
Looking at the output of kb, this thread is waiting for some event. Now the first argument for this method is the number of handles it's waiting for, but as you can see in the output it has a value of 0024e154. I usually see a number like 2, 3, 4 etc. Any ideas what this means?

    ChildEBP RetAddr  Args to Child
    0024e1a0 75c70208 0024e154 0024e1c8 00000000 kernel32!WaitForMultipleObjectsEx+0x11d
palm snow
  • +0x11d, that's too far into the function to assume you're looking at a reliable call stack. No Windows version mentioned either, no way to check. – Hans Passant Dec 02 '11 at 15:54
  • What does +0x11d indicate here? The process was running on 32-bit Windows Vista – palm snow Dec 02 '11 at 17:46

2 Answers


The call stack does not look reliable. A couple of questions:

  • Have the correct symbols been loaded?
  • If the correct symbols have been loaded, the best approach is to look at the raw stack trace. You can do this by determining where the stack starts and ends. This can be determined with

    !teb

    Look for ExceptionBase and ExceptionLimit output and then dump the raw stack with

    dps begin end

    and analyze the stack

steve

+0x11d is the offset from WaitForMultipleObjectsEx. WinDbg takes the nearest symbol, and when you see such a large offset, it usually means that you don’t have good symbols. The stack frame is probably not in WaitForMultipleObjectsEx at all, and therefore the parameters seem nonsense. Do a

    .symfix
    .reload

before looking at your stack again. If you see the:

WARNING: Frame IP not in any known module. Following frames may be wrong.

you can’t trust the output.

Kjell Gunnar
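
The nearest-symbol behaviour described in the answer above, as an added example that is not part of the original answers: a minimal resolver run over two constructed symbol tables. The module name, function names and addresses are all made up; the point is that the same return address is reported as a large offset from an export when only export symbols are available, and as a small offset from an internal function once full symbols are loaded.

```python
import bisect

# Constructed symbol tables (module, names and addresses are made up).
# Export-only: what a debugger has when it falls back to the DLL export table.
EXPORTS_ONLY = {
    0x1000: "mod!ExportedA",
    0x1400: "mod!ExportedB",
}
# Full symbols: the same module with its internal functions also known.
FULL_SYMBOLS = {
    0x1000: "mod!ExportedA",
    0x1080: "mod!InternalHelper",
    0x1110: "mod!InternalWait",
    0x1400: "mod!ExportedB",
}


def resolve(addr, symbols):
    """Return (name, offset) for the nearest symbol at or below addr, else None."""
    starts = sorted(symbols)
    i = bisect.bisect_right(starts, addr) - 1
    if i < 0:
        return None  # address lies below every known symbol
    base = starts[i]
    return symbols[base], addr - base


def fmt(addr, symbols):
    """Format an address the way a stack trace shows it: name+0xoffset."""
    hit = resolve(addr, symbols)
    if hit is None:
        return f"{addr:#x}"
    name, off = hit
    return f"{name}+{off:#x}" if off else name


if __name__ == "__main__":
    ret_addr = 0x111D  # constructed return address inside mod!InternalWait
    print("exports only:", fmt(ret_addr, EXPORTS_ONLY))
    print("full symbols:", fmt(ret_addr, FULL_SYMBOLS))
```

With export-only symbols the resolver has no choice but to attribute the address to the closest preceding export, so the frame name and anything inferred from it (such as the meaning of the displayed arguments) may belong to a different function.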