
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov


Incomplete Session

Incomplete Session is a useful pattern for the analysis of memory dumps from terminal services environments. Normally, a session's processes include csrss.exe, winlogon.exe, wfshell.exe (in the case of some Citrix products), explorer.exe, and a few user-defined processes such as winword.exe, for example:

0: kd> !session
Sessions on machine: 6
Valid Sessions: 0 1 3 5 6 8
0: kd> !sprocess 6
Dumping Session 6
_MM_SESSION_SPACE fffffa6009447000
_MMSESSION fffffa6009447b40
PROCESS fffffa800fcee630
SessionId: 6 Cid: 1974 Peb: 7fffffd5000 ParentCid: 147c
DirBase: 158baf000 ObjectTable: fffff8801ef13b00 HandleCount: 532.
Image: csrss.exe
PROCESS fffffa800fc77040
SessionId: 6 Cid: 1ae4 Peb: 7fffffde000 ParentCid: 147c
DirBase: 15d2b4000 ObjectTable: ...
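As an added example (not from the book), a small Python helper that parses pasted `!sprocess` output and reports sessions lacking the baseline csrss.exe / winlogon.exe / explorer.exe set described above; the sample listing embedded in it is constructed to mimic the WinDbg format, and the session 8 addresses are made up.

```python
import re
from typing import Dict, List

# Baseline processes expected in every terminal services session, per the text.
# wfshell.exe is Citrix-specific, so it is not part of the required set.
EXPECTED_SESSION_IMAGES = {"csrss.exe", "winlogon.exe", "explorer.exe"}

_SESSION_RE = re.compile(r"^Dumping Session (\d+)")
_IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")


def parse_sprocess(text: str) -> Dict[int, List[str]]:
    """Map each session id in pasted '!sprocess' output to its image names.

    Several consecutive '!sprocess <n>' dumps in one capture are supported;
    'Image:' lines are attributed to the most recent 'Dumping Session' header.
    """
    sessions: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = _SESSION_RE.match(line.strip())
        if m:
            current = int(m.group(1))
            sessions.setdefault(current, [])
            continue
        m = _IMAGE_RE.match(line)
        if m and current is not None:
            sessions[current].append(m.group(1).lower())
    return sessions


def incomplete_sessions(sessions: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Return {session_id: [missing baseline images]} for incomplete sessions."""
    result: Dict[int, List[str]] = {}
    for sid, images in sessions.items():
        missing = sorted(EXPECTED_SESSION_IMAGES - set(images))
        if missing:
            result[sid] = missing
    return result


# Constructed sample: session 6 is complete, session 8 has only csrss.exe.
SAMPLE = """0: kd> !sprocess 6
Dumping Session 6
_MM_SESSION_SPACE fffffa6009447000
PROCESS fffffa800fcee630
    SessionId: 6  Cid: 1974    Peb: 7fffffd5000  ParentCid: 147c
    Image: csrss.exe
PROCESS fffffa800fc77040
    Image: winlogon.exe
PROCESS fffffa800fc80040
    Image: explorer.exe
PROCESS fffffa800fc91040
    Image: winword.exe
0: kd> !sprocess 8
Dumping Session 8
PROCESS fffffa800fd00040
    Image: csrss.exe
"""

if __name__ == "__main__":
    print(incomplete_sessions(parse_sprocess(SAMPLE)))
```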
