
Accelerated Windows Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises with Notes, Fourth Edition by Software Diagnostics Services, Dmitry Vostokov


Section 9

Wait Chain (Executive Resources)

Reprinted from Memory Dump Analysis Anthology, Volume 2, pages 147 – 150

The most common and easily detectable example of the Wait Chain pattern (Volume 1, page 481) in kernel and complete memory dumps is when the objects are executive resources (Volume 1, page 323). In some complex cases, we can even have multiple wait chains. For example, in the output of the !locks WinDbg command below we can find at least three wait chains marked in bold, italics and bold italics:

883db310 -> 8967d020 -> 889fa230

89a74228 -> 883ad4e0 -> 88d7a3e0

88e13990 -> 899da538 -> 8805fac8

The manual procedure to figure chains is simple. Pick ...
