Techwiki:Win32k/desktops

From ReactOS Wiki
Revision as of 13:20, 2 November 2012 by Smiley (talk | contribs)

This is WIP!


Desktop creation

xxxCreateDesktop2:
f6ef7a30 bf89c2a4 win32k!CreateDesktopHeap+0x73
f6ef7a80 bf879e12 win32k!xxxCreateDesktop2+0x195
f6ef7ab0 bf879dc0 win32k!ParseDesktop+0x93
f6ef7ae8 806024b0 win32k!ParseWindowStation+0xab
f6ef7b14 8060270c nt!ExpWin32SessionCallout+0x3c
f6ef7b58 805b37d9 nt!ExpWin32ParseProcedure+0x60
f6ef7be0 805b010b nt!ObpLookupObjectName+0x119
f6ef7c34 bf87aa19 nt!ObOpenObjectByName+0xeb
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x6d
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95



Unmapping the startup desktop

kd> k
ChildEBP RetAddr  
f6f87aec 806024b0 win32k!UnmapDesktop
f6f87b18 80602572 nt!ExpWin32SessionCallout+0x3c
f6f87b44 805b11d3 nt!ExpWin32CloseProcedure+0x5c
f6f87b74 805b0b27 nt!ObpDecrementHandleCount+0x119
f6f87b9c 805b0bc5 nt!ObpCloseHandleTableEntry+0x14d
f6f87be4 805b0cd6 nt!ObpCloseHandle+0x87
f6f87bf8 bf87b773 nt!ObCloseHandle+0x12
f6f87c18 bf877114 win32k!DestroyProcessInfo+0x1f2
f6f87c40 bf8771bc win32k!xxxUserProcessCallout+0xb7
f6f87c5c 805c761b win32k!W32pProcessCallout+0x42
f6f87d08 805c7a3a nt!PspExitThread+0x423
f6f87d28 805c7c15 nt!PspTerminateThreadByPointer+0x52
f6f87d54 8053cbc8 nt!NtTerminateProcess+0x105
f6f87d54 7c91eb94 nt!KiFastCallEntry+0xf8
0022fdc4 7c91e89a ntdll!KiFastSystemCallRet
0022fe84 7c91f0aa ntdll!NtTerminateProcess+0xc
kd> k
ChildEBP RetAddr  
f9aad9d0 806024b0 win32k!FreeDesktop
f9aad9fc 8060262f nt!ExpWin32SessionCallout+0x3c
f9aada14 805afb2f nt!ExpWin32DeleteProcedure+0x41
f9aada30 80522181 nt!ObpRemoveObjectRoutine+0xdf
f9aada54 bf8038ee nt!ObfDereferenceObject+0x5f
f9aada5c bf8029d3 win32k!UserDereferenceObject+0xe
f9aada68 bf8a58ba win32k!PopAndFreeW32ThreadLock+0x25
f9aadd30 bf88dc63 win32k!xxxDesktopThread+0x864
f9aadd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f9aadd54 8053cbc8 win32k!NtUserCallOneParam+0x23
f9aadd54 7c91eb94 nt!KiFastCallEntry+0xf8
012dffe0 75b0ba1a ntdll!KiFastSystemCallRet
kd> k
ChildEBP RetAddr  
f9aad9d0 806024b0 win32k!FreeDesktop
f9aad9fc 8060262f nt!ExpWin32SessionCallout+0x3c
f9aada14 805afb2f nt!ExpWin32DeleteProcedure+0x41
f9aada30 80522181 nt!ObpRemoveObjectRoutine+0xdf
f9aada54 bf8038ee nt!ObfDereferenceObject+0x5f
f9aada5c bf8029d3 win32k!UserDereferenceObject+0xe
f9aada68 bf8a58ba win32k!PopAndFreeW32ThreadLock+0x25
f9aadd30 bf88dc63 win32k!xxxDesktopThread+0x864
f9aadd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f9aadd54 8053cbc8 win32k!NtUserCallOneParam+0x23
f9aadd54 7c91eb94 nt!KiFastCallEntry+0xf8
012dffe0 75b0ba1a ntdll!KiFastSystemCallRet
kd> k
ChildEBP RetAddr  
f6845b34 806024b0 win32k!UnmapDesktop
f6845b60 80602572 nt!ExpWin32SessionCallout+0x3c
f6845b8c 805b11d3 nt!ExpWin32CloseProcedure+0x5c
f6845bbc 805b0b27 nt!ObpDecrementHandleCount+0x119
f6845be4 805b72e3 nt!ObpCloseHandleTableEntry+0x14d
f6845c04 8060329f nt!ObpCloseHandleProcedure+0x1f
f6845c34 805b73dc nt!ExSweepHandleTable+0x4f
f6845c60 805c77e1 nt!ObKillProcess+0x5c
f6845d08 805c7a3a nt!PspExitThread+0x5e9
f6845d28 805c7c15 nt!PspTerminateThreadByPointer+0x52
f6845d54 8053cbc8 nt!NtTerminateProcess+0x105
f6845d54 7c91eb94 nt!KiFastCallEntry+0xf8
0022fdc4 7c91e89a ntdll!KiFastSystemCallRet
0022fe84 7c91f0aa ntdll!NtTerminateProcess+0xc
0022fec4 7c81ca96 ntdll!RtlAnsiStringToUnicodeString+0x7d

Desktop heap mapping

f6ef77b0 bf879ccd nt!MmMapViewOfSection
f6ef7828 806024b0 win32k!MapDesktop+0xe5
f6ef7854 8060269f nt!ExpWin32SessionCallout+0x3c
f6ef7880 805b1807 nt!ExpWin32OpenProcedure+0x67
f6ef7930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6ef7998 805b02ac nt!ObpCreateHandle+0x17d
f6ef79e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f6ef7ab0 bf87833a win32k!xxxCreateDesktop+0x6d
f6ef7bc0 bf878d9c win32k!xxxResolveDesktop+0x815
f6ef7cc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f6ef7cd4 bf819f1c win32k!UserThreadCallout+0x72
f6ef7cf0 805c1785 win32k!W32pThreadCallout+0x3d
f6ef7d54 8053c8ce nt!PsConvertToGuiThread+0x139

f6ef7980 bf89bf8e nt!MmMapViewOfSection
f6ef79fc bf89c3f0 win32k!UserCreateHeap+0x4a
f6ef7a30 bf89c2a4 win32k!CreateDesktopHeap+0x73
f6ef7a80 bf879e12 win32k!xxxCreateDesktop2+0x195
f6ef7ab0 bf879dc0 win32k!ParseDesktop+0x93
f6ef7ae8 806024b0 win32k!ParseWindowStation+0xab
f6ef7b14 8060270c nt!ExpWin32SessionCallout+0x3c
f6ef7b58 805b37d9 nt!ExpWin32ParseProcedure+0x60
f6ef7be0 805b010b nt!ObpLookupObjectName+0x119
f6ef7c34 bf87aa19 nt!ObOpenObjectByName+0xeb
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x6d
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f6ef79fc bf879ccd nt!MmMapViewOfSection
f6ef7a74 806024b0 win32k!MapDesktop+0xe5
f6ef7aa0 8060269f nt!ExpWin32SessionCallout+0x3c
f6ef7acc 805b1807 nt!ExpWin32OpenProcedure+0x67
f6ef7b7c 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6ef7be4 805b02ac nt!ObpCreateHandle+0x17d
f6ef7c34 bf87aa19 nt!ObOpenObjectByName+0x28c
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x6d
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f6ef7bd4 bf879ccd nt!MmMapViewOfSection
f6ef7c4c bf87ab0e win32k!MapDesktop+0xe5
f6ef7cfc bf89d235 win32k!xxxCreateDesktop+0x1bc
f6ef7d48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f6f177b0 bf879ccd nt!MmMapViewOfSection
f6f17828 806024b0 win32k!MapDesktop+0xe5
f6f17854 8060269f nt!ExpWin32SessionCallout+0x3c
f6f17880 805b1807 nt!ExpWin32OpenProcedure+0x67
f6f17930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6f17998 805b02ac nt!ObpCreateHandle+0x17d
f6f179e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f6f17ab0 bf87833a win32k!xxxCreateDesktop+0x6d
f6f17bc0 bf878d9c win32k!xxxResolveDesktop+0x815
f6f17cc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f6f17cd4 bf819f1c win32k!UserThreadCallout+0x72
f6f17cf0 805c1785 win32k!W32pThreadCallout+0x3d
f6f17d54 8053c8ce nt!PsConvertToGuiThread+0x139

win32k!MapDesktop

f9a1d944 806024b0 win32k!MapDesktop
f9a1d970 8060269f nt!ExpWin32SessionCallout+0x3c
f9a1d99c 805b1807 nt!ExpWin32OpenProcedure+0x67
f9a1da4c 805b1ded nt!ObpIncrementHandleCount+0x2cf
f9a1dab4 805b02ac nt!ObpCreateHandle+0x17d
f9a1db04 bf87aa19 nt!ObOpenObjectByName+0x28c
f9a1dbcc bf87833a win32k!xxxCreateDesktop+0x6d
f9a1dcdc bf89225a win32k!xxxResolveDesktop+0x815
f9a1dd4c 8053cbc8 win32k!NtUserResolveDesktop+0xdb

f701f828 806024b0 win32k!MapDesktop
f701f854 8060269f nt!ExpWin32SessionCallout+0x3c
f701f880 805b1807 nt!ExpWin32OpenProcedure+0x67
f701f930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f701f998 805b02ac nt!ObpCreateHandle+0x17d
f701f9e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f701fab0 bf87833a win32k!xxxCreateDesktop+0x6d
f701fbc0 bf878d9c win32k!xxxResolveDesktop+0x815
f701fcc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f701fcd4 bf819f1c win32k!UserThreadCallout+0x72
f701fcf0 805c1785 win32k!W32pThreadCallout+0x3d
f701fd54 8053c8ce nt!PsConvertToGuiThread+0x139

f701fa74 806024b0 win32k!MapDesktop
f701faa0 8060269f nt!ExpWin32SessionCallout+0x3c
f701facc 805b1807 nt!ExpWin32OpenProcedure+0x67
f701fb7c 805b1ded nt!ObpIncrementHandleCount+0x2cf
f701fbe4 805b02ac nt!ObpCreateHandle+0x17d
f701fc34 bf87aa19 nt!ObOpenObjectByName+0x28c
f701fcfc bf89d235 win32k!xxxCreateDesktop+0x6d
f701fd48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f701fc4c bf87ab0e win32k!MapDesktop
f701fcfc bf89d235 win32k!xxxCreateDesktop+0x1bc
f701fd48 8053cbc8 win32k!NtUserCreateDesktop+0x95

f701f98c 806024b0 win32k!MapDesktop
f701f9b8 8060269f nt!ExpWin32SessionCallout+0x3c
f701f9e4 805b1807 nt!ExpWin32OpenProcedure+0x67
f701fa94 805b7932 nt!ObpIncrementHandleCount+0x2cf
f701fb38 80603c7c nt!ObDupHandleProcedure+0x9a
f701fb74 805b7982 nt!ExDupHandleTable+0x11a
f701fb9c 805c5ca6 nt!ObInitProcess+0x34
f701fce4 805c62f3 nt!PspCreateProcess+0x308
f701fd38 8053cbc8 nt!NtCreateProcessEx+0x77

f6fcf828 806024b0 win32k!MapDesktop
f6fcf854 8060269f nt!ExpWin32SessionCallout+0x3c
f6fcf880 805b1807 nt!ExpWin32OpenProcedure+0x67
f6fcf930 805b1ded nt!ObpIncrementHandleCount+0x2cf
f6fcf998 805b02ac nt!ObpCreateHandle+0x17d
f6fcf9e8 bf87aa19 nt!ObOpenObjectByName+0x28c
f6fcfab0 bf87833a win32k!xxxCreateDesktop+0x6d
f6fcfbc0 bf878d9c win32k!xxxResolveDesktop+0x815
f6fcfcc0 bf819e16 win32k!xxxCreateThreadInfo+0x4d5
f6fcfcd4 bf819f1c win32k!UserThreadCallout+0x72
f6fcfcf0 805c1785 win32k!W32pThreadCallout+0x3d
f6fcfd54 8053c8ce nt!PsConvertToGuiThread+0x139

f9a1da80 806024b0 win32k!MapDesktop
f9a1daac 8060269f nt!ExpWin32SessionCallout+0x3c
f9a1dad8 805b1807 nt!ExpWin32OpenProcedure+0x67
f9a1db88 805b1ded nt!ObpIncrementHandleCount+0x2cf
f9a1dbf0 805b0494 nt!ObpCreateHandle+0x17d
f9a1dcc0 bf89235f nt!ObOpenObjectByPointer+0xa4
f9a1dd10 bf8862a5 win32k!xxxSetCsrssThreadDesktop+0x6e
f9a1dd30 bf88615f win32k!xxxSetInformationThread+0x9a
f9a1dd4c 8053cbc8 win32k!NtUserSetInformationThread+0x31

f9a1dca8 bf86bc92 win32k!MapDesktop
f9a1dcd4 bf892383 win32k!xxxSetThreadDesktop+0x3a
f9a1dd10 bf8862a5 win32k!xxxSetCsrssThreadDesktop+0xc3
f9a1dd30 bf88615f win32k!xxxSetInformationThread+0x9a
f9a1dd4c 8053cbc8 win32k!NtUserSetInformationThread+0x31

f99fda38 bf86bc92 win32k!MapDesktop
f99fda64 bf8a5608 win32k!xxxSetThreadDesktop+0x3a
f99fdd30 bf88dc63 win32k!xxxDesktopThread+0x576
f99fdd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f99fdd54 8053cbc8 win32k!NtUserCallOneParam+0x23

f99fda38 bf86bc92 win32k!MapDesktop
f99fda64 bf8a5896 win32k!xxxSetThreadDesktop+0x3a
f99fdd30 bf88dc63 win32k!xxxDesktopThread+0x840
f99fdd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f99fdd54 8053cbc8 win32k!NtUserCallOneParam+0x23

f6d41d14 bf86bc92 win32k!MapDesktop
f6d41d40 bf86bde2 win32k!xxxSetThreadDesktop+0x3a
f6d41d58 8053cbc8 win32k!NtUserSetThreadDesktop+0x2f
f6d41d58 7c91eb94 nt!KiFastCallEntry+0xf8
00efff70 7e37f0ac ntdll!KiFastSystemCallRet
00efffb4 7c80b6a3 USER32!NtUserSetThreadDesktop+0xc
00efffec 00000000 KERNEL32!BaseThreadStart+0x37
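
The MapDesktop traces above reduce to a few distinct routes into the mapping code. As an added example (not part of the original wiki page), the Python below parses `k`-style frames, splits run-together traces at each offset-less innermost frame, and reports for every trace which callback or win32k function led to MapDesktop and which system service it came from. The names `split_traces`, `classify` and `summarize` are this example's own; the sample is four traces copied from the section above.

```python
import re

# Four of the win32k!MapDesktop traces from this page, run together as in the
# log (no separator between traces).
LOG = """\
f9a1d944 806024b0 win32k!MapDesktop
f9a1d970 8060269f nt!ExpWin32SessionCallout+0x3c
f9a1d99c 805b1807 nt!ExpWin32OpenProcedure+0x67
f9a1da4c 805b1ded nt!ObpIncrementHandleCount+0x2cf
f9a1dab4 805b02ac nt!ObpCreateHandle+0x17d
f9a1db04 bf87aa19 nt!ObOpenObjectByName+0x28c
f9a1dbcc bf87833a win32k!xxxCreateDesktop+0x6d
f9a1dcdc bf89225a win32k!xxxResolveDesktop+0x815
f9a1dd4c 8053cbc8 win32k!NtUserResolveDesktop+0xdb
f701fc4c bf87ab0e win32k!MapDesktop
f701fcfc bf89d235 win32k!xxxCreateDesktop+0x1bc
f701fd48 8053cbc8 win32k!NtUserCreateDesktop+0x95
f701f98c 806024b0 win32k!MapDesktop
f701f9b8 8060269f nt!ExpWin32SessionCallout+0x3c
f701f9e4 805b1807 nt!ExpWin32OpenProcedure+0x67
f701fa94 805b7932 nt!ObpIncrementHandleCount+0x2cf
f701fb38 80603c7c nt!ObDupHandleProcedure+0x9a
f701fb74 805b7982 nt!ExDupHandleTable+0x11a
f701fb9c 805c5ca6 nt!ObInitProcess+0x34
f701fce4 805c62f3 nt!PspCreateProcess+0x308
f701fd38 8053cbc8 nt!NtCreateProcessEx+0x77
f9a1dca8 bf86bc92 win32k!MapDesktop
f9a1dcd4 bf892383 win32k!xxxSetThreadDesktop+0x3a
f9a1dd10 bf8862a5 win32k!xxxSetCsrssThreadDesktop+0xc3
f9a1dd30 bf88615f win32k!xxxSetInformationThread+0x9a
f9a1dd4c 8053cbc8 win32k!NtUserSetInformationThread+0x31
"""

# ChildEBP RetAddr [three "Args to Child" words] module!function[+0xoffset]
FRAME = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){0,3}(\w+)!(\w+)(\+0x[0-9a-f]+)?")

def split_traces(text):
    """Yield traces as lists of 'module!function', innermost frame first."""
    trace = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # prompts, column headers, WARNING lines, blanks
        # No +offset: breakpoint hit at function entry, so a new trace begins.
        if m.group(3) is None and trace:
            yield trace
            trace = []
        trace.append(f"{m.group(1)}!{m.group(2)}")
    if trace:
        yield trace

def classify(trace):
    """Return (dispatcher, service): the caller of ExpWin32SessionCallout (an
    object-manager callback) or, without a callout, the innermost frame's
    direct caller; and the first Nt* system service found walking outward."""
    callout = "nt!ExpWin32SessionCallout"
    i = trace.index(callout) if callout in trace else 0
    how = trace[min(i + 1, len(trace) - 1)]
    service = next((f for f in trace if f.split("!")[1].startswith("Nt")), trace[-1])
    return how, service

def summarize(text):
    return [classify(t) for t in split_traces(text)]
```

On these four traces the open callback appears both for an explicit open under NtUserResolveDesktop and for handle duplication during NtCreateProcessEx, while the other two reach MapDesktop directly from win32k.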

SwitchDesktop

Desktop thread: 
ChildEBP RetAddr  Args to Child              
f87a0b78 bf81d7d7 00000000 81df6038 e1443310 win32k!xxxSetThreadDesktop
f87a0be0 bf85e762 bc6306e8 00000046 00000000 win32k!xxxDesktopWndProc+0xdb  WM_WINDOWPOSCHANGING
f87a0c44 bf846a6b e1484560 bf994180 e1484560 win32k!xxxReceiveMessage+0x293
f87a0c80 bf879dea f87a0cdc 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x1ce
f87a0d34 bf80b656 e1484560 00000001 f87a0d64 win32k!xxxDesktopThread+0x297
f87a0d44 bf874990 bf994180 f87a0d64 0071fff4 win32k!xxxCreateSystemThreads+0x68
f87a0d54 805303c4 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x20

winlogon thread:
ChildEBP RetAddr  Args to Child              
f8760a0c 804fd59e 81e05618 81e055a8 81db2ad0 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f8760a1c 804f631c 00000240 e138aca8 00000000 nt!KiSwapThread+0x6a (FPO: [Uses EBP] [0,0,4])
f8760a44 bf87a528 00000000 0000000d 00000001 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f8760a80 bf846a3b 00000200 00000000 00000000 win32k!xxxSleepThread+0x189 (FPO: [Non-Fpo])
f8760b1c bf859111 bc6306e8 00000046 00000000 win32k!xxxInterSendMsgEx+0x6f9 (FPO: [Non-Fpo])
f8760b68 bf8714d3 bc6306e8 00000046 00000000 win32k!xxxSendMessageTimeout+0x11c (FPO: [Non-Fpo])
f8760b88 bf8457d8 bc6306e8 00000046 00000000 win32k!xxxSendMessage+0x1a (FPO: [4,0,0])
f8760c4c bf84563b bc6306e8 f8760cb0 00000000 win32k!xxxCalcValidRects+0xe4 (FPO: [2,40,3])
f8760ca8 bf845bb9 bf997c80 00000000 bf994180 win32k!xxxEndDeferWindowPosEx+0xb9 (FPO: [Non-Fpo])
f8760cc4 bf812274 bc6306e8 00000000 00000000 win32k!xxxSetWindowPos+0xbe (FPO: [Non-Fpo])
f8760d30 bf812637 00000794 81e055a8 81e95d5c win32k!xxxSwitchDesktop+0x274 (FPO: [Non-Fpo])
f8760d58 805303c4 00000558 806bcba9 00235000 win32k!NtUserSwitchDesktop+0x91 (FPO: [Non-Fpo])

win32k!ProcessMouseInput

kd> !thread 0x81d97888
THREAD 81d97888  Cid 0234.0264  Teb: 7ffd8000 Win32Thread: e1484560 RUNNING on processor 1
IRP List:
    81df0980: (0006,0190) Flags: 00000970  Mdl: 00000000
    81df3e70: (0006,0190) Flags: 00000970  Mdl: 00000000
Not impersonating
DeviceMap                 e10092b8
Owning Process            0       Image:         <Unknown>
Attached Process          81e04020       Image:         csrss.exe
Wait Start TickCount      13229          Ticks: 3 (0:00:00:00.046)
Context Switch Count      2405                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:02.234
Start Address 0x75aec252
Stack Init f87a1000 Current f87a0730 Base f87a1000 Limit f879e000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child              
f87a0614 bf8600d3 f7fec0e0 bd05362c 0000005c nt!memmove+0x33
f87a0638 bf87c8f3 0000000e 00000000 00000000 win32k!vSrcCopyS32D32Identity+0x59 (FPO: [Non-Fpo])
f87a084c bf87829e e13026f0 00000000 00000000 win32k!EngCopyBits+0x4e1 (FPO: [6,127,3])
f87a0894 bf83dd10 bf87c6e0 bf999bbc e13026f0 win32k!OffCopyBits+0x7b (FPO: [Non-Fpo])
f87a094c bf837112 e141f048 f87a09c0 e1114018 win32k!vSpWriteToScreen+0x97 (FPO: [Non-Fpo])
f87a09dc bf83d7e1 e1114018 00000002 00000216 win32k!vSpRedrawUncoveredArea+0x186 (FPO: [Non-Fpo])
f87a0aa8 bf83e68d e141f048 f87a0acc 00000000 win32k!bSpUpdatePosition+0x171 (FPO: [3,44,3])
f87a0ad8 bf82da04 e13026f0 000001a0 00000216 win32k!EngMovePointer+0x13e (FPO: [Non-Fpo])
f87a0afc bf82d980 e141f008 000001a0 00000216 win32k!vMovePointer+0x70 (FPO: [Non-Fpo])
f87a0b20 bf821a3a e141f008 000001a0 00000216 win32k!GreMovePointer+0xd7 (FPO: [Non-Fpo])
f87a0b5c bf821d98 000001a0 00000216 00000000 win32k!xxxMoveEventAbsolute+0x136 (FPO: [Non-Fpo])
f87a0b94 bf821e1b 0003276f 81d97888 804f9a9a win32k!ProcessMouseInput+0x16f (FPO: [Non-Fpo])
f87a0ba0 804f9a9a e1483eb8 e1483ee0 00000000 win32k!InputApc+0x4b (FPO: [3,0,1])
f87a0be8 806bcd40 00000000 00000000 f87a0c00 nt!KiDeliverApc+0x122 (FPO: [Non-Fpo])
f87a0be8 806bca20 00000000 00000000 f87a0c00 hal!HalpApcInterrupt+0xb0 (FPO: [0,2] TrapFrame @ f87a0c00)
f87a0c70 bf879e6e bf994180 e1484560 00000000 hal!HalRequestSoftwareInterrupt+0x3c (FPO: [0,0,0])
f87a0c88 bf879dd2 00000002 81df1568 bf80c937 win32k!xxxMsgWaitForMultipleObjects+0x77 (FPO: [Non-Fpo])
f87a0d34 bf80b656 e1484560 00000001 f87a0d64 win32k!xxxDesktopThread+0x182 (FPO: [1,34,3])
f87a0d44 bf874990 bf994180 f87a0d64 0071fff4 win32k!xxxCreateSystemThreads+0x68 (FPO: [Non-Fpo])
f87a0d54 805303c4 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x20 (FPO: [2,0,2])
f87a0d54 7ffe0304 00000000 00000022 00000000 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ f87a0d64)
00000000 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

Another interesting trace from here: http://www.pcreview.co.uk/forums/need-help-windbg-log-t3767870.html

f6da7a8c bf885998 804e37aa 00000001 00000000 win32k!zzzSetFMouseMoved+0x42
f6da7ad4 bf89fc64 00000022 006efff4 bf801087 win32k!ProcessQueuedMouseEvents+0x1c8
f6da7d30 bf884635 f6db7490 00000002 f6da7d54 win32k!RawInputThread+0x5b9
f6da7d40 bf8010aa f6db7490 f6da7d64 006efff4 win32k!xxxCreateSystemThreads+0x60
f6da7d54 804dd99f 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23

Desktop thread creation

NtUserCreateWindowStation makes an LPC call to csrss to create the system threads

3: kd> !thread 0x81e6eb30
THREAD 81e6eb30  Cid 024c.0250  Teb: 7ffde000 Win32Thread: e1502638 RUNNING on processor 3
IRP List:
    81ed4220: (0006,0094) Flags: 00000800  Mdl: 00000000
Not impersonating
DeviceMap                 e10092b8
Owning Process            0       Image:         <Unknown>
Attached Process          81e6eda8       Image:         winlogon.exe
Wait Start TickCount      1705           Ticks: 30 (0:00:00:00.468)
Context Switch Count      12                 LargeStack
UserTime                  00:00:00.156
KernelTime                00:00:04.359
Start Address winlogon!__delayLoadHelper2 (0x0103c559)
Stack Init f87b1000 Current f87b0c48 Base f87b1000 Limit f87ac000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child              
f87b048c bf80b4c1 e145bde0 f87b04a4 f87b04a4 nt!LpcRequestWaitReplyPort (FPO: [3,0,0])
f87b04ec bf80a89a bf994180 bf80a92a bf994180 win32k!xxxInitInput+0x57 (FPO: [Non-Fpo])
f87b04f4 bf80a92a bf994180 00000000 bf994180 win32k!CreateTerminalInput+0x15 (FPO: [1,0,0])
f87b0558 bf80a8a9 000000a8 7ffdec0e 01015182 win32k!xxxInitTerminal+0xae (FPO: [Non-Fpo])
f87b07ac bf811324 81f57850 81f57850 02000000 win32k!xxxCreateWindowStation+0xce (FPO: [Non-Fpo])
f87b0d40 805303c4 0006fb54 02000000 000000a4 win32k!NtUserCreateWindowStation+0x2d3 (FPO: [Non-Fpo])
f87b0d40 7ffe0304 0006fb54 02000000 000000a4 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ f87b0d64)
0006f840 77d21e04 77d21dbc 0006fb54 02000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
0006fb8c 77d21c87 0006fba0 02000000 00000000 USER32!CreateWindowStationW+0x19e
0006fba8 01030e65 01015174 00000000 02000000 USER32!CreateWindowStationW+0x21
0006ff14 01031309 77e5ad86 0006fff4 00072364 winlogon!CreatePrimaryTerminal+0x120 (FPO: [Non-Fpo])
0006ff50 0103c6d6 01000000 00000000 00072364 winlogon!MiscInitialization+0x1ca (FPO: [Uses EBP] [4,10,4])
0006fff4 00000000 7ffdf000 000000c8 00000100 winlogon!__delayLoadHelper2+0x23f (FPO: [Non-Fpo])

3: kd> dp f87b04a4
f87b04a4  00400028 00000000 bf813ca0 bf813b94
f87b04b4  f87b04c0 00000000 00000000 0003040a
f87b04c4  0000068c 00000001 00000000 f87b04ec
f87b04d4  bf813cfc 00000001 001f0003 bf994180
f87b04e4  bf994180 81f8d3a8 f87b0558 bf80a89a
f87b04f4  bf994180 bf80a92a bf994180 00000000
f87b0504  bf994180 00000000 00000054 81f57890
f87b0514  00000000 00000000 e1014118 00000000

The system threads are created

2: kd> kb
ChildEBP RetAddr  Args to Child              
f87c0d44 bf874990 00000000 f87c0d64 006dfff4 win32k!xxxCreateSystemThreads
f87c0d54 805303c4 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x20
f87c0d54 7ffe0304 00000000 00000022 00000000 nt!KiSystemService+0xc9
006dffe0 75ae4f9e 75aec264 00000000 00000022 SharedUserData!SystemCallStub+0x4
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 f000ff53 f000ff53 f000ff53 f000ff53 0x75ae4f9e
00000000 00000000 f000ff53 f000ff53 f000ff53 0xf000ff53

And NtUserCreateWindowStation waits until the system threads are initialized

2: kd> !thread 0x81e6eb30
THREAD 81e6eb30  Cid 024c.0250  Teb: 7ffde000 Win32Thread: e1502638 WAIT: (WrUserRequest) KernelMode Non-Alertable
    81f8d3a8  SynchronizationEvent
IRP List:
    81ed4220: (0006,0094) Flags: 00000800  Mdl: 00000000
Not impersonating
DeviceMap                 e10092b8
Owning Process            0       Image:         <Unknown>
Attached Process          81e6eda8       Image:         winlogon.exe
Wait Start TickCount      1736           Ticks: 0
Context Switch Count      13                 LargeStack
UserTime                  00:00:00.156
KernelTime                00:00:04.375
Start Address winlogon!__delayLoadHelper2 (0x0103c559)
Stack Init f87b1000 Current f87b0434 Base f87b1000 Limit f87ac000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for USER32.dll - 
ChildEBP RetAddr  Args to Child              
f87b044c 804fd59e 81e6eba0 81e6eb30 81f8d3a8 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f87b045c 804f631c 001f0003 00000000 00000000 nt!KiSwapThread+0x6a (FPO: [Uses EBP] [0,0,4])
f87b0484 bf80b4d3 00000000 0000000d 00000000 nt!KeWaitForSingleObject+0x1c0 (FPO: [Non-Fpo])
f87b04ec bf80a89a bf994180 bf80a92a bf994180 win32k!xxxInitInput+0x69 (FPO: [Non-Fpo])
f87b04f4 bf80a92a bf994180 00000000 bf994180 win32k!CreateTerminalInput+0x15 (FPO: [1,0,0])
f87b0558 bf80a8a9 000000a8 7ffdec0e 01015182 win32k!xxxInitTerminal+0xae (FPO: [Non-Fpo])
f87b07ac bf811324 81f57850 81f57850 02000000 win32k!xxxCreateWindowStation+0xce (FPO: [Non-Fpo])
f87b0d40 805303c4 0006fb54 02000000 000000a4 win32k!NtUserCreateWindowStation+0x2d3 (FPO: [Non-Fpo])
f87b0d40 7ffe0304 0006fb54 02000000 000000a4 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ f87b0d64)
0006f840 77d21e04 77d21dbc 0006fb54 02000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
0006fb8c 77d21c87 0006fba0 02000000 00000000 USER32!CreateWindowStationW+0x19e
0006fba8 01030e65 01015174 00000000 02000000 USER32!CreateWindowStationW+0x21
0006ff14 01031309 77e5ad86 0006fff4 00072364 winlogon!CreatePrimaryTerminal+0x120 (FPO: [Non-Fpo])
0006ff50 0103c6d6 01000000 00000000 00072364 winlogon!MiscInitialization+0x1ca (FPO: [Uses EBP] [4,10,4])
0006fff4 00000000 7ffdf000 000000c8 00000100 winlogon!__delayLoadHelper2+0x23f (FPO: [Non-Fpo])