
Session Space

When debugging Windows kernels, you sometimes see addresses that look like ordinary kernel-space memory: they begin with 0xffff and fall inside a module that is loaded in the System process (PID 4, e.g. the win32kbase module). Yet reading them with a d* command shows nothing but question marks.

12: kd> !thread ffffbc04`06b7a040
THREAD ffffbc0406b7a040  Cid 0004.1374  Teb: 0000000000000000 Win32Thread: ffffa68116596ea0 WAIT: (WrUserRequest) KernelMode Non-Alertable
    ffffbc04157e8c90  SynchronizationEvent
Not impersonating
DeviceMap                 ffffe5096164d8c0
Owning Process            ffffbc03f5b79040       Image:         System
Attached Process          ffffbc040736b140       Image:         csrss.exe
Wait Start TickCount      1883320        Ticks: 38399 (0:00:09:59.984)
Context Switch Count      11102          IdealProcessor: 6             
UserTime                  00:00:00.000
KernelTime                00:00:00.031
Win32 Start Address nt!ExpWorkerThread (0xfffff805390b64d0)
Stack Init ffffa681165975f0 Current ffffa68116596680
Base ffffa68116598000 Limit ffffa68116591000 Call 0000000000000000
Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr               : Args to Child                                                           : Call Site
ffffa681`165966c0 fffff805`3903f405     : ffff9481`48911180 00000000`00000000 ffffbc03`f5bb0040 00000000`00000000 : nt!KiSwapContext+0x76 [minkernel\ntos\ke\amd64\ctxswap.asm @ 134] 
ffffa681`16596800 fffff805`3903d764     : ffffbc04`06b7a040 ffffbc03`00000000 00000000`00000000 00000000`00000000 : nt!KiSwapThread+0xab5 [minkernel\ntos\ke\thredsup.c @ 14593] 
ffffa681`16596950 fffff805`3903c996     : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x134 [minkernel\ntos\ke\waitsup.c @ 795] 
ffffa681`16596a00 fffff99b`3c078c87     : ffffbc04`00000000 ffffbc04`157e8c80 ffffa681`16597248 ffffbc04`11c49480 : nt!KeWaitForSingleObject+0x256 [minkernel\ntos\ke\wait.c @ 867] 
ffffa681`16596da0 fffff99b`3c0787b2     : ffffa681`16597248 00000000`00000005 00000000`6f707355 00000000`00000044 : **win32kbase!QueuePowerRequest**+0x187
ffffa681`16596e00 fffff99b`3c0e35d6     : 00000000`00000000 00000000`00000001 ffffa681`16597248 00000000`00000000 : win32kbase!UserPowerStateCallout+0x126
ffffa681`16596e50 fffff99b`3c5710cb     : 00000000`00000004 fffff805`39a69600 ffffa681`165970d0 00000000`00000001 : win32kbase!W32CalloutDispatch+0x1a6
ffffa681`16596fa0 fffff805`395f168b     : 00000000`00000000 ffffbc03`ffc7b540 ffffbc04`0736b140 fffff805`3923f970 : win32k!W32CalloutDispatchThunk+0x2b
ffffa681`16596fd0 fffff805`394d3612     : 00000000`00000010 00000000`00040082 ffffa681`165970b8 ffff9481`48911180 : nt!ExCallSessionCallBack+0xa3 [minkernel\ntos\ex\callback.c @ 1738] 
ffffa681`16597090 fffff805`395784b7     : ffffbc04`1c36f640 fffff805`39a3f3e0 00000000`00000000 fffff805`3903fa8b : nt!PsInvokeWin32Callout+0x82 [minkernel\ntos\ps\callback.c @ 1754] 
ffffa681`165970c0 fffff805`39578307     : 00000000`00000004 ffffa681`16597248 ffffa681`16597248 00000000`00000000 : nt!PopInvokeWin32Callout+0x177 [minkernel\ntos\po\session.c @ 1051] 
(Inline Function) --------`--------     : --------`-------- --------`-------- --------`-------- --------`-------- : nt!PerfIsGroupOnInGroupMask+0x25 (Inline Function @ fffff805`39578307) [onecore\internal\sdk\inc\minwin\ntwmi.h @ 4097] 
ffffa681`165971a0 fffff805`395f9630     : 00000000`00000014 00000000`00000000 00000000`00000014 00000000`00000000 : nt!PopDispatchStateCallout+0x5b [minkernel\ntos\po\paction.c @ 2798] 
(Inline Function) --------`--------     : --------`-------- --------`-------- --------`-------- --------`-------- : nt!PoStartPowerStateTasks+0x25 (Inline Function @ fffff805`395f9630) [minkernel\ntos\po\paction.c @ 1574] 
ffffa681`16597210 fffff805`395f9b20     : 00000000`00000000 ffffbc03`f5b06230 ffffbc04`06b7a040 fffff805`390b6bff : nt!PopIssueActionRequest+0x1b8 [minkernel\ntos\po\paction.c @ 1895] 
ffffa681`165972c0 fffff805`3915ac68     : ffffbc04`06b7a000 00000000`00000002 00000000`fffffffb fffff805`39b4aac0 : nt!PopPolicyWorkerAction+0x80 [minkernel\ntos\po\paction.c @ 1093] 
ffffa681`16597340 fffff805`390b6625     : ffffbc03`00000001 ffffbc04`06b7a040 ffffa681`16597480 ffffbc03`f5b06230 : nt!PopPolicyWorkerThread+0xa8 [minkernel\ntos\po\pwork.c @ 271] 
ffffa681`16597380 fffff805`390e5c07     : ffffbc04`06b7a040 00000000`000002f7 ffffbc04`06b7a040 fffff805`390b64d0 : nt!ExpWorkerThread+0x155 [minkernel\ntos\ex\worker.c @ 4308] 
ffffa681`16597570 fffff805`3923f044     : ffff9481`48718180 ffffbc04`06b7a040 fffff805`390e5bb0 00000000`00000000 : nt!PspSystemThreadStartup+0x57 [minkernel\ntos\ps\psexec.c @ 10885] 
ffffa681`165975c0 00000000`00000000     : ffffa681`16598000 ffffa681`16591000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34 [minkernel\ntos\ke\amd64\threadbg.asm @ 83]

Win32k lives in session space. To view its contents you must switch the debugger to the correct session, and when live debugging you must use hardware breakpoints.

To switch session space:

11: kd> !session
Sessions on machine: 2
Valid Sessions: 0 1
Current Session 0

11: kd> !session -s 1
Sessions on machine: 2
Implicit process is now ffffce01`1779e080
.cache forcedecodeptes done
Using session 1l

If you are starting from a process instead (e.g. an interactive process that you know belongs to the correct session), use .process /P <PEPROCESS> to switch context.

Use hardware breakpoints because the same code VA in session space can be backed by a different physical address in each session: a software breakpoint patches the bytes of the mapping in the session you set it from, so code running through another session's mapping never hits it, whereas a hardware breakpoint is matched by the processor's debug registers on the virtual address, independent of which session is currently mapped.
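The two steps above, switching to the address space of the process a thread is currently attached to and then placing a hardware breakpoint, as a small WinDbg command script. This is an added example, not from the original post; the ETHREAD argument, the script file name and the use of win32kbase!QueuePowerRequest (the routine highlighted in the stack above) as the breakpoint target are assumptions.

```windbg
$$ session-from-thread.wds (constructed example, not part of the original post)
$$ Usage: $$>a< session-from-thread.wds <ETHREAD address>
$$ e.g.   $$>a< session-from-thread.wds ffffbc04`06b7a040

r $t0 = ${$arg1}

$$ _KTHREAD.ApcState.Process is the process whose address space the thread is
$$ executing in right now: the "Attached Process" line of !thread when the thread
$$ did a KeStackAttachProcess, otherwise its owning process.
r $t1 = @@c++(((nt!_KTHREAD *)@$t0)->ApcState.Process)
.printf "thread %p is running in the address space of process %p\n", @$t0, @$t1

$$ Switch the debugger's implicit process (and with it the session-space mapping)
$$ to that process, and force the debugger to re-read PTEs for the new context.
.process /P @$t1
.cache forcedecodeptes
!session

$$ Session-space code is now readable from this context.
u win32kbase!QueuePowerRequest L4

$$ Hardware (debug-register) breakpoint on execution: matched on the VA by the CPU,
$$ so it fires no matter which session's mapping of win32kbase is active.
ba e1 win32kbase!QueuePowerRequest
bl
```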
