On Win2012R2 I have a winlogon.exe thread that calls CreateWindowStation().
USERMODE: break at user32!NtUserCreateWindowStation
USERMODE: !gle: 0
USERMODE: step over syscall for NtUserCreateWindowStation
KERNMODE: break at win32k!NtUserCreateWindowStation
KERNMODE: !gle: 0
KERNMODE: step out of win32k!NtUserCreateWindowStation
KERNMODE: !gle: 0
USERMODE: break on instruction after syscall (ret)
USERMODE: !gle: 8 (ERROR_NO_MEMORY)
LastErrorValue: (Win32) 0x8 (8) - Not enough storage is available to process this command.
LastStatusValue: (NTSTATUS) 0xc0000017 - {Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.
Can anyone give a pointer or otherwise shed light on how or where this
error occurs? My goal is to figure out why the call fails, but I don’t
understand where it comes from.
Thanks!
-Nathan
On 12/01/18 11:22 AM, xxxxx@spicycrypto.ca wrote:
> On Win2012R2 I have a winlogon.exe thread that calls CreateWindowStation().
> USERMODE: break at user32!NtUserCreateWindowStation
> USERMODE: !gle: 0
> USERMODE: step over syscall for NtUserCreateWindowStation
> KERNMODE: break at win32k!NtUserCreateWindowStation
> KERNMODE: !gle: 0
> KERNMODE: step out of win32k!NtUserCreateWindowStation
> KERNMODE: !gle: 0
> USERMODE: break on instruction after syscall (ret)
> USERMODE: !gle: 8 (ERROR_NO_MEMORY)
> LastErrorValue: (Win32) 0x8 (8) - Not enough storage is available to process this command.
> LastStatusValue: (NTSTATUS) 0xc0000017 - {Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.
> Can anyone give a pointer or otherwise shed light on how or where this
> error occurs?
Answer: !gle isn’t strictly reliable in kernel mode. Instead, break on
win32k!UserSetLastError and look at rcx. (Which, curiously, may cause
!gle to return the expected error value.)
-Nathan