Jaa


How to catch shutdowns that don’t go to debugger or cause bugchecks

Sometimes a system just goes offline or reboots and we cannot catch it in the debugger or it is not a stop error (bugcheck) so that machine just reboots from underneath you. One technique you can use is to set a breakpoint on nt!NtSetSystemPowerState. This function is the last thing called during ANY type of reboot. So you will see the calling function by using this.

Most of the time when I use this its a system that is stuck in a reboot loop on boot and it keeps loading the OS and then reboots again.  I think the last time I hit this it was because someone copied over an x64 binary onto an x86 system for NTDSAI.dll so LSASS was tanking.

Here's an example:

kd> bp nt!NtSetSystemPowerState //Set the BP

kd> g
Breakpoint 0 hit
nt!NtSetSystemPowerState:
809c7c84 68bc000000 push 0BCh
kd> k
ChildEBP RetAddr
f6667d44 809b297d nt!NtSetSystemPowerState
f6667d58 808234cb nt!NtShutdownSystem+0x32
f6667d58 7c8285ec nt!KiFastCallEntry+0xf8
0134ff74 7c827b9b ntdll!KiFastSystemCallRet
0134ffb8 77e64829 ntdll!ZwShutdownSystem+0xc
0134ffa0 0101f1ce kernel32!BaseThreadStart+0x34

kd> .reload
Connected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
..........................................................................................
Loading User Symbols
..........................................................................
Loading unloaded module list
...................
kd> k
ChildEBP RetAddr
f6667d44 809b297d nt!NtSetSystemPowerState
f6667d58 808234cb nt!NtShutdownSystem+0x32
f6667d58 7c8285ec nt!KiFastCallEntry+0xf8
0134ff74 7c827b9b ntdll!KiFastSystemCallRet
0134ff78 0102ad63 ntdll!ZwShutdownSystem+0xc
0134ffa0 0101f1ce winlogon!ShutdownThread+0x18c
0134ffb8 77e64829 winlogon!LogoffThreadProc+0x36
0134ffec 00000000 kernel32!BaseThreadStart+0x34

kd> !pcr
KPCR for Processor 0 at ffdff000:
Major 1 Minor 1
NtTib.ExceptionList: f666764c
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80042000
NtTib.Version: 0002492d
NtTib.UserPointer: 00000001
NtTib.SelfTib: 7ffa5000

                    SelfPcr: ffdff000
Prcb: ffdff120
Irql: 00000000
IRR: 00000000
IDR: ffff24f0
InterruptMode: 00000000
IDT: 8003f400
GDT: 8003f000
TSS: 80042000

              CurrentThread: 82aa03a8
NextThread: 00000000
IdleThread: 8089fd80

                  DpcQueue:
kd> !thread 82aa03a8 //Looks like this instance it was Winlogon that was shutting the system down.
THREAD 82aa03a8 Cid 0160.046c Teb: 7ffa5000 Win32Thread: e1032868 RUNNING on processor 0
Not impersonating
DeviceMap e1001358
Owning Process 82b36548 Image: winlogon.exe
Wait Start TickCount 176590 Ticks: 0
Context Switch Count 175 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.290
Win32 Start Address winlogon!LogoffThreadProc (0x0101f198)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f6668000 Current f6667a84 Base f6668000 Limit f6663000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f6667d44 809b297d 00000005 00000004 c0000004 nt!NtSetSystemPowerState (FPO: [Non-Fpo])
f6667d58 808234cb 00000001 0134ffa0 7c8285ec nt!NtShutdownSystem+0x32 (FPO: [Non-Fpo])
f6667d58 7c8285ec 00000001 0134ffa0 7c8285ec nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6667d64)
0134ff74 7c827b9b 0102ad63 00000001 00002000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0134ff78 0102ad63 00000001 00002000 0007ab38 ntdll!ZwShutdownSystem+0xc (FPO: [1,0,0])
0134ffa0 0101f1ce 0134ffc0 00000000 00000000 winlogon!ShutdownThread+0x18c (FPO: [Non-Fpo])
0134ffb8 77e64829 00003907 00000000 00000000 winlogon!LogoffThreadProc+0x36 (FPO: [Non-Fpo])
0134ffec 00000000 0101f198 012ffa68 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])

Comments

  • Anonymous
    February 15, 2010
    This was very useful, awesome. Thanks. I have an issue with wininit.exe causing the shutdown after installing several drivers. Couldn't corelate this to the drivers through.....