User:Alvinhochun/Localization/Misc. Traces
Revision as of 08:00, 16 May 2015 by Alvinhochun (talk | contribs)
Miscellaneous traces mixed together in a single page.
[/XP SP3 MUI/]
XP SP3 Localized zh-HK
Default UI language
Brought to you by Process Monitor:
Access to HKU\.DEFAULT\Control Panel\Desktop\MUILanguagePending
"0","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ZwQueryValueKey + 0x11","0x804de4a1","C:\WINDOWS\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","NtSetDefaultUILanguage + 0x1c","0x805af820","C:\WINDOWS\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
"4","ntoskrnl.exe","ZwSetDefaultUILanguage + 0x11","0x804de7c1","C:\WINDOWS\system32\ntoskrnl.exe"
"5","win32k.sys","NtUserUpdatePerUserSystemParameters + 0x13","0xbf89938a","C:\WINDOWS\System32\win32k.sys"
"6","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
Access to HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId
"0","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ZwQueryValueKey + 0x11","0x804de4a1","C:\WINDOWS\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","NtQueryDefaultUILanguage + 0x49","0x8057fae7","C:\WINDOWS\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
"4","ntoskrnl.exe","ZwQueryDefaultUILanguage + 0x11","0x804de20d","C:\WINDOWS\system32\ntoskrnl.exe"
"5","win32k.sys","NtUserUpdatePerUserSystemParameters + 0x13","0xbf89938a","C:\WINDOWS\System32\win32k.sys"
"6","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
The same values under HKCU of the SYSTEM account are accessed later, with the same stack traces.
Process Monitor says the process is winlogon.exe, but the stack trace contains only kernel-mode frames :S
OK, here comes the WinDbg stack trace:
f874facc 804de7ec nt!NtSetDefaultUILanguage+0x11
f874facc 804dd7c1 nt!KiFastCallEntry+0xf8
f874fb48 bf8997f0 nt!ZwSetDefaultUILanguage+0x11
f874fd44 bf89938a win32k!xxxUpdatePerUserSystemParameters+0x483
f874fd54 804de7ec win32k!NtUserUpdatePerUserSystemParameters+0x13
f874fd54 7c90e4f4 nt!KiFastCallEntry+0xf8
0006fc58 7e4217b5 ntdll!KiFastSystemCallRet
0006fc8c 0101e4f7 USER32!NtUserUpdatePerUserSystemParameters+0xc
0006fcac 0102d3a8 winlogon!InitSystemParametersInfo+0x6d
0006fcc8 01027f5e winlogon!ResetEnvironment+0xba
0006fce8 01031864 winlogon!SecurityChangeUser+0xb6
0006ff50 0103e75e winlogon!WinMain+0x1f1
0006fff4 00000000 winlogon!WinMainCRTStartup+0x174
Installed MUI languages
Access to HKLM\System\CurrentControlSet\Control\Nls\MUILanguages, by svchost.exe
"0","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
"1","kernel32.dll","Internal_EnumUILanguages + 0xc0","0x7c82a980","C:\WINDOWS\system32\kernel32.dll"
"2","kernel32.dll","EnumUILanguagesW + 0x15","0x7c82a8d9","C:\WINDOWS\system32\kernel32.dll"
"3","advapi32.dll","WmipGetLanguageList + 0x47","0x77dbeb38","C:\WINDOWS\system32\advapi32.dll"
"4","advapi32.dll","WmipProcessMofAddRemoveEvent + 0x65","0x77dc012e","C:\WINDOWS\system32\advapi32.dll"
"5","advapi32.dll","WmipInternalNotification + 0x196","0x77dc0093","C:\WINDOWS\system32\advapi32.dll"
"6","advapi32.dll","WmipReceiveNotifications + 0x129","0x77dbfff7","C:\WINDOWS\system32\advapi32.dll"
"7","advapi32.dll","WmiReceiveNotificationsW + 0x1d","0x77dbfee7","C:\WINDOWS\system32\advapi32.dll"
"8","wmisvc.dll","CWDMListener::EvtCallThis + 0x34","0x598ac5c2","C:\WINDOWS\system32\wbem\wmisvc.dll"
"9","wmisvc.dll","CWDMListener::EvtCallBackAdd + 0x2f","0x598ac76e","C:\WINDOWS\system32\wbem\wmisvc.dll"
"10","ntdll.dll","RtlpWaitOrTimerCallout + 0x73","0x7c947e71","C:\WINDOWS\System32\ntdll.dll"
"11","ntdll.dll","RtlpAsyncWaitCallbackCompletion + 0x25","0x7c94b073","C:\WINDOWS\System32\ntdll.dll"
"12","ntdll.dll","RtlpWorkerCallout + 0x70","0x7c947aa2","C:\WINDOWS\System32\ntdll.dll"
"13","ntdll.dll","RtlpExecuteWorkerRequest + 0x1a","0x7c947ae3","C:\WINDOWS\System32\ntdll.dll"
"14","ntdll.dll","RtlpApcCallout + 0x11","0x7c947ba5","C:\WINDOWS\System32\ntdll.dll"
"15","ntdll.dll","RtlpWorkerThread + 0x87","0x7c947b7c","C:\WINDOWS\System32\ntdll.dll"
"16","kernel32.dll","BaseThreadStart + 0x37","0x7c80b713","C:\WINDOWS\system32\kernel32.dll"
System Locale (non-Unicode setting)
Access to HKLM\System\CurrentControlSet\Control\Nls\Language\Default, by csrss.exe
"0","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ZwQueryValueKey + 0x11","0x804de4a1","C:\WINDOWS\system32\ntoskrnl.exe"
"2","win32k.sys","InitializeGreCSRSS + 0x43","0xbf8a8292","C:\WINDOWS\System32\win32k.sys"
"3","win32k.sys","NtUserInitialize + 0x62","0xbf8a822b","C:\WINDOWS\System32\win32k.sys"
"4","ntoskrnl.exe","KiFastCallEntry + 0xf8","0x804df7ec","C:\WINDOWS\system32\ntoskrnl.exe"