Techwiki:Win32k/desktops
This is WIP!
Desktop creation
xxxCreateDesktop2:
f6ef7a30 bf89c2a4 win32k!CreateDesktopHeap+0x73
f6ef7a80 bf879e12 win32k!xxxCreateDesktop2+0x195
f6ef7ab0 bf879dc0 win32k!ParseDesktop+0x93
f6ef7ae8 806024b0 win32k!ParseWindowStation+0xab
f6ef7b14 8060270c nt!ExpWin32SessionCallout+0x3c
f6ef7b58 805b37d9 nt!ExpWin32ParseProcedure+0x60
f6ef7be0 805b010b nt!ObpLookupObjectName+0x119
f6ef7c34 bf87aa19 nt!ObOpenObjectByName+0xeb
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x6d
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95
Unmapping the startup desktop
kd> k
ChildEBP RetAddr
f6f87aec 806024b0 win32k!UnmapDesktop
f6f87b18 80602572 nt!ExpWin32SessionCallout+0x3c
f6f87b44 805b11d3 nt!ExpWin32CloseProcedure+0x5c
f6f87b74 805b0b27 nt!ObpDecrementHandleCount+0x119
f6f87b9c 805b0bc5 nt!ObpCloseHandleTableEntry+0x14d
f6f87be4 805b0cd6 nt!ObpCloseHandle+0x87
f6f87bf8 bf87b773 nt!ObCloseHandle+0x12
f6f87c18 bf877114 win32k!DestroyProcessInfo+0x1f2
f6f87c40 bf8771bc win32k!xxxUserProcessCallout+0xb7
f6f87c5c 805c761b win32k!W32pProcessCallout+0x42
f6f87d08 805c7a3a nt!PspExitThread+0x423
f6f87d28 805c7c15 nt!PspTerminateThreadByPointer+0x52
f6f87d54 8053cbc8 nt!NtTerminateProcess+0x105
f6f87d54 7c91eb94 nt!KiFastCallEntry+0xf8
0022fdc4 7c91e89a ntdll!KiFastSystemCallRet
0022fe84 7c91f0aa ntdll!NtTerminateProcess+0xc
kd> k
ChildEBP RetAddr
f9aad9d0 806024b0 win32k!FreeDesktop
f9aad9fc 8060262f nt!ExpWin32SessionCallout+0x3c
f9aada14 805afb2f nt!ExpWin32DeleteProcedure+0x41
f9aada30 80522181 nt!ObpRemoveObjectRoutine+0xdf
f9aada54 bf8038ee nt!ObfDereferenceObject+0x5f
f9aada5c bf8029d3 win32k!UserDereferenceObject+0xe
f9aada68 bf8a58ba win32k!PopAndFreeW32ThreadLock+0x25
f9aadd30 bf88dc63 win32k!xxxDesktopThread+0x864
f9aadd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f9aadd54 8053cbc8 win32k!NtUserCallOneParam+0x23
f9aadd54 7c91eb94 nt!KiFastCallEntry+0xf8
012dffe0 75b0ba1a ntdll!KiFastSystemCallRet
kd> k
ChildEBP RetAddr
f6845b34 806024b0 win32k!UnmapDesktop
f6845b60 80602572 nt!ExpWin32SessionCallout+0x3c
f6845b8c 805b11d3 nt!ExpWin32CloseProcedure+0x5c
f6845bbc 805b0b27 nt!ObpDecrementHandleCount+0x119
f6845be4 805b72e3 nt!ObpCloseHandleTableEntry+0x14d
f6845c04 8060329f nt!ObpCloseHandleProcedure+0x1f
f6845c34 805b73dc nt!ExSweepHandleTable+0x4f
f6845c60 805c77e1 nt!ObKillProcess+0x5c
f6845d08 805c7a3a nt!PspExitThread+0x5e9
f6845d28 805c7c15 nt!PspTerminateThreadByPointer+0x52
f6845d54 8053cbc8 nt!NtTerminateProcess+0x105
f6845d54 7c91eb94 nt!KiFastCallEntry+0xf8
0022fdc4 7c91e89a ntdll!KiFastSystemCallRet
0022fe84 7c91f0aa ntdll!NtTerminateProcess+0xc
0022fec4 7c81ca96 ntdll!RtlAnsiStringToUnicodeString+0x7d
Desktop heap mapping
f6ef77b0 bf879ccd nt!MmMapViewOfSection
f6ef7828 806024b0 win32k!MapDesktop+0xe5
f6ef7854 8060269f nt!ExpWin32SessionCallout+0x3c
f6ef7880 805b1807 nt!ExpWin32OpenProcedure+0x67
f6ef7930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6ef7998 805b02ac nt!ObpCreateHandle+0x17d
f6ef79e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f6ef7ab0 bf87833a win32k!xxxCreateDesktop+0x6d
f6ef7bc0 bf878d9c win32k!xxxResolveDesktop+0x815
f6ef7cc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f6ef7cd4 bf819f1c win32k!UserThreadCallout+0x72
f6ef7cf0 805c1785 win32k!W32pThreadCallout+0x3d
f6ef7d54 8053c8ce nt!PsConvertToGuiThread+0x139

f6ef7980 bf89bf8e nt!MmMapViewOfSection
f6ef79fc bf89c3f0 win32k!UserCreateHeap+0x4a
f6ef7a30 bf89c2a4 win32k!CreateDesktopHeap+0x73
f6ef7a80 bf879e12 win32k!xxxCreateDesktop2+0x195
f6ef7ab0 bf879dc0 win32k!ParseDesktop+0x93
f6ef7ae8 806024b0 win32k!ParseWindowStation+0xab
f6ef7b14 8060270c nt!ExpWin32SessionCallout+0x3c
f6ef7b58 805b37d9 nt!ExpWin32ParseProcedure+0x60
f6ef7be0 805b010b nt!ObpLookupObjectName+0x119
f6ef7c34 bf87aa19 nt!ObOpenObjectByName+0xeb
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x6d
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f6ef79fc bf879ccd nt!MmMapViewOfSection
f6ef7a74 806024b0 win32k!MapDesktop+0xe5
f6ef7aa0 8060269f nt!ExpWin32SessionCallout+0x3c
f6ef7acc 805b1807 nt!ExpWin32OpenProcedure+0x67
f6ef7b7c 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6ef7be4 805b02ac nt!ObpCreateHandle+0x17d
f6ef7c34 bf87aa19 nt!ObOpenObjectByName+0x28c
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x6d
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f6ef7bd4 bf879ccd nt!MmMapViewOfSection
f6ef7c4c bf87ab0e win32k!MapDesktop+0xe5
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x1bc
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f6f177b0 bf879ccd nt!MmMapViewOfSection
f6f17828 806024b0 win32k!MapDesktop+0xe5
f6f17854 8060269f nt!ExpWin32SessionCallout+0x3c
f6f17880 805b1807 nt!ExpWin32OpenProcedure+0x67
f6f17930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6f17998 805b02ac nt!ObpCreateHandle+0x17d
f6f179e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f6f17ab0 bf87833a win32k!xxxCreateDesktop+0x6d
f6f17bc0 bf878d9c win32k!xxxResolveDesktop+0x815
f6f17cc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f6f17cd4 bf819f1c win32k!UserThreadCallout+0x72
f6f17cf0 805c1785 win32k!W32pThreadCallout+0x3d
f6f17d54 8053c8ce nt!PsConvertToGuiThread+0x139
win32k!MapDesktop
f9a1d944 806024b0 win32k!MapDesktop
f9a1d970 8060269f nt!ExpWin32SessionCallout+0x3c
f9a1d99c 805b1807 nt!ExpWin32OpenProcedure+0x67
f9a1da4c 805b1ded nt!ObpIncrementHandleCount+0x2cf
f9a1dab4 805b02ac nt!ObpCreateHandle+0x17d
f9a1db04 bf87aa19 nt!ObOpenObjectByName+0x28c
f9a1dbcc bf87833a win32k!xxxCreateDesktop+0x6d
f9a1dcdc bf89225a win32k!xxxResolveDesktop+0x815
f9a1dd4c 8053cbc8 win32k!NtUserResolveDesktop+0xdb

f701f828 806024b0 win32k!MapDesktop
f701f854 8060269f nt!ExpWin32SessionCallout+0x3c
f701f880 805b1807 nt!ExpWin32OpenProcedure+0x67
f701f930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f701f998 805b02ac nt!ObpCreateHandle+0x17d
f701f9e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f701fab0 bf87833a win32k!xxxCreateDesktop+0x6d
f701fbc0 bf878d9c win32k!xxxResolveDesktop+0x815
f701fcc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f701fcd4 bf819f1c win32k!UserThreadCallout+0x72
f701fcf0 805c1785 win32k!W32pThreadCallout+0x3d
f701fd54 8053c8ce nt!PsConvertToGuiThread+0x139

f701fa74 806024b0 win32k!MapDesktop
f701faa0 8060269f nt!ExpWin32SessionCallout+0x3c
f701facc 805b1807 nt!ExpWin32OpenProcedure+0x67
f701fb7c 805b1ded nt!ObpIncrementHandleCount+0x2cf
f701fbe4 805b02ac nt!ObpCreateHandle+0x17d
f701fc34 bf87aa19 nt!ObOpenObjectByName+0x28c
f701fcfc bf89d235 win32k!xxxCreateDesktop+0x6d
f701fd48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f701fc4c bf87ab0e win32k!MapDesktop
f701fcfc bf89d235 win32k!xxxCreateDesktop+0x1bc
f701fd48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f701f98c 806024b0 win32k!MapDesktop
f701f9b8 8060269f nt!ExpWin32SessionCallout+0x3c
f701f9e4 805b1807 nt!ExpWin32OpenProcedure+0x67
f701fa94 805b7932 nt!ObpIncrementHandleCount+0x2cf
f701fb38 80603c7c nt!ObDupHandleProcedure+0x9a
f701fb74 805b7982 nt!ExDupHandleTable+0x11a
f701fb9c 805c5ca6 nt!ObInitProcess+0x34
f701fce4 805c62f3 nt!PspCreateProcess+0x308
f701fd38 8053cbc8 nt!NtCreateProcessEx+0x77

f6fcf828 806024b0 win32k!MapDesktop
f6fcf854 8060269f nt!ExpWin32SessionCallout+0x3c
f6fcf880 805b1807 nt!ExpWin32OpenProcedure+0x67
f6fcf930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6fcf998 805b02ac nt!ObpCreateHandle+0x17d
f6fcf9e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f6fcfab0 bf87833a win32k!xxxCreateDesktop+0x6d
f6fcfbc0 bf878d9c win32k!xxxResolveDesktop+0x815
f6fcfcc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f6fcfcd4 bf819f1c win32k!UserThreadCallout+0x72
f6fcfcf0 805c1785 win32k!W32pThreadCallout+0x3d
f6fcfd54 8053c8ce nt!PsConvertToGuiThread+0x139

f9a1da80 806024b0 win32k!MapDesktop
f9a1daac 8060269f nt!ExpWin32SessionCallout+0x3c
f9a1dad8 805b1807 nt!ExpWin32OpenProcedure+0x67
f9a1db88 805b1ded nt!ObpIncrementHandleCount+0x2cf
f9a1dbf0 805b0494 nt!ObpCreateHandle+0x17d
f9a1dcc0 bf89235f nt!ObOpenObjectByPointer+0xa4
f9a1dd10 bf8862a5 win32k!xxxSetCsrssThreadDesktop+0x6e
f9a1dd30 bf88615f win32k!xxxSetInformationThread+0x9a
f9a1dd4c 8053cbc8 win32k!NtUserSetInformationThread+0x31

f9a1dca8 bf86bc92 win32k!MapDesktop
f9a1dcd4 bf892383 win32k!xxxSetThreadDesktop+0x3a
f9a1dd10 bf8862a5 win32k!xxxSetCsrssThreadDesktop+0xc3
f9a1dd30 bf88615f win32k!xxxSetInformationThread+0x9a
f9a1dd4c 8053cbc8 win32k!NtUserSetInformationThread+0x31

f99fda38 bf86bc92 win32k!MapDesktop
f99fda64 bf8a5608 win32k!xxxSetThreadDesktop+0x3a
f99fdd30 bf88dc63 win32k!xxxDesktopThread+0x576
f99fdd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f99fdd54 8053cbc8 win32k!NtUserCallOneParam+0x23

f99fda38 bf86bc92 win32k!MapDesktop
f99fda64 bf8a5896 win32k!xxxSetThreadDesktop+0x3a
f99fdd30 bf88dc63 win32k!xxxDesktopThread+0x840
f99fdd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f99fdd54 8053cbc8 win32k!NtUserCallOneParam+0x23

f6d41d14 bf86bc92 win32k!MapDesktop
f6d41d40 bf86bde2 win32k!xxxSetThreadDesktop+0x3a
f6d41d58 8053cbc8 win32k!NtUserSetThreadDesktop+0x2f
f6d41d58 7c91eb94 nt!KiFastCallEntry+0xf8
00efff70 7e37f0ac ntdll!KiFastSystemCallRet
00efffb4 7c80b6a3 USER32!NtUserSetThreadDesktop+0xc
00efffec 00000000 KERNEL32!BaseThreadStart+0x37
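The walks above catalogue the different ways a thread ends up in win32k!MapDesktop. Keeping track of that by eye gets tedious once a few dozen traces have been collected, so the following Python is an added example (it is not part of this page and not win32k or WinDbg code): a parser for the `k` output format used throughout this page, with or without the three "Args to Child" columns and with or without the trailing FPO or window-message annotations, plus a helper that, for every walk reaching a target function, reports the kernel entry point it came in through and the function that called the target directly. The kernel module list and the set of generic dispatcher symbols are assumptions for this XP-era x86 build; the sample input is three of the MapDesktop walks from this page.

```python
import re
from dataclasses import dataclass

# One frame of WinDbg "k" output, with or without the three "Args to Child"
# columns and with or without a trailing FPO / message annotation:
#   ChildEBP RetAddr [Arg0 Arg1 Arg2] module!symbol[+0xoffset] [annotation]
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<args>(?:[0-9a-f]{8}\s+){3})?"
    r"(?P<module>[A-Za-z0-9_]+)!(?P<symbol>[A-Za-z0-9_@]+)"
    r"(?:\+0x(?P<offset>[0-9a-f]+))?(?P<rest>.*)$")

KERNEL_MODULES = {"nt", "win32k", "hal"}          # assumption: XP-era x86 build
# Generic system-service dispatchers: they do not identify the service called.
DISPATCHERS = {"KiFastCallEntry", "KiSystemService"}

@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    module: str
    symbol: str
    offset: int
    args: tuple          # the three "Args to Child" values, () for plain "k" output
    annotation: str      # e.g. "(FPO: [Non-Fpo])" or "WM_WINDOWPOSCHANGING"

    @property
    def name(self):
        return f"{self.module}!{self.symbol}"

def _frame(m):
    args = tuple(int(a, 16) for a in m.group("args").split()) if m.group("args") else ()
    return Frame(int(m.group("ebp"), 16), int(m.group("ret"), 16), m.group("module"),
                 m.group("symbol"), int(m.group("offset") or "0", 16), args,
                 m.group("rest").strip())

def split_traces(text):
    """Split a debugger log into separate stack walks. A new walk starts at a blank
    line, a 'kd>' prompt or a 'ChildEBP' column header; non-frame text is skipped."""
    traces, current = [], []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("kd>") or s.startswith("ChildEBP"):
            if current:
                traces.append(current)
            current = []
            continue
        m = FRAME_RE.match(s)
        if m:
            current.append(_frame(m))
    if current:
        traces.append(current)
    return traces

def parse_frames(text):
    return [f for trace in split_traces(text) for f in trace]

def entry_frame(frames):
    """Outermost kernel frame that is not a generic dispatcher: the system service
    (NtUser*, NtCreateProcessEx, ...) or nt!PsConvertToGuiThread for an implicit
    GUI-thread conversion. Frames below it belong to user mode (ntdll, USER32, ...)."""
    for f in reversed(frames):
        if f.module.lower() in KERNEL_MODULES and f.symbol not in DISPATCHERS:
            return f
    return None

def paths_to(text, target="win32k!MapDesktop"):
    """For every walk that reaches `target`, record the kernel entry point it came
    in through and the function that called `target` directly."""
    paths = {}
    for frames in split_traces(text):
        names = [f.name for f in frames]
        if target not in names:
            continue
        i = names.index(target)
        caller = names[i + 1] if i + 1 < len(names) else None
        entry = entry_frame(frames)
        paths.setdefault(entry.name if entry else None, set()).add(caller)
    return paths

# Sample input: three of the MapDesktop walks from this page, separated by blank lines.
SAMPLE = """
f701fc4c bf87ab0e win32k!MapDesktop
f701fcfc bf89d235 win32k!xxxCreateDesktop+0x1bc
f701fd48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f9a1dca8 bf86bc92 win32k!MapDesktop
f9a1dcd4 bf892383 win32k!xxxSetThreadDesktop+0x3a
f9a1dd10 bf8862a5 win32k!xxxSetCsrssThreadDesktop+0xc3
f9a1dd30 bf88615f win32k!xxxSetInformationThread+0x9a
f9a1dd4c 8053cbc8 win32k!NtUserSetInformationThread+0x31

f6d41d14 bf86bc92 win32k!MapDesktop
f6d41d40 bf86bde2 win32k!xxxSetThreadDesktop+0x3a
f6d41d58 8053cbc8 win32k!NtUserSetThreadDesktop+0x2f
f6d41d58 7c91eb94 nt!KiFastCallEntry+0xf8
00efff70 7e37f0ac ntdll!KiFastSystemCallRet
00efffb4 7c80b6a3 USER32!NtUserSetThreadDesktop+0xc
00efffec 00000000 KERNEL32!BaseThreadStart+0x37
"""

if __name__ == "__main__":
    for entry, callers in sorted(paths_to(SAMPLE).items()):
        print(f"{entry:36} <- {', '.join(sorted(callers))}")
```

Feed it the output of a conditional breakpoint such as `bp win32k!MapDesktop "k; g"` (redirected to a log file) and `paths_to` gives the same summary the section above builds by hand: one line per distinct entry point, listing the direct callers of MapDesktop. Walks that cross back into user mode are handled by taking the outermost non-dispatcher kernel frame, so the NtUserSetThreadDesktop walk is attributed to that service rather than to nt!KiFastCallEntry.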
SwitchDesktop
Desktop thread:
ChildEBP RetAddr Args to Child
f87a0b78 bf81d7d7 00000000 81df6038 e1443310 win32k!xxxSetThreadDesktop
f87a0be0 bf85e762 bc6306e8 00000046 00000000 win32k!xxxDesktopWndProc+0xdb   WM_WINDOWPOSCHANGING
f87a0c44 bf846a6b e1484560 bf994180 e1484560 win32k!xxxReceiveMessage+0x293
f87a0c80 bf879dea f87a0cdc 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x1ce
f87a0d34 bf80b656 e1484560 00000001 f87a0d64 win32k!xxxDesktopThread+0x297
f87a0d44 bf874990 bf994180 f87a0d64 0071fff4 win32k!xxxCreateSystemThreads+0x68
f87a0d54 805303c4 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x20

winlogon thread:
ChildEBP RetAddr Args to Child
f8760a0c 804fd59e 81e05618 81e055a8 81db2ad0 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f8760a1c 804f631c 00000240 e138aca8 00000000 nt!KiSwapThread+0x6a (FPO: [Uses EBP] [0,0,4])
f8760a44 bf87a528 00000000 0000000d 00000001 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f8760a80 bf846a3b 00000200 00000000 00000000 win32k!xxxSleepThread+0x189 (FPO: [Non-Fpo])
f8760b1c bf859111 bc6306e8 00000046 00000000 win32k!xxxInterSendMsgEx+0x6f9 (FPO: [Non-Fpo])
f8760b68 bf8714d3 bc6306e8 00000046 00000000 win32k!xxxSendMessageTimeout+0x11c (FPO: [Non-Fpo])
f8760b88 bf8457d8 bc6306e8 00000046 00000000 win32k!xxxSendMessage+0x1a (FPO: [4,0,0])
f8760c4c bf84563b bc6306e8 f8760cb0 00000000 win32k!xxxCalcValidRects+0xe4 (FPO: [2,40,3])
f8760ca8 bf845bb9 bf997c80 00000000 bf994180 win32k!xxxEndDeferWindowPosEx+0xb9 (FPO: [Non-Fpo])
f8760cc4 bf812274 bc6306e8 00000000 00000000 win32k!xxxSetWindowPos+0xbe (FPO: [Non-Fpo])
f8760d30 bf812637 00000794 81e055a8 81e95d5c win32k!xxxSwitchDesktop+0x274 (FPO: [Non-Fpo])
f8760d58 805303c4 00000558 806bcba9 00235000 win32k!NtUserSwitchDesktop+0x91 (FPO: [Non-Fpo])
win32k!ProcessMouseInput
kd> !thread 0x81d97888
THREAD 81d97888  Cid 0234.0264  Teb: 7ffd8000 Win32Thread: e1484560 RUNNING on processor 1
IRP List:
    81df0980: (0006,0190) Flags: 00000970  Mdl: 00000000
    81df3e70: (0006,0190) Flags: 00000970  Mdl: 00000000
Not impersonating
DeviceMap e10092b8
Owning Process 0 Image: <Unknown>
Attached Process 81e04020 Image: csrss.exe
Wait Start TickCount 13229 Ticks: 3 (0:00:00:00.046)
Context Switch Count 2405 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:02.234
Start Address 0x75aec252
Stack Init f87a1000 Current f87a0730 Base f87a1000 Limit f879e000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
f87a0614 bf8600d3 f7fec0e0 bd05362c 0000005c nt!memmove+0x33
f87a0638 bf87c8f3 0000000e 00000000 00000000 win32k!vSrcCopyS32D32Identity+0x59 (FPO: [Non-Fpo])
f87a084c bf87829e e13026f0 00000000 00000000 win32k!EngCopyBits+0x4e1 (FPO: [6,127,3])
f87a0894 bf83dd10 bf87c6e0 bf999bbc e13026f0 win32k!OffCopyBits+0x7b (FPO: [Non-Fpo])
f87a094c bf837112 e141f048 f87a09c0 e1114018 win32k!vSpWriteToScreen+0x97 (FPO: [Non-Fpo])
f87a09dc bf83d7e1 e1114018 00000002 00000216 win32k!vSpRedrawUncoveredArea+0x186 (FPO: [Non-Fpo])
f87a0aa8 bf83e68d e141f048 f87a0acc 00000000 win32k!bSpUpdatePosition+0x171 (FPO: [3,44,3])
f87a0ad8 bf82da04 e13026f0 000001a0 00000216 win32k!EngMovePointer+0x13e (FPO: [Non-Fpo])
f87a0afc bf82d980 e141f008 000001a0 00000216 win32k!vMovePointer+0x70 (FPO: [Non-Fpo])
f87a0b20 bf821a3a e141f008 000001a0 00000216 win32k!GreMovePointer+0xd7 (FPO: [Non-Fpo])
f87a0b5c bf821d98 000001a0 00000216 00000000 win32k!xxxMoveEventAbsolute+0x136 (FPO: [Non-Fpo])
f87a0b94 bf821e1b 0003276f 81d97888 804f9a9a win32k!ProcessMouseInput+0x16f (FPO: [Non-Fpo])
f87a0ba0 804f9a9a e1483eb8 e1483ee0 00000000 win32k!InputApc+0x4b (FPO: [3,0,1])
f87a0be8 806bcd40 00000000 00000000 f87a0c00 nt!KiDeliverApc+0x122 (FPO: [Non-Fpo])
f87a0be8 806bca20 00000000 00000000 f87a0c00 hal!HalpApcInterrupt+0xb0 (FPO: [0,2] TrapFrame @ f87a0c00)
f87a0c70 bf879e6e bf994180 e1484560 00000000 hal!HalRequestSoftwareInterrupt+0x3c (FPO: [0,0,0])
f87a0c88 bf879dd2 00000002 81df1568 bf80c937 win32k!xxxMsgWaitForMultipleObjects+0x77 (FPO: [Non-Fpo])
f87a0d34 bf80b656 e1484560 00000001 f87a0d64 win32k!xxxDesktopThread+0x182 (FPO: [1,34,3])
f87a0d44 bf874990 bf994180 f87a0d64 0071fff4 win32k!xxxCreateSystemThreads+0x68 (FPO: [Non-Fpo])
f87a0d54 805303c4 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x20 (FPO: [2,0,2])
f87a0d54 7ffe0304 00000000 00000022 00000000 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ f87a0d64)
00000000 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

Another interesting trace from here: http://www.pcreview.co.uk/forums/need-help-windbg-log-t3767870.html
f6da7a8c bf885998 804e37aa 00000001 00000000 win32k!zzzSetFMouseMoved+0x42
f6da7ad4 bf89fc64 00000022 006efff4 bf801087 win32k!ProcessQueuedMouseEvents+0x1c8
f6da7d30 bf884635 f6db7490 00000002 f6da7d54 win32k!RawInputThread+0x5b9
f6da7d40 bf8010aa f6db7490 f6da7d64 006efff4 win32k!xxxCreateSystemThreads+0x60
f6da7d54 804dd99f 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23