Hidden IRP

Sometimes we suspect that a particular thread is doing I/O, but no IRP appears in the output of the WinDbg !thread command. In that case the best approach is to examine the list of IRPs and their associated threads in the output of the !irpfind command. Here is a synthesized example from a few Virtualized (Volume 4, page 131) Young System (Volume 2, page 335) crash dumps:

0: kd> !thread fffffa8004e2d280

THREAD fffffa8004e2d280 Cid 0004.0020 Teb: 0000000000000000
Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
fffff880009ec440 NotificationEvent
Not impersonating
[...]

0: kd> !irpfind

Irp [ Thread ] irpStack: (Mj,Mn) DevObj [Driver] MDL Process
[...]
fffffa800424e4e0 [fffffa8004e2d280] irpStack: (3, 0) fffffa8004ed6d40 [ \Driver\DriverA]
[...]

Now we can inspect the found IRP (!irp command) and its device object (for example, using the !devobj and !devstack commands). Sometimes we also see the same IRP address as Execution Residue (Volume 2, page 239) among the “Args to Child” values in the output of the !thread command, or of kv if the thread is current.
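When !irpfind output is long, it helps to script the cross-check described above. The following Python is an added example, not from the book: it parses !irpfind lines into IRP records, selects those whose [ Thread ] column matches the suspected thread, names the major function code from the irpStack column (a small table taken from wdm.h), and then intersects the thread's IRP addresses with the “Args to Child” column of a !thread / kv listing to flag execution residue. Both the !irpfind text and the stack fragment are constructed samples modelled on the excerpt; all addresses, driver names and call sites in them are made up.

```python
import re

# Constructed sample of !irpfind output, modelled on the excerpt above
# (all addresses and driver names are made up; backslashes are doubled
# because this is a Python string literal).
IRPFIND_OUTPUT = """\
Irp    [ Thread ] irpStack: (Mj,Mn)   DevObj  [Driver]         MDL Process
fffffa800424e4e0 [fffffa8004e2d280] irpStack: ( 3, 0)  fffffa8004ed6d40 [ \\Driver\\DriverA]
fffffa8004a11010 [00000000] irpStack: ( 4, 0)  fffffa8004ed6d40 [ \\Driver\\DriverA]
fffffa8004b22e90 [fffffa8004e2d280] irpStack: ( e, 0)  fffffa8004f00a30 [ \\Driver\\DriverB]
"""

# Constructed fragment of a !thread / kv stack listing for the same thread
# (frame addresses and call sites are made up).
THREAD_STACK = """\
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff88003bd6a70 fffff80001c8e992 : fffffa8004e2d280 fffffa800424e4e0 0000000000000000 fffffa8004ed6d40 : nt!KiSwapContext+0x7a
fffff88003bd6bb0 fffff80001c91a9f : fffffa8004e2d280 0000000000000000 0000000000000000 0000000000000001 : nt!KiCommitThreadWait+0x1d2
"""

# A few IRP major function codes (values from wdm.h); extend as needed.
IRP_MJ_NAMES = {
    0x00: "IRP_MJ_CREATE",
    0x03: "IRP_MJ_READ",
    0x04: "IRP_MJ_WRITE",
    0x0e: "IRP_MJ_DEVICE_CONTROL",
    0x0f: "IRP_MJ_INTERNAL_DEVICE_CONTROL",
    0x12: "IRP_MJ_CLEANUP",
}

HEX16 = r"[0-9a-fA-F]{16}"
IRP_LINE = re.compile(
    rf"^(?P<irp>{HEX16})\s+\[(?P<thread>[0-9a-fA-F]+)\]\s+irpStack:\s*"
    r"\(\s*(?P<mj>[0-9a-fA-F]+),\s*(?P<mn>[0-9a-fA-F]+)\)\s+"
    rf"(?P<devobj>{HEX16})\s+\[\s*(?P<driver>[^\]]+?)\s*\]"
)


def norm(addr):
    """Normalise a WinDbg address: drop a 0x prefix and the 64-bit backtick, lowercase."""
    a = addr.strip().lower().replace("`", "")
    return a[2:] if a.startswith("0x") else a


def parse_irpfind(text):
    """One dict per IRP line of !irpfind output; the header and [...] lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = IRP_LINE.match(line.strip())
        if not m:
            continue
        mj = int(m["mj"], 16)
        entries.append({
            "irp": norm(m["irp"]),
            "thread": norm(m["thread"]),
            "major": mj,
            "major_name": IRP_MJ_NAMES.get(mj, f"IRP_MJ_{mj:#x}"),
            "minor": int(m["mn"], 16),
            "devobj": norm(m["devobj"]),
            "driver": m["driver"],
        })
    return entries


def irps_for_thread(entries, thread):
    """IRP addresses whose [ Thread ] column equals the suspected thread."""
    t = norm(thread)
    return [e["irp"] for e in entries if e["thread"] == t]


def args_to_child(text):
    """All 16-digit addresses in the 'Args to Child' column of a !thread / kv listing."""
    found = set()
    for line in text.splitlines():
        parts = line.split(" : ")
        if len(parts) < 3:          # not a frame line (e.g. the column header)
            continue
        for tok in parts[1].split():
            if re.fullmatch(HEX16, tok):
                found.add(norm(tok))
    return found


def residue_matches(entries, thread, stack_text):
    """IRPs of the thread that also show up as execution residue in its stack arguments."""
    return sorted(set(irps_for_thread(entries, thread)) & args_to_child(stack_text))


if __name__ == "__main__":
    thread = "fffffa8004e2d280"
    entries = parse_irpfind(IRPFIND_OUTPUT)
    for e in entries:
        if e["thread"] == norm(thread):
            print(f"IRP {e['irp']} {e['major_name']} devobj {e['devobj']} driver {e['driver']}")
    print("also present as residue in Args to Child:", residue_matches(entries, thread, THREAD_STACK))
```

The match on “Args to Child” is a hint, not proof: those slots hold whatever the caller's argument registers happened to contain, so an IRP address there should be confirmed with !irp before any conclusion is drawn about the thread's I/O.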
