Examining IRPs to determine the owning process (Windows)

This comes up often in Windows debugging forums. Here's how to use the SysInternals LiveKd tool to figure out which process is responsible for a given IRP. LiveKd isn't a debugger itself: it runs the Microsoft kernel debugger (kd or WinDbg, from the Debugging Tools for Windows package) against a snapshot of the live system, so you get kernel-debugger commands without a debug boot or a second machine. It needs an elevated prompt, and everything after the first step is ordinary kd syntax, so the same walk-through works on a crash dump or over a real kernel debug connection.

First fire up LiveKd:
C:\> livekd

Then use !irpfind to locate the IRP you want to know about. It scans nonpaged pool for Irp-tagged allocations, so it can take a while on a large system; if you already know the thread or device object involved, narrow the search with a criterion such as !irpfind 0 0 thread <address> or !irpfind 0 0 device <address>:

0: kd> !irpfind

Scanning large pool allocation table for Tag: Irp? (fffffa800c600000 : fffffa800cc00000)

Irp [ Thread ] irpStack: (Mj,Mn) DevObj [Driver] MDL Process
fffffa8008d226a0 [fffffa8005000310] irpStack: ( c, 2) fffffa8006be3030 [ \FileSystem\Ntfs]
fffffa8008051ae0 [fffffa8008236a90] irpStack: ( d, 0) fffffa800718dc00 [ \FileSystem\Npfs]
fffffa8007896880 [00000000] Irp is complete (CurrentLocation 3 > StackCount 2)
fffffa800a291c10 [fffffa8008ca1b50] irpStack: ( c, 2) fffffa8006be9030 [ \FileSystem\Ntfs]
fffffa800a2d8300 [fffffa800a425b50] irpStack: ( c, 2) fffffa8006be3030 [ \FileSystem\Ntfs]
fffffa800a2d8800 [fffffa800a425b50] irpStack: ( c, 2) fffffa8006be3030 [ \FileSystem\Ntfs]
fffffa800a2d8c10 [fffffa800bb37060] irpStack: ( c, 2) fffffa8006be3030 [ \FileSystem\Ntfs]
fffffa8006be4e10 [00000000] irpStack: (16, 0) fffffa8004ebe7f0 [ \Driver\ACPI]
fffffa80078f3680 [00000000] Irp is complete (CurrentLocation 4 > StackCount 3)
fffffa8007bb1d90 [fffffa8007beb1f0] irpStack: ( d, 0) fffffa800718dc00 [ \FileSystem\Npfs]
...
fffffa800ed49010 [fffffa80089daa50] Irp is complete (CurrentLocation 16 > StackCount 15) 0x0000000000000000
fffffa800ee07c10 [fffffa800a425b50] irpStack: ( c, 2) fffffa8006be9030 [ \FileSystem\Ntfs]
fffffa800ee17010 [00000000] Irp is complete (CurrentLocation 3 > StackCount 2) 0x0000000000000000
fffffa800ee28c00 [00000000] Irp is complete (CurrentLocation 3 > StackCount 2) 0x0000000000000000

Entries with [00000000] in the thread column have no issuing thread recorded (the ACPI power IRP above is driver-originated) and can't be attributed to a process this way, and entries marked "Irp is complete" have already finished, so their stack locations no longer describe an in-flight request. The IRP we want to know more about is fffffa800ee07c10, issued by thread fffffa800a425b50 to the Ntfs device fffffa8006be9030, so use !irp to examine it:

0: kd> !irp fffffa800ee07c10
Irp is active with 3 stacks 2 is current (= 0xfffffa800ee07f68)
No Mdl: No System Buffer: Thread fffffa800a425b50: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
>[ c, 2] 1 1 fffffa8006be9030 fffffa80053067b0 00000000-00000000 pending
\FileSystem\Ntfs
Args: 00000020 00000003 00000000 00000000
[ c, 2] 1 0 fffffa8007d031c0 fffffa80053067b0 00000000-00000000
\FileSystem\INO_FLTR
Args: 00000020 00000003 00000000 00000000
0: kd>

The debugger marks the current stack location with a > in the first column. The major function number is c, which is IRP_MJ_DIRECTORY_CONTROL, and minor function 2 under that major is IRP_MN_NOTIFY_CHANGE_DIRECTORY: a directory-change notification request, which by design stays pending in the file system until something in the watched directory changes. Stack locations are consumed from the bottom of this listing upward, so the request entered at the INO_FLTR file-system filter (location 3) and was passed down to Ntfs (location 2), where it is now pending. Now use !devobj to examine the device object that the current stack location points at:

0: kd> !devobj fffffa8006be9030
Device object (fffffa8006be9030) is for:
\FileSystem\Ntfs DriverObject fffffa80068c1c20
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00040000
DevExt fffffa8006be9180 DevObjExt fffffa8006beaad0
ExtensionFlags (0x00000800)
Unknown flags 0x00000800
AttachedDevice (Upper) fffffa8007256590 \FileSystem\FltMgr
Device queue is not busy.

This confirms that the device object belongs to the NTFS file system driver, with FltMgr attached above it as a filter. Now run !thread on the thread address that !irp reported (it is the same address that appeared in the [ Thread ] column of !irpfind):

0: kd> !thread fffffa800a425b50
THREAD fffffa800a425b50 Cid 1940.1448 Teb: 00000000fff34000 Win32Thread: fffff900c226dc20 WAIT: (UserRequest) UserMode Alertable
fffffa8005306848 NotificationEvent
fffffa8006bcedb8 NotificationEvent
fffffa8008b8f738 NotificationEvent
fffffa8008b60948 NotificationEvent
fffffa80082e5bc8 NotificationEvent
fffffa8007960988 NotificationEvent
fffffa800887d988 NotificationEvent
...
IRP List:
fffffa800deeb160: (0006,03e8) Flags: 00060000 Mdl: 00000000
fffffa800ee07c10: (0006,03e8) Flags: 00060000 Mdl: 00000000
fffffa800ba64810: (0006,03e8) Flags: 00060000 Mdl: 00000000
fffffa800ba64c10: (0006,03e8) Flags: 00060000 Mdl: 00000000
fffffa800a2ab4f0: (0006,03e8) Flags: 00060000 Mdl: 00000000
...
Not impersonating
DeviceMap fffff8a002eaec40
Owning Process fffffa80075acb30 Image: devenv.exe
Attached Process N/A Image: N/A
Wait Start TickCount 149721348 Ticks: 831268 (0:03:36:07.863)
Context Switch Count 1885 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:00.140
Win32 Start Address 0x000000006fc8bb88
Stack Init fffff8800bd94db0 Current fffff8800bd93fc0
Base fffff8800bd95000 Limit fffff8800bd8f000 Call 0
Priority 10 BasePriority 7 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880`0bd94000 fffff800`0286d652 : 00000000`00000000 fffffa80`0a425b50 00000000`00000000 00000000`00000000 : nt!KiSwapContext+0x7a
fffff880`0bd94140 fffff800`0287a1ea : fffff880`0bd90000 fffff880`0144f020 000000a8`00000000 00000000`1f7cc2d2 : nt!KiCommitThreadWait+0x1d2
fffff880`0bd941d0 fffff800`02b719bf : 00000000`00000040 fffff880`0bd94520 fffff880`00000001 fffff880`00000006 : nt!KeWaitForMultipleObjects+0x272
fffff880`0bd94490 fffff800`02b9ddfd : fffffa80`0c0a0601 fffff880`01202bcf fffffa80`00000001 fffffa80`0deeb101 : nt!ObpWaitForMultipleObjects+0x294
fffff880`0bd94960 fffff800`02876ed3 : 00000000`74732450 00000000`07edf150 00000000`07edfd20 00000000`fff34000 : nt!NtWaitForMultipleObjects32+0xec
fffff880`0bd94bb0 00000000`74732e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0bd94c20)
00000000`07edf0d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x74732e09

0: kd>

which gives us the owning process (fffffa80075acb30) and its image name, devenv.exe; the Cid field holds the process and thread IDs in hex (1940.1448), and the IRP List confirms that the IRP we started from, fffffa800ee07c10, is among this thread's outstanding requests. The kernel stack is dumped as well. Note that it is the issuing thread's stack, not the driver's: for a pending IRP the driver returned STATUS_PENDING long ago, and what we see here is the thread parked in NtWaitForMultipleObjects32, waiting in user mode for the change notifications it requested, which is exactly what an outstanding IRP_MN_NOTIFY_CHANGE_DIRECTORY request looks like from the caller's side at the time we took this snapshot.
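Once you have done the walk-through above by hand a few times, the joins are worth scripting, especially when !irpfind returns hundreds of entries. The following is an added example (my own code, not part of the original post and not part of LiveKd or the debugger) that parses saved !irpfind and !thread output, decodes the (Mj,Mn) numbers using the IRP_MJ_ values from ntddk.h, and maps each in-flight IRP to the owning process of its issuing thread. The embedded sample listings are constructed from the output shown above plus one invented svchost.exe thread; in real use you would capture the debugger session with .logopen and feed that file in.

```python
import re

# IRP major function codes from ntddk.h, used to decode the (Mj,Mn) column of !irpfind.
IRP_MJ = {
    0x00: "IRP_MJ_CREATE", 0x01: "IRP_MJ_CREATE_NAMED_PIPE", 0x02: "IRP_MJ_CLOSE",
    0x03: "IRP_MJ_READ", 0x04: "IRP_MJ_WRITE", 0x05: "IRP_MJ_QUERY_INFORMATION",
    0x06: "IRP_MJ_SET_INFORMATION", 0x07: "IRP_MJ_QUERY_EA", 0x08: "IRP_MJ_SET_EA",
    0x09: "IRP_MJ_FLUSH_BUFFERS", 0x0a: "IRP_MJ_QUERY_VOLUME_INFORMATION",
    0x0b: "IRP_MJ_SET_VOLUME_INFORMATION", 0x0c: "IRP_MJ_DIRECTORY_CONTROL",
    0x0d: "IRP_MJ_FILE_SYSTEM_CONTROL", 0x0e: "IRP_MJ_DEVICE_CONTROL",
    0x0f: "IRP_MJ_INTERNAL_DEVICE_CONTROL", 0x10: "IRP_MJ_SHUTDOWN", 0x11: "IRP_MJ_LOCK_CONTROL",
    0x12: "IRP_MJ_CLEANUP", 0x13: "IRP_MJ_CREATE_MAILSLOT", 0x14: "IRP_MJ_QUERY_SECURITY",
    0x15: "IRP_MJ_SET_SECURITY", 0x16: "IRP_MJ_POWER", 0x17: "IRP_MJ_SYSTEM_CONTROL",
    0x18: "IRP_MJ_DEVICE_CHANGE", 0x19: "IRP_MJ_QUERY_QUOTA", 0x1a: "IRP_MJ_SET_QUOTA",
    0x1b: "IRP_MJ_PNP",
}
# Minor codes are major-specific; only the directory-control ones matter for this walk-through.
DIR_CONTROL_MN = {0x01: "IRP_MN_QUERY_DIRECTORY", 0x02: "IRP_MN_NOTIFY_CHANGE_DIRECTORY"}

HEX = r"[0-9a-fA-F]+"
# "<irp> [<thread>] irpStack: ( c, 2) <devobj> [ \FileSystem\Ntfs]"
ACTIVE_RE = re.compile(
    rf"^(?P<irp>{HEX})\s+\[(?P<thread>{HEX})\]\s+irpStack:\s*\(\s*(?P<mj>{HEX}),\s*(?P<mn>{HEX})\)"
    rf"\s+(?P<devobj>{HEX})\s+\[\s*(?P<driver>\S+)\s*\]")
# "<irp> [<thread>] Irp is complete (CurrentLocation 3 > StackCount 2)"
COMPLETE_RE = re.compile(rf"^(?P<irp>{HEX})\s+\[(?P<thread>{HEX})\]\s+Irp is complete")
# First line of !thread and its "Owning Process ... Image: ..." line.
CID_RE = re.compile(rf"^THREAD\s+(?P<thread>{HEX})\s+Cid\s+(?P<pid>{HEX})\.(?P<tid>{HEX})", re.M)
OWNER_RE = re.compile(rf"^Owning Process\s+(?P<proc>{HEX})\s+Image:\s+(?P<image>\S+)", re.M)


def parse_irpfind(text):
    """One dict per IRP line of !irpfind output; completed IRPs are kept but flagged."""
    irps = []
    for line in text.splitlines():
        m = ACTIVE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            mj, mn = int(d["mj"], 16), int(d["mn"], 16)
            d.update(mj=mj, mn=mn, complete=False, mj_name=IRP_MJ.get(mj, "IRP_MJ_<unknown>"),
                     mn_name=DIR_CONTROL_MN.get(mn) if mj == 0x0c else None)
            irps.append(d)
        elif (m := COMPLETE_RE.match(line.strip())):
            irps.append(dict(m.groupdict(), complete=True))
    return irps


def parse_thread(text):
    """Thread address, Cid and owning process from !thread output (None if not a thread dump)."""
    cid, owner = CID_RE.search(text), OWNER_RE.search(text)
    if not cid:
        return None
    return {"thread": cid["thread"].lower(), "pid": int(cid["pid"], 16), "tid": int(cid["tid"], 16),
            "process": owner["proc"].lower() if owner else None,
            "image": owner["image"] if owner else None}


def attribute_irps(irpfind_text, thread_dumps):
    """Join every IRP from !irpfind to its issuing process through the thread address.

    thread_dumps: {thread address as printed by !irpfind: output of `!thread <address>`}.
    A thread of 00000000 means no issuing thread was recorded (driver-originated IRPs such
    as the ACPI power IRP), so those cannot be attributed to a process this way."""
    threads = {}
    for dump in thread_dumps.values():
        info = parse_thread(dump)
        if info:
            threads[info["thread"]] = info
    result = []
    for irp in parse_irpfind(irpfind_text):
        info = threads.get(irp["thread"].lower()) if int(irp["thread"], 16) else None
        result.append({**irp, "pid": info["pid"] if info else None,
                       "image": info["image"] if info else None})
    return result


def threads_to_dump(irpfind_text):
    """The `!thread` commands to run next: each distinct issuing thread of an in-flight IRP."""
    seen = []
    for irp in parse_irpfind(irpfind_text):
        t = irp["thread"].lower()
        if not irp["complete"] and int(t, 16) and t not in seen:
            seen.append(t)
    return [f"!thread {t}" for t in seen]


# Constructed sample input modelled on the listings above (not a real capture).
IRPFIND_SAMPLE = r"""
fffffa8008d226a0 [fffffa8005000310] irpStack: ( c, 2) fffffa8006be3030 [ \FileSystem\Ntfs]
fffffa8008051ae0 [fffffa8008236a90] irpStack: ( d, 0) fffffa800718dc00 [ \FileSystem\Npfs]
fffffa8007896880 [00000000] Irp is complete (CurrentLocation 3 > StackCount 2)
fffffa8006be4e10 [00000000] irpStack: (16, 0) fffffa8004ebe7f0 [ \Driver\ACPI]
fffffa800ee07c10 [fffffa800a425b50] irpStack: ( c, 2) fffffa8006be9030 [ \FileSystem\Ntfs]
"""
# Constructed !thread excerpts: the first mirrors the page, the second (svchost.exe) is invented.
THREAD_SAMPLES = {
    "fffffa800a425b50": "THREAD fffffa800a425b50 Cid 1940.1448 Teb: 00000000fff34000 "
                        "Win32Thread: fffff900c226dc20 WAIT: (UserRequest) UserMode Alertable\n"
                        "Owning Process fffffa80075acb30 Image: devenv.exe\n",
    "fffffa8008236a90": "THREAD fffffa8008236a90 Cid 2d8.4f0 Teb: 000007fffffdd000 "
                        "Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable\n"
                        "Owning Process fffffa8006d5f940 Image: svchost.exe\n",
}

if __name__ == "__main__":
    print("\n".join(threads_to_dump(IRPFIND_SAMPLE)))
    for r in attribute_irps(IRPFIND_SAMPLE, THREAD_SAMPLES):
        what = "completed" if r["complete"] else f'{r["mj_name"]}/{r["mn"]} -> {r["driver"]}'
        print(f'{r["irp"]}  {what:55}  {r["image"] or "(not attributed)"}')
```

The thread address is the only link between an IRP and a process that survives in the pool listing, which is why the script (like the manual procedure) goes through !thread rather than guessing from the device object: the same Ntfs device is shared by every process touching that volume. IRPs whose thread column is 00000000, and entries already marked complete, come out as "(not attributed)" rather than being assigned to whichever process happens to reuse the memory.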


Content Copyright Jeff Loughlin - Downingtown, PA. All rights reserved.
Last update: April 17, 2013