Windows sysinternals


422 Part III Troubleshooting—“The Case of the Unexplained...”

locked, the thread ID of the thread owning the lock, and the number of threads waiting to acquire it. Andrew used a similar command, !critlist from the Sieext.dll debugger extension [3]. The output showed that multiple threads were piled up waiting for thread 223 to release a critical section:

0:000> !sieext.critlist
CritSec at 608e244c. Owned by thread 223.
Waiting Threads: 43 218 219 220 221 222 224 226 227 228 230 231 232 233

His next step was to see what the owning thread was doing, which might point at the code responsible for the long delays. He switched to the owning thread’s register context using the ~ command and then dumped the thread’s stack with the k command:

0:000> ~223s
eax=61192840 ebx=00000080 ecx=0000000f edx=00000074 esi=7c829e37 edi=40100080
eip=7c82860c esp=61191c40 ebp=61191cdc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
7c82860c c3              ret
0:223> knL
 # ChildEBP RetAddr
00 61191c3c 7c826e09 ntdll!KiFastSystemCallRet
01 61191c40 77e649ff ntdll!ZwCreateFile+0xc
02 61191cdc 608c6b70 kernel32!CreateFileW+0x377
WARNING: Stack unwind information not available. Following frames may be wrong.
03 61191cfc 7527e1a6 SAVFMSEVSAPI+0x6b70
04 00000000 00000000 0x7527e1a6

As sometimes happens, the debugger was unsure how to interpret the stack when it came across a stack frame pointing into Savfmsevsapi, an image for which it couldn’t obtain symbols. Most Windows images have their symbols posted on the Microsoft symbol server, so this was likely a third-party DLL loaded into Exchange’s Store.exe process and was therefore a suspect in the hangs. The list modules (lm) command dumps version information for loaded images, and the path of the image made it obvious that Savfmsevsapi was part of Symantec’s mail security product:

0:000> lmvm SAVFMSEVSAPI
start    end        module name
608c0000 608e9000   SAVFMSEVSAPI   T (no symbols)
    Loaded symbol image file: SAVFMSEVSAPI.dll
    Image path: C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSEVSAPI.dll
    Image name: SAVFMSEVSAPI.dll
    Timestamp:        Wed Jul 08 03:09:42 2009 (4A547066)
    CheckSum:         00033066
    ImageSize:        00029000
    File version:     6.0.9.286
    Product version:  6.0.9.286

[3] The public version, SieExtPub.dll, can be downloaded from microsoft.com.
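The three steps above (find the lock owner with !critlist, walk the owner's stack with k, and check with lm whether the unsymbolized module is third-party) can be scripted against saved debugger transcripts. The following is an added example, not code from the book or from Sysinternals; it parses the text output of those commands (the sample strings are the session quoted above, re-typed here), resolves each frame's return address against the module ranges reported by lmvm, and flags modules that appear on the owning thread's stack, have no symbols, and are loaded from outside the Windows directory. Treating "outside the Windows directory" as a proxy for "third-party, no symbols on the Microsoft symbol server" is this example's own assumption, and `find_suspects` and the other function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the WinDbg output quoted on this page, re-typed here.
CRITLIST_OUTPUT = """CritSec at 608e244c. Owned by thread 223.
Waiting Threads: 43 218 219 220 221 222 224 226 227 228 230 231 232 233"""

STACK_OUTPUT = """ # ChildEBP RetAddr
00 61191c3c 7c826e09 ntdll!KiFastSystemCallRet
01 61191c40 77e649ff ntdll!ZwCreateFile+0xc
02 61191cdc 608c6b70 kernel32!CreateFileW+0x377
WARNING: Stack unwind information not available. Following frames may be wrong.
03 61191cfc 7527e1a6 SAVFMSEVSAPI+0x6b70
04 00000000 00000000 0x7527e1a6"""

LMVM_OUTPUT = """start    end        module name
608c0000 608e9000   SAVFMSEVSAPI T (no symbols)
    Image path: C:\\Program Files\\Symantec\\SMSMSE\\6.0\\Server\\SAVFMSEVSAPI.dll
    File version: 6.0.9.286"""

@dataclass
class Frame:
    index: int
    ret_addr: int
    symbol: str
    reliable: bool  # False for frames listed after the "Stack unwind" warning

    @property
    def module(self) -> Optional[str]:
        # "ntdll!ZwCreateFile+0xc" -> ntdll; "SAVFMSEVSAPI+0x6b70" -> SAVFMSEVSAPI; "0x7527e1a6" -> None
        m = re.match(r"([A-Za-z0-9_.]+)(?:!|\+)", self.symbol)
        return m.group(1) if m else None

@dataclass
class Module:
    name: str
    start: int
    end: int
    has_symbols: bool
    image_path: str
    file_version: str

def parse_critlist(text: str) -> Dict[str, object]:
    """Owning thread and waiting threads from !critlist output."""
    owner = re.search(r"Owned by thread (\d+)", text)
    waiting = re.search(r"Waiting Threads:\s*(.*)", text)
    return {"owner": int(owner.group(1)) if owner else None,
            "waiters": [int(t) for t in waiting.group(1).split()] if waiting else []}

def parse_stack(text: str) -> List[Frame]:
    """Frames from k/knL output; frames after the unwind warning are marked unreliable."""
    frames, reliable = [], True
    for line in text.splitlines():
        if line.startswith("WARNING: Stack unwind information not available"):
            reliable = False
            continue
        m = re.match(r"\s*([0-9a-f]{2}) [0-9a-f]{8} ([0-9a-f]{8}) (\S+)", line)
        if m:
            frames.append(Frame(int(m.group(1), 16), int(m.group(2), 16), m.group(3), reliable))
    return frames

def parse_lmvm(text: str) -> Module:
    """Load range, symbol state, image path and file version from lmvm output."""
    hdr = re.search(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+(.*)$", text, re.M)
    path = re.search(r"Image path:\s*(.+)", text)
    ver = re.search(r"File version:\s*(\S+)", text)
    return Module(hdr.group(3), int(hdr.group(1), 16), int(hdr.group(2), 16),
                  "(no symbols)" not in hdr.group(4),
                  path.group(1).strip() if path else "", ver.group(1) if ver else "")

def caller_module(frame: Frame, modules: List[Module]) -> Optional[str]:
    """A frame's return address lies inside its caller, so resolve it against lmvm ranges."""
    for m in modules:
        if m.start <= frame.ret_addr < m.end:
            return m.name
    return None

def is_windows_system_path(path: str) -> bool:
    # Assumption of this example: images under the Windows directory normally have symbols
    # on the Microsoft symbol server, so a missing-symbol image there is not flagged.
    return "\\windows\\" in path.lower()

def find_suspects(stack: str, lmvm_outputs: List[str]) -> List[Dict[str, object]]:
    """Modules on the owning thread's stack that lack symbols and load from outside Windows."""
    modules = [parse_lmvm(o) for o in lmvm_outputs]
    by_name = {m.name.lower(): m for m in modules}
    hits: Dict[str, Dict[str, object]] = {}
    for frame in parse_stack(stack):
        for name in {n.lower() for n in (frame.module, caller_module(frame, modules)) if n}:
            mod = by_name.get(name)
            if mod is None or mod.has_symbols or is_windows_system_path(mod.image_path):
                continue
            entry = hits.setdefault(mod.name, {"module": mod.name, "image_path": mod.image_path,
                                               "file_version": mod.file_version, "frames": []})
            entry["frames"].append(frame.index)
    return list(hits.values())
```

Running `find_suspects(STACK_OUTPUT, [LMVM_OUTPUT])` on the sample yields a single entry for SAVFMSEVSAPI at frames 2 and 3: frame 3 names the module directly, and frame 2's return address 608c6b70 falls inside the 608c0000–608e9000 range from lmvm, which is the independent confirmation that the call into CreateFileW came from that DLL even though the debugger could not unwind past it.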
