@ntddk
Created May 7, 2015 09:08
livekd on Windows 10 Build 10074
PS C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64> ./livekd
LiveKd v5.40 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2015 Mark Russinovich and Ken Johnson
Launching C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 UP Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10074.0.amd64fre.fbl_impressive.150424-1350
Machine Name:
Kernel base = 0xfffff801`33e01000 PsLoadedModuleList = 0xfffff801`3411b610
Debug session time: Thu May 7 17:38:58.603 2015 (UTC + 9:00)
System Uptime: 0 days 0:01:07.609
Loading Kernel Symbols
...............................................................
................................................................
.................................................
Loading User Symbols
..........................................
kd> !idt -a
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
Dumping IDT: fffff80135ad5070
00: fffff80133f3f000 nt!KiDivideErrorFault
01: fffff80133f3f100 nt!KiDebugTrapOrFault
02: fffff80133f3f2c0 nt!KiNmiInterrupt Stack = 0xFFFFF80135AF0000
03: fffff80133f3f640 nt!KiBreakpointTrap
04: fffff80133f3f740 nt!KiOverflowTrap
05: fffff80133f3f840 nt!KiBoundFault
06: fffff80133f3fac0 nt!KiInvalidOpcodeFault
07: fffff80133f3fd00 nt!KiNpxNotAvailableFault
08: fffff80133f3fdc0 nt!KiDoubleFaultAbort Stack = 0xFFFFF80135AEE000
09: fffff80133f3fe80 nt!KiNpxSegmentOverrunAbort
0a: fffff80133f3ff40 nt!KiInvalidTssFault
0b: fffff80133f40000 nt!KiSegmentNotPresentFault
0c: fffff80133f40140 nt!KiStackFault
0d: fffff80133f40280 nt!KiGeneralProtectionFault
0e: fffff80133f40380 nt!KiPageFault
0f: fffff80133f39208 nt!KiIsrThunk+0x78
10: fffff80133f40740 nt!KiFloatingErrorFault
11: fffff80133f408c0 nt!KiAlignmentFault
12: fffff80133f409c0 nt!KiMcheckAbort Stack = 0xFFFFF80135AF2000
13: fffff80133f41040 nt!KiXmmException
14: fffff80133f39230 nt!KiIsrThunk+0xA0
15: fffff80133f39238 nt!KiIsrThunk+0xA8
16: fffff80133f39240 nt!KiIsrThunk+0xB0
17: fffff80133f39248 nt!KiIsrThunk+0xB8
18: fffff80133f39250 nt!KiIsrThunk+0xC0
19: fffff80133f39258 nt!KiIsrThunk+0xC8
1a: fffff80133f39260 nt!KiIsrThunk+0xD0
1b: fffff80133f39268 nt!KiIsrThunk+0xD8
1c: fffff80133f39270 nt!KiIsrThunk+0xE0
1d: fffff80133f39278 nt!KiIsrThunk+0xE8
1e: fffff80133f39280 nt!KiIsrThunk+0xF0
1f: fffff80133f3a4b0 nt!KiApcInterrupt
20: fffff80133f3e690 nt!KiSwInterrupt
21: fffff80133f39298 nt!KiIsrThunk+0x108
22: fffff80133f392a0 nt!KiIsrThunk+0x110
23: fffff80133f392a8 nt!KiIsrThunk+0x118
24: fffff80133f392b0 nt!KiIsrThunk+0x120
25: fffff80133f392b8 nt!KiIsrThunk+0x128
26: fffff80133f392c0 nt!KiIsrThunk+0x130
27: fffff80133f392c8 nt!KiIsrThunk+0x138
28: fffff80133f392d0 nt!KiIsrThunk+0x140
29: fffff80133f41200 nt!KiRaiseSecurityCheckFailure
2a: fffff80133f392e0 nt!KiIsrThunk+0x150
2b: fffff80133f392e8 nt!KiIsrThunk+0x158
2c: fffff80133f41300 nt!KiRaiseAssertion
2d: fffff80133f41400 nt!KiDebugServiceTrap
2e: fffff80133f39300 nt!KiIsrThunk+0x170
2f: fffff80133f3a780 nt!KiDpcInterrupt
30: fffff80133f3a9b0 nt!KiHvInterrupt
31: fffff80133f3ad10 nt!KiVmbusInterrupt0
32: fffff80133f3b060 nt!KiVmbusInterrupt1
33: fffff80133f3b3b0 nt!KiVmbusInterrupt2
34: fffff80133f3b700 nt!KiVmbusInterrupt3
35: fffff80133f39338 nt!KiIsrThunk+0x1A8
36: fffff80133f39340 nt!KiIsrThunk+0x1B0
37: fffff80133f39348 nt!KiIsrThunk+0x1B8
38: fffff80133f39350 nt!KiIsrThunk+0x1C0
39: fffff80133f39358 nt!KiIsrThunk+0x1C8
3a: fffff80133f39360 nt!KiIsrThunk+0x1D0
3b: fffff80133f39368 nt!KiIsrThunk+0x1D8
3c: fffff80133f39370 nt!KiIsrThunk+0x1E0
3d: fffff80133f39378 nt!KiIsrThunk+0x1E8
3e: fffff80133f39380 nt!KiIsrThunk+0x1F0
3f: fffff80133f39388 nt!KiIsrThunk+0x1F8
40: fffff80133f39390 nt!KiIsrThunk+0x200
41: fffff80133f39398 nt!KiIsrThunk+0x208
42: fffff80133f393a0 nt!KiIsrThunk+0x210
43: fffff80133f393a8 nt!KiIsrThunk+0x218
44: fffff80133f393b0 nt!KiIsrThunk+0x220
45: fffff80133f393b8 nt!KiIsrThunk+0x228
46: fffff80133f393c0 nt!KiIsrThunk+0x230
47: fffff80133f393c8 nt!KiIsrThunk+0x238
48: fffff80133f393d0 nt!KiIsrThunk+0x240
49: fffff80133f393d8 nt!KiIsrThunk+0x248
4a: fffff80133f393e0 nt!KiIsrThunk+0x250
4b: fffff80133f393e8 nt!KiIsrThunk+0x258
4c: fffff80133f393f0 nt!KiIsrThunk+0x260
4d: fffff80133f393f8 nt!KiIsrThunk+0x268
4e: fffff80133f39400 nt!KiIsrThunk+0x270
4f: fffff80133f39408 nt!KiIsrThunk+0x278
50: fffff80133f39410 nt!KiIsrThunk+0x280
51: fffff80133f39418 nt!KiIsrThunk+0x288
52: fffff80133f39420 nt!KiIsrThunk+0x290
53: fffff80133f39428 nt!KiIsrThunk+0x298
54: fffff80133f39430 nt!KiIsrThunk+0x2A0
55: fffff80133f39438 nt!KiIsrThunk+0x2A8
56: fffff80133f39440 nt!KiIsrThunk+0x2B0
57: fffff80133f39448 nt!KiIsrThunk+0x2B8
58: fffff80133f39450 nt!KiIsrThunk+0x2C0
59: fffff80133f39458 nt!KiIsrThunk+0x2C8
5a: fffff80133f39460 nt!KiIsrThunk+0x2D0
5b: fffff80133f39468 nt!KiIsrThunk+0x2D8
5c: fffff80133f39470 nt!KiIsrThunk+0x2E0
5d: fffff80133f39478 nt!KiIsrThunk+0x2E8
5e: fffff80133f39480 nt!KiIsrThunk+0x2F0
5f: fffff80133f39488 nt!KiIsrThunk+0x2F8
60: fffff80133f39490 nt!KiIsrThunk+0x300
61: fffff80133f39498 nt!KiIsrThunk+0x308
62: fffff80133f394a0 nt!KiIsrThunk+0x310
63: fffff80133f394a8 nt!KiIsrThunk+0x318
64: fffff80133f394b0 nt!KiIsrThunk+0x320
65: fffff80133f394b8 nt!KiIsrThunk+0x328
66: fffff80133f394c0 nt!KiIsrThunk+0x330
67: fffff80133f394c8 nt!KiIsrThunk+0x338
68: fffff80133f394d0 nt!KiIsrThunk+0x340
69: fffff80133f394d8 nt!KiIsrThunk+0x348
6a: fffff80133f394e0 nt!KiIsrThunk+0x350
6b: fffff80133f394e8 nt!KiIsrThunk+0x358
6c: fffff80133f394f0 nt!KiIsrThunk+0x360
6d: fffff80133f394f8 nt!KiIsrThunk+0x368
6e: fffff80133f39500 nt!KiIsrThunk+0x370
6f: fffff80133f39508 nt!KiIsrThunk+0x378
70: fffff80133f39510 nt!KiIsrThunk+0x380
71: fffff80133f39518 nt!KiIsrThunk+0x388
72: fffff80133f39520 nt!KiIsrThunk+0x390
73: fffff80133f39528 nt!KiIsrThunk+0x398
74: fffff80133f39530 nt!KiIsrThunk+0x3A0
75: fffff80133f39538 nt!KiIsrThunk+0x3A8
76: fffff80133f39540 nt!KiIsrThunk+0x3B0
77: fffff80133f39548 nt!KiIsrThunk+0x3B8
78: fffff80133f39550 nt!KiIsrThunk+0x3C0
79: fffff80133f39558 nt!KiIsrThunk+0x3C8
7a: fffff80133f39560 nt!KiIsrThunk+0x3D0
7b: fffff80133f39568 nt!KiIsrThunk+0x3D8
7c: fffff80133f39570 nt!KiIsrThunk+0x3E0
7d: fffff80133f39578 nt!KiIsrThunk+0x3E8
7e: fffff80133f39580 nt!KiIsrThunk+0x3F0
7f: fffff80133f39588 nt!KiIsrThunk+0x3F8
80: fffff80133f39590 nt!KiIsrThunk+0x400
81: fffff80133f39598 nt!KiIsrThunk+0x408
82: fffff80133f395a0 nt!KiIsrThunk+0x410
83: fffff80133f395a8 nt!KiIsrThunk+0x418
84: fffff80133f395b0 nt!KiIsrThunk+0x420
85: fffff80133f395b8 nt!KiIsrThunk+0x428
86: fffff80133f395c0 nt!KiIsrThunk+0x430
87: fffff80133f395c8 nt!KiIsrThunk+0x438
88: fffff80133f395d0 nt!KiIsrThunk+0x440
89: fffff80133f395d8 nt!KiIsrThunk+0x448
8a: fffff80133f395e0 nt!KiIsrThunk+0x450
8b: fffff80133f395e8 nt!KiIsrThunk+0x458
8c: fffff80133f395f0 nt!KiIsrThunk+0x460
8d: fffff80133f395f8 nt!KiIsrThunk+0x468
8e: fffff80133f39600 nt!KiIsrThunk+0x470
8f: fffff80133f39608 nt!KiIsrThunk+0x478
90: fffff80133f39610 nt!KiIsrThunk+0x480
91: fffff80133f39618 nt!KiIsrThunk+0x488
92: fffff80133f39620 nt!KiIsrThunk+0x490
93: fffff80133f39628 nt!KiIsrThunk+0x498
94: fffff80133f39630 nt!KiIsrThunk+0x4A0
95: fffff80133f39638 nt!KiIsrThunk+0x4A8
96: fffff80133f39640 nt!KiIsrThunk+0x4B0
97: fffff80133f39648 nt!KiIsrThunk+0x4B8
98: fffff80133f39650 nt!KiIsrThunk+0x4C0
99: fffff80133f39658 nt!KiIsrThunk+0x4C8
9a: fffff80133f39660 nt!KiIsrThunk+0x4D0
9b: fffff80133f39668 nt!KiIsrThunk+0x4D8
9c: fffff80133f39670 nt!KiIsrThunk+0x4E0
9d: fffff80133f39678 nt!KiIsrThunk+0x4E8
9e: fffff80133f39680 nt!KiIsrThunk+0x4F0
9f: fffff80133f39688 nt!KiIsrThunk+0x4F8
a0: fffff80133f39690 nt!KiIsrThunk+0x500
a1: fffff80133f39698 nt!KiIsrThunk+0x508
a2: fffff80133f396a0 nt!KiIsrThunk+0x510
a3: fffff80133f396a8 nt!KiIsrThunk+0x518
a4: fffff80133f396b0 nt!KiIsrThunk+0x520
a5: fffff80133f396b8 nt!KiIsrThunk+0x528
a6: fffff80133f396c0 nt!KiIsrThunk+0x530
a7: fffff80133f396c8 nt!KiIsrThunk+0x538
a8: fffff80133f396d0 nt!KiIsrThunk+0x540
a9: fffff80133f396d8 nt!KiIsrThunk+0x548
aa: fffff80133f396e0 nt!KiIsrThunk+0x550
ab: fffff80133f396e8 nt!KiIsrThunk+0x558
ac: fffff80133f396f0 nt!KiIsrThunk+0x560
ad: fffff80133f396f8 nt!KiIsrThunk+0x568
ae: fffff80133f39700 nt!KiIsrThunk+0x570
af: fffff80133f39708 nt!KiIsrThunk+0x578
b0: fffff80133f39710 nt!KiIsrThunk+0x580
b1: fffff80133f39718 nt!KiIsrThunk+0x588
b2: fffff80133f39720 nt!KiIsrThunk+0x590
b3: fffff80133f39728 nt!KiIsrThunk+0x598
b4: fffff80133f39730 nt!KiIsrThunk+0x5A0
b5: fffff80133f39738 nt!KiIsrThunk+0x5A8
b6: fffff80133f39740 nt!KiIsrThunk+0x5B0
b7: fffff80133f39748 nt!KiIsrThunk+0x5B8
b8: fffff80133f39750 nt!KiIsrThunk+0x5C0
b9: fffff80133f39758 nt!KiIsrThunk+0x5C8
ba: fffff80133f39760 nt!KiIsrThunk+0x5D0
bb: fffff80133f39768 nt!KiIsrThunk+0x5D8
bc: fffff80133f39770 nt!KiIsrThunk+0x5E0
bd: fffff80133f39778 nt!KiIsrThunk+0x5E8
be: fffff80133f39780 nt!KiIsrThunk+0x5F0
bf: fffff80133f39788 nt!KiIsrThunk+0x5F8
c0: fffff80133f39790 nt!KiIsrThunk+0x600
c1: fffff80133f39798 nt!KiIsrThunk+0x608
c2: fffff80133f397a0 nt!KiIsrThunk+0x610
c3: fffff80133f397a8 nt!KiIsrThunk+0x618
c4: fffff80133f397b0 nt!KiIsrThunk+0x620
c5: fffff80133f397b8 nt!KiIsrThunk+0x628
c6: fffff80133f397c0 nt!KiIsrThunk+0x630
c7: fffff80133f397c8 nt!KiIsrThunk+0x638
c8: fffff80133f397d0 nt!KiIsrThunk+0x640
c9: fffff80133f397d8 nt!KiIsrThunk+0x648
ca: fffff80133f397e0 nt!KiIsrThunk+0x650
cb: fffff80133f397e8 nt!KiIsrThunk+0x658
cc: fffff80133f397f0 nt!KiIsrThunk+0x660
cd: fffff80133f397f8 nt!KiIsrThunk+0x668
ce: fffff80133f39800 nt!KiIsrThunk+0x670
cf: fffff80133f39808 nt!KiIsrThunk+0x678
d0: fffff80133f39810 nt!KiIsrThunk+0x680
d1: fffff80133f39818 nt!KiIsrThunk+0x688
d2: fffff80133f39820 nt!KiIsrThunk+0x690
d3: fffff80133f39828 nt!KiIsrThunk+0x698
d4: fffff80133f39830 nt!KiIsrThunk+0x6A0
d5: fffff80133f39838 nt!KiIsrThunk+0x6A8
d6: fffff80133f39840 nt!KiIsrThunk+0x6B0
d7: fffff80133f39848 nt!KiIsrThunk+0x6B8
d8: fffff80133f39850 nt!KiIsrThunk+0x6C0
d9: fffff80133f39858 nt!KiIsrThunk+0x6C8
da: fffff80133f39860 nt!KiIsrThunk+0x6D0
db: fffff80133f39868 nt!KiIsrThunk+0x6D8
dc: fffff80133f39870 nt!KiIsrThunk+0x6E0
dd: fffff80133f39878 nt!KiIsrThunk+0x6E8
de: fffff80133f39880 nt!KiIsrThunk+0x6F0
df: fffff80133f39888 nt!KiIsrThunk+0x6F8
e0: fffff80133f39890 nt!KiIsrThunk+0x700
e1: fffff80133f3ba50 nt!KiIpiInterrupt
e2: fffff80133f398a0 nt!KiIsrThunk+0x710
e3: fffff80133f398a8 nt!KiIsrThunk+0x718
e4: fffff80133f398b0 nt!KiIsrThunk+0x720
e5: fffff80133f398b8 nt!KiIsrThunk+0x728
e6: fffff80133f398c0 nt!KiIsrThunk+0x730
e7: fffff80133f398c8 nt!KiIsrThunk+0x738
e8: fffff80133f398d0 nt!KiIsrThunk+0x740
e9: fffff80133f398d8 nt!KiIsrThunk+0x748
ea: fffff80133f398e0 nt!KiIsrThunk+0x750
eb: fffff80133f398e8 nt!KiIsrThunk+0x758
ec: fffff80133f398f0 nt!KiIsrThunk+0x760
ed: fffff80133f398f8 nt!KiIsrThunk+0x768
ee: fffff80133f39900 nt!KiIsrThunk+0x770
ef: fffff80133f39908 nt!KiIsrThunk+0x778
f0: fffff80133f39910 nt!KiIsrThunk+0x780
f1: fffff80133f39918 nt!KiIsrThunk+0x788
f2: fffff80133f39920 nt!KiIsrThunk+0x790
f3: fffff80133f39928 nt!KiIsrThunk+0x798
f4: fffff80133f39930 nt!KiIsrThunk+0x7A0
f5: fffff80133f39938 nt!KiIsrThunk+0x7A8
f6: fffff80133f39940 nt!KiIsrThunk+0x7B0
f7: fffff80133f39948 nt!KiIsrThunk+0x7B8
f8: fffff80133f39950 nt!KiIsrThunk+0x7C0
f9: fffff80133f39958 nt!KiIsrThunk+0x7C8
fa: fffff80133f39960 nt!KiIsrThunk+0x7D0
fb: fffff80133f39968 nt!KiIsrThunk+0x7D8
fc: fffff80133f39970 nt!KiIsrThunk+0x7E0
fd: fffff80133f39978 nt!KiIsrThunk+0x7E8
fe: fffff80133f39980 nt!KiIsrThunk+0x7F0
ff: fffff80133f39988 nt!KiIsrThunk+0x7F8
kd> dds KiServiceTable
fffff801`340fd540 fddf4e04
fffff801`340fd544 fde23380
fffff801`340fd548 01eb3682
fffff801`340fd54c 03905d00
fffff801`340fd550 01200a00
fffff801`340fd554 fe3ca500
fffff801`340fd558 0113c505
fffff801`340fd55c 01c30506
fffff801`340fd560 00fe3d05
fffff801`340fd564 01c27501
fffff801`340fd568 01c3e400
fffff801`340fd56c 014638c0
fffff801`340fd570 01e2a900
fffff801`340fd574 01875e00
fffff801`340fd578 01085c00
fffff801`340fd57c 0115bf00
fffff801`340fd580 017f6101
fffff801`340fd584 01170a01
fffff801`340fd588 01d58b00
fffff801`340fd58c 01816f02
fffff801`340fd590 01892600
fffff801`340fd594 01dc2540
fffff801`340fd598 01027f01
fffff801`340fd59c 0101ec02
fffff801`340fd5a0 01106302
fffff801`340fd5a4 01671901
fffff801`340fd5a8 01c23201
fffff801`340fd5ac 01ddd745
fffff801`340fd5b0 01a99400
fffff801`340fd5b4 01d0e8c3
fffff801`340fd5b8 013f8600
fffff801`340fd5bc 03879280
kd> !peb
PEB at 00007ff66afaf000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00007ff66b420000
Ldr 00007ffa32712c80
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 000000e9cc631ca0 . 000000e9cc66d290
Ldr.InLoadOrderModuleList: 000000e9cc631e00 . 000000e9cc66d270
Ldr.InMemoryOrderModuleList: 000000e9cc631e10 . 000000e9cc66d280
Base TimeStamp Module
7ff66b420000 544af778 Oct 25 10:06:00 2014 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe
7ffa325d0000 553ace18 Apr 25 08:13:28 2015 C:\Windows\SYSTEM32\ntdll.dll
7ffa31830000 553acf74 Apr 25 08:19:16 2015 C:\Windows\system32\KERNEL32.DLL
7ffa2fc30000 553acf7b Apr 25 08:19:23 2015 C:\Windows\system32\KERNELBASE.dll
7ffa318e0000 553ad6e2 Apr 25 08:50:58 2015 C:\Windows\system32\msvcrt.dll
7ffa32240000 553ad648 Apr 25 08:48:24 2015 C:\Windows\system32\ADVAPI32.dll
7ffa321e0000 553acf03 Apr 25 08:17:23 2015 C:\Windows\system32\sechost.dll
7ffa324a0000 553acf2b Apr 25 08:18:03 2015 C:\Windows\system32\RPCRT4.dll
7ffa0afd0000 54efcf51 Feb 27 10:58:41 2015 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\dbgeng.dll
7ffa31980000 553ad23b Apr 25 08:31:07 2015 C:\Windows\system32\SHLWAPI.dll
7ffa31aa0000 553ad415 Apr 25 08:39:01 2015 C:\Windows\system32\combase.dll
7ffa30050000 553ad08a Apr 25 08:23:54 2015 C:\Windows\system32\GDI32.dll
7ffa2fee0000 553ad096 Apr 25 08:24:06 2015 C:\Windows\system32\USER32.dll
7ffa0b5c0000 544af7be Oct 25 10:07:10 2014 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\dbghelp.dll
7ffa26a50000 553ad23d Apr 25 08:31:09 2015 C:\Windows\SYSTEM32\VERSION.dll
7ffa2b700000 553ad64a Apr 25 08:48:26 2015 C:\Windows\SYSTEM32\XmlLite.dll
7ffa301e0000 553ad6ab Apr 25 08:50:03 2015 C:\Windows\system32\IMM32.DLL
7ffa31ed0000 553ad09a Apr 25 08:24:10 2015 C:\Windows\system32\MSCTF.dll
7ffa2ef70000 553ad1cf Apr 25 08:29:19 2015 C:\Windows\SYSTEM32\bcryptPrimitives.dll
7ffa0af80000 544af4cc Oct 25 09:54:36 2014 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symsrv.dll
7ffa303c0000 553acf22 Apr 25 08:17:54 2015 C:\Windows\system32\WS2_32.dll
7ffa302f0000 553aceee Apr 25 08:17:02 2015 C:\Windows\system32\NSI.dll
7ffa1f630000 553ad3ac Apr 25 08:37:16 2015 C:\Windows\SYSTEM32\WININET.dll
7ffa2d440000 553ad382 Apr 25 08:36:34 2015 C:\Windows\SYSTEM32\iertutil.dll
7ffa2f430000 553ad468 Apr 25 08:40:24 2015 C:\Windows\system32\shcore.dll
7ffa2ea30000 553ad19c Apr 25 08:28:28 2015 C:\Windows\SYSTEM32\CRYPTSP.dll
7ffa2f0f0000 553ad1f7 Apr 25 08:29:59 2015 C:\Windows\SYSTEM32\bcrypt.dll
7ffa24e20000 553ad1cc Apr 25 08:29:16 2015 C:\Windows\SYSTEM32\Secur32.dll
7ffa2eda0000 553acf0d Apr 25 08:17:33 2015 C:\Windows\SYSTEM32\SSPICLI.DLL
7ffa30420000 553adb93 Apr 25 09:10:59 2015 C:\Windows\system32\SHELL32.dll
7ffa2f550000 553ae072 Apr 25 09:31:46 2015 C:\Windows\system32\windows.storage.dll
7ffa2f220000 553acf21 Apr 25 08:17:53 2015 C:\Windows\system32\kernel.appcore.dll
7ffa2f1d0000 553acf15 Apr 25 08:17:41 2015 C:\Windows\system32\powrprof.dll
7ffa2f230000 553acef1 Apr 25 08:17:05 2015 C:\Windows\system32\profapi.dll
7ffa30300000 553acf07 Apr 25 08:17:27 2015 C:\Windows\system32\OLEAUT32.dll
7ffa247e0000 553ad704 Apr 25 08:51:32 2015 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10074.0_none_829357a05fa06a26\Comctl32.dll
7ffa2a560000 553ad4d7 Apr 25 08:42:15 2015 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
7ffa2de90000 553acf7d Apr 25 08:19:25 2015 C:\Windows\SYSTEM32\RMCLIENT.dll
7ffa2c740000 553ad108 Apr 25 08:26:00 2015 C:\Windows\SYSTEM32\IPHLPAPI.DLL
7ffa2c550000 553acef8 Apr 25 08:17:12 2015 C:\Windows\SYSTEM32\WINNSI.DLL
7ffa2b170000 553ad4fc Apr 25 08:42:52 2015 C:\Windows\SYSTEM32\winhttp.dll
7ffa2e9d0000 553acf2d Apr 25 08:18:05 2015 C:\Windows\system32\mswsock.dll
SubSystemData: 0000000000000000
ProcessHeap: 000000e9cc630000
ProcessParameters: 000000e9cc6313f0
CurrentDirectory: 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\'
WindowTitle: 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\livekd64.exe'
ImageFile: 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe'
CommandLine: 'kd.exe -z C:\Windows\livekd.dmp'
DllPath: '< Name not readable >'
Environment: 000000e9cc673940
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Yuma\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WIN-PDK4DQSKPI1
ComSpec=C:\Windows\system32\cmd.exe
DBGENG_NO_BUGCHECK_ANALYSIS=1
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\Yuma
LOCALAPPDATA=C:\Users\Yuma\AppData\Local
LOGONSERVER=\\WIN-PDK4DQSKPI1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\winext\arcade;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 61 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=3d04
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\Users\Yuma\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Yuma\AppData\Local\Temp
TMP=C:\Users\Yuma\AppData\Local\Temp
USERDOMAIN=WIN-PDK4DQSKPI1
USERDOMAIN_ROAMINGPROFILE=WIN-PDK4DQSKPI1
USERNAME=Yuma
USERPROFILE=C:\Users\Yuma
windir=C:\Windows
_NT_SYMBOL_PATH=srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x2d8 ProcessLock : _EX_PUSH_LOCK
+0x2e0 RundownProtect : _EX_RUNDOWN_REF
+0x2e8 UniqueProcessId : Ptr64 Void
+0x2f0 ActiveProcessLinks : _LIST_ENTRY
+0x300 Flags2 : Uint4B
+0x300 JobNotReallyActive : Pos 0, 1 Bit
+0x300 AccountingFolded : Pos 1, 1 Bit
+0x300 NewProcessReported : Pos 2, 1 Bit
+0x300 ExitProcessReported : Pos 3, 1 Bit
+0x300 ReportCommitChanges : Pos 4, 1 Bit
+0x300 LastReportMemory : Pos 5, 1 Bit
+0x300 ForceWakeCharge : Pos 6, 1 Bit
+0x300 CrossSessionCreate : Pos 7, 1 Bit
+0x300 NeedsHandleRundown : Pos 8, 1 Bit
+0x300 RefTraceEnabled : Pos 9, 1 Bit
+0x300 DisableDynamicCode : Pos 10, 1 Bit
+0x300 EmptyJobEvaluated : Pos 11, 1 Bit
+0x300 DefaultPagePriority : Pos 12, 3 Bits
+0x300 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x300 ProcessVerifierTarget : Pos 16, 1 Bit
+0x300 StackRandomizationDisabled : Pos 17, 1 Bit
+0x300 AffinityPermanent : Pos 18, 1 Bit
+0x300 AffinityUpdateEnable : Pos 19, 1 Bit
+0x300 PropagateNode : Pos 20, 1 Bit
+0x300 ExplicitAffinity : Pos 21, 1 Bit
+0x300 ProcessExecutionState : Pos 22, 2 Bits
+0x300 DisallowStrippedImages : Pos 24, 1 Bit
+0x300 HighEntropyASLREnabled : Pos 25, 1 Bit
+0x300 ExtensionPointDisable : Pos 26, 1 Bit
+0x300 ForceRelocateImages : Pos 27, 1 Bit
+0x300 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x300 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x300 DisallowWin32kSystemCalls : Pos 31, 1 Bit
+0x304 Flags : Uint4B
+0x304 CreateReported : Pos 0, 1 Bit
+0x304 NoDebugInherit : Pos 1, 1 Bit
+0x304 ProcessExiting : Pos 2, 1 Bit
+0x304 ProcessDelete : Pos 3, 1 Bit
+0x304 ControlFlowGuardEnabled : Pos 4, 1 Bit
+0x304 VmDeleted : Pos 5, 1 Bit
+0x304 OutswapEnabled : Pos 6, 1 Bit
+0x304 Outswapped : Pos 7, 1 Bit
+0x304 FailFastOnCommitFail : Pos 8, 1 Bit
+0x304 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x304 AddressSpaceInitialized : Pos 10, 2 Bits
+0x304 SetTimerResolution : Pos 12, 1 Bit
+0x304 BreakOnTermination : Pos 13, 1 Bit
+0x304 DeprioritizeViews : Pos 14, 1 Bit
+0x304 WriteWatch : Pos 15, 1 Bit
+0x304 ProcessInSession : Pos 16, 1 Bit
+0x304 OverrideAddressSpace : Pos 17, 1 Bit
+0x304 HasAddressSpace : Pos 18, 1 Bit
+0x304 LaunchPrefetched : Pos 19, 1 Bit
+0x304 Background : Pos 20, 1 Bit
+0x304 VmTopDown : Pos 21, 1 Bit
+0x304 ImageNotifyDone : Pos 22, 1 Bit
+0x304 PdeUpdateNeeded : Pos 23, 1 Bit
+0x304 VdmAllowed : Pos 24, 1 Bit
+0x304 ProcessRundown : Pos 25, 1 Bit
+0x304 ProcessInserted : Pos 26, 1 Bit
+0x304 DefaultIoPriority : Pos 27, 3 Bits
+0x304 ProcessSelfDelete : Pos 30, 1 Bit
+0x304 SetTimerResolutionLink : Pos 31, 1 Bit
+0x308 CreateTime : _LARGE_INTEGER
+0x310 ProcessQuotaUsage : [2] Uint8B
+0x320 ProcessQuotaPeak : [2] Uint8B
+0x330 PeakVirtualSize : Uint8B
+0x338 VirtualSize : Uint8B
+0x340 SessionProcessLinks : _LIST_ENTRY
+0x350 ExceptionPortData : Ptr64 Void
+0x350 ExceptionPortValue : Uint8B
+0x350 ExceptionPortState : Pos 0, 3 Bits
+0x358 Token : _EX_FAST_REF
+0x360 WorkingSetPage : Uint8B
+0x368 AddressCreationLock : _EX_PUSH_LOCK
+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x378 RotateInProgress : Ptr64 _ETHREAD
+0x380 ForkInProgress : Ptr64 _ETHREAD
+0x388 CommitChargeJob : Ptr64 _EJOB
+0x390 CloneRoot : _RTL_AVL_TREE
+0x398 NumberOfPrivatePages : Uint8B
+0x3a0 NumberOfLockedPages : Uint8B
+0x3a8 Win32Process : Ptr64 Void
+0x3b0 Job : Ptr64 _EJOB
+0x3b8 SectionObject : Ptr64 Void
+0x3c0 SectionBaseAddress : Ptr64 Void
+0x3c8 Cookie : Uint4B
+0x3d0 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x3d8 Win32WindowStation : Ptr64 Void
+0x3e0 InheritedFromUniqueProcessId : Ptr64 Void
+0x3e8 LdtInformation : Ptr64 Void
+0x3f0 OwnerProcessId : Uint8B
+0x3f8 Peb : Ptr64 _PEB
+0x400 Session : Ptr64 Void
+0x408 AweInfo : Ptr64 Void
+0x410 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x418 ObjectTable : Ptr64 _HANDLE_TABLE
+0x420 DebugPort : Ptr64 Void
+0x428 Wow64Process : Ptr64 Void
+0x430 DeviceMap : Ptr64 Void
+0x438 EtwDataSource : Ptr64 Void
+0x440 PageDirectoryPte : Uint8B
+0x448 ImageFileName : [15] UChar
+0x457 PriorityClass : UChar
+0x458 SecurityPort : Ptr64 Void
+0x460 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x468 JobLinks : _LIST_ENTRY
+0x478 HighestUserAddress : Ptr64 Void
+0x480 ThreadListHead : _LIST_ENTRY
+0x490 ActiveThreads : Uint4B
+0x494 ImagePathHash : Uint4B
+0x498 DefaultHardErrorProcessing : Uint4B
+0x49c LastThreadExitStatus : Int4B
+0x4a0 PrefetchTrace : _EX_FAST_REF
+0x4a8 LockedPagesList : Ptr64 Void
+0x4b0 ReadOperationCount : _LARGE_INTEGER
+0x4b8 WriteOperationCount : _LARGE_INTEGER
+0x4c0 OtherOperationCount : _LARGE_INTEGER
+0x4c8 ReadTransferCount : _LARGE_INTEGER
+0x4d0 WriteTransferCount : _LARGE_INTEGER
+0x4d8 OtherTransferCount : _LARGE_INTEGER
+0x4e0 CommitChargeLimit : Uint8B
+0x4e8 CommitCharge : Uint8B
+0x4f0 CommitChargePeak : Uint8B
+0x4f8 Vm : _MMSUPPORT
+0x5f0 MmProcessLinks : _LIST_ENTRY
+0x600 ModifiedPageCount : Uint4B
+0x604 ExitStatus : Int4B
+0x608 VadRoot : _RTL_AVL_TREE
+0x610 VadHint : Ptr64 Void
+0x618 VadCount : Uint8B
+0x620 VadPhysicalPages : Uint8B
+0x628 VadPhysicalPagesLimit : Uint8B
+0x630 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x650 TimerResolutionLink : _LIST_ENTRY
+0x660 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
+0x668 RequestedTimerResolution : Uint4B
+0x66c SmallestTimerResolution : Uint4B
+0x670 ExitTime : _LARGE_INTEGER
+0x678 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
+0x680 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x688 ActiveThreadsHighWatermark : Uint4B
+0x68c LargePrivateVadCount : Uint4B
+0x690 ThreadListLock : _EX_PUSH_LOCK
+0x698 WnfContext : Ptr64 Void
+0x6a0 Spare0 : Uint8B
+0x6a8 SignatureLevel : UChar
+0x6a9 SectionSignatureLevel : UChar
+0x6aa Protection : _PS_PROTECTION
+0x6ab HangCount : UChar
+0x6ac Flags3 : Uint4B
+0x6ac Minimal : Pos 0, 1 Bit
+0x6ac ReplacingPageRoot : Pos 1, 1 Bit
+0x6ac DisableNonSystemFonts : Pos 2, 1 Bit
+0x6ac AuditNonSystemFontLoading : Pos 3, 1 Bit
+0x6ac Crashed : Pos 4, 1 Bit
+0x6ac JobVadsAreTracked : Pos 5, 1 Bit
+0x6ac VadTrackingDisabled : Pos 6, 1 Bit
+0x6ac AuxiliaryProcess : Pos 7, 1 Bit
+0x6ac SubsystemProcess : Pos 8, 1 Bit
+0x6b0 DeviceAsid : Int4B
+0x6b8 SvmData : Ptr64 Void
+0x6c0 SvmProcessLock : _EX_PUSH_LOCK
+0x6c8 SvmLock : Uint8B
+0x6d0 SvmProcessDeviceListHead : _LIST_ENTRY
+0x6e0 LastFreezeInterruptTime : Uint8B
+0x6e8 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS
+0x6f0 PicoContext : Ptr64 Void
+0x6f8 TrustletIdentity : Uint8B
+0x700 KeepAliveCounter : Uint4B
+0x704 NoWakeKeepAliveCounter : Uint4B
+0x708 HighPriorityFaultsAllowed : Uint4B
+0x710 EnergyValues : Ptr64 _PROCESS_ENERGY_VALUES
+0x718 VmContext : Ptr64 Void
+0x720 Silo : Ptr64 _ESILO
+0x728 SiloEntry : _LIST_ENTRY
+0x738 SequenceNumber : Uint8B
+0x740 CreateInterruptTime : Uint8B
+0x748 CreateUnbiasedInterruptTime : Uint8B
+0x750 TotalUnbiasedFrozenTime : Uint8B
+0x758 LastAppStateUpdateTime : Uint8B
+0x760 LastAppStateUptime : Pos 0, 61 Bits
+0x760 LastAppState : Pos 61, 3 Bits
+0x768 SharedCommitCharge : Uint8B
+0x770 SharedCommitLock : _EX_PUSH_LOCK
+0x778 SharedCommitLinks : _LIST_ENTRY
+0x788 AllowedCpuSets : [20] Uint8B
+0x828 DefaultCpuSets : [20] Uint8B
kd> dt _ETHREAD
ntdll!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x5d8 CreateTime : _LARGE_INTEGER
+0x5e0 ExitTime : _LARGE_INTEGER
+0x5e0 KeyedWaitChain : _LIST_ENTRY
+0x5f0 ChargeOnlySession : Ptr64 Void
+0x5f8 PostBlockList : _LIST_ENTRY
+0x5f8 ForwardLinkShadow : Ptr64 Void
+0x600 StartAddress : Ptr64 Void
+0x608 TerminationPort : Ptr64 _TERMINATION_PORT
+0x608 ReaperLink : Ptr64 _ETHREAD
+0x608 KeyedWaitValue : Ptr64 Void
+0x610 ActiveTimerListLock : Uint8B
+0x618 ActiveTimerListHead : _LIST_ENTRY
+0x628 Cid : _CLIENT_ID
+0x638 KeyedWaitSemaphore : _KSEMAPHORE
+0x638 AlpcWaitSemaphore : _KSEMAPHORE
+0x658 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x660 IrpList : _LIST_ENTRY
+0x670 TopLevelIrp : Uint8B
+0x678 DeviceToVerify : Ptr64 _DEVICE_OBJECT
+0x680 Win32StartAddress : Ptr64 Void
+0x688 LegacyPowerObject : Ptr64 Void
+0x690 ThreadListEntry : _LIST_ENTRY
+0x6a0 RundownProtect : _EX_RUNDOWN_REF
+0x6a8 ThreadLock : _EX_PUSH_LOCK
+0x6b0 ReadClusterSize : Uint4B
+0x6b4 MmLockOrdering : Int4B
+0x6b8 CmLockOrdering : Int4B
+0x6bc CrossThreadFlags : Uint4B
+0x6bc Terminated : Pos 0, 1 Bit
+0x6bc ThreadInserted : Pos 1, 1 Bit
+0x6bc HideFromDebugger : Pos 2, 1 Bit
+0x6bc ActiveImpersonationInfo : Pos 3, 1 Bit
+0x6bc HardErrorsAreDisabled : Pos 4, 1 Bit
+0x6bc BreakOnTermination : Pos 5, 1 Bit
+0x6bc SkipCreationMsg : Pos 6, 1 Bit
+0x6bc SkipTerminationMsg : Pos 7, 1 Bit
+0x6bc CopyTokenOnOpen : Pos 8, 1 Bit
+0x6bc ThreadIoPriority : Pos 9, 3 Bits
+0x6bc ThreadPagePriority : Pos 12, 3 Bits
+0x6bc RundownFail : Pos 15, 1 Bit
+0x6bc UmsForceQueueTermination : Pos 16, 1 Bit
+0x6bc ReservedCrossThreadFlags : Pos 17, 15 Bits
+0x6c0 SameThreadPassiveFlags : Uint4B
+0x6c0 ActiveExWorker : Pos 0, 1 Bit
+0x6c0 MemoryMaker : Pos 1, 1 Bit
+0x6c0 ClonedThread : Pos 2, 1 Bit
+0x6c0 KeyedEventInUse : Pos 3, 1 Bit
+0x6c0 SelfTerminate : Pos 4, 1 Bit
+0x6c4 SameThreadApcFlags : Uint4B
+0x6c4 OwnsProcessAddressSpaceExclusive : Pos 0, 1 Bit
+0x6c4 OwnsProcessAddressSpaceShared : Pos 1, 1 Bit
+0x6c4 HardFaultBehavior : Pos 2, 1 Bit
+0x6c4 StartAddressInvalid : Pos 3, 1 Bit
+0x6c4 EtwCalloutActive : Pos 4, 1 Bit
+0x6c4 SuppressSymbolLoad : Pos 5, 1 Bit
+0x6c4 Prefetching : Pos 6, 1 Bit
+0x6c4 OwnsVadExclusive : Pos 7, 1 Bit
+0x6c5 SystemPagePriorityActive : Pos 0, 1 Bit
+0x6c5 SystemPagePriority : Pos 1, 3 Bits
+0x6c8 CacheManagerActive : UChar
+0x6c9 DisablePageFaultClustering : UChar
+0x6ca ActiveFaultCount : UChar
+0x6cb LockOrderState : UChar
+0x6d0 AlpcMessageId : Uint8B
+0x6d8 AlpcMessage : Ptr64 Void
+0x6d8 AlpcReceiveAttributeSet : Uint4B
+0x6e0 ExitStatus : Int4B
+0x6e8 AlpcWaitListEntry : _LIST_ENTRY
+0x6f8 CacheManagerCount : Uint4B
+0x6fc IoBoostCount : Uint4B
+0x700 BoostList : _LIST_ENTRY
+0x710 DeboostList : _LIST_ENTRY
+0x720 BoostListLock : Uint8B
+0x728 IrpListLock : Uint8B
+0x730 ReservedForSynchTracking : Ptr64 Void
+0x738 CmCallbackListHead : _SINGLE_LIST_ENTRY
+0x740 ActivityId : Ptr64 _GUID
+0x748 SeLearningModeListHead : _SINGLE_LIST_ENTRY
+0x750 VerifierContext : Ptr64 Void
+0x758 KernelStackReference : Uint4B
+0x760 AdjustedClientToken : Ptr64 Void
+0x768 WorkingOnBehalfClient : Ptr64 Void
+0x770 PropertySet : _PS_PROPERTY_SET
+0x788 PicoContext : Ptr64 Void
+0x790 UserFsBase : Uint4B
+0x798 UserGsBase : Uint8B
+0x7a0 EnergyValues : Ptr64 _THREAD_ENERGY_VALUES
+0x7a8 CmCellReferences : Uint4B
+0x7b0 SelectedCpuSets : Uint8B
+0x7b8 Silo : Ptr64 _ESILO