Difference between revisions of "Techwiki:Win32k/security"

From ReactOS Wiki
Jump to: navigation, search
(Calls from winlogon that initialize security in win32k)
 
Line 1: Line 1:
  
 
== Calls from winlogon that initialize security in win32k ==
 
== Calls from winlogon that initialize security in win32k ==
 +
  
kd> kb
+
kd> kb
ChildEBP RetAddr Args to Child            
+
ChildEBP RetAddr Args to Child
f7ea6d40 80885614 0006f868 02000000 000000c4 win32k!NtUserCreateWindowStation
+
f7ea6d40 80885614 0006f868 02000000 000000c4 win32k!NtUserCreateWindowStation
f7ea6d40 7c82845c 0006f868 02000000 000000c4 nt!KiSystemServicePostCall
+
f7ea6d40 7c82845c 0006f868 02000000 000000c4 nt!KiSystemServicePostCall
0006f828 77384086 77384025 0006f868 02000000 ntdll!KiFastSystemCallRet
+
0006f828 77384086 77384025 0006f868 02000000 ntdll!KiFastSystemCallRet
0006fb74 77383e8e 0006fb8c 02000000 00000000 USER32!NtUserCreateWindowStation+0xc
+
0006fb74 77383e8e 0006fb8c 02000000 00000000 USER32!NtUserCreateWindowStation+0xc
0006fb94 01030c70 01012734 00000000 02000000 USER32!CreateWindowStationW+0x26
+
0006fb94 01030c70 01012734 00000000 02000000 USER32!CreateWindowStationW+0x26
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x13e
+
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x13e
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
+
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
+
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
  
-----------------------
 
kd> kb
 
ChildEBP RetAddr  Args to Child             
 
0006fb64 010277ea 000000c8 0006fb8c 0007cf80 USER32!SetUserObjectSecurity
 
0006fb80 0102792a 0007ca70 00000004 000000c8 winlogon!AceListSetWinstaSecurity+0x30
 
0006fba0 01030c88 00020166 77e62f8d 77e42014 winlogon!InitializeWinstaSecurity+0x130
 
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x156
 
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
 
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
 
kd> dps esp
 
0006fb68  010277ea winlogon!AceListSetWinstaSecurity+0x30
 
0006fb6c  000000c8
 
0006fb70  0006fb8c
 
0006fb74  0007cf80
 
0006fb78  0007c090
 
0006fb7c  0007ca70
 
0006fb80  0006fba0
 
0006fb84  0102792a winlogon!InitializeWinstaSecurity+0x130
 
  
-----------------------
+
kd> kb
kd> kb
+
ChildEBP RetAddr Args to Child
ChildEBP RetAddr Args to Child            
+
0006fb64 010277ea 000000c8 0006fb8c 0007cf80 USER32!SetUserObjectSecurity
f7ea6d48 80885614 0006fb3c 00000000 00000000 win32k!NtUserCreateDesktop
+
0006fb80 0102792a 0007ca70 00000004 000000c8 winlogon!AceListSetWinstaSecurity+0x30
f7ea6d48 7c82845c 0006fb3c 00000000 00000000 nt!KiSystemServicePostCall
+
0006fba0 01030c88 00020166 77e62f8d 77e42014 winlogon!InitializeWinstaSecurity+0x130
0006fb1c 77384147 77384132 0006fb3c 00000000 ntdll!KiFastSystemCallRet
+
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x156
0006fb54 773840d0 0006fb7c 00000000 00000000 USER32!NtUserCreateDesktop+0xc
+
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fb8c 01030ca1 01011ccc 00000000 00000000 USER32!CreateDesktopW+0x42
+
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x16f
+
kd> dps esp
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
+
  0006fb68 010277ea winlogon!AceListSetWinstaSecurity+0x30
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
+
  0006fb6c 000000c8
kd> dps esp
+
  0006fb70 0006fb8c
f7ea6d4c 80885614 nt!KiSystemServicePostCall
+
  0006fb74 0007cf80
f7ea6d50 0006fb3c
+
  0006fb78 0007c090
f7ea6d54 00000000
+
  0006fb7c 0007ca70
f7ea6d58 00000000
+
  0006fb80 0006fba0
f7ea6d5c 00000000
+
  0006fb84 0102792a winlogon!InitializeWinstaSecurity+0x130
f7ea6d60 02000000
 
f7ea6d64 0006fb54
 
f7ea6d68 7c82845c ntdll!KiFastSystemCallRet
 
  
-----------------------
 
kd> kb
 
ChildEBP RetAddr  Args to Child             
 
f7ea6d48 80885614 0006fb3c 00000000 00000000 win32k!NtUserCreateDesktop
 
f7ea6d48 7c82845c 0006fb3c 00000000 00000000 nt!KiSystemServicePostCall
 
0006fb1c 77384147 77384132 0006fb3c 00000000 ntdll!KiFastSystemCallRet
 
0006fb54 773840d0 0006fb7c 00000000 00000000 USER32!NtUserCreateDesktop+0xc
 
0006fb8c 01030cbc 01011cbc 00000000 00000000 USER32!CreateDesktopW+0x42
 
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x18a
 
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
 
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
 
kd> dps esp
 
f7ea6d4c  80885614 nt!KiSystemServicePostCall
 
f7ea6d50  0006fb3c
 
f7ea6d54  00000000
 
f7ea6d58  00000000
 
f7ea6d5c  00000000
 
f7ea6d60  02000000
 
f7ea6d64  0006fb54
 
f7ea6d68  7c82845c ntdll!KiFastSystemCallRet
 
  
-----------------------
+
kd> kb
kd> kb
+
ChildEBP RetAddr Args to Child
ChildEBP RetAddr Args to Child            
+
f7ea6d48 80885614 0006fb3c 00000000 00000000 win32k!NtUserCreateDesktop
0006fb68 01027e5e 000000c0 0006fba8 0007cf60 USER32!SetUserObjectSecurity
+
f7ea6d48 7c82845c 0006fb3c 00000000 00000000 nt!KiSystemServicePostCall
0006fb9c 01030cd5 000000c0 00000004 77e62f8d winlogon!SetWinlogonDesktopSecurity+0x54
+
0006fb1c 77384147 77384132 0006fb3c 00000000 ntdll!KiFastSystemCallRet
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x1a3
+
0006fb54 773840d0 0006fb7c 00000000 00000000 USER32!NtUserCreateDesktop+0xc
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
+
0006fb8c 01030ca1 01011ccc 00000000 00000000 USER32!CreateDesktopW+0x42
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
+
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x16f
kd> dps esp
+
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fb6c 01027e5e winlogon!SetWinlogonDesktopSecurity+0x54
+
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
0006fb70 000000c0
+
kd> dps esp
0006fb74 0006fba8
+
  f7ea6d4c 80885614 nt!KiSystemServicePostCall
0006fb78 0007cf60
+
  f7ea6d50 0006fb3c
0006fb7c 02000000
+
  f7ea6d54 00000000
0006fb80 0007c090
+
  f7ea6d58 00000000
0006fb84  00079800
+
  f7ea6d5c 00000000
0006fb88  000f01ff
+
  f7ea6d60 02000000
0006fb8c  0006ff00
+
  f7ea6d64 0006fb54
0006fb90  00079e78
+
  f7ea6d68 7c82845c ntdll!KiFastSystemCallRet
0006fb94 000f0040
 
0006fb98 00000004
 
0006fb9c  0006ff0c
 
0006fba0  01030cd5 winlogon!CreatePrimaryTerminal+0x1a3
 
  
-----------------------
 
kd> kb
 
ChildEBP RetAddr  Args to Child             
 
0006fb48 01027f05 000000d0 0006fba8 0007cf40 USER32!SetUserObjectSecurity
 
0006fb98 01030ce4 000000d0 00000000 00000004 winlogon!SetUserDesktopSecurity+0x97
 
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x1b2
 
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
 
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
 
kd> dps esp
 
0006fb4c  01027f05 winlogon!SetUserDesktopSecurity+0x97
 
0006fb50  000000d0
 
0006fb54  0006fba8
 
0006fb58  0007cf40
 
0006fb5c  02000000
 
0006fb60  0007c090
 
0006fb64  00000000
 
0006fb68  00079800
 
0006fb6c  000f01ff
 
0006fb70  0006fb00
 
0006fb74  00079e78
 
0006fb78  200000c7
 
0006fb7c  02000000
 
0006fb80  0007aaf0
 
0006fb84  000f01ff
 
0006fb88  000f0100
 
0006fb8c  0006ff00
 
0006fb90  00079e78
 
0006fb94  000f0040
 
0006fb98  0006ff0c
 
0006fb9c  01030ce4 winlogon!CreatePrimaryTerminal+0x1b2
 
  
-----------------------
+
kd> kb
kd> kb
+
ChildEBP RetAddr Args to Child
ChildEBP RetAddr Args to Child            
+
f7ea6d48 80885614 0006fb3c 00000000 00000000 win32k!NtUserCreateDesktop
0006fe80 01027f05 000000d0 0006fee0 0007cf20 USER32!SetUserObjectSecurity
+
f7ea6d48 7c82845c 0006fb3c 00000000 00000000 nt!KiSystemServicePostCall
0006fed0 0102800a 000000d0 00079800 00000004 winlogon!SetUserDesktopSecurity+0x97
+
0006fb1c 77384147 77384132 0006fb3c 00000000 ntdll!KiFastSystemCallRet
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0x51
+
0006fb54 773840d0 0006fb7c 00000000 00000000 USER32!NtUserCreateDesktop+0xc
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
+
0006fb8c 01030cbc 01011cbc 00000000 00000000 USER32!CreateDesktopW+0x42
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
+
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x18a
kd> dps esp
+
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fe84 01027f05 winlogon!SetUserDesktopSecurity+0x97
+
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
0006fe88 000000d0
+
kd> dps esp
0006fe8c 0006fee0
+
  f7ea6d4c 80885614 nt!KiSystemServicePostCall
0006fe90  0007cf20
+
  f7ea6d50 0006fb3c
0006fe94  0007abc8
+
  f7ea6d54 00000000
0006fe98  0007c090
+
  f7ea6d58 00000000
0006fe9c 00000000
+
  f7ea6d5c 00000000
0006fea0  00079800
+
  f7ea6d60 02000000
0006fea4  000f01ff
+
  f7ea6d64 0006fb54
0006fea8 00000000
+
  f7ea6d68 7c82845c ntdll!KiFastSystemCallRet
0006feac  00079e78
 
0006feb0 200000c7
 
0006feb4 0006ff00
 
0006feb8 0007aaf0
 
0006febc  000f01ff
 
0006fec0  ffffff00
 
0006fec4  00079800
 
0006fec8  000f01ff
 
0006fecc  00000000
 
0006fed0  0006fef8
 
0006fed4  0102800a winlogon!SecurityChangeUser+0x51
 
  
  
-----------------------
+
kd> kb
kd> kb
+
ChildEBP RetAddr Args to Child
ChildEBP RetAddr Args to Child            
+
0006fb68 01027e5e 000000c0 0006fba8 0007cf60 USER32!SetUserObjectSecurity
f7ea6d54 80885614 00000000 00000000 0006fe9c win32k!NtUserUpdatePerUserSystemParameters
+
0006fb9c 01030cd5 000000c0 00000004 77e62f8d winlogon!SetWinlogonDesktopSecurity+0x54
f7ea6d54 7c82845c 00000000 00000000 0006fe9c nt!KiSystemServicePostCall
+
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x1a3
0006fe60 773850b2 77385078 00000000 00000000 ntdll!KiFastSystemCallRet
+
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fe9c 0101eaa8 00000000 00000000 77e62409 USER32!NtUserUpdatePerUserSystemParameters+0xc
+
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
0006febc 0102daa4 0007abc8 00000000 0007abc8 winlogon!InitSystemParametersInfo+0x6d
+
kd> dps esp
0006fed8 0102806f 0007abc8 77e62f8d 77e42014 winlogon!ResetEnvironment+0xba
+
0006fb6c 01027e5e winlogon!SetWinlogonDesktopSecurity+0x54
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0xb6
+
0006fb70 000000c0
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
+
0006fb74 0006fba8
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
+
0006fb78 0007cf60
 +
0006fb7c 02000000
 +
0006fb80 0007c090
 +
0006fb84 00079800
 +
0006fb88 000f01ff
 +
0006fb8c 0006ff00
 +
0006fb90 00079e78
 +
0006fb94 000f0040
 +
0006fb98 00000004
 +
0006fb9c 0006ff0c
 +
0006fba0 01030cd5 winlogon!CreatePrimaryTerminal+0x1a3
  
-----------------------
 
kd> kb
 
ChildEBP RetAddr  Args to Child             
 
f7ea6d4c 80885614 000000c8 0006fef0 00000000 win32k!NtUserSetWindowStationUser
 
f7ea6d4c 7c82845c 000000c8 0006fef0 00000000 nt!KiSystemServicePostCall
 
0006feac 77384934 77384e9f 000000c8 0006fef0 ntdll!KiFastSystemCallRet
 
0006fecc 0102807e 000000c8 0006fef0 00000000 USER32!NtUserSetWindowStationUser+0xc
 
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0xc5
 
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
 
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
 
kd> dps esp
 
f7ec6d50  80885614 nt!KiSystemServicePostCall
 
f7ec6d54  000000c8
 
f7ec6d58  0006fef0
 
f7ec6d5c  00000000
 
f7ec6d60  00000000
 
f7ec6d64  0006fecc
 
f7ec6d68  7c82845c ntdll!KiFastSystemCallRet
 
  
-----------------------
+
kd> kb
 +
ChildEBP RetAddr Args to Child
 +
0006fb48 01027f05 000000d0 0006fba8 0007cf40 USER32!SetUserObjectSecurity
 +
0006fb98 01030ce4 000000d0 00000000 00000004 winlogon!SetUserDesktopSecurity+0x97
 +
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x1b2
 +
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
 +
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
 +
kd> dps esp
 +
0006fb4c 01027f05 winlogon!SetUserDesktopSecurity+0x97
 +
0006fb50 000000d0
 +
0006fb54 0006fba8
 +
0006fb58 0007cf40
 +
0006fb5c 02000000
 +
0006fb60 0007c090
 +
0006fb64 00000000
 +
0006fb68 00079800
 +
0006fb6c 000f01ff
 +
0006fb70 0006fb00
 +
0006fb74 00079e78
 +
0006fb78 200000c7
 +
0006fb7c 02000000
 +
0006fb80 0007aaf0
 +
0006fb84 000f01ff
 +
0006fb88 000f0100
 +
0006fb8c 0006ff00
 +
0006fb90 00079e78
 +
0006fb94 000f0040
 +
0006fb98 0006ff0c
 +
0006fb9c 01030ce4 winlogon!CreatePrimaryTerminal+0x1b2
  
LOGIN HERE
 
  
-----------------------
+
kd> kb
kd> kb
+
ChildEBP RetAddr Args to Child
ChildEBP RetAddr Args to Child            
+
0006fe80 01027f05 000000d0 0006fee0 0007cf20 USER32!SetUserObjectSecurity
0006f778 010277ea 000000c8 0006f7a0 00bbd908 USER32!SetUserObjectSecurity
+
0006fed0 0102800a 000000d0 00079800 00000004 winlogon!SetUserDesktopSecurity+0x97
0006f794 01027cbe 0007ca70 00000004 000000c8 winlogon!AceListSetWinstaSecurity+0x30
+
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0x51
0006f84c 01027ff9 0007c090 00bb0f68 00000154 winlogon!AddUserToWinsta+0x154
+
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
0006f874 01035c5e 0007abc8 00000154 00000000 winlogon!SecurityChangeUser+0x40
+
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x675
+
kd> dps esp
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
+
  0006fe84 01027f05 winlogon!SetUserDesktopSecurity+0x97
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
+
  0006fe88 000000d0
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
+
  0006fe8c 0006fee0
kd> dps esp
+
  0006fe90 0007cf20
0006f77c 010277ea winlogon!AceListSetWinstaSecurity+0x30
+
  0006fe94 0007abc8
0006f780  000000c8
+
  0006fe98 0007c090
0006f784 0006f7a0
+
  0006fe9c 00000000
0006f788 00bbd908
+
  0006fea0 00079800
0006f78c 0007c090
+
  0006fea4 000f01ff
0006f790  00bbd368
+
  0006fea8 00000000
0006f794  0006f84c
+
  0006feac 00079e78
0006f798  01027cbe winlogon!AddUserToWinsta+0x154
+
  0006feb0 200000c7
0006f79c  0007ca70
+
  0006feb4 0006ff00
0006f7a0  00000004
+
  0006feb8 0007aaf0
0006f7a4  000000c8
+
  0006febc 000f01ff
0006f7a8 0007abc8
+
  0006fec0 ffffff00
0006f7ac 0007c090
+
  0006fec4 00079800
0006f7b0 00000154
+
  0006fec8 000f01ff
0006f7b4  00000024
+
  0006fecc 00000000
0006f7b8  0da0b4a4
+
  0006fed0 0006fef8
0006f7bc  00bbd368
+
  0006fed4 0102800a winlogon!SecurityChangeUser+0x51
0006f7c0  00bbd5d0
 
0006f7c4 0007c090
 
0006f7c8 0006f7d0
 
0006f7cc 00000000
 
0006f7d0 00000501
 
0006f7d4 05000000
 
0006f7d8 00000015
 
0006f7dc a3f04f18
 
0006f7e0 ea205f0e
 
0006f7e4 0ff25102
 
0006f7e8 000003eb
 
0006f7ec 00bb0a68
 
0006f7f0 00000000
 
0006f7f4 00070000
 
0006f7f8 00000000
 
  
-----------------------
 
kd> kb
 
ChildEBP RetAddr  Args to Child             
 
0006f7fc 01027f05 000000d0 0006f85c 00bbd690 USER32!SetUserObjectSecurity
 
0006f84c 0102800a 000000d0 00bb0f68 00000004 winlogon!SetUserDesktopSecurity+0x97
 
0006f874 01035c5e 0007abc8 00000154 00000000 winlogon!SecurityChangeUser+0x51
 
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x675
 
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
 
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
 
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
 
kd> dps esp
 
0006f800  01027f05 winlogon!SetUserDesktopSecurity+0x97
 
0006f804  000000d0
 
0006f808  0006f85c
 
0006f80c  00bbd690
 
0006f810  0007abc8
 
0006f814  0007c090
 
0006f818  00000154
 
0006f81c  00079800
 
0006f820  000f01ff
 
0006f824  0006f800
 
0006f828  00079e78
 
0006f82c  200000c7
 
0006f830  0007c000
 
0006f834  0007aaf0
 
0006f838  000f01ff
 
0006f83c  0106e000 winlogon!_NULL_IMPORT_DESCRIPTOR+0x880
 
0006f840  00bb0f68
 
0006f844  000f01ff
 
0006f848  00007e00
 
0006f84c  0006f874
 
0006f850  0102800a winlogon!SecurityChangeUser+0x51
 
  
 +
kd> kb
 +
ChildEBP RetAddr Args to Child
 +
f7ea6d54 80885614 00000000 00000000 0006fe9c win32k!NtUserUpdatePerUserSystemParameters
 +
f7ea6d54 7c82845c 00000000 00000000 0006fe9c nt!KiSystemServicePostCall
 +
0006fe60 773850b2 77385078 00000000 00000000 ntdll!KiFastSystemCallRet
 +
0006fe9c 0101eaa8 00000000 00000000 77e62409 USER32!NtUserUpdatePerUserSystemParameters+0xc
 +
0006febc 0102daa4 0007abc8 00000000 0007abc8 winlogon!InitSystemParametersInfo+0x6d
 +
0006fed8 0102806f 0007abc8 77e62f8d 77e42014 winlogon!ResetEnvironment+0xba
 +
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0xb6
 +
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
 +
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
  
-----------------------
 
kd> kb
 
ChildEBP RetAddr  Args to Child             
 
f7ec6d54 80885614 00000154 00000001 0006e700 win32k!NtUserUpdatePerUserSystemParameters
 
f7ec6d54 7c82845c 00000154 00000001 0006e700 nt!KiSystemServicePostCall
 
0006e6c4 773850b2 77385078 00000154 00000001 ntdll!KiFastSystemCallRet
 
0006e700 0101eaa8 00000154 00000001 0007c090 USER32!NtUserUpdatePerUserSystemParameters+0xc
 
0006e720 0102e1f5 0007abc8 00000001 77e62409 winlogon!InitSystemParametersInfo+0x6d
 
0006f884 0103603b 0007abc8 00000002 0007abc8 winlogon!SetupUserEnvironment+0x26a
 
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x7b2
 
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
 
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
 
0006fff4 00000000 7ffde000 000000c8 000001b1 winlogon!__report_gsfailure+0x267
 
  
-----------------------
+
kd> kb
kd> kb
+
ChildEBP RetAddr Args to Child
ChildEBP RetAddr Args to Child            
+
f7ea6d4c 80885614 000000c8 0006fef0 00000000 win32k!NtUserSetWindowStationUser
f7ec6d4c 80885614 000000c8 0007c148 00ba9db8 win32k!NtUserSetWindowStationUser
+
f7ea6d4c 7c82845c 000000c8 0006fef0 00000000 nt!KiSystemServicePostCall
f7ec6d4c 7c82845c 000000c8 0007c148 00ba9db8 nt!KiSystemServicePostCall
+
0006feac 77384934 77384e9f 000000c8 0006fef0 ntdll!KiFastSystemCallRet
0006f858 77384934 77384e9f 000000c8 0007c148 ntdll!KiFastSystemCallRet
+
0006fecc 0102807e 000000c8 0006fef0 00000000 USER32!NtUserSetWindowStationUser+0xc
0006f878 01036073 000000c8 0007c148 00ba9db8 USER32!NtUserSetWindowStationUser+0xc
+
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0xc5
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x7ea
+
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
+
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
+
kd> dps esp
0006fff4 00000000 7ffde000 000000c8 000001b1 winlogon!__report_gsfailure+0x267
+
f7ec6d50 80885614 nt!KiSystemServicePostCall
kd> dps esp
+
f7ec6d54 000000c8
f7ec6d50 80885614 nt!KiSystemServicePostCall
+
f7ec6d58 0006fef0
f7ec6d54 000000c8
+
  f7ec6d5c 00000000
f7ec6d58  0007c148
+
  f7ec6d60 00000000
f7ec6d5c 00ba9db8
+
  f7ec6d64 0006fecc
f7ec6d60 00000014
+
  f7ec6d68 7c82845c ntdll!KiFastSystemCallRet
f7ec6d64 0006f878
 
f7ec6d68 7c82845c ntdll!KiFastSystemCallRet
 
  
-----------------------
 
  
END.
+
-----------------------
 +
  LOGIN HERE
 +
-----------------------
 +
kd> kb
 +
ChildEBP RetAddr Args to Child
 +
0006f778 010277ea 000000c8 0006f7a0 00bbd908 USER32!SetUserObjectSecurity
 +
0006f794 01027cbe 0007ca70 00000004 000000c8 winlogon!AceListSetWinstaSecurity+0x30
 +
0006f84c 01027ff9 0007c090 00bb0f68 00000154 winlogon!AddUserToWinsta+0x154
 +
0006f874 01035c5e 0007abc8 00000154 00000000 winlogon!SecurityChangeUser+0x40
 +
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x675
 +
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
 +
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
 +
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
 +
kd> dps esp
 +
0006f77c 010277ea winlogon!AceListSetWinstaSecurity+0x30
 +
0006f780 000000c8
 +
0006f784 0006f7a0
 +
0006f788 00bbd908
 +
0006f78c 0007c090
 +
0006f790 00bbd368
 +
0006f794 0006f84c
 +
0006f798 01027cbe winlogon!AddUserToWinsta+0x154
 +
0006f79c 0007ca70
 +
0006f7a0 00000004
 +
0006f7a4 000000c8
 +
0006f7a8 0007abc8
 +
0006f7ac 0007c090
 +
0006f7b0 00000154
 +
0006f7b4 00000024
 +
0006f7b8 0da0b4a4
 +
0006f7bc 00bbd368
 +
0006f7c0 00bbd5d0
 +
0006f7c4 0007c090
 +
0006f7c8 0006f7d0
 +
0006f7cc 00000000
 +
0006f7d0 00000501
 +
0006f7d4 05000000
 +
0006f7d8 00000015
 +
0006f7dc a3f04f18
 +
0006f7e0 ea205f0e
 +
0006f7e4 0ff25102
 +
0006f7e8 000003eb
 +
0006f7ec 00bb0a68
 +
0006f7f0 00000000
 +
0006f7f4 00070000
 +
0006f7f8 00000000
 +
 
 +
 
 +
kd> kb
 +
ChildEBP RetAddr Args to Child
 +
0006f7fc 01027f05 000000d0 0006f85c 00bbd690 USER32!SetUserObjectSecurity
 +
0006f84c 0102800a 000000d0 00bb0f68 00000004 winlogon!SetUserDesktopSecurity+0x97
 +
0006f874 01035c5e 0007abc8 00000154 00000000 winlogon!SecurityChangeUser+0x51
 +
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x675
 +
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
 +
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
 +
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
 +
kd> dps esp
 +
0006f800 01027f05 winlogon!SetUserDesktopSecurity+0x97
 +
0006f804 000000d0
 +
0006f808 0006f85c
 +
0006f80c 00bbd690
 +
0006f810 0007abc8
 +
0006f814 0007c090
 +
0006f818 00000154
 +
0006f81c 00079800
 +
0006f820 000f01ff
 +
0006f824 0006f800
 +
0006f828 00079e78
 +
0006f82c 200000c7
 +
0006f830 0007c000
 +
0006f834 0007aaf0
 +
0006f838 000f01ff
 +
0006f83c 0106e000 winlogon!_NULL_IMPORT_DESCRIPTOR+0x880
 +
0006f840 00bb0f68
 +
0006f844 000f01ff
 +
0006f848 00007e00
 +
0006f84c 0006f874
 +
0006f850 0102800a winlogon!SecurityChangeUser+0x51
 +
 
 +
 
 +
kd> kb
 +
ChildEBP RetAddr Args to Child
 +
f7ec6d54 80885614 00000154 00000001 0006e700 win32k!NtUserUpdatePerUserSystemParameters
 +
f7ec6d54 7c82845c 00000154 00000001 0006e700 nt!KiSystemServicePostCall
 +
0006e6c4 773850b2 77385078 00000154 00000001 ntdll!KiFastSystemCallRet
 +
0006e700 0101eaa8 00000154 00000001 0007c090 USER32!NtUserUpdatePerUserSystemParameters+0xc
 +
0006e720 0102e1f5 0007abc8 00000001 77e62409 winlogon!InitSystemParametersInfo+0x6d
 +
0006f884 0103603b 0007abc8 00000002 0007abc8 winlogon!SetupUserEnvironment+0x26a
 +
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x7b2
 +
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
 +
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
 +
0006fff4 00000000 7ffde000 000000c8 000001b1 winlogon!__report_gsfailure+0x267
 +
 
 +
 
 +
kd> kb
 +
ChildEBP RetAddr Args to Child
 +
f7ec6d4c 80885614 000000c8 0007c148 00ba9db8 win32k!NtUserSetWindowStationUser
 +
f7ec6d4c 7c82845c 000000c8 0007c148 00ba9db8 nt!KiSystemServicePostCall
 +
0006f858 77384934 77384e9f 000000c8 0007c148 ntdll!KiFastSystemCallRet
 +
0006f878 01036073 000000c8 0007c148 00ba9db8 USER32!NtUserSetWindowStationUser+0xc
 +
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x7ea
 +
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
 +
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
 +
0006fff4 00000000 7ffde000 000000c8 000001b1 winlogon!__report_gsfailure+0x267
 +
kd> dps esp
 +
f7ec6d50 80885614 nt!KiSystemServicePostCall
 +
f7ec6d54 000000c8
 +
f7ec6d58 0007c148
 +
f7ec6d5c 00ba9db8
 +
f7ec6d60 00000014
 +
f7ec6d64 0006f878
 +
f7ec6d68 7c82845c ntdll!KiFastSystemCallRet
 +
-----------------------
 +
END.

Latest revision as of 23:14, 22 March 2015

Calls from winlogon that initialize security in win32k

kd> kb
ChildEBP RetAddr Args to Child
f7ea6d40 80885614 0006f868 02000000 000000c4 win32k!NtUserCreateWindowStation
f7ea6d40 7c82845c 0006f868 02000000 000000c4 nt!KiSystemServicePostCall
0006f828 77384086 77384025 0006f868 02000000 ntdll!KiFastSystemCallRet
0006fb74 77383e8e 0006fb8c 02000000 00000000 USER32!NtUserCreateWindowStation+0xc
0006fb94 01030c70 01012734 00000000 02000000 USER32!CreateWindowStationW+0x26
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x13e
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267


kd> kb
ChildEBP RetAddr Args to Child
0006fb64 010277ea 000000c8 0006fb8c 0007cf80 USER32!SetUserObjectSecurity
0006fb80 0102792a 0007ca70 00000004 000000c8 winlogon!AceListSetWinstaSecurity+0x30
0006fba0 01030c88 00020166 77e62f8d 77e42014 winlogon!InitializeWinstaSecurity+0x130
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x156
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
kd> dps esp
0006fb68 010277ea winlogon!AceListSetWinstaSecurity+0x30
0006fb6c 000000c8
0006fb70 0006fb8c
0006fb74 0007cf80
0006fb78 0007c090
0006fb7c 0007ca70
0006fb80 0006fba0
0006fb84 0102792a winlogon!InitializeWinstaSecurity+0x130


kd> kb
ChildEBP RetAddr Args to Child
f7ea6d48 80885614 0006fb3c 00000000 00000000 win32k!NtUserCreateDesktop
f7ea6d48 7c82845c 0006fb3c 00000000 00000000 nt!KiSystemServicePostCall
0006fb1c 77384147 77384132 0006fb3c 00000000 ntdll!KiFastSystemCallRet
0006fb54 773840d0 0006fb7c 00000000 00000000 USER32!NtUserCreateDesktop+0xc
0006fb8c 01030ca1 01011ccc 00000000 00000000 USER32!CreateDesktopW+0x42
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x16f
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
kd> dps esp
f7ea6d4c 80885614 nt!KiSystemServicePostCall
f7ea6d50 0006fb3c
f7ea6d54 00000000
f7ea6d58 00000000
f7ea6d5c 00000000
f7ea6d60 02000000
f7ea6d64 0006fb54
f7ea6d68 7c82845c ntdll!KiFastSystemCallRet


kd> kb
ChildEBP RetAddr Args to Child
f7ea6d48 80885614 0006fb3c 00000000 00000000 win32k!NtUserCreateDesktop
f7ea6d48 7c82845c 0006fb3c 00000000 00000000 nt!KiSystemServicePostCall
0006fb1c 77384147 77384132 0006fb3c 00000000 ntdll!KiFastSystemCallRet
0006fb54 773840d0 0006fb7c 00000000 00000000 USER32!NtUserCreateDesktop+0xc
0006fb8c 01030cbc 01011cbc 00000000 00000000 USER32!CreateDesktopW+0x42
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x18a
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
kd> dps esp
f7ea6d4c 80885614 nt!KiSystemServicePostCall
f7ea6d50 0006fb3c
f7ea6d54 00000000
f7ea6d58 00000000
f7ea6d5c 00000000
f7ea6d60 02000000
f7ea6d64 0006fb54
f7ea6d68 7c82845c ntdll!KiFastSystemCallRet


kd> kb
ChildEBP RetAddr Args to Child
0006fb68 01027e5e 000000c0 0006fba8 0007cf60 USER32!SetUserObjectSecurity
0006fb9c 01030cd5 000000c0 00000004 77e62f8d winlogon!SetWinlogonDesktopSecurity+0x54
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x1a3
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
kd> dps esp
0006fb6c 01027e5e winlogon!SetWinlogonDesktopSecurity+0x54
0006fb70 000000c0
0006fb74 0006fba8
0006fb78 0007cf60
0006fb7c 02000000
0006fb80 0007c090
0006fb84 00079800
0006fb88 000f01ff
0006fb8c 0006ff00
0006fb90 00079e78
0006fb94 000f0040
0006fb98 00000004
0006fb9c 0006ff0c
0006fba0 01030cd5 winlogon!CreatePrimaryTerminal+0x1a3


kd> kb
ChildEBP RetAddr Args to Child
0006fb48 01027f05 000000d0 0006fba8 0007cf40 USER32!SetUserObjectSecurity
0006fb98 01030ce4 000000d0 00000000 00000004 winlogon!SetUserDesktopSecurity+0x97
0006ff0c 010317db ffffffff 00000004 00000000 winlogon!CreatePrimaryTerminal+0x1b2
0006ff50 0103e33b 01000000 00000000 000724e4 winlogon!WUNotify+0x1bd
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
kd> dps esp
0006fb4c 01027f05 winlogon!SetUserDesktopSecurity+0x97
0006fb50 000000d0
0006fb54 0006fba8
0006fb58 0007cf40
0006fb5c 02000000
0006fb60 0007c090
0006fb64 00000000
0006fb68 00079800
0006fb6c 000f01ff
0006fb70 0006fb00
0006fb74 00079e78
0006fb78 200000c7
0006fb7c 02000000
0006fb80 0007aaf0
0006fb84 000f01ff
0006fb88 000f0100
0006fb8c 0006ff00
0006fb90 00079e78
0006fb94 000f0040
0006fb98 0006ff0c
0006fb9c 01030ce4 winlogon!CreatePrimaryTerminal+0x1b2


kd> kb
ChildEBP RetAddr Args to Child
0006fe80 01027f05 000000d0 0006fee0 0007cf20 USER32!SetUserObjectSecurity
0006fed0 0102800a 000000d0 00079800 00000004 winlogon!SetUserDesktopSecurity+0x97
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0x51
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
kd> dps esp
0006fe84 01027f05 winlogon!SetUserDesktopSecurity+0x97
0006fe88 000000d0
0006fe8c 0006fee0
0006fe90 0007cf20
0006fe94 0007abc8
0006fe98 0007c090
0006fe9c 00000000
0006fea0 00079800
0006fea4 000f01ff
0006fea8 00000000
0006feac 00079e78
0006feb0 200000c7
0006feb4 0006ff00
0006feb8 0007aaf0
0006febc 000f01ff
0006fec0 ffffff00
0006fec4 00079800
0006fec8 000f01ff
0006fecc 00000000
0006fed0 0006fef8
0006fed4 0102800a winlogon!SecurityChangeUser+0x51


kd> kb
ChildEBP RetAddr Args to Child
f7ea6d54 80885614 00000000 00000000 0006fe9c win32k!NtUserUpdatePerUserSystemParameters
f7ea6d54 7c82845c 00000000 00000000 0006fe9c nt!KiSystemServicePostCall
0006fe60 773850b2 77385078 00000000 00000000 ntdll!KiFastSystemCallRet
0006fe9c 0101eaa8 00000000 00000000 77e62409 USER32!NtUserUpdatePerUserSystemParameters+0xc
0006febc 0102daa4 0007abc8 00000000 0007abc8 winlogon!InitSystemParametersInfo+0x6d
0006fed8 0102806f 0007abc8 77e62f8d 77e42014 winlogon!ResetEnvironment+0xba
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0xb6
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267


kd> kb
ChildEBP RetAddr Args to Child
f7ea6d4c 80885614 000000c8 0006fef0 00000000 win32k!NtUserSetWindowStationUser
f7ea6d4c 7c82845c 000000c8 0006fef0 00000000 nt!KiSystemServicePostCall
0006feac 77384934 77384e9f 000000c8 0006fef0 ntdll!KiFastSystemCallRet
0006fecc 0102807e 000000c8 0006fef0 00000000 USER32!NtUserSetWindowStationUser+0xc
0006fef8 01031868 0007abc8 00000000 00000000 winlogon!SecurityChangeUser+0xc5
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x24a
0006fff4 00000000 7ffda000 000000c8 000001a6 winlogon!__report_gsfailure+0x267
kd> dps esp
f7ec6d50 80885614 nt!KiSystemServicePostCall
f7ec6d54 000000c8
f7ec6d58 0006fef0
f7ec6d5c 00000000
f7ec6d60 00000000
f7ec6d64 0006fecc
f7ec6d68 7c82845c ntdll!KiFastSystemCallRet


-----------------------
 LOGIN HERE
-----------------------
kd> kb
ChildEBP RetAddr Args to Child
0006f778 010277ea 000000c8 0006f7a0 00bbd908 USER32!SetUserObjectSecurity
0006f794 01027cbe 0007ca70 00000004 000000c8 winlogon!AceListSetWinstaSecurity+0x30
0006f84c 01027ff9 0007c090 00bb0f68 00000154 winlogon!AddUserToWinsta+0x154
0006f874 01035c5e 0007abc8 00000154 00000000 winlogon!SecurityChangeUser+0x40
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x675
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
kd> dps esp
0006f77c 010277ea winlogon!AceListSetWinstaSecurity+0x30
0006f780 000000c8
0006f784 0006f7a0
0006f788 00bbd908
0006f78c 0007c090
0006f790 00bbd368
0006f794 0006f84c
0006f798 01027cbe winlogon!AddUserToWinsta+0x154
0006f79c 0007ca70
0006f7a0 00000004
0006f7a4 000000c8
0006f7a8 0007abc8
0006f7ac 0007c090
0006f7b0 00000154
0006f7b4 00000024
0006f7b8 0da0b4a4
0006f7bc 00bbd368
0006f7c0 00bbd5d0
0006f7c4 0007c090
0006f7c8 0006f7d0
0006f7cc 00000000
0006f7d0 00000501
0006f7d4 05000000
0006f7d8 00000015
0006f7dc a3f04f18
0006f7e0 ea205f0e
0006f7e4 0ff25102
0006f7e8 000003eb
0006f7ec 00bb0a68
0006f7f0 00000000
0006f7f4 00070000
0006f7f8 00000000


kd> kb
ChildEBP RetAddr Args to Child
0006f7fc 01027f05 000000d0 0006f85c 00bbd690 USER32!SetUserObjectSecurity
0006f84c 0102800a 000000d0 00bb0f68 00000004 winlogon!SetUserDesktopSecurity+0x97
0006f874 01035c5e 0007abc8 00000154 00000000 winlogon!SecurityChangeUser+0x51
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x675
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
0006fff4 00000000 7ffda000 000000c8 000001c6 winlogon!__report_gsfailure+0x267
kd> dps esp
0006f800 01027f05 winlogon!SetUserDesktopSecurity+0x97
0006f804 000000d0
0006f808 0006f85c
0006f80c 00bbd690
0006f810 0007abc8
0006f814 0007c090
0006f818 00000154
0006f81c 00079800
0006f820 000f01ff
0006f824 0006f800
0006f828 00079e78
0006f82c 200000c7
0006f830 0007c000
0006f834 0007aaf0
0006f838 000f01ff
0006f83c 0106e000 winlogon!_NULL_IMPORT_DESCRIPTOR+0x880
0006f840 00bb0f68
0006f844 000f01ff
0006f848 00007e00
0006f84c 0006f874
0006f850 0102800a winlogon!SecurityChangeUser+0x51


kd> kb
ChildEBP RetAddr Args to Child
f7ec6d54 80885614 00000154 00000001 0006e700 win32k!NtUserUpdatePerUserSystemParameters
f7ec6d54 7c82845c 00000154 00000001 0006e700 nt!KiSystemServicePostCall
0006e6c4 773850b2 77385078 00000154 00000001 ntdll!KiFastSystemCallRet
0006e700 0101eaa8 00000154 00000001 0007c090 USER32!NtUserUpdatePerUserSystemParameters+0xc
0006e720 0102e1f5 0007abc8 00000001 77e62409 winlogon!InitSystemParametersInfo+0x6d
0006f884 0103603b 0007abc8 00000002 0007abc8 winlogon!SetupUserEnvironment+0x26a
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x7b2
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
0006fff4 00000000 7ffde000 000000c8 000001b1 winlogon!__report_gsfailure+0x267


kd> kb
ChildEBP RetAddr Args to Child
f7ec6d4c 80885614 000000c8 0007c148 00ba9db8 win32k!NtUserSetWindowStationUser
f7ec6d4c 7c82845c 000000c8 0007c148 00ba9db8 nt!KiSystemServicePostCall
0006f858 77384934 77384e9f 000000c8 0007c148 ntdll!KiFastSystemCallRet
0006f878 01036073 000000c8 0007c148 00ba9db8 USER32!NtUserSetWindowStationUser+0xc
0006fee4 01037887 0007abc8 77e62f8d 77e42014 winlogon!LogonAttempt+0x7ea
0006ff08 01031b33 0007abc8 ffffffff 00000004 winlogon!MainLoop+0x1dd
0006ff50 0103e33b 0007abc8 00000000 000724e4 winlogon!WUNotify+0x515
0006fff4 00000000 7ffde000 000000c8 000001b1 winlogon!__report_gsfailure+0x267
kd> dps esp
f7ec6d50 80885614 nt!KiSystemServicePostCall
f7ec6d54 000000c8
f7ec6d58 0007c148
f7ec6d5c 00ba9db8
f7ec6d60 00000014
f7ec6d64 0006f878
f7ec6d68 7c82845c ntdll!KiFastSystemCallRet
-----------------------
END.