Analysis of the nt!RtlpCallQueryRegistryRoutine function within nt!RtlQueryTimeZoneInformation
1: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 8.
Image: System
1: kd> kc
#
00 nt!RtlpCallQueryRegistryRoutine
01 nt!RtlQueryRegistryValues
02 nt!RtlQueryTimeZoneInformation
03 nt!ExpRefreshTimeZoneInformation
04 nt!Phase1Initialization
05 nt!PspSystemThreadStartup
06 nt!KiThreadStartup
1: kd> kv
# ChildEBP RetAddr Args to Child
00 f789a5bc 80d64ed5 f789a648 e12858b4 f789a61c nt!RtlpCallQueryRegistryRoutine+0x3a0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\rtl\regutil.c @ 643]
01 f789a620 80d654ed 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2db (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\rtl\regutil.c @ 1070]
02 f789a73c 80db86a3 f789a750 000001e0 00000000 nt!RtlQueryTimeZoneInformation+0x141 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\rtl\regutil.c @ 1744]
03 f789a838 80e630e8 f789ad58 00000000 899a1020 nt!ExpRefreshTimeZoneInformation+0xf1 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\systime.c @ 841]
04 f789adac 80d391f0 80077000 00000000 00000000 nt!Phase1Initialization+0x79e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\init\init.c @ 2049]
05 f789addc 80b00d52 80e6294a 80077000 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
06 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
1: kd> dv
QueryTable = 0xf789a648
KeyValueInformation = 0xe1285898
PKeyValueInfoLength = 0xf789a61c
1: kd> pr
eax=00000004 ebx=e1285898 ecx=00000004 edx=f789a648 esi=e128591a edi=e1285898
eip=80d64834 esp=f789a590 ebp=f789a5bc iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!RtlpCallQueryRegistryRoutine+0xdc:
80d64834 8b730c mov esi,dword ptr [ebx+0Ch] ds:0023:e12858a4=00000004
1: kd> dt KEY_VALUE_FULL_INFORMATION e1285898
nt!KEY_VALUE_FULL_INFORMATION
+0x000 TitleIndex : 0
+0x004 Type : 4
+0x008 DataOffset : 0x1c
+0x00c DataLength : 4
+0x010 NameLength : 8
+0x014 Name : [1] 0x42
1: kd> dx -id 0,0,899a2278 -r1 (*((ntkrnlmp!unsigned short (*)[1])0xe12858ac))
(*((ntkrnlmp!unsigned short (*)[1])0xe12858ac)) [Type: unsigned short [1]]
[0] : 0x42 [Type: unsigned short]
1: kd> db 0xe12858ac
e12858ac 42 00 69 00 61 00 73 00-e0 01 00 00 00 00 00 00 B.i.a.s.........
e12858bc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 .......
    //
    // No special processing of the registry value required so just call
    // the query routine.
    //
    if (QueryTable->Flags & RTL_QUERY_REGISTRY_DIRECT) {
        Status = RtlpQueryRegistryDirect( ValueType,
                                          ValueData,
                                          ValueLength,
                                          QueryTable->EntryContext
                                        );
    } else {
        Status = (QueryTable->QueryRoutine)( ValueName,
                                             ValueType,
                                             ValueData,
                                             ValueLength,
                                             Context,
                                             QueryTable->EntryContext
                                           );
    }

#define RTL_QUERY_REGISTRY_DIRECT 0x00000020   // QueryRoutine field ignored. EntryContext
                                               // field points to location to store value.
                                               // For null terminated strings, EntryContext
                                               // points to UNICODE_STRING structure that
                                               // describes maximum size of buffer.
                                               // If .Buffer field is NULL then a buffer is
                                               // allocated.
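The dispatch traced above (regutil.c @ 643) together with the RTL_QUERY_REGISTRY_DIRECT definition, modelled in user-mode C as an added example; this is not code from the session or from the Windows source tree. The structure layouts follow the dt/dx output in the log, REG_DWORD, RTL_QUERY_REGISTRY_DIRECT and the STATUS_* values are the public Windows constants, and the sample bytes are constructed to match the "Bias" value dumped at e1285898. Two simplifications are assumptions of this model: the direct path stores only REG_DWORD values (the header comment shows the real RtlpQueryRegistryDirect also handles strings via a UNICODE_STRING), and the callback receives the raw Name field rather than a NUL-terminated copy. The check that DataOffset/DataLength stay inside the returned buffer is also added here, not taken from the fragment.

```c
/* Added example, not code from this session or from the Windows source tree: a
 * user-mode model of the RtlpCallQueryRegistryRoutine dispatch shown above. Struct
 * layouts follow the dt/dx output in the log; REG_DWORD, RTL_QUERY_REGISTRY_DIRECT
 * and the STATUS_* values are the public Windows constants. Assumed simplifications:
 * the direct path stores only REG_DWORD, and the callback gets the raw Name field. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER  ((NTSTATUS)0xC000000D)
#define REG_DWORD                 4
#define RTL_QUERY_REGISTRY_DIRECT 0x00000020

typedef struct {                      /* offsets 0,4,8,0xc,0x10,0x14 as "dt" shows above */
    uint32_t TitleIndex, Type;
    uint32_t DataOffset;              /* byte offset of the data from the start of this header */
    uint32_t DataLength, NameLength;  /* NameLength in bytes, no terminator */
    uint16_t Name[1];                 /* UTF-16, variable length; the data follows later */
} KEY_VALUE_FULL_INFORMATION;

typedef NTSTATUS (*PRTL_QUERY_REGISTRY_ROUTINE)(const uint16_t *ValueName, uint32_t ValueType,
        void *ValueData, uint32_t ValueLength, void *Context, void *EntryContext);

typedef struct {
    PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine;
    uint32_t Flags;
    const uint16_t *Name;
    void *EntryContext;
    uint32_t DefaultType;  void *DefaultData;  uint32_t DefaultLength;
} RTL_QUERY_REGISTRY_TABLE;

/* The dispatch at regutil.c @ 643, plus an explicit check (added in this model) that
 * DataOffset/DataLength stay inside the KeyResultLength bytes the registry returned. */
NTSTATUS CallQueryRegistryRoutine(const RTL_QUERY_REGISTRY_TABLE *QueryTable,
                                  KEY_VALUE_FULL_INFORMATION *Kvfi,
                                  uint32_t KeyResultLength, void *Context)
{
    if (KeyResultLength < offsetof(KEY_VALUE_FULL_INFORMATION, Name) ||
        Kvfi->DataOffset > KeyResultLength ||
        Kvfi->DataLength > KeyResultLength - Kvfi->DataOffset)
        return STATUS_INVALID_PARAMETER;
    void *ValueData = (uint8_t *)Kvfi + Kvfi->DataOffset;
    if (QueryTable->Flags & RTL_QUERY_REGISTRY_DIRECT) {   /* QueryRoutine is ignored, */
        if (Kvfi->Type != REG_DWORD || Kvfi->DataLength != sizeof(uint32_t))
            return STATUS_INVALID_PARAMETER;               /* only DWORD modelled here */
        memcpy(QueryTable->EntryContext, ValueData, sizeof(uint32_t)); /* value stored at EntryContext */
        return STATUS_SUCCESS;
    }
    if (QueryTable->QueryRoutine == NULL)
        return STATUS_INVALID_PARAMETER;
    return QueryTable->QueryRoutine(Kvfi->Name, Kvfi->Type, ValueData, Kvfi->DataLength,
                                    Context, QueryTable->EntryContext);
}

/* Constructed to reproduce the bytes at e1285898 in the log: REG_DWORD "Bias", DataOffset 0x1c, 0x1e0 = 480. */
static const uint8_t BiasValue[0x20] = {
    0x00,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 0x1c,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,
    0x08,0x00,0x00,0x00, 'B',0,'i',0,'a',0,'s',0, 0xe0,0x01,0x00,0x00 };
static NTSTATUS CountingRoutine(const uint16_t *n, uint32_t t, void *d, uint32_t len,
                                void *ctx, void *ec)
{   (void)n; (void)d; (void)ctx;
    if (t == REG_DWORD && len == sizeof(uint32_t)) (*(int32_t *)ec)++;
    return STATUS_SUCCESS;
}

/* Runs the dispatch over a copy of BiasValue; Out becomes the table's EntryContext. */
static NTSTATUS RunBias(uint32_t Flags, PRTL_QUERY_REGISTRY_ROUTINE Routine,
                        uint32_t ResultLength, int32_t *Out)
{
    union { KEY_VALUE_FULL_INFORMATION k; uint8_t bytes[sizeof BiasValue]; } u;
    memcpy(u.bytes, BiasValue, sizeof u.bytes);
    RTL_QUERY_REGISTRY_TABLE entry = { Routine, Flags, NULL, Out, 0, NULL, 0 };
    return CallQueryRegistryRoutine(&entry, &u.k, ResultLength, NULL);
}

/* DIRECT with QueryRoutine NULL, as every table entry in the log: the DWORD lands in the
 * caller's 32-bit LONG, which is how TimeZoneInformation->Bias came to hold 480. */
int32_t QueryBiasDirect(void)
{   int32_t bias = -1;
    return RunBias(RTL_QUERY_REGISTRY_DIRECT, NULL, sizeof BiasValue, &bias) == STATUS_SUCCESS ? bias : -1;
}
/* Without DIRECT the same value reaches QueryRoutine instead; returns the call count. */
int32_t QueryBiasViaRoutine(void)
{   int32_t calls = 0;
    RunBias(0, CountingRoutine, sizeof BiasValue, &calls);
    return calls;
}
/* A KeyResultLength of 0x1c ends before the data, so the dispatch refuses it. */
NTSTATUS QueryTruncatedBias(void)
{   int32_t bias = 0;
    return RunBias(RTL_QUERY_REGISTRY_DIRECT, NULL, 0x1c, &bias);
}

int main(void)
{   printf("Bias via DIRECT: %d, routine calls: %d, truncated status: 0x%08x\n",
           (int)QueryBiasDirect(), (int)QueryBiasViaRoutine(), (unsigned)QueryTruncatedBias());
    return 0;
}
```

The EntryContext target is deliberately a 32-bit integer: RTL_QUERY_REGISTRY_DIRECT copies exactly DataLength bytes to wherever EntryContext points, so a table entry whose EntryContext is narrower than the registry value overflows it, and one that is wider keeps stale high bytes. Checking Type and DataLength against the destination before the copy, as the model does, is the defensive reading of the fragment.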
1: kd> p
eax=e12858b4 ebx=e1285898 ecx=00000004 edx=f789a648 esi=00000004 edi=e1285898
eip=80d64af8 esp=f789a590 ebp=f789a5bc iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!RtlpCallQueryRegistryRoutine+0x3a0:
80d64af8 f6420420 test byte ptr [edx+4],20h ds:0023:f789a64c=20
1: kd> dt ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE f789a648
+0x000 QueryRoutine : (null)
+0x004 Flags : 0x20
+0x008 Name : 0x80dd6c10 -> 0x42
+0x00c EntryContext : 0xf789a750 Void
+0x010 DefaultType : 0
+0x014 DefaultData : (null)
+0x018 DefaultLength : 0
1: kd> t
Breakpoint 0 hit
eax=f789a61c ebx=00000082 ecx=00000008 edx=80a3dd5d esi=e1285898 edi=f789a664
eip=80d64758 esp=f789a5c0 ebp=f789a620 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
nt!RtlpCallQueryRegistryRoutine:
80d64758 55 push ebp
1: kd> dv
QueryTable = 0xf789a664
KeyValueInformation = 0xe1285898
PKeyValueInfoLength = 0xf789a61c
Context = 0x00000000
Environment = 0x00000000
KeyValueInfoLength = 0xf789a620
Status = 0n0
ValueData = 0xe1285898
ValueType = 8
EndFreeMem = 0x00000008 "--- memory read error at address 0x00000008 ---"
ValueName = 0x80d64758
s = 0x00000000
FreeMemSize = 0n0
ValueSpaceNeeded = 0n-517449576
ValueEnd = 0x00000000
Source = ""
RequiredLength = 0
Destination = struct _UNICODE_STRING "--- memory read error at address 0x00000082 ---"
1: kd> dx -r1 ((ntkrnlmp!_KEY_VALUE_FULL_INFORMATION *)0xe1285898)
((ntkrnlmp!_KEY_VALUE_FULL_INFORMATION *)0xe1285898) : 0xe1285898 [Type: _KEY_VALUE_FULL_INFORMATION *]
[+0x000] TitleIndex : 0x0 [Type: unsigned long]
[+0x004] Type : 0x1 [Type: unsigned long]
[+0x008] DataOffset : 0x2c [Type: unsigned long]
[+0x00c] DataLength : 0x2c [Type: unsigned long]
[+0x010] NameLength : 0x18 [Type: unsigned long]
[+0x014] Name [Type: unsigned short [1]]
1: kd> dx -r1 (*((ntkrnlmp!unsigned short (*)[1])0xe12858ac))
(*((ntkrnlmp!unsigned short (*)[1])0xe12858ac)) [Type: unsigned short [1]]
[0] : 0x53 [Type: unsigned short]
1: kd> db 0xe12858ac
e12858ac 53 00 74 00 61 00 6e 00-64 00 61 00 72 00 64 00 S.t.a.n.d.a.r.d.
e12858bc 4e 00 61 00 6d 00 65 00-50 00 61 00 63 00 69 00 N.a.m.e.P.a.c.i.
e12858cc 66 00 69 00 63 00 20 00-53 00 74 00 61 00 6e 00 f.i.c. .S.t.a.n.
e12858dc 64 00 61 00 72 00 64 00-20 00 54 00 69 00 6d 00 d.a.r.d. .T.i.m.
e12858ec 65 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 e...............
e12858fc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e128590c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e128591c 00 00 00 00 12 08 25 04-4f 62 53 71 50 5a 28 e1 ......%.ObSqPZ(.
1: kd> dx -r1 ((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a664)
((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a664) : 0xf789a664 [Type: _RTL_QUERY_REGISTRY_TABLE *]
[+0x000] QueryRoutine : 0x0 [Type: long (*)(unsigned short *,unsigned long,void *,unsigned long,void *,void *)]
[+0x004] Flags : 0x20 [Type: unsigned long]
[+0x008] Name : 0x80dd6c1c : 0x53 [Type: unsigned short *]
[+0x00c] EntryContext : 0xf789a730 [Type: void *]
[+0x010] DefaultType : 0x0 [Type: unsigned long]
[+0x014] DefaultData : 0x0 [Type: void *]
[+0x018] DefaultLength : 0x0 [Type: unsigned long]
1: kd> gu
eax=00000000 ebx=00000082 ecx=00000000 edx=00000001 esi=e1285898 edi=f789a664
eip=80d64ed5 esp=f789a5d8 ebp=f789a620 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000217
nt!RtlQueryRegistryValues+0x2db:
80d64ed5 3d230000c0 cmp eax,0C0000023h
    } else {
        //
        // KeyResultLength holds the length of the data returned by ZwQueryKeyValue.
        // If this is a MULTI_SZ value, catenate a NUL.
        //
        if ( KeyValueInformation->Type == REG_MULTI_SZ ) {
            *(PWCHAR) ((PUCHAR)KeyValueInformation + KeyResultLength) = UNICODE_NULL;
            KeyValueInformation->DataLength += sizeof(UNICODE_NULL);
        }

        KeyResultLength = (ULONG)KeyValueInfoLength;
        Status = RtlpCallQueryRegistryRoutine( QueryTable,
                                               KeyValueInformation,
                                               &KeyResultLength,
                                               Context,
                                               Environment
                                             );
1: kd> t
Breakpoint 0 hit
eax=f789a61c ebx=00000082 ecx=00000008 edx=80a3dd5d esi=e1285898 edi=f789a680
eip=80d64758 esp=f789a5c0 ebp=f789a620 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!RtlpCallQueryRegistryRoutine:
80d64758 55 push ebp
1: kd> dv
QueryTable = 0xf789a680
KeyValueInformation = 0xe1285898
PKeyValueInfoLength = 0xf789a61c
Context = 0x00000000
Environment = 0x00000000
KeyValueInfoLength = 0xf789a620
Status = 0n0
ValueData = 0xe1285898
ValueType = 8
EndFreeMem = 0x00000008 "--- memory read error at address 0x00000008 ---"
ValueName = 0x80d64758
s = 0x00000000
FreeMemSize = 0n0
ValueSpaceNeeded = 0n-517449576
ValueEnd = 0x00000000
Source = ""
RequiredLength = 0
Destination = struct _UNICODE_STRING "--- memory read error at address 0x00000082 ---"
1: kd> dx -r1 ((ntkrnlmp!_KEY_VALUE_FULL_INFORMATION *)0xe1285898)
((ntkrnlmp!_KEY_VALUE_FULL_INFORMATION *)0xe1285898) : 0xe1285898 [Type: _KEY_VALUE_FULL_INFORMATION *]
[+0x000] TitleIndex : 0x0 [Type: unsigned long]
[+0x004] Type : 0x4 [Type: unsigned long]
[+0x008] DataOffset : 0x2c [Type: unsigned long]
[+0x00c] DataLength : 0x4 [Type: unsigned long]
[+0x010] NameLength : 0x18 [Type: unsigned long]
[+0x014] Name [Type: unsigned short [1]]
1: kd> dx -r1 (*((ntkrnlmp!unsigned short (*)[1])0xe12858ac))
(*((ntkrnlmp!unsigned short (*)[1])0xe12858ac)) [Type: unsigned short [1]]
[0] : 0x53 [Type: unsigned short]
1: kd> db 0xe12858ac
e12858ac 53 00 74 00 61 00 6e 00-64 00 61 00 72 00 64 00 S.t.a.n.d.a.r.d.
e12858bc 42 00 69 00 61 00 73 00-00 00 00 00 63 00 69 00 B.i.a.s.....c.i.
e12858cc 66 00 69 00 63 00 20 00-53 00 74 00 61 00 6e 00 f.i.c. .S.t.a.n.
e12858dc 64 00 61 00 72 00 64 00-20 00 54 00 69 00 6d 00 d.a.r.d. .T.i.m.
e12858ec 65 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 e...............
e12858fc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e128590c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e128591c 00 00 00 00 12 08 25 04-4f 62 53 71 50 5a 28 e1 ......%.ObSqPZ(.
1: kd> gu
eax=00000000 ebx=00000082 ecx=00000000 edx=00000004 esi=e1285898 edi=f789a680
eip=80d64ed5 esp=f789a5d8 ebp=f789a620 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000217
nt!RtlQueryRegistryValues+0x2db:
80d64ed5 3d230000c0 cmp eax,0C0000023h
1: kd> t
Breakpoint 0 hit
eax=f789a61c ebx=00000082 ecx=00000008 edx=80a3dd5d esi=e1285898 edi=f789a69c
eip=80d64758 esp=f789a5c0 ebp=f789a620 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
nt!RtlpCallQueryRegistryRoutine:
80d64758 55 push ebp
1: kd> dv
QueryTable = 0xf789a69c
KeyValueInformation = 0xe1285898
PKeyValueInfoLength = 0xf789a61c
Context = 0x00000000
Environment = 0x00000000
KeyValueInfoLength = 0xf789a620
Status = 0n0
ValueData = 0xe1285898
ValueType = 8
EndFreeMem = 0x00000008 "--- memory read error at address 0x00000008 ---"
ValueName = 0x80d64758
s = 0x00000000
FreeMemSize = 0n0
ValueSpaceNeeded = 0n-517449576
ValueEnd = 0x00000000
Source = ""
RequiredLength = 0
Destination = struct _UNICODE_STRING "--- memory read error at address 0x00000082 ---"
1: kd> dx -r1 ((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a69c)
((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a69c) : 0xf789a69c [Type: _RTL_QUERY_REGISTRY_TABLE *]
[+0x000] QueryRoutine : 0x0 [Type: long (*)(unsigned short *,unsigned long,void *,unsigned long,void *,void *)]
[+0x004] Flags : 0x20 [Type: unsigned long]
[+0x008] Name : 0x80dd6c54 : 0x53 [Type: unsigned short *]
[+0x00c] EntryContext : 0xf789a794 [Type: void *]
[+0x010] DefaultType : 0x0 [Type: unsigned long]
[+0x014] DefaultData : 0x0 [Type: void *]
[+0x018] DefaultLength : 0x0 [Type: unsigned long]
1: kd> db 0x80dd6c54
80dd6c54 53 00 74 00 61 00 6e 00-64 00 61 00 72 00 64 00 S.t.a.n.d.a.r.d.
80dd6c64 53 00 74 00 61 00 72 00-74 00 00 00 44 00 61 00 S.t.a.r.t...D.a.
80dd6c74 79 00 6c 00 69 00 67 00-68 00 74 00 4e 00 61 00 y.l.i.g.h.t.N.a.
80dd6c84 6d 00 65 00 00 00 00 00-44 00 61 00 79 00 6c 00 m.e.....D.a.y.l.
80dd6c94 69 00 67 00 68 00 74 00-42 00 69 00 61 00 73 00 i.g.h.t.B.i.a.s.
80dd6ca4 00 00 00 00 44 00 61 00-79 00 6c 00 69 00 67 00 ....D.a.y.l.i.g.
80dd6cb4 68 00 74 00 53 00 74 00-61 00 72 00 74 00 00 00 h.t.S.t.a.r.t...
80dd6cc4 00 00 00 00 7b 00 25 00-30 00 38 00 6c 00 78 00 ....{.%.0.8.l.x.
1: kd> gu
eax=00000000 ebx=00000082 ecx=00000000 edx=00000003 esi=e1285898 edi=f789a69c
eip=80d64ed5 esp=f789a5d8 ebp=f789a620 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000217
nt!RtlQueryRegistryValues+0x2db:
80d64ed5 3d230000c0 cmp eax,0C0000023h
1: kd> t
Breakpoint 0 hit
eax=f789a61c ebx=00000082 ecx=00000008 edx=80a3dd5d esi=e1285898 edi=f789a6b8
eip=80d64758 esp=f789a5c0 ebp=f789a620 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
nt!RtlpCallQueryRegistryRoutine:
80d64758 55 push ebp
1: kd> dv
QueryTable = 0xf789a6b8
KeyValueInformation = 0xe1285898
PKeyValueInfoLength = 0xf789a61c
Context = 0x00000000
Environment = 0x00000000
KeyValueInfoLength = 0xf789a620
Status = 0n0
ValueData = 0xe1285898
ValueType = 8
EndFreeMem = 0x00000008 "--- memory read error at address 0x00000008 ---"
ValueName = 0x80d64758
s = 0x00000000
FreeMemSize = 0n0
ValueSpaceNeeded = 0n-517449576
ValueEnd = 0x00000000
Source = ""
RequiredLength = 0
Destination = struct _UNICODE_STRING "--- memory read error at address 0x00000082 ---"
1: kd> dx -r1 ((ntkrnlmp!_KEY_VALUE_FULL_INFORMATION *)0xe1285898)
((ntkrnlmp!_KEY_VALUE_FULL_INFORMATION *)0xe1285898) : 0xe1285898 [Type: _KEY_VALUE_FULL_INFORMATION *]
[+0x000] TitleIndex : 0x0 [Type: unsigned long]
[+0x004] Type : 0x1 [Type: unsigned long]
[+0x008] DataOffset : 0x2c [Type: unsigned long]
[+0x00c] DataLength : 0x2c [Type: unsigned long]
[+0x010] NameLength : 0x18 [Type: unsigned long]
[+0x014] Name [Type: unsigned short [1]]
1: kd> dx -r1 ((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a6b8)
((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a6b8) : 0xf789a6b8 [Type: _RTL_QUERY_REGISTRY_TABLE *]
[+0x000] QueryRoutine : 0x0 [Type: long (*)(unsigned short *,unsigned long,void *,unsigned long,void *,void *)]
[+0x004] Flags : 0x20 [Type: unsigned long]
[+0x008] Name : 0x80dd6c70 : 0x44 [Type: unsigned short *]
[+0x00c] EntryContext : 0xf789a728 [Type: void *]
[+0x010] DefaultType : 0x0 [Type: unsigned long]
[+0x014] DefaultData : 0x0 [Type: void *]
[+0x018] DefaultLength : 0x0 [Type: unsigned long]
1: kd> db 0x80dd6c70
80dd6c70 44 00 61 00 79 00 6c 00-69 00 67 00 68 00 74 00 D.a.y.l.i.g.h.t.
80dd6c80 4e 00 61 00 6d 00 65 00-00 00 00 00 44 00 61 00 N.a.m.e.....D.a.
80dd6c90 79 00 6c 00 69 00 67 00-68 00 74 00 42 00 69 00 y.l.i.g.h.t.B.i.
80dd6ca0 61 00 73 00 00 00 00 00-44 00 61 00 79 00 6c 00 a.s.....D.a.y.l.
80dd6cb0 69 00 67 00 68 00 74 00-53 00 74 00 61 00 72 00 i.g.h.t.S.t.a.r.
80dd6cc0 74 00 00 00 00 00 00 00-7b 00 25 00 30 00 38 00 t.......{.%.0.8.
80dd6cd0 6c 00 78 00 2d 00 25 00-30 00 34 00 78 00 2d 00 l.x.-.%.0.4.x.-.
80dd6ce0 25 00 30 00 34 00 78 00-2d 00 25 00 30 00 32 00 %.0.4.x.-.%.0.2.
1: kd> gu
eax=00000000 ebx=00000082 ecx=00000000 edx=00000001 esi=e1285898 edi=f789a6b8
eip=80d64ed5 esp=f789a5d8 ebp=f789a620 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000217
nt!RtlQueryRegistryValues+0x2db:
80d64ed5 3d230000c0 cmp eax,0C0000023h
1: kd> t
Breakpoint 0 hit
eax=f789a61c ebx=00000082 ecx=00000008 edx=80a3dd5d esi=e1285898 edi=f789a6d4
eip=80d64758 esp=f789a5c0 ebp=f789a620 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
nt!RtlpCallQueryRegistryRoutine:
80d64758 55 push ebp
1: kd> dv
QueryTable = 0xf789a6d4
KeyValueInformation = 0xe1285898
PKeyValueInfoLength = 0xf789a61c
Context = 0x00000000
Environment = 0x00000000
KeyValueInfoLength = 0xf789a620
Status = 0n0
ValueData = 0xe1285898
ValueType = 8
EndFreeMem = 0x00000008 "--- memory read error at address 0x00000008 ---"
ValueName = 0x80d64758
s = 0x00000000
FreeMemSize = 0n0
ValueSpaceNeeded = 0n-517449576
ValueEnd = 0x00000000
Source = ""
RequiredLength = 0
Destination = struct _UNICODE_STRING "--- memory read error at address 0x00000082 ---"
1: kd> dx -r1 ((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a6d4)
((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a6d4) : 0xf789a6d4 [Type: _RTL_QUERY_REGISTRY_TABLE *]
[+0x000] QueryRoutine : 0x0 [Type: long (*)(unsigned short *,unsigned long,void *,unsigned long,void *,void *)]
[+0x004] Flags : 0x20 [Type: unsigned long]
[+0x008] Name : 0x80dd6c8c : 0x44 [Type: unsigned short *]
[+0x00c] EntryContext : 0xf789a7f8 [Type: void *]
[+0x010] DefaultType : 0x0 [Type: unsigned long]
[+0x014] DefaultData : 0x0 [Type: void *]
[+0x018] DefaultLength : 0x0 [Type: unsigned long]
1: kd> db 0x80dd6c8c
80dd6c8c 44 00 61 00 79 00 6c 00-69 00 67 00 68 00 74 00 D.a.y.l.i.g.h.t.
80dd6c9c 42 00 69 00 61 00 73 00-00 00 00 00 44 00 61 00 B.i.a.s.....D.a.
80dd6cac 79 00 6c 00 69 00 67 00-68 00 74 00 53 00 74 00 y.l.i.g.h.t.S.t.
80dd6cbc 61 00 72 00 74 00 00 00-00 00 00 00 7b 00 25 00 a.r.t.......{.%.
80dd6ccc 30 00 38 00 6c 00 78 00-2d 00 25 00 30 00 34 00 0.8.l.x.-.%.0.4.
80dd6cdc 78 00 2d 00 25 00 30 00-34 00 78 00 2d 00 25 00 x.-.%.0.4.x.-.%.
80dd6cec 30 00 32 00 78 00 25 00-30 00 32 00 78 00 2d 00 0.2.x.%.0.2.x.-.
80dd6cfc 25 00 30 00 32 00 78 00-25 00 30 00 32 00 78 00 %.0.2.x.%.0.2.x.
1: kd> gu
eax=00000000 ebx=00000082 ecx=00000000 edx=00000004 esi=e1285898 edi=f789a6d4
eip=80d64ed5 esp=f789a5d8 ebp=f789a620 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000217
nt!RtlQueryRegistryValues+0x2db:
80d64ed5 3d230000c0 cmp eax,0C0000023h
1: kd> t
Breakpoint 0 hit
eax=f789a61c ebx=00000082 ecx=00000008 edx=80a3dd5d esi=e1285898 edi=f789a6f0
eip=80d64758 esp=f789a5c0 ebp=f789a620 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
nt!RtlpCallQueryRegistryRoutine:
80d64758 55 push ebp
1: kd> dv
QueryTable = 0xf789a6f0
KeyValueInformation = 0xe1285898
PKeyValueInfoLength = 0xf789a61c
Context = 0x00000000
Environment = 0x00000000
KeyValueInfoLength = 0xf789a620
Status = 0n0
ValueData = 0xe1285898
ValueType = 8
EndFreeMem = 0x00000008 "--- memory read error at address 0x00000008 ---"
ValueName = 0x80d64758
s = 0x00000000
FreeMemSize = 0n0
ValueSpaceNeeded = 0n-517449576
ValueEnd = 0x00000000
Source = ""
RequiredLength = 0
Destination = struct _UNICODE_STRING "--- memory read error at address 0x00000082 ---"
1: kd> dx -r1 ((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a6f0)
((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a6f0) : 0xf789a6f0 [Type: _RTL_QUERY_REGISTRY_TABLE *]
[+0x000] QueryRoutine : 0x0 [Type: long (*)(unsigned short *,unsigned long,void *,unsigned long,void *,void *)]
[+0x004] Flags : 0x20 [Type: unsigned long]
[+0x008] Name : 0x80dd6ca8 : 0x44 [Type: unsigned short *]
[+0x00c] EntryContext : 0xf789a7e8 [Type: void *]
[+0x010] DefaultType : 0x0 [Type: unsigned long]
[+0x014] DefaultData : 0x0 [Type: void *]
[+0x018] DefaultLength : 0x0 [Type: unsigned long]
1: kd> db 0x80dd6ca8
80dd6ca8 44 00 61 00 79 00 6c 00-69 00 67 00 68 00 74 00 D.a.y.l.i.g.h.t.
80dd6cb8 53 00 74 00 61 00 72 00-74 00 00 00 00 00 00 00 S.t.a.r.t.......
80dd6cc8 7b 00 25 00 30 00 38 00-6c 00 78 00 2d 00 25 00 {.%.0.8.l.x.-.%.
80dd6cd8 30 00 34 00 78 00 2d 00-25 00 30 00 34 00 78 00 0.4.x.-.%.0.4.x.
80dd6ce8 2d 00 25 00 30 00 32 00-78 00 25 00 30 00 32 00 -.%.0.2.x.%.0.2.
80dd6cf8 78 00 2d 00 25 00 30 00-32 00 78 00 25 00 30 00 x.-.%.0.2.x.%.0.
80dd6d08 32 00 78 00 25 00 30 00-32 00 78 00 25 00 30 00 2.x.%.0.2.x.%.0.
80dd6d18 32 00 78 00 25 00 30 00-32 00 78 00 25 00 30 00 2.x.%.0.2.x.%.0.
1: kd> gu
eax=00000000 ebx=00000082 ecx=00000000 edx=00000003 esi=e1285898 edi=f789a6f0
eip=80d64ed5 esp=f789a5d8 ebp=f789a620 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000217
nt!RtlQueryRegistryValues+0x2db:
80d64ed5 3d230000c0 cmp eax,0C0000023h
1: kd> gu
eax=00000000 ebx=00000000 ecx=00010001 edx=00000000 esi=fffffff0 edi=f789a728
eip=80d654ed esp=f789a63c ebp=f789a73c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!RtlQueryTimeZoneInformation+0x141:
80d654ed ff75fc push dword ptr [ebp-4] ss:0010:f789a738=80000398
1: kd> dv
TimeZoneInformation = 0xf789a750
Key = 0x80000398
DaylightName = "Pacific Daylight Time"
StandardName = "Pacific Standard Time"
RegistryConfigurationTable = struct _RTL_QUERY_REGISTRY_TABLE [8]
1: kd> dx -r1 ((ntkrnlmp!_RTL_TIME_ZONE_INFORMATION *)0xf789a750)
((ntkrnlmp!_RTL_TIME_ZONE_INFORMATION *)0xf789a750) : 0xf789a750 [Type: _RTL_TIME_ZONE_INFORMATION *]
[+0x000] Bias : 480 [Type: long]
[+0x004] StandardName [Type: unsigned short [32]]
[+0x044] StandardStart [Type: _TIME_FIELDS]
[+0x054] StandardBias : 0 [Type: long]
[+0x058] DaylightName [Type: unsigned short [32]]
[+0x098] DaylightStart [Type: _TIME_FIELDS]
[+0x0a8] DaylightBias : -60 [Type: long]
1: kd> dx -r1 (*((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE (*)[8])0xf789a648))
(*((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE (*)[8])0xf789a648)) [Type: _RTL_QUERY_REGISTRY_TABLE [8]]
[0] [Type: _RTL_QUERY_REGISTRY_TABLE]
[1] [Type: _RTL_QUERY_REGISTRY_TABLE]
[2] [Type: _RTL_QUERY_REGISTRY_TABLE]
[3] [Type: _RTL_QUERY_REGISTRY_TABLE]
[4] [Type: _RTL_QUERY_REGISTRY_TABLE]
[5] [Type: _RTL_QUERY_REGISTRY_TABLE]
[6] [Type: _RTL_QUERY_REGISTRY_TABLE]
[7] [Type: _RTL_QUERY_REGISTRY_TABLE]
1: kd> dx -r1 (*((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a648))
(*((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a648)) [Type: _RTL_QUERY_REGISTRY_TABLE]
[+0x000] QueryRoutine : 0x0 [Type: long (*)(unsigned short *,unsigned long,void *,unsigned long,void *,void *)]
[+0x004] Flags : 0x20 [Type: unsigned long]
[+0x008] Name : 0x80dd6c10 : 0x42 [Type: unsigned short *]
[+0x00c] EntryContext : 0xf789a750 [Type: void *]
[+0x010] DefaultType : 0x0 [Type: unsigned long]
[+0x014] DefaultData : 0x0 [Type: void *]
[+0x018] DefaultLength : 0x0 [Type: unsigned long]
1: kd> dx -r1 (*((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a664))
(*((ntkrnlmp!_RTL_QUERY_REGISTRY_TABLE *)0xf789a664)) [Type: _RTL_QUERY_REGISTRY_TABLE]
[+0x000] QueryRoutine : 0x0 [Type: long (*)(unsigned short *,unsigned long,void *,unsigned long,void *,void *)]
[+0x004] Flags : 0x20 [Type: unsigned long]
[+0x008] Name : 0x80dd6c1c : 0x53 [Type: unsigned short *]
[+0x00c] EntryContext : 0xf789a730 [Type: void *]
[+0x010] DefaultType : 0x0 [Type: unsigned long]
[+0x014] DefaultData : 0x0 [Type: void *]
[+0x018] DefaultLength : 0x0 [Type: unsigned long]
1: kd> dx -r1 (*((ntkrnlmp!unsigned short (*)[32])0xf789a754))
(*((ntkrnlmp!unsigned short (*)[32])0xf789a754)) [Type: unsigned short [32]]
[0] : 0x50 [Type: unsigned short]
[1] : 0x61 [Type: unsigned short]
[2] : 0x63 [Type: unsigned short]
[3] : 0x69 [Type: unsigned short]
[4] : 0x66 [Type: unsigned short]
[5] : 0x69 [Type: unsigned short]
[6] : 0x63 [Type: unsigned short]
[7] : 0x20 [Type: unsigned short]
[8] : 0x53 [Type: unsigned short]
[9] : 0x74 [Type: unsigned short]
[10] : 0x61 [Type: unsigned short]
[11] : 0x6e [Type: unsigned short]
[12] : 0x64 [Type: unsigned short]
[13] : 0x61 [Type: unsigned short]
[14] : 0x72 [Type: unsigned short]
[15] : 0x64 [Type: unsigned short]
[16] : 0x20 [Type: unsigned short]
[17] : 0x54 [Type: unsigned short]
[18] : 0x69 [Type: unsigned short]
[19] : 0x6d [Type: unsigned short]
[20] : 0x65 [Type: unsigned short]
[21] : 0x0 [Type: unsigned short]
[22] : 0x0 [Type: unsigned short]
[23] : 0x0 [Type: unsigned short]
[24] : 0x0 [Type: unsigned short]
[25] : 0x0 [Type: unsigned short]
[26] : 0x0 [Type: unsigned short]
[27] : 0x0 [Type: unsigned short]
[28] : 0x0 [Type: unsigned short]
[29] : 0x0 [Type: unsigned short]
[30] : 0x0 [Type: unsigned short]
[31] : 0x0 [Type: unsigned short]
1: kd> db 0xf789a754
f789a754 50 00 61 00 63 00 69 00-66 00 69 00 63 00 20 00 P.a.c.i.f.i.c. .
f789a764 53 00 74 00 61 00 6e 00-64 00 61 00 72 00 64 00 S.t.a.n.d.a.r.d.
f789a774 20 00 54 00 69 00 6d 00-65 00 00 00 00 00 00 00 .T.i.m.e.......
f789a784 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f789a794 00 00 0a 00 05 00 02 00-00 00 00 00 00 00 00 00 ................
f789a7a4 00 00 00 00 50 00 61 00-63 00 69 00 66 00 69 00 ....P.a.c.i.f.i.
f789a7b4 63 00 20 00 44 00 61 00-79 00 6c 00 69 00 67 00 c. .D.a.y.l.i.g.
f789a7c4 68 00 74 00 20 00 54 00-69 00 6d 00 65 00 00 00 h.t. .T.i.m.e...
1: kd> dx -r1 (*((ntkrnlmp!_TIME_FIELDS *)0xf789a794))
(*((ntkrnlmp!_TIME_FIELDS *)0xf789a794)) [Type: _TIME_FIELDS]
[+0x000] Year : 0 [Type: short]
[+0x002] Month : 10 [Type: short]
[+0x004] Day : 5 [Type: short]
[+0x006] Hour : 2 [Type: short]
[+0x008] Minute : 0 [Type: short]
[+0x00a] Second : 0 [Type: short]
[+0x00c] Milliseconds : 0 [Type: short]
[+0x00e] Weekday : 0 [Type: short]
1: kd> dx -r1 (*((ntkrnlmp!_TIME_FIELDS *)0xf789a7e8))
(*((ntkrnlmp!_TIME_FIELDS *)0xf789a7e8)) [Type: _TIME_FIELDS]
[+0x000] Year : 0 [Type: short]
[+0x002] Month : 4 [Type: short]
[+0x004] Day : 1 [Type: short]
[+0x006] Hour : 2 [Type: short]
[+0x008] Minute : 0 [Type: short]
[+0x00a] Second : 0 [Type: short]
[+0x00c] Milliseconds : 0 [Type: short]
[+0x00e] Weekday : 0 [Type: short]
1: kd> dx -r1 (*((ntkrnlmp!unsigned short (*)[32])0xf789a7a8))
(*((ntkrnlmp!unsigned short (*)[32])0xf789a7a8)) [Type: unsigned short [32]]
[0] : 0x50 [Type: unsigned short]
[1] : 0x61 [Type: unsigned short]
[2] : 0x63 [Type: unsigned short]
[3] : 0x69 [Type: unsigned short]
[4] : 0x66 [Type: unsigned short]
[5] : 0x69 [Type: unsigned short]
[6] : 0x63 [Type: unsigned short]
[7] : 0x20 [Type: unsigned short]
[8] : 0x44 [Type: unsigned short]
[9] : 0x61 [Type: unsigned short]
[10] : 0x79 [Type: unsigned short]
[11] : 0x6c [Type: unsigned short]
[12] : 0x69 [Type: unsigned short]
[13] : 0x67 [Type: unsigned short]
[14] : 0x68 [Type: unsigned short]
[15] : 0x74 [Type: unsigned short]
[16] : 0x20 [Type: unsigned short]
[17] : 0x54 [Type: unsigned short]
[18] : 0x69 [Type: unsigned short]
[19] : 0x6d [Type: unsigned short]
[20] : 0x65 [Type: unsigned short]
[21] : 0x0 [Type: unsigned short]
[22] : 0x0 [Type: unsigned short]
[23] : 0x0 [Type: unsigned short]
[24] : 0x0 [Type: unsigned short]
[25] : 0x0 [Type: unsigned short]
[26] : 0x0 [Type: unsigned short]
[27] : 0x0 [Type: unsigned short]
[28] : 0x0 [Type: unsigned short]
[29] : 0x0 [Type: unsigned short]
[30] : 0x0 [Type: unsigned short]
[31] : 0x0 [Type: unsigned short]
1: kd> db 0xf789a7a8
f789a7a8 50 00 61 00 63 00 69 00-66 00 69 00 63 00 20 00 P.a.c.i.f.i.c. .
f789a7b8 44 00 61 00 79 00 6c 00-69 00 67 00 68 00 74 00 D.a.y.l.i.g.h.t.
f789a7c8 20 00 54 00 69 00 6d 00-65 00 00 00 00 00 00 00 .T.i.m.e.......
f789a7d8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f789a7e8 00 00 04 00 01 00 02 00-00 00 00 00 00 00 00 00 ................
1: kd> dv
TimeZoneInformation = 0xf789a750
Key = 0x80000398
DaylightName = "Pacific Daylight Time"
StandardName = "Pacific Standard Time"
RegistryConfigurationTable = struct _RTL_QUERY_REGISTRY_TABLE [8]
1: kd> !handle 398
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 8.
Image: System
Kernel handle table at e1000e38 with 8 entries in use
0398: Object: e126d170 GrantedAccess: 000f003f Entry: e1004730
Object: e126d170 Type: (89996048) Key
ObjectHeader: e126d158 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\TIMEZONEINFORMATION