Owning Process vs Attached Process

A change was made to Windows around the Server 2003 timeframe that can make for some confusing information in the !thread output. Specifically, I’m referring to the Owning Process and Attached Process fields:

[image: !thread output from an XP machine showing the Owning Process and Attached Process fields]

The above output is from an XP machine and indicates that no information is available for the process that currently owns this thread, but the thread is attached to the System process. Let’s compare that with a similar thread from a Win7 machine:

[image: !thread output from a Win7 machine for a similar thread]

On the Win7 machine, the information is switched! So, this indicates to us that the owning process is the System process and the thread is not attached to any process. What’s the deal? Are these threads running under different circumstances or is the debugger showing us bogus information?

Well, what happened is that the KTHREAD changed and WinDBG was updated to reflect the new layout. The result is that the output is a little misleading on older platforms.

Prior to Server 2003, the kernel only tracked the process a thread was attached to. Threads start out attached to the process that they were created for, but the O/S and drivers are able to temporarily attach a thread to another process with KeStackAttachProcess. While attached to another process, a thread runs under the context of that process and is able to reference that process’ handles, virtual address space, etc. Because the KTHREAD didn’t have a field that pointed directly to the process that the thread was originally created for, there was only one process to show in the !thread output. This is reflected in the example output shown in the !thread documentation, which was clearly captured from an older debugger version that made no mention of the Attached Process:

[image: older !thread output from the documentation, showing a single process line and no Attached Process field]

On Server 2003 and later, the KTHREAD keeps track of the original process that the thread was created for. This is what !thread is trying to leverage, showing both the Owning Process (process that the thread was originally created for) and Attached Process (the process under which the thread is currently running).

If you run !thread on a Server 2003 and later target, the Owning Process will show the process that the thread was created for and Attached Process will be NULL if the thread isn’t currently running under a different process context.

However, if you run !thread on XP, the extension will get an error when trying to get the owning process field from the KTHREAD. The way that !thread reports this to you is by showing <Unknown> in the output. The extension will then check the attached process info and get a valid result (since that’s all XP tracks). The output will then show the Attached Process information as being valid.

It’s also interesting to note that, as the name implies, KeStackAttachProcess calls can be nested. Unfortunately, on no version of Windows does the !thread output try to traverse the “stack” of processes that this thread is currently attached to; every version just shows the current one.
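To make the nesting concrete, here is an added user-mode model (not code from the original post, and not the real kernel structures): the thread keeps only its owning process and its current context, and each attach saves the previous context in a caller-owned save area, so nothing on the thread itself records the intermediate attaches. The caller-supplied KAPC_STATE parameter is part of the real KeStackAttachProcess signature; the field names and layout below are assumptions for illustration.

```c
/* Model of how a thread's current process and the attach "stack" are kept.
 * Field names are assumptions loosely modelled on KTHREAD / KAPC_STATE. */
#include <stddef.h>
#include <string.h>

typedef struct { const char *name; } Process;

/* Like KAPC_STATE: a save area owned by the caller of the attach. */
typedef struct { Process *process; int attached; } ApcState;

/* Like KTHREAD (2003+): the original process and the current context only.
 * No list of previously attached processes exists on the thread. */
typedef struct {
    Process *owning;   /* process the thread was created for */
    ApcState apc;      /* context the thread is currently running under */
} Thread;

Thread MakeThread(Process *owner) { Thread t = { owner, { owner, 0 } }; return t; }

/* Model of KeStackAttachProcess: previous context goes to the CALLER's area. */
void StackAttach(Thread *t, Process *p, ApcState *saved) {
    *saved = t->apc;
    t->apc.process  = p;
    t->apc.attached = (p != t->owning);
}
/* Model of KeUnstackDetachProcess: restore whatever the caller saved. */
void UnstackDetach(Thread *t, const ApcState *saved) { t->apc = *saved; }

/* What a 2003+ !thread can report from the thread alone. */
const char *OwningName(const Thread *t)   { return t->owning->name; }
const char *AttachedName(const Thread *t) { return t->apc.attached ? t->apc.process->name : NULL; }

/* Attach to a, then b: while both are active only b is visible; a lives in s1. */
int nested_attach_demo(Thread *t, Process *a, Process *b) {
    ApcState s1, s2;
    StackAttach(t, a, &s1);
    StackAttach(t, b, &s2);
    int inner_is_b  = strcmp(AttachedName(t), b->name) == 0;   /* a not reachable here */
    UnstackDetach(t, &s2);
    int middle_is_a = strcmp(AttachedName(t), a->name) == 0;
    UnstackDetach(t, &s1);
    return inner_is_b && middle_is_a && AttachedName(t) == NULL;  /* returns 1 */
}

/* Constructed sample: a System thread nested into two other processes. */
int demo(void) {
    Process sys = { "System" }, a = { "csrss.exe" }, b = { "lsass.exe" };
    Thread t = MakeThread(&sys);
    return strcmp(OwningName(&t), "System") == 0 && AttachedName(&t) == NULL
        && nested_attach_demo(&t, &a, &b) && AttachedName(&t) == NULL;
}
```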
