rpcss is running.TERMSRV : Not Personal Workstation--termsrv.dll两个有效起始断点termsrv!DllMain和termsrv!ServiceMain
rpcss is running.TERMSRV : Not Personal Workstation
D:\srv03rtm\termsrv>grep "Not Personal Workstation" -nri D:\srv03rtm\termsrv
D:\srv03rtm\termsrv/winsta/server/icasrv.c:568: DbgPrint("TERMSRV : Not Personal Workstation\n");
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
0: kd> bl
0 e Disable Clear u 0001 (0001) (termsrv!DllMain)
1 e Disable Clear u 0001 (0001) (termsrv!ServiceMain)
23 e Disable Clear u 0001 (0001) (authui!WluirRequestCredentials)
/****************************************************************************/
// ServiceMain
//
// TermSrv service entry point.
/****************************************************************************/
VOID ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
{
#if DBG
if( TRUE == g_bPersonalWks )
{
DbgPrint("TERMSRV : TS running on Personal Workstation\n");
}
else
{
DbgPrint("TERMSRV : Not Personal Workstation\n");
}
#endif
rpcss is running.
WINMM(p456:t460): ClientUpdatePnpInfo: warning: called in winlogon before logged on
WINMM(p456:t472): ClientUpdatePnpInfo: warning: called in winlogon before logged on
WINMM(p456:t460): ClientUpdatePnpInfo: warning: called in winlogon before logged on
WINMM(p456:t472): ClientUpdatePnpInfo: warning: called in winlogon before logged on
KD: write to 0x74882420 ok
KD: write to 0x74882B24 ok
Breakpoint 0 hit
termsrv!DllMain:
001b:74882420 55 push ebp
1: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 141.
Image: System
PROCESS 89508248 SessionId: none Cid: 0180 Peb: 7ffdf000 ParentCid: 0004
DirBase: 7bb68000 ObjectTable: e127a650 HandleCount: 15.
Image: smss.exe
PROCESS 89604350 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7b31b000 ObjectTable: e1438998 HandleCount: 131.
Image: csrss.exe
PROCESS 8978f020 SessionId: 0 Cid: 01c8 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7ac20000 ObjectTable: e1437c50 HandleCount: 366.
Image: winlogon.exe
PROCESS 89806580 SessionId: 0 Cid: 01f4 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7aa4c000 ObjectTable: e14062d0 HandleCount: 181.
Image: services.exe
PROCESS 898f7d88 SessionId: 0 Cid: 0200 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7a814000 ObjectTable: e16c53d8 HandleCount: 276.
Image: lsass.exe
PROCESS 8950b020 SessionId: 0 Cid: 02d8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 7a398000 ObjectTable: e173d1a0 HandleCount: 92.
Image: svchost.exe
PROCESS 8987e518 SessionId: 0 Cid: 0300 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 7a39f000 ObjectTable: e161e1a0 HandleCount: 54.
Image: svchost.exe
1: kd> .PROCESS /p 8987e518
Implicit process is now 8987e518
.cache forcedecodeuser done
1: kd> !peb
PEB at 7ffdf000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 01000000
NtGlobalFlag: 440000
NtGlobalFlag2: 0
Ldr 77fba600
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00182508 . 001837f8
Ldr.InLoadOrderModuleList: 001824a0 . 001837e8
Ldr.InMemoryOrderModuleList: 001824a8 . 001837f0
Base TimeStamp Module
1000000 66e5bf0e Sep 15 00:51:26 2024 C:\WINDOWS\System32\svchost.exe
77f20000 66e651b9 Sep 15 11:17:13 2024 C:\WINDOWS\system32\ntdll.dll
77e20000 66e651b9 Sep 15 11:17:13 2024 C:\WINDOWS\system32\kernel32.dll
77d70000 66e651bb Sep 15 11:17:15 2024 C:\WINDOWS\system32\ADVAPI32.dll
77bd0000 66e651bb Sep 15 11:17:15 2024 C:\WINDOWS\system32\RPCRT4.dll
768a0000 66e651c5 Sep 15 11:17:25 2024 C:\WINDOWS\System32\NTMARTA.DLL
77b00000 66e651bc Sep 15 11:17:16 2024 C:\WINDOWS\system32\msvcrt.dll
77ca0000 66e651bb Sep 15 11:17:15 2024 C:\WINDOWS\system32\USER32.dll
77b60000 66e651bb Sep 15 11:17:15 2024 C:\WINDOWS\system32\GDI32.dll
76be0000 66e651c3 Sep 15 11:17:23 2024 C:\WINDOWS\system32\WLDAP32.dll
59730000 66e65595 Sep 15 11:33:41 2024 C:\WINDOWS\System32\SAMLIB.dll
76ed0000 66e651c3 Sep 15 11:17:23 2024 C:\WINDOWS\system32\ole32.dll
74870000 66e651d2 Sep 15 11:17:38 2024 c:\windows\system32\termsrv.dll
74460000 66e651d5 Sep 15 11:17:41 2024 c:\windows\system32\ICAAPI.dll
76c30000 66e651c3 Sep 15 11:17:23 2024 c:\windows\system32\Secur32.dll
70550000 66e651ed Sep 15 11:18:05 2024 c:\windows\system32\WS2_32.dll
70540000 66e651ed Sep 15 11:18:05 2024 c:\windows\system32\WS2HELP.dll
76df0000 3e801272 Mar 25 16:25:22 2003 C:\WINDOWS\system32\OLEAUT32.dll
76880000 66e651c5 Sep 15 11:17:25 2024 c:\windows\system32\AUTHZ.dll
74660000 66e651d3 Sep 15 11:17:39 2024 c:\windows\system32\mstlsapi.dll
76a80000 66e651c5 Sep 15 11:17:25 2024 c:\windows\system32\ACTIVEDS.dll
76a50000 66e651c5 Sep 15 11:17:25 2024 c:\windows\system32\adsldpc.dll
705a0000 66e651ec Sep 15 11:18:04 2024 c:\windows\system32\NETAPI32.dll
76850000 66e651c5 Sep 15 11:17:25 2024 C:\WINDOWS\system32\imagehlp.dll
767b0000 66e651c5 Sep 15 11:17:25 2024 c:\windows\system32\credui.dll
77200000 66e651bc Sep 15 11:17:16 2024 C:\WINDOWS\system32\SHELL32.dll
770c0000 66e651c2 Sep 15 11:17:22 2024 C:\WINDOWS\system32\SHLWAPI.dll
76690000 3e801277 Mar 25 16:25:27 2003 c:\windows\system32\ATL.DLL
75c10000 66e651ca Sep 15 11:17:30 2024 C:\WINDOWS\system32\CRYPT32.dll
75bf0000 66e651ca Sep 15 11:17:30 2024 C:\WINDOWS\system32\MSASN1.dll
6f610000 66e651f2 Sep 15 11:18:10 2024 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.100.0_x-ww_8417450B\comctl32.dll
SubSystemData: 00000000
ProcessHeap: 00080000
ProcessParameters: 00020000
CurrentDirectory: 'C:\WINDOWS\system32\'
WindowTitle: 'C:\WINDOWS\System32\svchost.exe'
ImageFile: 'C:\WINDOWS\System32\svchost.exe'
CommandLine: 'C:\WINDOWS\System32\svchost.exe -k termsvcs'
DllPath: 'C:\WINDOWS\System32;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem'
Environment: 00010000
ALLUSERSPROFILE=C:\Documents and Settings\All Users
ClusterLog=C:\WINDOWS\Cluster\cluster.log
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NTDEV-QQTQSNLDX
ComSpec=C:\WINDOWS\system32\cmd.exe
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0503
ProgramFiles=C:\Program Files
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\WINDOWS\system32\config\systemprofile
windir=C:\WINDOWS
1: kd> kc
#
00 termsrv!DllMain
01 ntdll!LdrpCallInitRoutine
02 ntdll!LdrpRunInitializeRoutines
03 ntdll!LdrpLoadDll
04 ntdll!LdrLoadDll
05 kernel32!LoadLibraryExW
06 svchost!GetServiceDllFunction
07 svchost!GetServiceMainFunctions
08 svchost!ServiceStarter
09 ADVAPI32!ScSvcctrlThreadA
0a kernel32!BaseThreadStart
stdENDP _LdrpCallInitRoutine
push ebp
mov ebp, esp
push esi ; save esi across the call
push edi ; save edi across the call
push ebx ; save ebx on the stack across the call
mov esi,esp ; save the stack pointer in esi across the call
push Context
push Reason
push DllHandle
call InitRoutine
mov esp,esi ; restore the stack pointer in case callee forgot to clean up
pop ebx ; restore ebx
pop edi ; restore edi
pop esi ; restore esi
pop ebp
stdRET _LdrpCallInitRoutine
1: kd> g
Breakpoint 1 hit
termsrv!ServiceMain:
001b:74882b24 55 push ebp
1: kd> kc
#
00 termsrv!ServiceMain
01 svchost!ServiceStarter
02 ADVAPI32!ScSvcctrlThreadA
03 kernel32!BaseThreadStart
1: kd> kv
# ChildEBP RetAddr Args to Child
00 007fff6c 01002ed6 00000001 00084870 00000000 termsrv!ServiceMain (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\winsta\server\icasrv.c @ 453]
01 007fffa4 77dc0bd4 00000001 00084870 00000000 svchost!ServiceStarter+0x132 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\screg\sc\svchost\svchost.c @ 1049]
02 007fffb8 77e41be7 00084868 00000000 00000000 ADVAPI32!ScSvcctrlThreadA+0x10 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\screg\sc\client\scapi.cxx @ 2760]
03 007fffec 00000000 77dc0bc4 00084868 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
// type of LPSERVICE_MAIN_FUNCTIONW
//
VOID
WINAPI
ServiceStarter(
DWORD argc,
PWSTR argv[]
)
{
LPSERVICE_MAIN_FUNCTION pfnServiceMain = NULL;
LPSVCHOST_PUSH_GLOBAL_FUNCTION pfnPushGlobals = NULL;
LPCWSTR pszwService = argv[0];
LPWSTR pszwAbort = NULL;
DWORD dwError = ERROR_FILE_NOT_FOUND;
EnterCriticalSection (&ListLock);
{
UINT i;
for (i = 0; i < ServiceCount; i++)
{
if (0 == lstrcmpi (pszwService, ServiceArray[i].pszName))
{
#if DBG
if (FDebugBreakForService (pszwService))
{
SVCHOST_LOG1(TRACE,
"Attaching debugger before getting ServiceMain for %ws...",
pszwService);
DebugBreak ();
}
#endif
GetServiceMainFunctions(&ServiceArray[i],
&pfnServiceMain,
&pfnPushGlobals,
&dwError); //第一部分:
if (pfnServiceMain && pfnPushGlobals && !g_pSvchostSharedGlobals)
{
SvchostBuildSharedGlobals();
}
pszwAbort = argv[0];
break;
}
}
}
LeaveCriticalSection (&ListLock);
if (pfnPushGlobals && g_pSvchostSharedGlobals)
{
pfnPushGlobals (g_pSvchostSharedGlobals);
if (pfnServiceMain)
{
SVCHOST_LOG1(TRACE,
"Calling ServiceMain for %ws...\n",
pszwService);
pfnServiceMain (argc, argv); //第二部分:
}
else if (pszwAbort)
{
AbortSvchostService(pszwAbort,
dwError);
}
}
else if (pfnServiceMain && !pfnPushGlobals)
{
SVCHOST_LOG1(TRACE,
"Calling ServiceMain for %ws...\n",
pszwService);
pfnServiceMain (argc, argv);
}
else if (pszwAbort)
{
AbortSvchostService(pszwAbort,
dwError);
}
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
