Information on the "Windows Memory Dump Analysis Service"
豊田孝's 「IT談話館」 | Request a Windows memory dump analysis

Windows System Analysis (2/4)

||1:lkd> vertarget
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff804`67c00000 PsLoadedModuleList = 0xfffff804`680480b0
Debug session time: Fri Nov  8 09:11:56.153 2019 (UTC + 9:00)
System Uptime: 3 days 13:56:07.992

+0xffffb50aaac68040	Type->02	Signer->07	Critical->0	SubsystemProcess->0	System
+0xffffb50aaadd6040	Type->02	Signer->07	Critical->0	SubsystemProcess->0	Registry
+0xffffb50aac9d6040	Type->01	Signer->06	Critical->1	SubsystemProcess->0	smss.exe
+0xffffb50aae7bf080	Type->01	Signer->06	Critical->1	SubsystemProcess->1	csrss.exe
+0xffffb50ab02a4080	Type->01	Signer->06	Critical->1	SubsystemProcess->0	wininit.exe
+0xffffb50ab02ab3c0	Type->01	Signer->06	Critical->1	SubsystemProcess->1	csrss.exe
+0xffffb50ab02ed2c0	Type->01	Signer->06	Critical->1	SubsystemProcess->0	services.exe
-0xffffb50ab02e90c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	lsass.exe
-0xffffb50ab035e080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0361080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	fontdrvhost.ex
+0xffffb50ab0366080	Type->00	Signer->00	Critical->1	SubsystemProcess->0	svchost.exe
-0xffffb50ab03a64c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	winlogon.exe
-0xffffb50ab0a32480	ProtectionLevel->00	Critical->0	SubsystemProcess->0	fontdrvhost.ex
+0xffffb50ab0a52440	Type->00	Signer->00	Critical->1	SubsystemProcess->0	svchost.exe
-0xffffb50ab0a65080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0aa5080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	dwm.exe
-0xffffb50ab0b53080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0ba1080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0bc6080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0bd5080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0bd4080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0c0b080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0c790c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0c87080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0d7a0c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0d7d080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0d7b080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
+0xffffb50ab0da2040	Type->02	Signer->07	Critical->0	SubsystemProcess->0	MemCompression
+0xffffb50ab0e06080	Type->00	Signer->00	Critical->1	SubsystemProcess->0	svchost.exe
-0xffffb50ab0e07080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0e1b080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0e19080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0e1a080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0e1e080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	WUDFHost.exe
-0xffffb50ab0e80080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0eb40c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0eef080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0ef3080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0ef4080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0f410c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0f97080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0fca080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1023080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab103f0c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaacca0c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaad2f080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaad1e080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaac620c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1168080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab11f50c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	spoolsv.exe
+0xffffb50ab1220080	Type->00	Signer->00	Critical->1	SubsystemProcess->0	svchost.exe
-0xffffb50ab0f2f080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab11f90c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	armsvc.exe
-0xffffb50ab1374300	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab136b0c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab131c080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1388080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1389080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1387080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab134e080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab13c1080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	mqsvc.exe
-0xffffb50ab13c5080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	SMSvcHost.exe
-0xffffb50ab13d0080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	Sysmon.exe
-0xffffb50ab13d3080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
+0xffffb50ab13d90c0	Type->01	Signer->03	Critical->0	SubsystemProcess->0	MsMpEng.exe
-0xffffb50ab13de300	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aae89c080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab13ce080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab16d4080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab178e0c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab17a1080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1b9d080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
+0xffffb50ab19c84c0	Type->01	Signer->03	Critical->0	SubsystemProcess->0	NisSrv.exe
-0xffffb50ab1281080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	sihost.exe
-0xffffb50ab1270080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaccab480	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0ffb080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaccb1080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	taskhostw.exe
-0xffffb50aac647080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaccbc080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	ctfmon.exe
-0xffffb50aac61e080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	explorer.exe
-0xffffb50ab1e8d080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1e93080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aacde8340	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab0a9f080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	StartMenuExper
-0xffffb50aacf2f080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	RuntimeBroker.
-0xffffb50aae165080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	dllhost.exe
-0xffffb50aacca6080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	SearchUI.exe
-0xffffb50ab211b080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	RuntimeBroker.
-0xffffb50ab21bb080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	SecurityHealth
+0xffffb50ab1fe4080	Type->01	Signer->05	Critical->0	SubsystemProcess->0	SecurityHealth
-0xffffb50ab22ab080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	RAVCpl64.exe
-0xffffb50ab1247080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab22dd080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab23c6080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
+0xffffb50ab24bc080	Type->02	Signer->06	Critical->0	SubsystemProcess->0	SgrmBroker.exe
-0xffffb50ab1b95080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
+0xffffb50aae150080	Type->01	Signer->05	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab2384080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	SearchIndexer.
-0xffffb50ab24bb080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab2395080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab23e7080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	ShellExperienc
-0xffffb50ab2db3080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab1b744c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	LockApp.exe
-0xffffb50ab22b4080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	RuntimeBroker.
-0xffffb50ab299d080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50aaccb2080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab37f6080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	SettingSyncHos
-0xffffb50ab2cf7080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab2a2a080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	WindowsInterna
-0xffffb50ab2f46080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab177c080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab3941080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	GameBar.exe
-0xffffb50ab396d0c0	ProtectionLevel->00	Critical->0	SubsystemProcess->0	RuntimeBroker.
-0xffffb50ab41cb240	ProtectionLevel->00	Critical->0	SubsystemProcess->0	GameBarFT.exe
+0xffffb50ab35a60c0	Type->01	Signer->05	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab68cb080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	SecurityHealth
-0xffffb50ab68c2080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab6d21080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	svchost.exe
-0xffffb50ab6b2d080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	WmiPrvSE.exe
-0xffffb50ab3be6240	ProtectionLevel->00	Critical->0	SubsystemProcess->0	windbg.exe
-0xffffb50ab6579080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	notepad.exe
-0xffffb50ab3961080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	ImeBroker.exe
-0xffffb50ab6d2c080	ProtectionLevel->00	Critical->0	SubsystemProcess->0	audiodg.exe
 This output concerns protected processes (Protected Process); the layout of this information differs between Windows builds, so analysis code that reads it has to be re-checked for each build. Both line shapes are renderings of the same one-byte _EPROCESS.Protection field (_PS_PROTECTION): bits 0-2 hold the Type (1 = ProtectedLight, 2 = Protected) and bits 4-7 the Signer (3 = Antimalware, 5 = Windows, 6 = WinTcb, 7 = WinSystem). So "Type->02 Signer->07" on System and MemCompression is a fully protected WinSystem process, "Type->01 Signer->06" on smss.exe and csrss.exe is a PPL with the WinTcb signer, "Type->01 Signer->03" on MsMpEng.exe and NisSrv.exe is the Antimalware PPL that Defender runs under, and "ProtectionLevel->00" is an unprotected process. Any entry can be checked on a live target with dt nt!_EPROCESS <address> Protection. Two points worth checking in a list like this: lsass.exe shows ProtectionLevel->00, so LSA protection (RunAsPPL) is not enabled on this machine and a process holding SeDebugPrivilege can open it and read its memory; and the names are the 15-byte _EPROCESS.ImageFileName, which is why entries such as "fontdrvhost.ex" and "StartMenuExper" are cut short, so they should not be matched as full file names. The listing contains many data items. As the system analysis proceeds, you add IF statements and similar filters to your own analysis code and narrow the output down, for example on the value of ProtectionLevel. The next output example shows only the entries other than "ProtectionLevel->00". Note that acquiring the knowledge needed to develop such analysis code requires an investment of time and budget.
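As an added example (not the page author's analysis code), the following Python script does the narrowing-down described above offline: it parses a few lines copied from the listing, reconstructs the raw _PS_PROTECTION byte from either line shape, decodes Type and Signer with the public PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER enumerations, keeps only entries whose level is not 00, and reports whether lsass.exe runs protected. The line format, the field names and the meaning of the Critical column are assumptions taken from the listing above.

```python
"""Decode and filter the per-process protection listing shown above.

Added example, not the page author's analysis code.  It assumes the line
format used on this page: a leading '+' or '-', the _EPROCESS address,
tab-separated 'Key->Value' fields, and the (15-byte, possibly truncated)
image name last.  Type/Signer values are decoded with the public
PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER enumerations from ntddk.h.
"""
import re
from dataclasses import dataclass

# _PS_PROTECTION is one byte: Type = bits 0-2, Audit = bit 3, Signer = bits 4-7.
PROTECTED_TYPE = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNER = {
    0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware", 4: "Lsa",
    5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App",
}

# Sample input: six lines copied from the listing above (tabs written as \t).
SAMPLE_LINES = [
    "+0xffffb50aaac68040\tType->02\tSigner->07\tCritical->0\tSubsystemProcess->0\tSystem",
    "+0xffffb50aac9d6040\tType->01\tSigner->06\tCritical->1\tSubsystemProcess->0\tsmss.exe",
    "-0xffffb50ab02e90c0\tProtectionLevel->00\tCritical->0\tSubsystemProcess->0\tlsass.exe",
    "+0xffffb50ab0366080\tType->00\tSigner->00\tCritical->1\tSubsystemProcess->0\tsvchost.exe",
    "+0xffffb50ab13d90c0\tType->01\tSigner->03\tCritical->0\tSubsystemProcess->0\tMsMpEng.exe",
    "+0xffffb50ab24bc080\tType->02\tSigner->06\tCritical->0\tSubsystemProcess->0\tSgrmBroker.exe",
]


@dataclass
class ProcessRecord:
    address: int
    image: str
    level: int        # raw _PS_PROTECTION.Level byte
    critical: bool    # the Critical column as printed in the listing (assumed meaning)
    subsystem: bool

    @property
    def ptype(self) -> str:
        return PROTECTED_TYPE.get(self.level & 0x7, f"Type{self.level & 0x7}")

    @property
    def signer(self) -> str:
        return PROTECTED_SIGNER.get(self.level >> 4, f"Signer{self.level >> 4}")

    @property
    def is_protected(self) -> bool:
        # Type == 0 means unprotected regardless of the Signer bits.
        return (self.level & 0x7) != 0

    def describe(self) -> str:
        return (f"{self.address:#x} {self.image:<15} "
                f"{self.ptype}/{self.signer} (level {self.level:#04x})")


_LINE = re.compile(r"^[+-](0x[0-9a-fA-F]+)\t(.*)\t([^\t]+)$")


def parse_line(line: str):
    """Return a ProcessRecord for one listing line, or None if it does not match."""
    m = _LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    address, fields, image = m.groups()
    kv = dict(f.split("->", 1) for f in fields.split("\t") if "->" in f)
    if "ProtectionLevel" in kv:                      # '-' lines print the raw byte
        level = int(kv["ProtectionLevel"], 16)
    else:                                            # '+' lines print the decoded bitfields
        level = (int(kv["Signer"], 16) << 4) | int(kv["Type"], 16)
    return ProcessRecord(int(address, 16), image, level,
                         kv.get("Critical") == "1",
                         kv.get("SubsystemProcess") == "1")


def filter_protected(lines):
    """The IF-statement filter from the text: keep only entries whose level is not 00."""
    return [r for r in (parse_line(l) for l in lines) if r and r.is_protected]


def lsa_protection_enabled(records):
    """True if lsass.exe runs as a PPL (RunAsPPL), False if not, None if lsass is absent."""
    for r in records:
        if r.image.lower() == "lsass.exe":
            return r.is_protected
    return None


if __name__ == "__main__":
    records = [r for r in map(parse_line, SAMPLE_LINES) if r]
    for r in filter_protected(SAMPLE_LINES):
        print(r.describe())
    print("lsass.exe protected:", lsa_protection_enabled(records))
```

Running it prints the four protected entries (System, smss.exe, MsMpEng.exe, SgrmBroker.exe) and "lsass.exe protected: False"; the critical but unprotected svchost.exe line is dropped because its Type is 0, which is the distinction the filter has to make rather than testing the '+' or '-' prefix. The same decoding applies to the raw byte read from a live target with dt nt!_EPROCESS <address> Protection.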


Copyright © 豊田孝 2004-2020
Today is 2020-02-17.