• Set conditional breakpoints as follows in the "WinMgmt" context.
  • 0x82388888 is the EPROCESS of WinMgmt. 0x751ae2f8 is the address of the wbemcore!CCoreQueue::LogError() function as loaded in the winmgmt context.
  • poi(esp+8) = 0x800706ba tests whether the second parameter on the stack of wbemcore!CCoreQueue::LogError() is equal to 0x800706ba.
  • If the second parameter is equal to 0x800706ba, the debugger executes the following commands: '.time;!thread -1;kv'. gc means "go to continue".
    kd> bp /p 82388888 751ae2f8 "j poi(esp+8)=0x800706ba '.time;!thread -1;kv;gc';'gc'"
  • The following conditional breakpoint makes the debugger execute 'du poi(esp+8);du poi(esp+c)' on every hit.
  • 0x750eb7c7 is the address of the wbemess!CEss::ReloadProvider() function as loaded in the winmgmt context. This function is unique in the system, so we do not need to specify an EPROCESS for this breakpoint. wbemess!CEss::ReloadProvider() has two important parameters: the second parameter is the "name space" as a Unicode string, and the third parameter is the "WMI provider" name.
    kd> bp 750eb7c7 "j 1 '.time;!thread -1;du poi(esp+8);du poi(esp+c);gc';'gc'"
     

Here we go.

kd> g
Resource_UnloadDLLs:ENTER
Resource_UnloadDLLs:EXIT
Resource_LoadDLLs:ENTER
Resource_LoadDLLs:EXIT
GetSingleHotfixInfo entered Q147222
GetSingleHotfixInfo entered ServicePackUninstall
GetSingleHotfixInfo entered Q147222
GetSingleHotfixInfo entered ServicePackUninstall
Resource_GetHandle:ENTER
Resource_GetHandle:EXIT
Debug session time: Tue Aug 28 18:57:02.328 2007 (GMT+9)
System Uptime: 0 days 1:22:12.515
THREAD 82094bd8  Cid 0384.08c0  Teb: 7ff9f000 Win32Thread: bc38ab38 RUNNING on processor 0
Not impersonating
DeviceMap                 e1000178
Owning Process            82388888       Image:         svchost.exe
Wait Start TickCount      315681         Ticks: 0
Context Switch Count      28                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address wbemcomn!CExecQueue::_ThreadEntry (0x74fd549f)
Start Address kernel32!BaseThreadStartThunk (0x7c8217ec)
Stack Init f68af000 Current f68aec78 Base f68af000 Limit f68ab000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
019aff28 750ebb4e 00000000 03df1328 0256d608 wbemess!CEss::ReloadProvider (FPO: [Non-Fpo])
019aff3c 74fd5668 024a6eb8 024a6a00 7c96a3ab wbemess!CProviderReloadRequest::Execute+0x29 (FPO: [0,0,0])
019aff50 74fd5802 024a6eb8 00000000 024a6eb8 wbemcomn!CExecQueue::Execute+0x17 (FPO: [Non-Fpo])
019aff80 750dc87c 00002ee0 00000000 00000000 wbemcomn!CExecQueue::ThreadMain+0x11f (FPO: [Non-Fpo])
019affac 74fd54ae 024a6eb8 019affec 7c824829 wbemess!CEventQueue::ThreadMain+0x22 (FPO: [Non-Fpo])
019affb8 7c824829 024a6eb8 00000000 00000000 wbemcomn!CExecQueue::_ThreadEntry+0xf (FPO: [Non-Fpo])
019affec 00000000 74fd549f 024a6eb8 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
03df1328  "root\Citrix" -> name space
0256d608  "MetaFrameProv" -> WMI provider name

Debug session time: Tue Aug 28 18:57:02.640 2007 (GMT+9)
System Uptime: 0 days 1:22:12.828
THREAD 82094bd8  Cid 0384.08c0  Teb: 7ff9f000 Win32Thread: bc38ab38 RUNNING on processor 0
Not impersonating
DeviceMap                 e1000178
Owning Process            82388888       Image:         svchost.exe
Wait Start TickCount      315701         Ticks: 0
Context Switch Count      35                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.031
Win32 Start Address wbemcomn!CExecQueue::_ThreadEntry (0x74fd549f)
Start Address kernel32!BaseThreadStartThunk (0x7c8217ec)
Stack Init f68af000 Current f68aec78 Base f68af000 Limit f68ab000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
019aff28 750ebb4e 00000000 03df43f0 02530720 wbemess!CEss::ReloadProvider (FPO: [Non-Fpo])
019aff3c 74fd5668 024a6eb8 024a6a00 7c96a3ab wbemess!CProviderReloadRequest::Execute+0x29 (FPO: [0,0,0])
019aff50 74fd5802 024a6eb8 00000000 024a6eb8 wbemcomn!CExecQueue::Execute+0x17 (FPO: [Non-Fpo])
019aff80 750dc87c 00002ee0 00000000 00000000 wbemcomn!CExecQueue::ThreadMain+0x11f (FPO: [Non-Fpo])
019affac 74fd54ae 024a6eb8 019affec 7c824829 wbemess!CEventQueue::ThreadMain+0x22 (FPO: [Non-Fpo])
019affb8 7c824829 024a6eb8 00000000 00000000 wbemcomn!CExecQueue::_ThreadEntry+0xf (FPO: [Non-Fpo])
019affec 00000000 74fd549f 024a6eb8 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
03df43f0  "root\Citrix" -> name space
02530720  "CitrixFarmProv" -> WMI provider name

Debug session time: Tue Aug 28 18:57:02.765 2007 (GMT+9)
System Uptime: 0 days 1:22:12.953
THREAD 81f5ec28  Cid 0384.0d8c  Teb: 7ff91000 Win32Thread: bc5224f8 RUNNING on processor 0
Not impersonating
DeviceMap                 e1000178
Owning Process            82388888       Image:         svchost.exe
Wait Start TickCount      315709         Ticks: 0
Context Switch Count      61                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.062
Win32 Start Address wbemcore!CCoreQueue::_ThreadEntryRescue (0x751a1d98)
Start Address kernel32!BaseThreadStartThunk (0x7c8217ec)
Stack Init f59b0000 Current f59afc78 Base f59b0000 Limit f59ac000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
01dffea4 751ae37f 02550508 800706ba 00000000 wbemcore!CCoreQueue::LogError (FPO: [Non-Fpo])
01dffed8 751aa445 02550508 00000000 02550508 wbemcore!CCoreQueue::pExecute+0x4a (FPO: [Non-Fpo])
01dfff08 751aa3df 025683e0 025683e0 0258ff18 wbemcore!CCoreQueue::Execute+0x18 (FPO: [Non-Fpo])
01dfff50 751a1d57 025683e0 025683e0 0250f7d8 wbemcore!CWbemQueue::Execute+0xf6 (FPO: [Non-Fpo])
01dfff84 751a1dee 00002ee0 00000000 00000000 wbemcore!CCoreQueue::ThreadMain+0x111 (FPO: [Non-Fpo])
01dfffb8 7c824829 025683e0 00000000 00000000 wbemcore!CCoreQueue::_ThreadEntryRescue+0x56 (FPO: [Non-Fpo])
01dfffec 00000000 751a1d98 025683e0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
ChildEBP RetAddr  Args to Child
01dffea4 751ae37f 02550508 800706ba 00000000 wbemcore!CCoreQueue::LogError (FPO: [Non-Fpo])
01dffed8 751aa445 02550508 00000000 02550508 wbemcore!CCoreQueue::pExecute+0x4a (FPO: [Non-Fpo])
01dfff08 751aa3df 025683e0 025683e0 0258ff18 wbemcore!CCoreQueue::Execute+0x18 (FPO: [Non-Fpo])
01dfff50 751a1d57 025683e0 025683e0 0250f7d8 wbemcore!CWbemQueue::Execute+0xf6 (FPO: [Non-Fpo])
01dfff84 751a1dee 00002ee0 00000000 00000000 wbemcore!CCoreQueue::ThreadMain+0x111 (FPO: [Non-Fpo])
01dfffb8 7c824829 025683e0 00000000 00000000 wbemcore!CCoreQueue::_ThreadEntryRescue+0x56 (FPO: [Non-Fpo])
01dfffec 00000000 751a1d98 025683e0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])

Debug session time: Tue Aug 28 18:57:04.828 2007 (GMT+9)
System Uptime: 0 days 1:22:15.015
THREAD 82094bd8  Cid 0384.08c0  Teb: 7ff9f000 Win32Thread: bc38ab38 RUNNING on processor 0
Not impersonating
DeviceMap                 e1000178
Owning Process            82388888       Image:         svchost.exe
Wait Start TickCount      315841         Ticks: 0
Context Switch Count      55                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.062
Win32 Start Address wbemcomn!CExecQueue::_ThreadEntry (0x74fd549f)
Start Address kernel32!BaseThreadStartThunk (0x7c8217ec)
Stack Init f68af000 Current f68aec78 Base f68af000 Limit f68ab000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
019aff28 750ebb4e 00000000 024abbd8 0252f580 wbemess!CEss::ReloadProvider (FPO: [Non-Fpo])
019aff3c 74fd5668 024a6eb8 024a6a00 7c96a3ab wbemess!CProviderReloadRequest::Execute+0x29 (FPO: [0,0,0])
019aff50 74fd5802 024a6eb8 00000000 024a6eb8 wbemcomn!CExecQueue::Execute+0x17 (FPO: [Non-Fpo])
019aff80 750dc87c 00002ee0 00000000 00000000 wbemcomn!CExecQueue::ThreadMain+0x11f (FPO: [Non-Fpo])
019affac 74fd54ae 024a6eb8 019affec 7c824829 wbemess!CEventQueue::ThreadMain+0x22 (FPO: [Non-Fpo])
019affb8 7c824829 024a6eb8 00000000 00000000 wbemcomn!CExecQueue::_ThreadEntry+0xf (FPO: [Non-Fpo])
019affec 00000000 74fd549f 024a6eb8 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
024abbd8  "root\Citrix\Management" -> name space
0252f580  "MgmtAPIProv" -> WMI provider name

Debug session time: Tue Aug 28 18:57:04.859 2007 (GMT+9)
System Uptime: 0 days 1:22:15.046
THREAD 81f5ec28  Cid 0384.0d8c  Teb: 7ff91000 Win32Thread: bc5224f8 RUNNING on processor 0
Not impersonating
DeviceMap                 e1000178
Owning Process            82388888       Image:         svchost.exe
Wait Start TickCount      315841         Ticks: 2 (0:00:00:00.031)
Context Switch Count      439                 LargeStack
UserTime                  00:00:00.031
KernelTime                00:00:00.250
Win32 Start Address wbemcore!CCoreQueue::_ThreadEntryRescue (0x751a1d98)
Start Address kernel32!BaseThreadStartThunk (0x7c8217ec)
Stack Init f59b0000 Current f59afcf0 Base f59b0000 Limit f59ac000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
01dffea4 751ae37f 03e6aaf0 800706ba 00000000 wbemcore!CCoreQueue::LogError (FPO: [Non-Fpo])
01dffed8 751aa445 03e6aaf0 00000000 03e6aaf0 wbemcore!CCoreQueue::pExecute+0x4a (FPO: [Non-Fpo])
01dfff08 751aa3df 025683e0 025683e0 0258ff18 wbemcore!CCoreQueue::Execute+0x18 (FPO: [Non-Fpo])
01dfff50 751a1d57 025683e0 025683e0 0250f7d8 wbemcore!CWbemQueue::Execute+0xf6 (FPO: [Non-Fpo])
01dfff84 751a1dee 00002ee0 00000000 00000000 wbemcore!CCoreQueue::ThreadMain+0x111 (FPO: [Non-Fpo])
01dfffb8 7c824829 025683e0 00000000 00000000 wbemcore!CCoreQueue::_ThreadEntryRescue+0x56 (FPO: [Non-Fpo])
01dfffec 00000000 751a1d98 025683e0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
ChildEBP RetAddr  Args to Child
01dffea4 751ae37f 03e6aaf0 800706ba 00000000 wbemcore!CCoreQueue::LogError (FPO: [Non-Fpo])
01dffed8 751aa445 03e6aaf0 00000000 03e6aaf0 wbemcore!CCoreQueue::pExecute+0x4a (FPO: [Non-Fpo])
01dfff08 751aa3df 025683e0 025683e0 0258ff18 wbemcore!CCoreQueue::Execute+0x18 (FPO: [Non-Fpo])
01dfff50 751a1d57 025683e0 025683e0 0250f7d8 wbemcore!CWbemQueue::Execute+0xf6 (FPO: [Non-Fpo])
01dfff84 751a1dee 00002ee0 00000000 00000000 wbemcore!CCoreQueue::ThreadMain+0x111 (FPO: [Non-Fpo])
01dfffb8 7c824829 025683e0 00000000 00000000 wbemcore!CCoreQueue::_ThreadEntryRescue+0x56 (FPO: [Non-Fpo])
01dfffec 00000000 751a1d98 025683e0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])

Debug session time: Tue Aug 28 18:57:07.609 2007 (GMT+9)
System Uptime: 0 days 1:22:17.796
THREAD 82094bd8  Cid 0384.08c0  Teb: 7ff9f000 Win32Thread: bc38ab38 RUNNING on processor 0
Not impersonating
DeviceMap                 e1000178
Owning Process            82388888       Image:         svchost.exe
Wait Start TickCount      316019         Ticks: 0
Context Switch Count      63                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.093
Win32 Start Address wbemcomn!CExecQueue::_ThreadEntry (0x74fd549f)
Start Address kernel32!BaseThreadStartThunk (0x7c8217ec)
Stack Init f68af000 Current f68ae914 Base f68af000 Limit f68ab000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
019aff28 750ebb4e 00000000 0249d388 024b1b20 wbemess!CEss::ReloadProvider (FPO: [Non-Fpo])
019aff3c 74fd5668 024a6eb8 024a6a00 7c96a3ab wbemess!CProviderReloadRequest::Execute+0x29 (FPO: [0,0,0])
019aff50 74fd5802 024a6eb8 00000000 024a6eb8 wbemcomn!CExecQueue::Execute+0x17 (FPO: [Non-Fpo])
019aff80 750dc87c 00002ee0 00000000 00000000 wbemcomn!CExecQueue::ThreadMain+0x11f (FPO: [Non-Fpo])
019affac 74fd54ae 024a6eb8 019affec 7c824829 wbemess!CEventQueue::ThreadMain+0x22 (FPO: [Non-Fpo])
019affb8 7c824829 024a6eb8 00000000 00000000 wbemcomn!CExecQueue::_ThreadEntry+0xf (FPO: [Non-Fpo])
019affec 00000000 74fd549f 024a6eb8 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
0249d388  "root\Citrix" -> name space
024b1b20  "MetaFrameEvHappeningsProv" -> WMI provider name

Debug session time: Tue Aug 28 18:57:07.656 2007 (GMT+9)
System Uptime: 0 days 1:22:17.843
THREAD 81f5ec28  Cid 0384.0d8c  Teb: 7ff91000 Win32Thread: bc5224f8 RUNNING on processor 0
Not impersonating
DeviceMap                 e1000178
Owning Process            82388888       Image:         svchost.exe
Wait Start TickCount      316022         Ticks: 0
Context Switch Count      461                 LargeStack
UserTime                  00:00:00.031
KernelTime                00:00:00.281
Win32 Start Address wbemcore!CCoreQueue::_ThreadEntryRescue (0x751a1d98)
Start Address kernel32!BaseThreadStartThunk (0x7c8217ec)
Stack Init f59b0000 Current f59afc20 Base f59b0000 Limit f59ac000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
01dffea4 751ae37f 03e6aaf0 800706ba 00000000 wbemcore!CCoreQueue::LogError (FPO: [Non-Fpo])
01dffed8 751aa445 03e6aaf0 00000000 03e6aaf0 wbemcore!CCoreQueue::pExecute+0x4a (FPO: [Non-Fpo])
01dfff08 751aa3df 025683e0 025683e0 0258ff18 wbemcore!CCoreQueue::Execute+0x18 (FPO: [Non-Fpo])
01dfff50 751a1d57 025683e0 025683e0 0250f7d8 wbemcore!CWbemQueue::Execute+0xf6 (FPO: [Non-Fpo])
01dfff84 751a1dee 00002ee0 00000000 00000000 wbemcore!CCoreQueue::ThreadMain+0x111 (FPO: [Non-Fpo])
01dfffb8 7c824829 025683e0 00000000 00000000 wbemcore!CCoreQueue::_ThreadEntryRescue+0x56 (FPO: [Non-Fpo])
01dfffec 00000000 751a1d98 025683e0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
ChildEBP RetAddr  Args to Child
01dffea4 751ae37f 03e6aaf0 800706ba 00000000 wbemcore!CCoreQueue::LogError (FPO: [Non-Fpo])
01dffed8 751aa445 03e6aaf0 00000000 03e6aaf0 wbemcore!CCoreQueue::pExecute+0x4a (FPO: [Non-Fpo])
01dfff08 751aa3df 025683e0 025683e0 0258ff18 wbemcore!CCoreQueue::Execute+0x18 (FPO: [Non-Fpo])
01dfff50 751a1d57 025683e0 025683e0 0250f7d8 wbemcore!CWbemQueue::Execute+0xf6 (FPO: [Non-Fpo])
01dfff84 751a1dee 00002ee0 00000000 00000000 wbemcore!CCoreQueue::ThreadMain+0x111 (FPO: [Non-Fpo])
01dfffb8 7c824829 025683e0 00000000 00000000 wbemcore!CCoreQueue::_ThreadEntryRescue+0x56 (FPO: [Non-Fpo])
01dfffec 00000000 751a1d98 025683e0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
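The two breakpoints above interleave provider reloads on one thread with LogError hits on another, and the pairing has to be read out of the timestamps by hand. Here is an added Python example (not part of the original post) that does the same pairing over a constructed excerpt shaped like that kd output: it pulls the namespace/provider strings dumped for each ReloadProvider hit and the HRESULT in LogError's second argument (poi(esp+8)), decodes the HRESULT, and attaches each LogError to the reload that preceded it. The function names and the one-second window are my own choices; the decoding of 0x800706ba as Win32 error 1722 follows the standard HRESULT layout and is not stated on the page.

```python
import re
# Constructed excerpt shaped like the kd output above (".time" header, "!thread -1" header,
# the kv frame of interest and the "du" lines the breakpoint prints); not a live session log.
SAMPLE = """\
Debug session time: Tue Aug 28 18:57:02.328 2007 (GMT+9)
THREAD 82094bd8  Cid 0384.08c0  Teb: 7ff9f000 Win32Thread: bc38ab38 RUNNING on processor 0
019aff28 750ebb4e 00000000 03df1328 0256d608 wbemess!CEss::ReloadProvider (FPO: [Non-Fpo])
03df1328  "root\\Citrix" -> name space
0256d608  "MetaFrameProv" -> WMI provider name
Debug session time: Tue Aug 28 18:57:02.765 2007 (GMT+9)
THREAD 81f5ec28  Cid 0384.0d8c  Teb: 7ff91000 Win32Thread: bc5224f8 RUNNING on processor 0
01dffea4 751ae37f 02550508 800706ba 00000000 wbemcore!CCoreQueue::LogError (FPO: [Non-Fpo])
"""
TIME_RE = re.compile(r"^Debug session time: .*?(\d\d):(\d\d):(\d\d)\.(\d{3}) ")
THREAD_RE = re.compile(r"^THREAD [0-9a-f]{8}\s+Cid (\S+)")
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} ((?:[0-9a-f]{8} ){3})(\S+)")  # one kv frame
DU_RE = re.compile(r"^([0-9a-f]{8})\s+[\"“](.*?)[\"”]")                    # one du line
def decode_hresult(hr):
    """(failed, facility, code); 0x800706ba -> (True, 7, 1722): Win32 RPC_S_SERVER_UNAVAILABLE."""
    return bool(hr >> 31), (hr >> 16) & 0x7FF, hr & 0xFFFF

def parse_events(text):
    """Return [time_s, cid, kind, detail] per hit: ReloadProvider gives the namespace and
    provider named by its 2nd/3rd args, LogError the HRESULT in its 2nd arg (poi(esp+8))."""
    events, t, cid, pending = [], 0.0, "", {}
    for line in text.splitlines():
        if m := TIME_RE.match(line):
            h, mi, s, ms = map(int, m.groups())
            t = h * 3600 + mi * 60 + s + ms / 1000
        elif m := THREAD_RE.match(line):
            cid = m.group(1)
        elif m := FRAME_RE.match(line):
            args, func = m.group(1).split(), m.group(2)
            if func.startswith("wbemess!CEss::ReloadProvider"):
                pending = {"ns": args[1], "prov": args[2]}  # pointers until du resolves them
                events.append([t, cid, "reload", pending])
            elif func.startswith("wbemcore!CCoreQueue::LogError"):
                events.append([t, cid, "logerror", int(args[1], 16)])
        elif (m := DU_RE.match(line)) and pending:
            pending.update({k: m.group(2) for k, v in pending.items() if v == m.group(1)})
    return events

def correlate(events, window_s=1.0):
    """Pair each LogError with the last reload (any thread) within window_s: (hr, ns, prov, gap_s)."""
    pairs, last = [], None
    for t, cid, kind, detail in events:
        if kind == "reload":
            last = (t, detail)
        elif last and t - last[0] <= window_s:
            pairs.append((detail, last[1]["ns"], last[1]["prov"], round(t - last[0], 3)))
    return pairs
```

Feed it the full breakpoint log and each 0x800706ba LogError comes out tagged with the namespace and provider whose reload ran just before it, which is the question the two breakpoints were set to answer.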


Global Escalation Manager Tokyo
-fb