Читаем Windows® Internals, Sixth Edition, Part 1 полностью

A final optimization worth mentioning is that instead of copying data as soon as it is sent, the kernel sets up the payload for a delayed copy, capturing only the needed information, but without any copying. The message data is copied only when the receiver requests the message. Obviously, if a message zone or shared memory is being used, there’s no advantage to this method, but in asynchronous, kernel-buffer message passing, this can be used to optimize cancellations and high-traffic scenarios.

Debugging and Tracing

On checked builds of the kernel, ALPC messages can be logged. All ALPC attributes, blobs, message zones, and dispatch transactions can be individually logged, and undocumented !alpc commands in WinDbg can dump the logs. On retail systems, IT administrators and troubleshooters can enable the ALPC Event Tracing for Windows (ETW) logger to monitor ALPC messages. ETW events do not include payload data, but they do contain connection, disconnection, and send/receive and wait/unblock information. Finally, even on retail systems, certain !alpc commands obtain information on ALPC ports and messages.

EXPERIMENT: Dumping a Connection Port

In this experiment, you’ll use the CSRSS API port for Windows processes running in Session 1, which is the typical interactive session for the console user. Whenever a Windows application launches, it connects to CSRSS’s API port in the appropriate session.

Start by obtaining a pointer to the connection port with the !object command:0: kd> !object \Sessions\1\Windows\ApiPort Object: fffffa8004dc2090 Type: (fffffa80027a2ed0) ALPC Port ObjectHeader: fffffa8004dc2060 (new version) HandleCount: 1 PointerCount: 50 Directory Object: fffff8a001a5fb30 Name: ApiPort

Now dump information on the port object itself with !alpc /p. This will confirm, for example, that CSRSS is the owner:0: kd> !alpc /p fffffa8004dc2090 Port @ fffffa8004dc2090 Type : ALPC_CONNECTION_PORT CommunicationInfo : fffff8a001a22560 ConnectionPort : fffffa8004dc2090 ClientCommunicationPort : 0000000000000000 ServerCommunicationPort : 0000000000000000 OwnerProcess : fffffa800502db30 (csrss.exe) SequenceNo : 0x000003C9 (969) CompletionPort : 0000000000000000 CompletionList : 0000000000000000 MessageZone : 0000000000000000 ConnectionPending : No ConnectionRefused : No Disconnected : No Closed : No FlushOnClose : Yes ReturnExtendedInfo : No Waitable : No Security : Static Wow64CompletionList : No Main queue is empty. Large message queue is empty. Pending queue is empty. Canceled queue is empty.

You can see what clients are connected to the port, which will include all Windows processes running in the session, with the undocumented !alpc /lpc command. You will also see the server and client communication ports associated with each connection and any pending messages on any of the queues:0: kd> !alpc /lpc fffffa8004dc2090 Port @fffffa8004dc2090 has 14 connections SRV:fffffa8004809c50 (m:0, p:0, l:0) <-> CLI:fffffa8004809e60 (m:0, p:0, l:0), Process=fffffa8004ffcb30 ('winlogon.exe') SRV:fffffa80054dfb30 (m:0, p:0, l:0) <-> CLI:fffffa80054dfe60 (m:0, p:0, l:0), Process=fffffa80054de060 ('dwm.exe') SRV:fffffa8005394dd0 (m:0, p:0, l:0) <-> CLI:fffffa80054e1440 (m:0, p:0, l:0), Process=fffffa80054e2290 ('winvnc.exe') SRV:fffffa80053965d0 (m:0, p:0, l:0) <-> CLI:fffffa8005396900 (m:0, p:0, l:0), Process=fffffa80054ed060 ('explorer.exe') SRV:fffffa80045a8070 (m:0, p:0, l:0) <-> CLI:fffffa80045af070 (m:0, p:0, l:0), Process=fffffa80045b1340 ('logonhlp.exe') SRV:fffffa8005197940 (m:0, p:0, l:0) <-> CLI:fffffa800519a900 (m:0, p:0, l:0), Process=fffffa80045da060 ('TSVNCache.exe') SRV:fffffa800470b070 (m:0, p:0, l:0) <-> CLI:fffffa800470f330 (m:0, p:0, l:0), Process=fffffa8004713060 ('vmware-tray.ex') SRV:fffffa80045d7670 (m:0, p:0, l:0) <-> CLI:fffffa80054b16f0 (m:0, p:0, l:0), Process=fffffa80056b8b30 ('WINWORD.EXE') SRV:fffffa80050e0e60 (m:0, p:0, l:0) <-> CLI:fffffa80056fee60 (m:0, p:0, l:0), Process=fffffa800478f060 ('Winobj.exe') SRV:fffffa800482e670 (m:0, p:0, l:0) <-> CLI:fffffa80047b7680 (m:0, p:0, l:0), Process=fffffa80056aab30 ('cmd.exe') SRV:fffffa8005166e60 (m:0, p:0, l:0) <-> CLI:fffffa80051481e0 (m:0, p:0, l:0), Process=fffffa8002823b30 ('conhost.exe') SRV:fffffa80054a2070 (m:0, p:0, l:0) <-> CLI:fffffa80056e6210 (m:0, p:0, l:0), Process=fffffa80055669e0 ('livekd.exe') SRV:fffffa80056aa390 (m:0, p:0, l:0) <-> CLI:fffffa80055a6c00 (m:0, p:0, l:0), Process=fffffa80051b28b0 ('livekd64.exe') SRV:fffffa8005551d90 (m:0, p:0, l:0) <-> CLI:fffffa80055bfc60 (m:0, p:0, l:0), Process=fffffa8002a69b30 ('kd.exe')