Subject: ** Process Explorer Bugs **
Posted: 31 October 2014 at 12:06pm
Hello, everyone.
Process Explorer can cause the system to hang. The following is a re-post from my website:
- For PS/2 keyboards:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters
- For USB keyboards:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters
and set it equal to a REG_DWORD value of 0x01.
After the crash dump file was generated, I started the investigation with the !running command to see which threads were running on the system.
0: kd> !running -t

System Processors: (000000000000000f)
  Idle Processors: (0000000000000000)

     Prcbs             Current         (pri) Next            (pri) Idle
  0  fffff80236365180  ffffe0003be9e080 (15)                       fffff802363cca00  ................

 # Child-SP          RetAddr           Call Site
00 fffff802`37a1cea8 fffff801`ee7ea44f nt!KeBugCheckEx
01 fffff802`37a1ceb0 fffff801`ee7e9e03 i8042prt!I8xProcessCrashDump+0x24f
02 fffff802`37a1cef0 fffff802`3614e363 i8042prt!I8042KeyboardInterruptService+0x37b
03 fffff802`37a1cf70 fffff802`361d41e8 nt!KiCallInterruptServiceRoutine+0xa3
04 fffff802`37a1cfb0 fffff802`361d453b nt!KiInterruptSubDispatch+0x108
05 ffffd001`fb92ab00 00007ffa`c07942ad nt!KiInterruptDispatch+0xfb
06 00000000`157ee920 00007ffa`c0794e92 bcryptPrimitives!SymCryptSha1AppendBlocksAsm+0x51e
07 00000000`157ee9b0 00007ffa`c0793285 bcryptPrimitives!SymCryptSha1Append+0xb3
08 00000000`157ee9e0 00007ffa`c0471318 bcryptPrimitives!MSCryptHashData+0x91
09 00000000`157eea80 00007ffa`bfe82caa bcrypt!BCryptHashData+0x68
0a 00000000`157eead0 00007ffa`c0241d25 rsaenh!CPHashData+0xb2
0b 00000000`157eeb10 00007ffa`c0a011d7 CRYPTSP!CryptHashData+0x8d
0c 00000000`157eeb90 00007ffa`c0a0c7cc Wintrust!DigestFileData+0xc7
0d 00000000`157eebd0 00007ffa`c0a0125b Wintrust!SIPObjectFlat_::GetDigestStream+0xb4
0e 00000000`157eec30 00007ffa`c09f9d2d Wintrust!SIPObject_::DigestFile+0x77
0f 00000000`157eed30 00007ffa`c09f9add Wintrust!SIPObject_::CreateIndirectData+0x183
10 00000000`157eedb0 00007ffa`c0a924e5 Wintrust!InboxCryptSIPCreateIndirectData+0x6d
11 00000000`157eede0 00007ffa`c09fa0ba CRYPT32!CryptSIPCreateIndirectData+0x85
12 00000000`157eee70 00007ffa`c09f9f4a Wintrust!_CatAdminCalcHashFromFileHandle+0x15a
13 00000000`157eeff0 00007ff6`efad580d Wintrust!CryptCATAdminCalcHashFromFileHandle+0x1e
14 00000000`157ef030 00007ff6`efac2034 PROCEXP64+0x9580d
15 00000000`157ef150 00007ff6`efac2325 PROCEXP64+0x82034
16 00000000`157efb70 00007ff6`efb1fe9f PROCEXP64+0x82325
17 00000000`157efba0 00007ff6`efb1ff49 PROCEXP64+0xdfe9f
18 00000000`157efbd0 00007ffa`c2f016ad PROCEXP64+0xdff49
19 00000000`157efc00 00007ffa`c36234a5 KERNEL32!BaseThreadInitThunk+0xd
1a 00000000`157efc30 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

  1  ffffd001f7d04180  ffffe0003b8c2880 (15)                       ffffd001f7d102c0  ................

 # Child-SP          RetAddr           Call Site
00 00000000`7a37eb50 00007ffa`c0794e92 bcryptPrimitives!SymCryptSha1AppendBlocksAsm+0x92b
01 00000000`7a37ebe0 00007ffa`c0793285 bcryptPrimitives!SymCryptSha1Append+0xb3
02 00000000`7a37ec10 00007ffa`c0471318 bcryptPrimitives!MSCryptHashData+0x91
03 00000000`7a37ecb0 00007ffa`bfe82caa bcrypt!BCryptHashData+0x68
04 00000000`7a37ed00 00007ffa`c0241d25 rsaenh!CPHashData+0xb2
05 00000000`7a37ed40 00007ffa`c0a011d7 CRYPTSP!CryptHashData+0x8d
06 00000000`7a37edc0 00007ffa`c0a0c7cc Wintrust!DigestFileData+0xc7
07 00000000`7a37ee00 00007ffa`c0a0125b Wintrust!SIPObjectFlat_::GetDigestStream+0xb4
08 00000000`7a37ee60 00007ffa`c09f9d2d Wintrust!SIPObject_::DigestFile+0x77
09 00000000`7a37ef60 00007ffa`c09f9add Wintrust!SIPObject_::CreateIndirectData+0x183
0a 00000000`7a37efe0 00007ffa`c0a924e5 Wintrust!InboxCryptSIPCreateIndirectData+0x6d
0b 00000000`7a37f010 00007ffa`c09fa0ba CRYPT32!CryptSIPCreateIndirectData+0x85
0c 00000000`7a37f0a0 00007ffa`c09f9f4a Wintrust!_CatAdminCalcHashFromFileHandle+0x15a
0d 00000000`7a37f220 00007ff6`efad580d Wintrust!CryptCATAdminCalcHashFromFileHandle+0x1e
0e 00000000`7a37f260 00007ff6`efac2034 PROCEXP64+0x9580d
0f 00000000`7a37f380 00007ff6`efac2325 PROCEXP64+0x82034
10 00000000`7a37fda0 00007ff6`efb1fe9f PROCEXP64+0x82325
11 00000000`7a37fdd0 00007ff6`efb1ff49 PROCEXP64+0xdfe9f
12 00000000`7a37fe00 00007ffa`c2f016ad PROCEXP64+0xdff49
13 00000000`7a37fe30 00007ffa`c36234a5 KERNEL32!BaseThreadInitThunk+0xd
14 00000000`7a37fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

  2  ffffd001f7ea4180  ffffe0003b492880 (15)                       ffffd001f7eb02c0  ................

 # Child-SP          RetAddr           Call Site
00 00000000`3394ebe0 00007ffa`c0794e92 bcryptPrimitives!SymCryptSha1AppendBlocksAsm+0xa70
01 00000000`3394ec70 00007ffa`c0793285 bcryptPrimitives!SymCryptSha1Append+0xb3
02 00000000`3394eca0 00007ffa`c0471318 bcryptPrimitives!MSCryptHashData+0x91
03 00000000`3394ed40 00007ffa`bfe82caa bcrypt!BCryptHashData+0x68
04 00000000`3394ed90 00007ffa`c0241d25 rsaenh!CPHashData+0xb2
05 00000000`3394edd0 00007ffa`c0a011d7 CRYPTSP!CryptHashData+0x8d
06 00000000`3394ee50 00007ffa`c0a0c7cc Wintrust!DigestFileData+0xc7
07 00000000`3394ee90 00007ffa`c0a0125b Wintrust!SIPObjectFlat_::GetDigestStream+0xb4
08 00000000`3394eef0 00007ffa`c09f9d2d Wintrust!SIPObject_::DigestFile+0x77
09 00000000`3394eff0 00007ffa`c09f9add Wintrust!SIPObject_::CreateIndirectData+0x183
0a 00000000`3394f070 00007ffa`c0a924e5 Wintrust!InboxCryptSIPCreateIndirectData+0x6d
0b 00000000`3394f0a0 00007ffa`c09fa0ba CRYPT32!CryptSIPCreateIndirectData+0x85
0c 00000000`3394f130 00007ffa`c09f9f4a Wintrust!_CatAdminCalcHashFromFileHandle+0x15a
0d 00000000`3394f2b0 00007ff6`efad580d Wintrust!CryptCATAdminCalcHashFromFileHandle+0x1e
0e 00000000`3394f2f0 00007ff6`efac2034 PROCEXP64+0x9580d
0f 00000000`3394f410 00007ff6`efac2325 PROCEXP64+0x82034
10 00000000`3394fe30 00007ff6`efb1fe9f PROCEXP64+0x82325
11 00000000`3394fe60 00007ff6`efb1ff49 PROCEXP64+0xdfe9f
12 00000000`3394fe90 00007ffa`c2f016ad PROCEXP64+0xdff49
13 00000000`3394fec0 00007ffa`c36234a5 KERNEL32!BaseThreadInitThunk+0xd
14 00000000`3394fef0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

  3  ffffd001f7fe6180  ffffe0003b096880 (15)                       ffffd001f7ff22c0  ................

 # Child-SP          RetAddr           Call Site
00 00000000`3594e9e0 00007ffa`c0794e92 bcryptPrimitives!SymCryptSha1AppendBlocksAsm+0x783
01 00000000`3594ea70 00007ffa`c0793285 bcryptPrimitives!SymCryptSha1Append+0xb3
02 00000000`3594eaa0 00007ffa`c0471318 bcryptPrimitives!MSCryptHashData+0x91
03 00000000`3594eb40 00007ffa`bfe82caa bcrypt!BCryptHashData+0x68
04 00000000`3594eb90 00007ffa`c0241d25 rsaenh!CPHashData+0xb2
05 00000000`3594ebd0 00007ffa`c0a011d7 CRYPTSP!CryptHashData+0x8d
06 00000000`3594ec50 00007ffa`c0a0c7cc Wintrust!DigestFileData+0xc7
07 00000000`3594ec90 00007ffa`c0a0125b Wintrust!SIPObjectFlat_::GetDigestStream+0xb4
08 00000000`3594ecf0 00007ffa`c09f9d2d Wintrust!SIPObject_::DigestFile+0x77
09 00000000`3594edf0 00007ffa`c09f9add Wintrust!SIPObject_::CreateIndirectData+0x183
0a 00000000`3594ee70 00007ffa`c0a924e5 Wintrust!InboxCryptSIPCreateIndirectData+0x6d
0b 00000000`3594eea0 00007ffa`c09fa0ba CRYPT32!CryptSIPCreateIndirectData+0x85
0c 00000000`3594ef30 00007ffa`c09f9f4a Wintrust!_CatAdminCalcHashFromFileHandle+0x15a
0d 00000000`3594f0b0 00007ff6`efad580d Wintrust!CryptCATAdminCalcHashFromFileHandle+0x1e
0e 00000000`3594f0f0 00007ff6`efac2034 PROCEXP64+0x9580d
0f 00000000`3594f210 00007ff6`efac2325 PROCEXP64+0x82034
10 00000000`3594fc30 00007ff6`efb1fe9f PROCEXP64+0x82325
11 00000000`3594fc60 00007ff6`efb1ff49 PROCEXP64+0xdfe9f
12 00000000`3594fc90 00007ffa`c2f016ad PROCEXP64+0xdff49
13 00000000`3594fcc0 00007ffa`c36234a5 KERNEL32!BaseThreadInitThunk+0xd
14 00000000`3594fcf0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
From the above we can see that all the threads belong to the PROCEXP64 process, have the highest priority (15) and are calling the same CryptCATAdminCalcHashFromFileHandle function, which calculates the hash of a file. From MSDN we know that the first argument to the function is a handle to the file whose hash is being calculated. Let's find out what those files are.
0: kd> ub PROCEXP64+0x9580d
PROCEXP64+0x957d5:
00007ff6`efad57d5 48898424a0000000    mov     qword ptr [rsp+0A0h],rax
00007ff6`efad57dd 4883bc24a0000000ff  cmp     qword ptr [rsp+0A0h],0FFFFFFFFFFFFFFFFh
00007ff6`efad57e6 0f847b010000        je      PROCEXP64+0x95967 (00007ff6`efad5967)
00007ff6`efad57ec 4533c9              xor     r9d,r9d
00007ff6`efad57ef 4c8d8424e0000000    lea     r8,[rsp+0E0h]
00007ff6`efad57f7 488d9424d0000000    lea     rdx,[rsp+0D0h]
00007ff6`efad57ff 488b8c24a0000000    mov     rcx,qword ptr [rsp+0A0h]
00007ff6`efad5807 ff15733c0d00        call    qword ptr [PROCEXP64+0x169480 (00007ff6`efba9480)]

0: kd> dq 00000000`157ef030+A0 L1
00000000`157ef0d0  00000000`00000ef0

0: kd> !handle ef0
PROCESS ffffe0003abf5900
    SessionId: 1  Cid: 13c4    Peb: 7ff6eee1a000  ParentCid: 0648
    DirBase: 198250000  ObjectTable: ffffc0000f8bfe80  HandleCount: 
    Image: procexp64.exe

Handle Error reading handle count.

0ef0: Object: ffffe0003afedec0  GrantedAccess: 00120089 (Protected) Entry: ffffc00012834bc0
Object: ffffe0003afedec0  Type: (ffffe00038b44c60) File
    ObjectHeader: ffffe0003afede90 (new version)
        HandleCount: 1  PointerCount: 25794
        Directory Object: 00000000  Name: \CrashDumps\MEMORY.DMP {HarddiskVolume3}

0: kd> dq 00000000`7a37f260+A0 L1
00000000`7a37f300  00000000`00001e64

0: kd> !handle 1e64
PROCESS ffffe0003abf5900
    SessionId: 1  Cid: 13c4    Peb: 7ff6eee1a000  ParentCid: 0648
    DirBase: 198250000  ObjectTable: ffffc0000f8bfe80  HandleCount: 
    Image: procexp64.exe

Handle Error reading handle count.

1e64: Object: ffffe0003be922d0  GrantedAccess: 00120089 (Inherit) Entry: ffffc0001369a990
Object: ffffe0003be922d0  Type: (ffffe00038b44c60) File
    ObjectHeader: ffffe0003be922a0 (new version)
        HandleCount: 1  PointerCount: 31959
        Directory Object: 00000000  Name: \CrashDumps\MEMORY.DMP {HarddiskVolume3}

0: kd> dq 00000000`3394f2f0+A0 L1
00000000`3394f390  00000000`00000b20

0: kd> !handle b20
PROCESS ffffe0003abf5900
    SessionId: 1  Cid: 13c4    Peb: 7ff6eee1a000  ParentCid: 0648
    DirBase: 198250000  ObjectTable: ffffc0000f8bfe80  HandleCount: 
    Image: procexp64.exe

Handle Error reading handle count.

0b20: Object: ffffe00039f588e0  GrantedAccess: 00120089 (Protected) (Inherit) Entry: ffffc000119ebc80
Object: ffffe00039f588e0  Type: (ffffe00038b44c60) File
    ObjectHeader: ffffe00039f588b0 (new version)
        HandleCount: 1  PointerCount: 24454
        Directory Object: 00000000  Name: \CrashDumps\MEMORY.DMP {HarddiskVolume3}

0: kd> dq 00000000`3594f0f0+A0 L1
00000000`3594f190  00000000`00000e80

0: kd> !handle e80
PROCESS ffffe0003abf5900
    SessionId: 1  Cid: 13c4    Peb: 7ff6eee1a000  ParentCid: 0648
    DirBase: 198250000  ObjectTable: ffffc0000f8bfe80  HandleCount: 
    Image: procexp64.exe

Handle Error reading handle count.

0e80: Object: ffffe0003b038cf0  GrantedAccess: 00120089 (Audit) Entry: ffffc00012834a00
Object: ffffe0003b038cf0  Type: (ffffe00038b44c60) File
    ObjectHeader: ffffe0003b038cc0 (new version)
        HandleCount: 1  PointerCount: 25454
        Directory Object: 00000000  Name: \CrashDumps\MEMORY.DMP {HarddiskVolume3}
Now we know that each thread opened the same file and is calculating its hash. If we examine the process information, we can see that there are 401 threads; almost all of them called the CryptCATAdminCalcHashFromFileHandle function and are trying to acquire pushlocks exclusively, such as the process address-creation lock, the process working-set lock and others.
0: kd> !process 0 7 procexp64.exe
PROCESS ffffe0003abf5900
    SessionId: 1  Cid: 13c4    Peb: 7ff6eee1a000  ParentCid: 0648
    DirBase: 198250000  ObjectTable: ffffc0000f8bfe80  HandleCount: 
    Image: procexp64.exe
    VadRoot ffffe0003b840610 Vads 1602 Clone 0 Private 63178. Modified 722032. Locked 0.
    DeviceMap ffffc000107518a0
    Token                             ffffc0000f8c0620
    ElapsedTime                       10:44:55.966
    UserTime                          00:00:13.015
    KernelTime                        00:00:16.109
    QuotaPoolUsage[PagedPool]         9332440
    QuotaPoolUsage[NonPagedPool]      205840
    Working Set Sizes (now,min,max)  (1123000, 50, 345) (4492000KB, 200KB, 1380KB)
    PeakWorkingSetSize                1151708
    VirtualSize                       4900 Mb
    PeakVirtualSize                   12973 Mb
    PageFaultCount                    65953278
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      64625
    Job                               ffffe0003ab4a060
...
        THREAD ffffe0003bad5880  Cid 13c4.0888  Teb: 00007ff6eecee000 Win32Thread: fffff901407f3b60 WAIT: (WrPushLock) KernelMode Non-Alertable
            ffffd001f8b93660  SynchronizationEvent
        Not impersonating
        DeviceMap                 ffffc000107518a0
        Owning Process            ffffe0003abf5900       Image:         procexp64.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      2478459        Ticks: 6 (0:00:00:00.093)
        Context Switch Count      37892          IdealProcessor: 0
        UserTime                  00:00:11.812
        KernelTime                00:00:01.796
        Win32 Start Address PROCEXP64 (0x00007ff6efb1feb4)
        Stack Init ffffd001f8b93c90 Current ffffd001f8b932f0
        Base ffffd001f8b94000 Limit ffffd001f8b8e000 Call 0
        Priority 15 BasePriority 13 UnusualBoost 2 ForegroundBoost 0 IoPriority 1 PagePriority 2
        Child-SP          RetAddr           : Args to Child                                                           : Call Site
        ffffd001`f8b93330 fffff802`360d5d1e : fffff802`36365180 ffffe000`3bad5880 fffff802`0000000f fffff802`361d000f : nt!KiSwapContext+0x76
        ffffd001`f8b93470 fffff802`360d5779 : 00007ffa`c0d21e48 00007ffa`c0d2375e 00000000`00000000 00000000`00000000 : nt!KiSwapThread+0x14e
        ffffd001`f8b93510 fffff802`360e5dfa : 00000000`20646156 00000000`00000000 fffff802`00000000 fffff802`360d0e20 : nt!KiCommitThreadWait+0x129
        ffffd001`f8b93590 fffff802`360e3b45 : ffffd001`f8b93660 00000000`0000001c 00000000`20646100 fffff802`00000000 : nt!KeWaitForSingleObject+0x22a
        ffffd001`f8b93620 fffff802`360f7831 : 00000000`00000000 ffffe000`3bad5880 ffffd001`f8b93a18 ffffd001`00000000 : nt!ExfAcquirePushLockExclusiveEx+0x2b5
        ffffd001`f8b936e0 fffff802`3647ebbf : 00000000`00000000 ffffd001`f8b937e9 ffffd001`f8b93a18 ffffe000`3c1e4df0 : nt!LOCK_ADDRESS_SPACE+0x119
        ffffd001`f8b93710 fffff802`3647d584 : ffffe000`3b69c010 ffffe000`3abf5900 ffffd001`f8b93a20 00000000`00000400 : nt!MiMapViewOfDataSection+0x2f7
        ffffd001`f8b93830 fffff802`365004b5 : 00000000`00501800 00007ffa`00000008 ffffe000`38a424d0 00000000`00000001 : nt!MiMapViewOfSection+0x290
        ffffd001`f8b939b0 fffff802`361dea4b : 00000000`00000580 ffffe000`3bad5880 00000000`0590ece8 ffffd001`f8b93b80 : nt!NtMapViewOfSection+0x2bd
        ffffd001`f8b93a90 00007ffa`c364af8a : 00007ffa`c0d21e48 00000000`00000000 00000000`0590ed50 00000000`0245c9d0 : nt!KiSystemServiceExit+0x290 (TrapFrame @ ffffd001`f8b93b00)
        00000000`0590ecc8 00007ffa`c0d21e48 : 00000000`00000000 00000000`0590ed50 00000000`0245c9d0 00007ffa`bfe82cb2 : ntdll!NtMapViewOfSection+0xa
        00000000`0590ecd0 00007ffa`c0d2375e : 00000000`00000000 00000000`00000000 00000000`00000000 00007ffa`c0d21d54 : KERNELBASE!MapViewOfFileExNuma+0xbc
        00000000`0590ed50 00007ffa`c0a00716 : 00000000`04b98c20 00000000`04b98c20 00000000`00000000 00000000`04b98c20 : KERNELBASE!MapViewOfFile+0x1e
        00000000`0590eda0 00007ffa`c0a0c7fd : 00000000`00080000 00000000`00000000 00000000`7a600000 00000000`7317f33a : Wintrust!BigFileHashMapViewOfFileCallback+0x13e
        00000000`0590edf0 00007ffa`c0a0125b : 00000000`00000000 00000000`0590ef80 00000000`04b98bb0 00000000`0590f0c0 : Wintrust!SIPObjectFlat_::GetDigestStream+0xdd
        00000000`0590ee50 00007ffa`c09f9d2d : 00000000`000000c0 00007ffa`c09f2125 00000000`00000000 00000000`0590f0c0 : Wintrust!SIPObject_::DigestFile+0x77
        00000000`0590ef50 00007ffa`c09f9add : 00000000`0590f120 00000000`04b98bb0 00000000`0590f0c0 00000000`0590f0c0 : Wintrust!SIPObject_::CreateIndirectData+0x183
        00000000`0590efd0 00007ffa`c0a924e5 : 00000000`0590f120 00000000`00000000 00000000`02459510 00000000`00000000 : Wintrust!InboxCryptSIPCreateIndirectData+0x6d
        00000000`0590f000 00007ffa`c09fa0ba : 00000000`00000000 00000000`00000000 00000000`0590f320 00000000`02459510 : CRYPT32!CryptSIPCreateIndirectData+0x85
        00000000`0590f090 00007ffa`c09f9f4a : 00000000`0590f220 00007ff6`00000000 00000080`00000020 00000000`00000000 : Wintrust!_CatAdminCalcHashFromFileHandle+0x15a
        00000000`0590f210 00007ff6`efad580d : 00000000`050836f0 00000000`0000005c 00000000`00000000 00000000`00000000 : Wintrust!CryptCATAdminCalcHashFromFileHandle+0x1e
        00000000`0590f250 00007ff6`efac2034 : 00000000`050836f0 00000000`00000000 00000000`00000000 00000000`0590f600 : PROCEXP64+0x9580d
        00000000`0590f370 00007ff6`efac2325 : 00000000`02a09900 00000000`00000001 00000000`00000000 00000000`00000000 : PROCEXP64+0x82034
        00000000`0590fd90 00007ff6`efb1fe9f : 00000000`02a09900 00000000`00000000 00000000`00000000 00000000`00000000 : PROCEXP64+0x82325
        00000000`0590fdc0 00007ff6`efb1ff49 : 00000000`02a293d0 00000000`00000000 00000000`00000000 00000000`00000000 : PROCEXP64+0xdfe9f
        00000000`0590fdf0 00007ffa`c2f016ad : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PROCEXP64+0xdff49
        00000000`0590fe20 00007ffa`c36234a5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0xd
        00000000`0590fe50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
...
        THREAD ffffe0003bb1b880  Cid 13c4.0514  Teb: 00007ff6eec40000 Win32Thread: fffff901455c44f0 READY on processor 80000000
        Not impersonating
        DeviceMap                 ffffc000107518a0
        Owning Process            ffffe0003abf5900       Image:         procexp64.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      2478465        Ticks: 0
        Context Switch Count      28641          IdealProcessor: 2
        UserTime                  00:00:08.187
        KernelTime                00:00:01.453
        Win32 Start Address PROCEXP64 (0x00007ff6efb1feb4)
        Stack Init ffffd001fa418c90 Current ffffd001fa4185f0
        Base ffffd001fa419000 Limit ffffd001fa413000 Call 0
        Priority 15 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 1 PagePriority 2
        Child-SP          RetAddr           : Args to Child                                                           : Call Site
        ffffd001`fa418630 fffff802`361d7ffa : ffffd001`fa418788 fffff802`362af34f fffffff6`00000002 00000001`ffffffff : nt!KxDispatchInterrupt+0x122
        ffffd001`fa418770 fffff802`360e3a84 : ffffd002`0d846942 00000000`00000000 ffffe000`3bb1b880 00000000`00000000 : nt!KiDpcInterrupt+0xca (TrapFrame @ ffffd001`fa418770)
        ffffd001`fa418900 fffff802`360e6a09 : fffff802`000003f2 ffffe000`3bb1b880 ffffe000`3abf5dd8 ffffd001`00000200 : nt!ExfAcquirePushLockExclusiveEx+0x1f4
        ffffd001`fa4189c0 fffff802`361dd22f : 00000000`00000000 00000000`b0675b3e 00000000`00000001 ffffd001`fa418b00 : nt!MmAccessFault+0x7e9
        ffffd001`fa418b00 00007ffa`c0793dcd : 60789dbb`b4c8746e 079a1144`e6b966fb 9b3b1c3b`890a2ce1 285a6732`01adc808 : nt!KiPageFault+0x12f (TrapFrame @ ffffd001`fa418b00)
        00000000`159ee850 00007ffa`c0794e92 : 00000000`00000010 00007ffa`c35eb3b2 00000000`002f0000 00000000`00000000 : bcryptPrimitives!SymCryptSha1AppendBlocksAsm+0x3e
        00000000`159ee8e0 00007ffa`c0793285 : 00000000`00000000 00000000`3cf5bd30 00000000`7ac80000 00000000`00100000 : bcryptPrimitives!SymCryptSha1Append+0xb3
        00000000`159ee910 00007ffa`c0471318 : 00007ffa`c07933e0 00000000`159eead8 00000000`024e6be0 00007ffa`bfe84858 : bcryptPrimitives!MSCryptHashData+0x91
        00000000`159ee9b0 00007ffa`bfe82caa : 00000000`07f30600 00000000`0a181130 00000000`159eea40 00007ffa`00000001 : bcrypt!BCryptHashData+0x68
        00000000`159eea00 00007ffa`c0241d25 : 00000000`00000000 00000000`00000000 00000000`00000000 00007ffa`c0d2375e : rsaenh!CPHashData+0xb2
        00000000`159eea40 00007ffa`c0a011d7 : 00000000`00000000 00000000`159eeb80 00000000`9797f33a 00007ffa`c0a01128 : CRYPTSP!CryptHashData+0x8d
        00000000`159eeac0 00007ffa`c0a0c7cc : 00000000`00000000 00000000`0243eff0 00000000`55e00000 00000000`9797f33a : Wintrust!DigestFileData+0xc7
        00000000`159eeb00 00007ffa`c0a0125b : 00000000`00000000 00000000`159eec90 00000000`04bf1330 00000000`159eedd0 : Wintrust!SIPObjectFlat_::GetDigestStream+0xb4
        00000000`159eeb60 00007ffa`c09f9d2d : 00000000`000000c0 00007ffa`c09f2125 00000000`00000000 00000000`159eedd0 : Wintrust!SIPObject_::DigestFile+0x77
        00000000`159eec60 00007ffa`c09f9add : 00000000`159eee30 00000000`04bf1330 00000000`159eedd0 00000000`159eedd0 : Wintrust!SIPObject_::CreateIndirectData+0x183
        00000000`159eece0 00007ffa`c0a924e5 : 00000000`159eee30 00000000`00000000 00000000`0243a070 00000000`00000000 : Wintrust!InboxCryptSIPCreateIndirectData+0x6d
        00000000`159eed10 00007ffa`c09fa0ba : 00000000`00000000 00000000`00000000 00000000`159ef030 00000000`0243a070 : CRYPT32!CryptSIPCreateIndirectData+0x85
        00000000`159eeda0 00007ffa`c09f9f4a : 00000000`159eef30 00007ff6`00000000 00000080`00000020 00000000`00000000 : Wintrust!_CatAdminCalcHashFromFileHandle+0x15a
        00000000`159eef20 00007ff6`efad580d : 00000000`02afebb0 00000000`0000005c 00000000`00000000 00000000`00000000 : Wintrust!CryptCATAdminCalcHashFromFileHandle+0x1e
        00000000`159eef60 00007ff6`efac2034 : 00000000`02afebb0 00000000`00000000 00000000`00000000 00000000`159ef300 : PROCEXP64+0x9580d
        00000000`159ef080 00007ff6`efac2325 : 00000000`050b60f0 00000000`00000001 00000000`00000000 00000000`00000000 : PROCEXP64+0x82034
        00000000`159efaa0 00007ff6`efb1fe9f : 00000000`050b60f0 00000000`00000000 00000000`00000000 00000000`00000000 : PROCEXP64+0x82325
        00000000`159efad0 00007ff6`efb1ff49 : 00000000`050c6b80 00000000`00000000 00000000`00000000 00000000`00000000 : PROCEXP64+0xdfe9f
        00000000`159efb00 00007ffa`c2f016ad : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PROCEXP64+0xdff49
        00000000`159efb30 00007ffa`c36234a5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0xd
        00000000`159efb60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
...

0: kd> ub nt!LOCK_ADDRESS_SPACE+0x119
nt!LOCK_ADDRESS_SPACE+0x104:
fffff802`360f781c 5e              pop     rsi
fffff802`360f781d c3              ret
fffff802`360f781e 498bfe          mov     rdi,r14
fffff802`360f7821 ebc0            jmp     nt!LOCK_ADDRESS_SPACE+0xcb (fffff802`360f77e3)
fffff802`360f7823 4c8bc6          mov     r8,rsi
fffff802`360f7826 488bd7          mov     rdx,rdi
fffff802`360f7829 488bce          mov     rcx,rsi
fffff802`360f782c e85fc0feff      call    nt!ExfAcquirePushLockExclusiveEx (fffff802`360e3890)

0: kd> u nt!ExfAcquirePushLockExclusiveEx
nt!ExfAcquirePushLockExclusiveEx:
fffff802`360e3890 48895c2410      mov     qword ptr [rsp+10h],rbx
fffff802`360e3895 55              push    rbp
fffff802`360e3896 56              push    rsi
fffff802`360e3897 57              push    rdi
fffff802`360e3898 4154            push    r12
fffff802`360e389a 4155            push    r13
fffff802`360e389c 4156            push    r14
fffff802`360e389e 4157            push    r15

0: kd> dps ffffd001`f8b936e0-8-8*2 L1
ffffd001`f8b936c8  ffffe000`3abf5c58

0: kd> ? ffffe000`3abf5c58-ffffe0003abf5900
Evaluate expression: 856 = 00000000`00000358

0: kd> dt nt!_EPROCESS -n AddressCreationLock
   +0x358 AddressCreationLock : _EX_PUSH_LOCK

0: kd> ub nt!MmAccessFault+0x7e9
nt!MmAccessFault+0x7cd:
fffff802`360e69ed 33c0            xor     eax,eax
fffff802`360e69ef 448bc8          mov     r9d,eax
fffff802`360e69f2 48894528        mov     qword ptr [rbp+28h],rax
fffff802`360e69f6 e959fbffff      jmp     nt!MmAccessFault+0x334 (fffff802`360e6554)
fffff802`360e69fb 4d8bc7          mov     r8,r15
fffff802`360e69fe 488bd6          mov     rdx,rsi
fffff802`360e6a01 498bcf          mov     rcx,r15
fffff802`360e6a04 e887ceffff      call    nt!ExfAcquirePushLockExclusiveEx (fffff802`360e3890)

0: kd> u nt!ExfAcquirePushLockExclusiveEx
nt!ExfAcquirePushLockExclusiveEx:
fffff802`360e3890 48895c2410      mov     qword ptr [rsp+10h],rbx
fffff802`360e3895 55              push    rbp
fffff802`360e3896 56              push    rsi
fffff802`360e3897 57              push    rdi
fffff802`360e3898 4154            push    r12
fffff802`360e389a 4155            push    r13
fffff802`360e389c 4156            push    r14
fffff802`360e389e 4157            push    r15

0: kd> dps ffffd001`fa4189c0-8-8*7 L1
ffffd001`fa418980  ffffe000`3abf5de8

0: kd> ? ffffe000`3abf5de8-ffffe000`3abf5900
Evaluate expression: 1256 = 00000000`000004e8

0: kd> dt nt!_EPROCESS -n Vm.WorkingSetMutex
   +0x4d8 Vm                  :
      +0x010 WorkingSetMutex : _EX_PUSH_LOCK

0: kd> dt nt!_EPROCESS ffffe0003abf5900 -n ActiveThreads
   +0x480 ActiveThreads : 0x191

0: kd> ? 0x191
Evaluate expression: 401 = 00000000`00000191
Also, by issuing the !ready command, we can see that a lot of threads are ready to execute and belong to our process.
0: kd> !ready
KSHARED_READY_QUEUE fffff80236374ec0: (00) ****------------------------------------------------------------
SharedReadyQueue fffff80236374ec0: Ready Threads at priority 15
    THREAD ffffe0003c408080  Cid 13c4.146c  Teb: 00007ff6eea9a000 Win32Thread: fffff9014632eb60 READY on processor 80000003
    THREAD ffffe0003b9a9880  Cid 13c4.06c8  Teb: 00007ff6eec62000 Win32Thread: fffff90145ff3b60 READY on processor 80000002
    THREAD ffffe0003b9cb080  Cid 13c4.10b8  Teb: 00007ff6eeb32000 Win32Thread: fffff90145ff7b60 READY on processor 80000000
    THREAD ffffe0003bb1b880  Cid 13c4.0514  Teb: 00007ff6eec40000 Win32Thread: fffff901455c44f0 READY on processor 80000000
    THREAD ffffe0003aa8b080  Cid 13c4.06f0  Teb: 00007ff6eea8e000 Win32Thread: fffff9014674db60 READY on processor 80000001
SharedReadyQueue fffff80236374ec0: Ready Threads at priority 13
    THREAD ffffe0003ab5e080  Cid 13c4.1e58  Teb: 00007ff6eec50000 Win32Thread: fffff90145c3fb60 READY on processor 80000003
    THREAD ffffe0003bfbb500  Cid 13c4.11c0  Teb: 00007ff6eeab0000 Win32Thread: fffff9014613fb60 READY on processor 80000000
    THREAD ffffe0003c6c3080  Cid 13c4.1a84  Teb: 00007ff6eebc6000 Win32Thread: fffff9014589e4d0 READY on processor 80000003
    THREAD ffffe0003c0f6880  Cid 13c4.0c3c  Teb: 00007ff6eece4000 Win32Thread: fffff901407d3b60 READY on processor 80000001
    THREAD ffffe0003c184540  Cid 13c4.16b0  Teb: 00007ff6eea36000 Win32Thread: fffff90146358010 READY on processor 80000001
    THREAD ffffe0003c447880  Cid 13c4.1a68  Teb: 00007ff6ee9e2000 Win32Thread: fffff9014679cac0 READY on processor 80000000
    THREAD ffffe0003902b080  Cid 13c4.1824  Teb: 00007ff6eec86000 Win32Thread: fffff90145c367f0 READY on processor 80000001
    THREAD ffffe0003bae3880  Cid 13c4.1d10  Teb: 00007ff6eecd8000 Win32Thread: fffff901407ed260 READY on processor 80000000
    THREAD ffffe00039567880  Cid 13c4.0b98  Teb: 00007ff6eea38000 Win32Thread: fffff90146574b60 READY on processor 80000003
    THREAD ffffe00039629080  Cid 13c4.13b8  Teb: 00007ff6eea0a000 Win32Thread: fffff90146743010 READY on processor 80000001
    THREAD ffffe00038cee240  Cid 13c4.187c  Teb: 00007ff6eeabc000 Win32Thread: fffff9014617f010 READY on processor 80000001
    THREAD ffffe00038e73080  Cid 13c4.1740  Teb: 00007ff6eec24000 Win32Thread: fffff901425e9b60 READY on processor 80000002
    THREAD ffffe0003c1554c0  Cid 13c4.1888  Teb: 00007ff6eeb2c000 Win32Thread: fffff90145ff1010 READY on processor 80000001
    THREAD ffffe0003c9eb600  Cid 13c4.1490  Teb: 00007ff6ee9da000 Win32Thread: fffff901467be5c0 READY on processor 80000002
    THREAD ffffe0003ac3f880  Cid 13c4.0fb0  Teb: 00007ff6eeca2000 Win32Thread: fffff90145c425c0 READY on processor 80000002
    THREAD ffffe0003c19c080  Cid 13c4.0958  Teb: 00007ff6eeade000 Win32Thread: fffff9014613f4f0 READY on processor 80000001
    THREAD ffffe0003c397680  Cid 13c4.16ec  Teb: 00007ff6eeb48000 Win32Thread: fffff90145fd9b60 READY on processor 80000002
    THREAD ffffe0003a405080  Cid 13c4.1ed8  Teb: 00007ff6eebe8000 Win32Thread: fffff90145ecbb60 READY on processor 80000003
    THREAD ffffe0003bb65880  Cid 13c4.048c  Teb: 00007ff6eec9a000 Win32Thread: fffff901425604b0 READY on processor 80000003
    THREAD ffffe0003c255600  Cid 0688.1ec4  Teb: 00007ff64fbad000 Win32Thread: fffff901422ac010 READY on processor 80000000
    THREAD ffffe0003cc1c400  Cid 0004.0f7c  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000003
    THREAD ffffe00038e47880  Cid 13c4.1f18  Teb: 00007ff6eebe4000 Win32Thread: fffff90145d4d010 READY on processor 80000001
    THREAD ffffe0003c6a9080  Cid 13c4.0e3c  Teb: 00007ff6eec00000 Win32Thread: fffff90145e89b60 READY on processor 80000001
    THREAD ffffe0003c6de880  Cid 13c4.15c8  Teb: 00007ff6eeb14000 Win32Thread: fffff901465e56b0 READY on processor 80000003
    THREAD ffffe0003c58f880  Cid 13c4.15ec  Teb: 00007ff6eea24000 Win32Thread: fffff90146727b60 READY on processor 80000001
    THREAD ffffe0003b904880  Cid 13c4.1ce0  Teb: 00007ff6eec34000 Win32Thread: fffff901407ef920 READY on processor 80000001
    THREAD ffffe0003c655500  Cid 13c4.0cd4  Teb: 00007ff6eeb0a000 Win32Thread: fffff90145feb010 READY on processor 80000002
    THREAD ffffe0003b1bd080  Cid 13c4.17bc  Teb: 00007ff6ee9ec000 Win32Thread: fffff9014678ab60 READY on processor 80000002
    THREAD ffffe0003a45a880  Cid 13c4.1cc0  Teb: 00007ff6eec10000 Win32Thread: fffff90145431430 READY on processor 80000000
    THREAD ffffe0003ab85880  Cid 13c4.0f30  Teb: 00007ff6eeb08000 Win32Thread: fffff90145febb60 READY on processor 80000003
    THREAD ffffe0003bc25880  Cid 13c4.1c2c  Teb: 00007ff6eeafc000 Win32Thread: fffff9014612b5e0 READY on processor 80000003
    THREAD ffffe0003b490080  Cid 13c4.04e4  Teb: 00007ff6eeaba000 Win32Thread: fffff9014617db60 READY on processor 80000003
    THREAD ffffe000398f9880  Cid 13c4.1c84  Teb: 00007ff6eea3e000 Win32Thread: fffff90146352010 READY on processor 80000002
    THREAD ffffe00039166080  Cid 13c4.1a70  Teb: 00007ff6eeccc000 Win32Thread: fffff901400cd010 READY on processor 80000000
    THREAD ffffe0003b1012c0  Cid 13c4.0cf0  Teb: 00007ff6eeaa6000 Win32Thread: fffff9014615c010 READY on processor 80000000
    THREAD ffffe000393724c0  Cid 13c4.1c4c  Teb: 00007ff6ee9e0000 Win32Thread: fffff9014679f0c0 READY on processor 80000001
    THREAD ffffe0003b8d6080  Cid 13c4.1064  Teb: 00007ff6eea1a000 Win32Thread: fffff901465dcb60 READY on processor 80000001
    THREAD ffffe0003c5e9080  Cid 13c4.1b8c  Teb: 00007ff6eeca4000 Win32Thread: fffff901407f9010 READY on processor 80000003
    THREAD ffffe0003acfb880  Cid 13c4.1e98  Teb: 00007ff6eebbe000 Win32Thread: fffff901453e4010 READY on processor 80000001
    THREAD ffffe0003902c080  Cid 13c4.1fbc  Teb: 00007ff6eeacc000 Win32Thread: fffff90146179b60 READY on processor 80000003
    THREAD ffffe0003bec5340  Cid 13c4.1748  Teb: 00007ff6eec42000 Win32Thread: fffff90145474340 READY on processor 80000000
    THREAD ffffe0003bae2880  Cid 13c4.1cb8  Teb: 00007ff6eec1e000 Win32Thread: fffff90145db1010 READY on processor 80000002
    THREAD ffffe00039eed580  Cid 13c4.05d8  Teb: 00007ff6eea80000 Win32Thread: fffff9014633cb60 READY on processor 80000002
    THREAD ffffe000399092c0  Cid 13c4.1420  Teb: 00007ff6eebac000 Win32Thread: fffff90145f8e010 READY on processor 80000003
    THREAD ffffe0003bf94080  Cid 13c4.0e20  Teb: 00007ff6eea58000 Win32Thread: fffff901463b51f0 READY on processor 80000001
    THREAD ffffe0003a418080  Cid 13c4.1dc0  Teb: 00007ff6eea14000 Win32Thread: fffff901467339a0 READY on processor 80000002
    THREAD ffffe0003ae22080  Cid 13c4.1e6c  Teb: 00007ff6eeb8c000 Win32Thread: fffff901465ceb60 READY on processor 80000003
    THREAD ffffe0003a413780  Cid 13c4.0408  Teb: 00007ff6eea32000 Win32Thread: fffff90145fe26b0 READY on processor 80000001
    THREAD ffffe00039daa080  Cid 13c4.1154  Teb: 00007ff6eecba000 Win32Thread: fffff90141d6bb60 READY on processor 80000000
    THREAD ffffe0003bfb5080  Cid 13c4.14d0  Teb: 00007ff6eec70000 Win32Thread: fffff90142446b60 READY on processor 80000000
    THREAD ffffe0003bfcd880  Cid 0004.1118  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000002
    THREAD ffffe0003b9b2480  Cid 13c4.0aa0  Teb: 00007ff6eea7a000 Win32Thread: fffff90146350010 READY on processor 80000002
    THREAD ffffe0003bf74780  Cid 13c4.1a90  Teb: 00007ff6eeaec000 Win32Thread: fffff9014612bb60 READY on processor 80000000
    THREAD ffffe0003b61f880  Cid 13c4.0a30  Teb: 00007ff6eec18000 Win32Thread: fffff90145fcb010 READY on processor 80000003
    THREAD ffffe0003b4aa080  Cid 13c4.1be4  Teb: 00007ff6eeaa4000 Win32Thread: fffff9014633a010 READY on processor 80000001
    THREAD ffffe0003b8c9880  Cid 13c4.1688  Teb: 00007ff6eec90000 Win32Thread: fffff9014075b010 READY on processor 80000003
    THREAD ffffe0003c3f4080  Cid 13c4.10e4  Teb: 00007ff6eeb4a000 Win32Thread: fffff90145fe2b60 READY on processor 80000002
    THREAD ffffe0003c65f080  Cid 13c4.05ac  Teb: 00007ff6eebca000 Win32Thread: fffff901465d7010 READY on processor 80000002
    THREAD ffffe0003c3475c0  Cid 13c4.1944  Teb: 00007ff6ee9f2000 Win32Thread: fffff90146760010 READY on processor 80000003
    THREAD ffffe0003c6ec080  Cid 13c4.1af0  Teb: 00007ff6eeada000 Win32Thread: fffff90146145010 READY on processor 80000000
    THREAD ffffe0003be4b080  Cid 13c4.1968  Teb: 00007ff6eecaa000 Win32Thread: fffff901453e4b60 READY on processor 80000000
    THREAD ffffe00038f1d880  Cid 13c4.1190  Teb: 00007ff6eebec000 Win32Thread: fffff90146351700 READY on processor 80000001
    THREAD ffffe0003b9c3340  Cid 13c4.11a8  Teb: 00007ff6eeaa2000 Win32Thread: fffff9014633ab60 READY on processor 80000002
    THREAD ffffe0003b9d5880  Cid 13c4.19a8  Teb: 00007ff6ee9dc000 Win32Thread: fffff901467ab9c0 READY on processor 80000002
    THREAD ffffe0003cbce880  Cid 13c4.1510  Teb: 00007ff6eea02000 Win32Thread: fffff90146776b60 READY on processor 80000000
    THREAD ffffe0003b73d080  Cid 13c4.1a50  Teb: 00007ff6eebbc000 Win32Thread: fffff90145ecb010 READY on processor 80000003
    THREAD ffffe00039934080  Cid 13c4.0050  Teb: 00007ff6eea56000 Win32Thread: fffff901463b7b60 READY on processor 80000001
    THREAD ffffe000396ea440  Cid 13c4.1068  Teb: 00007ff6eeb30000 Win32Thread: fffff90145fe5010 READY on processor 80000003
    THREAD ffffe0003c472080  Cid 13c4.1260  Teb: 00007ff6eebe2000 Win32Thread: fffff90145d3db60 READY on processor 80000000
    THREAD ffffe0003b434440  Cid 13c4.1c68  Teb: 00007ff6eeb1e000 Win32Thread: fffff90146367b60 READY on processor 80000002
    THREAD ffffe0003c0ae880  Cid 13c4.1a88  Teb: 00007ff6eeb7e000 Win32Thread: fffff901467326b0 READY on processor 80000000
    THREAD ffffe0003ab79880  Cid 13c4.0a84  Teb: 00007ff6eeca8000 Win32Thread: fffff9014546f010 READY on processor 80000000
SharedReadyQueue fffff80236374ec0: Ready Threads at priority 12
    THREAD ffffe0003c7df040  Cid 0004.1300  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000000
    THREAD ffffe000396f8300  Cid 0004.1304  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000003
    THREAD ffffe0003c7f2880  Cid 0004.1954  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000000
    THREAD ffffe0003ad53080  Cid 06a8.05f0  Teb: 00007ff6f0cc6000 Win32Thread: fffff901406e5b60 READY on processor 80000001
    THREAD ffffe0003ad407c0  Cid 06a8.04f0  Teb: 00007ff6f0cd0000 Win32Thread: fffff901406e1b60 READY on processor 80000000
    THREAD ffffe0003c458080  Cid 0b28.175c  Teb: 00007ff65a9cd000 Win32Thread: fffff90145e77b60 READY on processor 80000000
    THREAD ffffe0003be1a080  Cid 0fcc.08e4  Teb: 000000007ffdb000 Win32Thread: fffff9014233ab60 READY on processor 80000000
    THREAD ffffe000391e1080  Cid 06a8.0874  Teb: 00007ff6f0cc0000 Win32Thread: fffff9014657db60 READY on processor 80000000
    THREAD ffffe0003c379080  Cid 1710.18f4  Teb: 00007ff7967ce000 Win32Thread: fffff90144f53480 READY on processor 80000002
    THREAD ffffe00039a3f080  Cid 06a8.0f08  Teb: 00007ff6f0c84000 Win32Thread: fffff9014071b010 READY on processor 80000002
    THREAD ffffe0003ac22700  Cid 06a8.06ac  Teb: 00007ff6f0e0e000 Win32Thread: fffff901400f6560 READY on processor 80000002
    THREAD ffffe0003bf39880  Cid 17fc.19fc  Teb: 00000000febfd000 Win32Thread: fffff90144e6f010 READY on processor 80000003
    THREAD ffffe0003bf113c0  Cid 14c0.1b08  Teb: 000000007e3bc000 Win32Thread: fffff90145872b60 READY on processor 80000000
    THREAD ffffe000398cb080  Cid 0688.1a8c  Teb: 00007ff64fa76000 Win32Thread: fffff90145eb3b60 READY on processor 80000003
    THREAD ffffe0003c62f040  Cid 0004.1e70  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000002
...
At this point we know that many threads are working on the same crash dump file. Since Process Explorer has a “Verify Image Signatures” feature, and part of that job is to call CryptCATAdminCalcHashFromFileHandle, let's open Process Explorer, open a crash dump file in WinDbg, and click on the WinDbg process to see what happens:
We see that WinDbg uses the memory-mapping mechanism to map portions of the crash dump file into its address space. From the number of threads in Process Explorer we can guess that it created one verification thread for each entry in the Lower Pane. Our guess is confirmed when we attach a debugger to Process Explorer and examine the threads. If we leave it alone for a while, the threads finish their job and no harm is done. But if you click on the Process Explorer process right away, just after it has started the threads that calculate the hashes, the problem appears. The problem is that when Process Explorer calls CryptCATAdminCalcHashFromFileHandle, at some point part of the file is mapped into its own address space:

    KERNELBASE!MapViewOfFile+0x1e
    Wintrust!BigFileHashMapViewOfFileCallback+0x13e
    Wintrust!SIPObjectFlat_::GetDigestStream+0xdd
    Wintrust!SIPObject_::DigestFile+0x77
    Wintrust!SIPObject_::CreateIndirectData+0x183
    Wintrust!InboxCryptSIPCreateIndirectData+0x6d
    CRYPT32!CryptSIPCreateIndirectData+0x85
    Wintrust!_CatAdminCalcHashFromFileHandle+0x15a
    Wintrust!CryptCATAdminCalcHashFromFileHandle+0x1e

That new mapping shows up in the Lower Pane, a new thread is created for it, and that thread in turn calls CryptCATAdminCalcHashFromFileHandle. Thus Process Explorer keeps creating new threads until the system becomes unresponsive.
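The feedback loop above, as an added model (not Process Explorer's or Wintrust's code): each Lower Pane view of a file gets its own verification "thread", and verifying a file maps one more view of that same file. Keying the work by file identity rather than by view is an assumed mitigation used here only to show why the loop then converges; the paths and base addresses are constructed.

```python
import itertools
from collections import deque


class LowerPaneVerifier:
    """Sequential model of per-entry signature verification feeding itself."""

    def __init__(self, key_by_file, max_steps=200):
        self.key_by_file = key_by_file      # False = naive (one job per view)
        self.max_steps = max_steps          # step budget standing in for "system hangs"
        self.views = []                     # (path, base) views mapped in the verifier's own process
        self.seen = set()                   # keys already handed to a verification thread
        self.pending = deque()              # verification threads waiting to run
        self.spawned = 0
        self._base = itertools.count(0x7FF6_0000_0000, 0x10000)  # constructed view addresses

    def _key(self, view):
        path, base = view
        return path if self.key_by_file else (path, base)

    def refresh_lower_pane(self):
        """Spawn one verification thread for every entry not handled yet."""
        for view in list(self.views):
            key = self._key(view)
            if key in self.seen:
                continue
            self.seen.add(key)
            self.pending.append(view)
            self.spawned += 1

    def calc_hash_from_file_handle(self, view):
        """Hashing maps a view of the file (MapViewOfFile in the trace);
        that view becomes a fresh Lower Pane entry of the same file."""
        path, _ = view
        self.views.append((path, next(self._base)))

    def run(self, initial_paths):
        """Returns (threads spawned, converged?)."""
        self.views = [(p, next(self._base)) for p in initial_paths]
        for _ in range(self.max_steps):
            self.refresh_lower_pane()
            if not self.pending:
                return self.spawned, True       # nothing left to verify
            self.calc_hash_from_file_handle(self.pending.popleft())
        return self.spawned, False              # budget exhausted: runaway growth


if __name__ == "__main__":
    print("per-view keys:", LowerPaneVerifier(key_by_file=False).run(["crash.dmp"]))
    print("per-file keys:", LowerPaneVerifier(key_by_file=True).run(["crash.dmp"]))
```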
Edited by Bazhan - 11 hours 23 minutes ago at 12:11pm