Lesson Learned – Orphan process

February 17th, 2012

Writing something after almost two months… not good, but I was busy with lots of stuff, trying to learn new things which I will document later… But for today, something on analyzing dumps for hangs due to orphan processes.

Recently, while working on an issue, I found an interesting scenario… this seems to be a common one… when users log off from their session on a TS\XenApp server, three processes stay stuck there – Csrss, Winlogon and LogonUI. Though the users have logged off, because of these processes their session stays stuck, eating resources and at some stage giving unexpected behaviour… It is a bit difficult to show the full stack here, but I am documenting the technique that I used to find the root cause of the issue. So here’s what I did.

Complete Memory Dump – for hang-related issues, it is good to take a complete memory dump, and at least 2-3 of them to see the consistency (this is what I usually do)…

Step 1 – Ensure symbols are loaded. It may be a good idea to run the lm command to see what files are loaded and then run .reload /f to force the symbol download.

Step 2 – Find out all the processes. It is good to have them sorted by session, so I ran the command !sprocess -4. This showed me all the sessions in proper order and also which processes are present in each session.
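Once the !sprocess -4 listing from Step 2 is saved to a text file, the sessions that contain nothing but the three leftover processes can be picked out mechanically. The Python below is an added example, not part of the original post; the function names are hypothetical, and it assumes each process appears as a PROCESS line carrying SessionId, followed by an indented Image line.

```python
import re
from collections import defaultdict

# Images the post reports as left behind after logoff.
LEFTOVER = {"csrss.exe", "winlogon.exe", "logonui.exe"}

# Constructed sample in the PROCESS/Image layout of the debugger's process
# listing (per-process DirBase line omitted); addresses and IDs are made up.
SAMPLE = """\
PROCESS fffffa8000c00040  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    Image: System
PROCESS fffffa8001a00060  SessionId: 0  Cid: 0230    Peb: 7fffffd4000  ParentCid: 01d0
    Image: services.exe
PROCESS fffffa8002b00060  SessionId: 1  Cid: 0a10    Peb: 7fffffd5000  ParentCid: 0a08
    Image: csrss.exe
PROCESS fffffa8002c00060  SessionId: 1  Cid: 0b44    Peb: 7fffffd6000  ParentCid: 0b20
    Image: explorer.exe
PROCESS fffffa8003d00060  SessionId: 2  Cid: 0c10    Peb: 7fffffd7000  ParentCid: 0c08
    Image: csrss.exe
PROCESS fffffa8003e00060  SessionId: 2  Cid: 0c3c    Peb: 7fffffd8000  ParentCid: 0c08
    Image: winlogon.exe
PROCESS fffffa8003f00060  SessionId: 2  Cid: 0d20    Peb: 7fffffd9000  ParentCid: 0c3c
    Image: LogonUI.exe
"""

PROC_RE = re.compile(r"^PROCESS\s+(\S+)\s+SessionId:\s+(\d+)\b")
IMAGE_RE = re.compile(r"^\s+Image:\s+(\S+)")

def processes_by_session(text):
    """Map session id -> [(image, EPROCESS address)] from saved debugger output."""
    sessions, pending = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("PROCESS"):
            m = PROC_RE.match(line)          # no match for 'SessionId: none'
            pending = (int(m.group(2)), m.group(1)) if m else None
        elif pending and (m := IMAGE_RE.match(line)):
            sessions[pending[0]].append((m.group(1), pending[1]))
            pending = None
    return dict(sessions)

def leftover_only_sessions(sessions):
    """Sessions whose every process is one of the three logoff leftovers."""
    return [sid for sid, procs in sorted(sessions.items())
            if {image.lower() for image, _ in procs} <= LEFTOVER]

if __name__ == "__main__":
    by_session = processes_by_session(SAMPLE)
    for sid in leftover_only_sessions(by_session):
        print(f"session {sid}:", by_session[sid])
```

A session that is simply waiting at the logon screen holds the same three processes, so compare the flagged session IDs against the sessions users actually logged off from, and across the 2-3 dumps, before treating one as stuck.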