
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Frozen Process

Looks like Windows 8 reuses the debugging concept of a frozen thread for the so-called “deeply frozen” process:

0: kd> !sprocess 2
Dumping Session 2
[...]
PROCESS fffffa8002cb2940
SessionId: 2 Cid: 0c80 Peb: 7f6c41dd000 ParentCid: 0288
DeepFreeze
DirBase: 2ef45000 ObjectTable: fffff8a002f215c0 HandleCount: <Data Not Accessible>
Image: iexplore.exe
[...]
0: kd> dt nt!_KPROCESS fffffa8002cb2940
   +0x000 Header             : _DISPATCHER_HEADER
   +0x018 ProfileListHead    : _LIST_ENTRY [ 0xfffffa80`02cb2958 - 0xfffffa80`02cb2958 ]
   +0x028 DirectoryTableBase : 0x2ef45000
   +0x030 ThreadListHead     : _LIST_ENTRY [ 0xfffffa80`01e4edf8 - 0xfffffa80`01f5bbf8 ]
   +0x040 ProcessLock        : 0
   +0x044 Spare0             : 0
   +0x048 Affinity           : _KAFFINITY_EX
   +0x0f0 ReadyListHead      ...
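
When triaging a dump with many processes, it helps to pull out the ones the listing marks as DeepFreeze rather than reading every block by hand. The following Python parser is an added example, not code from the book or from the Debugging Tools: it walks !sprocess-style output block by block and reports the deep-frozen processes. The sample listing is constructed to match the format shown above (the iexplore.exe block mirrors the page, including its HandleCount value wrapped onto a second line); the second process block and its addresses are invented placeholders, and the assumption that a state flag such as DeepFreeze always appears as a bare word on its own line is taken from the single listing on the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the !sprocess listing shown on the page.
# The first block mirrors the page's iexplore.exe entry (including the
# HandleCount value wrapped onto a second line, as in the extracted text);
# the second block is invented for contrast and its addresses are
# placeholders, not values from a real dump.
SAMPLE_SPROCESS_OUTPUT = """\
Dumping Session 2
[...]
PROCESS fffffa8002cb2940
    SessionId: 2  Cid: 0c80    Peb: 7f6c41dd000  ParentCid: 0288
    DeepFreeze
    DirBase: 2ef45000  ObjectTable: fffff8a002f215c0  HandleCount: <Data Not
Accessible>
    Image: iexplore.exe
[...]
PROCESS fffffa8000000001
    SessionId: 2  Cid: 0a10    Peb: 7f6c5e11000  ParentCid: 0288
    DirBase: 3a011000  ObjectTable: fffff8a003001a80  HandleCount: 412
    Image: explorer.exe
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F`]+)")
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")
# Assumption: a bare word on its own line inside a process block (no
# "Name: value" pairs) is a state flag, which is how "DeepFreeze" appears.
FLAG_RE = re.compile(r"^[A-Za-z]+$")


@dataclass
class ProcessRecord:
    address: str
    cid: str = ""
    parent_cid: str = ""
    image: str = ""
    flags: List[str] = field(default_factory=list)

    @property
    def deep_frozen(self) -> bool:
        return "DeepFreeze" in self.flags


def parse_sprocess(text: str) -> List[ProcessRecord]:
    """Split !sprocess/!process style output into one record per PROCESS block."""
    records: List[ProcessRecord] = []
    current: Optional[ProcessRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            current = ProcessRecord(address=m.group(1))
            records.append(current)
            continue
        if current is None or not line or line == "[...]":
            continue
        if line.startswith("Image:"):
            current.image = line.split(":", 1)[1].strip()
        elif FLAG_RE.match(line):
            current.flags.append(line)
        else:
            # Everything else is "Name: value" pairs; wrapped continuation
            # lines such as "Accessible>" match neither pattern and are skipped.
            for key, value in FIELD_RE.findall(line):
                if key == "Cid":
                    current.cid = value
                elif key == "ParentCid":
                    current.parent_cid = value
    return records


def frozen_processes(text: str) -> List[Tuple[str, str, str]]:
    """Return (address, cid, image) for every process listed as DeepFreeze."""
    return [(r.address, r.cid, r.image) for r in parse_sprocess(text) if r.deep_frozen]


if __name__ == "__main__":
    for address, cid, image in frozen_processes(SAMPLE_SPROCESS_OUTPUT):
        print(f"deep-frozen: PROCESS {address} Cid {cid} {image}")
```

Feed it the text of a !sprocess or !process 0 0 listing saved from the debugger; each PROCESS address it reports can then be handed to dt nt!_KPROCESS as on the page to look at the dispatcher header and thread list of that one process.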
