Windows 7 and Windows Server 2008 R2 djoin (Offline Domain Join) utility.
Offline domain join is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS)—without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join.
Run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer.
The following section covers the content of these computer account metadata files.
Here is what we see when we open the output file in a hexadecimal editor.

We ignore the first two bytes; the bytes that follow are a Unicode string holding base64-encoded data.
The decoded base64 string is a DATA_BLOB that is encrypted/decrypted by the NetpEncodeProvisioningBlob / NetpDecodeProvisioningBlob private APIs from netjoin.dll, a DLL new to Windows 7 / Windows Server 2008 R2. Both functions call NdrMesTypeEncode2 / NdrMesTypeDecode2 from RPCRT4.dll to perform the encryption/decryption.
This DLL is also interesting because of its NetpLogPrintHelper() calls, e.g. the following one in the NetpDumpBlobToLog() function:
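As an added example (my code, not code from the blog post or from netjoin.dll), here is a small C reader for the first stage described above: it skips the two leading bytes, narrows the UTF-16 text to ASCII, base64-decodes it and hands the result back as a DATA_BLOB-style (cbData, pbData) pair. Two assumptions are mine: that the two skipped bytes are the UTF-16LE byte-order mark FF FE, and that the text is little-endian UTF-16. The input is a constructed file image, not a real djoin.exe output, and the decoded bytes are an arbitrary constructed payload; the NetpDecodeProvisioningBlob step that follows is not reproduced.

```c
// Decoder for the first stage of a djoin.exe provisioning file as described
// above: a 2-byte prefix, then base64 text stored as UTF-16 little-endian.
// Added example; not code from the blog post or from netjoin.dll.
// Assumption: the two skipped bytes are the UTF-16LE byte-order mark FF FE.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Same shape as the Win32 DATA_BLOB handed to NetpDecodeProvisioningBlob.
typedef struct {
    uint32_t cbData;
    uint8_t *pbData;
} ODJ_BLOB;

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Decode base64 text into out; returns decoded length or -1 on bad input.
static int base64_decode(const char *txt, size_t n, uint8_t *out, size_t cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (txt[i] == '=') break;                 // padding ends the data
        int v = b64val((unsigned char)txt[i]);
        if (v < 0) return -1;
        acc = ((acc << 6) | (uint32_t)v) & 0xFFFFFF;
        bits += 6;
        if (bits >= 8) {                          // a full byte is available
            bits -= 8;
            if (o >= cap) return -1;
            out[o++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)o;
}

// Parse a provisioning file image into blob (pbData points into out).
// Returns 0 on success, -1 on malformed input.
int odj_decode(const uint8_t *file, size_t len, uint8_t *out, size_t cap, ODJ_BLOB *blob)
{
    char txt[4096];
    size_t n = 0;
    if (len < 2 || file[0] != 0xFF || file[1] != 0xFE) return -1;  // expect the BOM
    if ((len - 2) % 2 != 0) return -1;                             // 2 bytes per UTF-16 unit
    for (size_t i = 2; i + 1 < len; i += 2) {
        if (file[i + 1] != 0) return -1;          // base64 text must be plain ASCII
        if (file[i] == '\r' || file[i] == '\n') continue;
        if (n >= sizeof txt) return -1;
        txt[n++] = (char)file[i];
    }
    int dec = base64_decode(txt, n, out, cap);
    if (dec < 0) return -1;
    blob->cbData = (uint32_t)dec;
    blob->pbData = out;
    return 0;
}

// Constructed sample: BOM + UTF-16LE "AAECAwQFBg==" (base64 of bytes 00..06).
static size_t build_sample(uint8_t *buf)
{
    const char *b64 = "AAECAwQFBg==";
    size_t n = 0;
    buf[n++] = 0xFF;
    buf[n++] = 0xFE;
    for (const char *p = b64; *p; p++) { buf[n++] = (uint8_t)*p; buf[n++] = 0x00; }
    return n;
}

// 1 if the sample decodes to the expected payload, 0 otherwise.
int demo_decode(void)
{
    static const uint8_t want[] = {0, 1, 2, 3, 4, 5, 6};
    uint8_t file[64], out[64];
    ODJ_BLOB blob;
    size_t len = build_sample(file);
    if (odj_decode(file, len, out, sizeof out, &blob) != 0) return 0;
    return blob.cbData == sizeof want && memcmp(blob.pbData, want, sizeof want) == 0;
}

// 1 if a file image without the BOM is refused instead of mis-parsed.
int demo_reject_missing_bom(void)
{
    uint8_t file[64], out[64];
    ODJ_BLOB blob;
    size_t len = build_sample(file);
    return odj_decode(file + 2, len - 2, out, sizeof out, &blob) != 0;
}

int main(void)
{
    uint8_t file[64], out[64];
    ODJ_BLOB blob;
    size_t len = build_sample(file);
    if (odj_decode(file, len, out, sizeof out, &blob) != 0) { puts("malformed file"); return 1; }
    printf("decoded %u bytes:", blob.cbData);
    for (uint32_t i = 0; i < blob.cbData; i++) printf(" %02X", blob.pbData[i]);
    putchar('\n');
    return 0;
}
```

The reader refuses anything that is not BOM-prefixed, two-byte-per-character ASCII base64, rather than guessing, because the decoded blob is the input to the netjoin.dll decoder and, as the lpMachinePassword field in the structures below shows, carries the machine account password: a provisioning file is a credential and should be stored and deleted as one.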
[…]
NetpLogPrintHelper("\tlpMachinePassword: %s\n", "omitted from log");
[…]
As you can see, sensitive information is removed from the debug log (netsetup.log).
The decoded blob contains a structure I called “PROVISION_DATA”, which is composed of information about the Domain DNS Policy, the Domain Controller, miscellaneous information about the machine and so on.
#define NETSETUP_PROVISION_DOWNLEVEL_PRIV_SUPPORT 0x1
#define NETSETUP_PROVISION_REUSE_ACCOUNT          0x2
#define NETSETUP_PROVISION_USE_DEFAULT_PASSWORD   0x4
#define NETSETUP_PROVISION_SKIP_ACCOUNT_SEARCH    0x8
#define NETSETUP_PROVISION_ONLINE_CALLER          0x40000000
#define NETSETUP_PROVISION_CHECK_PWD_ONLY         0x80000000

typedef struct _DOMAIN_DNS_POLICY { // sizeof = 0x2C
    TCHAR Name[4];          // 0x000
    TCHAR DnsDomainName[4]; // 0x008
    TCHAR DnsForestName[4]; // 0x010
    GUID  DomainGuid;       // 0x018
    PSID  Sid;              // 0x028
} DOMAIN_DNS_POLICY, *PDOMAIN_DNS_POLICY;

typedef struct _DOMAIN_CONTROLLER { // sizeof = 0x30
    PCHAR DomainControllerName;        // 0x000
    PCHAR DomainControllerAddress;     // 0x004
    ULONG DomainControllerAddressType; // 0x008
    GUID  DomainGuid;                  // 0x00C
    PCHAR DomainName;                  // 0x01C
    PCHAR DnsForestName;               // 0x020
    ULONG Flags;                       // 0x024
    PCHAR DcSiteName;                  // 0x028
    PCHAR ClientSiteName;              // 0x02C
} DOMAIN_CONTROLLER, *PDOMAIN_CONTROLLER;

typedef struct _DOMAIN_INFORMATION {
    //
    // Global Information
    //
    LPVOID lpDomainName;      // 0x008
    LPVOID lpMachineName;     // 0x00C
    LPVOID lpMachinePassword; // 0x010

    //
    // Domain Policy
    //
    DOMAIN_DNS_POLICY DomainPolicy; // 0x014

    //
    // Domain Controller
    //
    DOMAIN_CONTROLLER DomainController; // 0x048

    //
    // Options - NETSETUP_PROVISION
    //
    ULONG Options; // 0x078
} DOMAIN_INFORMATION, *PDOMAIN_INFORMATION;

typedef struct _PROVISION_DATA {
    //
    // ODJ Blob
    //
    ULONG Version; // 0x000
    ULONG Size;    // 0x004

    PDOMAIN_INFORMATION DomainInformation;
} PROVISION_DATA, *PPROVISION_DATA;
I wrote a tool called “dinfo” (for “Domain Information”) to read these files. It works with user rights only, but runs only under Windows 7 and Windows Server 2008 R2 because of its dependency on netjoin.dll.
Now it’s time to introduce dinfo.exe! Here is a screenshot of the tool in action.

PS1. The encoded data blob can also be retrieved from the registry under the following magic key: “Software\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Microsoft-Windows-UnattendedJoin\Identification”.
PS2. Thomas likes noodles.
Download dinfo version 1.0.20090128
KPRCB structure modified in Win7. Another thing to fix in win32dd.
If you’re generating a Microsoft crash dump file under Windows Seven, you might have noticed that the DirectoryTableBase field in the crash dump header is set to zero. The reason is that the current version of win32dd chose to retrieve the cr3 register through the PROCESSOR_STATE structure stored in the KPRCB. But since the KPRCB has been updated in Windows 7, the following ugly piece of code no longer returns a correct cr3 value.
DirectoryTableBase = __readKPCR()->PrcbData.ProcessorState.SpecialRegisters.Cr3;
If you take a look at these two structures, you can see that the 32-bit ULONG SetMember has been removed. But don’t worry, this value is still present in the KPCR structure; I guess Microsoft kernel developers removed it from the KPRCB to clean up the structure and avoid a duplicated field.
Anyway, I’ll publish an update soon for win32dd. :-)
For people interested in the technical details of these structures, here is the layout of the KPRCB structure under Windows Vista and Seven.
This is how the KPRCB structure looks under Windows Vista:
typedef struct _KPRCB // 129 elements, 0xEC0 bytes (sizeof)
{
/*0x000*/ UINT16 MinorVersion;
/*0x002*/ UINT16 MajorVersion;
/*0x004*/ struct _KTHREAD* CurrentThread;
/*0x008*/ struct _KTHREAD* NextThread;
/*0x00C*/ struct _KTHREAD* IdleThread;
/*0x010*/ CHAR Number;
/*0x011*/ CHAR Reserved;
/*0x012*/ UINT16 BuildType;
/*0x014*/ ULONG32 SetMember;
/*0x018*/ CHAR CpuType;
/*0x019*/ CHAR CpuID;
/*0x01A*/ UINT16 CpuStep;
/*0x01C*/ struct _KPROCESSOR_STATE ProcessorState;
/*0x33C*/ ULONG32 KernelReserved[16];
/*0x37C*/ ULONG32 HalReserved[16];
/*0x3BC*/ UINT8 PrcbPad0[92];
/*0x418*/ struct _KSPIN_LOCK_QUEUE LockQueue[33];
/*0x520*/ struct _KTHREAD* NpxThread;
/*0x524*/ ULONG32 InterruptCount;
/*0x528*/ ULONG32 KernelTime;
/*0x52C*/ ULONG32 UserTime;
/*0x530*/ ULONG32 DpcTime;
/*0x534*/ ULONG32 DebugDpcTime;
/*0x538*/ ULONG32 InterruptTime;
/*0x53C*/ ULONG32 AdjustDpcThreshold;
/*0x540*/ ULONG32 PageColor;
/*0x544*/ UINT8 SkipTick;
/*0x545*/ UINT8 DebuggerSavedIRQL;
/*0x546*/ UINT8 NodeColor;
/*0x547*/ UINT8 Spare1;
/*0x548*/ ULONG32 NodeShiftedColor;
/*0x54C*/ struct _KNODE* ParentNode;
/*0x550*/ ULONG32 MultiThreadProcessorSet;
/*0x554*/ struct _KPRCB* MultiThreadSetMaster;
/*0x558*/ ULONG32 SecondaryColorMask;
/*0x55C*/ LONG32 Sleeping;
/*0x560*/ ULONG32 CcFastReadNoWait;
/*0x564*/ ULONG32 CcFastReadWait;
/*0x568*/ ULONG32 CcFastReadNotPossible;
/*0x56C*/ ULONG32 CcCopyReadNoWait;
/*0x570*/ ULONG32 CcCopyReadWait;
/*0x574*/ ULONG32 CcCopyReadNoWaitMiss;
/*0x578*/ ULONG32 KeAlignmentFixupCount;
/*0x57C*/ ULONG32 SpareCounter0;
/*0x580*/ ULONG32 KeDcacheFlushCount;
/*0x584*/ ULONG32 KeExceptionDispatchCount;
/*0x588*/ ULONG32 KeFirstLevelTbFills;
/*0x58C*/ ULONG32 KeFloatingEmulationCount;
/*0x590*/ ULONG32 KeIcacheFlushCount;
/*0x594*/ ULONG32 KeSecondLevelTbFills;
/*0x598*/ ULONG32 KeSystemCalls;
/*0x59C*/ LONG32 IoReadOperationCount;
/*0x5A0*/ LONG32 IoWriteOperationCount;
/*0x5A4*/ LONG32 IoOtherOperationCount;
/*0x5A8*/ union _LARGE_INTEGER IoReadTransferCount;
/*0x5B0*/ union _LARGE_INTEGER IoWriteTransferCount;
/*0x5B8*/ union _LARGE_INTEGER IoOtherTransferCount;
/*0x5C0*/ ULONG32 SpareCounter1[8];
/*0x5E0*/ struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x660*/ struct _PP_LOOKASIDE_LIST PPNPagedLookasideList[32];
/*0x760*/ struct _PP_LOOKASIDE_LIST PPPagedLookasideList[32];
/*0x860*/ ULONG32 PacketBarrier;
/*0x864*/ ULONG32 ReverseStall;
/*0x868*/ VOID* IpiFrame;
/*0x86C*/ UINT8 PrcbPad2[52];
/*0x8A0*/ VOID* CurrentPacket[3];
/*0x8AC*/ ULONG32 TargetSet;
/*0x8B0*/ FUNCT_014C_02D2_WorkerRoutine* WorkerRoutine;
/*0x8B4*/ ULONG32 IpiFrozen;
/*0x8B8*/ UINT8 PrcbPad3[40];
/*0x8E0*/ ULONG32 RequestSummary;
/*0x8E4*/ struct _KPRCB* SignalDone;
/*0x8E8*/ UINT8 PrcbPad4[56];
/*0x920*/ struct _KDPC_DATA DpcData[2];
/*0x948*/ VOID* DpcStack;
/*0x94C*/ ULONG32 MaximumDpcQueueDepth;
/*0x950*/ ULONG32 DpcRequestRate;
/*0x954*/ ULONG32 MinimumDpcRate;
/*0x958*/ UINT8 DpcInterruptRequested;
/*0x959*/ UINT8 DpcThreadRequested;
/*0x95A*/ UINT8 DpcRoutineActive;
/*0x95B*/ UINT8 DpcThreadActive;
/*0x95C*/ ULONG32 PrcbLock;
/*0x960*/ ULONG32 DpcLastCount;
/*0x964*/ ULONG32 TimerHand;
/*0x968*/ ULONG32 TimerRequest;
/*0x96C*/ VOID* DpcThread;
/*0x970*/ struct _KEVENT DpcEvent;
/*0x980*/ UINT8 ThreadDpcEnable;
/*0x981*/ UINT8 QuantumEnd;
/*0x982*/ UINT8 PrcbPad50;
/*0x983*/ UINT8 IdleSchedule;
/*0x984*/ LONG32 DpcSetEventRequest;
/*0x988*/ UINT8 PrcbPad5[18];
/*0x99A*/ UINT8 _PADDING0_[0x2];
/*0x99C*/ LONG32 TickOffset;
/*0x9A0*/ struct _KDPC CallDpc;
/*0x9C0*/ ULONG32 PrcbPad7[8];
/*0x9E0*/ struct _LIST_ENTRY WaitListHead;
/*0x9E8*/ ULONG32 ReadySummary;
/*0x9EC*/ ULONG32 QueueIndex;
/*0x9F0*/ struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0xAF0*/ struct _SINGLE_LIST_ENTRY DeferredReadyListHead;
/*0xAF4*/ ULONG32 PrcbPad72[11];
/*0xB20*/ VOID* ChainedInterruptList;
/*0xB24*/ LONG32 LookasideIrpFloat;
/*0xB28*/ LONG32 MmPageFaultCount;
/*0xB2C*/ LONG32 MmCopyOnWriteCount;
/*0xB30*/ LONG32 MmTransitionCount;
/*0xB34*/ LONG32 MmCacheTransitionCount;
/*0xB38*/ LONG32 MmDemandZeroCount;
/*0xB3C*/ LONG32 MmPageReadCount;
/*0xB40*/ LONG32 MmPageReadIoCount;
/*0xB44*/ LONG32 MmCacheReadCount;
/*0xB48*/ LONG32 MmCacheIoCount;
/*0xB4C*/ LONG32 MmDirtyPagesWriteCount;
/*0xB50*/ LONG32 MmDirtyWriteIoCount;
/*0xB54*/ LONG32 MmMappedPagesWriteCount;
/*0xB58*/ LONG32 MmMappedWriteIoCount;
/*0xB5C*/ ULONG32 SpareFields0[1];
/*0xB60*/ UINT8 VendorString[13];
/*0xB6D*/ UINT8 InitialApicId;
/*0xB6E*/ UINT8 LogicalProcessorsPerPhysicalProcessor;
/*0xB6F*/ UINT8 _PADDING1_[0x1];
/*0xB70*/ ULONG32 MHz;
/*0xB74*/ ULONG32 FeatureBits;
/*0xB78*/ union _LARGE_INTEGER UpdateSignature;
/*0xB80*/ UINT64 IsrTime;
/*0xB88*/ UINT64 SpareField1;
/*0xB90*/ struct _FX_SAVE_AREA NpxSaveArea;
/*0xDA0*/ struct _PROCESSOR_POWER_STATE PowerState;
}KPRCB, *PKPRCB;
And under Windows 7:
typedef struct _KPRCB // 244 elements, 0x1EE8 bytes (sizeof)
{
/*0x000*/ UINT16 MinorVersion;
/*0x002*/ UINT16 MajorVersion;
/*0x004*/ struct _KTHREAD* CurrentThread;
/*0x008*/ struct _KTHREAD* NextThread;
/*0x00C*/ struct _KTHREAD* IdleThread;
/*0x010*/ UINT8 LegacyNumber;
/*0x011*/ UINT8 NestingLevel;
/*0x012*/ UINT16 BuildType;
/*0x014*/ CHAR CpuType;
/*0x015*/ CHAR CpuID;
/*0x016*/ UINT16 CpuStep;
/*0x018*/ struct _KPROCESSOR_STATE ProcessorState;
/*0x338*/ ULONG32 KernelReserved[16];
/*0x378*/ ULONG32 HalReserved[16];
/*0x3B8*/ ULONG32 CFlushSize;
/*0x3BC*/ UINT8 CoresPerPhysicalProcessor;
/*0x3BD*/ UINT8 LogicalProcessorsPerCore;
/*0x3BE*/ UINT8 PrcbPad0[2];
/*0x3C0*/ ULONG32 MHz;
/*0x3C4*/ UINT8 CpuVendor;
/*0x3C5*/ UINT8 GroupIndex;
/*0x3C6*/ UINT16 Group;
/*0x3C8*/ ULONG32 GroupSetMember;
/*0x3CC*/ ULONG32 Number;
/*0x3D0*/ UINT8 PrcbPad1[72];
/*0x418*/ struct _KSPIN_LOCK_QUEUE LockQueue[49];
/*0x5A0*/ struct _KTHREAD* NpxThread;
/*0x5A4*/ ULONG32 InterruptCount;
/*0x5A8*/ ULONG32 KernelTime;
/*0x5AC*/ ULONG32 UserTime;
/*0x5B0*/ ULONG32 DpcTime;
/*0x5B4*/ ULONG32 DpcTimeCount;
/*0x5B8*/ ULONG32 InterruptTime;
/*0x5BC*/ ULONG32 AdjustDpcThreshold;
/*0x5C0*/ ULONG32 PageColor;
/*0x5C4*/ UINT8 DebuggerSavedIRQL;
/*0x5C5*/ UINT8 NodeColor;
/*0x5C6*/ UINT8 PrcbPad20[2];
/*0x5C8*/ ULONG32 NodeShiftedColor;
/*0x5CC*/ struct _KNODE* ParentNode;
/*0x5D0*/ ULONG32 SecondaryColorMask;
/*0x5D4*/ ULONG32 DpcTimeLimit;
/*0x5D8*/ ULONG32 PrcbPad21[2];
/*0x5E0*/ ULONG32 CcFastReadNoWait;
/*0x5E4*/ ULONG32 CcFastReadWait;
/*0x5E8*/ ULONG32 CcFastReadNotPossible;
/*0x5EC*/ ULONG32 CcCopyReadNoWait;
/*0x5F0*/ ULONG32 CcCopyReadWait;
/*0x5F4*/ ULONG32 CcCopyReadNoWaitMiss;
/*0x5F8*/ LONG32 MmSpinLockOrdering;
/*0x5FC*/ LONG32 IoReadOperationCount;
/*0x600*/ LONG32 IoWriteOperationCount;
/*0x604*/ LONG32 IoOtherOperationCount;
/*0x608*/ union _LARGE_INTEGER IoReadTransferCount;
/*0x610*/ union _LARGE_INTEGER IoWriteTransferCount;
/*0x618*/ union _LARGE_INTEGER IoOtherTransferCount;
/*0x620*/ ULONG32 CcFastMdlReadNoWait;
/*0x624*/ ULONG32 CcFastMdlReadWait;
/*0x628*/ ULONG32 CcFastMdlReadNotPossible;
/*0x62C*/ ULONG32 CcMapDataNoWait;
/*0x630*/ ULONG32 CcMapDataWait;
/*0x634*/ ULONG32 CcPinMappedDataCount;
/*0x638*/ ULONG32 CcPinReadNoWait;
/*0x63C*/ ULONG32 CcPinReadWait;
/*0x640*/ ULONG32 CcMdlReadNoWait;
/*0x644*/ ULONG32 CcMdlReadWait;
/*0x648*/ ULONG32 CcLazyWriteHotSpots;
/*0x64C*/ ULONG32 CcLazyWriteIos;
/*0x650*/ ULONG32 CcLazyWritePages;
/*0x654*/ ULONG32 CcDataFlushes;
/*0x658*/ ULONG32 CcDataPages;
/*0x65C*/ ULONG32 CcLostDelayedWrites;
/*0x660*/ ULONG32 CcFastReadResourceMiss;
/*0x664*/ ULONG32 CcCopyReadWaitMiss;
/*0x668*/ ULONG32 CcFastMdlReadResourceMiss;
/*0x66C*/ ULONG32 CcMapDataNoWaitMiss;
/*0x670*/ ULONG32 CcMapDataWaitMiss;
/*0x674*/ ULONG32 CcPinReadNoWaitMiss;
/*0x678*/ ULONG32 CcPinReadWaitMiss;
/*0x67C*/ ULONG32 CcMdlReadNoWaitMiss;
/*0x680*/ ULONG32 CcMdlReadWaitMiss;
/*0x684*/ ULONG32 CcReadAheadIos;
/*0x688*/ ULONG32 KeAlignmentFixupCount;
/*0x68C*/ ULONG32 KeExceptionDispatchCount;
/*0x690*/ ULONG32 KeSystemCalls;
/*0x694*/ ULONG32 AvailableTime;
/*0x698*/ ULONG32 PrcbPad22[2];
/*0x6A0*/ struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x720*/ struct _GENERAL_LOOKASIDE_POOL PPNPagedLookasideList[32];
/*0x1020*/ struct _GENERAL_LOOKASIDE_POOL PPPagedLookasideList[32];
/*0x1920*/ ULONG32 PacketBarrier;
/*0x1924*/ LONG32 ReverseStall;
/*0x1928*/ VOID* IpiFrame;
/*0x192C*/ UINT8 PrcbPad3[52];
/*0x1960*/ VOID* CurrentPacket[3];
/*0x196C*/ ULONG32 TargetSet;
/*0x1970*/ FUNCT_009A_0657_WorkerRoutine* WorkerRoutine;
/*0x1974*/ ULONG32 IpiFrozen;
/*0x1978*/ UINT8 PrcbPad4[40];
/*0x19A0*/ ULONG32 RequestSummary;
/*0x19A4*/ struct _KPRCB* SignalDone;
/*0x19A8*/ UINT8 PrcbPad50[56];
/*0x19E0*/ struct _KDPC_DATA DpcData[2];
/*0x1A08*/ VOID* DpcStack;
/*0x1A0C*/ LONG32 MaximumDpcQueueDepth;
/*0x1A10*/ ULONG32 DpcRequestRate;
/*0x1A14*/ ULONG32 MinimumDpcRate;
/*0x1A18*/ ULONG32 PrcbPad41;
/*0x1A1C*/ ULONG32 PrcbLock;
/*0x1A20*/ ULONG32 DpcLastCount;
/*0x1A24*/ ULONG32 TimerHand;
/*0x1A28*/ ULONG32 TimerRequest;
/*0x1A2C*/ struct _KTIMER** TimerExpiry;
/*0x1A30*/ struct _KGATE DpcGate;
/*0x1A40*/ UINT8 ThreadDpcEnable;
/*0x1A41*/ UINT8 QuantumEnd;
/*0x1A42*/ UINT8 DpcRoutineActive;
/*0x1A43*/ UINT8 IdleSchedule;
union // 3 elements, 0x4 bytes (sizeof)
{
/*0x1A44*/ LONG32 DpcRequestSummary;
/*0x1A44*/ INT16 DpcRequestSlot[2];
struct // 2 elements, 0x4 bytes (sizeof)
{
/*0x1A44*/ INT16 NormalDpcState;
union // 2 elements, 0x2 bytes (sizeof)
{
/*0x1A46*/ UINT16 DpcThreadActive : 1; // 0 BitPosition
/*0x1A46*/ INT16 ThreadDpcState;
};
};
};
/*0x1A48*/ ULONG32 PrcbPad42;
/*0x1A4C*/ ULONG32 PeriodicCount;
/*0x1A50*/ ULONG32 PeriodicBias;
/*0x1A54*/ UINT8 _PADDING0_[0x4];
/*0x1A58*/ UINT64 TickOffset;
/*0x1A60*/ struct _KDPC CallDpc; // 9 elements, 0x20 bytes (sizeof)
/*0x1A80*/ LONG32 ClockKeepAlive;
/*0x1A84*/ UINT8 ClockCheckSlot;
/*0x1A85*/ UINT8 ClockPollCycle;
/*0x1A86*/ UINT8 PrcbPad6[2];
/*0x1A88*/ LONG32 DpcWatchdogPeriod;
/*0x1A8C*/ LONG32 DpcWatchdogCount;
/*0x1A90*/ LONG32 ThreadWatchdogPeriod;
/*0x1A94*/ LONG32 ThreadWatchdogCount;
/*0x1A98*/ LONG32 KeSpinLockOrdering;
/*0x1A9C*/ ULONG32 PrcbPad70[1];
/*0x1AA0*/ struct _LIST_ENTRY WaitListHead;
/*0x1AA8*/ ULONG32 WaitLock;
/*0x1AAC*/ ULONG32 ReadySummary;
/*0x1AB0*/ ULONG32 QueueIndex;
/*0x1AB4*/ struct _SINGLE_LIST_ENTRY DeferredReadyListHead;
/*0x1AB8*/ UINT64 StartCycles;
/*0x1AC0*/ UINT64 CycleTime;
/*0x1AC8*/ ULONG32 HighCycleTime;
/*0x1ACC*/ ULONG32 PrcbPad71;
/*0x1AD0*/ UINT64 PrcbPad72[2];
/*0x1AE0*/ struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0x1BE0*/ VOID* ChainedInterruptList;
/*0x1BE4*/ LONG32 LookasideIrpFloat;
/*0x1BE8*/ LONG32 MmPageFaultCount;
/*0x1BEC*/ LONG32 MmCopyOnWriteCount;
/*0x1BF0*/ LONG32 MmTransitionCount;
/*0x1BF4*/ LONG32 MmCacheTransitionCount;
/*0x1BF8*/ LONG32 MmDemandZeroCount;
/*0x1BFC*/ LONG32 MmPageReadCount;
/*0x1C00*/ LONG32 MmPageReadIoCount;
/*0x1C04*/ LONG32 MmCacheReadCount;
/*0x1C08*/ LONG32 MmCacheIoCount;
/*0x1C0C*/ LONG32 MmDirtyPagesWriteCount;
/*0x1C10*/ LONG32 MmDirtyWriteIoCount;
/*0x1C14*/ LONG32 MmMappedPagesWriteCount;
/*0x1C18*/ LONG32 MmMappedWriteIoCount;
/*0x1C1C*/ ULONG32 CachedCommit;
/*0x1C20*/ ULONG32 CachedResidentAvailable;
/*0x1C24*/ VOID* HyperPte;
/*0x1C28*/ UINT8 PrcbPad8[4];
/*0x1C2C*/ UINT8 VendorString[13];
/*0x1C39*/ UINT8 InitialApicId;
/*0x1C3A*/ UINT8 LogicalProcessorsPerPhysicalProcessor;
/*0x1C3B*/ UINT8 PrcbPad9[5];
/*0x1C40*/ ULONG32 FeatureBits;
/*0x1C44*/ UINT8 _PADDING1_[0x4];
/*0x1C48*/ union _LARGE_INTEGER UpdateSignature;
/*0x1C50*/ UINT64 IsrTime;
/*0x1C58*/ UINT64 RuntimeAccumulation;
/*0x1C60*/ struct _PROCESSOR_POWER_STATE PowerState;
/*0x1D30*/ struct _KDPC DpcWatchdogDpc;
/*0x1D50*/ struct _KTIMER DpcWatchdogTimer;
/*0x1D78*/ VOID* WheaInfo;
/*0x1D7C*/ VOID* EtwSupport;
/*0x1D80*/ union _SLIST_HEADER InterruptObjectPool;
/*0x1D88*/ union _SLIST_HEADER HypercallPageList;
/*0x1D90*/ VOID* HypercallPageVirtual;
/*0x1D94*/ VOID* VirtualApicAssist;
/*0x1D98*/ UINT64* StatisticsPage;
/*0x1D9C*/ VOID* RateControl;
/*0x1DA0*/ struct _CACHE_DESCRIPTOR Cache[5];
/*0x1DDC*/ ULONG32 CacheCount;
/*0x1DE0*/ ULONG32 CacheProcessorMask[5];
/*0x1DF4*/ ULONG32 PackageProcessorSet;
/*0x1DF8*/ ULONG32 CoreProcessorSet;
/*0x1DFC*/ UINT8 PrcbPad10[36];
/*0x1E20*/ ULONG32 SpinLockAcquireCount;
/*0x1E24*/ ULONG32 SpinLockContentionCount;
/*0x1E28*/ ULONG32 SpinLockSpinCount;
/*0x1E2C*/ ULONG32 IpiSendRequestBroadcastCount;
/*0x1E30*/ ULONG32 IpiSendRequestRoutineCount;
/*0x1E34*/ ULONG32 IpiSendSoftwareInterruptCount;
/*0x1E38*/ ULONG32 ExInitializeResourceCount;
/*0x1E3C*/ ULONG32 ExReInitializeResourceCount;
/*0x1E40*/ ULONG32 ExDeleteResourceCount;
/*0x1E44*/ ULONG32 ExecutiveResourceAcquiresCount;
/*0x1E48*/ ULONG32 ExecutiveResourceContentionsCount;
/*0x1E4C*/ ULONG32 ExecutiveResourceReleaseExclusiveCount;
/*0x1E50*/ ULONG32 ExecutiveResourceReleaseSharedCount;
/*0x1E54*/ ULONG32 ExecutiveResourceConvertsCount;
/*0x1E58*/ ULONG32 ExAcqResExclusiveAttempts;
/*0x1E5C*/ ULONG32 ExAcqResExclusiveAcquiresExclusive;
/*0x1E60*/ ULONG32 ExAcqResExclusiveAcquiresExclusiveRecursive;
/*0x1E64*/ ULONG32 ExAcqResExclusiveWaits;
/*0x1E68*/ ULONG32 ExAcqResExclusiveNotAcquires;
/*0x1E6C*/ ULONG32 ExAcqResSharedAttempts;
/*0x1E70*/ ULONG32 ExAcqResSharedAcquiresExclusive;
/*0x1E74*/ ULONG32 ExAcqResSharedAcquiresShared;
/*0x1E78*/ ULONG32 ExAcqResSharedAcquiresSharedRecursive;
/*0x1E7C*/ ULONG32 ExAcqResSharedWaits;
/*0x1E80*/ ULONG32 ExAcqResSharedNotAcquires;
/*0x1E84*/ ULONG32 ExAcqResSharedStarveExclusiveAttempts;
/*0x1E88*/ ULONG32 ExAcqResSharedStarveExclusiveAcquiresExclusive;
/*0x1E8C*/ ULONG32 ExAcqResSharedStarveExclusiveAcquiresShared;
/*0x1E90*/ ULONG32 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive;
/*0x1E94*/ ULONG32 ExAcqResSharedStarveExclusiveWaits;
/*0x1E98*/ ULONG32 ExAcqResSharedStarveExclusiveNotAcquires;
/*0x1E9C*/ ULONG32 ExAcqResSharedWaitForExclusiveAttempts;
/*0x1EA0*/ ULONG32 ExAcqResSharedWaitForExclusiveAcquiresExclusive;
/*0x1EA4*/ ULONG32 ExAcqResSharedWaitForExclusiveAcquiresShared;
/*0x1EA8*/ ULONG32 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive;
/*0x1EAC*/ ULONG32 ExAcqResSharedWaitForExclusiveWaits;
/*0x1EB0*/ ULONG32 ExAcqResSharedWaitForExclusiveNotAcquires;
/*0x1EB4*/ ULONG32 ExSetResOwnerPointerExclusive;
/*0x1EB8*/ ULONG32 ExSetResOwnerPointerSharedNew;
/*0x1EBC*/ ULONG32 ExSetResOwnerPointerSharedOld;
/*0x1EC0*/ ULONG32 ExTryToAcqExclusiveAttempts;
/*0x1EC4*/ ULONG32 ExTryToAcqExclusiveAcquires;
/*0x1EC8*/ ULONG32 ExBoostExclusiveOwner;
/*0x1ECC*/ ULONG32 ExBoostSharedOwners;
/*0x1ED0*/ ULONG32 ExEtwSynchTrackingNotificationsCount;
/*0x1ED4*/ ULONG32 ExEtwSynchTrackingNotificationsAccountedCount;
/*0x1ED8*/ struct _CONTEXT* Context;
/*0x1EDC*/ ULONG32 ContextFlags;
/*0x1EE0*/ struct _XSAVE_AREA* ExtendedState;
/*0x1EE4*/ UINT8 _PADDING2_[0x4];
}KPRCB, *PKPRCB;
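The two listings above are what you compare by hand to spot the removed SetMember field and the resulting shift of ProcessorState from 0x01C to 0x018. As an added example (my code, not part of win32dd or of the post), here is a small C tool that parses listings in this `/*0xOFF*/ type name;` format and reports which fields disappeared or moved between two versions. The inputs are excerpts copied from the Vista and Windows 7 listings above (the first fields of each, plus the Windows 7 `Number` field at 0x3CC), so the report covers only those fields; a hard-coded offset read such as the cr3 line earlier in the post is exactly what such a diff flags before it breaks.

```c
// Layout differ for the "/*0xOFF*/ type name;" listings above.
// Added example; not code from win32dd or from the blog post.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char name[48];
    unsigned offset;
} Field;

// Excerpts copied from the Vista and Windows 7 KPRCB listings above
// (first fields only, plus the Windows 7 Number field at 0x3CC).
static const char VISTA_EXCERPT[] =
    "/*0x000*/ UINT16 MinorVersion;\n"
    "/*0x002*/ UINT16 MajorVersion;\n"
    "/*0x004*/ struct _KTHREAD* CurrentThread;\n"
    "/*0x008*/ struct _KTHREAD* NextThread;\n"
    "/*0x00C*/ struct _KTHREAD* IdleThread;\n"
    "/*0x010*/ CHAR Number;\n"
    "/*0x011*/ CHAR Reserved;\n"
    "/*0x012*/ UINT16 BuildType;\n"
    "/*0x014*/ ULONG32 SetMember;\n"
    "/*0x018*/ CHAR CpuType;\n"
    "/*0x019*/ CHAR CpuID;\n"
    "/*0x01A*/ UINT16 CpuStep;\n"
    "/*0x01C*/ struct _KPROCESSOR_STATE ProcessorState;\n"
    "/*0x33C*/ ULONG32 KernelReserved[16];\n"
    "/*0x37C*/ ULONG32 HalReserved[16];\n";

static const char WIN7_EXCERPT[] =
    "/*0x000*/ UINT16 MinorVersion;\n"
    "/*0x002*/ UINT16 MajorVersion;\n"
    "/*0x004*/ struct _KTHREAD* CurrentThread;\n"
    "/*0x008*/ struct _KTHREAD* NextThread;\n"
    "/*0x00C*/ struct _KTHREAD* IdleThread;\n"
    "/*0x010*/ UINT8 LegacyNumber;\n"
    "/*0x011*/ UINT8 NestingLevel;\n"
    "/*0x012*/ UINT16 BuildType;\n"
    "/*0x014*/ CHAR CpuType;\n"
    "/*0x015*/ CHAR CpuID;\n"
    "/*0x016*/UINT16 CpuStep;\n"
    "/*0x018*/ struct _KPROCESSOR_STATE ProcessorState;\n"
    "/*0x338*/ ULONG32 KernelReserved[16];\n"
    "/*0x378*/ ULONG32 HalReserved[16];\n"
    "/*0x3CC*/ ULONG32 Number;\n";

// Extract (name, offset) from every line carrying an offset comment and a ';'.
// Array dimensions and bit-field widths are stripped from the name.
static int parse_layout(const char *text, Field *out, int cap)
{
    int n = 0;
    const char *line = text;
    while (*line && n < cap) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *off = strstr(line, "/*0x");
        const char *semi = memchr(line, ';', len);
        if (off && semi && off < semi) {
            out[n].offset = (unsigned)strtoul(off + 4, NULL, 16);
            const char *e = semi;
            const char *colon = memchr(off, ':', (size_t)(semi - off));
            if (colon) e = colon;                         // bit-field "name : 1"
            while (e > off && (e[-1] == ' ' || e[-1] == '\t')) e--;
            const char *s = e;                            // walk back over the name
            while (s > off && !strchr(" \t*/", s[-1])) s--;
            size_t nl = (size_t)(e - s);
            const char *br = memchr(s, '[', nl);
            if (br) nl = (size_t)(br - s);                // drop "[16]"
            if (nl >= sizeof out[n].name) nl = sizeof out[n].name - 1;
            memcpy(out[n].name, s, nl);
            out[n].name[nl] = '\0';
            n++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

static int find_field(const Field *f, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(f[i].name, name) == 0) return i;
    return -1;
}

// Offset of `name` in the listing `text`, or -1 if the field is absent.
int layout_offset(const char *text, const char *name)
{
    Field f[64];
    int n = parse_layout(text, f, 64);
    int i = find_field(f, n, name);
    return i < 0 ? -1 : (int)f[i].offset;
}

// Report fields of the old layout that are gone or moved in the new one.
// Returns the number moved; *removed receives the number gone.
int diff_layouts(const Field *a, int na, const Field *b, int nb, int *removed)
{
    int moved = 0;
    *removed = 0;
    for (int i = 0; i < na; i++) {
        int j = find_field(b, nb, a[i].name);
        if (j < 0) {
            printf("removed: %-16s (was 0x%03X)\n", a[i].name, a[i].offset);
            (*removed)++;
        } else if (b[j].offset != a[i].offset) {
            printf("moved:   %-16s 0x%03X -> 0x%03X\n", a[i].name, a[i].offset, b[j].offset);
            moved++;
        }
    }
    return moved;
}

static int run_diff(int *removed)
{
    Field a[64], b[64];
    int na = parse_layout(VISTA_EXCERPT, a, 64);
    int nb = parse_layout(WIN7_EXCERPT, b, 64);
    return diff_layouts(a, na, b, nb, removed);
}

int demo_moved(void)   { int r; return run_diff(&r); }
int demo_removed(void) { int r; run_diff(&r); return r; }

int main(void)
{
    int removed;
    int moved = run_diff(&removed);
    printf("%d field(s) removed, %d moved between the two excerpts\n", removed, moved);
    return 0;
}
```

Run against the excerpts it reports SetMember and Reserved as removed and everything after BuildType as moved by four bytes, which is the 32-bit SetMember the post identifies; ProcessorState is resolved to 0x01C in the Vista excerpt and 0x018 in the Windows 7 one.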
Update: win32dd 1.2.1
First of all, the problem reported and explained in my previous blog post regarding multi-processor computers and Microsoft crash dump generation is fixed. The limit has been raised from 1 to 32 processors.
The KeQueryActiveProcessorCount() API only exists in Vista and later versions of Windows, which is why I wrote xxxKeQueryActiveProcessorCount in driver/private/ke.c, because compatibility matters. By the way, about compatibility, let me tell you that win32dd is compatible with Microsoft operating systems from Windows 2000 to Windows Seven. :-) Check the screenshot below of win32dd in action under Windows 7.
Download win32dd v1.2.20090106 now!
By the way, I suggest you read this article if you are still wondering about the efficiency and usefulness of win32dd’s crash dump generation mode. Microsoft Help and Support: Complete memory dumps are not available on computers that have 2 or more gigabytes of RAM
Thank you all for using win32dd and for your feedback!
Multi-Processors and KdVersionBlock
Tomorrow, I’ll publish a bugfix for win32dd about the following problem: on multi-processor computers a BSOD occurs when the user tries to generate a Microsoft crash dump file through the -d option.
The problem is located inside the KdGetDebuggerDataBlock function: when the function tries to read the KdVersionBlock field, an invalid pointer is returned because this field is only valid in the KPCR of the first processor.
lkd> dt nt!_KPCR ffdff000
+0x000 NtTib : _NT_TIB
+0x01c SelfPcr : 0xffdff000 _KPCR
+0x020 Prcb : 0xffdff120 _KPRCB
+0x024 Irql : 0 ''
+0x028 IRR : 0
+0x02c IrrActive : 0
+0x030 IDR : 0xffffffff
+0x034 KdVersionBlock : 0x805562b8
+0x038 IDT : 0x8003f400 _KIDTENTRY
+0x03c GDT : 0x8003f000 _KGDTENTRY
+0x040 TSS : 0x80042000 _KTSS
+0x044 MajorVersion : 1
+0x046 MinorVersion : 1
+0x048 SetMember : 1
+0x04c StallScaleFactor : 0x6bb
+0x050 DebugActive : 0 ''
+0x051 Number : 0 ''
+0x052 Spare0 : 0 ''
+0x053 SecondLevelCacheAssociativity : 0x10 ''
+0x054 VdmAlert : 0
+0x058 KernelReserved : [14] 0
+0x090 SecondLevelCacheSize : 0x80000
+0x094 HalReserved : [16] 0
+0x0d4 InterruptMode : 0
+0x0d8 Spare1 : 0 ''
+0x0dc KernelReserved2 : [17] 0
+0x120 PrcbData : _KPRCB

lkd> dt nt!_KPCR f9c2c000
+0x000 NtTib : _NT_TIB
+0x01c SelfPcr : 0xf9c2c000 _KPCR
+0x020 Prcb : 0xf9c2c120 _KPRCB
+0x024 Irql : 0 ''
+0x028 IRR : 0
+0x02c IrrActive : 0
+0x030 IDR : 0xffffffff
+0x034 KdVersionBlock : (null)
+0x038 IDT : 0xf9c30590 _KIDTENTRY
+0x03c GDT : 0xf9c30190 _KGDTENTRY
+0x040 TSS : 0xf9c2cd70 _KTSS
+0x044 MajorVersion : 1
+0x046 MinorVersion : 1
+0x048 SetMember : 2
+0x04c StallScaleFactor : 0x650
+0x050 DebugActive : 0 ''
+0x051 Number : 0x1 ''
+0x052 Spare0 : 0 ''
+0x053 SecondLevelCacheAssociativity : 0x10 ''
+0x054 VdmAlert : 0
+0x058 KernelReserved : [14] 0
+0x090 SecondLevelCacheSize : 0x80000
+0x094 HalReserved : [16] 1
+0x0d4 InterruptMode : 0
+0x0d8 Spare1 : 0 ''
+0x0dc KernelReserved2 : [17] 0
+0x120 PrcbData : _KPRCB
This piece of code is your friend if you are also experiencing this problem.
PVOID KdVersionBlock = NULL;

//
// Multi Processors (MP)
// To ensure that it's running on a specific processor: only the first
// processor's KPCR carries a valid KdVersionBlock (see the dumps above).
//
KeSetSystemAffinityThread(1);
_asm {
    mov eax, fs:[0x1C]      // SelfPCR
    mov eax, [eax + 0x34]   // KdVersionBlock
    mov KdVersionBlock, eax
}
//
// Go back to default affinity.
//
KeRevertToUserAffinityThread();
The MSDN documentation suggests that developers targeting Windows Vista and later use KeSetSystemAffinityThreadEx instead of KeSetSystemAffinityThread, and KeRevertToUserAffinityThreadEx instead of KeRevertToUserAffinityThread.
Even if there is no entry for KeRevertToUserAffinityThread in the MSDN, there is a blog post from the Windows Driver Kit (WDK) Documentation Blog about Windows Kernel Routine Name Conventions that says:
Suffix – Ex – indicates that this is a new version of KeRevertToUserAffinityThread. “Ex” is an abbreviation for extension. It is a common Windows naming convention for new versions of a routine.
Thanks to Sebastien and Martim for reporting the bug.
Hey people! Happy New Year from a lazy man 2.0 :-)
I was looking for the shortest way to wish the people I know a happy new year for 2009.
Here is a flowchart to explain what’s going on just after I press the WordPress “Publish” button.
As you can see I use WordPress, Twitter, and Facebook technology — that’s pretty useless but that’s funny :-)
Updates will be shown as “Blog [new]: #title# ( http://tinyurl.com/xxxxxx )”. It means I have 98 (140 – 42) characters free to wish you a happy new year!
* Tools/Plugins:
Twitter updater plugin for Wordpress
Facebook application to update facebook status from Twitter
PS. I’m not dead and I’ll soon publish an update (1.2.1) for win32dd to fix a bug with multi-core computers and Microsoft crash dump file generation.