Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

One-Thread Process

Processes with only one thread, such as Notepad, are rare. A single-threaded process is always suspicious, especially if it is a service or belongs to a complex product. Usually this happens when all other threads have terminated and the remaining thread is blocked in some wait chain. For example, this process has a thread that is blocked (Volume 6, page 34) in an ALPC request to itself (the same process):

0: kd> !process fffffa8013ed9b30 3f
PROCESS fffffa8013ed9b30
    SessionId: 0  Cid: 44b4    Peb: 7fffffd8000  ParentCid: 0114
    DirBase: 2da448000  ObjectTable: fffff8a01948c670  HandleCount: 660.
    Image: ServiceA.exe
    VadRoot fffffa801356dd10 Vads 398 Clone 0 Private 5795. Modified 204253. Locked 0.
    DeviceMap fffff8a000008340
    Token                             fffff8a01b546060
    ElapsedTime ...
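The pattern above is easy to miss when a dump contains hundreds of processes, so it helps to automate the first step: count the THREAD entries under each PROCESS block of `!process 0 3f`-style output and report every process that has exactly one, together with what that lone thread is waiting on. The script below is an added example and is not code from the book. The PROCESS header for ServiceA.exe is abbreviated from the page; every THREAD line and the second process (ServiceB.exe) are constructed to show the layout of the output and are not taken from the book. The regular expressions assume the standard `!process` text layout (a `PROCESS <addr>` line, an indented `Image:` field, and indented `THREAD <addr> Cid <pid>.<tid> ... WAIT: (<reason>)` lines).

```python
import re

# Constructed sample of `!process 0 3f` output. The first PROCESS header is
# abbreviated from the page; the THREAD lines and the second process are made up
# to illustrate the format and are not from the book.
SAMPLE_OUTPUT = """\
PROCESS fffffa8013ed9b30
    SessionId: 0  Cid: 44b4    Peb: 7fffffd8000  ParentCid: 0114
    DirBase: 2da448000  ObjectTable: fffff8a01948c670  HandleCount: 660.
    Image: ServiceA.exe
        THREAD fffffa8013f1a060  Cid 44b4.44b8  Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa8013f1a3e8  SynchronizationEvent

PROCESS fffffa8012345b30
    SessionId: 0  Cid: 0abc    Peb: 7fffffd5000  ParentCid: 0114
    DirBase: 1aa448000  ObjectTable: fffff8a011111670  HandleCount: 120.
    Image: ServiceB.exe
        THREAD fffffa8012340060  Cid 0abc.0ac0  Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
        THREAD fffffa8012341060  Cid 0abc.0ac4  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) KernelMode Alertable
"""

# A process block starts at column 0 with "PROCESS <address>".
PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F`]+)")
# The image name appears on an indented "Image:" field inside the block.
IMAGE_RE = re.compile(r"Image:\s+(\S+)")
# Thread entries are indented and carry the owning Cid as <pid>.<tid>.
THREAD_RE = re.compile(
    r"^\s*THREAD\s+([0-9a-fA-F`]+)\s+Cid\s+([0-9a-fA-F]+)\.([0-9a-fA-F]+)(.*)$"
)
# The wait reason is printed in parentheses after "WAIT:".
WAIT_RE = re.compile(r"WAIT:\s+\(([A-Za-z]+)\)")


def parse_process_dump(text):
    """Split `!process` output into a list of process dicts with their threads."""
    processes = []
    current = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = {"address": m.group(1), "image": None, "threads": []}
            processes.append(current)
            continue
        if current is None:
            continue  # text before the first PROCESS block (e.g. the kd> prompt)
        m = IMAGE_RE.search(line)
        if m and current["image"] is None:
            current["image"] = m.group(1)
            continue
        m = THREAD_RE.match(line)
        if m:
            wait = WAIT_RE.search(m.group(4))
            current["threads"].append({
                "address": m.group(1),
                "tid": m.group(3),
                "wait_reason": wait.group(1) if wait else None,
            })
    return processes


def find_one_thread_processes(processes):
    """Return only the processes whose block lists exactly one thread."""
    return [p for p in processes if len(p["threads"]) == 1]


def describe(process):
    """One-line summary of a flagged process and what its lone thread waits on."""
    t = process["threads"][0]
    return (f"{process['image']} (PROCESS {process['address']}): single thread "
            f"{t['tid']} at {t['address']} waiting on {t['wait_reason']}")


if __name__ == "__main__":
    for p in find_one_thread_processes(parse_process_dump(SAMPLE_OUTPUT)):
        print(describe(p))
```

Each flagged process is a starting point, not a verdict: the next step in the book's method is to inspect the remaining thread's wait chain (here, the ALPC request back to the same process) to see why the other threads are gone.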
