007ff87da5908d System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.EmitPropertyIl(System.Management.Automation.Language.PropertyMemberAst, System.Type)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48
        type (<CLR reg>) = 0x0000000000000000

000000b78e94e4d0 00007ff87da58f77 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineProperty(System.Management.Automation.Language.PropertyMemberAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffe520
        propertyMemberAst (<CLR reg>) = 0x000002802cff7f48

000000b78e94e520 00007ff87da58ab6 System.Management.Automation.Language.TypeDefiner+DefineTypeHelper.DefineMembers()
    PARAMETERS:
        this (0x000000b78e94e5c0) = 0x000002802cffe520

000000b78e94e5c0 00007ff87d9a9f92 System.Management.Automation.Language.TypeDefiner.DefineTypes(System.Management.Automation.Language.Parser, System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        parser (0x000000b78e94e6c0) = 0x000002802cffd810
        rootAst = <no data>
        typeDefinitions = <no data>

000000b78e94e6c0 00007ff87d883d0b System.Management.Automation.Language.Compiler.DefinePowerShellTypes(System.Management.Automation.Language.Ast, System.Management.Automation.Language.TypeDefinitionAst[])
    PARAMETERS:
        rootForDefiningTypes = <no data>
        typeAsts (<CLR reg>) = 0x000002802cffd7f0

000000b78e94e710 00007ff87d8838cf System.Management.Automation.Language.Compiler.GenerateTypesAndUsings(System.Management.Automation.Language.ScriptBlockAst, System.Collections.Generic.List`1<System.Linq.Expressions.Expression>)
    PARAMETERS:
        this = <no data>
        rootForDefiningTypesAndUsings (<CLR reg>) = 0x000002802cff82a0
        exprs (<CLR reg>) = 0x000002802cffd460

000000b78e94e780 00007ff87d883359 System.Management.Automation.Language.Compiler.CompileSingleLambda(System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.StatementAst>, System.Collections.ObjectModel.ReadOnlyCollection`1<System.Management.Automation.Language.TrapStatementAst>, System.String, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.IScriptExtent, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        statements (<CLR reg>) = 0x000002802cff8238
        traps (<CLR reg>) = 0x0000000000000000
        funcName (<CLR reg>) = 0x000002802c85f7c0
        entryExtent = <no data>
        exitExtent (0x00000000000000c8) = <unable to retrieve data>
        rootForDefiningTypesAndUsings = <no data>

000000b78e94e820 00007ff87d883042 System.Management.Automation.Language.Compiler.CompileNamedBlock(System.Management.Automation.Language.NamedBlockAst, System.String, System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this = <no data>
        namedBlockAst = <no data>
        funcName = <no data>
        rootForDefiningTypes = <no data>

000000b78e94e8b0 00007ff87d882ee4 System.Management.Automation.Language.Compiler.VisitScriptBlock(System.Management.Automation.Language.ScriptBlockAst)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlockAst = <no data>

000000b78e94e900 00007ff87d881768 System.Management.Automation.Language.Compiler.Compile(System.Management.Automation.CompiledScriptBlockData, Boolean)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cffb980
        scriptBlock (<CLR reg>) = 0x000002802cff93a8
        optimize (<CLR reg>) = 0x0000000000000000

000000b78e94e960 00007ff87d89b695 System.Management.Automation.CompiledScriptBlockData.ReallyCompile(Boolean)
    PARAMETERS:
        this = <no data>
        optimize = <no data>

000000b78e94e9d0 00007ff87d89b480 System.Management.Automation.CompiledScriptBlockData.CompileUnoptimized()
    PARAMETERS:
        this (0x000000b78e94ea10) = 0x000002802cff93a8

000000b78e94ea10 00007ff87d89b19e System.Management.Automation.CompiledScriptBlockData.Compile(Boolean)
    PARAMETERS:
        this = <no data>
        optimized = <no data>

000000b78e94ea50 00007ff87d8e4eca System.Management.Automation.DlrScriptCommandProcessor.Init()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802cff9470

000000b78e94ea90 00007ff87d7aa457 System.Management.Automation.Runspaces.Command.CreateCommandProcessor(System.Management.Automation.ExecutionContext, System.Management.Automation.CommandFactory, Boolean, System.Management.Automation.CommandOrigin)
    PARAMETERS:
        this (0x000000b78e94eb50) = 0x000002802cfd8158
        executionContext (0x000000b78e94eb58) = 0x000002802c7010c8
        commandFactory = <no data>
        addToHistory = <no data>
        origin = <no data>

000000b78e94eb50 00007ff87d717fd1 System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
    PARAMETERS:
        this (0x000000b78e94ebe0) = 0x000002802cfd7fb8

000000b78e94ebe0 00007ff87d7169e7 System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
    PARAMETERS:
        this (0x000000b78e94ecb0) = 0x000002802cfd7fb8

000000b78e94ecb0 00007ff87d71772a System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
    PARAMETERS:
        this (0x000000b78e94ed20) = 0x000002802cfd7fb8

000000b78e94ed20 00007ff87d7a6be0 System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
    PARAMETERS:
        this (<CLR reg>) = 0x000002802c837098

000000b78e94ed50 00007ff8d06ddf12 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee20 00007ff8d06ddd95 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>
        preserveSyncCtx = <no data>

000000b78e94ee50 00007ff8d06ddd65 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    PARAMETERS:
        executionContext = <no data>
        callback = <no data>
        state = <no data>

000000b78e94eea0 00007ff8d0783e85 System.Threading.ThreadHelper.ThreadStart()
    PARAMETERS:
        this = <no data>

000000b78e94f0f0 00007ff8d1a46913 [GCFrame: 000000b78e94f0f0] 
000000b78e94f450 00007ff8d1a46913 [DebuggerU2MCatchHandlerFrame: 000000b78e94f450] 
(6430.4f78): CLR exception - code e0434352 (first chance)
Exception object: 000002802d0008b8
Exception type:   System.Management.Automation.RuntimeException
Message:          An error occurred while creating the pipeline.
InnerException:   System.ArgumentNullException, Use !PrintException 000002802cffff88 to see more.
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80131501
OS Thread Id: 0x4f78 (0)
        Child SP               IP Call Site
000000b78d0dd548 00007ff8ef1f4f99 [HelperMethodFrame: 000000b78d0dd548] 
000000b78d0dd630 00007ff87e3ec4b1 System.Management.Automation.Runspaces.PipelineBase.Invoke(System.Collections.IEnumerable)
    PARAMETERS:
        this = <no data>
        input = <no data>

000000b78d0dd670 00007ff8a4952f36 Microsoft.PowerShell.Executor.ExecuteCommandHelper(System.Management.Automation.Runspaces.Pipeline, System.Exception ByRef, ExecutionOptions)
    PARAMETERS:
        this (0x000000b78d0dd6f0) = 0x000002802ca5d028
        tempPipeline = <no data>
        exceptionThrown (0x000000b78d0dd700) = 0x000000b78d0dd768
        options = <no data>

000000b78d0dd6f0 00007ff8a495a304 Microsoft.PowerShell.ConsoleHost+InputLoop.Run(Boolean)
    PARAMETERS:
        this (0x000000b78d0dd7a0) = 0x000002802ca5cf58
        inputLoopIsNested = <no data>

000000b78d0dd7a0 00007ff8a4959ac2 Microsoft.PowerShell.ConsoleHost+InputLoop.RunNewInputLoop(Microsoft.PowerShell.ConsoleHost, Boolean)
    PARAMETERS:
        parent = <no data>
        isNested = <no data>

000000b78d0dd7f0 00007ff8a494cd4f Microsoft.PowerShell.ConsoleHost.EnterNestedPrompt()
    PARAMETERS:
        this = <no data>

000000b78d0dd850 00007ff8a494dca4 Microsoft.PowerShell.ConsoleHost.DoRunspaceLoop(System.String, Boolean, System.Collections.ObjectModel.Collection`1<System.Management.Automation.Runspaces.CommandParameter>, Boolean, Boolean, System.String)
    PARAMETERS:
        this (<CLR reg>) = 0x000002802c6bc110
        initialCommand (<CLR reg>) = 0x0000000000000000
        skipProfiles (<CLR reg>) = 0x0000000000000000
        initialCommandArgs (<CLR reg>) = 0x000002802c6bc820
        staMode (<CLR reg>) = 0x0000000000000001
        importSystemModules (<CLR reg>) = 0x0000000000000000
        configurationName (<CLR reg>) = 0x0000000000000000

000000b78d0dd8d0 00007ff8a494db17 Microsoft.PowerShell.ConsoleHost.Run(Microsoft.PowerShell.CommandLineParameterParser, Boolean)
    PARAMETERS:
        this = <no data>
        cpp = <no data>
        isPrestartWarned = <no data>

000000b78d0dd940 00007ff8a494bee7 Microsoft.PowerShell.ConsoleHost.Start(System.Management.Automation.Runspaces.RunspaceConfiguration, System.String, System.String, System.String, System.String[])
    PARAMETERS:
        configuration = <no data>
        bannerText = <no data>
        helpText = <no data>
        preStartWarning = <no data>
        args = <no data>

000000b78d0dd9c0 00007ff8a4964206 Microsoft.PowerShell.UnmanagedPSEntry.Start(System.String, System.String[])
    PARAMETERS:
        this = <no data>
        consoleFilePath = <no data>
        args = <no data>

000000b78d0ddcd0 00007ff8d1a46913 [DebuggerU2MCatchHandlerFrame: 000000b78d0ddcd0] 
000000b78d0de018 00007ff8d1a46913 [HelperMethodFrame_PROTECTOBJ: 000000b78d0de018] System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
000000b78d0de190 00007ff8d06ed884 System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
    PARAMETERS:
        this = <no data>
        obj = <no data>
        parameters (<CLR reg>) = 0x000002802c684cc0
        arguments (<CLR reg>) = 0x000002802c684d00

000000b78d0de200 00007ff8d07051f2 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
    PARAMETERS:
        this = <no data>
        obj = <no data>
        invokeAttr = <no data>
        binder = <no data>
        parameters = <no data>
        culture = <no data>

000000b78d0df370 00007ff8d1a46913 [DebuggerU2MCatchHandlerFrame: 000000b78d0df370] 
000000b78d0df2e8 00007ff8d1a46913 [GCFrame: 000000b78d0df2e8] 
000000b78d0df320 00007ff8d1a46913 [GCFrame: 000000b78d0df320] 

From these parameters we can gain a lot of detail and insight, such as the script contents.

For example, finding the script contents involves clicking “scriptBlock”, then “_ast”, then “<Extent>k__BackingField”, then “_positionHelper”, then “_scriptText”:

0:011> !DumpObj /d 000002802cff93a8
Name:        System.Management.Automation.CompiledScriptBlockData
MethodTable: 00007ff87e25ceb8
EEClass:     00007ff87cb26188
Size:        200(0xc8) bytes
File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff8d01759c0  4001451        8        System.String  0 instance 0000000000000000 _scriptText
00007ff87e104e38  4001452       10 ...rMetadataProvider  0 instance 000002802cff82a0 _ast
00007ff8d0177000  4001453       18          System.Type  0 instance 0000000000000000 <LocalsMutableTupleType>k__BackingField
00007ff8d0177000  4001454       20          System.Type  0 instance 0000000000000000 <UnoptimizedLocalsMutableTupleType>k__BackingField
00007ff87e1629f0  4001455       28 ...ment.Automation]]  0 instance 0000000000000000 <LocalsMutableTupleCreator>k__BackingField
00007ff87e1629f0  4001456       30 ...ment.Automation]]  0 instance 0000000000000000 <UnoptimizedLocalsMutableTupleCreator>k__BackingField
00007ff8d0186db0  4001457       38 ...Int32, mscorlib]]  0 instance 0000000000000000 <NameToIndexMap>k__BackingField
00007ff87e12da20  4001458       40 ...ment.Automation]]  0 instance 0000000000000000 <DynamicParamBlock>k__BackingField
00007ff87e12da20  4001459       48 ...ment.Automation]]  0 instance 0000000000000000 <UnoptimizedDynamicParamBlock>k__BackingField
00007ff87e12da20  400145a       50 ...ment.Automation]]  0 instance 0000000000000000 <BeginBlock>k__BackingField
00007ff87e12da20  400145b       58 ...ment.Automation]]  0 instance 0000000000000000 <UnoptimizedBeginBlock>k__BackingField
00007ff87e12da20  400145c       60 ...ment.Automation]]  0 instance 0000000000000000 <ProcessBlock>k__BackingField
00007ff87e12da20  400145d       68 ...ment.Automation]]  0 instance 0000000000000000 <UnoptimizedProcessBlock>k__BackingField
00007ff87e12da20  400145e       70 ...ment.Automation]]  0 instance 0000000000000000 <EndBlock>k__BackingField
00007ff87e12da20  400145f       78 ...ment.Automation]]  0 instance 0000000000000000 <UnoptimizedEndBlock>k__BackingField
00007ff87e1978d8  4001460       80 ...e.IScriptExtent[]  0 instance 0000000000000000 <SequencePoints>k__BackingField
00007ff87e27d920  4001461       88 ...rameterDictionary  0 instance 000002802cff9858 _runtimeDefinedParameterDictionary
00007ff8d0171250  4001462       90   System.Attribute[]  0 instance 000002802c85ed70 _attributes
00007ff8d017b698  4001463       a0       System.Boolean  1 instance                0 _usesCmdletBinding
00007ff8d017b698  4001464       a1       System.Boolean  1 instance                0 _compiledOptimized
00007ff8d017b698  4001465       a2       System.Boolean  1 instance                0 _compiledUnoptimized
00007ff8d017b698  4001466       a3       System.Boolean  1 instance                0 _hasSuspicousContent
00007ff8d017b698  4001467       a4       System.Boolean  1 instance                0 <DebuggerHidden>k__BackingField
00007ff8d017b698  4001468       a5       System.Boolean  1 instance                0 <DebuggerStepThrough>k__BackingField
00007ff8d01f1180  4001469       b0          System.Guid  1 instance 000002802cff9458 <Id>k__BackingField
00007ff8d017b698  400146a       a6       System.Boolean  1 instance                0 <HasLogged>k__BackingField
00007ff8d017b698  400146b       a7       System.Boolean  1 instance                0 <IsFilter>k__BackingField
00007ff8d017b698  400146c       a8       System.Boolean  1 instance                0 <IsProductCode>k__BackingField
00007ff87e2630d8  400146d       98 ...ParameterMetadata  0 instance 0000000000000000 _parameterMetadata
0:011> !DumpObj /d 000002802cff82a0
Name:        System.Management.Automation.Language.ScriptBlockAst
MethodTable: 00007ff87e2577e8
EEClass:     00007ff87cb227a8
Size:        104(0x68) bytes
File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff87e108368  40024ca        8 ...age.IScriptExtent  0 instance 000002802cff81e0 <Extent>k__BackingField
00007ff87e257c28  40024cb       10 ...tion.Language.Ast  0 instance 0000000000000000 <Parent>k__BackingField
00007ff8d017b698  40024cd       18       System.Boolean  1 instance                0 <HasSuspiciousContent>k__BackingField
00007ff87e16a710  40024cc     1f40 ...tion.PSTypeName[]  0   shared           static EmptyPSTypeNameArray
                                 >> Domain:Value  000002802a4ac1d0:NotInit  <<
00007ff8d017b698  40024e1       19       System.Boolean  1 instance                0 <HadErrors>k__BackingField
00007ff8d017b698  40024e2       1a       System.Boolean  1 instance                0 <IsConfiguration>k__BackingField
00007ff8d017b698  40024e3       1b       System.Boolean  1 instance                1 <PostParseChecksPerformed>k__BackingField
00007ff87c7469c0  40024e4       20 ...ment.Automation]]  0 instance 000002802c856830 <Attributes>k__BackingField
00007ff87c746090  40024e5       28 ...ment.Automation]]  0 instance 000002802c856868 <UsingStatements>k__BackingField
00007ff87e257bc8  40024e6       30 ...age.ParamBlockAst  0 instance 0000000000000000 <ParamBlock>k__BackingField
00007ff87e257fc0  40024e7       38 ...age.NamedBlockAst  0 instance 0000000000000000 <BeginBlock>k__BackingField
00007ff87e257fc0  40024e8       40 ...age.NamedBlockAst  0 instance 0000000000000000 <ProcessBlock>k__BackingField
00007ff87e257fc0  40024e9       48 ...age.NamedBlockAst  0 instance 000002802cff8308 <EndBlock>k__BackingField
00007ff87e257fc0  40024ea       50 ...age.NamedBlockAst  0 instance 0000000000000000 <DynamicParamBlock>k__BackingField
00007ff87e28d420  40024eb       58 ...criptRequirements  0 instance 0000000000000000 <ScriptRequirements>k__BackingField
00007ff87c7469c0  40024df     1f68 ...ment.Automation]]  0   shared           static EmptyAttributeList
                                 >> Domain:Value  000002802a4ac1d0:000002802c856830 <<
00007ff87c746090  40024e0     1f70 ...ment.Automation]]  0   shared           static EmptyUsingStatementList
                                 >> Domain:Value  000002802a4ac1d0:000002802c856868 <<
0:011> !DumpObj /d 000002802cff81e0
Name:        System.Management.Automation.Language.InternalScriptExtent
MethodTable: 00007ff87e257a90
EEClass:     00007ff87cb22960
Size:        32(0x20) bytes
File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff87e2602c0  400276d        8 ...ge.PositionHelper  0 instance 000002802cff7070 _positionHelper
00007ff8d01785a0  400276e       10         System.Int32  1 instance                0 _startOffset
00007ff8d01785a0  400276f       14         System.Int32  1 instance               99 _endOffset
0:011> !DumpObj /d 000002802cff7070
Name:        System.Management.Automation.Language.PositionHelper
MethodTable: 00007ff87e2602c0
EEClass:     00007ff87cb28750
Size:        40(0x28) bytes
File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff8d01759c0  4002768        8        System.String  0 instance 0000000000000000 _filename
00007ff8d01759c0  4002769       10        System.String  0 instance 000002802cff1ac8 _scriptText
00007ff8d0178538  400276a       18       System.Int32[]  0 instance 000002802cff7268 _lineStartMap
0:011> !DumpObj /d 000002802cff1ac8
Name:        System.String
MethodTable: 00007ff8d01759c0
EEClass:     00007ff8d0152ec0
Size:        224(0xe0) bytes
File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      class myClass
{
    [String]$Name
        [System.Collections.SortedList[Guid,String]]$sortedList
}
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff8d01785a0  4000283        8         System.Int32  1 instance               99 m_stringLength
00007ff8d0176838  4000284        c          System.Char  1 instance               63 m_firstChar
00007ff8d01759c0  4000288       e0        System.String  0   shared           static Empty
                                 >> Domain:Value  000002802a4ac1d0:NotInit  <<

We can also find the class property that triggered the exception by clicking “propertyMemberAst”, then “_name”:

0:011> !DumpObj /d 000002802cff7f48
Name:        System.Management.Automation.Language.PropertyMemberAst
MethodTable: 00007ff87e258818
EEClass:     00007ff87cb23408
Size:        80(0x50) bytes
File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff87e108368  40024ca        8 ...age.IScriptExtent  0 instance 000002802cff7f28 <Extent>k__BackingField
00007ff87e257c28  40024cb       10 ...tion.Language.Ast  0 instance 000002802cff8058 <Parent>k__BackingField
00007ff8d017b698  40024cd       18       System.Boolean  1 instance                0 <HasSuspiciousContent>k__BackingField
00007ff87e16a710  40024cc     1f40 ...tion.PSTypeName[]  0   shared           static EmptyPSTypeNameArray
                                 >> Domain:Value  000002802a4ac1d0:NotInit  <<
00007ff8d01759c0  4002526       20        System.String  0 instance 000002802cff7e48 _name
00007ff87e28d490  4002527       28 ...TypeConstraintAst  0 instance 000002802cff7df8 <PropertyType>k__BackingField
00007ff87c7469c0  4002528       30 ...ment.Automation]]  0 instance 000002802cff7f98 <Attributes>k__BackingField
00007ff87e1056e0  4002529       40         System.Int32  1 instance                1 <PropertyAttributes>k__BackingField
00007ff87e28dd68  400252a       38 ...age.ExpressionAst  0 instance 0000000000000000 <InitialValue>k__BackingField
00007ff87c7469c0  4002525     1fc0 ...ment.Automation]]  0   shared           static EmptyAttributeList
                                 >> Domain:Value  000002802a4ac1d0:NotInit  <<
0:011> !DumpObj /d 000002802cff7e48
Name:        System.String
MethodTable: 00007ff8d01759c0
EEClass:     00007ff8d0152ec0
Size:        46(0x2e) bytes
File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      sortedList
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff8d01785a0  4000283        8         System.Int32  1 instance               10 m_stringLength
00007ff8d0176838  4000284        c          System.Char  1 instance               73 m_firstChar
00007ff8d01759c0  4000288       e0        System.String  0   shared           static Empty
                                 >> Domain:Value  000002802a4ac1d0:NotInit  <<

So we know the issue is with “sortedList”. Looking at the relevant code section:

class myClass
{
	[String]$Name
	[System.Collections.SortedList[Guid,String]]$sortedList
}

Checking the type for declared constructors shows there are none:

PS C:\Users\malcolm> [System.Collections.SortedList[Guid,string]].DeclaredConstructors
Unable to find type [System.Collections.SortedList[Guid,string]].
At line:1 char:1
+ [System.Collections.SortedList[Guid,string]].DeclaredConstructors
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Collecti...st[Guid,string]:GenericTypeName) [], RuntimeExcepti
   on
    + FullyQualifiedErrorId : TypeNotFound

Checking the .NET documentation shows why: the generic sorted list should have been used instead. Changing the declaration to use the generic sorted list resolved the pipeline error:

PS C:\Users\malcolm> [System.Collections.Generic.SortedList[Guid,string]].DeclaredConstructors


Name                      : .ctor
MemberType                : Constructor
DeclaringType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
ReflectedType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
MetadataToken             : 100672585
Module                    : System.dll
MethodHandle              : System.RuntimeMethodHandle
Attributes                : PrivateScope, Public, HideBySig, SpecialName, RTSpecialName
CallingConvention         : Standard, HasThis
IsSecurityCritical        : True
IsSecuritySafeCritical    : True
IsSecurityTransparent     : False
ContainsGenericParameters : False
MethodImplementationFlags : Managed
IsGenericMethodDefinition : False
IsGenericMethod           : False
IsPublic                  : True
IsPrivate                 : False
IsFamily                  : False
IsAssembly                : False
IsFamilyAndAssembly       : False
IsFamilyOrAssembly        : False
IsStatic                  : False
IsFinal                   : False
IsVirtual                 : False
IsHideBySig               : True
IsAbstract                : False
IsSpecialName             : True
IsConstructor             : True
CustomAttributes          : {[__DynamicallyInvokableAttribute()]}

Name                      : .ctor
MemberType                : Constructor
DeclaringType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
ReflectedType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
MetadataToken             : 100672586
Module                    : System.dll
MethodHandle              : System.RuntimeMethodHandle
Attributes                : PrivateScope, Public, HideBySig, SpecialName, RTSpecialName
CallingConvention         : Standard, HasThis
IsSecurityCritical        : True
IsSecuritySafeCritical    : True
IsSecurityTransparent     : False
ContainsGenericParameters : False
MethodImplementationFlags : Managed
IsGenericMethodDefinition : False
IsGenericMethod           : False
IsPublic                  : True
IsPrivate                 : False
IsFamily                  : False
IsAssembly                : False
IsFamilyAndAssembly       : False
IsFamilyOrAssembly        : False
IsStatic                  : False
IsFinal                   : False
IsVirtual                 : False
IsHideBySig               : True
IsAbstract                : False
IsSpecialName             : True
IsConstructor             : True
CustomAttributes          : {[__DynamicallyInvokableAttribute()]}

Name                      : .ctor
MemberType                : Constructor
DeclaringType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
ReflectedType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
MetadataToken             : 100672587
Module                    : System.dll
MethodHandle              : System.RuntimeMethodHandle
Attributes                : PrivateScope, Public, HideBySig, SpecialName, RTSpecialName
CallingConvention         : Standard, HasThis
IsSecurityCritical        : True
IsSecuritySafeCritical    : True
IsSecurityTransparent     : False
ContainsGenericParameters : False
MethodImplementationFlags : Managed
IsGenericMethodDefinition : False
IsGenericMethod           : False
IsPublic                  : True
IsPrivate                 : False
IsFamily                  : False
IsAssembly                : False
IsFamilyAndAssembly       : False
IsFamilyOrAssembly        : False
IsStatic                  : False
IsFinal                   : False
IsVirtual                 : False
IsHideBySig               : True
IsAbstract                : False
IsSpecialName             : True
IsConstructor             : True
CustomAttributes          : {[__DynamicallyInvokableAttribute()]}

Name                      : .ctor
MemberType                : Constructor
DeclaringType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
ReflectedType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
MetadataToken             : 100672588
Module                    : System.dll
MethodHandle              : System.RuntimeMethodHandle
Attributes                : PrivateScope, Public, HideBySig, SpecialName, RTSpecialName
CallingConvention         : Standard, HasThis
IsSecurityCritical        : True
IsSecuritySafeCritical    : True
IsSecurityTransparent     : False
ContainsGenericParameters : False
MethodImplementationFlags : Managed
IsGenericMethodDefinition : False
IsGenericMethod           : False
IsPublic                  : True
IsPrivate                 : False
IsFamily                  : False
IsAssembly                : False
IsFamilyAndAssembly       : False
IsFamilyOrAssembly        : False
IsStatic                  : False
IsFinal                   : False
IsVirtual                 : False
IsHideBySig               : True
IsAbstract                : False
IsSpecialName             : True
IsConstructor             : True
CustomAttributes          : {[__DynamicallyInvokableAttribute()]}

Name                      : .ctor
MemberType                : Constructor
DeclaringType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
ReflectedType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
MetadataToken             : 100672589
Module                    : System.dll
MethodHandle              : System.RuntimeMethodHandle
Attributes                : PrivateScope, Public, HideBySig, SpecialName, RTSpecialName
CallingConvention         : Standard, HasThis
IsSecurityCritical        : True
IsSecuritySafeCritical    : True
IsSecurityTransparent     : False
ContainsGenericParameters : False
MethodImplementationFlags : Managed
IsGenericMethodDefinition : False
IsGenericMethod           : False
IsPublic                  : True
IsPrivate                 : False
IsFamily                  : False
IsAssembly                : False
IsFamilyAndAssembly       : False
IsFamilyOrAssembly        : False
IsStatic                  : False
IsFinal                   : False
IsVirtual                 : False
IsHideBySig               : True
IsAbstract                : False
IsSpecialName             : True
IsConstructor             : True
CustomAttributes          : {[__DynamicallyInvokableAttribute()]}

Name                      : .ctor
MemberType                : Constructor
DeclaringType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
ReflectedType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
MetadataToken             : 100672590
Module                    : System.dll
MethodHandle              : System.RuntimeMethodHandle
Attributes                : PrivateScope, Public, HideBySig, SpecialName, RTSpecialName
CallingConvention         : Standard, HasThis
IsSecurityCritical        : True
IsSecuritySafeCritical    : True
IsSecurityTransparent     : False
ContainsGenericParameters : False
MethodImplementationFlags : Managed
IsGenericMethodDefinition : False
IsGenericMethod           : False
IsPublic                  : True
IsPrivate                 : False
IsFamily                  : False
IsAssembly                : False
IsFamilyAndAssembly       : False
IsFamilyOrAssembly        : False
IsStatic                  : False
IsFinal                   : False
IsVirtual                 : False
IsHideBySig               : True
IsAbstract                : False
IsSpecialName             : True
IsConstructor             : True
CustomAttributes          : {[__DynamicallyInvokableAttribute()]}

Name                      : .cctor
MemberType                : Constructor
DeclaringType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
ReflectedType             : System.Collections.Generic.SortedList`2[System.Guid,System.String]
MetadataToken             : 100672641
Module                    : System.dll
MethodHandle              : System.RuntimeMethodHandle
Attributes                : PrivateScope, Private, Static, HideBySig, SpecialName, RTSpecialName
CallingConvention         : Standard
IsSecurityCritical        : True
IsSecuritySafeCritical    : True
IsSecurityTransparent     : False
ContainsGenericParameters : False
MethodImplementationFlags : Managed
IsGenericMethodDefinition : False
IsGenericMethod           : False
IsPublic                  : False
IsPrivate                 : True
IsFamily                  : False
IsAssembly                : False
IsFamilyAndAssembly       : False
IsFamilyOrAssembly        : False
IsStatic                  : True
IsFinal                   : False
IsVirtual                 : False
IsHideBySig               : True
IsAbstract                : False
IsSpecialName             : True
IsConstructor             : False
CustomAttributes          : {}


Logging Heap Allocations / Frees with Time Travel Debugging

The following commands can be used to trace heap allocations within a Time Travel Debugging trace. This is useful in analysing many problems such as heap corruption, access violations, etc.

32-bit Process

bm kernel*!GlobalAlloc "!position;.printf \"GlobalAlloc ( 0x%08X, %i )\\r\\n\",poi(@esp+4),poi(@esp+8);bp /1 @$ra \".printf \\\"GlobalAlloc=0x%08X\\\\r\\\\n\\\",@eax;!gle;g\";g"
bm kernel*!GlobalFree "!position;.printf \"GlobalFree ( 0x%08X )\",poi(@esp+4);bp /1 @$ra \".printf \\\"=0x%08X\\\\r\\\\n\\\",@eax;!gle;g\";g"
bm kernel*!GlobalSize "!position;.printf \"GlobalSize ( 0x%08X )\",poi(@esp+4);bp /1 @$ra \".printf \\\"=%i\\\\r\\\\n\\\",@eax;!gle;g\";g"
bp ntdll!RtlAllocateHeap "!position;.printf \"RtlAllocateHeap ( 0x%08X, 0x%08X, %i )\",poi(@esp+4),poi(@esp+8),poi(@esp+0xC);bp /1 @$ra \".printf \\\"=0x%08X\\\\r\\\\n\\\",@eax;!gle;g\";g"
bp ntdll!RtlCreateHeap "!position;.printf \"RtlCreateHeap ( 0x%08X, 0x%08X, %i, %i, 0x%08X, 0x%08X)\",poi(@esp+4),poi(@esp+8),poi(@esp+0xC),poi(@esp+0x10),poi(@esp+0x14),poi(@esp+0x18);bp /1 @$ra \".printf \\\"=0x%08X\\\\r\\\\n\\\",@eax;!gle;g\";g"
bp ntdll!RtlFreeHeap "!position;.printf \"RtlFreeHeap ( 0x%08X, %i, 0x%08X )\",poi(@esp+4),poi(@esp+8),poi(@esp+0xC);bp /1 @$ra \".printf \\\"=0x%08X\\\\r\\\\n\\\",@eax;!gle;g\";g"

64-bit Process

bm kernel*!GlobalAlloc "!position;.printf \"GlobalAlloc ( 0x%016X, %i )\\r\\n\",@rcx,@rdx;bp /1 @$ra \".printf \\\"GlobalAlloc=0x%016X\\\\r\\\\n\\\",@rax;!gle;g\";g"
bm kernel*!GlobalFree "!position;.printf \"GlobalFree ( 0x%016X )\",@rcx;bp /1 @$ra \".printf \\\"=0x%016X\\\\r\\\\n\\\",@rax;!gle;g\";g"
bm kernel*!GlobalSize "!position;.printf \"GlobalSize ( 0x%016X )\",@rcx;bp /1 @$ra \".printf \\\"=%i\\\\r\\\\n\\\",@rax;!gle;g\";g"
bp ntdll!RtlAllocateHeap "!position;.printf \"RtlAllocateHeap ( 0x%016X, 0x%016X, %i )\",@rcx,@rdx,@r8;bp /1 @$ra \".printf \\\"=0x%016X\\\\r\\\\n\\\",@rax;!gle;g\";g"
bp ntdll!RtlCreateHeap "!position;.printf \"RtlCreateHeap ( 0x%016X, 0x%016X, %i, %i, 0x%016X, 0x%016X)\",@rcx,@rdx,@r8,@r9,poi(@rsp+28h),poi(@rsp+30h);bp /1 @$ra \".printf \\\"=0x%016X\\\\r\\\\n\\\",@rax;!gle;g\";g"
bp ntdll!RtlFreeHeap "!position;.printf \"RtlFreeHeap ( 0x%016X, %i, 0x%016X )\",@rcx,@rdx,@r8;bp /1 @$ra \".printf \\\"=0x%016X\\\\r\\\\n\\\",@rax;!gle;g\";g"
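
A trace captured with the RtlAllocateHeap and RtlFreeHeap breakpoints above can be post-processed to pair each free with its allocation and flag double frees, cross-heap frees and blocks never released. The Python below is an added example, not part of the original post; it assumes each call and its return value print on one line in the .printf formats shown above and that !position output begins with "Time Travel Position:", and the sample log is constructed.

```python
import re

# Line formats follow the .printf strings in the breakpoint commands above.
# The "Time Travel Position:" prefix for !position output is an assumption.
POSITION_RE = re.compile(r"Time Travel Position:\s*([0-9A-Fa-f]+:[0-9A-Fa-f]+)")
ALLOC_RE = re.compile(
    r"RtlAllocateHeap \( 0x([0-9A-Fa-f]+), 0x([0-9A-Fa-f]+), (-?\d+) \)"
    r"=0x([0-9A-Fa-f]+)")
# The return value is optional: a free that faults never reaches the
# one-shot breakpoint on its return address, so "=0x..." is never printed.
FREE_RE = re.compile(
    r"RtlFreeHeap \( 0x([0-9A-Fa-f]+), (-?\d+), 0x([0-9A-Fa-f]+) \)"
    r"(?:=0x([0-9A-Fa-f]+))?")

# Constructed sample log (addresses and positions are made up for illustration).
SAMPLE_LOG = """\
Time Travel Position: 1A2:4F
RtlAllocateHeap ( 0x000001E4A2B30000, 0x0000000000000008, 64 )=0x000001E4A2B45010
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
Time Travel Position: 1B0:12
RtlAllocateHeap ( 0x000001E4A2B30000, 0x0000000000000000, 128 )=0x000001E4A2B46000
Time Travel Position: 1C4:9
RtlFreeHeap ( 0x000001E4A2B30000, 0, 0x000001E4A2B45010 )=0x0000000000000001
Time Travel Position: 1C8:2
RtlFreeHeap ( 0x000001E4A2B30000, 0, 0x000001E4A2B99000 )=0x0000000000000001
Time Travel Position: 1D0:33
RtlFreeHeap ( 0x000001E4A2B30000, 0, 0x000001E4A2B45010 )
"""


def analyze_heap_log(text):
    """Pair frees with allocations and return suspicious events by category."""
    live = {}    # address -> (heap, size, position of the allocation)
    freed = {}   # address -> position of the free that released it
    findings = {"double_free": [], "heap_mismatch": [], "untracked_free": [],
                "failed_alloc": [], "still_live": []}
    position = None
    for line in text.splitlines():
        m = POSITION_RE.search(line)
        if m:
            position = m.group(1)
            continue
        m = ALLOC_RE.search(line)
        if m:
            heap, size, addr = int(m.group(1), 16), int(m.group(3)), int(m.group(4), 16)
            if addr == 0:
                findings["failed_alloc"].append((position, size))
            else:
                live[addr] = (heap, size, position)
                freed.pop(addr, None)   # address reused, no longer counts as freed
            continue
        m = FREE_RE.search(line)
        if m:
            heap, addr = int(m.group(1), 16), int(m.group(3), 16)
            if addr == 0:
                continue                # freeing NULL is not tracked
            if addr in live:
                alloc_heap, _size, alloc_pos = live.pop(addr)
                if alloc_heap != heap:
                    findings["heap_mismatch"].append((addr, alloc_pos, position))
                freed[addr] = position
            elif addr in freed:
                # (address, position of first free, position of second free)
                findings["double_free"].append((addr, freed[addr], position))
            else:
                # allocated before the trace started or through an untraced API
                findings["untracked_free"].append((addr, position))
    findings["still_live"] = [(addr, size, pos)
                              for addr, (heap, size, pos) in sorted(live.items())]
    return findings


if __name__ == "__main__":
    for category, events in analyze_heap_log(SAMPLE_LOG).items():
        print(category, events)
```

The positions reported in each finding can be passed to !tt to jump to that point in the trace.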


PowerShell Piano

In helping a customer migrate a 1980s MS-DOS application to a modern platform, among the application prerequisites I came across the installation files for Microsoft Mouse, which included a “Virtual Piano” by Chris Peters written in BASIC. I thought I’d try and create a PowerShell port of this, complete with the awful color scheme. Unfortunately PowerShell / .NET Framework is not great for music production without the use of 3rd-party libraries or native OS calls. This uses a simple method, the System.Media.SoundPlayer class, to play back samples. As a consequence only one note can be played at a time. The tuneful beeps of the original have been replaced with real piano samples. If the CAPS LOCK key is on, the sound of a key will continue after you let go of the mouse button until you hit the next key.

As the original 320×200 can look quite tiny on a modern display the variable $global:multiplier can be set to zoom the display.

Piano samples are from http://theremin.music.uiowa.edu/MISpiano.html and were converted to WAV files with https://www.audacityteam.org/

The original piano.bas can be found with Microsoft Mouse software archived here https://winworldpc.com/product/microsoft-mouse/1x

The script with samples is available here https://github.com/chentiangemalc/PowerShellPiano

PowerShell Piano in action:

# PowerShell port of "The Virtual Piano" piano.bas, originally written by Chris Peters, 1983
# Included with Microsoft Mouse https://winworldpc.com/product/microsoft-mouse/1x

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

$form = New-Object System.Windows.Forms.Form

# zooms the display from the original 320x200
$global:multiplier = 4

# Key Size Parameters
$global:YL = 60 
$global:WKL = 80 
$global:BKL = 45 
$global:KW = 15
$global:WKN = 21
$global:XL = 320-$global:KW*$global:WKN
$global:YH = $global:YL + $global:WKL
$global:XH = 319
$global:BKW2=$global:KW / 3
$global:QX = 272 
$global:QY = 176

$form.add_MouseDown({
    param($sender,$e)
    
    [Int]$MX = $e.X # mouse X position
    [Int]$MY = $e.Y # mouse Y position

    $WKY = [Math]::Ceiling(($MX-($global:XL*$global:multiplier))/($global:KW * $global:multiplier))
    $R = 1  
    if ($MY -le (($global:YL+$global:BKL)*$global:multiplier))
    {
        $MK=($MX-($global:XL*$global:multiplier)) % ($global:KW * $global:multiplier)
        if ($MK -le ($global:BKW2*$global:multiplier))
        { 
            $R = 0
        }
        elseif ($MK -ge (($global:KW-$global:BKW2)*$global:multiplier))
        {
            $R = 2  
        }
    }

    $global:samplePlayer[$global:Freq[$WKY,$R]].Play()
})

$form.add_MouseUp({
    # if caps lock is on won't stop the sound on mouse up
    if (!([System.Windows.Forms.Control]::IsKeyLocked([System.Windows.Forms.Keys]::CapsLock)))
    {
        ForEach ($sample in $global:samplePlayer)
        {
            $sample.Stop()
        }
    }
})

$form.BackColor = [System.Drawing.Color]::FromArgb(0x00,0x00,0xAA)
$form.Width = 320 * $global:multiplier
$form.Height = 200 * $global:multiplier
$form.Visible = $true 
$logoBrush = New-Object System.Drawing.SolidBrush([System.Drawing.Color]::FromArgb(0xAA,0xAA,0xAA))
$whiteKeyBrush = New-Object System.Drawing.SolidBrush([System.Drawing.Color]::FromArgb(0xAA,0xAA,0xAA))
$blackKeyBrush = New-Object System.Drawing.SolidBrush([System.Drawing.Color]::FromArgb(0xAA,0x00,0xAA))

$backgroundBrush = New-Object System.Drawing.SolidBrush([System.Drawing.Color]::FromArgb(0x00,0x00,0xAA))
$gfx = $form.CreateGraphics()

# Load Piano Samples
$pianoSamples = @( 
    "Piano.mf.C3.wav",
    "Piano.mf.Db3.wav",
    "Piano.mf.D3.wav",
    "Piano.mf.Eb3.wav",
    "Piano.mf.E3.wav",
    "Piano.mf.F3.wav",
    "Piano.mf.Gb3.wav",
    "Piano.mf.G3.wav",
    "Piano.mf.Ab3.wav",
    "Piano.mf.A3.wav",
    "Piano.mf.Bb3.wav",
    "Piano.mf.B3.wav",
    "Piano.mf.C4.wav",
    "Piano.mf.Db4.wav",
    "Piano.mf.D4.wav",
    "Piano.mf.Eb4.wav",
    "Piano.mf.E4.wav",
    "Piano.mf.F4.wav",
    "Piano.mf.Gb4.wav",
    "Piano.mf.G4.wav",
    "Piano.mf.Ab4.wav",
    "Piano.mf.A4.wav",
    "Piano.mf.Bb4.wav",
    "Piano.mf.B4.wav",
    "Piano.mf.C5.wav",
    "Piano.mf.Db5.wav",
    "Piano.mf.D5.wav",
    "Piano.mf.Eb5.wav",
    "Piano.mf.E5.wav",
    "Piano.mf.F5.wav",
    "Piano.mf.Gb5.wav",
    "Piano.mf.G5.wav",
    "Piano.mf.Ab5.wav",
    "Piano.mf.A5.wav",
    "Piano.mf.Bb5.wav",
    "Piano.mf.B5.wav")

$global:samplePlayer = @()   
ForEach ($filename in $pianoSamples)
{
    $path = Join-Path -Path $PSScriptRoot -childPath $filename
    $sample = New-Object System.Media.SoundPlayer($path)
    $sample.Load()
    $global:samplePlayer += $sample 
} 

$global:Freq = New-Object 'Int[,]' 22,3
$j = 0
For ($i=0;$i -lt 21;$i+=7)
{
    $global:Freq[(1+$i),1]=0+$j
    $global:Freq[(1+$i),2]=1+$j
    $global:Freq[(2+$i),0]=1+$j
    $global:Freq[(2+$i),1]=2+$j
    $global:Freq[(2+$i),2]=3+$j
    $global:Freq[(3+$i),0]=3+$j
    $global:Freq[(3+$i),1]=4+$j
    $global:Freq[(3+$i),2]=4+$j
    $global:Freq[(4+$i),0]=5+$j
    $global:Freq[(4+$i),1]=5+$j
    $global:Freq[(4+$i),2]=6+$j
    $global:Freq[(5+$i),0]=6+$j
    $global:Freq[(5+$i),1]=7+$j
    $global:Freq[(5+$i),2]=8+$j
    $global:Freq[(6+$i),0]=8+$j
    $global:Freq[(6+$i),1]=9+$j
    $global:Freq[(6+$i),2]=10+$j
    $global:Freq[(7+$i),0]=10+$j
    $global:Freq[(7+$i),1]=11+$j
    $global:Freq[(7+$i),2]=11+$j
    $j+=12
}

# Draw old school Microsoft Logo from Piano.bas, included with Microsoft Mouse for MS-DOS
$msLogo = @( 208, 28 )
$msLogo += @( 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
$msLogo += @( 0, 0, 0, 0, 0, 0, -128, 0, 0, 0, 0, 0, 0)
$msLogo += @( 0, 0, 3, -512, 0, 7, -16, 62, 0, -128, 0, 0, 0)
$msLogo += @( -512, 4071, -16369, -128, 8188, 0, 0, 255, -32765, -32, 1023, -7169, -128)
$msLogo += @( -256, 8167, -16321, -32, 8191, -32705, -2, 1023, -8177, -8, 1023, -7169, -128)
$msLogo += @( -256, 8167, -16129, -8, 8191, -16260, 31, 2047, -4033, -2, 1023, -7169, -128)
$msLogo += @( -128, 16359, -15880, 252, 8191, -8192, 0, 2047, -3970, 63, 1023, -7169, -128)
$msLogo += @( -128, 16359, -15392, 62, 7943, -3585, -1, -14361, -3848, 15, -31745, -7169, -128)
$msLogo += @( -64, 32743, -15424, 30, 7939, -3136, 1, -6173, -3856, 7, -31776, 7, -16384)
$msLogo += @( -64, 32743, -14464, 15, 7937, -4096, 0, 2016, 480, 3, -15392, 7, -16384)
$msLogo += @( -32, -25, -14464, 15, 7937, -2049, 127, -2056, 480, 3, -15392, 7, -16384)
$msLogo += @( -32, -25, -12544, 7, -24829, -2176, 0, -3074, 960, 1, -7200, 7, -16384)
$msLogo += @( -15, -25, -12544, 0, 7943, -4096, 0, 1023, -31808, 1, -7169, -8185, -16384)
$msLogo += @( -1039, -1049, -12544, 0, 8191, -6146, 63, -3585, -15424, 1, -7169, -8185, -16384)
$msLogo += @( -1029, -1049, -12544, 0, 8191, -6272, 0, -3969, -7232, 1, -7169, -8185, -16384)
$msLogo += @( -1541, -3097, -12544, 0, 8191, -16384, 0, 15, -3136, 1, -7169, -8185, -16384)
$msLogo += @( -1537, -3097, -12544, 0, 8191, -14464, 0, -4093, -1088, 1, -7200, 7, -16384)
$msLogo += @( -1793, -7193, -14464, 0, 7967, -14337, 127, -4095, -1568, 3, -15392, 7, -16384)
$msLogo += @( -1793, -7193, -14464, 15, 7943, -8192, 0, 4033, -1568, 3, -15392, 7, -16384)
$msLogo += @( -1921, -15385, -15424, 30, 7939, -7232, 1, -4125, -1808, 7, -31776, 7, -16384)
$msLogo += @( -1921, -15385, -15392, 62, 7939, -3585, -1, -12289, -1800, 15, -31776, 7, -16384)
$msLogo += @( -1985, -31769, -15880, 252, 7937, -4096, 0, 2047, -3970, 63, 992, 7, -16384)
$msLogo += @( -1985, -31769, -16130, 1016, 7937, -3972, 31, 2047, -8129, -32514, 992, 7, -16384)
$msLogo += @( -2017, 999, -16321, -32, 7937, -4033, -2, 1023, -16369, -8, 992, 7, -16384)
$msLogo += @( -2017, 999, -16369, -128, 7937, -4096, 0, 255, 3, -32, 992, 7, -16384)
$msLogo += @( 0, 0, 3, -512, 0, 7, -16, 0, 0, -128, 0, 0, 0)
$msLogo += @( 0, 0, 0, 0, 0, 0, -128, 0, 0, 0, 0, 0, 0)
$msLogo += @( 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)

$width = $msLogo[0]
$height = $mslogo[1]
$currentRow = 0
$currentColumn = 0

$total = ""
$offSet = 63
for ($i = 2;$i -lt $mslogo.Length ;$i++)
{
    # each logo word holds 16 pixels: test bit 15 (leftmost) down to bit 0
    for ($j = 15; $j -ge 0; $j--)
    {
        if (([Int16]$mslogo[$i] -band (1 -shl $j)) -ne 0)
        {
            $gfx.FillRectangle($logoBrush,($offSet*$global:multiplier)+$currentColumn*$global:multiplier,$currentRow*$global:multiplier,$global:multiplier,$global:multiplier)

        }
        $currentColumn++
        if ($currentColumn -ge $WIDTH)
        {
            $currentColumn = 0 
            $currentRow++
        }   
    }
}

# Draw white keys
$gfx.FillRectangle($whiteKeyBrush,$global:XL*$global:multiplier,$global:YL*$global:multiplier,($global:XH*$global:multiplier)-($global:XL*$global:multiplier),($global:YH*$global:multiplier)-($global:YL*$global:multiplier))
for ($i=$global:XL;$i -lt $global:XH;$i+=$global:KW)
{
    $gfx.FillRectangle($backgroundBrush,$i*$global:multiplier,$global:YL*$global:multiplier,$global:multiplier,($global:YH*$global:multiplier)-($global:YL*$global:multiplier))
}

# Draw black keys
$C=6
for ($X=$global:XL;$X -lt $global:XH;$X+=$global:KW)
{
    $C++
    if ($C -eq 7) { $C = 0 }
    if (!($C -eq 0 -or $C -eq 3))
    {
         $gfx.FillRectangle($blackKeyBrush,($X-$global:BKW2)*$global:multiplier,$global:YL*$global:multiplier,(($X+$global:BKW2)*$global:multiplier)-(($X-$global:BKW2)*$global:multiplier),(($global:YL+$global:BKL)*$global:multiplier)-($global:YL*$global:multiplier))
    }
}

[void][System.Windows.Forms.Application]::Run($form)
$Form.close()


For reference, here is the original piano.bas:

1000 '
1010 '               THE VIRTUAL PIANO
1020 '
1030 '   COPYRIGHT (C) 1983 BY MICROSOFT CORPORATION
1040 '           WRITTEN BY CHRIS PETERS
1050 '
1060 '-----------------------------------------------
1070 '
1080 '  I N I T I A L I Z E
1090 '
1100 DEFINT A-Z
1110 DIM CURSOR(15,1),FREQ(27,2),MICROSOFT(839)
1120 KEY OFF
1130 PLAY"MF"
1140 SCREEN 1
1150 COLOR 1,1
1160 CLS
1170 '
1180 '  Read in the flat, normal, and sharp note frequencies
1190 '
1200 FOR J=0 TO 2
1210 FOR I=0 TO 6
1220 READ K
1230 FREQ(I,J)=K : FREQ(I+7,J)=K*2 : FREQ(I+14,J)=K*4 : FREQ(I+21,J)=K*8
1240 NEXT
1250 NEXT
1260 '
1270 '  Determine mouse driver location, if not found, quit.
1280 '
1290 DEF SEG=0
1300 MSEG=256*PEEK(51*4+3)+PEEK(51*4+2)     ' Get mouse segment
1310 MOUSE=256*PEEK(51*4+1)+PEEK(51*4)+2    ' Get mouse offset
1320 IF MSEG OR MOUSE THEN 1370
1330 PRINT"Mouse driver not found"          ' Not found, so print error.
1340 PRINT
1350 PRINT"Press any key to return to system"
1360 I$=INKEY$ : IF I$="" THEN 1360 ELSE SYSTEM
1370 DEF SEG=MSEG                           ' Set mouse segment
1380 M1 = 0 : CALL MOUSE(M1,M2,M3,M4)       ' Initialize the mouse
1390 '
1400 '  Set mouse sensitivity
1410 '
1420 M1 = 15 : M3=4 : M4=8
1430 CALL MOUSE(M1,M2,M3,M4)
1440 '
1450 '  Define the "logical and" cursor mask
1460 '
1470 CURSOR( 0,0)=&HFFFF         ' Binary 1111111111111111
1480 CURSOR( 1,0)=&HFFFF         ' Binary 1111111111111111
1490 CURSOR( 2,0)=&HFFFF         ' Binary 1111111111111111
1500 CURSOR( 3,0)=&HFFFF         ' Binary 1111111111111111
1510 CURSOR( 4,0)=&HFFFF         ' Binary 1111111111111111
1520 CURSOR( 5,0)=&HFFFF         ' Binary 1111111111111111
1530 CURSOR( 6,0)=&HFFFF         ' Binary 1111111111111111
1540 CURSOR( 7,0)=&HFFFF         ' Binary 1111111111111111
1550 CURSOR( 8,0)=&HFFFF         ' Binary 1111111111111111
1560 CURSOR( 9,0)=&HFFFF         ' Binary 1111111111111111
1570 CURSOR(10,0)=&HFFFF         ' Binary 1111111111111111
1580 CURSOR(11,0)=&HFFFF         ' Binary 1111111111111111
1590 CURSOR(12,0)=&HFFFF         ' Binary 1111111111111111
1600 CURSOR(13,0)=&HFFFF         ' Binary 1111111111111111
1610 CURSOR(14,0)=&HFFFF         ' Binary 1111111111111111
1620 CURSOR(15,0)=&HFFFF         ' Binary 1111111111111111
1630 '
1640 '  Define the "exclusive or" cursor mask
1650 '
1660 CURSOR( 0,1)=&H0300         ' Binary 0000001100000000
1670 CURSOR( 1,1)=&H0300         ' Binary 0000001100000000
1680 CURSOR( 2,1)=&H0FC0         ' Binary 0000111111000000
1690 CURSOR( 3,1)=&H0FC0         ' Binary 0000111111000000
1700 CURSOR( 4,1)=&H3FF0         ' Binary 0011111111110000
1710 CURSOR( 5,1)=&H3FF0         ' Binary 0011111111110000
1720 CURSOR( 6,1)=&HFCFC         ' Binary 1111110011111100
1730 CURSOR( 7,1)=&HC00C         ' Binary 1100000000001100
1740 CURSOR( 8,1)=&H0000         ' Binary 0000000000000000
1750 CURSOR( 9,1)=&H0000         ' Binary 0000000000000000
1760 CURSOR(10,1)=&H0000         ' Binary 0000000000000000
1770 CURSOR(11,1)=&H0000         ' Binary 0000000000000000
1780 CURSOR(12,1)=&H0000         ' Binary 0000000000000000
1790 CURSOR(13,1)=&H0000         ' Binary 0000000000000000
1800 CURSOR(14,1)=&H0000         ' Binary 0000000000000000
1810 CURSOR(15,1)=&H0000         ' Binary 0000000000000000
1820 '
1830 '  Set the mouse cursor shape
1840 '
1850 M1 = 9 : M2 = 6 : M3 = 0
1860 CALL MOUSE(M1,M2,M3,CURSOR(0,0))
1870 '
1880 '  Draw the MICROSOFT logo from precalculated data
1890 '
1900 FOR I=0 TO 779
1910 READ MICROSOFT(I)
1920 NEXT
1930 PUT(62,0),MICROSOFT,PSET
1940 '
1950 '  Initialize keyboard size parameters
1960 '
1970 YL = 60 : WKL = 80 : BKL = 45 : KW = 15 : WKN = 21
1980 XL = 320-KW*WKN : YH = YL + WKL : XH = 319 : BKW2=KW\3
1990 QX = 272 : QY = 176
2000 '
2010 '  Draw the white keys
2020 '
2030 LINE (XL,YL)-(XH,YH),3,BF
2040 FOR I=XL TO XH STEP KW
2050 LINE (I,YL)-(I,YH),0
2060 NEXT
2070 '
2080 '  Draw the "black" keys
2090 '
2100 C=6
2110 FOR X=XL TO XH STEP KW
2120 C=C+1 : IF C=7 THEN C=0
2130 IF C=0 OR C=3 THEN 2150
2140 LINE(X-BKW2,YL)-(X+BKW2,YL+BKL),2,BF
2150 NEXT
2160 '
2170 '  Draw the quit box
2180 '
2190 LINE(QX,QY)-(319,199),3,B
2200 LOCATE 24,36 : PRINT"Quit";
2210 '
2220 '  Set mouse cursor location, then turn on cursor
2230 '
2240 M1 = 4 : M3 = 320 : M4 = 160 : CALL MOUSE(M1,M2,M3,M4)
2250 M1 = 1 : CALL MOUSE(M1,M2,M3,M4)
2260 '
2270 '  M A I N    L O O P
2280 '
2290 M1=3 : CALL MOUSE(M1,BT,MX,MY)     ' Get mouse location and button status
2300 IF (BT AND 2) THEN OTV=7 : GOTO 2340   ' If right button down, set high octave
2310 IF (BT AND 1) THEN OTV=0 : GOTO 2340   ' If left button down, set lower octave
2320 SOUND 442,0                        ' If both buttons up, turn off sound
2330 GOTO 2290                          ' Keep looping...
2340 MX = MX\2                          ' Correct for medium resolution screen
2350 IF MX <= XL OR MY < YL THEN 2320   ' If above keyboard, turn off sound
2360 IF MY <= YH THEN 2470              ' If on keyboard, play sound
2370 IF MY < QY OR MX < QX THEN 2320    ' If above quit box, turn off sound
2380 '
2390 '  Button down inside the quit box
2400 '
2410 M1=2 : CALL MOUSE(M1,M2,M3,M4)     ' Turn off mouse cursor
2420 CLS                                ' Clear screen
2430 END                                ' quit
2440 '
2450 '  Button down over keyboard, determine which key
2460 '
2470 WKY = (MX-XL)\KW+OTV : R = 1       ' Get which white key cursor is over
2480 IF MY > YL+BKL THEN 2560           ' is it lower than the black keys?
2490 MK=(MX-XL) MOD KW                  ' No, get which side of key
2500 IF MK <= BKW2 THEN R=0 : GOTO 2560 ' Is it the left black key?
2510 IF MK >= KW-BKW2 THEN R=2          ' Is it the right black key?
2520 '
2530 '  Play the note. For BASIC interpreter duration = 2
2540 '                 For BASIC compiler    duration = 1
2550 '
2560 SOUND FREQ(WKY,R),2
2570 GOTO 2290                          ' Continue looping
2580 '
2590 '  Musical note frequencies
2600 '
2610 DATA 131,139,156,175,185,208,233
2620 DATA 131,147,165,175,196,220,247
2630 DATA 139,156,165,185,208,233,247
2640 '
2650 '  Data to draw the MICROSOFT logo
2660 '
2670 DATA 462,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
2680 DATA 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
2690 DATA 0,0,0,-193,240,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
2700 DATA 0,0,0,0,0,768,-1,0,0,0,0,3840,-1,-16129,0,-253,0,0,-193,240
2710 DATA 0,0,0,0,0,0,0,0,0,-193,0,16128,4095,252,16128,-1,240,-256,-769,0
2720 DATA 0,0,0,0,-193,240,768,-1,255,768,-1,1023,-1,-1,240,0,0,0,-193,192
2730 DATA -256,4095,252,-253,-1,255,-256,-1,240,-253,-1,-1,768,-1,255,16128,-1,-3841,768,-1
2740 DATA 1023,-1,-1,240,0,0,0,-193,192,-256,4095,252,-193,-1,-3841,-256,-1,252,-1009,0
2750 DATA -256,4032,-1,-16129,-253,-1,-1,768,-1,1023,-1,-1,240,0,0,0,-193,240,-253,4095
2760 DATA 252,-3841,0,-961,-256,-1,255,0,0,0,3840,-1,-16129,-241,0,-253,960,-1,1023,-1
2770 DATA -1,240,0,0,0,-193,240,-253,4095,1020,255,0,-253,-256,4032,-16129,-1,-1,-1,4092
2780 DATA 4095,-16129,-4033,0,16128,1008,-1,1023,-1,-1,240,0,0,0,-193,252,-241,4095,1020,252
2790 DATA 0,-256,-256,960,-15361,252,0,0,4095,1023,-16129,-16321,0,3840,1008,255,0,3840,252,0
2800 DATA 0,0,0,-193,252,-241,4095,4092,240,0,16128,-64,192,-16129,0,0,0,3840,255,0
2810 DATA 255,0,768,1020,255,0,3840,252,0,0,0,0,-193,255,-193,4095,4092,240,0,16128
2820 DATA -64,192,-12289,-1,192,-241,-12289,-3841,0,255,0,768,1020,255,0,3840,252,0,0,0
2830 DATA 0,-193,255,-193,4095,16380,192,0,3840,-16,960,-12289,240,0,0,-15553,-1,768,252,0
2840 DATA 0,1023,255,0,3840,252,0,0,0,0,-193,-16129,-1,4095,16380,192,0,0,-256,4032
2850 DATA -16129,0,0,0,768,-1,1008,252,0,0,1023,-1,255,3840,252,0,0,0,0,-3265
2860 DATA -16129,-3073,4095,16380,192,0,0,-256,-1,4095,-1,0,-253,-16129,-1,1020,252,0,0,1023
2870 DATA -1,255,3840,252,0,0,0,0,-3265,-3073,-3073,4095,16380,192,0,0,-256,-1,4095,240
2880 DATA 0,0,-16321,-241,1023,252,0,0,1023,-1,255,3840,252,0,0,0,0,-4033,-3073,-15361
2890 DATA 4095,16380,192,0,0,-256,-1,252,0,0,0,0,16128,-15361,252,0,0,1023,-1,255
2900 DATA 3840,252,0,0,0,0,-4033,-1,-15361,4095,16380,192,0,0,-256,-1,4092,240,0,0
2910 DATA -16321,768,-3073,252,0,0,1023,255,0,3840,252,0,0,0,0,-4033,-193,1023,4095,4092
2920 DATA 240,0,0,-256,-64,4092,-1,192,-241,-16129,0,-3841,255,0,768,1020,255,0,3840,252
2930 DATA 0,0,0,0,-4033,-193,1023,4095,4092,240,0,16128,-64,4032,255,0,0,0,16128,252
2940 DATA -3841,255,0,768,1020,255,0,3840,252,0,0,0,0,-4033,-241,1020,4095,1020,252,0
2950 DATA -256,-256,960,1023,252,0,0,16383,1023,-3841,-16321,0,3840,1008,255,0,3840,252,0,0
2960 DATA 0,0,-4033,-241,1020,4095,1020,255,0,-253,-256,960,-16129,-1,-1,-1,16380,-1,-3841,-4033
2970 DATA 0,16128,1008,255,0,3840,252,0,0,0,0,-4033,-253,1008,4095,252,-3841,0,-961,-256
2980 DATA 192,-16129,0,0,0,3840,-1,-16129,-241,0,-253,960,255,0,3840,252,0,0,0,0
2990 DATA -4033,-253,1008,4095,252,-193,768,-3841,-256,192,-16129,-1009,0,-256,4032,-1,255,-253,240,-193
3000 DATA 768,255,0,3840,252,0,0,0,0,-4033,-256,960,4095,252,-253,-1,255,-256,192,-16129
3010 DATA -253,-1,-1,768,-1,252,16128,-1,-3841,768,255,0,3840,252,0,0,0,0,-4033,-256
3020 DATA 960,4095,252,16128,-1,240,-256,192,-16129,0,0,0,0,-193,192,768,-1,255,768,255
3030 DATA 0,3840,252,0,0,0,0,0,0,0,0,0,768,-1,0,0,0,0,3840,-1
3040 DATA -16129,0,0,0,0,-193,240,0,0,0,0,0,0,0,0,0,0,0,0,0
3050 DATA 0,0,0,0,0,0,0,0,-193,240,0,0,0,0,0,0,0,0,0,0
