February 12th, 2014

What is this extra thread in my process?

Raymond Chen
Raymond Chen

A customer liaison asked:

After applying Service Pack 2 to Windows Server 2003, my customer found that a simple MFC application (just using the template, no customization) has two threads when it is supposed to have only one. After five minutes, one of the threads exits. This doesn’t happen on Windows Server 2003 RTM or Windows Server 2003 Service Pack 1.

Here is a stack trace of the extra thread: 

0:001> kP
ntdll!KiFastSystemCallRet
ntdll!NtWaitForMultipleObjects+0xc
ntdll!EtwpWaitForMultipleObjectsEx+0xf7
ntdll!EtwpEventPump+0x27f
kernel32!BaseThreadStart+0x34

The parameters to Etwp­Wait­For­Multiple­Objects­Ex seem to be consistent with Wait­For­Multiple­Objects­Ex. Assuming that’s the case, the parameters are

nCount  = 0
lpHandles  = 00x004f4470
bWaitAll  = 0
dwMilliseconds  = 300000 = 5 minutes
bAlertable  = TRUE

Can you explain what the purpose of this thread is? Did this behavior change as a result of the update? It is important for the customer to know the purpose of this thread.

We asked, “Why does the customer need to know the purpose of this thread?”

We never heard back from the customer liaison. I guess it wasn’t that important after all.

In case you cared: From the names of the functions, it looks like this is the ETW event pump thread.

Category
Old New Thing
Topics
Code

Author

Raymond Chen

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.

Read next