Microsoft (R) Windows Debugger Version 10.0.25136.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Dump completed successfully, progress percentage: 100

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 22000 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 22000.1.amd64fre.co_release.210604-1628
Machine Name:
Kernel base = 0xfffff801`11a00000 PsLoadedModuleList = 0xfffff801`126297b0
Debug session time: Thu Sep 15 00:30:56.672 2022 (UTC + 3:00)
System Uptime: 0 days 23:35:22.976
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...................................
Loading User Symbols
................................................................
........................................
Loading unloaded module list
.....................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff801`11e1acf0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffba8e`071df820=00000000000000ef

0: kd> !process
PROCESS ffffd281882020c0
    SessionId: 0 Cid: 0410 Peb: 13db8cc000 ParentCid: 03b0
    DirBase: 1095fa002 ObjectTable: ffff8f8ce2bf0040 HandleCount: 1826.
    Image: svchost.exe
    VadRoot ffffd28187a5e880 Vads 180 Clone 0 Private 2928. Modified 26157. Locked 2.
    DeviceMap ffff8f8ce243abc0
    Token ffff8f8ce766d0a0
    ElapsedTime 23:35:18.419
    UserTime 00:00:03.125
    KernelTime 00:00:05.281
    QuotaPoolUsage[PagedPool] 643928
    QuotaPoolUsage[NonPagedPool] 30104
    Working Set Sizes (now,min,max) (8565, 50, 345) (34260KB, 200KB, 1380KB)
    PeakWorkingSetSize 9358
    VirtualSize 2101397 Mb
    PeakVirtualSize 2101427 Mb
    PageFaultCount 75837
    MemoryPriority BACKGROUND
    BasePriority 8
    CommitCharge 3470

        THREAD ffffd28188203080 Cid 0410.0414 Teb: 00000013db8cd000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd28187bd3b60 SynchronizationEvent

        THREAD ffffd2818822f240 Cid 0410.0494 Teb: 00000013db8e3000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28188234480 QueueObject

        THREAD ffffd281882f2080 Cid 0410.04fc Teb: 00000013db8ef000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd28187bf1ae0 SynchronizationEvent
            ffffd28187bf1a60 SynchronizationEvent

        THREAD ffffd2818837d080 Cid 0410.0584 Teb: 00000013db8fb000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd2817fce2ba0 NotificationEvent
            ffffd28187bf2e60 SynchronizationEvent
            ffffd28187bf2ee0 SynchronizationEvent

        THREAD ffffd281897f4580 Cid 0410.1f68 Teb: 00000013db901000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd2818945ba40 QueueObject

        THREAD ffffd2818b0d6080 Cid 0410.1148 Teb: 00000013db92b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd2818b5ba600 QueueObject

        THREAD ffffd2818f856080 Cid 0410.2dac Teb: 00000013db949000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd2818baed5f0 SynchronizationTimer

        THREAD ffffd2818f215080 Cid 0410.5ff0 Teb: 00000013db97f000 Win32Thread: ffffd2819a245850 WAIT: (WrQueue) UserMode Alertable
            ffffd28187bccf80 QueueObject

        THREAD ffffd2819d25b080 Cid 0410.4a84 Teb: 00000013db987000 Win32Thread: ffffd2819a2449f0 WAIT: (WrQueue) UserMode Alertable
            ffffd28187bccf80 QueueObject

        THREAD ffffd2818afe2040 Cid 0410.1468 Teb: 00000013db989000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28187bcd300 QueueObject

        THREAD ffffd2818c3a2080 Cid 0410.5a40 Teb: 00000013db995000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28188304e80 QueueObject

        THREAD ffffd2818d2c5080 Cid 0410.1ec0 Teb: 00000013db997000 Win32Thread: ffffd281948931a0 WAIT: (WrQueue) UserMode Alertable
            ffffd28187bccf80 QueueObject

        THREAD ffffd2818ee78080 Cid 0410.4804 Teb: 00000013db999000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28187bccf80 QueueObject

        THREAD ffffd2818beb3080 Cid 0410.0208 Teb: 00000013db99b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28187bccf80 QueueObject

        THREAD ffffd281897ed080 Cid 0410.3918 Teb: 00000013db99d000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28187bccf80 QueueObject

        THREAD ffffd281886db080 Cid 0410.5164 Teb: 00000013db99f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28189f6ab80 QueueObject

        THREAD ffffd2818a4b9080 Cid 0410.2610 Teb: 00000013db9a1000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28188304e80 QueueObject

        THREAD ffffd28185f7d080 Cid 0410.2828 Teb: 00000013db9a3000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28188304e80 QueueObject

        THREAD ffffd2818f909080 Cid 0410.06a4 Teb: 00000013db9a5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28188304e80 QueueObject

        THREAD ffffd2818ad5e080 Cid 0410.5588 Teb: 00000013db9a9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28188303600 QueueObject

        THREAD ffffd2818c985080 Cid 0410.394c Teb: 00000013db9ab000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd28188304e80 QueueObject

0: kd> !thread
THREAD ffffd28188bea080 Cid 0cf0.0d98 Teb: 000000da571d6000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap ffff8f8ce243abc0
Owning Process ffffd28188baa0c0 Image: SbieSvc.exe
Attached Process ffffd281882020c0 Image: svchost.exe
Wait Start TickCount 5435070 Ticks: 0
Context Switch Count 724745 IdealProcessor: 5
UserTime 00:00:05.218
KernelTime 00:00:17.703
Win32 Start Address 0x00007ff684f85980
Stack Init ffffba8e071dfb70 Current ffffba8e071df620
Base ffffba8e071e0000 Limit ffffba8e071d9000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 16 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffba8e`071df818 fffff801`123ad493 : 00000000`000000ef ffffd281`882020c0 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffba8e`071df820 fffff801`122dfd6f : ffffd281`882020c0 fffff801`11c4376d 00000000`00000002 fffff801`11c4365b : nt!PspCatchCriticalBreak+0x11b
ffffba8e`071df8b0 fffff801`120c4194 : ffffd281`882020c0 00000000`00000001 ffffd281`882020c0 00000000`00000101 : nt!PspTerminateAllThreads+0x121e2b
ffffba8e`071df920 fffff801`120c3f70 : ffffffff`ffffffff ffffd281`88baa0c0 ffffd281`88bea080 00000000`00000001 : nt!PspTerminateProcess+0xe0
ffffba8e`071df960 fffff801`11e2d375 : ffffd281`00000410 ffffd281`88bea080 ffffd281`882020c0 ffffd281`00000000 : nt!NtTerminateProcess+0xb0
ffffba8e`071df9e0 00007ffb`6c2a4104 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffba8e`071df9e0)
000000da`595fe9f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0x14