Discussion:
Crash Dump Analysis
s***@gmail.com
2009-04-24 00:58:26 UTC
I have a Windows 2008 terminal server that is locking up once or twice
a day and has to be power cycled to get it back up again. I've enabled
the Ctrl+Scroll Lock+Scroll Lock dump file generation and am now
trying to analyse the dump generated with WinDbg.

I started looking at the locks but couldn't find a deadlock so I took
one that was holding up several threads and worked back to the process
that owned the lock which was SYSTEM. The thread details show 'Waiting
for reply to ALPC Message' which is owned by EKERN.EXE (Eset Nod32
Anti-virus). Viewing the threads in EKERN.EXE I see a couple that have
spent a long time in the kernel so I currently suspect the anti-virus
software is causing the lock-up. Am I on the right track or is this
normal behaviour?

Here is the cut-down output from WinDbg:

1: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks...

[...]

KD: Scanning for held locks..........................

Resource @ 0xfffffa800e508dc0 Exclusively owned
Contention Count = 6
NumberOfExclusiveWaiters = 5
Threads: fffffa800f19db50-01<*>
Threads Waiting On Exclusive Access:
fffffa8011cb22a0 fffffa800e194bb0
fffffa800d5c0040 fffffa800d5bebb0
fffffa8010797620

[...]

18108 total locks, 16 locks currently held

1: kd> !thread fffffa800f19db50

THREAD fffffa800f19db50 Cid 0004.4f68 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) KernelMode Non-Alertable
fffffa800f19dee0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88015bfa130 : queued at port fffffa800db078e0 : owned by process fffffa800d1e8c10
IRP List:
fffffa801156bb50: (0006,03e8) Flags: 00000884 Mdl: 00000000
Impersonation token: fffff88010b3a060 (Level Impersonation)
Owning Process 0 Image: <Unknown>
Attached Process fffffa800b2150b0 Image: System
Wait Start TickCount 3907564 Ticks: 20201 (0:00:05:15.137)
Context Switch Count 2797
UserTime 00:00:00.000
KernelTime 00:00:00.374
Win32 Start Address srv!WorkerThread (0xfffffa6008b891c0)
Stack Init fffffa60156fddb0 Current fffffa60156fcb60
Base fffffa60156fe000 Limit fffffa60156f8000 Call 0
Priority 14 BasePriority 9 PriorityDecrement 4 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffffa60`156fcba0 fffff800`01ab3f8a : 00000000`00000000 fffff800`01d2eb64 fffffa80`00020002 00000000`00000000 : nt!KiSwapContext+0x7f
fffffa60`156fcce0 fffff800`01ab576a : 00000000`00000001 00000000`00000800 00000000`00000001 00000000`00000000 : nt!KiSwapThread+0x2fa
fffffa60`156fcd50 fffff800`01ae5cab : 00000000`00000000 00000000`00000011 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x2da
fffffa60`156fcde0 fffff800`01d37024 : fffffa60`156fcf28 00000000`00000000 fffffa80`0f19db50 00000000`00000000 : nt!AlpcpSignalAndWait+0x7b
fffffa60`156fce20 fffff800`01d3c2c6 : fffffa80`0d460260 00000000`00000000 00000000`00000000 fffffa60`00000000 : nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`156fce80 fffff800`01d40962 : fffffa80`0d460260 fffffa60`00020002 fffffa60`156fd070 00000000`00000000 : nt!AlpcpProcessSynchronousRequest+0x24f
fffffa60`156fcfa0 fffff800`01cee5e9 : fffffa80`0c9ed4f0 fffffa80`11b29c48 fffffa80`0c9ef010 00000000`00000000 : nt!LpcpRequestWaitReplyPort+0x91
fffffa60`156fd000 fffffa60`0780608d : 00000000`00000000 fffffa60`0786e3a0 00000000`00000010 00000000`00000082 : nt!LpcRequestWaitReplyPort+0x19
fffffa60`156fd040 fffffa60`07808df9 : fffffa80`1231e1c0 fffffa60`156fd268 fffffa80`0cd3b7b0 00000000`00000004 : eamon+0x508d
fffffa60`156fd1d0 fffffa60`07806ea9 : 00000000`1156be01 fffffa80`00000000 fffffa80`1156bb50 fffffa80`0cd3b7b0 : eamon+0x7df9
fffffa60`156fd260 fffff800`01d33d83 : 00000000`00000000 00000000`00000004 00000000`00020089 00000000`1156be01 : eamon+0x5ea9
fffffa60`156fd2f0 fffff800`01d2d672 : fffffa80`0cd3b660 00000000`00000000 fffffa80`106ee590 fffffa80`0d793d00 : nt!IopParseDevice+0x5e3
fffffa60`156fd490 fffff800`01d31944 : ffffffff`80000948 fffffa80`0b215200 fffffa80`00000040 00000000`00000000 : nt!ObpLookupObjectName+0x202
fffffa60`156fd5a0 fffff800`01d3dee0 : fffffa80`00020089 fffffa60`156fda68 fffffa80`0ca0c300 fffffa80`0c002350 : nt!ObOpenObjectByName+0x2f4
fffffa60`156fd670 fffff800`01d0fe7b : fffffa60`156fdac0 fffffa60`00020089 00000000`00000000 fffffa60`156fdaa8 : nt!IopCreateFile+0x290
fffffa60`156fd710 fffffa60`08b8a6b1 : fffffa60`08b5c550 fffff880`10b3a060 00000000`00000000 00000000`c0000022 : nt!IoCreateFile+0x8b
fffffa60`156fd7a0 fffffa60`08b8d0d4 : ffffffff`fd9da600 fffffa60`156fdac0 fffffa80`00020089 fffffa60`156fda68 : srv!SrvIoCreateFile+0x461
fffffa60`156fd9a0 fffffa60`08b8c3f3 : fffffa80`0f19db00 00000000`00000016 fffffa60`00020089 00000000`00000000 : srv!SrvNtCreateFile+0x524
fffffa60`156fdb70 fffffa60`08b400f7 : fffffa80`0da90012 00000000`00000000 fffffa80`0da8a950 00000000`00000000 : srv!SrvSmbNtCreateAndX+0x193
fffffa60`156fdc50 fffffa60`08b402d4 : fffffa80`0d99f1e0 fffffa80`0d7edba0 fffffa80`0d99f1e0 fffffa60`08b89100 : srv!SrvProcessSmb+0x97
fffffa60`156fdcc0 fffffa60`08b8928d : 00000000`00000002 fffffa80`0d5bc340 00000000`00000001 fffffa80`0da8a960 : srv!SrvRestartReceive+0xa4
fffffa60`156fdd00 fffff800`01cd0ff3 : fffffa80`0da8a950 fffffa80`0f19db50 00000000`00000080 fffffa80`0d5bc340 : srv!WorkerThread+0xcd
fffffa60`156fdd50 fffff800`01ae8546 : fffffa60`01966180 fffffa80`0f19db50 fffffa80`0d5be720 00000000`00000001 : nt!PspSystemThreadStartup+0x57
fffffa60`156fdd80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16

1: kd> !process fffffa800d1e8c10
PROCESS fffffa800d1e8c10
SessionId: 0 Cid: 0770 Peb: 7efdf000 ParentCid: 02a4
DirBase: ada2e000 ObjectTable: fffff8800a2509d0 HandleCount: 351.
Image: ekrn.exe
VadRoot fffffa800d253360 Vads 198 Clone 0 Private 12588. Modified 85171. Locked 0.
DeviceMap fffff880000061f0
Token fffff8800a253ad0
ElapsedTime 17:00:00.197
UserTime 00:02:04.519
KernelTime 00:00:35.864
QuotaPoolUsage[PagedPool] 128784
QuotaPoolUsage[NonPagedPool] 22288
Working Set Sizes (now,min,max) (11897, 50, 345) (47588KB, 200KB, 1380KB)
PeakWorkingSetSize 25473
VirtualSize 130 Mb
PeakVirtualSize 202 Mb
PageFaultCount 3471459
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 13213

THREAD fffffa800d1ed060 Cid 0770.0774 Teb: 000000007efdb000 Win32Thread: fffff900c07b7790 WAIT: (Executive) UserMode Non-Alertable
fffffa800d2319d8 NotificationEvent
IRP List:
fffffa8011ffc4d0: (0006,0118) Flags: 00060900 Mdl: 00000000
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3762997 Ticks: 164768 (0:00:42:50.397)
Context Switch Count 94 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.062
Win32 Start Address 0x0000000000484fb0
Stack Init fffffa6008249db0 Current fffffa60082497f0
Base fffffa600824a000 Limit fffffa6008242000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.

THREAD fffffa800d150bb0 Cid 0770.07c0 Teb: 000000007efd8000 Win32Thread: fffff900c07a6d50 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800cd28cc0 NotificationEvent
fffffa800d1d0cf0 SynchronizationEvent
fffffa800d253c00 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3927578 Ticks: 187 (0:00:00:02.917)
Context Switch Count 37184 LargeStack
UserTime 00:00:01.185
KernelTime 00:00:00.327
Win32 Start Address 0x00000000752fd1b9
Stack Init fffffa600811adb0 Current fffffa600811a230
Base fffffa600811b000 Limit fffffa6008112000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0811a270 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0811a3b0 fffff800`01ab3596 nt!KiSwapThread+0x2fa
fffffa60`0811a420 fffff800`01d29ace nt!KeWaitForMultipleObjects+0x2d6
fffffa60`0811a4a0 fffff800`01ca1b02 nt!ObpWaitForMultipleObjects+0x26e
fffffa60`0811a960 fffff800`01aaddf3 nt!NtWaitForMultipleObjects32+0xe5
fffffa60`0811abb0 00000000`7519374f nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0811ac20)
00000000`002ff0e8 00000000`00000000 0x7519374f

THREAD fffffa800d256bb0 Cid 0770.05a8 Teb: 000000007efd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
fffffa800d256f40 Semaphore Limit 0x1
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3927763 Ticks: 2 (0:00:00:00.031)
Context Switch Count 171156
UserTime 00:00:00.358
KernelTime 00:00:00.405
Win32 Start Address 0x000000000045af60
Stack Init fffffa60083e9db0 Current fffffa60083e97d0
Base fffffa60083ea000 Limit fffffa60083e4000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`083e9810 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`083e9950 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`083e99c0 fffff800`01d31007 nt!KeWaitForSingleObject+0x2da
fffffa60`083e9a50 fffff800`01cea61b nt!AlpcpReceiveMessagePort+0x287
fffffa60`083e9ab0 fffff800`01ceaf7e nt!AlpcpReceiveLegacyMessage+0x122
fffffa60`083e9b50 fffff800`01ceb4ff nt!NtReplyWaitReceivePortEx+0xc1
fffffa60`083e9be0 fffff800`01aaddf3 nt!NtReplyWaitReceivePort+0xf
fffffa60`083e9c20 00000000`77555b2a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`083e9c20)
00000000`013fe7e8 00000000`00000000 0x77555b2a

THREAD fffffa800d27c740 Cid 0770.02f0 Teb: 000000007efa7000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800d28fb00 SynchronizationEvent
fffffa800d287850 NotificationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 8166 Ticks: 3919599 (0:16:59:06.136)
Context Switch Count 14
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x000000000041e290
Stack Init fffffa6002f19db0 Current fffffa6002f19230
Base fffffa6002f1a000 Limit fffffa6002f14000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
Kernel stack not resident.

THREAD fffffa800d27bbb0 Cid 0770.075c Teb: 000000007efa4000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800d1258d0 SynchronizationEvent
fffffa800d1e1600 SynchronizationEvent
fffffa800d293a10 SynchronizationEvent
fffffa800d29ce80 SynchronizationEvent
fffffa800d28f4c0 SynchronizationEvent
fffffa800d27bc68 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3926038 Ticks: 1727 (0:00:00:26.941)
Context Switch Count 1249
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000000462880
Stack Init fffffa60084eadb0 Current fffffa60084ea230
Base fffffa60084eb000 Limit fffffa60084e5000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`084ea270 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`084ea3b0 fffff800`01ab3596 nt!KiSwapThread+0x2fa
fffffa60`084ea420 fffff800`01d29ace nt!KeWaitForMultipleObjects+0x2d6
fffffa60`084ea4a0 fffff800`01ca1b02 nt!ObpWaitForMultipleObjects+0x26e
fffffa60`084ea960 fffff800`01aaddf3 nt!NtWaitForMultipleObjects32+0xe5
fffffa60`084eabb0 00000000`7519374f nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`084eac20)
00000000`03d6f0e8 00000000`00000000 0x7519374f

THREAD fffffa800d25abb0 Cid 0770.0768 Teb: 000000007efa1000 Win32Thread: fffff900c07c9010 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa800d25af40 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8800b0b6780 : queued at port fffffa800cd0d940 : owned by process fffffa800cd12c10
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3914725 Ticks: 13040 (0:00:03:23.425)
Context Switch Count 51526 LargeStack
UserTime 00:00:22.916
KernelTime 00:00:05.038
Win32 Start Address 0x0000000000420e90
Stack Init fffffa600844edb0 Current fffffa600844e6c0
Base fffffa600844f000 Limit fffffa6008448000 Call 0
Priority 9 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0844e700 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0844e840 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0844e8b0 fffff800`01ae5cab nt!KeWaitForSingleObject+0x2da
fffffa60`0844e940 fffff800`01d37024 nt!AlpcpSignalAndWait+0x7b
fffffa60`0844e980 fffff800`01d3c2c6 nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`0844e9e0 fffff800`01d3133f nt!AlpcpProcessSynchronousRequest+0x24f
fffffa60`0844eb00 fffff800`01aaddf3 nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`0844ebb0 00000000`775562ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0844ec20)
00000000`03ece7f8 00000000`00000000 0x775562ca

THREAD fffffa800db4a760 Cid 0770.1508 Teb: 000000007ef9b000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800d2493b0 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 8166 Ticks: 3919599 (0:16:59:06.136)
Context Switch Count 13
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000021306c30
Stack Init fffffa6009d92db0 Current fffffa6009d92940
Base fffffa6009d93000 Limit fffffa6009d8d000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.

THREAD fffffa800d6eb060 Cid 0770.150c Teb: 000000007ef98000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800dadd320 SynchronizationEvent
fffffa800d6eb118 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3927702 Ticks: 63 (0:00:00:00.982)
Context Switch Count 63691
UserTime 00:00:00.015
KernelTime 00:00:00.000
Win32 Start Address 0x00000000213069b0
Stack Init fffffa6009ca5db0 Current fffffa6009ca5940
Base fffffa6009ca6000 Limit fffffa6009ca0000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`09ca5980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`09ca5ac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`09ca5b30 fffff800`01d27f08 nt!KeWaitForSingleObject+0x2da
fffffa60`09ca5bc0 fffff800`01aaddf3 nt!NtWaitForSingleObject+0x98
fffffa60`09ca5c20 00000000`75193d09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`09ca5c20)
00000000`0436f118 00000000`00000000 0x75193d09

THREAD fffffa800db4ebb0 Cid 0770.1518 Teb: 000000007ef95000 Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
fffffa6009dcd4e0 NotificationEvent
IRP List:
fffffa80124609c0: (0006,03e8) Flags: 00000884 Mdl: 00000000
Impersonation token: fffff8800f590060 (Level Impersonation)
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3906871 Ticks: 20894 (0:00:05:25.948)
Context Switch Count 513038 NoStackSwap
UserTime 00:00:35.880
KernelTime 00:00:19.328
Win32 Start Address 0x0000000021305540
Stack Init fffffa6009dcddb0 Current fffffa6009dcd100
Base fffffa6009dce000 Limit fffffa6009dc8000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 4 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`09dcd140 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`09dcd280 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`09dcd2f0 fffffa60`0129bf9d nt!KeWaitForSingleObject+0x2da
fffffa60`09dcd380 fffffa60`012df5f2 Ntfs!NtfsWaitForCreateEvent+0x4d
fffffa60`09dcd3c0 fffffa60`00d61342 Ntfs!NtfsFsdCreate+0x232
fffffa60`09dcd560 fffffa60`00d9795e fltmgr!FltpCreate+0x333
fffffa60`09dcd610 fffffa60`07806fee symsnap+0xe95e
fffffa60`09dcd670 fffff800`01d33d83 eamon+0x5fee
fffffa60`09dcd700 fffff800`01d2da59 nt!IopParseDevice+0x5e3
fffffa60`09dcd8a0 fffff800`01d31944 nt!ObpLookupObjectName+0x5eb
fffffa60`09dcd9b0 fffff800`01d3dee0 nt!ObOpenObjectByName+0x2f4
fffffa60`09dcda80 fffff800`01d3ea0c nt!IopCreateFile+0x290
fffffa60`09dcdb20 fffff800`01aaddf3 nt!NtCreateFile+0x78
fffffa60`09dcdbb0 00000000`77555fca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`09dcdc20)
00000000`043ae778 00000000`00000000 0x77555fca

THREAD fffffa800db23060 Cid 0770.151c Teb: 000000007ef92000 Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
fffffa6009cd54e0 NotificationEvent
IRP List:
fffffa800be726a0: (0006,03e8) Flags: 00000884 Mdl: 00000000
Impersonation token: fffff8801051a860 (Level Impersonation)
DeviceMap fffff8801365cf20
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3906879 Ticks: 20886 (0:00:05:25.823)
Context Switch Count 501299 NoStackSwap
UserTime 00:00:38.641
KernelTime 00:00:20.904
Win32 Start Address 0x0000000021305540
Stack Init fffffa6009cd5db0 Current fffffa6009cd5100
Base fffffa6009cd6000 Limit fffffa6009cd0000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 4 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`09cd5140 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`09cd5280 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`09cd52f0 fffffa60`0129bf9d nt!KeWaitForSingleObject+0x2da
fffffa60`09cd5380 fffffa60`012df5f2 Ntfs!NtfsWaitForCreateEvent+0x4d
fffffa60`09cd53c0 fffffa60`00d61342 Ntfs!NtfsFsdCreate+0x232
fffffa60`09cd5560 fffffa60`00d9795e fltmgr!FltpCreate+0x333
fffffa60`09cd5610 fffffa60`07806fee symsnap+0xe95e
fffffa60`09cd5670 fffff800`01d33d83 eamon+0x5fee
fffffa60`09cd5700 fffff800`01d2da59 nt!IopParseDevice+0x5e3
fffffa60`09cd58a0 fffff800`01d31944 nt!ObpLookupObjectName+0x5eb
fffffa60`09cd59b0 fffff800`01d3dee0 nt!ObOpenObjectByName+0x2f4
fffffa60`09cd5a80 fffff800`01d3ea0c nt!IopCreateFile+0x290
fffffa60`09cd5b20 fffff800`01aaddf3 nt!NtCreateFile+0x78
fffffa60`09cd5bb0 00000000`77555fca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`09cd5c20)
00000000`0477e778 00000000`00000000 0x77555fca

THREAD fffffa800db20bb0 Cid 0770.1524 Teb: 000000007ef8c000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800dac7c50 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 8166 Ticks: 3919599 (0:16:59:06.136)
Context Switch Count 13
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000021304e40
Stack Init fffffa6009e38db0 Current fffffa6009e38940
Base fffffa6009e39000 Limit fffffa6009e33000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.

THREAD fffffa800ce8fab0 Cid 0770.491c Teb: 000000007ef6b000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800d251040 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3914716 Ticks: 13049 (0:00:03:23.565)
Context Switch Count 2912
UserTime 00:00:00.109
KernelTime 00:00:00.592
Win32 Start Address 0x0000000020303c24
Stack Init fffffa600b424db0 Current fffffa600b424940
Base fffffa600b425000 Limit fffffa600b41f000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0b424980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0b424ac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0b424b30 fffff800`01d27f08 nt!KeWaitForSingleObject+0x2da
fffffa60`0b424bc0 fffff800`01aaddf3 nt!NtWaitForSingleObject+0x98
fffffa60`0b424c20 00000000`75193d09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0b424c20)
00000000`02aef118 00000000`00000000 0x75193d09

THREAD fffffa8011cc1060 Cid 0770.4f78 Teb: 000000007ef7d000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa800d2d54e0 QueueObject
fffffa8011cc1118 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3914716 Ticks: 13049 (0:00:03:23.565)
Context Switch Count 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00000000739959da
Stack Init fffffa600da2fdb0 Current fffffa600da2f7e0
Base fffffa600da30000 Limit fffffa600da2a000 Call 0
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0da2f820 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0da2f960 fffff800`01aba20e nt!KiSwapThread+0x2fa
fffffa60`0da2f9d0 fffff800`01d27c27 nt!KeRemoveQueueEx+0x4fe
fffffa60`0da2fa80 fffff800`01d1c3bd nt!IoRemoveIoCompletion+0x47
fffffa60`0da2fb00 fffff800`01aaddf3 nt!NtRemoveIoCompletion+0x13d
fffffa60`0da2fbb0 00000000`751939b2 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0da2fc20)
00000000`01e5f0b8 00000000`00000000 0x751939b2

THREAD fffffa8011980bb0 Cid 0770.066c Teb: 000000007ef71000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800dcab1f0 SynchronizationEvent
fffffa8011980c68 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3924386 Ticks: 3379 (0:00:00:52.712)
Context Switch Count 281
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000000462880
Stack Init fffffa600b6eddb0 Current fffffa600b6ed940
Base fffffa600b6ee000 Limit fffffa600b6e8000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0b6ed980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0b6edac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0b6edb30 fffff800`01d27f08 nt!KeWaitForSingleObject+0x2da
fffffa60`0b6edbc0 fffff800`01aaddf3 nt!NtWaitForSingleObject+0x98
fffffa60`0b6edc20 00000000`75193d09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0b6edc20)
00000000`0296f118 00000000`00000000 0x75193d09

THREAD fffffa801317a1d0 Cid 0770.35dc Teb: 000000007ef6e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8011b705c0 SynchronizationEvent
fffffa801317a288 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3927636 Ticks: 129 (0:00:00:02.012)
Context Switch Count 4971
UserTime 00:00:00.015
KernelTime 00:00:00.031
Win32 Start Address 0x0000000000462880
Stack Init fffffa600df16db0 Current fffffa600df16940
Base fffffa600df17000 Limit fffffa600df11000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0df16980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0df16ac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0df16b30 fffff800`01d27f08 nt!KeWaitForSingleObject+0x2da
fffffa60`0df16bc0 fffff800`01aaddf3 nt!NtWaitForSingleObject+0x98
fffffa60`0df16c20 00000000`75193d09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0df16c20)
00000000`02aaf118 00000000`00000000 0x75193d09

THREAD fffffa800f2f1060 Cid 0770.3b9c Teb: 000000007ef68000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa800f2f13f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8800d3d1af0 : queued at port fffffa800cc256e0 : owned by process fffffa800cc0bc10
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3906878 Ticks: 20887 (0:00:05:25.839)
Context Switch Count 657
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x0000000000462880
Stack Init fffffa6016ab8db0 Current fffffa6016ab86c0
Base fffffa6016ab9000 Limit fffffa6016ab3000 Call 0
Priority 7 BasePriority 6 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`16ab8700 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`16ab8840 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`16ab88b0 fffff800`01ae5cab nt!KeWaitForSingleObject+0x2da
fffffa60`16ab8940 fffff800`01d37024 nt!AlpcpSignalAndWait+0x7b
fffffa60`16ab8980 fffff800`01d3c2c6 nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`16ab89e0 fffff800`01d3133f nt!AlpcpProcessSynchronousRequest+0x24f
fffffa60`16ab8b00 fffff800`01aaddf3 nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`16ab8bb0 00000000`775562ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`16ab8c20)
00000000`02d2e7f8 00000000`00000000 0x775562ca

THREAD fffffa80117b02f0 Cid 0770.24c4 Teb: 000000007efad000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa800d2c0530 QueueObject
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3922852 Ticks: 4913 (0:00:01:16.643)
Context Switch Count 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00000000759b1c50
Stack Init fffffa6016bf6db0 Current fffffa6016bf67e0
Base fffffa6016bf7000 Limit fffffa6016bf1000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`16bf6820 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`16bf6960 fffff800`01aba20e nt!KiSwapThread+0x2fa
fffffa60`16bf69d0 fffff800`01d27c27 nt!KeRemoveQueueEx+0x4fe
fffffa60`16bf6a80 fffff800`01d1c3bd nt!IoRemoveIoCompletion+0x47
fffffa60`16bf6b00 fffff800`01aaddf3 nt!NtRemoveIoCompletion+0x13d
fffffa60`16bf6bb0 00000000`751939b2 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`16bf6c20)
00000000`0062f0b8 00000000`00000000 0x751939b2

THREAD fffffa8010ef3190 Cid 0770.2924 Teb: 000000007ef9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80122ae8a0 SynchronizationEvent
fffffa8010ef3248 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10 Image: ekrn.exe
Wait Start TickCount 3927763 Ticks: 2 (0:00:00:00.031)
Context Switch Count 1935
UserTime 00:00:00.031
KernelTime 00:00:00.000
Win32 Start Address 0x0000000000462880
Stack Init fffffa6008c5bdb0 Current fffffa6008c5b940
Base fffffa6008c5c000 Limit fffffa6008c56000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`08c5b980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`08c5bac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`08c5bb30 fffff800`01d27f08 nt!KeWaitForSingleObject+0x2da
fffffa60`08c5bbc0 fffff800`01aaddf3 nt!NtWaitForSingleObject+0x98
fffffa60`08c5bc20 00000000`75193d09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`08c5bc20)
00000000`0135f118 00000000`00000000 0x75193d09
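
The wait chain the post follows by hand (lock owner thread, then the process owning the ALPC port it waits on, then that process's long-blocked threads) can be pulled out of saved `!thread` / `!process` text. This is an added example, not part of the original post: the sample input is abridged from the output above, and the function names, the 60-second threshold and the "module shown without symbols" heuristic are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Abridged from the debugger output in the post (fields and frames omitted,
# argument columns dropped); its line wraps are kept to exercise rejoin().
SAMPLE = """\
THREAD fffffa800f19db50 Cid 0004.4f68 Teb: 0000000000000000
Waiting for reply to ALPC Message fffff88015bfa130 : queued at port
fffffa800db078e0 : owned by process fffffa800d1e8c10
Attached Process fffffa800b2150b0 Image: System
Wait Start TickCount 3907564 Ticks: 20201 (0:00:05:15.137)
fffffa60`156fd000 fffffa60`0780608d nt!
LpcRequestWaitReplyPort+0x19
fffffa60`156fd040 fffffa60`07808df9 eamon+0x508d
THREAD fffffa800d256bb0 Cid 0770.05a8 Teb: 000000007efd5000
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3927763 Ticks: 2
(0:00:00:00.031)
fffffa60`083e9a50 fffff800`01cea61b nt!AlpcpReceiveMessagePort
+0x287
THREAD fffffa800db4ebb0 Cid 0770.1518 Teb: 000000007ef95000
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3906871 Ticks: 20894
(0:00:05:25.948)
fffffa60`09dcd2f0 fffffa60`0129bf9d nt!KeWaitForSingleObject
+0x2da
fffffa60`09dcd380 fffffa60`012df5f2 Ntfs!
NtfsWaitForCreateEvent
+0x4d
fffffa60`09dcd610 fffffa60`07806fee symsnap+0xe95e
fffffa60`09dcd670 fffff800`01d33d83 eamon+0x5fee
"""

HEX = r"[0-9a-f]{16}"
WAIT_RE = re.compile(r"Ticks:\s*\d+\s*\((\d+):(\d+):(\d+):(\d+)\.(\d+)\)")
FRAME_RE = re.compile(r"\b([A-Za-z_]\w*)(?:!\w+)?\+0x[0-9a-f]+")

@dataclass
class Thread:
    addr: str
    process: str               # address of the attached process
    image: str                 # image name of the attached process
    wait_seconds: float        # from the d:hh:mm:ss.mmm value after Ticks
    alpc_owner: Optional[str]  # process owning the ALPC port waited on
    frames: List[str]          # innermost first, offsets stripped

def rejoin(text):
    """Undo mail-client wrapping inside 'module!symbol+0xNN' tokens."""
    text = re.sub(r"!\s*\n\s*", "!", text)
    return re.sub(r"\s*\n\s*(\+0x)", r"\1", text)

def parse_threads(dump):
    """Return {thread address: Thread} for every THREAD block in the text."""
    threads = {}
    for block in re.split(rf"(?m)^\s*(?=THREAD\s+{HEX})", rejoin(dump)):
        head = re.match(rf"THREAD\s+({HEX})", block)
        if not head:
            continue
        proc = re.search(rf"Attached Process\s+({HEX})\s+Image:\s*(\S+)", block)
        wait = WAIT_RE.search(block)
        secs = 0.0
        if wait:
            d, h, m, s, ms = map(int, wait.groups())
            secs = d * 86400 + h * 3600 + m * 60 + s + ms / 1000
        alpc = re.search(rf"owned by\s+process\s+({HEX})", block)
        frames = [f.group(0).rsplit("+0x", 1)[0] for f in FRAME_RE.finditer(block)]
        threads[head.group(1)] = Thread(
            head.group(1), proc.group(1) if proc else "", proc.group(2) if proc else "",
            secs, alpc.group(1) if alpc else None, frames)
    return threads

def unsymbolized(frames):
    """Modules that appear only as module+offset (no symbol name), in stack order."""
    return list(dict.fromkeys(f for f in frames if "!" not in f))

def blocked_in(thread):
    """Innermost frame that is not in nt, i.e. above the generic wait code."""
    return next((f for f in thread.frames if not f.startswith("nt!")), None)

def wait_chain(threads, owner_addr, min_wait=60.0):
    """Threads of the process that owns the ALPC port owner_addr waits on, blocked
    for at least min_wait seconds with an unsymbolized module on the stack."""
    owner = threads[owner_addr]
    stuck = [t for t in threads.values()
             if t.process == owner.alpc_owner and t.wait_seconds >= min_wait
             and unsymbolized(t.frames)]
    return sorted(stuck, key=lambda t: t.wait_seconds, reverse=True)

if __name__ == "__main__":
    for t in wait_chain(parse_threads(SAMPLE), "fffffa800f19db50"):
        print(t.addr, t.image, f"{t.wait_seconds:.0f}s", blocked_in(t), unsymbolized(t.frames))
```

Run against the full saved output, the same call lists every ekrn.exe thread that has been blocked for over a minute with an unsymbolized module on its stack, which is the set worth comparing across several dumps of the hang.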
Satya
2009-04-27 17:15:38 UTC
> Am I on the right track or is this normal behaviour?
What you see may be part of anti-virus software architecture. If
uninstalling anti-virus is an option, try that out and see if the lockups go
away.

Satya
http://www.winprogger.com
(0:00:42:50.397)
Context Switch Count 94 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.062
Win32 Start Address 0x0000000000484fb0
Stack Init fffffa6008249db0 Current fffffa60082497f0
Base fffffa600824a000 Limit fffffa6008242000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Kernel stack not resident.
THREAD fffffa800d150bb0 Cid 0770.07c0 Teb: 000000007efd8000
Win32Thread: fffff900c07a6d50 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800cd28cc0 NotificationEvent
fffffa800d1d0cf0 SynchronizationEvent
fffffa800d253c00 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3927578 Ticks: 187
(0:00:00:02.917)
Context Switch Count 37184 LargeStack
UserTime 00:00:01.185
KernelTime 00:00:00.327
Win32 Start Address 0x00000000752fd1b9
Stack Init fffffa600811adb0 Current fffffa600811a230
Base fffffa600811b000 Limit fffffa6008112000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0811a270 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0811a3b0 fffff800`01ab3596 nt!KiSwapThread+0x2fa
fffffa60`0811a420 fffff800`01d29ace nt!
KeWaitForMultipleObjects
+0x2d6
fffffa60`0811a4a0 fffff800`01ca1b02 nt!
ObpWaitForMultipleObjects+0x26e
fffffa60`0811a960 fffff800`01aaddf3 nt!
NtWaitForMultipleObjects32+0xe5
fffffa60`0811abb0 00000000`7519374f nt!KiSystemServiceCopyEnd
00000000`002ff0e8 00000000`00000000 0x7519374f
THREAD fffffa800d256bb0 Cid 0770.05a8 Teb: 000000007efd5000
Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-
Alertable
fffffa800d256f40 Semaphore Limit 0x1
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3927763 Ticks: 2
(0:00:00:00.031)
Context Switch Count 171156
UserTime 00:00:00.358
KernelTime 00:00:00.405
Win32 Start Address 0x000000000045af60
Stack Init fffffa60083e9db0 Current fffffa60083e97d0
Base fffffa60083ea000 Limit fffffa60083e4000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 1 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`083e9810 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`083e9950 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`083e99c0 fffff800`01d31007 nt!KeWaitForSingleObject
+0x2da
fffffa60`083e9a50 fffff800`01cea61b nt!AlpcpReceiveMessagePort
+0x287
fffffa60`083e9ab0 fffff800`01ceaf7e nt!
AlpcpReceiveLegacyMessage+0x122
fffffa60`083e9b50 fffff800`01ceb4ff nt!
NtReplyWaitReceivePortEx
+0xc1
fffffa60`083e9be0 fffff800`01aaddf3 nt!NtReplyWaitReceivePort
+0xf
fffffa60`083e9c20 00000000`77555b2a nt!KiSystemServiceCopyEnd
00000000`013fe7e8 00000000`00000000 0x77555b2a
THREAD fffffa800d27c740 Cid 0770.02f0 Teb: 000000007efa7000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800d28fb00 SynchronizationEvent
fffffa800d287850 NotificationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 8166 Ticks: 3919599
(0:16:59:06.136)
Context Switch Count 14
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x000000000041e290
Stack Init fffffa6002f19db0 Current fffffa6002f19230
Base fffffa6002f1a000 Limit fffffa6002f14000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 2 IoPriority 2
PagePriority 5
Kernel stack not resident.
THREAD fffffa800d27bbb0 Cid 0770.075c Teb: 000000007efa4000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800d1258d0 SynchronizationEvent
fffffa800d1e1600 SynchronizationEvent
fffffa800d293a10 SynchronizationEvent
fffffa800d29ce80 SynchronizationEvent
fffffa800d28f4c0 SynchronizationEvent
fffffa800d27bc68 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3926038 Ticks: 1727
(0:00:00:26.941)
Context Switch Count 1249
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000000462880
Stack Init fffffa60084eadb0 Current fffffa60084ea230
Base fffffa60084eb000 Limit fffffa60084e5000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`084ea270 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`084ea3b0 fffff800`01ab3596 nt!KiSwapThread+0x2fa
fffffa60`084ea420 fffff800`01d29ace nt!
KeWaitForMultipleObjects
+0x2d6
fffffa60`084ea4a0 fffff800`01ca1b02 nt!
ObpWaitForMultipleObjects+0x26e
fffffa60`084ea960 fffff800`01aaddf3 nt!
NtWaitForMultipleObjects32+0xe5
fffffa60`084eabb0 00000000`7519374f nt!KiSystemServiceCopyEnd
00000000`03d6f0e8 00000000`00000000 0x7519374f
THREAD fffffa800d25abb0 Cid 0770.0768 Teb: 000000007efa1000
Win32Thread: fffff900c07c9010 WAIT: (WrLpcReply) UserMode Non-
Alertable
fffffa800d25af40 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8800b0b6780 : queued at
port fffffa800cd0d940 : owned by process fffffa800cd12c10
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3914725 Ticks: 13040
(0:00:03:23.425)
Context Switch Count 51526 LargeStack
UserTime 00:00:22.916
KernelTime 00:00:05.038
Win32 Start Address 0x0000000000420e90
Stack Init fffffa600844edb0 Current fffffa600844e6c0
Base fffffa600844f000 Limit fffffa6008448000 Call 0
Priority 9 BasePriority 7 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0844e700 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0844e840 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0844e8b0 fffff800`01ae5cab nt!KeWaitForSingleObject
+0x2da
fffffa60`0844e940 fffff800`01d37024 nt!AlpcpSignalAndWait+0x7b
fffffa60`0844e980 fffff800`01d3c2c6 nt!
AlpcpReceiveSynchronousReply+0x44
fffffa60`0844e9e0 fffff800`01d3133f nt!
AlpcpProcessSynchronousRequest+0x24f
fffffa60`0844eb00 fffff800`01aaddf3 nt!
NtAlpcSendWaitReceivePort+0x19f
fffffa60`0844ebb0 00000000`775562ca nt!KiSystemServiceCopyEnd
00000000`03ece7f8 00000000`00000000 0x775562ca
THREAD fffffa800db4a760 Cid 0770.1508 Teb: 000000007ef9b000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800d2493b0 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 8166 Ticks: 3919599
(0:16:59:06.136)
Context Switch Count 13
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000021306c30
Stack Init fffffa6009d92db0 Current fffffa6009d92940
Base fffffa6009d93000 Limit fffffa6009d8d000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Kernel stack not resident.
THREAD fffffa800d6eb060 Cid 0770.150c Teb: 000000007ef98000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800dadd320 SynchronizationEvent
fffffa800d6eb118 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3927702 Ticks: 63
(0:00:00:00.982)
Context Switch Count 63691
UserTime 00:00:00.015
KernelTime 00:00:00.000
Win32 Start Address 0x00000000213069b0
Stack Init fffffa6009ca5db0 Current fffffa6009ca5940
Base fffffa6009ca6000 Limit fffffa6009ca0000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`09ca5980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`09ca5ac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`09ca5b30 fffff800`01d27f08 nt!KeWaitForSingleObject
+0x2da
fffffa60`09ca5bc0 fffff800`01aaddf3 nt!NtWaitForSingleObject
+0x98
fffffa60`09ca5c20 00000000`75193d09 nt!KiSystemServiceCopyEnd
00000000`0436f118 00000000`00000000 0x75193d09
THREAD fffffa800db4ebb0 Cid 0770.1518 Teb: 000000007ef95000
Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
fffffa6009dcd4e0 NotificationEvent
00000000
Impersonation token: fffff8800f590060 (Level Impersonation)
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3906871 Ticks: 20894
(0:00:05:25.948)
Context Switch Count 513038 NoStackSwap
UserTime 00:00:35.880
KernelTime 00:00:19.328
Win32 Start Address 0x0000000021305540
Stack Init fffffa6009dcddb0 Current fffffa6009dcd100
Base fffffa6009dce000 Limit fffffa6009dc8000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 4 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`09dcd140 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`09dcd280 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`09dcd2f0 fffffa60`0129bf9d nt!KeWaitForSingleObject
+0x2da
fffffa60`09dcd380 fffffa60`012df5f2 Ntfs!
NtfsWaitForCreateEvent
+0x4d
fffffa60`09dcd3c0 fffffa60`00d61342 Ntfs!NtfsFsdCreate+0x232
fffffa60`09dcd560 fffffa60`00d9795e fltmgr!FltpCreate+0x333
fffffa60`09dcd610 fffffa60`07806fee symsnap+0xe95e
fffffa60`09dcd670 fffff800`01d33d83 eamon+0x5fee
fffffa60`09dcd700 fffff800`01d2da59 nt!IopParseDevice+0x5e3
fffffa60`09dcd8a0 fffff800`01d31944 nt!ObpLookupObjectName
+0x5eb
fffffa60`09dcd9b0 fffff800`01d3dee0 nt!ObOpenObjectByName
+0x2f4
fffffa60`09dcda80 fffff800`01d3ea0c nt!IopCreateFile+0x290
fffffa60`09dcdb20 fffff800`01aaddf3 nt!NtCreateFile+0x78
fffffa60`09dcdbb0 00000000`77555fca nt!KiSystemServiceCopyEnd
00000000`043ae778 00000000`00000000 0x77555fca
THREAD fffffa800db23060 Cid 0770.151c Teb: 000000007ef92000
Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
fffffa6009cd54e0 NotificationEvent
00000000
Impersonation token: fffff8801051a860 (Level Impersonation)
DeviceMap fffff8801365cf20
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3906879 Ticks: 20886
(0:00:05:25.823)
Context Switch Count 501299 NoStackSwap
UserTime 00:00:38.641
KernelTime 00:00:20.904
Win32 Start Address 0x0000000021305540
Stack Init fffffa6009cd5db0 Current fffffa6009cd5100
Base fffffa6009cd6000 Limit fffffa6009cd0000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 4 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`09cd5140 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`09cd5280 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`09cd52f0 fffffa60`0129bf9d nt!KeWaitForSingleObject
+0x2da
fffffa60`09cd5380 fffffa60`012df5f2 Ntfs!
NtfsWaitForCreateEvent
+0x4d
fffffa60`09cd53c0 fffffa60`00d61342 Ntfs!NtfsFsdCreate+0x232
fffffa60`09cd5560 fffffa60`00d9795e fltmgr!FltpCreate+0x333
fffffa60`09cd5610 fffffa60`07806fee symsnap+0xe95e
fffffa60`09cd5670 fffff800`01d33d83 eamon+0x5fee
fffffa60`09cd5700 fffff800`01d2da59 nt!IopParseDevice+0x5e3
fffffa60`09cd58a0 fffff800`01d31944 nt!ObpLookupObjectName
+0x5eb
fffffa60`09cd59b0 fffff800`01d3dee0 nt!ObOpenObjectByName
+0x2f4
fffffa60`09cd5a80 fffff800`01d3ea0c nt!IopCreateFile+0x290
fffffa60`09cd5b20 fffff800`01aaddf3 nt!NtCreateFile+0x78
fffffa60`09cd5bb0 00000000`77555fca nt!KiSystemServiceCopyEnd
00000000`0477e778 00000000`00000000 0x77555fca
THREAD fffffa800db20bb0 Cid 0770.1524 Teb: 000000007ef8c000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800dac7c50 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 8166 Ticks: 3919599
(0:16:59:06.136)
Context Switch Count 13
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000021304e40
Stack Init fffffa6009e38db0 Current fffffa6009e38940
Base fffffa6009e39000 Limit fffffa6009e33000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Kernel stack not resident.
THREAD fffffa800ce8fab0 Cid 0770.491c Teb: 000000007ef6b000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800d251040 SynchronizationEvent
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3914716 Ticks: 13049
(0:00:03:23.565)
Context Switch Count 2912
UserTime 00:00:00.109
KernelTime 00:00:00.592
Win32 Start Address 0x0000000020303c24
Stack Init fffffa600b424db0 Current fffffa600b424940
Base fffffa600b425000 Limit fffffa600b41f000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0b424980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0b424ac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0b424b30 fffff800`01d27f08 nt!KeWaitForSingleObject
+0x2da
fffffa60`0b424bc0 fffff800`01aaddf3 nt!NtWaitForSingleObject
+0x98
fffffa60`0b424c20 00000000`75193d09 nt!KiSystemServiceCopyEnd
00000000`02aef118 00000000`00000000 0x75193d09
THREAD fffffa8011cc1060 Cid 0770.4f78 Teb: 000000007ef7d000
Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa800d2d54e0 QueueObject
fffffa8011cc1118 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3914716 Ticks: 13049
(0:00:03:23.565)
Context Switch Count 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00000000739959da
Stack Init fffffa600da2fdb0 Current fffffa600da2f7e0
Base fffffa600da30000 Limit fffffa600da2a000 Call 0
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0da2f820 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0da2f960 fffff800`01aba20e nt!KiSwapThread+0x2fa
fffffa60`0da2f9d0 fffff800`01d27c27 nt!KeRemoveQueueEx+0x4fe
fffffa60`0da2fa80 fffff800`01d1c3bd nt!IoRemoveIoCompletion
+0x47
fffffa60`0da2fb00 fffff800`01aaddf3 nt!NtRemoveIoCompletion
+0x13d
fffffa60`0da2fbb0 00000000`751939b2 nt!KiSystemServiceCopyEnd
00000000`01e5f0b8 00000000`00000000 0x751939b2
THREAD fffffa8011980bb0 Cid 0770.066c Teb: 000000007ef71000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa800dcab1f0 SynchronizationEvent
fffffa8011980c68 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3924386 Ticks: 3379
(0:00:00:52.712)
Context Switch Count 281
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x0000000000462880
Stack Init fffffa600b6eddb0 Current fffffa600b6ed940
Base fffffa600b6ee000 Limit fffffa600b6e8000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0b6ed980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0b6edac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0b6edb30 fffff800`01d27f08 nt!KeWaitForSingleObject
+0x2da
fffffa60`0b6edbc0 fffff800`01aaddf3 nt!NtWaitForSingleObject
+0x98
fffffa60`0b6edc20 00000000`75193d09 nt!KiSystemServiceCopyEnd
00000000`0296f118 00000000`00000000 0x75193d09
THREAD fffffa801317a1d0 Cid 0770.35dc Teb: 000000007ef6e000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa8011b705c0 SynchronizationEvent
fffffa801317a288 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3927636 Ticks: 129
(0:00:00:02.012)
Context Switch Count 4971
UserTime 00:00:00.015
KernelTime 00:00:00.031
Win32 Start Address 0x0000000000462880
Stack Init fffffa600df16db0 Current fffffa600df16940
Base fffffa600df17000 Limit fffffa600df11000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`0df16980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`0df16ac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`0df16b30 fffff800`01d27f08 nt!KeWaitForSingleObject
+0x2da
fffffa60`0df16bc0 fffff800`01aaddf3 nt!NtWaitForSingleObject
+0x98
fffffa60`0df16c20 00000000`75193d09 nt!KiSystemServiceCopyEnd
00000000`02aaf118 00000000`00000000 0x75193d09
THREAD fffffa800f2f1060 Cid 0770.3b9c Teb: 000000007ef68000
Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-
Alertable
fffffa800f2f13f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8800d3d1af0 : queued at
port fffffa800cc256e0 : owned by process fffffa800cc0bc10
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3906878 Ticks: 20887
(0:00:05:25.839)
Context Switch Count 657
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x0000000000462880
Stack Init fffffa6016ab8db0 Current fffffa6016ab86c0
Base fffffa6016ab9000 Limit fffffa6016ab3000 Call 0
Priority 7 BasePriority 6 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`16ab8700 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`16ab8840 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`16ab88b0 fffff800`01ae5cab nt!KeWaitForSingleObject
+0x2da
fffffa60`16ab8940 fffff800`01d37024 nt!AlpcpSignalAndWait+0x7b
fffffa60`16ab8980 fffff800`01d3c2c6 nt!
AlpcpReceiveSynchronousReply+0x44
fffffa60`16ab89e0 fffff800`01d3133f nt!
AlpcpProcessSynchronousRequest+0x24f
fffffa60`16ab8b00 fffff800`01aaddf3 nt!
NtAlpcSendWaitReceivePort+0x19f
fffffa60`16ab8bb0 00000000`775562ca nt!KiSystemServiceCopyEnd
00000000`02d2e7f8 00000000`00000000 0x775562ca
THREAD fffffa80117b02f0 Cid 0770.24c4 Teb: 000000007efad000
Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa800d2c0530 QueueObject
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3922852 Ticks: 4913
(0:00:01:16.643)
Context Switch Count 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00000000759b1c50
Stack Init fffffa6016bf6db0 Current fffffa6016bf67e0
Base fffffa6016bf7000 Limit fffffa6016bf1000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`16bf6820 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`16bf6960 fffff800`01aba20e nt!KiSwapThread+0x2fa
fffffa60`16bf69d0 fffff800`01d27c27 nt!KeRemoveQueueEx+0x4fe
fffffa60`16bf6a80 fffff800`01d1c3bd nt!IoRemoveIoCompletion
+0x47
fffffa60`16bf6b00 fffff800`01aaddf3 nt!NtRemoveIoCompletion
+0x13d
fffffa60`16bf6bb0 00000000`751939b2 nt!KiSystemServiceCopyEnd
00000000`0062f0b8 00000000`00000000 0x751939b2
THREAD fffffa8010ef3190 Cid 0770.2924 Teb: 000000007ef9e000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
fffffa80122ae8a0 SynchronizationEvent
fffffa8010ef3248 NotificationTimer
Not impersonating
DeviceMap fffff880000061f0
Owning Process 0 Image: <Unknown>
Attached Process fffffa800d1e8c10
Image: ekrn.exe
Wait Start TickCount 3927763 Ticks: 2
(0:00:00:00.031)
Context Switch Count 1935
UserTime 00:00:00.031
KernelTime 00:00:00.000
Win32 Start Address 0x0000000000462880
Stack Init fffffa6008c5bdb0 Current fffffa6008c5b940
Base fffffa6008c5c000 Limit fffffa6008c56000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
fffffa60`08c5b980 fffff800`01ab3f8a nt!KiSwapContext+0x7f
fffffa60`08c5bac0 fffff800`01ab576a nt!KiSwapThread+0x2fa
fffffa60`08c5bb30 fffff800`01d27f08 nt!KeWaitForSingleObject
+0x2da
fffffa60`08c5bbc0 fffff800`01aaddf3 nt!NtWaitForSingleObject
+0x98
fffffa60`08c5bc20 00000000`75193d09 nt!KiSystemServiceCopyEnd
00000000`0135f118 00000000`00000000 0x75193d09
s***@gmail.com
2009-04-27 23:44:33 UTC
Permalink
Post by Satya
Am I on the right track or is this normal behaviour?
What you see may be part of anti-virus software architecture. If
uninstalling anti-virus is an option, try that out and see if the lockups go
away.
Satya
http://www.winprogger.com
Thanks for the reply. We have since uninstalled the AV solution and
the server hasn't locked up in 3 days. I was hoping someone would be
able to look at the dump information and confirm my suspicion that
nothing should be waiting for over 40 minutes for a resource (Wait
Start TickCount 3762997 Ticks: 164768 (0:00:42:50.397)).
Satya
2009-04-28 21:55:56 UTC
Permalink
We have since uninstalled the AV solution and the server hasn't locked up
in 3 days.
I would recommend you contact the av software vendor at this point.
nothing should be waiting for over 40 minutes for a resource (Wait
Start TickCount 3762997 Ticks: 164768 (0:00:42:50.397)).
The vendor would need to confirm whether that is normal/expected. A wait for
a catastrophic event may never be satisfied on a machine that is running
fine. A long wait does not necessarily mean a bug. But you can point them to
it and see what they come up with.

Satya
http://www.winprogger.com
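
An added example, not part of any post in this thread: a Python script that triages `!thread` / `!process` text like the dump above, even in its line-wrapped form, reporting each thread's wait time, the process it awaits an ALPC reply from, and the stack modules shown without symbols. The function names and the `in_request` heuristic are assumptions of this example; `SAMPLE` is a trimmed excerpt of the posted output.

```python
import re

# Trimmed excerpt of the !thread / !process output posted in this thread,
# left in its line-wrapped form; most frames are omitted for brevity.
SAMPLE = r"""
THREAD fffffa800f19db50 Cid 0004.4f68 Teb: 0000000000000000
Win32Thread: 0000000000000000 WAIT: (WrLpcReply) KernelMode Non-
Alertable
Waiting for reply to ALPC Message fffff88015bfa130 : queued at port
fffffa800db078e0 : owned by process fffffa800d1e8c10
Wait Start TickCount 3907564 Ticks: 20201 (0:00:05:15.137)
Child-SP RetAddr : Args to
Child : Call
Site
fffffa60`156fd000 fffffa60`0780608d : 00000000`00000000
fffffa60`0786e3a0 00000000`00000010 00000000`00000082 : nt!
LpcRequestWaitReplyPort+0x19
fffffa60`156fd040 fffffa60`07808df9 : fffffa80`1231e1c0
fffffa60`156fd268 fffffa80`0cd3b7b0 00000000`00000004 : eamon+0x508d
fffffa60`156fd7a0 fffffa60`08b8d0d4 : ffffffff`fd9da600
fffffa60`156fdac0 fffffa80`00020089 fffffa60`156fda68 : srv!
SrvIoCreateFile+0x461
THREAD fffffa800d27c740 Cid 0770.02f0 Teb: 000000007efa7000
Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-
Alertable
Wait Start TickCount 8166 Ticks: 3919599
(0:16:59:06.136)
Kernel stack not resident.
THREAD fffffa800db4ebb0 Cid 0770.1518 Teb: 000000007ef95000
Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
Wait Start TickCount 3906871 Ticks: 20894
(0:00:05:25.948)
Child-SP RetAddr Call Site
fffffa60`09dcd2f0 fffffa60`0129bf9d nt!KeWaitForSingleObject
+0x2da
fffffa60`09dcd380 fffffa60`012df5f2 Ntfs!
NtfsWaitForCreateEvent
+0x4d
fffffa60`09dcd560 fffffa60`00d9795e fltmgr!FltpCreate+0x333
fffffa60`09dcd610 fffffa60`07806fee symsnap+0xe95e
fffffa60`09dcd670 fffff800`01d33d83 eamon+0x5fee
fffffa60`09dcdb20 fffff800`01aaddf3 nt!NtCreateFile+0x78
"""

WAIT = re.compile(r"WAIT: \((\w+)\) (\w+)")
TICKS = re.compile(r"Ticks: \d+ \((\d+):(\d+):(\d+):(\d+)\.(\d{3})\)")
ALPC = re.compile(r"Waiting for reply to ALPC Message \w+ : queued at port "
                  r"\w+ : owned by process (\w+)")
# module!function+0xNN (symbolized) or module+0xNN (no symbols loaded)
FRAME = re.compile(r"(?<![\w`!])([A-Za-z_]\w*)(?:!(\w+))?\+0x[0-9a-f]+")

def _flatten(block):
    """Undo mail line-wrapping so 'nt!', 'Foo', '+0x1' rejoin as nt!Foo+0x1."""
    flat = " ".join(block.split())
    flat = re.sub(r"!\s+", "!", flat)
    return re.sub(r"\s+\+0x", "+0x", flat)

def parse_threads(text):
    """Return one dict per THREAD block found in the debugger output."""
    threads = []
    for block in re.split(r"(?=THREAD [0-9a-f]{16})", text):
        if not block.startswith("THREAD "):
            continue
        header, _, stack = _flatten(block).partition("Call Site")
        wait, ticks = WAIT.search(header), TICKS.search(header)
        alpc = ALPC.search(header)
        wait_ms = None
        if ticks:  # elapsed wait is printed as days:hours:minutes:seconds.ms
            d, h, m, s, ms = map(int, ticks.groups())
            wait_ms = (((d * 24 + h) * 60 + m) * 60 + s) * 1000 + ms
        frames = FRAME.findall(stack)  # [(module, function or "")]
        threads.append({
            "thread": block.split()[1],
            "reason": wait.group(1) if wait else None,
            "mode": wait.group(2) if wait else None,
            "wait_ms": wait_ms,
            "alpc_server": alpc.group(1) if alpc else None,
            "frames": frames,
            "no_symbols": list(dict.fromkeys(m for m, f in frames if not f)),
            # Heuristic (assumption): a thread is mid-request if it awaits an
            # ALPC reply or has any frame from a module other than nt.
            "in_request": bool(alpc) or any(m != "nt" for m, _ in frames),
        })
    return threads

def suspects(threads):
    """Threads blocked mid-request, longest wait first."""
    hits = [t for t in threads if t["in_request"] and t["wait_ms"] is not None]
    return sorted(hits, key=lambda t: t["wait_ms"], reverse=True)

if __name__ == "__main__":
    for t in suspects(parse_threads(SAMPLE)):
        print(t["thread"], t["reason"], t["wait_ms"] / 1000, "s",
              "-> process", t["alpc_server"], "no symbols:", t["no_symbols"])
```

The thread that has waited almost 17 hours with a non-resident stack is excluded from `suspects`, while the two shorter waits that sit inside a file-create request are ranked first.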
