如果我使用Process Explorer在我的64位Windows 10系统上查看32位进程的调用堆栈,Process Explorer仅显示调用堆栈的64位(上部)部分,而不是更有趣的(下部) )的32位部分。例如,一个32位wmplayer.exe进程的主线程的调用堆栈显示:
ntoskrnl.exe!KiSwapContext+0x76
ntoskrnl.exe!KiSwapThread+0x2c6
ntoskrnl.exe!KiCommitThreadWait+0x13b
ntoskrnl.exe!KeWaitForSingleObject+0x1ff
ntoskrnl.exe!KiSchedulerApc+0x30a
ntoskrnl.exe!KiDeliverApc+0x27b
ntoskrnl.exe!KiSwapThread+0x501
ntoskrnl.exe!KiCommitThreadWait+0x13b
ntoskrnl.exe!KeWaitForSingleObject+0x1ff
ntoskrnl.exe!KeWaitForMultipleObjects+0x4b5
win32kfull.sys!xxxRealSleepThread+0x32a
win32kfull.sys!xxxSleepThread2+0xa0
win32kfull.sys!xxxRealInternalGetMessage+0xf19
win32kfull.sys!NtUserGetMessage+0x8c
ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
wow64win.dll!NtUserGetMessage+0x14
wow64win.dll!whNtUserGetMessage+0x30
wow64.dll!Wow64SystemServiceEx+0x153
wow64cpu.dll!ServiceNoTurbo+0xb
wow64cpu.dll!BTCpuSimulate+0x9
wow64.dll!RunCpuSimulation+0xa
wow64.dll!Wow64LdrpInitialize+0x120
ntdll.dll!LdrpInitializeProcess+0x1887
ntdll.dll!_LdrpInitialize+0x4aa45
ntdll.dll!LdrpInitialize+0x3b
ntdll.dll!LdrInitializeThunk+0xe
0x0000000000000000
对于64位wmplayer.exe进程(C:\ Program Files \ Windows Media Player \ wmplayer.exe)的调用堆栈已完成,并且还包含应用程序代码中的调用:
ntoskrnl.exe!KiSwapContext+0x76
ntoskrnl.exe!KiSwapThread+0x2c6
ntoskrnl.exe!KiCommitThreadWait+0x13b
ntoskrnl.exe!KeWaitForSingleObject+0x1ff
ntoskrnl.exe!KiSchedulerApc+0x30a
ntoskrnl.exe!KiDeliverApc+0x27b
ntoskrnl.exe!KiSwapThread+0x501
ntoskrnl.exe!KiCommitThreadWait+0x13b
ntoskrnl.exe!KeWaitForSingleObject+0x1ff
ntoskrnl.exe!KeWaitForMultipleObjects+0x4b5
win32kfull.sys!xxxRealSleepThread+0x32a
win32kfull.sys!xxxSleepThread2+0xa0
win32kfull.sys!xxxRealInternalGetMessage+0xf19
win32kfull.sys!NtUserGetMessage+0x8c
ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
win32u.dll!NtUserGetMessage+0x14
USER32.dll!GetMessageW+0x2b
wmp.dll!Ordinal3002+0x731
wmp.dll!Ordinal3002+0x65f
wmp.dll!Ordinal3000+0x12e
wmplayer.exe!_PlayerEntry+0x747
KERNEL32.DLL!BaseThreadInitThunk+0x14
ntdll.dll!RtlUserThreadStart+0x21
如果我不得不猜测的话,那就是第一个堆栈中的0x0000000000000000地址阻止了Process Explorer深入到32位部分,但是我不确定100%是否如此。如何使Process Explorer显示32位进程的32位堆栈?
有关我的设置的更多信息:
Windows 10 version 1803 build 17134.556
Windows SDK 10.0.17763.132 installed
Process Explorer version 16.22
Symbol configuration:
Dbghelp.dll path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll
Symbols path: symsrv*symsrv.dll*C:\LocalSymbols*http://msdl.microsoft.com/download/symbols
更新:使用Process Hacker(而不是Process Explorer)查看32位进程的调用堆栈时,将显示预期的32位堆栈。对于32位wmplayer.exe的主线程,Process Hacker显示:
0, wow64win.dll!NtUserGetMessage+0x14
1, wow64win.dll!whNtUserGetMessage+0x30
2, wow64.dll!Wow64SystemServiceEx+0x153
3, wow64cpu.dll!ServiceNoTurbo+0xb
4, wow64cpu.dll!BTCpuSimulate+0x9
5, wow64.dll!RunCpuSimulation+0xa
6, wow64.dll!Wow64LdrpInitialize+0x120
7, ntdll.dll!LdrpInitializeProcess+0x1887
8, ntdll.dll!_LdrpInitialize+0x4aa45
9, ntdll.dll!LdrpInitialize+0x3b
10, ntdll.dll!LdrInitializeThunk+0xe
11, win32u.dll!NtUserGetMessage+0xc
12, user32.dll!GetMessageW+0x30
13, wmp.dll!DllGetClassObject+0x1bf48 (No unwind info)
14, wmp.dll!DllGetClassObject+0x1bccb (No unwind info)
15, wmp.dll!Ordinal3000+0x75 (No unwind info)
16, wmplayer.exe!_PlayerEntry+0x4ff
17, kernel32.dll!BaseThreadInitThunk+0x24
18, ntdll.dll!__RtlUserThreadStart+0x2f
19, ntdll.dll!_RtlUserThreadStart+0x1b
更新2:,该问题仅通过64位Process Explorer(procexp64.exe)显现出来。强制Process Explorer以32位运行时,它显示32位堆栈:
0x00000000
win32u.dll!NtUserGetMessage+0xc
USER32.dll!GetMessageW+0x30
wmp.dll!DllGetClassObject+0x1bf48
wmp.dll!DllGetClassObject+0x1bccb
wmp.dll!Ordinal3000+0x75
wmplayer.exe!_PlayerEntry+0x4ff
KERNEL32.DLL!BaseThreadInitThunk+0x24
ntdll.dll!__RtlUserThreadStart+0x2f
ntdll.dll!_RtlUserThreadStart+0x1b
更新3:,与此同时,我已经能够确认在Windows 10 x64全新安装中也会发生相同的问题。这就排除了与我的系统上现有驱动程序或软件的冲突,并且使这成为Process Explorer中的错误的可能性越来越大。但是,似乎没有任何迹象表明这种情况很快就会得到解决。由于我确实确实需要能够查看32位调用堆栈,并且Process Hacker仍然可以正确执行此操作,因此我没有别的选择,只能停止使用Process Explorer来支持Process Hacker。