@ntddk
Last active August 29, 2015 14:07
livekd on #Windows10 Technical Preview
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64>livekd.exe
LiveKd v5.31 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2013 Mark Russinovich and Ken Johnson
Launching C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 UP Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9841.0.amd64fre.fbl_release.140912-1613
Machine Name:
Kernel base = 0xfffff801`75a7f000 PsLoadedModuleList = 0xfffff801`75d6e8b0
Debug session time: Thu Oct 2 21:25:28.711 2014 (UTC + 9:00)
System Uptime: 0 days 0:06:10.396
Loading Kernel Symbols
...............................................................
................................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
................
.................................
Loading User Symbols
....................................
Loading unloaded module list
..........
kd> !idt -a
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
Dumping IDT: fffff80177510080
00: fffff80175ba9a00 nt!KiDivideErrorFault
01: fffff80175ba9b00 nt!KiDebugTrapOrFault
02: fffff80175ba9cc0 nt!KiNmiInterrupt Stack = 0xFFFFF8017752B000
03: fffff80175baa040 nt!KiBreakpointTrap
04: fffff80175baa140 nt!KiOverflowTrap
05: fffff80175baa240 nt!KiBoundFault
06: fffff80175baa340 nt!KiInvalidOpcodeFault
07: fffff80175baa580 nt!KiNpxNotAvailableFault
08: fffff80175baa640 nt!KiDoubleFaultAbort Stack = 0xFFFFF80177529000
09: fffff80175baa700 nt!KiNpxSegmentOverrunAbort
0a: fffff80175baa7c0 nt!KiInvalidTssFault
0b: fffff80175baa880 nt!KiSegmentNotPresentFault
0c: fffff80175baa9c0 nt!KiStackFault
0d: fffff80175baab00 nt!KiGeneralProtectionFault
0e: fffff80175baac00 nt!KiPageFault
0f: fffff80175ba3e68 nt!KxUnexpectedInterrupt0+0x78
10: fffff80175baafc0 nt!KiFloatingErrorFault
11: fffff80175bab140 nt!KiAlignmentFault
12: fffff80175bab240 nt!KiMcheckAbort Stack = 0xFFFFF8017752D000
13: fffff80175bab8c0 nt!KiXmmException
14: fffff80175ba3e90 nt!KxUnexpectedInterrupt0+0xA0
15: fffff80175ba3e98 nt!KxUnexpectedInterrupt0+0xA8
16: fffff80175ba3ea0 nt!KxUnexpectedInterrupt0+0xB0
17: fffff80175ba3ea8 nt!KxUnexpectedInterrupt0+0xB8
18: fffff80175ba3eb0 nt!KxUnexpectedInterrupt0+0xC0
19: fffff80175ba3eb8 nt!KxUnexpectedInterrupt0+0xC8
1a: fffff80175ba3ec0 nt!KxUnexpectedInterrupt0+0xD0
1b: fffff80175ba3ec8 nt!KxUnexpectedInterrupt0+0xD8
1c: fffff80175ba3ed0 nt!KxUnexpectedInterrupt0+0xE0
1d: fffff80175ba3ed8 nt!KxUnexpectedInterrupt0+0xE8
1e: fffff80175ba3ee0 nt!KxUnexpectedInterrupt0+0xF0
1f: fffff80175ba54a0 nt!KiApcInterrupt
20: fffff80175ba8fc0 nt!KiSwInterrupt
21: fffff80175ba3ef8 nt!KxUnexpectedInterrupt0+0x108
22: fffff80175ba3f00 nt!KxUnexpectedInterrupt0+0x110
23: fffff80175ba3f08 nt!KxUnexpectedInterrupt0+0x118
24: fffff80175ba3f10 nt!KxUnexpectedInterrupt0+0x120
25: fffff80175ba3f18 nt!KxUnexpectedInterrupt0+0x128
26: fffff80175ba3f20 nt!KxUnexpectedInterrupt0+0x130
27: fffff80175ba3f28 nt!KxUnexpectedInterrupt0+0x138
28: fffff80175ba3f30 nt!KxUnexpectedInterrupt0+0x140
29: fffff80175baba80 nt!KiRaiseSecurityCheckFailure
2a: fffff80175ba3f40 nt!KxUnexpectedInterrupt0+0x150
2b: fffff80175ba3f48 nt!KxUnexpectedInterrupt0+0x158
2c: fffff80175babb80 nt!KiRaiseAssertion
2d: fffff80175babc80 nt!KiDebugServiceTrap
2e: fffff80175ba3f60 nt!KxUnexpectedInterrupt0+0x170
2f: fffff80175ba5770 nt!KiDpcInterrupt
30: fffff80175ba59a0 nt!KiHvInterrupt
31: fffff80175ba5d10 nt!KiVmbusInterrupt0
32: fffff80175ba6070 nt!KiVmbusInterrupt1
33: fffff80175ba63d0 nt!KiVmbusInterrupt2
34: fffff80175ba6730 nt!KiVmbusInterrupt3
35: fffff80175a62090 hal!HalpInterruptCmciService (KINTERRUPT fffff80175a62000)
36: fffff80175ba3fa0 nt!KxUnexpectedInterrupt0+0x1B0
37: fffff80175ba3fa8 nt!KxUnexpectedInterrupt0+0x1B8
38: fffff80175ba3fb0 nt!KxUnexpectedInterrupt0+0x1C0
39: fffff80175ba3fb8 nt!KxUnexpectedInterrupt0+0x1C8
3a: fffff80175ba3fc0 nt!KxUnexpectedInterrupt0+0x1D0
3b: fffff80175ba3fc8 nt!KxUnexpectedInterrupt0+0x1D8
3c: fffff80175ba3fd0 nt!KxUnexpectedInterrupt0+0x1E0
3d: fffff80175ba3fd8 nt!KxUnexpectedInterrupt0+0x1E8
3e: fffff80175ba3fe0 nt!KxUnexpectedInterrupt0+0x1F0
3f: fffff80175ba3fe8 nt!KxUnexpectedInterrupt0+0x1F8
40: fffff80175ba3ff0 nt!KxUnexpectedInterrupt0+0x200
41: fffff80175ba3ff8 nt!KxUnexpectedInterrupt0+0x208
42: fffff80175ba4000 nt!KxUnexpectedInterrupt0+0x210
43: fffff80175ba4008 nt!KxUnexpectedInterrupt0+0x218
44: fffff80175ba4010 nt!KxUnexpectedInterrupt0+0x220
45: fffff80175ba4018 nt!KxUnexpectedInterrupt0+0x228
46: fffff80175ba4020 nt!KxUnexpectedInterrupt0+0x230
47: fffff80175ba4028 nt!KxUnexpectedInterrupt0+0x238
48: fffff80175ba4030 nt!KxUnexpectedInterrupt0+0x240
49: fffff80175ba4038 nt!KxUnexpectedInterrupt0+0x248
4a: fffff80175ba4040 nt!KxUnexpectedInterrupt0+0x250
4b: fffff80175ba4048 nt!KxUnexpectedInterrupt0+0x258
4c: fffff80175ba4050 nt!KxUnexpectedInterrupt0+0x260
4d: fffff80175ba4058 nt!KxUnexpectedInterrupt0+0x268
4e: fffff80175ba4060 nt!KxUnexpectedInterrupt0+0x270
4f: fffff80175ba4068 nt!KxUnexpectedInterrupt0+0x278
50: ffffd001f3860810 serial!SerialCIsrSw (KINTERRUPT ffffd001f3860780)
51: ffffd001f353f810 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f780)
52: ffffd001f456ee50 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456edc0)
53: ffffd001f456e590 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e500)
54: ffffd001f456fbd0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456fb40)
55: ffffd001f3860d10 ataport!IdePortInterrupt (KINTERRUPT ffffd001f3860c80)
56: ffffd001f3860310 ndis!ndisMiniportMessageIsr (KINTERRUPT ffffd001f3860280)
57: fffff80175ba40a8 nt!KxUnexpectedInterrupt0+0x2B8
58: fffff80175ba40b0 nt!KxUnexpectedInterrupt0+0x2C0
59: fffff80175ba40b8 nt!KxUnexpectedInterrupt0+0x2C8
5a: fffff80175ba40c0 nt!KxUnexpectedInterrupt0+0x2D0
5b: fffff80175ba40c8 nt!KxUnexpectedInterrupt0+0x2D8
5c: fffff80175ba40d0 nt!KxUnexpectedInterrupt0+0x2E0
5d: fffff80175ba40d8 nt!KxUnexpectedInterrupt0+0x2E8
5e: fffff80175ba40e0 nt!KxUnexpectedInterrupt0+0x2F0
5f: fffff80175ba40e8 nt!KxUnexpectedInterrupt0+0x2F8
60: fffff80175ba40f0 nt!KxUnexpectedInterrupt0+0x300
61: ffffd001f353f950 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f8c0)
62: ffffd001f353f090 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f000)
63: ffffd001f456e6d0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e640)
64: ffffd001f456fd10 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456fc80)
65: ffffd001f3860e50 ataport!IdePortInterrupt (KINTERRUPT ffffd001f3860dc0)
66: fffff80175ba4120 nt!KxUnexpectedInterrupt0+0x330
67: ffffd001f3860450 HDAudBus!HdaController::Isr (KINTERRUPT ffffd001f38603c0)
68: fffff80175ba4130 nt!KxUnexpectedInterrupt0+0x340
69: fffff80175ba4138 nt!KxUnexpectedInterrupt0+0x348
6a: fffff80175ba4140 nt!KxUnexpectedInterrupt0+0x350
6b: fffff80175ba4148 nt!KxUnexpectedInterrupt0+0x358
6c: fffff80175ba4150 nt!KxUnexpectedInterrupt0+0x360
6d: fffff80175ba4158 nt!KxUnexpectedInterrupt0+0x368
6e: fffff80175ba4160 nt!KxUnexpectedInterrupt0+0x370
6f: fffff80175ba4168 nt!KxUnexpectedInterrupt0+0x378
70: ffffd001f3860950 i8042prt!I8042MouseInterruptService (KINTERRUPT ffffd001f38608c0)
71: ffffd001f353fa90 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353fa00)
72: ffffd001f353f1d0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f140)
73: ffffd001f456e810 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e780)
74: ffffd001f456fe50 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456fdc0)
75: ffffd001f456f590 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456f500)
76: ffffd001f5371d10 USBXHCI!Interrupter_WdfEvtInterruptIsr (KMDF) (KINTERRUPT ffffd001f5371c80)
77: ffffd001f38606d0 USBPORT!USBPORT_InterruptService (KINTERRUPT ffffd001f3860640)
78: fffff80175ba41b0 nt!KxUnexpectedInterrupt0+0x3C0
79: fffff80175ba41b8 nt!KxUnexpectedInterrupt0+0x3C8
7a: fffff80175ba41c0 nt!KxUnexpectedInterrupt0+0x3D0
7b: fffff80175ba41c8 nt!KxUnexpectedInterrupt0+0x3D8
7c: fffff80175ba41d0 nt!KxUnexpectedInterrupt0+0x3E0
7d: fffff80175ba41d8 nt!KxUnexpectedInterrupt0+0x3E8
7e: fffff80175ba41e0 nt!KxUnexpectedInterrupt0+0x3F0
7f: fffff80175ba41e8 nt!KxUnexpectedInterrupt0+0x3F8
80: ffffd001f3860a90 i8042prt!I8042KeyboardInterruptService (KINTERRUPT ffffd001f3860a00)
81: ffffd001f353fbd0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353fb40)
82: ffffd001f353f310 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f280)
83: ffffd001f456e950 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e8c0)
84: ffffd001f456e090 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e000)
85: ffffd001f456f6d0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456f640)
86: ffffd001f3860bd0 storport!RaidpAdapterMSIInterruptRoutine (KINTERRUPT ffffd001f3860b40)
87: ffffd001f3860590 USBPORT!USBPORT_InterruptService (KINTERRUPT ffffd001f3860500)
dxgkrnl!DpiFdoLineInterruptRoutine (KINTERRUPT ffffd001f5371b40)
88: fffff80175ba4230 nt!KxUnexpectedInterrupt0+0x440
89: fffff80175ba4238 nt!KxUnexpectedInterrupt0+0x448
8a: fffff80175ba4240 nt!KxUnexpectedInterrupt0+0x450
8b: fffff80175ba4248 nt!KxUnexpectedInterrupt0+0x458
8c: fffff80175ba4250 nt!KxUnexpectedInterrupt0+0x460
8d: fffff80175ba4258 nt!KxUnexpectedInterrupt0+0x468
8e: fffff80175ba4260 nt!KxUnexpectedInterrupt0+0x470
8f: fffff80175ba4268 nt!KxUnexpectedInterrupt0+0x478
90: fffff80175ba4270 nt!KxUnexpectedInterrupt0+0x480
91: ffffd001f353fd10 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353fc80)
92: ffffd001f353f450 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f3c0)
93: ffffd001f456ea90 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456ea00)
94: ffffd001f456e1d0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e140)
95: ffffd001f456f810 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456f780)
96: ffffd001f456f090 storport!RaidpAdapterMSIInterruptRoutine (KINTERRUPT ffffd001f456f000)
97: ffffd001f5371e50 ndis!ndisMiniportMessageIsr (KINTERRUPT ffffd001f5371dc0)
98: fffff80175ba42b0 nt!KxUnexpectedInterrupt0+0x4C0
99: fffff80175ba42b8 nt!KxUnexpectedInterrupt0+0x4C8
9a: fffff80175ba42c0 nt!KxUnexpectedInterrupt0+0x4D0
9b: fffff80175ba42c8 nt!KxUnexpectedInterrupt0+0x4D8
9c: fffff80175ba42d0 nt!KxUnexpectedInterrupt0+0x4E0
9d: fffff80175ba42d8 nt!KxUnexpectedInterrupt0+0x4E8
9e: fffff80175ba42e0 nt!KxUnexpectedInterrupt0+0x4F0
9f: fffff80175ba42e8 nt!KxUnexpectedInterrupt0+0x4F8
a0: fffff80175ba42f0 nt!KxUnexpectedInterrupt0+0x500
a1: ffffd001f456f450 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456f3c0)
a2: ffffd001f353f590 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f500)
a3: ffffd001f456ebd0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456eb40)
a4: ffffd001f456e310 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e280)
a5: ffffd001f456f950 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456f8c0)
a6: ffffd001f456f1d0 *** ERROR: Symbol file could not be found. Defaulted to export symbols for vmci.sys -
vmci!DllInitialize+0x9c8 (KINTERRUPT ffffd001f456f140)
a7: ffffd001f3860090 ndis!ndisMiniportMessageIsr (KINTERRUPT ffffd001f3860000)
a8: fffff80175ba4330 nt!KxUnexpectedInterrupt0+0x540
a9: fffff80175ba4338 nt!KxUnexpectedInterrupt0+0x548
aa: fffff80175ba4340 nt!KxUnexpectedInterrupt0+0x550
ab: fffff80175ba4348 nt!KxUnexpectedInterrupt0+0x558
ac: fffff80175ba4350 nt!KxUnexpectedInterrupt0+0x560
ad: fffff80175ba4358 nt!KxUnexpectedInterrupt0+0x568
ae: fffff80175ba4360 nt!KxUnexpectedInterrupt0+0x570
af: fffff80175ba4368 nt!KxUnexpectedInterrupt0+0x578
b0: ffffd001f353fe50 ACPI!ACPIInterruptServiceRoutine (KINTERRUPT ffffd001f353fdc0)
b1: fffff80175ba4378 nt!KxUnexpectedInterrupt0+0x588
b2: ffffd001f353f6d0 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f353f640)
b3: ffffd001f456ed10 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456ec80)
b4: ffffd001f456e450 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456e3c0)
b5: ffffd001f456fa90 pci!ExpressRootPortMessageRoutine (KINTERRUPT ffffd001f456fa00)
b6: ffffd001f456f310 vmci!DllInitialize+0x9c8 (KINTERRUPT ffffd001f456f280)
b7: ffffd001f38601d0 ndis!ndisMiniportMessageIsr (KINTERRUPT ffffd001f3860140)
b8: fffff80175ba43b0 nt!KxUnexpectedInterrupt0+0x5C0
b9: fffff80175ba43b8 nt!KxUnexpectedInterrupt0+0x5C8
ba: fffff80175ba43c0 nt!KxUnexpectedInterrupt0+0x5D0
bb: fffff80175ba43c8 nt!KxUnexpectedInterrupt0+0x5D8
bc: fffff80175ba43d0 nt!KxUnexpectedInterrupt0+0x5E0
bd: fffff80175ba43d8 nt!KxUnexpectedInterrupt0+0x5E8
be: fffff80175ba43e0 nt!KxUnexpectedInterrupt0+0x5F0
bf: fffff80175ba43e8 nt!KxUnexpectedInterrupt0+0x5F8
c0: fffff80175ba43f0 nt!KxUnexpectedInterrupt0+0x600
c1: fffff80175ba43f8 nt!KxUnexpectedInterrupt0+0x608
c2: fffff80175ba4400 nt!KxUnexpectedInterrupt0+0x610
c3: fffff80175ba4408 nt!KxUnexpectedInterrupt0+0x618
c4: fffff80175ba4410 nt!KxUnexpectedInterrupt0+0x620
c5: fffff80175ba4418 nt!KxUnexpectedInterrupt0+0x628
c6: fffff80175ba4420 nt!KxUnexpectedInterrupt0+0x630
c7: fffff80175ba4428 nt!KxUnexpectedInterrupt0+0x638
c8: fffff80175ba4430 nt!KxUnexpectedInterrupt0+0x640
c9: fffff80175ba4438 nt!KxUnexpectedInterrupt0+0x648
ca: fffff80175ba4440 nt!KxUnexpectedInterrupt0+0x650
cb: fffff80175ba4448 nt!KxUnexpectedInterrupt0+0x658
cc: fffff80175ba4450 nt!KxUnexpectedInterrupt0+0x660
cd: fffff80175ba4458 nt!KxUnexpectedInterrupt0+0x668
ce: fffff80175a62a90 hal!HalpIommuInterruptRoutine (KINTERRUPT fffff80175a62a00)
cf: fffff80175ba4468 nt!KxUnexpectedInterrupt0+0x678
d0: fffff80175ba4470 nt!KxUnexpectedInterrupt0+0x680
d1: fffff80175a62890 hal!HalpTimerClockInterrupt (KINTERRUPT fffff80175a62800)
d2: fffff80175a62790 hal!HalpTimerClockIpiRoutine (KINTERRUPT fffff80175a62700)
d3: fffff80175ba4488 nt!KxUnexpectedInterrupt0+0x698
d4: fffff80175ba4490 nt!KxUnexpectedInterrupt0+0x6A0
d5: fffff80175ba4498 nt!KxUnexpectedInterrupt0+0x6A8
d6: fffff80175ba44a0 nt!KxUnexpectedInterrupt0+0x6B0
d7: fffff80175a62590 hal!HalpInterruptRebootService (KINTERRUPT fffff80175a62500)
d8: fffff80175a62390 hal!HalpInterruptStubService (KINTERRUPT fffff80175a62300)
d9: fffff80175ba44b8 nt!KxUnexpectedInterrupt0+0x6C8
da: fffff80175ba44c0 nt!KxUnexpectedInterrupt0+0x6D0
db: fffff80175ba44c8 nt!KxUnexpectedInterrupt0+0x6D8
dc: fffff80175ba44d0 nt!KxUnexpectedInterrupt0+0x6E0
dd: fffff80175ba44d8 nt!KxUnexpectedInterrupt0+0x6E8
de: fffff80175ba44e0 nt!KxUnexpectedInterrupt0+0x6F0
df: fffff80175a62290 hal!HalpInterruptSpuriousService (KINTERRUPT fffff80175a62200)
e0: fffff80175ba44f0 nt!KxUnexpectedInterrupt0+0x700
e1: fffff80175ba6aa0 nt!KiIpiInterrupt
e2: fffff80175a62490 hal!HalpInterruptLocalErrorService (KINTERRUPT fffff80175a62400)
e3: fffff80175a62190 hal!HalpInterruptDeferredRecoveryService (KINTERRUPT fffff80175a62100)
e4: fffff80175ba4510 nt!KxUnexpectedInterrupt0+0x720
e5: fffff80175ba4518 nt!KxUnexpectedInterrupt0+0x728
e6: fffff80175ba4520 nt!KxUnexpectedInterrupt0+0x730
e7: fffff80175ba4528 nt!KxUnexpectedInterrupt0+0x738
e8: fffff80175ba4530 nt!KxUnexpectedInterrupt0+0x740
e9: fffff80175ba4538 nt!KxUnexpectedInterrupt0+0x748
ea: fffff80175ba4540 nt!KxUnexpectedInterrupt0+0x750
eb: fffff80175ba4548 nt!KxUnexpectedInterrupt0+0x758
ec: fffff80175ba4550 nt!KxUnexpectedInterrupt0+0x760
ed: fffff80175ba4558 nt!KxUnexpectedInterrupt0+0x768
ee: fffff80175ba4560 nt!KxUnexpectedInterrupt0+0x770
ef: fffff80175ba4568 nt!KxUnexpectedInterrupt0+0x778
f0: fffff80175ba4570 nt!KxUnexpectedInterrupt0+0x780
f1: fffff80175ba4578 nt!KxUnexpectedInterrupt0+0x788
f2: fffff80175ba4580 nt!KxUnexpectedInterrupt0+0x790
f3: fffff80175ba4588 nt!KxUnexpectedInterrupt0+0x798
f4: fffff80175ba4590 nt!KxUnexpectedInterrupt0+0x7A0
f5: fffff80175ba4598 nt!KxUnexpectedInterrupt0+0x7A8
f6: fffff80175ba45a0 nt!KxUnexpectedInterrupt0+0x7B0
f7: fffff80175ba45a8 nt!KxUnexpectedInterrupt0+0x7B8
f8: fffff80175ba45b0 nt!KxUnexpectedInterrupt0+0x7C0
f9: fffff80175ba45b8 nt!KxUnexpectedInterrupt0+0x7C8
fa: fffff80175ba45c0 nt!KxUnexpectedInterrupt0+0x7D0
fb: fffff80175ba45c8 nt!KxUnexpectedInterrupt0+0x7D8
fc: fffff80175ba45d0 nt!KxUnexpectedInterrupt0+0x7E0
fd: fffff80175a62990 hal!HalpTimerProfileInterrupt (KINTERRUPT fffff80175a62900)
fe: fffff80175a62690 hal!HalpPerfInterrupt (KINTERRUPT fffff80175a62600)
ff: fffff80175ba45e8 nt!KxUnexpectedInterrupt0+0x7F8
kd> dds KiServiceTable
fffff801`75d38a70 fd6ae544
fffff801`75d38a74 fe041a00
fffff801`75d38a78 01eae3c2
fffff801`75d38a7c 03770e40
fffff801`75d38a80 011a2b00
fffff801`75d38a84 fe6c7300
fffff801`75d38a88 017b8805
fffff801`75d38a8c 011dcd06
fffff801`75d38a90 0165d005
fffff801`75d38a94 01153b01
fffff801`75d38a98 01d21e00
fffff801`75d38a9c 010eac00
fffff801`75d38aa0 01766e80
fffff801`75d38aa4 0179a600
fffff801`75d38aa8 016cef00
fffff801`75d38aac 012cad00
fffff801`75d38ab0 01d2c201
fffff801`75d38ab4 01651e01
fffff801`75d38ab8 01417500
fffff801`75d38abc 0144c802
fffff801`75d38ac0 013ea200
fffff801`75d38ac4 01e19240
fffff801`75d38ac8 01420401
fffff801`75d38acc 0142ac02
fffff801`75d38ad0 01204602
fffff801`75d38ad4 01ae1a01
fffff801`75d38ad8 01cfb301
fffff801`75d38adc 01ddb445
fffff801`75d38ae0 01529800
fffff801`75d38ae4 01458e43
fffff801`75d38ae8 011f3200
fffff801`75d38aec 036e43c0
kd> !process
PROCESS ffffe001df21e8c0
SessionId: 1 Cid: 09b0 Peb: 7ff64a97f000 ParentCid: 0788
DirBase: 138eb4000 ObjectTable: ffffc0013ffda240 HandleCount: <Data Not Accessible>
Image: kd.exe
VadRoot ffffe001decb0920 Vads 98 Clone 0 Private 3023. Modified 42. Locked 6.
DeviceMap ffffc0013f643d20
Token ffffc0013f91c600
ElapsedTime 00:00:00.551
UserTime 00:00:00.000
KernelTime 00:00:00.015
QuotaPoolUsage[PagedPool] 174448
QuotaPoolUsage[NonPagedPool] 13800
Working Set Sizes (now,min,max) (4983, 50, 345) (19932KB, 200KB, 1380KB)
PeakWorkingSetSize 4934
VirtualSize 101 Mb
PeakVirtualSize 101 Mb
PageFaultCount 7526
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 3180
THREAD ffffe001ded5d840 Cid 09b0.0ee4 Teb: 00007ff64a97d000 Win32Thread: fffff9014427bb50 RUNNING on processor 0
TYPE mismatch for thread object at ffffe001df501840
kd> !thread
THREAD ffffe001ded5d840 Cid 09b0.0ee4 Teb: 00007ff64a97d000 Win32Thread: fffff9014427bb50 RUNNING on processor 0
IRP List:
ffffe001df4b05d0: (f8c0,dddb) Flags: 00000000 Mdl: ffffe001df31f2b0
Unable to read nt!_IRP @ badbadfabadbadda
Not impersonating
DeviceMap ffffc0013f643d20
Owning Process ffffe001df21e8c0 Image: kd.exe
Attached Process N/A Image: N/A
Wait Start TickCount 24579
Context Switch Count 688 IdealProcessor: 0
UserTime 00:00:00.953
KernelTime 00:00:02.468
*** ERROR: Module load completed but symbols could not be loaded for kd.exe
Win32 Start Address kd (0x00007ff64acbde08)
Stack Init ffffd001f9f75c90 Current ffffd001f9f75300
Base ffffd001f9f76000 Limit ffffd001f9f70000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffd001`f9086660 00000000`80000000 : ffffe001`ddcba570 fffff801`75a8ea41 00000000`000004bc ffffe001`dedd1678 : LiveKdD+0x2a18
ffffd001`f9086690 ffffe001`ddcba570 : fffff801`75a8ea41 00000000`000004bc ffffe001`dedd1678 fffff580`10804000 : 0x80000000
ffffd001`f9086698 fffff801`75a8ea41 : 00000000`000004bc ffffe001`dedd1678 fffff580`10804000 00007ffe`4b6ef000 : 0xffffe001`ddcba570
ffffd001`f90866a0 fffff801`75a91610 : ffffe001`dca66180 fffff6bf`ff25b778 00000000`00000000 00000000`00000001 : nt!MiAllocateWsle+0x281
ffffd001`f9086700 fffff801`75a90df1 : ffffe001`ddcba570 fffff801`75cb3100 00000000`00000000 00000000`00000000 : nt!MiCompleteProtoPteFault+0x220
ffffd001`f90867c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiResolveProtoPteFault+0x201
kd> !peb
PEB at 00007ff64a97f000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00007ff64acb0000
Ldr 00007ffe4e31a960
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00000071ff911c60 . 00000071ff9503c0
Ldr.InLoadOrderModuleList: 00000071ff911dc0 . 00000071ff951b40
Ldr.InMemoryOrderModuleList: 00000071ff911dd0 . 00000071ff951b50
Base TimeStamp Module
7ff64acb0000 5391c81d Jun 06 22:54:37 2014 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe
7ffe4e1e0000 5413c504 Sep 13 13:16:04 2014 C:\Windows\SYSTEM32\ntdll.dll
7ffe4d030000 5413c342 Sep 13 13:08:34 2014 C:\Windows\system32\KERNEL32.DLL
7ffe4b6d0000 5413b2e5 Sep 13 11:58:45 2014 C:\Windows\system32\KERNELBASE.dll
7ffe4ba80000 5413c4bf Sep 13 13:14:55 2014 C:\Windows\system32\msvcrt.dll
7ffe4d5d0000 5413b1aa Sep 13 11:53:30 2014 C:\Windows\system32\ADVAPI32.dll
7ffe4d9e0000 5413b2b4 Sep 13 11:57:56 2014 C:\Windows\system32\sechost.dll
7ffe4d0e0000 5413b042 Sep 13 11:47:30 2014 C:\Windows\system32\RPCRT4.dll
7ffe33ac0000 53c6be2e Jul 17 03:02:22 2014 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\dbgeng.dll
7ffe4dca0000 5413a381 Sep 13 10:53:05 2014 C:\Windows\system32\SHLWAPI.dll
7ffe4d3a0000 5413aa92 Sep 13 11:23:14 2014 C:\Windows\system32\combase.dll
7ffe4d220000 5413ac3f Sep 13 11:30:23 2014 C:\Windows\system32\USER32.dll
7ffe4de10000 5413bad4 Sep 13 12:32:36 2014 C:\Windows\system32\GDI32.dll
7ffe33f70000 5391c8b4 Jun 06 22:57:08 2014 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\dbghelp.dll
7ffe44ee0000 5413c38a Sep 13 13:09:46 2014 C:\Windows\SYSTEM32\VERSION.dll
7ffe447c0000 5413b6e0 Sep 13 12:15:44 2014 C:\Windows\SYSTEM32\XmlLite.dll
7ffe4d7d0000 5413ac74 Sep 13 11:31:16 2014 C:\Windows\system32\IMM32.DLL
7ffe4d680000 5413aae3 Sep 13 11:24:35 2014 C:\Windows\system32\MSCTF.dll
7ffe4b220000 5413b349 Sep 13 12:00:25 2014 C:\Windows\SYSTEM32\CRYPTBASE.dll
7ffe4b1b0000 5413ba4c Sep 13 12:30:20 2014 C:\Windows\SYSTEM32\bcryptPrimitives.dll
7ffe41c50000 5391c07f Jun 06 22:22:07 2014 C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symsrv.dll
7ffe4b940000 5413ae56 Sep 13 11:39:18 2014 C:\Windows\system32\WS2_32.dll
7ffe4d820000 5413c4ea Sep 13 13:15:38 2014 C:\Windows\system32\NSI.dll
7ffe3f4c0000 5413a101 Sep 13 10:42:25 2014 C:\Windows\SYSTEM32\WININET.dll
7ffe43140000 5413b0fa Sep 13 11:50:34 2014 C:\Windows\SYSTEM32\iertutil.dll
7ffe48ad0000 5413ae79 Sep 13 11:39:53 2014 C:\Windows\SYSTEM32\Secur32.dll
7ffe4afd0000 5413ae83 Sep 13 11:40:03 2014 C:\Windows\SYSTEM32\SSPICLI.DLL
7ffe4bb20000 5413a563 Sep 13 11:01:07 2014 C:\Windows\system32\SHELL32.dll
7ffe49430000 5413aa65 Sep 13 11:22:29 2014 C:\Windows\SYSTEM32\SHCORE.dll
7ffe4b380000 5413ae80 Sep 13 11:40:00 2014 C:\Windows\SYSTEM32\profapi.dll
7ffe3a700000 5413b98a Sep 13 12:27:06 2014 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
7ffe4a310000 5413b926 Sep 13 12:25:26 2014 C:\Windows\SYSTEM32\kernel.appcore.dll
7ffe48b20000 5413a9d9 Sep 13 11:20:09 2014 C:\Windows\SYSTEM32\winhttp.dll
7ffe4ac70000 5413ae65 Sep 13 11:39:33 2014 C:\Windows\system32\mswsock.dll
7ffe47cb0000 5413b047 Sep 13 11:47:35 2014 C:\Windows\SYSTEM32\IPHLPAPI.DLL
7ffe47c90000 5413baf2 Sep 13 12:33:06 2014 C:\Windows\SYSTEM32\WINNSI.DLL
SubSystemData: 0000000000000000
ProcessHeap: 00000071ff910000
ProcessParameters: 00000071ff9113b0
CurrentDirectory: 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\'
WindowTitle: 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\livekd64.exe'
ImageFile: 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe'
CommandLine: 'kd.exe -z C:\Windows\livekd.dmp'
DllPath: '< Name not readable >'
Environment: 00000071ff955110
=C:=C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Yuma\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WIN-V88P73JGUUJ
ComSpec=C:\Windows\system32\cmd.exe
DBGENG_NO_BUGCHECK_ANALYSIS=1
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\Yuma
LOCALAPPDATA=C:\Users\Yuma\AppData\Local
LOGONSERVER=\\MicrosoftAccount
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\winext\arcade;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Yuma\AppData\Local\Temp
TMP=C:\Users\Yuma\AppData\Local\Temp
USERDOMAIN=WIN-V88P73JGUUJ
USERDOMAIN_ROAMINGPROFILE=WIN-V88P73JGUUJ
USERNAME=Yuma
USERPROFILE=C:\Users\Yuma
windir=C:\Windows
_NT_SYMBOL_PATH=srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
kd> dt _KTHREAD
ntdll!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x018 SListFaultAddress : Ptr64 Void
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr64 Void
+0x030 StackLimit : Ptr64 Void
+0x038 StackBase : Ptr64 Void
+0x040 ThreadLock : Uint8B
+0x048 CycleTime : Uint8B
+0x050 CurrentRunTime : Uint4B
+0x054 ExpectedRunTime : Uint4B
+0x058 KernelStack : Ptr64 Void
+0x060 StateSaveArea : Ptr64 _XSAVE_FORMAT
+0x068 SchedulingGroup : Ptr64 _KSCHEDULING_GROUP
+0x070 WaitRegister : _KWAIT_STATUS_REGISTER
+0x071 Running : UChar
+0x072 Alerted : [2] UChar
+0x074 AutoBoostActive : Pos 0, 1 Bit
+0x074 ReadyTransition : Pos 1, 1 Bit
+0x074 ProcessReadyQueue : Pos 2, 1 Bit
+0x074 WaitNext : Pos 3, 1 Bit
+0x074 SystemAffinityActive : Pos 4, 1 Bit
+0x074 Alertable : Pos 5, 1 Bit
+0x074 UserStackWalkActive : Pos 6, 1 Bit
+0x074 ApcInterruptRequest : Pos 7, 1 Bit
+0x074 QuantumEndMigrate : Pos 8, 1 Bit
+0x074 UmsDirectedSwitchEnable : Pos 9, 1 Bit
+0x074 TimerActive : Pos 10, 1 Bit
+0x074 SystemThread : Pos 11, 1 Bit
+0x074 ProcessDetachActive : Pos 12, 1 Bit
+0x074 CalloutActive : Pos 13, 1 Bit
+0x074 ScbReadyQueue : Pos 14, 1 Bit
+0x074 ApcQueueable : Pos 15, 1 Bit
+0x074 ReservedStackInUse : Pos 16, 1 Bit
+0x074 UmsPerformingSyscall : Pos 17, 1 Bit
+0x074 ApcPendingReload : Pos 18, 1 Bit
+0x074 TimerSuspended : Pos 19, 1 Bit
+0x074 SuspendedWaitMode : Pos 20, 1 Bit
+0x074 Reserved : Pos 21, 11 Bits
+0x074 MiscFlags : Int4B
+0x078 AutoAlignment : Pos 0, 1 Bit
+0x078 DisableBoost : Pos 1, 1 Bit
+0x078 UserAffinitySet : Pos 2, 1 Bit
+0x078 AlertedByThreadId : Pos 3, 1 Bit
+0x078 QuantumDonation : Pos 4, 1 Bit
+0x078 EnableStackSwap : Pos 5, 1 Bit
+0x078 GuiThread : Pos 6, 1 Bit
+0x078 DisableQuantum : Pos 7, 1 Bit
+0x078 ChargeOnlySchedulingGroup : Pos 8, 1 Bit
+0x078 DeferPreemption : Pos 9, 1 Bit
+0x078 QueueDeferPreemption : Pos 10, 1 Bit
+0x078 ForceDeferSchedule : Pos 11, 1 Bit
+0x078 SharedReadyQueueAffinity : Pos 12, 1 Bit
+0x078 FreezeCount : Pos 13, 1 Bit
+0x078 TerminationApcRequest : Pos 14, 1 Bit
+0x078 AutoBoostEntriesExhausted : Pos 15, 1 Bit
+0x078 KernelStackResident : Pos 16, 1 Bit
+0x078 ThreadFlagsSpare : Pos 17, 7 Bits
+0x078 EtwStackTraceApcInserted : Pos 24, 8 Bits
+0x078 ThreadFlags : Int4B
+0x07c Tag : UChar
+0x07d SystemHeteroCpuPolicy : UChar
+0x07e UserHeteroCpuPolicy : Pos 0, 7 Bits
+0x07e ExplicitSystemHeteroCpuPolicy : Pos 7, 1 Bit
+0x07f Spare0 : [1] UChar
+0x080 SystemCallNumber : Uint4B
+0x084 Spare10 : Uint4B
+0x088 FirstArgument : Ptr64 Void
+0x090 TrapFrame : Ptr64 _KTRAP_FRAME
+0x098 ApcState : _KAPC_STATE
+0x098 ApcStateFill : [43] UChar
+0x0c3 Priority : Char
+0x0c4 UserIdealProcessor : Uint4B
+0x0c8 WaitStatus : Int8B
+0x0d0 WaitBlockList : Ptr64 _KWAIT_BLOCK
+0x0d8 WaitListEntry : _LIST_ENTRY
+0x0d8 SwapListEntry : _SINGLE_LIST_ENTRY
+0x0e8 Queue : Ptr64 _DISPATCHER_HEADER
+0x0f0 Teb : Ptr64 Void
+0x0f8 RelativeTimerBias : Uint8B
+0x100 Timer : _KTIMER
+0x140 WaitBlock : [4] _KWAIT_BLOCK
+0x140 WaitBlockFill4 : [20] UChar
+0x154 ContextSwitches : Uint4B
+0x140 WaitBlockFill5 : [68] UChar
+0x184 State : UChar
+0x185 NpxState : Char
+0x186 WaitIrql : UChar
+0x187 WaitMode : Char
+0x140 WaitBlockFill6 : [116] UChar
+0x1b4 WaitTime : Uint4B
+0x140 WaitBlockFill7 : [164] UChar
+0x1e4 KernelApcDisable : Int2B
+0x1e6 SpecialApcDisable : Int2B
+0x1e4 CombinedApcDisable : Uint4B
+0x140 WaitBlockFill8 : [40] UChar
+0x168 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+0x140 WaitBlockFill9 : [88] UChar
+0x198 XStateSave : Ptr64 _XSTATE_SAVE
+0x140 WaitBlockFill10 : [136] UChar
+0x1c8 Win32Thread : Ptr64 Void
+0x140 WaitBlockFill11 : [176] UChar
+0x1f0 Ucb : Ptr64 _UMS_CONTROL_BLOCK
+0x1f8 Uch : Ptr64 _KUMS_CONTEXT_HEADER
+0x200 TebMappedLowVa : Ptr64 Void
+0x208 QueueListEntry : _LIST_ENTRY
+0x218 NextProcessor : Uint4B
+0x218 NextProcessorNumber : Pos 0, 31 Bits
+0x218 SharedReadyQueue : Pos 31, 1 Bit
+0x21c QueuePriority : Int4B
+0x220 Process : Ptr64 _KPROCESS
+0x228 UserAffinity : _GROUP_AFFINITY
+0x228 UserAffinityFill : [10] UChar
+0x232 PreviousMode : Char
+0x233 BasePriority : Char
+0x234 PriorityDecrement : Char
+0x234 ForegroundBoost : Pos 0, 4 Bits
+0x234 UnusualBoost : Pos 4, 4 Bits
+0x235 Preempted : UChar
+0x236 AdjustReason : UChar
+0x237 AdjustIncrement : Char
+0x238 Affinity : _GROUP_AFFINITY
+0x238 AffinityFill : [10] UChar
+0x242 ApcStateIndex : UChar
+0x243 WaitBlockCount : UChar
+0x244 IdealProcessor : Uint4B
+0x248 ApcStatePointer : [2] Ptr64 _KAPC_STATE
+0x258 SavedApcState : _KAPC_STATE
+0x258 SavedApcStateFill : [43] UChar
+0x283 WaitReason : UChar
+0x284 SuspendCount : Char
+0x285 Saturation : Char
+0x286 SListFaultCount : Uint2B
+0x288 SchedulerApc : _KAPC
+0x288 SchedulerApcFill0 : [1] UChar
+0x289 ResourceIndex : UChar
+0x288 SchedulerApcFill1 : [3] UChar
+0x28b QuantumReset : UChar
+0x288 SchedulerApcFill2 : [4] UChar
+0x28c KernelTime : Uint4B
+0x288 SchedulerApcFill3 : [64] UChar
+0x2c8 WaitPrcb : Ptr64 _KPRCB
+0x288 SchedulerApcFill4 : [72] UChar
+0x2d0 LegoData : Ptr64 Void
+0x288 SchedulerApcFill5 : [83] UChar
+0x2db CallbackNestingLevel : UChar
+0x2dc UserTime : Uint4B
+0x2e0 SuspendEvent : _KEVENT
+0x2f8 ThreadListEntry : _LIST_ENTRY
+0x308 MutantListHead : _LIST_ENTRY
+0x318 AbEntrySummary : UChar
+0x319 AbWaitEntryCount : UChar
+0x31a Spare20 : Uint2B
+0x31c SecureThreadCookie : Uint4B
+0x320 LockEntries : [6] _KLOCK_ENTRY
+0x560 PropagateBoostsEntry : _SINGLE_LIST_ENTRY
+0x568 IoSelfBoostsEntry : _SINGLE_LIST_ENTRY
+0x570 PriorityFloorCounts : [16] UChar
+0x580 PriorityFloorSummary : Uint4B
+0x584 AbCompletedIoBoostCount : Int4B
+0x588 AbReferenceCount : Int2B
+0x58a AbOrphanedEntrySummary : UChar
+0x58b AbOwnedEntryCount : UChar
+0x58c ForegroundLossTime : Uint4B
+0x590 GlobalForegroundListEntry : _LIST_ENTRY
+0x590 ForegroundDpcStackListEntry : _SINGLE_LIST_ENTRY
+0x598 InGlobalForegroundList : Uint8B
+0x5a0 ReadOperationCount : Int8B
+0x5a8 WriteOperationCount : Int8B
+0x5b0 OtherOperationCount : Int8B
+0x5b8 ReadTransferCount : Int8B
+0x5c0 WriteTransferCount : Int8B
+0x5c8 OtherTransferCount : Int8B
kd> dt _ETHREAD
ntdll!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x5d0 CreateTime : _LARGE_INTEGER
+0x5d8 ExitTime : _LARGE_INTEGER
+0x5d8 KeyedWaitChain : _LIST_ENTRY
+0x5e8 ChargeOnlySession : Ptr64 Void
+0x5f0 PostBlockList : _LIST_ENTRY
+0x5f0 ForwardLinkShadow : Ptr64 Void
+0x5f8 StartAddress : Ptr64 Void
+0x600 TerminationPort : Ptr64 _TERMINATION_PORT
+0x600 ReaperLink : Ptr64 _ETHREAD
+0x600 KeyedWaitValue : Ptr64 Void
+0x608 ActiveTimerListLock : Uint8B
+0x610 ActiveTimerListHead : _LIST_ENTRY
+0x620 Cid : _CLIENT_ID
+0x630 KeyedWaitSemaphore : _KSEMAPHORE
+0x630 AlpcWaitSemaphore : _KSEMAPHORE
+0x650 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x658 IrpList : _LIST_ENTRY
+0x668 TopLevelIrp : Uint8B
+0x670 DeviceToVerify : Ptr64 _DEVICE_OBJECT
+0x678 Win32StartAddress : Ptr64 Void
+0x680 LegacyPowerObject : Ptr64 Void
+0x688 ThreadListEntry : _LIST_ENTRY
+0x698 RundownProtect : _EX_RUNDOWN_REF
+0x6a0 ThreadLock : _EX_PUSH_LOCK
+0x6a8 ReadClusterSize : Uint4B
+0x6ac MmLockOrdering : Int4B
+0x6b0 CmLockOrdering : Int4B
+0x6b4 CrossThreadFlags : Uint4B
+0x6b4 Terminated : Pos 0, 1 Bit
+0x6b4 ThreadInserted : Pos 1, 1 Bit
+0x6b4 HideFromDebugger : Pos 2, 1 Bit
+0x6b4 ActiveImpersonationInfo : Pos 3, 1 Bit
+0x6b4 HardErrorsAreDisabled : Pos 4, 1 Bit
+0x6b4 BreakOnTermination : Pos 5, 1 Bit
+0x6b4 SkipCreationMsg : Pos 6, 1 Bit
+0x6b4 SkipTerminationMsg : Pos 7, 1 Bit
+0x6b4 CopyTokenOnOpen : Pos 8, 1 Bit
+0x6b4 ThreadIoPriority : Pos 9, 3 Bits
+0x6b4 ThreadPagePriority : Pos 12, 3 Bits
+0x6b4 RundownFail : Pos 15, 1 Bit
+0x6b4 UmsForceQueueTermination : Pos 16, 1 Bit
+0x6b4 ReservedCrossThreadFlags : Pos 17, 15 Bits
+0x6b8 SameThreadPassiveFlags : Uint4B
+0x6b8 ActiveExWorker : Pos 0, 1 Bit
+0x6b8 MemoryMaker : Pos 1, 1 Bit
+0x6b8 ClonedThread : Pos 2, 1 Bit
+0x6b8 KeyedEventInUse : Pos 3, 1 Bit
+0x6b8 SelfTerminate : Pos 4, 1 Bit
+0x6bc SameThreadApcFlags : Uint4B
+0x6bc OwnsProcessAddressSpaceExclusive : Pos 0, 1 Bit
+0x6bc OwnsProcessAddressSpaceShared : Pos 1, 1 Bit
+0x6bc HardFaultBehavior : Pos 2, 1 Bit
+0x6bc StartAddressInvalid : Pos 3, 1 Bit
+0x6bc EtwCalloutActive : Pos 4, 1 Bit
+0x6bc SuppressSymbolLoad : Pos 5, 1 Bit
+0x6bc Prefetching : Pos 6, 1 Bit
+0x6bc OwnsVadExclusive : Pos 7, 1 Bit
+0x6bd SystemPagePriorityActive : Pos 0, 1 Bit
+0x6bd SystemPagePriority : Pos 1, 3 Bits
+0x6c0 CacheManagerActive : UChar
+0x6c1 DisablePageFaultClustering : UChar
+0x6c2 ActiveFaultCount : UChar
+0x6c3 LockOrderState : UChar
+0x6c8 AlpcMessageId : Uint8B
+0x6d0 AlpcMessage : Ptr64 Void
+0x6d0 AlpcReceiveAttributeSet : Uint4B
+0x6d8 ExitStatus : Int4B
+0x6e0 AlpcWaitListEntry : _LIST_ENTRY
+0x6f0 CacheManagerCount : Uint4B
+0x6f4 IoBoostCount : Uint4B
+0x6f8 BoostList : _LIST_ENTRY
+0x708 DeboostList : _LIST_ENTRY
+0x718 BoostListLock : Uint8B
+0x720 IrpListLock : Uint8B
+0x728 ReservedForSynchTracking : Ptr64 Void
+0x730 CmCallbackListHead : _SINGLE_LIST_ENTRY
+0x738 ActivityId : Ptr64 _GUID
+0x740 SeLearningModeListHead : _SINGLE_LIST_ENTRY
+0x748 VerifierContext : Ptr64 Void
+0x750 KernelStackReference : Uint4B
+0x758 AdjustedClientToken : Ptr64 Void
+0x760 WorkingOnBehalfClient : Ptr64 _ETHREAD
+0x768 UserFsBase : Uint4B
+0x770 UserGsBase : Uint8B
+0x778 PicoContext : Ptr64 Void
+0x780 EnergyValues : Ptr64 _PROCESS_ENERGY_VALUES
kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x2d0 ProcessLock : _EX_PUSH_LOCK
+0x2d8 RundownProtect : _EX_RUNDOWN_REF
+0x2e0 UniqueProcessId : Ptr64 Void
+0x2e8 ActiveProcessLinks : _LIST_ENTRY
+0x2f8 Flags2 : Uint4B
+0x2f8 JobNotReallyActive : Pos 0, 1 Bit
+0x2f8 AccountingFolded : Pos 1, 1 Bit
+0x2f8 NewProcessReported : Pos 2, 1 Bit
+0x2f8 ExitProcessReported : Pos 3, 1 Bit
+0x2f8 ReportCommitChanges : Pos 4, 1 Bit
+0x2f8 LastReportMemory : Pos 5, 1 Bit
+0x2f8 ForceWakeCharge : Pos 6, 1 Bit
+0x2f8 CrossSessionCreate : Pos 7, 1 Bit
+0x2f8 NeedsHandleRundown : Pos 8, 1 Bit
+0x2f8 RefTraceEnabled : Pos 9, 1 Bit
+0x2f8 DisableDynamicCode : Pos 10, 1 Bit
+0x2f8 EmptyJobEvaluated : Pos 11, 1 Bit
+0x2f8 DefaultPagePriority : Pos 12, 3 Bits
+0x2f8 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x2f8 ProcessVerifierTarget : Pos 16, 1 Bit
+0x2f8 StackRandomizationDisabled : Pos 17, 1 Bit
+0x2f8 AffinityPermanent : Pos 18, 1 Bit
+0x2f8 AffinityUpdateEnable : Pos 19, 1 Bit
+0x2f8 PropagateNode : Pos 20, 1 Bit
+0x2f8 ExplicitAffinity : Pos 21, 1 Bit
+0x2f8 ProcessExecutionState : Pos 22, 2 Bits
+0x2f8 DisallowStrippedImages : Pos 24, 1 Bit
+0x2f8 HighEntropyASLREnabled : Pos 25, 1 Bit
+0x2f8 ExtensionPointDisable : Pos 26, 1 Bit
+0x2f8 ForceRelocateImages : Pos 27, 1 Bit
+0x2f8 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x2f8 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x2f8 DisallowWin32kSystemCalls : Pos 31, 1 Bit
+0x2fc Flags : Uint4B
+0x2fc CreateReported : Pos 0, 1 Bit
+0x2fc NoDebugInherit : Pos 1, 1 Bit
+0x2fc ProcessExiting : Pos 2, 1 Bit
+0x2fc ProcessDelete : Pos 3, 1 Bit
+0x2fc ControlFlowGuardEnabled : Pos 4, 1 Bit
+0x2fc VmDeleted : Pos 5, 1 Bit
+0x2fc OutswapEnabled : Pos 6, 1 Bit
+0x2fc Outswapped : Pos 7, 1 Bit
+0x2fc Spare1 : Pos 8, 1 Bit
+0x2fc Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x2fc AddressSpaceInitialized : Pos 10, 2 Bits
+0x2fc SetTimerResolution : Pos 12, 1 Bit
+0x2fc BreakOnTermination : Pos 13, 1 Bit
+0x2fc DeprioritizeViews : Pos 14, 1 Bit
+0x2fc WriteWatch : Pos 15, 1 Bit
+0x2fc ProcessInSession : Pos 16, 1 Bit
+0x2fc OverrideAddressSpace : Pos 17, 1 Bit
+0x2fc HasAddressSpace : Pos 18, 1 Bit
+0x2fc LaunchPrefetched : Pos 19, 1 Bit
+0x2fc Background : Pos 20, 1 Bit
+0x2fc VmTopDown : Pos 21, 1 Bit
+0x2fc ImageNotifyDone : Pos 22, 1 Bit
+0x2fc PdeUpdateNeeded : Pos 23, 1 Bit
+0x2fc VdmAllowed : Pos 24, 1 Bit
+0x2fc ProcessRundown : Pos 25, 1 Bit
+0x2fc ProcessInserted : Pos 26, 1 Bit
+0x2fc DefaultIoPriority : Pos 27, 3 Bits
+0x2fc ProcessSelfDelete : Pos 30, 1 Bit
+0x2fc SetTimerResolutionLink : Pos 31, 1 Bit
+0x300 CreateTime : _LARGE_INTEGER
+0x308 ProcessQuotaUsage : [2] Uint8B
+0x318 ProcessQuotaPeak : [2] Uint8B
+0x328 PeakVirtualSize : Uint8B
+0x330 VirtualSize : Uint8B
+0x338 SessionProcessLinks : _LIST_ENTRY
+0x348 ExceptionPortData : Ptr64 Void
+0x348 ExceptionPortValue : Uint8B
+0x348 ExceptionPortState : Pos 0, 3 Bits
+0x350 Token : _EX_FAST_REF
+0x358 WorkingSetPage : Uint8B
+0x360 AddressCreationLock : _EX_PUSH_LOCK
+0x368 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x370 RotateInProgress : Ptr64 _ETHREAD
+0x378 ForkInProgress : Ptr64 _ETHREAD
+0x380 CommitChargeJob : Ptr64 _EJOB
+0x388 CloneRoot : _RTL_AVL_TREE
+0x390 NumberOfPrivatePages : Uint8B
+0x398 NumberOfLockedPages : Uint8B
+0x3a0 Win32Process : Ptr64 Void
+0x3a8 Job : Ptr64 _EJOB
+0x3b0 SectionObject : Ptr64 Void
+0x3b8 SectionBaseAddress : Ptr64 Void
+0x3c0 Cookie : Uint4B
+0x3c8 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x3d0 Win32WindowStation : Ptr64 Void
+0x3d8 InheritedFromUniqueProcessId : Ptr64 Void
+0x3e0 LdtInformation : Ptr64 Void
+0x3e8 OwnerProcessId : Uint8B
+0x3f0 Peb : Ptr64 _PEB
+0x3f8 Session : Ptr64 Void
+0x400 AweInfo : Ptr64 Void
+0x408 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x410 ObjectTable : Ptr64 _HANDLE_TABLE
+0x418 DebugPort : Ptr64 Void
+0x420 Wow64Process : Ptr64 Void
+0x428 DeviceMap : Ptr64 Void
+0x430 EtwDataSource : Ptr64 Void
+0x438 PageDirectoryPte : Uint8B
+0x440 ImageFileName : [15] UChar
+0x44f PriorityClass : UChar
+0x450 SecurityPort : Ptr64 Void
+0x458 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x460 JobLinks : _LIST_ENTRY
+0x470 HighestUserAddress : Ptr64 Void
+0x478 ThreadListHead : _LIST_ENTRY
+0x488 ActiveThreads : Uint4B
+0x48c ImagePathHash : Uint4B
+0x490 DefaultHardErrorProcessing : Uint4B
+0x494 LastThreadExitStatus : Int4B
+0x498 PrefetchTrace : _EX_FAST_REF
+0x4a0 LockedPagesList : Ptr64 Void
+0x4a8 ReadOperationCount : _LARGE_INTEGER
+0x4b0 WriteOperationCount : _LARGE_INTEGER
+0x4b8 OtherOperationCount : _LARGE_INTEGER
+0x4c0 ReadTransferCount : _LARGE_INTEGER
+0x4c8 WriteTransferCount : _LARGE_INTEGER
+0x4d0 OtherTransferCount : _LARGE_INTEGER
+0x4d8 CommitChargeLimit : Uint8B
+0x4e0 CommitCharge : Uint8B
+0x4e8 CommitChargePeak : Uint8B
+0x4f0 Vm : _MMSUPPORT
+0x5d8 MmProcessLinks : _LIST_ENTRY
+0x5e8 ModifiedPageCount : Uint4B
+0x5ec ExitStatus : Int4B
+0x5f0 VadRoot : _RTL_AVL_TREE
+0x5f8 VadHint : Ptr64 Void
+0x600 VadCount : Uint8B
+0x608 VadPhysicalPages : Uint8B
+0x610 VadPhysicalPagesLimit : Uint8B
+0x618 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x638 TimerResolutionLink : _LIST_ENTRY
+0x648 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
+0x650 RequestedTimerResolution : Uint4B
+0x654 SmallestTimerResolution : Uint4B
+0x658 ExitTime : _LARGE_INTEGER
+0x660 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
+0x668 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x670 ActiveThreadsHighWatermark : Uint4B
+0x674 LargePrivateVadCount : Uint4B
+0x678 ThreadListLock : _EX_PUSH_LOCK
+0x680 WnfContext : Ptr64 Void
+0x688 Spare0 : Uint8B
+0x690 SignatureLevel : UChar
+0x691 SectionSignatureLevel : UChar
+0x692 Protection : _PS_PROTECTION
+0x693 SpareByte20 : [1] UChar
+0x694 Flags3 : Uint4B
+0x694 Minimal : Pos 0, 1 Bit
+0x694 ReplacingPageRoot : Pos 1, 1 Bit
+0x698 SvmReserved : Int4B
+0x6a0 SvmReserved1 : Ptr64 Void
+0x6a8 SvmReserved2 : Uint8B
+0x6b0 LastFreezeInterruptTime : Uint8B
+0x6b8 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS
+0x6c0 PicoContext : Ptr64 Void
+0x6c8 SecretIdentity : Uint8B
+0x6d0 SecurePid : Uint8B
+0x6d8 ContextBuffer : Ptr64 Void
+0x6e0 KeepAliveCounter : Uint4B
+0x6e4 NoWakeKeepAliveCounter : Uint4B
+0x6e8 HighPriorityFaultsAllowed : Uint4B
+0x6f0 EnergyValues : Ptr64 _PROCESS_ENERGY_VALUES
+0x6f8 VmContext : Ptr64 Void
kd> dt _ETHREAD
ntdll!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x5d0 CreateTime : _LARGE_INTEGER
+0x5d8 ExitTime : _LARGE_INTEGER
+0x5d8 KeyedWaitChain : _LIST_ENTRY
+0x5e8 ChargeOnlySession : Ptr64 Void
+0x5f0 PostBlockList : _LIST_ENTRY
+0x5f0 ForwardLinkShadow : Ptr64 Void
+0x5f8 StartAddress : Ptr64 Void
+0x600 TerminationPort : Ptr64 _TERMINATION_PORT
+0x600 ReaperLink : Ptr64 _ETHREAD
+0x600 KeyedWaitValue : Ptr64 Void
+0x608 ActiveTimerListLock : Uint8B
+0x610 ActiveTimerListHead : _LIST_ENTRY
+0x620 Cid : _CLIENT_ID
+0x630 KeyedWaitSemaphore : _KSEMAPHORE
+0x630 AlpcWaitSemaphore : _KSEMAPHORE
+0x650 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x658 IrpList : _LIST_ENTRY
+0x668 TopLevelIrp : Uint8B
+0x670 DeviceToVerify : Ptr64 _DEVICE_OBJECT
+0x678 Win32StartAddress : Ptr64 Void
+0x680 LegacyPowerObject : Ptr64 Void
+0x688 ThreadListEntry : _LIST_ENTRY
+0x698 RundownProtect : _EX_RUNDOWN_REF
+0x6a0 ThreadLock : _EX_PUSH_LOCK
+0x6a8 ReadClusterSize : Uint4B
+0x6ac MmLockOrdering : Int4B
+0x6b0 CmLockOrdering : Int4B
+0x6b4 CrossThreadFlags : Uint4B
+0x6b4 Terminated : Pos 0, 1 Bit
+0x6b4 ThreadInserted : Pos 1, 1 Bit
+0x6b4 HideFromDebugger : Pos 2, 1 Bit
+0x6b4 ActiveImpersonationInfo : Pos 3, 1 Bit
+0x6b4 HardErrorsAreDisabled : Pos 4, 1 Bit
+0x6b4 BreakOnTermination : Pos 5, 1 Bit
+0x6b4 SkipCreationMsg : Pos 6, 1 Bit
+0x6b4 SkipTerminationMsg : Pos 7, 1 Bit
+0x6b4 CopyTokenOnOpen : Pos 8, 1 Bit
+0x6b4 ThreadIoPriority : Pos 9, 3 Bits
+0x6b4 ThreadPagePriority : Pos 12, 3 Bits
+0x6b4 RundownFail : Pos 15, 1 Bit
+0x6b4 UmsForceQueueTermination : Pos 16, 1 Bit
+0x6b4 ReservedCrossThreadFlags : Pos 17, 15 Bits
+0x6b8 SameThreadPassiveFlags : Uint4B
+0x6b8 ActiveExWorker : Pos 0, 1 Bit
+0x6b8 MemoryMaker : Pos 1, 1 Bit
+0x6b8 ClonedThread : Pos 2, 1 Bit
+0x6b8 KeyedEventInUse : Pos 3, 1 Bit
+0x6b8 SelfTerminate : Pos 4, 1 Bit
+0x6bc SameThreadApcFlags : Uint4B
+0x6bc OwnsProcessAddressSpaceExclusive : Pos 0, 1 Bit
+0x6bc OwnsProcessAddressSpaceShared : Pos 1, 1 Bit
+0x6bc HardFaultBehavior : Pos 2, 1 Bit
+0x6bc StartAddressInvalid : Pos 3, 1 Bit
+0x6bc EtwCalloutActive : Pos 4, 1 Bit
+0x6bc SuppressSymbolLoad : Pos 5, 1 Bit
+0x6bc Prefetching : Pos 6, 1 Bit
+0x6bc OwnsVadExclusive : Pos 7, 1 Bit
+0x6bd SystemPagePriorityActive : Pos 0, 1 Bit
+0x6bd SystemPagePriority : Pos 1, 3 Bits
+0x6c0 CacheManagerActive : UChar
+0x6c1 DisablePageFaultClustering : UChar
+0x6c2 ActiveFaultCount : UChar
+0x6c3 LockOrderState : UChar
+0x6c8 AlpcMessageId : Uint8B
+0x6d0 AlpcMessage : Ptr64 Void
+0x6d0 AlpcReceiveAttributeSet : Uint4B
+0x6d8 ExitStatus : Int4B
+0x6e0 AlpcWaitListEntry : _LIST_ENTRY
+0x6f0 CacheManagerCount : Uint4B
+0x6f4 IoBoostCount : Uint4B
+0x6f8 BoostList : _LIST_ENTRY
+0x708 DeboostList : _LIST_ENTRY
+0x718 BoostListLock : Uint8B
+0x720 IrpListLock : Uint8B
+0x728 ReservedForSynchTracking : Ptr64 Void
+0x730 CmCallbackListHead : _SINGLE_LIST_ENTRY
+0x738 ActivityId : Ptr64 _GUID
+0x740 SeLearningModeListHead : _SINGLE_LIST_ENTRY
+0x748 VerifierContext : Ptr64 Void
+0x750 KernelStackReference : Uint4B
+0x758 AdjustedClientToken : Ptr64 Void
+0x760 WorkingOnBehalfClient : Ptr64 _ETHREAD
+0x768 UserFsBase : Uint4B
+0x770 UserGsBase : Uint8B
+0x778 PicoContext : Ptr64 Void
+0x780 EnergyValues : Ptr64 _PROCESS_ENERGY_VALUES
kd>

ntddk commented Oct 2, 2014
