How to catch shutdowns that don’t go to debugger or cause bugchecks


Sometimes a system just goes offline or reboots and you cannot catch it in the debugger, or it is not a stop error (bugcheck), so the machine simply reboots from underneath you. One technique you can use is to set a breakpoint on nt!NtSetSystemPowerState. This function is the last thing called during ANY type of reboot, so when the breakpoint hits you can see the calling function (and, from there, the process that requested the shutdown).

Most of the time when I use this it's a system that is stuck in a reboot loop on boot: it keeps loading the OS and then reboots again. I think the last time I hit this it was because someone had copied an x64 binary onto an x86 system for NTDSAI.dll, so LSASS was tanking.

Here’s an example:

kd> bp nt!NtSetSystemPowerState //Set the BP

kd> g
Breakpoint 0 hit
nt!NtSetSystemPowerState:
809c7c84 68bc000000      push    0BCh
kd> k
ChildEBP RetAddr
f6667d44 809b297d nt!NtSetSystemPowerState
f6667d58 808234cb nt!NtShutdownSystem+0x32
f6667d58 7c8285ec nt!KiFastCallEntry+0xf8
0134ff74 7c827b9b ntdll!KiFastSystemCallRet
0134ffb8 77e64829 ntdll!ZwShutdownSystem+0xc
0134ffa0 0101f1ce kernel32!BaseThreadStart+0x34

kd> .reload
Connected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
………………………………………………………………………………
Loading User Symbols
………………………………………………………………..
Loading unloaded module list
……………….
kd> k
ChildEBP RetAddr
f6667d44 809b297d nt!NtSetSystemPowerState
f6667d58 808234cb nt!NtShutdownSystem+0x32
f6667d58 7c8285ec nt!KiFastCallEntry+0xf8
0134ff74 7c827b9b ntdll!KiFastSystemCallRet
0134ff78 0102ad63 ntdll!ZwShutdownSystem+0xc
0134ffa0 0101f1ce winlogon!ShutdownThread+0x18c
0134ffb8 77e64829 winlogon!LogoffThreadProc+0x36
0134ffec 00000000 kernel32!BaseThreadStart+0x34


kd> !pcr
KPCR for Processor 0 at ffdff000:
    Major 1 Minor 1
        NtTib.ExceptionList: f666764c
            NtTib.StackBase: 00000000
           NtTib.StackLimit: 00000000
         NtTib.SubSystemTib: 80042000
              NtTib.Version: 0002492d
          NtTib.UserPointer: 00000001
              NtTib.SelfTib: 7ffa5000

                    SelfPcr: ffdff000
                       Prcb: ffdff120
                       Irql: 00000000
                        IRR: 00000000
                        IDR: ffff24f0
              InterruptMode: 00000000
                        IDT: 8003f400
                        GDT: 8003f000
                        TSS: 80042000

              CurrentThread: 82aa03a8
                 NextThread: 00000000
                 IdleThread: 8089fd80

                  DpcQueue:
kd> !thread 82aa03a8  //Looks like in this instance it was Winlogon that was shutting the system down.
THREAD 82aa03a8  Cid 0160.046c  Teb: 7ffa5000 Win32Thread: e1032868 RUNNING on processor 0
Not impersonating
DeviceMap                 e1001358
Owning Process            82b36548       Image:         winlogon.exe
Wait Start TickCount      176590         Ticks: 0
Context Switch Count      175                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.290
Win32 Start Address winlogon!LogoffThreadProc (0x0101f198)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f6668000 Current f6667a84 Base f6668000 Limit f6663000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr  Args to Child
f6667d44 809b297d 00000005 00000004 c0000004 nt!NtSetSystemPowerState (FPO: [Non-Fpo])
f6667d58 808234cb 00000001 0134ffa0 7c8285ec nt!NtShutdownSystem+0x32 (FPO: [Non-Fpo])
f6667d58 7c8285ec 00000001 0134ffa0 7c8285ec nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6667d64)
0134ff74 7c827b9b 0102ad63 00000001 00002000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0134ff78 0102ad63 00000001 00002000 0007ab38 ntdll!ZwShutdownSystem+0xc (FPO: [1,0,0])
0134ffa0 0101f1ce 0134ffc0 00000000 00000000 winlogon!ShutdownThread+0x18c (FPO: [Non-Fpo])
0134ffb8 77e64829 00003907 00000000 00000000 winlogon!LogoffThreadProc+0x36 (FPO: [Non-Fpo])
0134ffec 00000000 0101f198 012ffa68 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
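As an added example (not from the original post), here is the same technique in unattended form: a kd command script that sets the breakpoint with an attached command, so the requesting process, thread and stack are logged automatically every time it hits. That matters for the reboot-loop case, where there is no time to type the commands by hand. The log file path is an assumption; substitute your own.

```windbg
$$ Added example, not from the original post.
$$ Run it with   $$>< c:\debug\catch-shutdown.txt   (path assumed) or paste the lines at the kd prompt.

$$ Keep a record on the host in case the session is lost when the target reboots.
.logopen c:\debug\shutdown.log

$$ Resolve kernel symbols up front so the breakpoint address can be set.
.reload

$$ Breakpoint on the function the post identifies as the last call in any reboot.
$$ The quoted command string runs each time it is hit:
$$   .reload /user    load user-mode symbols; without this the user frames stay unresolved,
$$                    which is why the post needed a .reload before winlogon!ShutdownThread appeared
$$   !process -1 0    the current process (image name and Cid): who asked for the shutdown
$$   !thread          the current thread, its start address and its stack
$$   kb               the stack again with the three arguments passed to each frame
$$   gc               continue, so nothing is needed at the prompt
bp nt!NtSetSystemPowerState ".echo === shutdown request caught ===; .reload /user; !process -1 0; !thread; kb; gc"

$$ Let the target run; the log now captures every shutdown request until the session ends.
g
```

Removing `gc` from the command string leaves the target stopped at the breakpoint instead, which is the interactive behaviour shown in the session above.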

Comments (1)

  1. Raj says:

    This was very useful, awesome. Thanks. I have an issue with wininit.exe causing the shutdown after installing several drivers. Couldn’t correlate this to the drivers through…..