none
Process Explorer not displaying the 32-bit stack for 32-bit processes on Win10 x64 RRS feed

  • Question

  • Hi, if I use Process Explorer to view the call stacks of 32-bit processes on my 64-bit Windows 10 system, Process Explorer only shows the 64-bit (upper) part of the call stack and not the more interesting (lower) 32-bit part. For example, the call stack of the main thread of a 32-bit wmplayer.exe process shows:

    ntoskrnl.exe!KiSwapContext+0x76
    ntoskrnl.exe!KiSwapThread+0x2c6
    ntoskrnl.exe!KiCommitThreadWait+0x13b
    ntoskrnl.exe!KeWaitForSingleObject+0x1ff
    ntoskrnl.exe!KiSchedulerApc+0x30a
    ntoskrnl.exe!KiDeliverApc+0x27b
    ntoskrnl.exe!KiSwapThread+0x501
    ntoskrnl.exe!KiCommitThreadWait+0x13b
    ntoskrnl.exe!KeWaitForSingleObject+0x1ff
    ntoskrnl.exe!KeWaitForMultipleObjects+0x4b5
    win32kfull.sys!xxxRealSleepThread+0x32a
    win32kfull.sys!xxxSleepThread2+0xa0
    win32kfull.sys!xxxRealInternalGetMessage+0xf19
    win32kfull.sys!NtUserGetMessage+0x8c
    ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
    wow64win.dll!NtUserGetMessage+0x14
    wow64win.dll!whNtUserGetMessage+0x30
    wow64.dll!Wow64SystemServiceEx+0x153
    wow64cpu.dll!ServiceNoTurbo+0xb
    wow64cpu.dll!BTCpuSimulate+0x9
    wow64.dll!RunCpuSimulation+0xa
    wow64.dll!Wow64LdrpInitialize+0x120
    ntdll.dll!LdrpInitializeProcess+0x1887
    ntdll.dll!_LdrpInitialize+0x4aa45
    ntdll.dll!LdrpInitialize+0x3b
    ntdll.dll!LdrInitializeThunk+0xe
    0x0000000000000000

    Whereas the call stack for a 64-bit wmplayer.exe process (C:\Program Files\Windows Media Player\wmplayer.exe) is complete and also contains the calls in application code:

    ntoskrnl.exe!KiSwapContext+0x76
    ntoskrnl.exe!KiSwapThread+0x2c6
    ntoskrnl.exe!KiCommitThreadWait+0x13b
    ntoskrnl.exe!KeWaitForSingleObject+0x1ff
    ntoskrnl.exe!KiSchedulerApc+0x30a
    ntoskrnl.exe!KiDeliverApc+0x27b
    ntoskrnl.exe!KiSwapThread+0x501
    ntoskrnl.exe!KiCommitThreadWait+0x13b
    ntoskrnl.exe!KeWaitForSingleObject+0x1ff
    ntoskrnl.exe!KeWaitForMultipleObjects+0x4b5
    win32kfull.sys!xxxRealSleepThread+0x32a
    win32kfull.sys!xxxSleepThread2+0xa0
    win32kfull.sys!xxxRealInternalGetMessage+0xf19
    win32kfull.sys!NtUserGetMessage+0x8c
    ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
    win32u.dll!NtUserGetMessage+0x14
    USER32.dll!GetMessageW+0x2b
    wmp.dll!Ordinal3002+0x731
    wmp.dll!Ordinal3002+0x65f
    wmp.dll!Ordinal3000+0x12e
    wmplayer.exe!_PlayerEntry+0x747
    KERNEL32.DLL!BaseThreadInitThunk+0x14
    ntdll.dll!RtlUserThreadStart+0x21

    If I would have to guess I would say that it's the 0x0000000000000000 address in the first stack that is preventing Process Explorer from going further down the 32-bit part, but I'm not 100% sure of that. How can I make Process Explorer show the 32-bit stack for 32-bit processes?

    Some more info about my setup:

    Windows 10 version 1803 build 17134.556
    Windows SDK 10.0.17763.132 installed

    Process Explorer version 16.22

    Symbol configuration:
    Dbghelp.dll path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll
    Symbols path: symsrv*symsrv.dll*C:\LocalSymbols*http://msdl.microsoft.com/download/symbols

    Thanks!

    Tim De Baets
    http://www.bm-productions.tk

    Wednesday, February 6, 2019 8:09 PM

All replies

  • Update: on another forum, someone suggested to try Process Hacker instead. That application does show the expected, 32-bit stacks. For the main thread of 32-bit wmplayer.exe, Process Hacker displays:

    0, wow64win.dll!NtUserGetMessage+0x14
    1, wow64win.dll!whNtUserGetMessage+0x30
    2, wow64.dll!Wow64SystemServiceEx+0x153
    3, wow64cpu.dll!ServiceNoTurbo+0xb
    4, wow64cpu.dll!BTCpuSimulate+0x9
    5, wow64.dll!RunCpuSimulation+0xa
    6, wow64.dll!Wow64LdrpInitialize+0x120
    7, ntdll.dll!LdrpInitializeProcess+0x1887
    8, ntdll.dll!_LdrpInitialize+0x4aa45
    9, ntdll.dll!LdrpInitialize+0x3b
    10, ntdll.dll!LdrInitializeThunk+0xe
    11, win32u.dll!NtUserGetMessage+0xc
    12, user32.dll!GetMessageW+0x30
    13, wmp.dll!DllGetClassObject+0x1bf48 (No unwind info)
    14, wmp.dll!DllGetClassObject+0x1bccb (No unwind info)
    15, wmp.dll!Ordinal3000+0x75 (No unwind info)
    16, wmplayer.exe!_PlayerEntry+0x4ff
    17, kernel32.dll!BaseThreadInitThunk+0x24
    18, ntdll.dll!__RtlUserThreadStart+0x2f
    19, ntdll.dll!_RtlUserThreadStart+0x1b

    I've also been able to confirm that the same issue occurs on a clean install of Windows 10 x64. That rules out a conflict with an existing driver or software on my system, and makes the theory of this being a bug in Process Explorer more and more likely. However, there doesn't appear to be any sign that this is going to get fixed anytime soon. Since I really need to be able to view 32-bit call stacks and Process Hacker still does this correctly, I see no other option but to stop using Process Explorer in favor of Process Hacker.


    Tim De Baets
    http://www.bm-productions.tk


    Thursday, March 7, 2019 9:07 PM
  • Thanks for reporting. I've added it to the ProcessExplorer backlog and will provide an update once this has been resolved

    MarkC(MSFT)

    Monday, April 1, 2019 9:27 AM