
Thursday, 18 September 2014

WinDbg : An Introduction To Windows Heaps



  1. dt
  2. dd
  3. !process
  4. .process


Heaps are used by applications which need to allocate and release memory dynamically. Even though the heap is the most common facility to accommodate dynamic memory allocations, it is not the only way. Several other methods are available:

  • Memory can be requested through the C run time (CRT).
  • Memory can be requested from the virtual memory manager or some other private memory manager.
Even though these methods are different, they are tightly coupled internally at the memory manager's level.

When a process starts, the heap manager automatically creates a new heap called the 'default process heap'. Although some processes are known to use the default heap, a very large number rely on the CRT heap (using the malloc/free family of APIs, or the default new/delete family of APIs).

Some processes, however, also create additional heaps (via HeapCreate(...)). This method has the advantage of isolating different components running in the process. Memory leaks are thus easier to detect and debug, because we know exactly which heap is leaking. It is indeed good programming practice. Kernel programmers are used to allocating memory for different objects with different tags; the method described above is the user-mode solution to the same problem.

The Windows heap manager has two sub components. 

  • Front End Allocator.
  • Back End Allocator.
The Front End Allocator is an optimization layer for the actual Back End Allocator. Thus, by choosing different front end allocators, applications with different memory requirements can function appropriately. For example, some programs might expect small bursts of allocations, and thus might prefer to use a low fragmentation front end allocator.

Windows supplies two different front end allocators:

  • Low fragmentation (LF) Front End Allocator.
  • Look aside List (LAL) Front End Allocator.
Vista and above use the LF allocator by default, whereas all older generations use the LAL allocator. The differences between these allocators are beyond the scope of the current discussion.

If the Front End Allocator is unable to satisfy the allocation requests, then the Back End Allocator takes over. It is made up of free lists. Each list has blocks of specific sizes. Such free blocks are sorted in ascending order of sizes. Again, a more elaborate discussion of how this is managed, or of its algorithms, is beyond the scope of this article.

Enough theory, let's get into some practicals.

The first step is to determine which heaps are active for a process.


kd> $ Let's use the lsass process as an example.
kd> $ First we need to find its EPROCESS

kd> !process 0 0 lsass.exe
PROCESS 84cdc860  SessionId: 0  Cid: 0208    Peb: 7ffda000  ParentCid: 018c
    DirBase: 1eed30e0  ObjectTable: 95f00d18  HandleCount: 513.
    Image: lsass.exe

kd> $ Next we need to switch contexts to this process (this is because this session is running from Kernel mode)

kd> .process /p /r 84cdc860  
Implicit process is now 84cdc860
Loading User Symbols
............................................................

kd> $ The Process execution block (_PEB) helps us with finding the active heaps, so let's use dt to find it

kd> dt _PEB @$peb
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 BitField         : 0x8 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsLegacyProcess  : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y1
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 SpareBits        : 0y000
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x00d90000 Void
   +0x00c Ldr              : 0x77c77880 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00330f18 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x00330000 Void
   +0x01c FastPebLock      : 0x77c77380 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : (null) 
   +0x024 IFEOKey          : (null) 
   +0x028 CrossProcessFlags : 0
   +0x028 ProcessInJob     : 0y0
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH  : 0y0
   +0x028 ProcessUsingVCH  : 0y0
   +0x028 ProcessUsingFTH  : 0y0
   +0x028 ReservedBits0    : 0y000000000000000000000000000 (0)
   +0x02c KernelCallbackTable : 0x7790d568 Void
   +0x02c UserSharedInfoPtr : 0x7790d568 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 ApiSetMap        : 0x77de0000 Void
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x77c77260 Void
   +0x044 TlsBitmapBits    : [2] 0x1fffff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
   +0x050 HotpatchInformation : (null) 
   +0x054 ReadOnlyStaticServerData : 0x7f6f0590  -> (null) 
   +0x058 AnsiCodePageData : 0x7ffb0000 Void
   +0x05c OemCodePageData  : 0x7ffc0224 Void
   +0x060 UnicodeCaseTableData : 0x7ffd0648 Void
   +0x064 NumberOfProcessors : 1
   +0x068 NtGlobalFlag     : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 4
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x77c77500  -> 0x00330000 Void
   +0x094 GdiSharedHandleTable : 0x004d0000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x77c77340 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion   : 6
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0x1db1
   +0x0ae OSCSDVersion     : 0x100
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 2
   +0x0b8 ImageSubsystemMajorVersion : 6
   +0x0bc ImageSubsystemMinorVersion : 1
   +0x0c0 ActiveProcessAffinityMask : 1
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x77c77268 Void
   +0x154 TlsExpansionBitmapBits : [32] 1
   +0x1d4 SessionId        : 0
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData        : (null) 
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : _UNICODE_STRING "Service Pack 1"
   +0x1f8 ActivationContextData : 0x00040000 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : (null) 
   +0x200 SystemDefaultActivationContextData : 0x00030000 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : (null) 
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback      : 0x0033daa0 _FLS_CALLBACK_INFO
   +0x210 FlsListHead      : _LIST_ENTRY [ 0x347828 - 0x3cb680 ]
   +0x218 FlsBitmap        : 0x77c77270 Void
   +0x21c FlsBitmapBits    : [4] 7
   +0x22c FlsHighIndex     : 2
   +0x230 WerRegistrationData : (null) 
   +0x234 WerShipAssertPtr : (null) 
   +0x238 pContextData     : 0x00050000 Void
   +0x23c pImageHeaderHash : (null) 
   +0x240 TracingFlags     : 0
   +0x240 HeapTracingEnabled : 0y0
   +0x240 CritSecTracingEnabled : 0y0
   +0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)

kd> $ Now let's use dd to see what this address contains


kd> dd 0x77c77500  
77c77500  00330000 00010000 00250000 00d10000
77c77510  00000000 00000000 00000000 00000000
77c77520  00000000 00000000 00000000 00000000
77c77530  00000000 00000000 00000000 00000000
77c77540  00000000 77c77340 77c7ab08 77c77220
77c77550  00000000 00000004 00000000 00000000
77c77560  77c77220 003e3198 00000000 00000000
77c77570  00000000 00000000 00000000 00000000

The Default Process heap pointer is always the first one in this list. Since most applications work with the default heap, we will focus our attention on that.

The _HEAP structure in Windows is used to maintain a heap. So let's typecast this address to it.

kd> dt _HEAP 0x00330000
ntdll!_HEAP
   +0x000 Entry            : _HEAP_ENTRY
   +0x008 SegmentSignature : 0xffeeffee
   +0x00c SegmentFlags     : 0
   +0x010 SegmentListEntry : _LIST_ENTRY [ 0x3300a8 - 0x3300a8 ]
   +0x018 Heap             : 0x00330000 _HEAP
   +0x01c BaseAddress      : 0x00330000 Void
   +0x020 NumberOfPages    : 0x100
   +0x024 FirstEntry       : 0x00330588 _HEAP_ENTRY
   +0x028 LastValidEntry   : 0x00430000 _HEAP_ENTRY
   +0x02c NumberOfUnCommittedPages : 0x47
   +0x030 NumberOfUnCommittedRanges : 1
   +0x034 SegmentAllocatorBackTraceIndex : 0
   +0x036 Reserved         : 0
   +0x038 UCRSegmentList   : _LIST_ENTRY [ 0x3e8ff0 - 0x3e8ff0 ]
   +0x040 Flags            : 2
   +0x044 ForceFlags       : 0
   +0x048 CompatibilityFlags : 0
   +0x04c EncodeFlagMask   : 0x100000
   +0x050 Encoding         : _HEAP_ENTRY
   +0x058 PointerKey       : 0x37d910ba
   +0x05c Interceptor      : 0
   +0x060 VirtualMemoryThreshold : 0xfe00
   +0x064 Signature        : 0xeeffeeff
   +0x068 SegmentReserve   : 0x100000
   +0x06c SegmentCommit    : 0x2000
   +0x070 DeCommitFreeBlockThreshold : 0x800
   +0x074 DeCommitTotalFreeThreshold : 0x2000
   +0x078 TotalFreeSize    : 0xac0
   +0x07c MaximumAllocationSize : 0x7ffdefff
   +0x080 ProcessHeapsListIndex : 1
   +0x082 HeaderValidateLength : 0x138
   +0x084 HeaderValidateCopy : (null) 
   +0x088 NextAvailableTagIndex : 0
   +0x08a MaximumTagIndex  : 0
   +0x08c TagEntries       : (null) 
   +0x090 UCRList          : _LIST_ENTRY [ 0x3e8fe8 - 0x3e8fe8 ]
   +0x098 AlignRound       : 0xf
   +0x09c AlignMask        : 0xfffffff8
   +0x0a0 VirtualAllocdBlocks : _LIST_ENTRY [ 0x3300a0 - 0x3300a0 ]
   +0x0a8 SegmentList      : _LIST_ENTRY [ 0x330010 - 0x330010 ]
   +0x0b0 AllocatorBackTraceIndex : 0
   +0x0b4 NonDedicatedListLength : 0
   +0x0b8 BlocksIndex      : 0x00330150 Void
   +0x0bc UCRIndex         : 0x00330590 Void
   +0x0c0 PseudoTagEntries : (null) 
   +0x0c4 FreeLists        : _LIST_ENTRY [ 0x3db6a8 - 0x3de378 ]
   +0x0cc LockVariable     : 0x00330138 _HEAP_LOCK
   +0x0d0 CommitRoutine    : 0x37d910ba     long  +37d910ba
   +0x0d4 FrontEndHeap     : 0x00336548 Void
   +0x0d8 FrontHeapLockCount : 0
   +0x0da FrontEndHeapType : 0x2 ''
   +0x0dc Counters         : _HEAP_COUNTERS
   +0x130 TuningParameters : _HEAP_TUNING_PARAMETERS

Note: The _HEAP structure might be different for different versions of Windows.

A point to note here is that inside the _PEB there are two fields:

kd> dt _PEB ProcessH*
ntdll!_PEB
   +0x018 ProcessHeap : Ptr32 Void
   +0x090 ProcessHeaps : Ptr32 Ptr32 Void

ProcessHeaps is an array of pointers to the various heaps of the process. ProcessHeap, on the other hand, always stores the address of the default heap of the process.

To browse all heaps in this process, we can use the WinDbg .for command, which is described here.

kd> .for (r $t0 = 0; @$t0 < 0x4; r $t0 = @$t0 + 1){dt _HEAP poi(0x77c77500 + ((@$t0)*4)) -y SegmentSignature}
ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee
ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee
ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee
ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee
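
The same walk performed offline against a memory image, as an added example (not code from the original post): it reads NumberOfHeaps and ProcessHeaps from the _PEB, follows each pointer and checks both _HEAP signatures, which is how a damaged heap header shows up during triage. The Image class, the function names and the sample image are constructed for illustration; the offsets are the ones in the dt output above and apply only to that build, and the 1-based ProcessHeapsListIndex check is an assumption drawn from that output.

```python
import struct

# Offsets copied from the dt _PEB / dt _HEAP output above (x86 Windows 6.1).
# They are per-build constants: other versions and x64 lay these out differently.
PEB_PROCESS_HEAP, PEB_NUMBER_OF_HEAPS = 0x018, 0x088
PEB_MAXIMUM_HEAPS, PEB_PROCESS_HEAPS = 0x08C, 0x090
HEAP_SEGMENT_SIGNATURE, HEAP_SIGNATURE = 0x008, 0x064
HEAP_LIST_INDEX = 0x080            # ProcessHeapsListIndex, Uint2B
SEGMENT_MAGIC, HEAP_MAGIC = 0xFFEEFFEE, 0xEEFFEEFF


class Image:
    """Sparse view of a 32-bit address space: {base address: bytes}."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return bytes(data[addr - base:addr - base + size])
        raise LookupError("unmapped address 0x%08x" % addr)

    def u16(self, addr):
        return struct.unpack("<H", self.read(addr, 2))[0]

    def u32(self, addr):
        # Little endian: the bytes 4d 5a 90 00 (db) are the dword 00905a4d (dd).
        return struct.unpack("<I", self.read(addr, 4))[0]


def enumerate_heaps(img, peb):
    """Walk PEB.ProcessHeaps and return [(slot, heap_address, [problems])]."""
    count = img.u32(peb + PEB_NUMBER_OF_HEAPS)
    limit = img.u32(peb + PEB_MAXIMUM_HEAPS)
    if count > limit:
        # Never let a count read from the image drive an unbounded loop.
        raise ValueError("NumberOfHeaps %d exceeds MaximumNumberOfHeaps %d" % (count, limit))
    array = img.u32(peb + PEB_PROCESS_HEAPS)
    default_heap = img.u32(peb + PEB_PROCESS_HEAP)
    results = []
    for slot in range(count):
        heap = img.u32(array + 4 * slot)      # same as poi(array + slot*4)
        problems = []
        try:
            if img.u32(heap + HEAP_SEGMENT_SIGNATURE) != SEGMENT_MAGIC:
                problems.append("bad SegmentSignature")
            if img.u32(heap + HEAP_SIGNATURE) != HEAP_MAGIC:
                problems.append("bad Signature")
            # Assumption drawn from the output above: the heap in slot 0 reports index 1.
            if img.u16(heap + HEAP_LIST_INDEX) != slot + 1:
                problems.append("ProcessHeapsListIndex mismatch")
        except LookupError as exc:
            problems.append(str(exc))
        if slot == 0 and heap != default_heap:
            problems.append("slot 0 is not PEB.ProcessHeap")
        results.append((slot, heap, problems))
    return results


def build_sample_image(heaps=(0x00330000, 0x00010000, 0x00250000, 0x00D10000),
                       damaged=None):
    """Constructed test image reusing the addresses printed on this page."""
    peb, array = 0x7FFDA000, 0x77C77500
    peb_bytes = bytearray(0x100)
    struct.pack_into("<I", peb_bytes, PEB_PROCESS_HEAP, heaps[0])
    struct.pack_into("<I", peb_bytes, PEB_NUMBER_OF_HEAPS, len(heaps))
    struct.pack_into("<I", peb_bytes, PEB_MAXIMUM_HEAPS, 0x10)
    struct.pack_into("<I", peb_bytes, PEB_PROCESS_HEAPS, array)
    regions = {peb: peb_bytes, array: struct.pack("<%dI" % len(heaps), *heaps)}
    for slot, base in enumerate(heaps):
        header = bytearray(0x138)             # HeaderValidateLength in the dump
        struct.pack_into("<I", header, HEAP_SEGMENT_SIGNATURE, SEGMENT_MAGIC)
        struct.pack_into("<I", header, HEAP_SIGNATURE, HEAP_MAGIC)
        struct.pack_into("<H", header, HEAP_LIST_INDEX, slot + 1)
        if base == damaged:                   # simulate an overwritten header
            struct.pack_into("<I", header, HEAP_SIGNATURE, 0x41414141)
        regions[base] = header
    return Image(regions), peb


if __name__ == "__main__":
    image, peb = build_sample_image(damaged=0x00250000)
    for slot, heap, problems in enumerate_heaps(image, peb):
        print("[%d] _HEAP @ 0x%08x  %s" % (slot, heap, ", ".join(problems) or "ok"))
```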

We will revisit heaps for a more elaborate discussion, including walking the heaps, when we explore heap corruption scenarios.

Wednesday, 27 August 2014

WinDbg : the d Command & its variations

WinDbg : d, db, dd, dt and many more


The d command and its variants are some of the most used commands in WinDbg; each variant displays memory in a different format. It is not my intent to explore the command fully (I leave that to you), but here are some examples.


To dump the first few bytes of the nt kernel loaded in memory in byte format:

kd> db nt
82608000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
82608010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
82608020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
82608030  00 00 00 00 00 00 00 00-00 00 00 00 78 02 00 00  ............x...
82608040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
82608050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
82608060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
82608070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......

The same address now being dumped in dword format.

kd> dd nt
82608000  00905a4d 00000003 00000004 0000ffff
82608010  000000b8 00000000 00000040 00000000
82608020  00000000 00000000 00000000 00000000
82608030  00000000 00000000 00000000 00000278
82608040  0eba1f0e cd09b400 4c01b821 685421cd
82608050  70207369 72676f72 63206d61 6f6e6e61
82608060  65622074 6e757220 206e6920 20534f44
82608070  65646f6d 0a0d0d2e 00000024 00000000

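Note: x86 stores multi-byte values in little-endian order, which is why the bytes 4d 5a 90 00 shown by db appear as the dword 00905a4d in the dd output.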

We can specify the length of the output with the L keyword.

kd> db nt L1
82608000  4d                                               M
kd> db nt L2
82608000  4d 5a                                            MZ

The length given to L is counted in units of the variant's display size, so the output depends on which variant of d we are using: L2 means two bytes for db but two dwords for dd. The same commands with dd produce the following output:

kd> dd nt l1
82608000  00905a4d
kd> dd nt l2
82608000  00905a4d 00000003


Types
Another very useful application of the d command is evaluating types. The dt command is used to typecast memory into specific structures or types. It can also be used to display the structure members.

kd> dt nt!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY
   +0x018 DirectoryTableBase : Uint4B
   +0x01c LdtDescriptor    : _KGDTENTRY
   +0x024 Int21Descriptor  : _KIDTENTRY
   +0x02c ThreadListHead   : _LIST_ENTRY
   +0x034 ProcessLock      : Uint4B
   +0x038 Affinity         : _KAFFINITY_EX
   +0x044 ReadyListHead    : _LIST_ENTRY
   +0x04c SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x050 ActiveProcessors : _KAFFINITY_EX
   +0x05c AutoAlignment    : Pos 0, 1 Bit
   +0x05c DisableBoost     : Pos 1, 1 Bit
   +0x05c DisableQuantum   : Pos 2, 1 Bit
   +0x05c ActiveGroupsMask : Pos 3, 1 Bit
   +0x05c ReservedFlags    : Pos 4, 28 Bits
   +0x05c ProcessFlags     : Int4B
   +0x060 BasePriority     : Char
   +0x061 QuantumReset     : Char
   +0x062 Visited          : UChar
   +0x063 Unused3          : UChar
   +0x064 ThreadSeed       : [1] Uint4B
   +0x068 IdealNode        : [1] Uint2B
   +0x06a IdealGlobalNode  : Uint2B
   +0x06c Flags            : _KEXECUTE_OPTIONS
   +0x06d Unused1          : UChar
   +0x06e IopmOffset       : Uint2B
   +0x070 Unused4          : Uint4B
   +0x074 StackCount       : _KSTACK_COUNT
   +0x078 ProcessListEntry : _LIST_ENTRY
   +0x080 CycleTime        : Uint8B
   +0x088 KernelTime       : Uint4B
   +0x08c UserTime         : Uint4B
   +0x090 VdmTrapcHandler  : Ptr32 Void

As we can see, if the structure type is defined, dt displays the members of the structure. We can also give the name of the member we are interested in, so that only it is printed instead of the entire structure.

kd> dt nt!_KPROCESS ThreadListhead
   +0x02c ThreadListHead : _LIST_ENTRY

Wildcards are also accepted:

kd> dt nt!_KPROCESS ThreadList*
   +0x02c ThreadListHead : _LIST_ENTRY

kd> dt nt!_KPROCESS Disable*
   +0x05c DisableBoost : Pos 1, 1 Bit
   +0x05c DisableQuantum : Pos 2, 1 Bit



SubStructures
Sometimes these structures are composed of substructures. In the above example we see that _KPROCESS has a _DISPATCHER_HEADER inside it.

kd> dt nt!_KPROCESS Header
   +0x000 Header : _DISPATCHER_HEADER

To expand the members of this substructure, add a dot (.) to the name of the member to be expanded.

kd> dt nt!_KPROCESS Header.
   +0x000 Header  : 
      +0x000 Type    : UChar
      +0x001 TimerControlFlags : UChar
      +0x001 Absolute : Pos 0, 1 Bit
      +0x001 Coalescable : Pos 1, 1 Bit
      +0x001 KeepShifting : Pos 2, 1 Bit
      +0x001 EncodedTolerableDelay : Pos 3, 5 Bits
      +0x001 Abandoned : UChar
      +0x001 Signalling : UChar
      +0x002 ThreadControlFlags : UChar
      +0x002 CpuThrottled : Pos 0, 1 Bit
      +0x002 CycleProfiling : Pos 1, 1 Bit
      +0x002 CounterProfiling : Pos 2, 1 Bit
      +0x002 Reserved : Pos 3, 5 Bits
      +0x002 Hand    : UChar
      +0x002 Size    : UChar
      +0x003 TimerMiscFlags : UChar
      +0x003 Index   : Pos 0, 1 Bit
      +0x003 Processor : Pos 1, 5 Bits
      +0x003 Inserted : Pos 6, 1 Bit
      +0x003 Expired : Pos 7, 1 Bit
      +0x003 DebugActive : UChar
      +0x003 ActiveDR7 : Pos 0, 1 Bit
      +0x003 Instrumented : Pos 1, 1 Bit
      +0x003 Reserved2 : Pos 2, 4 Bits
      +0x003 UmsScheduled : Pos 6, 1 Bit
      +0x003 UmsPrimary : Pos 7, 1 Bit
      +0x003 DpcActive : UChar
      +0x000 Lock    : Int4B
      +0x004 SignalState : Int4B
      +0x008 WaitListHead : _LIST_ENTRY

For a more elaborate discussion and explanation of the dot (.) and its usage, please read the WinDbg : The Difference Between The Dot (.) & The Arrow (->) In The dt Command post.


If a memory address is supplied to the dt command, it also shows the value of each member, typecast from that memory, in the output.

kd> dt nt!_KPROCESS 839afbf8  
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY [ 0x839afc08 - 0x839afc08 ]
   +0x018 DirectoryTableBase : 0x185000
   +0x01c LdtDescriptor    : _KGDTENTRY
   +0x024 Int21Descriptor  : _KIDTENTRY
   +0x02c ThreadListHead   : _LIST_ENTRY [ 0x839afb00 - 0x8495fa00 ]
   +0x034 ProcessLock      : 0
   +0x038 Affinity         : _KAFFINITY_EX
   +0x044 ReadyListHead    : _LIST_ENTRY [ 0x839afc3c - 0x839afc3c ]
   +0x04c SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x050 ActiveProcessors : _KAFFINITY_EX
   +0x05c AutoAlignment    : 0y0
   +0x05c DisableBoost     : 0y0
   +0x05c DisableQuantum   : 0y0
   +0x05c ActiveGroupsMask : 0y1
   +0x05c ReservedFlags    : 0y0000000000000000000000000000 (0)
   +0x05c ProcessFlags     : 0n8
   +0x060 BasePriority     : 8 ''
   +0x061 QuantumReset     : 6 ''
   +0x062 Visited          : 0 ''
   +0x063 Unused3          : 0 ''
   +0x064 ThreadSeed       : [1] 0
   +0x068 IdealNode        : [1] 0
   +0x06a IdealGlobalNode  : 0
   +0x06c Flags            : _KEXECUTE_OPTIONS
   +0x06d Unused1          : 0 ''
   +0x06e IopmOffset       : 0x20ac
   +0x070 Unused4          : 0
   +0x074 StackCount       : _KSTACK_COUNT
   +0x078 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x080 CycleTime        : 0x298ea6de
   +0x088 KernelTime       : 0x1b
   +0x08c UserTime         : 0
   +0x090 VdmTrapcHandler  : (null) 

kd> dt nt!_KPROCESS 839afbf8  Header.
   +0x000 Header  : 
      +0x000 Type    : 0x3 ''
      +0x001 TimerControlFlags : 0 ''
      +0x001 Absolute : 0y0
      +0x001 Coalescable : 0y0
      +0x001 KeepShifting : 0y0
      +0x001 EncodedTolerableDelay : 0y00000 (0)
      +0x001 Abandoned : 0 ''
      +0x001 Signalling : 0 ''
      +0x002 ThreadControlFlags : 0x26 '&'
      +0x002 CpuThrottled : 0y0
      +0x002 CycleProfiling : 0y1
      +0x002 CounterProfiling : 0y1
      +0x002 Reserved : 0y00100 (0x4)
      +0x002 Hand    : 0x26 '&'
      +0x002 Size    : 0x26 '&'
      +0x003 TimerMiscFlags : 0 ''
      +0x003 Index   : 0y0
      +0x003 Processor : 0y00000 (0)
      +0x003 Inserted : 0y0
      +0x003 Expired : 0y0
      +0x003 DebugActive : 0 ''
      +0x003 ActiveDR7 : 0y0
      +0x003 Instrumented : 0y0
      +0x003 Reserved2 : 0y0000
      +0x003 UmsScheduled : 0y0
      +0x003 UmsPrimary : 0y0
      +0x003 DpcActive : 0 ''
      +0x000 Lock    : 0n2490371
      +0x004 SignalState : 0n0
      +0x008 WaitListHead : _LIST_ENTRY [ 0x839afc00 - 0x839afc00 ]

We can also expand multiple levels of indirection.

kd> dt nt!_EPROCESS 8274af18 Pcb.Header.size
   +0x000 Pcb             : 
      +0x000 Header          : 
         +0x002 Size            : 0x9a ''


The -y switch instructs dt that the next parameter is the beginning of a name, but not necessarily the entire name. If -y is included, all matches are listed (as with wildcards); if -y is not included, only exact matches are displayed.

kd> x nt!psacti*
8274af18          nt!PsActiveProcessHead = <no type information>

kd> dt nt!_EPROCESS 8274af18 -y ImageFileName
   +0x16c ImageFileName : [15]  ""

kd> dt nt!_EPROCESS 8274af18 -y Image
   +0x16c ImageFileName : [15]  ""
   +0x19c ImagePathHash : 0
   +0x270 ImageNotifyDone : 0y0

To print multiple members, we can separate them with spaces. Wildcards are also permitted.

kd> dt nt!_EPROCESS 8274af18 -y Image* Numa*
   +0x16c ImageFileName : [15]  ""
   +0x19c ImagePathHash : 0
   +0x26c NumaAware : 0y0
   +0x270 ImageNotifyDone : 0y0


Arrays
The dt command can also expand arrays for us. Below is an example.

kd> x nt!kiprocessorb*
827728c0 nt!KiProcessorBlock = <no type information>

This is an array of processor info, also shown by the !pcr command.

Since it is an array, the dt command with the -a option can expand it for us. By default, the first 4 elements of the array are expanded.

kd> dt -a nt!_KPRCB 827728c0 
[0] @ 827728c0 
---------------------------------------------
   +0x000 MinorVersion     : 0x3d20
   +0x002 MajorVersion     : 0x8273
   +0x004 CurrentThread    : (null) 
   +0x008 NextThread       : (null) 
   +0x00c IdleThread       : (null) 
   +0x010 LegacyNumber     : 0 ''
   +0x011 NestingLevel     : 0 ''
   +0x012 BuildType        : 0
   +0x014 CpuType          : 0 ''
   +0x015 CpuID            : 0 ''
   +0x016 CpuStep          : 0
   +0x016 CpuStepping      : 0 ''
   +0x017 CpuModel         : 0 ''
   +0x018 ProcessorState   : _KPROCESSOR_STATE
   +0x338 KernelReserved   : [16] 0
   +0x378 HalReserved      : [16] 0
   +0x3b8 CFlushSize       : 0
   +0x3bc CoresPerPhysicalProcessor : 0 ''
   +0x3bd LogicalProcessorsPerCore : 0 ''
   +0x3be PrcbPad0         : [2]  ""
   +0x3c0 MHz              : 0
   +0x3c4 CpuVendor        : 0 ''
   +0x3c5 GroupIndex       : 0 ''
   +0x3c6 Group            : 0
   +0x3c8 GroupSetMember   : 0
   +0x3cc Number           : 0
   +0x3d0 PrcbPad1         : [72]  ""
   +0x418 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x4a0 NpxThread        : (null) 
   +0x4a4 InterruptCount   : 0
   +0x4a8 KernelTime       : 0
   +0x4ac UserTime         : 0
   +0x4b0 DpcTime          : 0
   +0x4b4 DpcTimeCount     : 0
   +0x4b8 InterruptTime    : 0
   +0x4bc AdjustDpcThreshold : 0
   +0x4c0 PageColor        : 0
   +0x4c4 DebuggerSavedIRQL : 0 ''
   +0x4c5 NodeColor        : 0 ''
   +0x4c6 PrcbPad20        : [2]  ""
   +0x4c8 NodeShiftedColor : 0
   +0x4cc ParentNode       : (null) 
   +0x4d0 SecondaryColorMask : 0
   +0x4d4 DpcTimeLimit     : 0
   +0x4d8 PrcbPad21        : [2] 0
   +0x4e0 CcFastReadNoWait : 0
   +0x4e4 CcFastReadWait   : 0
   +0x4e8 CcFastReadNotPossible : 0
   +0x4ec CcCopyReadNoWait : 0
   +0x4f0 CcCopyReadWait   : 0
   +0x4f4 CcCopyReadNoWaitMiss : 0
   +0x4f8 MmSpinLockOrdering : 0n0
   +0x4fc IoReadOperationCount : 0n0
   +0x500 IoWriteOperationCount : 0n0
   +0x504 IoOtherOperationCount : 0n0
   +0x508 IoReadTransferCount : _LARGE_INTEGER 0x0
   +0x510 IoWriteTransferCount : _LARGE_INTEGER 0x0
   +0x518 IoOtherTransferCount : _LARGE_INTEGER 0x0
   +0x520 CcFastMdlReadNoWait : 0
   +0x524 CcFastMdlReadWait : 0
   +0x528 CcFastMdlReadNotPossible : 0
   +0x52c CcMapDataNoWait  : 0
   +0x530 CcMapDataWait    : 0
   +0x534 CcPinMappedDataCount : 0
   +0x538 CcPinReadNoWait  : 0
   +0x53c CcPinReadWait    : 0
   +0x540 CcMdlReadNoWait  : 0
   +0x544 CcMdlReadWait    : 0
   +0x548 CcLazyWriteHotSpots : 0
   +0x54c CcLazyWriteIos   : 0
   +0x550 CcLazyWritePages : 0
   +0x554 CcDataFlushes    : 0
   +0x558 CcDataPages      : 0
   +0x55c CcLostDelayedWrites : 0
   +0x560 CcFastReadResourceMiss : 0
   +0x564 CcCopyReadWaitMiss : 0
   +0x568 CcFastMdlReadResourceMiss : 0
   +0x56c CcMapDataNoWaitMiss : 0
   +0x570 CcMapDataWaitMiss : 0
   +0x574 CcPinReadNoWaitMiss : 0
   +0x578 CcPinReadWaitMiss : 0
   +0x57c CcMdlReadNoWaitMiss : 0
   +0x580 CcMdlReadWaitMiss : 0
   +0x584 CcReadAheadIos   : 0
   +0x588 KeAlignmentFixupCount : 0
   +0x58c KeExceptionDispatchCount : 0
   +0x590 KeSystemCalls    : 0
   +0x594 AvailableTime    : 0
   +0x598 PrcbPad22        : [2] 0
   +0x5a0 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1820 PacketBarrier    : 0
   +0x1824 ReverseStall     : 0n0
   +0x1828 IpiFrame         : (null) 
   +0x182c PrcbPad3         : [52]  ""
   +0x1860 CurrentPacket    : [3] (null) 
   +0x186c TargetSet        : 0
   +0x1870 WorkerRoutine    : (null) 
   +0x1874 IpiFrozen        : 0
   +0x1878 PrcbPad4         : [40]  ""
   +0x18a0 RequestSummary   : 0
   +0x18a4 SignalDone       : (null) 
   +0x18a8 PrcbPad50        : [56]  ""
   +0x18e0 DpcData          : [2] _KDPC_DATA
   +0x1908 DpcStack         : (null) 
   +0x190c MaximumDpcQueueDepth : 0n0
   +0x1910 DpcRequestRate   : 0
   +0x1914 MinimumDpcRate   : 0
   +0x1918 DpcLastCount     : 0
   +0x191c PrcbLock         : 0
   +0x1920 DpcGate          : _KGATE
   +0x1930 ThreadDpcEnable  : 0 ''
   +0x1931 QuantumEnd       : 0 ''
   +0x1932 DpcRoutineActive : 0 ''
   +0x1933 IdleSchedule     : 0 ''
   +0x1934 DpcRequestSummary : 0n0
   +0x1934 DpcRequestSlot   : [2] 0n0
   +0x1934 NormalDpcState   : 0n0
   +0x1936 DpcThreadActive  : 0y0
   +0x1936 ThreadDpcState   : 0n0
   +0x1938 TimerHand        : 0
   +0x193c LastTick         : 0
   +0x1940 MasterOffset     : 0n0
   +0x1944 PrcbPad41        : [2] 0
   +0x194c PeriodicCount    : 0
   +0x1950 PeriodicBias     : 0
   +0x1958 TickOffset       : 0
   +0x1960 TimerTable       : _KTIMER_TABLE
   +0x31a0 CallDpc          : _KDPC
   +0x31c0 ClockKeepAlive   : 0n-2031551403
   +0x31c4 ClockCheckSlot   : 0x6d 'm'
   +0x31c5 ClockPollCycle   : 0xf6 ''
   +0x31c6 PrcbPad6         : [2]  "???G???"
   +0x31c8 DpcWatchdogPeriod : 0n-2088171449
   +0x31cc DpcWatchdogCount : 0n252
   +0x31d0 ThreadWatchdogPeriod : 0n-1996208245
   +0x31d4 ThreadWatchdogCount : 0n65667
   +0x31d8 KeSpinLockOrdering : 0n79399168
   +0x31dc PrcbPad70        : [1] 0xeb000001
   +0x31e0 WaitListHead     : _LIST_ENTRY [ 0x6a046a29 - 0x14cba00 ]
   +0x31e8 WaitLock         : 0x3353c000
   +0x31ec ReadySummary     : 0xfc5589c9
   +0x31f0 QueueIndex       : 0xf66d58e8
   +0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x31f8 StartCycles      : 0xb3890000`00fcbb89
   +0x3200 CycleTime        : 0x1048389`00000100
   +0x3208 HighCycleTime    : 0x758b0000
   +0x320c PrcbPad71        : 0xe8cbe808
   +0x3210 PrcbPad72        : [2] 0xfec5e9fc`458b0013
   +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0xec8b55ff - 0x5338ec83 ]
   +0x3320 ChainedInterruptList : 0x7cde3bff Void
   +0x3324 LookasideIrpFloat : 0n1166890537
   +0x3328 MmPageFaultCount : 0n-11120632
   +0x332c MmCopyOnWriteCount : 0n1998590005
   +0x3330 MmTransitionCount : 0n-16618878
   +0x3334 MmCacheTransitionCount : 0n434697333
   +0x3338 MmDemandZeroCount : 0n-1962931374
   +0x333c MmPageReadCount  : 0n1979648077
   +0x3340 MmPageReadIoCount : 0n1275955700
   +0x3344 MmCacheReadCount : 0n-1954384115
   +0x3348 MmCacheIoCount   : 0n-550573864
   +0x334c MmDirtyPagesWriteCount : 0n-1014235156
   +0x3350 MmDirtyWriteIoCount : 0n-916758945
   +0x3354 MmMappedPagesWriteCount : 0n-1879046974
   +0x3358 MmMappedWriteIoCount : 0n-1869574000
   +0x335c CachedCommit     : 0x8b55ff8b
   +0x3360 CachedResidentAvailable : 0x8b5753ec
   +0x3364 HyperPte         : 0xff85107d Void
   +0x3368 PrcbPad8         : [4]  "???"
   +0x336c VendorString     : [13]  ""
   +0x3379 InitialApicId    : 0x83 ''
   +0x337a LogicalProcessorsPerPhysicalProcessor : 0x7d '}'
   +0x337b PrcbPad9         : [5]  "???"
   +0x3380 FeatureBits      : 0x83000000
   +0x3388 UpdateSignature  : _LARGE_INTEGER 0x8b645600`00008985
   +0x3390 IsrTime          : 0x80078b00`00002035
   +0x3398 RuntimeAccumulation : 0x210`45c72a38
   +0x33a0 PowerState       : _PROCESSOR_POWER_STATE
   +0x3468 DpcWatchdogDpc   : _KDPC
   +0x3488 DpcWatchdogTimer : _KTIMER
   +0x34b0 WheaInfo         : 0xff7c8d8d Void
   +0x34b4 EtwSupport       : 0x5051ffff Void
   +0x34b8 InterruptObjectPool : _SLIST_HEADER
   +0x34c0 HypercallPageList : _SLIST_HEADER
   +0x34c8 HypercallPageVirtual : 0xffecee90 Void
   +0x34cc VirtualApicAssist : 0x000005bf Void
   +0x34d0 StatisticsPage   : 0x8d43eb80  -> 0x56454426`37373031
   +0x34d4 RateControl      : 0xf03b9445 Void
   +0x34d8 Cache            : [5] _CACHE_DESCRIPTOR
   +0x3514 CacheCount       : 0xd88bffec
   +0x3518 CacheProcessorMask : [5] 0xb774df3b
   +0x352c PackageProcessorSet : _KAFFINITY_EX
   +0x3538 PrcbPad91        : [1] 0x189ffff
   +0x353c CoreProcessorSet : 0x17b80ceb
   +0x3540 TimerExpirationDpc : _KDPC
   +0x3560 SpinLockAcquireCount : 0xe85bcd33
   +0x3564 SpinLockContentionCount : 0xfff0c6c0
   +0x3568 SpinLockSpinCount : 0x4c2c9
   +0x356c IpiSendRequestBroadcastCount : 0x90909090
   +0x3570 IpiSendRequestRoutineCount : 0x55ff8b90
   +0x3574 IpiSendSoftwareInterruptCount : 0x458bec8b
   +0x3578 ExInitializeResourceCount : 0xdccb908
   +0x357c ExReInitializeResourceCount : 0x1878274
   +0x3580 ExDeleteResourceCount : 0x4c25d
   +0x3584 ExecutiveResourceAcquiresCount : 0x90909090
   +0x3588 ExecutiveResourceContentionsCount : 0x55ff8b90
   +0x358c ExecutiveResourceReleaseExclusiveCount : 0x4d8bec8b
   +0x3590 ExecutiveResourceReleaseSharedCount : 0x50c03310
   +0x3594 ExecutiveResourceConvertsCount : 0x831475ff
   +0x3598 ExAcqResExclusiveAttempts : 0x45f634c1
   +0x359c ExAcqResExclusiveAcquiresExclusive : 0x5051020c
   +0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : 0x75ff5050
   +0x35a4 ExAcqResExclusiveWaits : 0xe8077408
   +0x35a8 ExAcqResExclusiveNotAcquires : 0xffead85c
   +0x35ac ExAcqResSharedAttempts : 0x46e805eb
   +0x35b0 ExAcqResSharedAcquiresExclusive : 0x5d000fbc
   +0x35b4 ExAcqResSharedAcquiresShared : 0x900010c2
   +0x35b8 ExAcqResSharedAcquiresSharedRecursive : 0x90909090
   +0x35bc ExAcqResSharedWaits : 0x8b55ff8b
   +0x35c0 ExAcqResSharedNotAcquires : 0x8458bec
   +0x35c4 ExAcqResSharedStarveExclusiveAttempts : 0x974168b9
   +0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : 0x5d018782
   +0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : 0x900004c2
   +0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : 0x90909090
   +0x35d4 ExAcqResSharedStarveExclusiveWaits : 0x8b55ff8b
   +0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : 0x30ec83ec
   +0x35dc ExAcqResSharedWaitForExclusiveAttempts : 0x68575653
   +0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : 0x62747346
   +0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : 0xf633106a
   +0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : 0x3157e856
   +0x35ec ExAcqResSharedWaitForExclusiveWaits : 0xd88bfffb
   +0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : 0xc75de3b
   +0x35f4 ExSetResOwnerPointerExclusive : 0x9ab8
   +0x35f8 ExSetResOwnerPointerSharedNew : 0x5b5e5fc0
   +0x35fc ExSetResOwnerPointerSharedOld : 0xcc2c9
   +0x3600 ExTryToAcqExclusiveAttempts : 0xe8535656
   +0x3604 ExTryToAcqExclusiveAcquires : 0xffec9a69
   +0x3608 ExBoostExclusiveOwner : 0x50f4458d
   +0x360c ExBoostSharedOwners : 0x186a5653
   +0x3610 ExEtwSynchTrackingNotificationsCount : 0x560c75ff
   +0x3614 ExEtwSynchTrackingNotificationsAccountedCount : 0x875ff56
   +0x3618 Context          : 0x07000068 _CONTEXT
   +0x361c ContextFlags     : 0x790ae800
   +0x3620 ExtendedState    : 0xc63b000d _XSAVE_AREA

[1] @ 82775ee8 
---------------------------------------------
   +0x000 MinorVersion     : 0xcde8
   +0x002 MajorVersion     : 0xfb3b
   +0x004 CurrentThread    : 0x8bc5ebff _KTHREAD
   +0x008 NextThread       : 0xd08b084d _KTHREAD
   +0x00c IdleThread       : 0xec9636e8 _KTHREAD
   +0x010 LegacyNumber     : 0xff ''
   +0x011 NestingLevel     : 0x8b ''
   +0x012 BuildType        : 0x81f8
   +0x014 CpuType          : -1 ''
   +0x015 CpuID            : 3 ''
   +0x016 CpuStep          : 1
   +0x016 CpuStepping      : 0x1 ''
   +0x017 CpuModel         : 0 ''
   +0x018 ProcessorState   : _KPROCESSOR_STATE
   +0x338 KernelReserved   : [16] 0xffe9349e
   +0x378 HalReserved      : [16] 0x367c0010
   +0x3b8 CFlushSize       : 0xfebc0b7
   +0x3bc CoresPerPhysicalProcessor : 0xf ''
   +0x3bd LogicalProcessorsPerCore : 0xbf ''
   +0x3be PrcbPad0         : [2]  "???|???"
   +0x3c0 MHz              : 0x288c7c
   +0x3c4 CpuVendor        : 0xf ''
   +0x3c5 GroupIndex       : 0x85 ''
   +0x3c6 Group            : 0x81
   +0x3c8 GroupSetMember   : 0x66480000
   +0x3cc Number           : 0xec7dc085
   +0x3d0 PrcbPad1         : [72]  "???"
   +0x418 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x4a0 NpxThread        : 0x8b20084e _KTHREAD
   +0x4a4 InterruptCount   : 0x48890c4d
   +0x4a8 KernelTime       : 0x104d8b0c
   +0x4ac UserTime         : 0x8708957
   +0x4b0 DpcTime          : 0xe8bff08b
   +0x4b4 DpcTimeCount     : 0x89827707
   +0x4b8 InterruptTime    : 0xb4e81048
   +0x4bc AdjustDpcThreshold : 0x5fffe986
   +0x4c0 PageColor        : 0xcc25d5e
   +0x4c4 DebuggerSavedIRQL : 0 ''
   +0x4c5 NodeColor        : 0x90 ''
   +0x4c6 PrcbPad20        : [2]  "??????"
   +0x4c8 NodeShiftedColor : 0xff8b9090
   +0x4cc ParentNode       : 0x56ec8b55 _KNODE
   +0x4d0 SecondaryColorMask : 0x17eb378b
   +0x4d4 DpcTimeLimit     : 0xcf3b0e8b
   +0x4d8 PrcbPad21        : [2] 0x7d800675
   +0x4e0 CcFastReadNoWait : 0x6acc468d
   +0x4e4 CcFastReadWait   : 0xf18b5001
   +0x4e8 CcFastReadNotPossible : 0x3b0855ff
   +0x4ec CcCopyReadNoWait : 0x5ee575f7
   +0x4f0 CcCopyReadWait   : 0x8c25d
   +0x4f4 CcCopyReadNoWaitMiss : 0x90909090
   +0x4f8 MmSpinLockOrdering : 0n1442810768
   +0x4fc IoReadOperationCount : 0n1750527115
   +0x500 IoWriteOperationCount : 0n1750298441
   +0x504 IoOtherOperationCount : 0n6949994
   +0x508 IoReadTransferCount : _LARGE_INTEGER 0x85f08bff`fb2c10e8
   +0x510 IoWriteTransferCount : _LARGE_INTEGER 0xc000009a`b80775f6
   +0x518 IoOtherTransferCount : _LARGE_INTEGER 0x8b57085d`8b5324eb
   +0x520 CcFastMdlReadNoWait : 0xc4e6e8cb
   +0x524 CcFastMdlReadWait : 0xd0bffff0
   +0x528 CcFastMdlReadNotPossible : 0x89827707
   +0x52c CcMapDataNoWait  : 0xeae8085e
   +0x530 CcMapDataWait    : 0x81ffe98c
   +0x534 CcPinMappedDataCount : 0x8001c4b
   +0x538 CcPinReadNoWait  : 0x335f0000
   +0x53c CcPinReadWait    : 0x5d5e5bc0
   +0x540 CcMdlReadNoWait  : 0x900004c2
   +0x544 CcMdlReadWait    : 0x90909090
   +0x548 CcLazyWriteHotSpots : 0x8b55ff8b
   +0x54c CcLazyWriteIos   : 0x503d83ec
   +0x550 CcLazyWritePages : 0x282771d
   +0x554 CcDataFlushes    : 0x89b80972
   +0x558 CcDataPages      : 0x5dc00001
   +0x55c CcLostDelayedWrites : 0x5d0004c2
   +0x560 CcFastReadResourceMiss : 0x22633ae9
   +0x564 CcCopyReadWaitMiss : 0x90909000
   +0x568 CcFastMdlReadResourceMiss : 0xff8b9090
   +0x56c CcMapDataNoWaitMiss : 0x83ec8b55
   +0x570 CcMapDataWaitMiss : 0x565324ec
   +0x574 CcPinReadNoWaitMiss : 0x6a006a57
   +0x578 CcPinReadWaitMiss : 0x19bb00
   +0x57c CcMdlReadNoWaitMiss : 0xff530002
   +0x580 CcMdlReadWaitMiss : 0x7d8d0875
   +0x584 CcReadAheadIos   : 0x2756e8f4
   +0x588 KeAlignmentFixupCount : 0xc0850004
   +0x58c KeExceptionDispatchCount : 0xc78c0f
   +0x590 KeSystemCalls    : 0x458d0000
   +0x594 AvailableTime    : 0x106850fc
   +0x598 PrcbPad22        : [2] 0xff8281f4
   +0x5a0 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1820 PacketBarrier    : 0x47501f8
   +0x1824 ReverseStall     : 0n65784115
   +0x1828 IpiFrame         : 0x8b104d8b Void
   +0x182c PrcbPad3         : [52]  "???"
   +0x1860 CurrentPacket    : [3] 0x18458900 Void
   +0x186c TargetSet        : 0x8b1374c0
   +0x1870 WorkerRoutine    : 0x4e2b104e     void  +4e2b104e
   +0x1874 IpiFrozen        : 0x41026a0c
   +0x1878 PrcbPad4         : [40]  "Q???"
   +0x18a0 RequestSummary   : 0x28980f6
   +0x18a4 SignalDone       : 0x89200000 _KPRCB
   +0x18a8 PrcbPad50        : [56]  "E???"
   +0x18e0 DpcData          : [2] _KDPC_DATA
   +0x1908 DpcStack         : 0x4e78e8ca Void
   +0x190c MaximumDpcQueueDepth : 0n1301020660
   +0x1910 DpcRequestRate   : 0x89a18010
   +0x1914 MinimumDpcRate   : 0xdf000002
   +0x1918 DpcLastCount     : 0x86818d
   +0x191c PrcbLock         : 0xff660000
   +0x1920 DpcGate          : _KGATE
   +0x1930 ThreadDpcEnable  : 0xe8 ''
   +0x1931 QuantumEnd       : 0x7c '|'
   +0x1932 DpcRoutineActive : 0x8c ''
   +0x1933 IdleSchedule     : 0xeb ''
   +0x1934 DpcRequestSummary : 0n-260209665
   +0x1934 DpcRequestSlot   : [2] 0n-31745
   +0x1934 NormalDpcState   : 0n-31745
   +0x1936 DpcThreadActive  : 0y1
   +0x1936 ThreadDpcState   : 0n-3971
   +0x1938 TimerHand        : 0x8b0b7501
   +0x193c LastTick         : 0x4e8b1046
   +0x1940 MasterOffset     : 0n1153427468
   +0x1944 PrcbPad41        : [2] 0x558b000c
   +0x194c PeriodicCount    : 0x8943da2b
   +0x1950 PeriodicBias     : 0xe0878d18
   +0x1958 TickOffset       : 0xdc8f`8d008b18
   +0x1960 TimerTable       : _KTIMER_TABLE
   +0x31a0 CallDpc          : _KDPC
   +0x31c0 ClockKeepAlive   : 0n66664
   +0x31c4 ClockCheckSlot   : 0 ''
   +0x31c5 ClockPollCycle   : 0x53 'S'
   +0x31c6 PrcbPad6         : [2]  "h??????"
   +0x31c8 DpcWatchdogPeriod : 0n-394103657
   +0x31cc DpcWatchdogCount : 0n-1274488
   +0x31d0 ThreadWatchdogPeriod : 0n133224
   +0x31d4 ThreadWatchdogCount : 0n-1066904832
   +0x31d8 KeSpinLockOrdering : 0n-394103656
   +0x31dc PrcbPad70        : [1] 0xffec8d78
   +0x31e0 WaitListHead     : _LIST_ENTRY [ 0x7498b0b8 - 0x30c48382 ]
   +0x31e8 WaitLock         : 0x9ac41d89
   +0x31ec ReadySummary     : 0xb4a38274
   +0x31f0 QueueIndex       : 0xa3827498
   +0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x31f8 StartCycles      : 0x1d898274`98b81d89
   +0x3200 CycleTime        : 0xe9262ee8`827498bc
   +0x3208 HighCycleTime    : 0x5c65eff
   +0x320c PrcbPad71        : 0x82741ec3
   +0x3210 PrcbPad72        : [2] 0x90909090`90c35b01
   +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0x33575653 - 0xfc458ddb ]
   +0x3320 ChainedInterruptList : 0xfffffe5c Void
   +0x3324 LookasideIrpFloat : 0n-27738743
   +0x3328 MmPageFaultCount : 0n-1115029505
   +0x332c MmCopyOnWriteCount : 0n-436
   +0x3330 MmTransitionCount : 0n-28787319
   +0x3334 MmCacheTransitionCount : 0n-1115029505
   +0x3338 MmDemandZeroCount : 0n-428
   +0x333c MmPageReadCount  : 0n-29311607
   +0x3340 MmPageReadIoCount : 0n-1115029505
   +0x3344 MmCacheReadCount : 0n-444
   +0x3348 MmCacheIoCount   : 0n175490875
   +0x334c MmDirtyPagesWriteCount : 0n3519
   +0x3350 MmDirtyWriteIoCount : 0n41609664
   +0x3354 MmMappedPagesWriteCount : 0n-147128320
   +0x3358 MmMappedWriteIoCount : 0n-1737952652
   +0x335c CachedCommit     : 0x8d000000
   +0x3360 CachedResidentAvailable : 0xffff6085
   +0x3364 HyperPte         : 0xe85057ff Void
   +0x3368 PrcbPad8         : [4]  "???"
   +0x336c VendorString     : [13]  "???"
   +0x3379 InitialApicId    : 0 ''
   +0x337a LogicalProcessorsPerPhysicalProcessor : 0 ''
   +0x337b PrcbPad9         : [5]  "???"
   +0x3380 FeatureBits      : 0xff5750ff
   +0x3388 UpdateSignature  : _LARGE_INTEGER 0xecadebe8`fffffe50
   +0x3390 IsrTime          : 0x1aff`81f88bff
   +0x3398 RuntimeAccumulation : 0x85000002`1d840f80
   +0x33a0 PowerState       : _PROCESSOR_POWER_STATE
   +0x3468 DpcWatchdogDpc   : _KDPC
   +0x3488 DpcWatchdogTimer : _KTIMER
   +0x34b0 WheaInfo         : 0x858b6600 Void
   +0x34b4 EtwSupport       : 0xfffffe4c Void
   +0x34b8 InterruptObjectPool : _SLIST_HEADER
   +0x34c0 HypercallPageList : _SLIST_HEADER
   +0x34c8 HypercallPageVirtual : 0x70858dff Void
   +0x34cc VirtualApicAssist : 0x50ffffff Void
   +0x34d0 StatisticsPage   : 0x001ec0e8  -> ??
   +0x34d4 RateControl      : 0x85f88b00 Void
   +0x34d8 Cache            : [5] _CACHE_DESCRIPTOR
   +0x3514 CacheCount       : 0x48858b0a
   +0x3518 CacheProcessorMask : [5] 0x85fffffe
   +0x352c PackageProcessorSet : _KAFFINITY_EX
   +0x3538 PrcbPad91        : [1] 0x58bd8d0b
   +0x353c CoreProcessorSet : 0xb9fffffe
   +0x3540 TimerExpirationDpc : _KDPC
   +0x3560 SpinLockAcquireCount : 0x448d8bff
   +0x3564 SpinLockContentionCount : 0x8bfffffe
   +0x3568 SpinLockSpinCount : 0x75d10bd0
   +0x356c IpiSendRequestBroadcastCount : 0x184e830a
   +0x3570 IpiSendRequestRoutineCount : 0x1c4e83ff
   +0x3574 IpiSendSoftwareInterruptCount : 0x8906ebff
   +0x3578 ExInitializeResourceCount : 0x4e891846
   +0x357c ExReInitializeResourceCount : 0x5c958b1c
   +0x3580 ExDeleteResourceCount : 0x8dfffffe
   +0x3584 ExecutiveResourceAcquiresCount : 0xfffe5485
   +0x3588 ExecutiveResourceContentionsCount : 0x46a50ff
   +0x358c ExecutiveResourceReleaseExclusiveCount : 0xbd8d046a
   +0x3590 ExecutiveResourceReleaseSharedCount : 0xfffffe58
   +0x3594 ExecutiveResourceConvertsCount : 0x8233b0b9
   +0x3598 ExAcqResExclusiveAttempts : 0x2605e882
   +0x359c ExAcqResExclusiveAcquiresExclusive : 0xf88b0000
   +0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : 0xf7dff85
   +0x35a4 ExAcqResExclusiveWaits : 0x34ff81
   +0x35a8 ExAcqResExclusiveNotAcquires : 0x1075c000
   +0x35ac ExAcqResSharedAttempts : 0x7e89ff33
   +0x35b0 ExAcqResSharedAcquiresExclusive : 0x8b09eb20
   +0x35b4 ExAcqResSharedAcquiresShared : 0xfffe5485
   +0x35b8 ExAcqResSharedAcquiresSharedRecursive : 0x204689ff
   +0x35bc ExAcqResSharedWaits : 0xfe5cbd83
   +0x35c0 ExAcqResSharedNotAcquires : 0x7400ffff
   +0x35c4 ExAcqResSharedStarveExclusiveAttempts : 0x5cb5ff0b
   +0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : 0xe8fffffe
   +0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : 0xffeca684
   +0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : 0x8bfc4d8b
   +0x35d4 ExAcqResSharedStarveExclusiveWaits : 0x5fcd33c7
   +0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : 0xf09023e8
   +0x35dc ExAcqResSharedWaitForExclusiveAttempts : 0x8c2c9ff
   +0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : 0x90909000
   +0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : 0xff8b9090
   +0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : 0x83ec8b55
   +0x35ec ExAcqResSharedWaitForExclusiveWaits : 0x8b530cec
   +0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : 0xc033085d
   +0x35f4 ExSetResOwnerPointerExclusive : 0x45895756
   +0x35f8 ExSetResOwnerPointerSharedNew : 0x75d83b08
   +0x35fc ExSetResOwnerPointerSharedOld : 0x845c70c
   +0x3600 ExTryToAcqExclusiveAttempts : 0xc000000d
   +0x3604 ExTryToAcqExclusiveAcquires : 0x82e9
   +0x3608 ExBoostExclusiveOwner : 0xc453900
   +0x360c ExBoostSharedOwners : 0x4589ef74
   +0x3610 ExEtwSynchTrackingNotificationsCount : 0x284339fc
   +0x3614 ExEtwSynchTrackingNotificationsAccountedCount : 0x538d2276
   +0x3618 Context          : 0x8b3a8b30 _CONTEXT
   +0x361c ContextFlags     : 0x46a0c75
   +0x3620 ExtendedState    : 0x89c03359 _XSAVE_AREA

[2] @ 82779510 
---------------------------------------------
   +0x000 MinorVersion     : 0x1d74
   +0x002 MajorVersion     : 0x45ff
   +0x004 CurrentThread    : 0xfc458bfc _KTHREAD
   +0x008 NextThread       : 0x3b04c283 _KTHREAD
   +0x00c IdleThread       : 0xe1722843 _KTHREAD
   +0x010 LegacyNumber     : 0x83 ''
   +0x011 NestingLevel     : 0x7b '{'
   +0x012 BuildType        : 0x7c28
   +0x014 CpuType          : 114 'r'
   +0x015 CpuID            : 22 ''
   +0x016 CpuStep          : 0x45c7
   +0x016 CpuStepping      : 0xc7 ''
   +0x017 CpuModel         : 0x45 'E'
   +0x018 ProcessorState   : _KPROCESSOR_STATE
   +0x338 KernelReserved   : [16] 0xc508be8
   +0x378 HalReserved      : [16] 0x70696d57
   +0x3b8 CFlushSize       : 0xc2f60000
   +0x3bc CoresPerPhysicalProcessor : 0x2 ''
   +0x3bd LogicalProcessorsPerCore : 0x74 't'
   +0x3be PrcbPad0         : [2]  " ???N4???"
   +0x3c0 MHz              : 0x48b344e
   +0x3c4 CpuVendor        : 0x81 ''
   +0x3c5 GroupIndex       : 0x89 ''
   +0x3c6 Group            : 0xe045
   +0x3c8 GroupSetMember   : 0x6602508d
   +0x3cc Number           : 0x4040088b
   +0x3d0 PrcbPad1         : [72]  "f???"
   +0x418 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x4a0 NpxThread        : 0x59e4458b _KTHREAD
   +0x4a4 InterruptCount   : 0xe075ff59
   +0x4a8 KernelTime       : 0x57027b8d
   +0x4ac UserTime         : 0xeb449de8
   +0x4b0 DpcTime          : 0xec458dff
   +0x4b4 DpcTimeCount     : 0xe4458b50
   +0x4b8 InterruptTime    : 0x32f6e857
   +0x4bc AdjustDpcThreshold : 0xc78bffeb
   +0x4c0 PageColor        : 0x6602488d
   +0x4c4 DebuggerSavedIRQL : 0x8b ''
   +0x4c5 NodeColor        : 0x10 ''
   +0x4c6 PrcbPad20        : [2]  "@@"
   +0x4c8 NodeShiftedColor : 0x75d28566
   +0x4cc ParentNode       : 0xd1c12bf6 _KNODE
   +0x4d0 SecondaryColorMask : 0x448df8
   +0x4d4 DpcTimeLimit     : 0x3896602
   +0x4d8 PrcbPad21        : [2] 0xebdc7589
   +0x4e0 CcFastReadNoWait : 0xc7401a8
   +0x4e4 CcFastReadWait   : 0x3c0c7d83
   +0x4e8 CcFastReadNotPossible : 0x63830672
   +0x4ec CcCopyReadNoWait : 0xeeb0038
   +0x4f0 CcCopyReadWait   : 0xa7406a8
   +0x4f4 CcCopyReadNoWaitMiss : 0x340c7d83
   +0x4f8 MmSpinLockOrdering : 0n1669530738
   +0x4fc IoReadOperationCount : 0n1166737456
   +0x500 IoWriteOperationCount : 0n1958774248
   +0x504 IoOtherOperationCount : 0n546881290
   +0x508 IoReadTransferCount : _LARGE_INTEGER 0x8b00088b`f4e88273
   +0x510 IoWriteTransferCount : _LARGE_INTEGER 0x335e5fdc`458bfc4d
   +0x518 IoOtherTransferCount : _LARGE_INTEGER 0xc9fff08a`b9e85bcd
   +0x520 CcFastMdlReadNoWait : 0x900008c2
   +0x524 CcFastMdlReadWait : 0x90909090
   +0x528 CcFastMdlReadNotPossible : 0x8b55ff8b
   +0x52c CcMapDataNoWait  : 0xa8ec81ec
   +0x530 CcMapDataWait    : 0xa1000001
   +0x534 CcPinMappedDataCount : 0x82733a48
   +0x538 CcPinReadNoWait  : 0x4589c533
   +0x53c CcPinReadWait    : 0x1d40a1fc
   +0x540 CcMdlReadNoWait  : 0x85898277
   +0x544 CcMdlReadWait    : 0xfffffed4
   +0x548 CcLazyWriteHotSpots : 0x743b20a1
   +0x54c CcLazyWriteIos   : 0x24050b82
   +0x550 CcLazyWritePages : 0xc782743b
   +0x554 CcDataFlushes    : 0xfffed085
   +0x558 CcDataPages      : 0x446aff
   +0x55c CcLostDelayedWrites : 0x30840f00
   +0x560 CcFastReadResourceMiss : 0x8d000001
   +0x564 CcCopyReadWaitMiss : 0xfffed885
   +0x568 CcFastMdlReadResourceMiss : 0x85c750ff
   +0x56c CcMapDataNoWaitMiss : 0xfffffed8
   +0x570 CcMapDataWaitMiss : 0x11c
   +0x574 CcPinReadNoWaitMiss : 0x49c13e8
   +0x578 CcPinReadWaitMiss : 0xfc08500
   +0x57c CcMdlReadNoWaitMiss : 0x1128c
   +0x580 CcMdlReadWaitMiss : 0x28b0a100
   +0x584 CcReadAheadIos   : 0x85898277
   +0x588 KeAlignmentFixupCount : 0xfffffec8
   +0x58c KeExceptionDispatchCount : 0x7728b4a1
   +0x590 KeSystemCalls    : 0x89046a82
   +0x594 AvailableTime    : 0xfffecc85
   +0x598 PrcbPad22        : [2] 0x8dc933ff
   +0x5a0 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1820 PacketBarrier    : 0xfffde0bd
   +0x1824 ReverseStall     : 0n13494527
   +0x1828 IpiFrame         : 0xc0680000 Void
   +0x182c PrcbPad3         : [52]  "???"
   +0x1860 CurrentPacket    : [3] 0xfffde0bd Void
   +0x186c TargetSet        : 0x8d82820b
   +0x1870 WorkerRoutine    : 0xfffdcc85     void  +fffffffffffdcc85
   +0x1874 IpiFrozen        : 0x85c750ff
   +0x1878 PrcbPad4         : [40]  "???"
   +0x18a0 RequestSummary   : 0xfffffddc
   +0x18a4 SignalDone       : 0xfde0bd8d _KPRCB
   +0x18a8 PrcbPad50        : [56]  "???"
   +0x18e0 DpcData          : [2] _KDPC_DATA
   +0x1908 DpcStack         : 0x50000001 Void
   +0x190c MaximumDpcQueueDepth : 0n-1912846967
   +0x1910 DpcRequestRate   : 0xfffeec85
   +0x1914 MinimumDpcRate   : 0x26a50ff
   +0x1918 DpcLastCount     : 0xff1475ff
   +0x191c PrcbLock         : 0xe9e80875
   +0x1920 DpcGate          : _KGATE
   +0x1930 ThreadDpcEnable  : 0 ''
   +0x1931 QuantumEnd       : 0xc0 ''
   +0x1932 DpcRoutineActive : 0xeb ''
   +0x1933 IdleSchedule     : 0x3c '<'
   +0x1934 DpcRequestSummary : 0n-17791605
   +0x1934 DpcRequestSlot   : [2] 0n-31349
   +0x1934 NormalDpcState   : 0n-31349
   +0x1936 DpcThreadActive  : 0y0
   +0x1936 ThreadDpcState   : 0n-272
   +0x1938 TimerHand        : 0x453bffff
   +0x193c LastTick         : 0xb807740c
   +0x1940 MasterOffset     : 0n-1073741788
   +0x1944 PrcbPad41        : [2] 0x8b562aeb
   +0x194c PeriodicCount    : 0x76373bff
   +0x1950 PeriodicBias     : 0x23b807
   +0x1958 TickOffset       : 0x50fffffe`f8858d56
   +0x1960 TimerTable       : _KTIMER_TABLE
   +0x31a0 CallDpc          : _KDPC
   +0x31c0 ClockKeepAlive   : 0n-1869610992
   +0x31c4 ClockCheckSlot   : 0x90 ''
   +0x31c5 ClockPollCycle   : 0x90 ''
   +0x31c6 PrcbPad6         : [2]  "??????"
   +0x31c8 DpcWatchdogPeriod : 0n-815246849
   +0x31cc DpcWatchdogCount : 0n1753380805
   +0x31d0 ThreadWatchdogPeriod : 0n-2105411328
   +0x31d4 ThreadWatchdogCount : 0n1085800810
   +0x31d8 KeSpinLockOrdering : 0n-947751177
   +0x31dc PrcbPad70        : [1] 0x76f7bc05
   +0x31e0 WaitListHead     : _LIST_ENTRY [ 0x790c6482 - 0xc005c782 ]
   +0x31e8 WaitLock         : 0xd18276f7
   +0x31ec ReadySummary     : 0xc78277f8
   +0x31f0 QueueIndex       : 0x76f7c405
   +0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x31f8 StartCycles      : 0x428276f7`7c05c782
   +0x3200 CycleTime        : 0x76f78005`c782790b
   +0x3208 HighCycleTime    : 0x776e7182
   +0x320c PrcbPad71        : 0x8405c782
   +0x3210 PrcbPad72        : [2] 0xc7828c7c`3d8276f7
   +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0x7e882 - 0xc3590000 ]
   +0x3320 ChainedInterruptList : 0x585e3982 Void
   +0x3324 LookasideIrpFloat : 0n1187448693
   +0x3328 MmPageFaultCount : 0n-1852552360
   +0x332c MmCopyOnWriteCount : 0n1751005570
   +0x3330 MmTransitionCount : 0n1187448693
   +0x3334 MmCacheTransitionCount : 0n-1852406936
   +0x3338 MmDemandZeroCount : 0n1885223298
   +0x333c MmPageReadCount  : 0n1187448693
   +0x3340 MmPageReadIoCount : 0n2030913136
   +0x3344 MmCacheReadCount : 0n1952332162
   +0x3348 MmCacheIoCount   : 0n1187448693
   +0x334c MmDirtyPagesWriteCount : 0n2031315828
   +0x3350 MmDirtyWriteIoCount : 0n2019441026
   +0x3354 MmMappedPagesWriteCount : 0n1187448693
   +0x3358 MmMappedWriteIoCount : 0n2031404920
   +0x335c CachedCommit     : 0x7c5e3982
   +0x3360 CachedResidentAvailable : 0x46c70775
   +0x3364 HyperPte         : 0x77fc5d7c Void
   +0x3368 PrcbPad8         : [4]  "???"
   +0x336c VendorString     : [13]  ""
   +0x3379 InitialApicId    : 0x8d ''
   +0x337a LogicalProcessorsPerPhysicalProcessor : 0x86 ''
   +0x337b PrcbPad9         : [5]  "???"
   +0x3380 FeatureBits      : 0xc7067518
   +0x3388 UpdateSignature  : _LARGE_INTEGER 0x39000000`88868d82
   +0x3390 IsrTime          : 0x79400b00`c7067518
   +0x3398 RuntimeAccumulation : 0x46c70775`5c5e3982
   +0x33a0 PowerState       : _PROCESSOR_POWER_STATE
   +0x3468 DpcWatchdogDpc   : _KDPC
   +0x3488 DpcWatchdogTimer : _KTIMER
   +0x34b0 WheaInfo         : 0x8d084289 Void
   +0x34b4 EtwSupport       : 0x016a2856 Void
   +0x34b8 InterruptObjectPool : _SLIST_HEADER
   +0x34c0 HypercallPageList : _SLIST_HEADER
   +0x34c8 HypercallPageVirtual : 0x085d3800 Void
   +0x34cc VirtualApicAssist : 0xa1642874 Void
   +0x34d0 StatisticsPage   : 0x00000124  -> ??
   +0x34d4 RateControl      : 0x8688ff66 Void
   +0x34d8 Cache            : [5] _CACHE_DESCRIPTOR
   +0x3514 CacheCount       : 0xf75085d
   +0x3518 CacheProcessorMask : [5] 0xe7c0b953
   +0x352c PackageProcessorSet : _KAFFINITY_EX
   +0x3538 PrcbPad91        : [1] 0x1b7502c1
   +0x353c CoreProcessorSet : 0xfe418d41
   +0x3540 TimerExpirationDpc : _KDPC
   +0x3560 SpinLockAcquireCount : 0x86
   +0x3564 SpinLockContentionCount : 0xf00ff66
   +0x3568 SpinLockSpinCount : 0x3b6600b7
   +0x356c IpiSendRequestBroadcastCount : 0x8d0c75c3
   +0x3570 IpiSendRequestRoutineCount : 0x394041
   +0x3574 IpiSendSoftwareInterruptCount : 0xee80574
   +0x3578 ExInitializeResourceCount : 0x38ffeb3a
   +0x357c ExReInitializeResourceCount : 0xe74085d
   +0x3580 ExDeleteResourceCount : 0x89585e89
   +0x3584 ExecutiveResourceAcquiresCount : 0x5e89685e
   +0x3588 ExecutiveResourceContentionsCount : 0x7c5e8948
   +0x358c ExecutiveResourceReleaseExclusiveCount : 0x53532ceb
   +0x3590 ExecutiveResourceReleaseSharedCount : 0x5054468d
   +0x3594 ExecutiveResourceConvertsCount : 0xec2e88e8
   +0x3598 ExAcqResExclusiveAttempts : 0x8d5353ff
   +0x359c ExAcqResExclusiveAcquiresExclusive : 0xe8506446
   +0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : 0xffec2e7d
   +0x35a4 ExAcqResExclusiveWaits : 0x468d5353
   +0x35a8 ExAcqResExclusiveNotAcquires : 0x72e85044
   +0x35ac ExAcqResSharedAttempts : 0x53ffec2e
   +0x35b0 ExAcqResSharedAcquiresExclusive : 0x78468d53
   +0x35b4 ExAcqResSharedAcquiresShared : 0x2e67e850
   +0x35b8 ExAcqResSharedAcquiresSharedRecursive : 0x86affec
   +0x35bc ExAcqResSharedWaits : 0x875ff59
   +0x35c0 ExAcqResSharedNotAcquires : 0x7c8dc033
   +0x35c4 ExAcqResSharedStarveExclusiveAttempts : 0xabf31424
   +0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : 0xa0868d
   +0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : 0x8d500000
   +0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : 0xc7182444
   +0x35d4 ExAcqResSharedStarveExclusiveWaits : 0x1182444
   +0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : 0xc7ceb100
   +0x35dc ExAcqResSharedWaitForExclusiveAttempts : 0x501c2444
   +0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : 0xc74c4e66
   +0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : 0x1202444
   +0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : 0xc7000000
   +0x35ec ExAcqResSharedWaitForExclusiveWaits : 0x38242444
   +0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : 0xc7000000
   +0x35f4 ExSetResOwnerPointerExclusive : 0x40282444
   +0x35f8 ExSetResOwnerPointerSharedNew : 0x89000000
   +0x35fc ExSetResOwnerPointerSharedOld : 0xc72c245c
   +0x3600 ExTryToAcqExclusiveAttempts : 0x12342444
   +0x3604 ExTryToAcqExclusiveAcquires : 0xc78283e6
   +0x3608 ExBoostExclusiveOwner : 0x77302444
   +0x360c ExBoostSharedOwners : 0xe8827a23
   +0x3610 ExEtwSynchTrackingNotificationsCount : 0x75
   +0x3614 ExEtwSynchTrackingNotificationsAccountedCount : 0xbe8dc033
   +0x3618 Context          : 0x00000150 _CONTEXT
   +0x361c ContextFlags     : 0xab086aab
   +0x3620 ExtendedState    : 0x01588e83 _XSAVE_AREA

[3] @ 8277cb38 
---------------------------------------------
   +0x000 MinorVersion     : 0x75ff
   +0x002 MajorVersion     : 0x3308
   +0x004 CurrentThread    : 0x247c8dc0 _KTHREAD
   +0x008 NextThread       : 0x81abf334 _KTHREAD
   +0x00c IdleThread       : 0x000100c6 _KTHREAD
   +0x010 LegacyNumber     : 0 ''
   +0x011 NestingLevel     : 0x56 'V'
   +0x012 BuildType        : 0x448d
   +0x014 CpuType          : 36 '$'
   +0x015 CpuID            : 56 '8'
   +0x016 CpuStep          : 0x44c7
   +0x016 CpuStepping      : 0xc7 ''
   +0x017 CpuModel         : 0x44 'D'
   +0x018 ProcessorState   : _KPROCESSOR_STATE
   +0x338 KernelReserved   : [16] 0x875ff00
   +0x378 HalReserved      : [16] 0xff6c458c
   +0x3b8 CFlushSize       : 0x40f88340
   +0x3bc CoresPerPhysicalProcessor : 0x72 'r'
   +0x3bd LogicalProcessorsPerCore : 0xe4 ''
   +0x3be PrcbPad0         : [2]  "???3???"
   +0x3c0 MHz              : 0x8966c933
   +0x3c4 CpuVendor        : 0x8c ''
   +0x3c5 GroupIndex       : 0x45 'E'
   +0x3c6 Group            : 0xfedc
   +0x3c8 GroupSetMember   : 0xf883ffff
   +0x3cc Number           : 0x77830f40
   +0x3d0 PrcbPad1         : [72]  "???"
   +0x418 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x4a0 NpxThread        : 0x9ee850ff _KTHREAD
   +0x4a4 InterruptCount   : 0x8bffffe2
   +0x4a8 KernelTime       : 0xfff85f8
   +0x4ac UserTime         : 0x29e8c
   +0x4b0 DpcTime          : 0x50958b00
   +0x4b4 DpcTimeCount     : 0x8dfffffe
   +0x4b8 InterruptTime    : 0xfffe3c85
   +0x4bc AdjustDpcThreshold : 0x46a50ff
   +0x4c0 PageColor        : 0xbd8d046a
   +0x4c4 DebuggerSavedIRQL : 0x48 'H'
   +0x4c5 NodeColor        : 0xfe ''
   +0x4c6 PrcbPad20        : [2]  "??????"
   +0x4c8 NodeShiftedColor : 0x823390b9
   +0x4cc ParentNode       : 0xea81e882 _KNODE
   +0x4d0 SecondaryColorMask : 0xf88bffff
   +0x4d4 DpcTimeLimit     : 0xf7dff85
   +0x4d8 PrcbPad21        : [2] 0x34ff81
   +0x4e0 CcFastReadNoWait : 0x26ae9
   +0x4e4 CcFastReadWait   : 0x8b0aeb00
   +0x4e8 CcFastReadNotPossible : 0xfffe3c85
   +0x4ec CcCopyReadNoWait : 0x75c085ff
   +0x4f0 CcCopyReadWait   : 0x1246c606
   +0x4f4 CcCopyReadNoWaitMiss : 0x8803ebff
   +0x4f8 MmSpinLockOrdering : 0n-1786047930
   +0x4fc IoReadOperationCount : 0n-432
   +0x500 IoWriteOperationCount : 0n-30636659
   +0x504 IoOtherOperationCount : 0n1783693311
   +0x508 IoReadTransferCount : _LARGE_INTEGER 0xfffe48bd`8d0b6a08
   +0x510 IoWriteTransferCount : _LARGE_INTEGER 0x38e88282`33a0b9ff
   +0x518 IoOtherTransferCount : _LARGE_INTEGER 0x7dff85f8`8bffffea
   +0x520 CcFastMdlReadNoWait : 0x34ff810f
   +0x524 CcFastMdlReadWait : 0x74c00000
   +0x528 CcFastMdlReadNotPossible : 0x221e919
   +0x52c CcMapDataNoWait  : 0x12eb0000
   +0x530 CcMapDataWait    : 0xfe2c858b
   +0x534 CcPinMappedDataCount : 0x8d8bffff
   +0x538 CcPinReadNoWait  : 0xfffffe30
   +0x53c CcPinReadWait    : 0xd10bd08b
   +0x540 CcMdlReadNoWait  : 0x4e830a75
   +0x544 CcMdlReadWait    : 0x4e83ff18
   +0x548 CcLazyWriteHotSpots : 0x6ebff1c
   +0x54c CcLazyWriteIos   : 0x89184689
   +0x550 CcLazyWritePages : 0x958b1c4e
   +0x554 CcDataFlushes    : 0xfffffe50
   +0x558 CcDataPages      : 0xfe38858d
   +0x55c CcLostDelayedWrites : 0x6a50ffff
   +0x560 CcFastReadResourceMiss : 0x8d046a04
   +0x564 CcCopyReadWaitMiss : 0xfffe48bd
   +0x568 CcFastMdlReadResourceMiss : 0x33b0b9ff
   +0x56c CcMapDataNoWaitMiss : 0xe0e88282
   +0x570 CcMapDataWaitMiss : 0x8bffffe9
   +0x574 CcPinReadNoWaitMiss : 0x7dff85f8
   +0x578 CcPinReadWaitMiss : 0x34ff8112
   +0x57c CcMdlReadNoWaitMiss : 0xfc00000
   +0x580 CcMdlReadWaitMiss : 0x1ca85
   +0x584 CcReadAheadIos   : 0x20668300
   +0x588 KeAlignmentFixupCount : 0x8b09eb00
   +0x58c KeExceptionDispatchCount : 0xfffe3885
   +0x590 KeSystemCalls    : 0x204689ff
   +0x594 AvailableTime    : 0xfe44858d
   +0x598 PrcbPad22        : [2] 0xff50ffff
   +0x5a0 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1820 PacketBarrier    : 0x458b1375
   +0x1824 ReverseStall     : 0n11996936
   +0x1828 IpiFrame         : 0x750c4539 Void
   +0x182c PrcbPad3         : [52]  "???"
   +0x1860 CurrentPacket    : [3] 0x3b7402a8 Void
   +0x186c TargetSet        : 0x75033914
   +0x1870 WorkerRoutine    : 0xf845ff2e     void  +fffffffff845ff2e
   +0x1874 IpiFrozen        : 0x3087501
   +0x1878 PrcbPad4         : [40]  "???"
   +0x18a0 RequestSummary   : 0x452b0441
   +0x18a4 SignalDone       : 0x157448f8 _KPRCB
   +0x18a8 PrcbPad50        : [56]  "k???"
   +0x18e0 DpcData          : [2] _KDPC_DATA
   +0x1908 DpcStack         : 0x90c06906 Void
   +0x190c MaximumDpcQueueDepth : 0n1744830464
   +0x1910 DpcRequestRate   : 0x42747346
   +0x1914 MinimumDpcRate   : 0x5030c083
   +0x1918 DpcLastCount     : 0xabafe853
   +0x191c PrcbLock         : 0xf88bfffa
   +0x1920 DpcGate          : _KGATE
   +0x1930 ThreadDpcEnable  : 0x47 'G'
   +0x1931 QuantumEnd       : 0x4 ''
   +0x1932 DpcRoutineActive : 0x8b ''
   +0x1933 IdleSchedule     : 0x46 'F'
   +0x1934 DpcRequestSummary : 0n138905860
   +0x1934 DpcRequestSlot   : [2] 0n-30460
   +0x1934 NormalDpcState   : 0n-30460
   +0x1936 DpcThreadActive  : 0y1
   +0x1936 ThreadDpcState   : 0n2119
   +0x1938 TimerHand        : 0x39fc5d89
   +0x193c LastTick         : 0x8d55761e
   +0x1940 MasterOffset     : 0n1200431950
   +0x1944 PrcbPad41        : [2] 0xf0588940
   +0x194c PeriodicCount    : 0x518bf850
   +0x1950 PeriodicBias     : 0xfc5089e9
   +0x1958 TickOffset       : 0x89f1518b`1089fc45
   +0x1960 TimerTable       : _KTIMER_TABLE
   +0x31a0 CallDpc          : _KDPC
   +0x31c0 ClockKeepAlive   : 0n-14932876
   +0x31c4 ClockCheckSlot   : 0x70 'p'
   +0x31c5 ClockPollCycle   : 0x1c ''
   +0x31c6 PrcbPad6         : [2]  "??????"
   +0x31c8 DpcWatchdogPeriod : 0n342949656
   +0x31cc DpcWatchdogCount : 0n-15699713
   +0x31d0 ThreadWatchdogPeriod : 0n1996430454
   +0x31d4 ThreadWatchdogCount : 0n-11316712
   +0x31d8 KeSpinLockOrdering : 0n-1175971721
   +0x31dc PrcbPad70        : [1] 0x85000102
   +0x31e0 WaitListHead     : _LIST_ENTRY [ 0x8b1c7cc0 - 0x488b2446 ]
   +0x31e8 WaitLock         : 0x8b0e0310
   +0x31ec ReadySummary     : 0x46131440
   +0x31f0 QueueIndex       : 0xffc18304
   +0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x31f8 StartCycles      : 0x8bffffff`68e9084e
   +0x3200 CycleTime        : 0xc0840019`9d3de8cf
   +0x3208 HighCycleTime    : 0xff5c850f
   +0x320c PrcbPad71        : 0x5756ffff
   +0x3210 PrcbPad72        : [2] 0x51e90000`008897ff
   +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0x6a51ff8b - 0xf9806800 ]
   +0x3320 ChainedInterruptList : 0x776fde82 Void
   +0x3324 LookasideIrpFloat : 0n-2079996030
   +0x3328 MmPageFaultCount : 0n1870821087
   +0x332c MmCopyOnWriteCount : 0n-947745665
   +0x3330 MmTransitionCount : 0n1994360837
   +0x3334 MmCacheTransitionCount : 0n2013166978
   +0x3338 MmDemandZeroCount : 0n-926422910
   +0x333c MmPageReadCount  : 0n-1017511937
   +0x3340 MmPageReadIoCount : 0n-1869574000
   +0x3344 MmCacheReadCount : 0n1442810768
   +0x3348 MmCacheIoCount   : 0n1301015691
   +0x334c MmDirtyPagesWriteCount : 0n272730888
   +0x3350 MmDirtyWriteIoCount : 0n856441131
   +0x3354 MmMappedPagesWriteCount : 0n141686738
   +0x3358 MmMappedWriteIoCount : 0n311901
   +0x335c CachedCommit     : 0x90909090
   +0x3360 CachedResidentAvailable : 0x55ff8b90
   +0x3364 HyperPte         : 0xec83ec8b Void
   +0x3368 PrcbPad8         : [4]  "8???"
   +0x336c VendorString     : [13]  "SVW???"
   +0x3379 InitialApicId    : 0 ''
   +0x337a LogicalProcessorsPerPhysicalProcessor : 0x56 'V'
   +0x337b PrcbPad9         : [5]  "3???"
   +0x3380 FeatureBits      : 0x9147e818
   +0x3388 UpdateSignature  : _LARGE_INTEGER 0x19684`0fc33bf4
   +0x3390 IsrTime          : 0x6a000004`00685700
   +0x3398 RuntimeAccumulation : 0x4589fffa`912fe801
   +0x33a0 PowerState       : _PROCESSOR_POWER_STATE
   +0x3468 DpcWatchdogDpc   : _KDPC
   +0x3488 DpcWatchdogTimer : _KTIMER
   +0x34b0 WheaInfo         : 0x39c00000 Void
   +0x34b4 EtwSupport       : 0x187df85d Void
   +0x34b8 InterruptObjectPool : _SLIST_HEADER
   +0x34c0 HypercallPageList : _SLIST_HEADER
   +0x34c8 HypercallPageVirtual : 0x3b46fff0 Void
   +0x34cc VirtualApicAssist : 0xef72d875 Void
   +0x34d0 StatisticsPage   : 0x76fec0b9  -> ??
   +0x34d4 RateControl      : 0x24ede882 Void
   +0x34d8 Cache            : [5] _CACHE_DESCRIPTOR
   +0x3514 CacheCount       : 0xfa9a69e8
   +0x3518 CacheProcessorMask : [5] 0xf8458bff
   +0x352c PackageProcessorSet : _KAFFINITY_EX
   +0x3538 PrcbPad91        : [1] 0x8b55ff8b
   +0x353c CoreProcessorSet : 0xf8e483ec
   +0x3540 TimerExpirationDpc : _KDPC
   +0x3560 SpinLockAcquireCount : 0xe8016a53
   +0x3564 SpinLockContentionCount : 0xfffa8f65
   +0x3568 SpinLockSpinCount : 0xf685f08b
   +0x356c IpiSendRequestBroadcastCount : 0x95840f
   +0x3570 IpiSendRequestRoutineCount : 0x448d0000
   +0x3574 IpiSendSoftwareInterruptCount : 0x53501c24
   +0x3578 ExInitializeResourceCount : 0xff006a56
   +0x357c ExReInitializeResourceCount : 0xff242474
   +0x3580 ExDeleteResourceCount : 0xe82c2474
   +0x3584 ExecutiveResourceAcquiresCount : 0xffec3fa4
   +0x3588 ExecutiveResourceContentionsCount : 0xff85f88b
   +0x358c ExecutiveResourceReleaseExclusiveCount : 0xff81207d
   +0x3590 ExecutiveResourceReleaseSharedCount : 0x80000005
   +0x3594 ExecutiveResourceConvertsCount : 0xff810874
   +0x3598 ExAcqResExclusiveAttempts : 0xc0000023
   +0x359c ExAcqResExclusiveAcquiresExclusive : 0x6a7075
   +0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : 0x99dce856
   +0x35a4 ExAcqResExclusiveWaits : 0x5c8bfffa
   +0x35a8 ExAcqResExclusiveNotAcquires : 0xf6331c24
   +0x35ac ExAcqResSharedAttempts : 0x8b66a9eb
   +0x35b0 ExAcqResSharedAcquiresExclusive : 0x548b0c46
   +0x35b4 ExAcqResSharedAcquiresShared : 0x89661824
   +0x35b8 ExAcqResSharedAcquiresSharedRecursive : 0x66222444
   +0x35bc ExAcqResSharedWaits : 0x20244489
   +0x35c0 ExAcqResSharedNotAcquires : 0x8910468d
   +0x35c4 ExAcqResSharedStarveExclusiveAttempts : 0x68242444
   +0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : 0xf003f
   +0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : 0x2424448d
   +0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : 0x24448d50
   +0x35d4 ExAcqResSharedStarveExclusiveWaits : 0x241ee818
   +0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : 0xf88b0008
   +0x35dc ExAcqResSharedWaitForExclusiveAttempts : 0x387cff85
   +0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : 0x8d0c75ff
   +0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : 0x50242444
   +0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : 0x182474ff
   +0x35ec ExAcqResSharedWaitForExclusiveWaits : 0xff0855ff
   +0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : 0x8b102474
   +0x35f4 ExSetResOwnerPointerExclusive : 0x3a0ae8f8
   +0x35f8 ExSetResOwnerPointerSharedNew : 0xff85ffec
   +0x35fc ExSetResOwnerPointerSharedOld : 0x44ff1874
   +0x3600 ExTryToAcqExclusiveAttempts : 0x50e91424
   +0x3604 ExTryToAcqExclusiveAcquires : 0xbfffffff
   +0x3608 ExBoostExclusiveOwner : 0xc000009a
   +0x360c ExBoostSharedOwners : 0xff810aeb
   +0x3610 ExEtwSynchTrackingNotificationsCount : 0x8000001a
   +0x3614 ExEtwSynchTrackingNotificationsAccountedCount : 0xff330275
   +0x3618 Context          : 0x0874f685 _CONTEXT
   +0x361c ContextFlags     : 0xe856006a
   +0x3620 ExtendedState    : 0xfffa995e _XSAVE_AREA

[4] @ 82780160 
---------------------------------------------
   +0x000 MinorVersion     : 0x8b5b
   +0x002 MajorVersion     : 0x5de5
   +0x004 CurrentThread    : 0x900008c2 _KTHREAD
   +0x008 NextThread       : 0x90909090 _KTHREAD
   +0x00c IdleThread       : 0x8b55ff8b _KTHREAD
   +0x010 LegacyNumber     : 0xec ''
   +0x011 NestingLevel     : 0x53 'S'
   +0x012 BuildType        : 0x5756
   +0x014 CpuType          : -117 ''
   +0x015 CpuID            : 125 '}'
   +0x016 CpuStep          : 0x8b10
   +0x016 CpuStepping      : 0x10 ''
   +0x017 CpuModel         : 0x8b ''
   +0x018 ProcessorState   : _KPROCESSOR_STATE
   +0x338 KernelReserved   : [16] 0x840ff685
   +0x378 HalReserved      : [16] 0xe992c9e8
   +0x3b8 CFlushSize       : 0x3b0007ac
   +0x3bc CoresPerPhysicalProcessor : 0xc7 ''
   +0x3bd LogicalProcessorsPerCore : 0x7c '|'
   +0x3be PrcbPad0         : [2]  "Y???D$???"
   +0x3c0 MHz              : 0x83142444
   +0x3c4 CpuVendor        : 0x78 'x'
   +0x3c5 GroupIndex       : 0x4 ''
   +0x3c6 Group            : 0x7504
   +0x3c8 GroupSetMember   : 0xc788310
   +0x3cc Number           : 0x8b0a7204
   +0x3d0 PrcbPad1         : [72]  "H???"
   +0x418 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x4a0 NpxThread        : 0x852c7400 _KTHREAD
   +0x4a4 InterruptCount   : 0xd89e
   +0x4a8 KernelTime       : 0x83097400
   +0x4ac UserTime         : 0xe0be
   +0x4b0 DpcTime          : 0x1b740100
   +0x4b4 DpcTimeCount     : 0xd8be21
   +0x4b8 InterruptTime    : 0x868d0000
   +0x4bc AdjustDpcThreshold : 0xe0
   +0x4c0 PageColor        : 0x9002083
   +0x4c4 DebuggerSavedIRQL : 0x9e ''
   +0x4c5 NodeColor        : 0xd8 ''
   +0x4c6 PrcbPad20        : [2]  ""
   +0x4c8 NodeShiftedColor : 0x1d00c700
   +0x4cc ParentNode       : 0xf7000000 _KNODE
   +0x4d0 SecondaryColorMask : 0xd886
   +0x4d4 DpcTimeLimit     : 0x600000
   +0x4d8 PrcbPad21        : [2] 0x850d7400
   +0x4e0 CcFastReadNoWait : 0xe8057500
   +0x4e4 CcFastReadWait   : 0x14d402
   +0x4e8 CcFastReadNotPossible : 0xd8868b
   +0x4ec CcCopyReadNoWait : 0xc3230000
   +0x4f0 CcCopyReadWait   : 0xbe830974
   +0x4f4 CcCopyReadNoWaitMiss : 0xe0
   +0x4f8 MmSpinLockOrdering : 0n-2059766762
   +0x4fc IoReadOperationCount : 0n-2096532288
   +0x500 IoWriteOperationCount : 0n57534
   +0x504 IoOtherOperationCount : 0n762584320
   +0x508 IoReadTransferCount : _LARGE_INTEGER 0x75ff5014`468d016a
   +0x510 IoWriteTransferCount : _LARGE_INTEGER 0xc0850004`cacae808
   +0x518 IoOtherTransferCount : _LARGE_INTEGER 0xd8`be211b75
   +0x520 CcFastMdlReadNoWait : 0xe0868d
   +0x524 CcFastMdlReadWait : 0x20830000
   +0x528 CcFastMdlReadNotPossible : 0xd89e0900
   +0x52c CcMapDataNoWait  : 0xc7000000
   +0x530 CcMapDataWait    : 0x1600
   +0x534 CcPinMappedDataCount : 0x8d006a00
   +0x538 CcPinReadNoWait  : 0x6a501c46
   +0x53c CcPinReadWait    : 0x145e8d01
   +0x540 CcMdlReadNoWait  : 0xbc97e853
   +0x544 CcMdlReadWait    : 0x468b0003
   +0x548 CcLazyWriteHotSpots : 0xf9e85310
   +0x54c CcLazyWriteIos   : 0x8b0003a6
   +0x550 CcLazyWritePages : 0xe810244c
   +0x554 CcDataFlushes    : 0xfff0223c
   +0x558 CcDataPages      : 0x2024448d
   +0x55c CcLostDelayedWrites : 0x24448d50
   +0x560 CcFastReadResourceMiss : 0x46a5020
   +0x564 CcCopyReadWaitMiss : 0xff57ff33
   +0x568 CcFastMdlReadResourceMiss : 0x89202474
   +0x56c CcMapDataNoWaitMiss : 0xe830247c
   +0x570 CcMapDataWaitMiss : 0x3d297
   +0x574 CcPinReadNoWaitMiss : 0x2a7cc085
   +0x578 CcPinReadWaitMiss : 0x1c247c39
   +0x57c CcMdlReadNoWaitMiss : 0x74ff2474
   +0x580 CcMdlReadWaitMiss : 0x76ff1c24
   +0x584 CcReadAheadIos   : 0xff046a10
   +0x588 KeAlignmentFixupCount : 0x76fd2c15
   +0x58c KeExceptionDispatchCount : 0x7cc08582
   +0x590 KeSystemCalls    : 0xd88e8307
   +0x594 AvailableTime    : 0x40000000
   +0x598 PrcbPad22        : [2] 0x2474ff57
   +0x5a0 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1820 PacketBarrier    : 0x4852e8f4
   +0x1824 ReverseStall     : 0n-1010171927
   +0x1828 IpiFrame         : 0x90909090 Void
   +0x182c PrcbPad3         : [52]  "???"
   +0x1860 CurrentPacket    : [3] 0x8b827498 Void
   +0x186c TargetSet        : 0xf0418d05
   +0x1870 WorkerRoutine    : 0xc03302eb     void  +ffffffffc03302eb
   +0x1874 IpiFrozen        : 0x7502c1f6
   +0x1878 PrcbPad4         : [40]  "???"
   +0x18a0 RequestSummary   : 0xc0856600
   +0x18a4 SignalDone       : 0x418d1875 _KPRCB
   +0x18a8 PrcbPad50        : [56]  "@9"
   +0x18e0 DpcData          : [2] _KDPC_DATA
   +0x1908 DpcStack         : 0xffff7cf5 Void
   +0x190c MaximumDpcQueueDepth : 0n518582411
   +0x1910 DpcRequestRate   : 0x85000000
   +0x1914 MinimumDpcRate   : 0xc6097cf6
   +0x1918 DpcLastCount     : 0x74956805
   +0x191c PrcbLock         : 0x5eb0182
   +0x1920 DpcGate          : _KGATE
   +0x1930 ThreadDpcEnable  : 0x90 ''
   +0x1931 QuantumEnd       : 0xa1 ''
   +0x1932 DpcRoutineActive : 0xa8 ''
   +0x1933 IdleSchedule     : 0x98 ''
   +0x1934 DpcRequestSummary : 0n-1064992140
   +0x1934 DpcRequestSlot   : [2] 0n-32140
   +0x1934 NormalDpcState   : 0n-32140
   +0x1936 DpcThreadActive  : 0y1
   +0x1936 ThreadDpcState   : 0n-16251
   +0x1938 TimerHand        : 0x6a0f74
   +0x193c LastTick         : 0x8018e850
   +0x1940 MasterOffset     : 0n629407738
   +0x1944 PrcbPad41        : [2] 0x827498a8
   +0x194c PeriodicCount    : 0x8b909090
   +0x1950 PeriodicBias     : 0xec8b55ff
   +0x1958 TickOffset       : 0x5756085d`8b5300fc
   +0x1960 TimerTable       : _KTIMER_TABLE
   +0x31a0 CallDpc          : _KDPC
   +0x31c0 ClockKeepAlive   : 0n1717094981
   +0x31c4 ClockCheckSlot   : 0x89 ''
   +0x31c5 ClockPollCycle   : 0x45 'E'
   +0x31c6 PrcbPad6         : [2]  "??????"
   +0x31c8 DpcWatchdogPeriod : 0n1791903113
   +0x31cc DpcWatchdogCount : 0n-1989781501
   +0x31d0 ThreadWatchdogPeriod : 0n-1070346171
   +0x31d4 ThreadWatchdogCount : 0n-767194778
   +0x31d8 KeSpinLockOrdering : 0n1717047402
   +0x31dc PrcbPad70        : [1] 0x8bd44589
   +0x31e0 WaitListHead     : _LIST_ENTRY [ 0x458966c6 - 0x458966d6 ]
   +0x31e8 WaitLock         : 0x6ac033d8
   +0x31ec ReadySummary     : 0x45896614
   +0x31f0 QueueIndex       : 0x896658da
   +0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x31f8 StartCycles      : 0xabf3e07d`8d59c033
   +0x3200 CycleTime        : 0x458dec45`89b8458d
   +0x3208 HighCycleTime    : 0xe44589f8
   +0x320c PrcbPad71        : 0x50e0458d
   +0x3210 PrcbPad72        : [2] 0xfc45c782`97447868
   +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0xe045c7 - 0xc7000001 ]
   +0x3320 ChainedInterruptList : 0x743e40bf Void
   +0x3324 LookasideIrpFloat : 0n-18327678
   +0x3328 MmPageFaultCount : 0n-1962931885
   +0x332c MmCopyOnWriteCount : 0n2096530928
   +0x3330 MmTransitionCount : 0n1786276407
   +0x3334 MmCacheTransitionCount : 0n363904512
   +0x3338 MmDemandZeroCount : 0n-396983693
   +0x333c MmPageReadCount  : 0n-1316448
   +0x3340 MmPageReadIoCount : 0n1779221635
   +0x3344 MmCacheReadCount : 0n-1107531776
   +0x3348 MmCacheIoCount   : 0n-11107744
   +0x334c MmDirtyPagesWriteCount : 0n96930933
   +0x3350 MmDirtyWriteIoCount : 0n-2106387024
   +0x3354 MmMappedPagesWriteCount : 0n120
   +0x3358 MmMappedWriteIoCount : 0n-402098689
   +0x335c CachedCommit     : 0x15
   +0x3360 CachedResidentAvailable : 0xe8f08b57
   +0x3364 HyperPte         : 0x00096a54 Void
   +0x3368 PrcbPad8         : [4]  "_???"
   +0x336c VendorString     : [13]  "]???"
   +0x3379 InitialApicId    : 0xec ''
   +0x337a LogicalProcessorsPerPhysicalProcessor : 0x83 ''
   +0x337b PrcbPad9         : [5]  "???"
   +0x3380 FeatureBits      : 0x80
   +0x3388 UpdateSignature  : _LARGE_INTEGER 0x163e9`c000000d
   +0x3390 IsrTime          : 0x75783983`104d8b00
   +0x3398 RuntimeAccumulation : 0xee3b8108`5d8b53ee
   +0x33a0 PowerState       : _PROCESSOR_POWER_STATE
   +0x3468 DpcWatchdogDpc   : _KDPC
   +0x3488 DpcWatchdogTimer : _KTIMER
   +0x34b0 WheaInfo         : 0xf08bff33 Void
   +0x34b4 EtwSupport       : 0x74f87d39 Void
   +0x34b8 InterruptObjectPool : _SLIST_HEADER
   +0x34c0 HypercallPageList : _SLIST_HEADER
   +0x34c8 HypercallPageVirtual : 0x6be8d475 Void
   +0x34cc VirtualApicAssist : 0x89000966 Void
   +0x34d0 StatisticsPage   : 0x7d89d07d  -> ??
   +0x34d4 RateControl      : 0x7cf73bd4 Void
   +0x34d8 Cache            : [5] _CACHE_DESCRIPTOR
   +0x3514 CacheCount       : 0x78890789
   +0x3518 CacheProcessorMask : [5] 0x873ff04
   +0x352c PackageProcessorSet : _KAFFINITY_EX
   +0x3538 PrcbPad91        : [1] 0xffefbe29
   +0x353c CoreProcessorSet : 0xe6753639
   +0x3540 TimerExpirationDpc : _KDPC
   +0x3560 SpinLockAcquireCount : 0x8d505050
   +0x3564 SpinLockContentionCount : 0xe8501047
   +0x3568 SpinLockSpinCount : 0xffefb670
   +0x356c IpiSendRequestBroadcastCount : 0x696d5768
   +0x3570 IpiSendRequestRoutineCount : 0xe3e85770
   +0x3574 IpiSendSoftwareInterruptCount : 0x39fffa63
   +0x3578 ExInitializeResourceCount : 0x5fd97536
   +0x357c ExReInitializeResourceCount : 0x90c35b5e
   +0x3580 ExDeleteResourceCount : 0x90909090
   +0x3584 ExecutiveResourceAcquiresCount : 0x8b55ff8b
   +0x3588 ExecutiveResourceContentionsCount : 0x658351ec
   +0x358c ExecutiveResourceReleaseExclusiveCount : 0x565300fc
   +0x3590 ExecutiveResourceReleaseSharedCount : 0x840fff85
   +0x3594 ExecutiveResourceConvertsCount : 0x11b
   +0x3598 ExAcqResExclusiveAttempts : 0x10087d83
   +0x359c ExAcqResExclusiveAcquiresExclusive : 0x111820f
   +0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : 0xa1640000
   +0x35a4 ExAcqResExclusiveWaits : 0x124
   +0x35a8 ExAcqResExclusiveNotAcquires : 0x8488ff66
   +0x35ac ExAcqResSharedAttempts : 0x6a000000
   +0x35b0 ExAcqResSharedAcquiresExclusive : 0x48006801
   +0x35b4 ExAcqResSharedAcquiresShared : 0xdce88274
   +0x35b8 ExAcqResSharedAcquiresSharedRecursive : 0x8bfff05d
   +0x35bc ExAcqResSharedWaits : 0x74483835
   +0x35c0 ExAcqResSharedNotAcquires : 0xf0c68382
   +0x35c4 ExAcqResSharedStarveExclusiveAttempts : 0xbb10468d
   +0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : 0x82744838
   +0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : 0x1274c33b
   +0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : 0xe390f8b
   +0x35d4 ExAcqResSharedStarveExclusiveWaits : 0x308b6574
   +0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : 0x8d10ee83
   +0x35dc ExAcqResSharedWaitForExclusiveAttempts : 0xc33b1046
   +0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : 0x7f80f075
   +0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : 0x840f0004
   +0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : 0x86
   +0x35ec ExAcqResSharedWaitForExclusiveWaits : 0x46524168
   +0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : 0x6a186a54
   +0x35f4 ExSetResOwnerPointerExclusive : 0x58abe801
   +0x35f8 ExSetResOwnerPointerSharedNew : 0xc085fffa
   +0x35fc ExSetResOwnerPointerSharedOld : 0xf8b3474
   +0x3600 ExTryToAcqExclusiveAttempts : 0x4f8b0889
   +0x3604 ExTryToAcqExclusiveAcquires : 0x8488908
   +0x3608 ExBoostExclusiveOwner : 0x890c4f8b
   +0x360c ExBoostSharedOwners : 0x708d0c48
   +0x3610 ExEtwSynchTrackingNotificationsCount : 0x4768910
   +0x3614 ExEtwSynchTrackingNotificationsAccountedCount : 0x488b3689
   +0x3618 Context          : 0xf176e80c _CONTEXT
   +0x361c ContextFlags     : 0x3ca1ffef
   +0x3620 ExtendedState    : 0x89827448 _XSAVE_AREA

Linked Lists
The versatile dt command can also traverse linked lists. However, the linked list needs to be designed and implemented in a particular fashion. I am purposefully omitting this discussion here and would like to cover it in a separate blog entry, as it is a slightly advanced topic and also needs some explanation of how linked lists are organized in Windows.

Update [11-Sept-2014]: I have created a blog entry to explain linked lists. Here is the link to it.