I have a kernel dump of a hung system, and I came across some busy ALPC ports on system threads. From nt!AlpcpReceiveMessage I can see the port the thread is waiting on. From the port I can see the thread that is waiting. But the thread itself does not show the typical "thread X is waiting for ALPC message Y on ALPC port Z".
Thread:
0: kd> !thread fffffa80069dc040
THREAD fffffa80069dc040 Cid 0004.00b0 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
fffffa80069dc408 Semaphore Limit 0x1
Not impersonating
DeviceMap fffff8a000008ca0
Owning Process fffffa80069a9740 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 16772 Ticks: 501 (0:00:00:07.815)
Context Switch Count 408 IdealProcessor: 4
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!PopUmpoMessageThread (0xfffff8000308c8e4)
Stack Init fffff88003952c70 Current fffff88003952470
Base fffff88003953000 Limit fffff8800394d000 Call 0
Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`039524b0 fffff800`030c45f2 : 00000000`00000000 fffffa80`069dc040 00000000`00000000 00000000`00000009 : nt!KiSwapContext+0x7a
fffff880`039525f0 fffff800`030d599f : 00000000`00000000 00000000`00000000 fffffa80`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`03952680 fffff800`033dc5f9 : 00000000`00000000 00000000`00000010 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`03952720 fffff800`033dc07c : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!AlpcpReceiveMessagePort+0x189
fffff880`03952780 fffff800`033ddd56 : fffffa80`069db1c0 00000000`00000000 00000000`00000000 fffffa80`069db1c0 : nt!AlpcpReceiveMessage+0x2d9
fffff880`03952820 fffff800`030cde53 : fffffa80`069dc040 fffff880`039529c0 fffff880`03952af8 fffff800`0320230d : nt!NtAlpcSendWaitReceivePort+0x1e6
fffff880`039528d0 fffff800`030ca410 : fffff800`0308c996 00000000`00000000 fffff880`03952b30 00000000`6f706d55 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03952940)
fffff880`03952ad8 fffff800`0308c996 : 00000000`00000000 fffff880`03952b30 00000000`6f706d55 00000000`000007ff : nt!KiServiceLinkage
fffff880`03952ae0 fffff800`0336a73a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PopUmpoMessageThread+0xb2
fffff880`03952c00 fffff800`030bf8e6 : fffff880`009b3180 fffffa80`069dc040 fffffa80`069c6040 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03952c40 00000000`00000000 : fffff880`03953000 fffff880`0394d000 fffff880`03952470 00000000`00000000 : nt!KxStartSystemThread+0x16
Port:
0: kd> !alpc /p fffffa80`069db1c0
Port fffffa80069db1c0
Type : ALPC_CONNECTION_PORT
CommunicationInfo : fffff8a0000a3230
ConnectionPort : fffffa80069db1c0 (PowerPort)
ClientCommunicationPort : 0000000000000000
ServerCommunicationPort : 0000000000000000
OwnerProcess : fffffa80069a9740 (System)
SequenceNo : 0x00000001 (1)
CompletionPort : 0000000000000000
CompletionList : 0000000000000000
ConnectionPending : No
ConnectionRefused : No
Disconnected : No
Closed : No
FlushOnClose : Yes
ReturnExtendedInfo : No
Waitable : No
Security : Static
Wow64CompletionList : No
1 thread(s) are waiting on the port:
THREAD fffffa80069dc040 Cid 0004.00b0 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT
Main queue is empty.
Large message queue is empty.
Pending queue is empty.
Canceled queue is empty.
Answer 0: (score: 1)
This is a receiver thread. It is listening and waiting for LPC messages. In other words, it is idle.
If you are looking for an ALPC wait chain, you should look for threads with WrLpcReply or similar.
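As an added worked example (not part of the question or the answer above), the following Python script automates the triage the answer describes: it walks `!thread`-style blocks (the format `!thread` prints, and which `!process 0 7` repeats per thread; that the format matches exactly is an assumption), records each thread's wait reason, and pulls the ALPC port address from the first "Args to Child" column of the nt!AlpcpReceiveMessage frame, which is the value that matched `!alpc /p` in the question. One caveat a practitioner should keep in mind: on x64 those argument columns are the register home slots on the stack and are only correct when the callee happened to spill them, so always confirm a recovered address with `!alpc /p`. The sample text is constructed: the first block is trimmed from the question's own output, the second is a hypothetical client thread blocked in WrLpcReply whose addresses, Cid and image name are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. Block 1 is trimmed from the !thread output in the
# question; block 2 is a hypothetical client thread blocked in WrLpcReply whose
# addresses, Cid and image name are made up for illustration (assumption).
SAMPLE = """\
THREAD fffffa80069dc040  Cid 0004.00b0  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
Owning Process            fffffa80069a9740       Image:         System
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`03952720 fffff800`033dc07c : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!AlpcpReceiveMessagePort+0x189
fffff880`03952780 fffff800`033ddd56 : fffffa80`069db1c0 00000000`00000000 00000000`00000000 fffffa80`069db1c0 : nt!AlpcpReceiveMessage+0x2d9
fffff880`03952820 fffff800`030cde53 : fffffa80`069dc040 fffff880`039529c0 fffff880`03952af8 fffff800`0320230d : nt!NtAlpcSendWaitReceivePort+0x1e6
THREAD fffffa8006aaa040  Cid 0abc.0def  Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
Owning Process            fffffa8006a00040       Image:         svchost.exe
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`04001780 fffff800`033ddd56 : fffffa80`06a11230 00000000`00000000 00000000`00000000 fffffa80`06a11230 : nt!AlpcpReceiveMessage+0x2d9
fffff880`04001820 fffff800`030cde53 : fffffa80`06aaa040 fffff880`040019c0 fffff880`04001af8 fffff800`0320230d : nt!NtAlpcSendWaitReceivePort+0x1e6
"""

# "THREAD <addr> Cid <pid.tid> ... WAIT: (<reason>) ..." header of each block.
HEADER_RE = re.compile(
    r"^THREAD\s+(?P<addr>[0-9a-f]{16})\s+Cid\s+(?P<cid>[0-9a-f]{4}\.[0-9a-f]{4})"
    r".*?WAIT:\s*\((?P<reason>\w+)\)", re.M)
IMAGE_RE = re.compile(r"^Owning Process\s+[0-9a-f]{16}\s+Image:\s+(?P<image>\S+)", re.M)
# One stack frame: Child-SP, RetAddr, four "Args to Child" columns, call site.
HEX = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(
    rf"^(?P<sp>{HEX})\s+(?P<ret>{HEX})\s+:\s+(?P<a0>{HEX})\s+(?P<a1>{HEX})\s+"
    rf"(?P<a2>{HEX})\s+(?P<a3>{HEX})\s+:\s+(?P<site>\S+)", re.M)

# Wait reasons seen on ALPC paths and what they mean for hang triage.
VERDICTS = {
    "WrLpcReceive": "idle",     # server thread parked, waiting for the next message
    "WrLpcReply": "blocked",    # client sent a request and is waiting for the reply
}


@dataclass
class AlpcWait:
    addr: str
    cid: str
    image: str
    reason: str
    port: Optional[str]   # ALPC port recovered from the AlpcpReceiveMessage frame
    verdict: str          # "idle", "blocked" or "other"


def _port_from_frames(block: str) -> Optional[str]:
    """First argument column of the nt!AlpcpReceiveMessage frame, backtick removed."""
    for m in FRAME_RE.finditer(block):
        if m.group("site").startswith("nt!AlpcpReceiveMessage+"):
            return m.group("a0").replace("`", "")
    return None


def parse_alpc_waits(text: str) -> List[AlpcWait]:
    """Split !thread-style output into per-thread blocks and classify each wait."""
    waits = []
    for block in re.split(r"(?m)^(?=THREAD\s)", text):
        hdr = HEADER_RE.search(block)
        if not hdr:
            continue
        img = IMAGE_RE.search(block)
        reason = hdr.group("reason")
        waits.append(AlpcWait(
            addr=hdr.group("addr"), cid=hdr.group("cid"),
            image=img.group("image") if img else "?",
            reason=reason, port=_port_from_frames(block),
            verdict=VERDICTS.get(reason, "other")))
    return waits


def wait_chain_candidates(text: str) -> List[AlpcWait]:
    """Threads worth following, per the answer: WrLpcReply, not idle WrLpcReceive."""
    return [w for w in parse_alpc_waits(text) if w.verdict == "blocked"]


if __name__ == "__main__":
    for w in parse_alpc_waits(SAMPLE):
        print(f"{w.addr} Cid {w.cid} {w.image:<12} {w.reason:<13} port={w.port} -> {w.verdict}")
    for w in wait_chain_candidates(SAMPLE):
        print(f"follow: !alpc /p {w.port}   (thread {w.addr} in {w.image})")
```

Run against the sample, the question's thread comes out as `WrLpcReceive -> idle` with port fffffa80069db1c0, and only the hypothetical WrLpcReply thread is reported as a wait-chain candidate, with the `!alpc /p` command to run next on its port.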