Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,463 questions
Using EvtQuery API in parallel threads is blocking each other
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 71%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
satyan
1
Reputation point
I am trying to read evtx logs from different machines using EvtQuery API. Each thread will be querying a machine in parallel. But I can observe that all the threads are blocked when the EvtQuery API is called due to an internal critical section wait. This can be observed visibly when a querying machine is not reachable.
Is this an expected behavior, or am I doing any mistake? Please help.
Code:
EVT_HANDLE OpenRemoteSession(LPWSTR lpwszRemote)
{
EVT_HANDLE hRemote = NULL;
EVT_RPC_LOGIN Credentials;
RtlZeroMemory(&Credentials, sizeof(EVT_RPC_LOGIN));
Credentials.Server = lpwszRemote;
Credentials.Domain = L"greendir";
Credentials.User = L"greendir\test";
Credentials.Password = L"Test@123";
Credentials.Flags = EvtRpcLoginAuthNegotiate;
hRemote = EvtOpenSession(EvtRpcLogin, &Credentials, 0, 0);
if (hRemote == NULL) {
printf("EvtOpenSession failed %lu", GetLastError());
}
SecureZeroMemory(&Credentials, sizeof(EVT_RPC_LOGIN));
return hRemote;
}
void ReadMachineLogs(LPWSTR lpwszRemote) {
printf("\n%ws :: Read logs - START", lpwszRemote);
EVT_HANDLE sessionHandle = OpenRemoteSession(lpwszRemote);
printf("\n%ws :: Got remote handle", lpwszRemote);
if (sessionHandle == NULL) {
printf("\n%ws :: Open remote session failed", lpwszRemote);
}
else {
DWORD flagvalues = 0x1;
wchar_t* XPathQuery = NULL;
printf("\n%ws :: GenerateXPathQuery - START", lpwszRemote);
XPathQuery = GenerateXPathQuery(L"security", L"0");
printf("\n%ws :: GenerateXPathQuery - END", lpwszRemote);
printf("\n%ws :: EvtQuery - START", lpwszRemote);
EvtQuery(sessionHandle, L"security", XPathQuery, flagvalues);
printf("\n%ws :: EvtQuery - END", lpwszRemote);
}
//printf("\n%ws :: Read logs - END", lpwszRemote);
}
int main(int argc, char* argv[])
{
LPWSTR list[] = { L"orange-pc", L"apple-pc", L"mango-pc", L"papaya-pc" };
std::thread t1(ReadMachineLogs, list[0]);
std::thread t2(ReadMachineLogs, list[1]);
std::thread t3(ReadMachineLogs, list[2]);
std::thread t4(ReadMachineLogs, list[3]);
t1.join();
t2.join();
t3.join();
t4.join();
return 0;
}
Dump:
0:000> !locks
CritSec wevtapi!g_objectTable+0 at 00007ffac93e6960
WaiterWoken No
LockCount 3
RecursionCount 1
OwningThread 2eec
EntryCount 0
ContentionCount 7
*** Locked
Scanned 14 critical sections
0:000> ~*kv
. 0 Id: 6bf8.32e8 Suspend: 1 Teb: 00000067`4b0a1000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b2ff8a8 00007ffacca81e93 : 0000e189125ce14c 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtWaitForSingleObject+0x14
01 000000674b2ff8b0 00007ffaab832bcf : 0000000000000000 00007ff7e864cb70 0000000000000000 0000000000000290 : KERNELBASE!WaitForSingleObjectEx+0x93
02 000000674b2ff950 00007ff7e864940d : 0000000000000000 0000000000000000 0000000000007590 00007ff700000002 : msvcp140!_Thrd_join+0x1f [d:\agent_work\2\s\src\vctools\crt\github\stl\src\cthread.cpp @ 56]
03 (Inline Function) ---------------- : ---------------- ---------------- ---------------- ---------------- : EvtBugDebug!std::thread::join+0x2d (Inline Function @ 00007ff7e864940d) [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\thread @ 113]
04 000000674b2ff980 00007ff7e864a220 : 000001d160817ec0 000001d160808280 000001d16081c290 0000000000000000 : EvtBugDebug!main+0x16d [D:\EvtBugDebugMain.cpp @ 294]
05 (Inline Function) ---------------- : ---------------- ---------------- ---------------- ---------------- : EvtBugDebug!invoke_main+0x22 (Inline Function @ 00007ff7e864a220) [D:\agent_work\9\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
06 000000674b2ffa10 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : EvtBugDebug!__scrt_common_main_seh+0x10c [D:\agent_work\9\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
07 000000674b2ffa50 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
08 000000674b2ffa80 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
1 Id: 6bf8.4180 Suspend: 1 Teb: 00000067`4b0a5000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b4ff758 00007ffacf713fe0 : 0000000000000000 0000000000000000 000001d1607ed810 0000000000000006 : ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 000000674b4ff760 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x300
02 000000674b4ffb20 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
03 000000674b4ffb50 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
2 Id: 6bf8.7410 Suspend: 1 Teb: 00000067`4b0a7000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b5ff938 00007ffacf713fe0 : 0000000000000000 0000000000000000 000001d1607ed810 0000000000000008 : ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 000000674b5ff940 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x300
02 000000674b5ffd00 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
03 000000674b5ffd30 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
3 Id: 6bf8.147c Suspend: 1 Teb: 00000067`4b0a9000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b6ff578 00007ffacf713fe0 : 0000006700000002 000000674b0a0000 000001d1607ed810 0000000000000000 : ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 000000674b6ff580 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x300
02 000000674b6ff940 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
03 000000674b6ff970 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
4 Id: 6bf8.7e4c Suspend: 1 Teb: 00000067`4b0ab000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b3ff388 00007ffacf6e7619 : 00000000000007b7 000001d1607e0000 000000674b3ff468 00007ffacf7260b9 : ntdll!NtWaitForAlertByThreadId+0x14
01 000000674b3ff390 00007ffacf6e74d2 : 0000000000000000 0000000000000000 000000674b3ff478 00007ffac93e6968 : ntdll!RtlpWaitOnAddressWithTimeout+0x81
02 000000674b3ff3c0 00007ffacf6e72fd : 00007ffac93e6960 0000000000001722 0000000000000000 000001d1607e0000 : ntdll!RtlpWaitOnAddress+0xae
03 000000674b3ff430 00007ffacf6fb576 : 00007ffacc98a4f0 0000000000007e4c 00000000fffffff6 0000000000000000 : ntdll!RtlpWaitOnCriticalSection+0xfd
04 000000674b3ff510 00007ffacf6fb3c0 : 0000000000000000 000000674b3ff660 000000674b3ff688 0000000000000000 : ntdll!RtlpEnterCriticalSectionContended+0x1a6
05 000000674b3ff570 00007ffac939a761 : 0000000000000001 00007ffac9399626 0000000000000000 000000674b3ff698 : ntdll!RtlEnterCriticalSection+0x40
06 000000674b3ff5a0 00007ffac939a8fe : 00007ffac93e6960 000000674b3ff688 000001d160837460 0000000000000002 : wevtapi!HandleTable::Emplace<QueryResult,wmi::AutoRef<Session> &,wchar_t const * &,wchar_t const * &,unsigned long &>+0x45
07 000000674b3ff610 00007ffac939426d : 000001d160819030 0000000000000002 0000000000000000 0000000000000000 : wevtapi!ObjectTable::EmplaceObject<QueryResult,wmi::AutoRef<Session> & __ptr64,wchar_t const * __ptr64 & __ptr64,wchar_t const * __ptr64 & __ptr64,unsigned long & __ptr64>+0x2a
08 000000674b3ff650 00007ff7e8649277 : 00007ff7e867fdf8 00007ff7e867fe30 000000674b3ff658 000000674b3ff701 : wevtapi!EvtQuery+0xed
09 000000674b3ff7c0 00007ff7e864959f : 0000000000000000 000001d16081c6d0 0000000000000000 0000000000000000 : EvtBugDebug!ReadMachineLogs+0x147 [D:\EvtBugDebugMain.cpp @ 282]
0a (Inline Function) ---------------- : ---------------- ---------------- ---------------- ---------------- : EvtBugDebug!std::invoke+0x6 (Inline Function @ 00007ff7e864959f) [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\type_traits @ 1607]
0b 000000674b3ff830 00007ffacc8c0e82 : 0000000000000000 000001d1608064a0 0000000000000000 0000000000000000 : EvtBugDebug!std::thread::_Invoke<std::tuple<void (__cdecl*)(wchar_t *),wchar_t >,0,1>+0xf [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\thread @ 44]
0c 000000674b3ff860 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ucrtbase!thread_start<unsigned int (__cdecl)(void *),1>+0x42
0d 000000674b3ff890 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
0e 000000674b3ff8c0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
5 Id: 6bf8.2eec Suspend: 1 Teb: 00000067`4b0ad000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b7fd808 00007ffacca81e93 : 000000674b7fdb30 0000000000000000 0000b347689ee08f 0000000000000010 : ntdll!NtWaitForSingleObject+0x14
01 000000674b7fd810 00007fface7b1219 : 000000000000035c 000001d16084ab88 0000000000000000 00000000000002a8 : KERNELBASE!WaitForSingleObjectEx+0x93
02 000000674b7fd8b0 00007fface7af917 : 00000000000000e2 000001d16084a9a0 0000000000000000 0000000000000123 : rpcrt4!WS_OpenEx+0x2d9
03 000000674b7fda60 00007fface7af7d8 : 0000000000000000 000000674b7fde30 000001d1608279d6 0000000000000000 : rpcrt4!TCPOrHTTP_Open+0x127
04 000000674b7fdca0 00007fface7877f2 : 0000000000000000 0000000000000001 000001d1607f91c0 00007fface769a95 : rpcrt4!TCP_Open+0xa8
05 000000674b7fdd10 00007fface7873e8 : 0000000000000000 000001d16084a9b0 000000674b7fde00 000001d16084a6a0 : rpcrt4!OSF_CCONNECTION::TransOpen+0xd6
06 000000674b7fddb0 00007fface787150 : 000001d16084af30 000001d16084a6a0 0000000000000000 000001d1607f91c0 : rpcrt4!OSF_CCONNECTION::OpenConnectionAndBind+0x148
07 000000674b7fde60 00007fface7693d1 : 000001d16084a830 0000000000000001 000001d16084a6a0 000001d16084a6f0 : rpcrt4!OSF_CCALL::BindToServer+0xdc
08 000000674b7fdf00 00007fface769206 : 0000000000000000 000000674b7fe060 000001d16084a6f0 000001d100000000 : rpcrt4!OSF_BINDING_HANDLE::InitCCallWithAssociation+0xa5
09 000000674b7fdf60 00007fface768bd7 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : rpcrt4!OSF_BINDING_HANDLE::AllocateCCall+0x256
0a 000000674b7fe0c0 00007fface818edf : 000000674b7fe4a0 0000000000000000 000001d16084af30 0000000000000000 : rpcrt4!OSF_BINDING_HANDLE::NegotiateTransferSyntax+0x37
0b 000000674b7fe110 00007fface818161 : 00007fface823c90 0000000000000003 0000000000000000 00007fface81ed80 : rpcrt4!NdrpClientCall3+0x6df
0c 000000674b7fe470 00007fface766819 : 000001d16084a6a0 000000674b7fe8a0 0000000000000000 000001d16084a6a0 : rpcrt4!NdrClientCall3+0xf1
0d 000000674b7fe800 00007fface766609 : 000001d16084a310 0000000000000000 0000000000000000 0000000000000000 : rpcrt4!EP_LOOKUP_DATA::LookupNextChunk+0x115
0e 000000674b7fe8d0 00007fface79e2e5 : 000001d16081eb90 000001d16081c830 000001d160827950 0000000000000000 : rpcrt4!EP_LOOKUP_DATA::ResolveEndpoint+0x191
0f 000000674b7fe970 00007fface7aef3e : 000001d16081eb80 0000000000000000 0000000000000000 0000000000000000 : rpcrt4!ResolveEndpointWithEpMapper+0x95
10 000000674b7fe9e0 00007fface7ed0b0 : 0000000000000000 000000674b7febb0 00007ffac93d1640 000001d1607fd8b8 : rpcrt4!OSF_BINDING_HANDLE::ResolveBindingWorker+0xc6
11 000000674b7fea80 00007fface7c4bf4 : 0000000000000000 0000000000000000 0000000000000000 000001d1607fd8b8 : rpcrt4!OSF_BINDING_HANDLE::ResolveEndpointWithEpMapper+0x58
12 000000674b7feab0 00007fface768bd7 : 00007ffacc48e070 0000000000000000 0000000000000000 000001d1607fe530 : rpcrt4!OSF_BINDING_HANDLE::AllocateCCall+0x5bc44
13 000000674b7fec10 00007fface818edf : 000000674b7feff0 0000000000000000 00007ffa00000000 000000674b7feda0 : rpcrt4!OSF_BINDING_HANDLE::NegotiateTransferSyntax+0x37
14 000000674b7fec60 00007fface818161 : 00007ffac93d1500 0000000000000005 0000000000000000 00007ffac93d10e8 : rpcrt4!NdrpClientCall3+0x6df
15 000000674b7fefc0 00007ffac939a558 : 00000000d80005dd ffffffffffffffff 0000000000000000 000001d1607fd800 : rpcrt4!NdrClientCall3+0xf1
16 000000674b7ff350 00007ffac939a7e0 : 0000006700000003 000000674b7ff5c8 00007ffac93e6988 0000000000000000 : wevtapi!QueryResult::QueryResult+0x12c
17 000000674b7ff4e0 00007ffac939a8fe : 00007ffac93e6960 000000674b7ff5c8 000001d16082f4c0 0000000000000001 : wevtapi!HandleTable::Emplace<QueryResult,wmi::AutoRef<Session> &,wchar_t const * &,wchar_t const * &,unsigned long &>+0xc4
18 000000674b7ff550 00007ffac939426d : 000001d160818c90 0000000000000001 00000000000003ff 00000000000065a0 : wevtapi!ObjectTable::EmplaceObject<QueryResult,wmi::AutoRef<Session> & __ptr64,wchar_t const * __ptr64 & __ptr64,wchar_t const * __ptr64 & __ptr64,unsigned long & __ptr64>+0x2a
19 000000674b7ff590 00007ff7e8649277 : 00007ff7e867fdf8 00007ff7e867fe18 000000674b7fdb18 000001d16081d535 : wevtapi!EvtQuery+0xed
1a 000000674b7ff700 00007ff7e864959f : 0000000000000000 000001d16081c4d0 0000000000000000 0000000000000000 : EvtBugDebug!ReadMachineLogs+0x147 [D:\EvtBugDebugMain.cpp @ 282]
1b (Inline Function) ---------------- : ---------------- ---------------- ---------------- ---------------- : EvtBugDebug!std::invoke+0x6 (Inline Function @ 00007ff7e864959f) [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\type_traits @ 1607]
1c 000000674b7ff770 00007ffacc8c0e82 : 000001d160806680 0000000000000000 0000000000000000 0000000000000000 : EvtBugDebug!std::thread::_Invoke<std::tuple<void (__cdecl*)(wchar_t *),wchar_t >,0,1>+0xf [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\thread @ 44]
1d 000000674b7ff7a0 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ucrtbase!thread_start<unsigned int (__cdecl)(void *),1>+0x42
1e 000000674b7ff7d0 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
1f 000000674b7ff800 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
6 Id: 6bf8.7804 Suspend: 1 Teb: 00000067`4b0af000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b8ff968 00007ffacf6e7619 : 00000000000007dd 000001d1d30004d7 000001d1607eb350 00007ffacf7265d3 : ntdll!NtWaitForAlertByThreadId+0x14
01 000000674b8ff970 00007ffacf6e74d2 : 0000000000000000 0000000000000000 000000674b8ffa58 00007ffac93e6968 : ntdll!RtlpWaitOnAddressWithTimeout+0x81
02 000000674b8ff9a0 00007ffacf6e72fd : 00007ffac93e6960 0000000000001722 0000000000000000 000001d1607e0000 : ntdll!RtlpWaitOnAddress+0xae
03 000000674b8ffa10 00007ffacf6fb576 : 0000000000000001 00000000000003ff 00000000fffffff2 000001d16083dfa0 : ntdll!RtlpWaitOnCriticalSection+0xfd
04 000000674b8ffaf0 00007ffacf6fb3c0 : 00000000000003ff 000000674b8ffc40 000000674b8ffc68 0000000000000000 : ntdll!RtlpEnterCriticalSectionContended+0x1a6
05 000000674b8ffb50 00007ffac939a761 : 0000000000000001 00007ffac9399626 0000000000000000 000000674b8ffc78 : ntdll!RtlEnterCriticalSection+0x40
06 000000674b8ffb80 00007ffac939a8fe : 00007ffac93e6960 000000674b8ffc68 000001d16084b200 0000000000000004 : wevtapi!HandleTable::Emplace<QueryResult,wmi::AutoRef<Session> &,wchar_t const * &,wchar_t const * &,unsigned long &>+0x45
07 000000674b8ffbf0 00007ffac939426d : 000001d1607f7000 0000000000000004 00000000000003ff 00000000000065a0 : wevtapi!ObjectTable::EmplaceObject<QueryResult,wmi::AutoRef<Session> & __ptr64,wchar_t const * __ptr64 & __ptr64,wchar_t const * __ptr64 & __ptr64,unsigned long & __ptr64>+0x2a
08 000000674b8ffc30 00007ff7e8649277 : 00007ff7e867fdf8 00007ff7e867fe60 000000674b8fe1b8 000001d16081d535 : wevtapi!EvtQuery+0xed
09 000000674b8ffda0 00007ff7e864959f : 0000000000000000 000001d16081c1d0 0000000000000000 0000000000000000 : EvtBugDebug!ReadMachineLogs+0x147 [D:\EvtBugDebugMain.cpp @ 282]
0a (Inline Function) ---------------- : ---------------- ---------------- ---------------- ---------------- : EvtBugDebug!std::invoke+0x6 (Inline Function @ 00007ff7e864959f) [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\type_traits @ 1607]
0b 000000674b8ffe10 00007ffacc8c0e82 : 0000000000000000 000001d1608062f0 0000000000000000 0000000000000000 : EvtBugDebug!std::thread::_Invoke<std::tuple<void (__cdecl*)(wchar_t *),wchar_t >,0,1>+0xf [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\thread @ 44]
0c 000000674b8ffe40 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ucrtbase!thread_start<unsigned int (__cdecl)(void *),1>+0x42
0d 000000674b8ffe70 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
0e 000000674b8ffea0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
7 Id: 6bf8.7590 Suspend: 1 Teb: 00000067`4b0b1000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674b9ff9d8 00007ffacf6e7619 : 0000000000000826 000001d1d30004d7 000001d1607eb350 00007ffacf7265d3 : ntdll!NtWaitForAlertByThreadId+0x14
01 000000674b9ff9e0 00007ffacf6e74d2 : 0000000000000000 0000000000000000 000000674b9ffac8 00007ffac93e6968 : ntdll!RtlpWaitOnAddressWithTimeout+0x81
02 000000674b9ffa10 00007ffacf6e72fd : 00007ffac93e6960 0000000000001722 0000000000000000 000001d1607e0000 : ntdll!RtlpWaitOnAddress+0xae
03 000000674b9ffa80 00007ffacf6fb576 : 00007ffacc98a4f0 0000000000007590 00000000fffffff2 0000000000000000 : ntdll!RtlpWaitOnCriticalSection+0xfd
04 000000674b9ffb60 00007ffacf6fb3c0 : 0000000000000000 000000674b9ffcb0 000000674b9ffcd8 0000000000000000 : ntdll!RtlpEnterCriticalSectionContended+0x1a6
05 000000674b9ffbc0 00007ffac939a761 : 0000000000000001 00007ffac9399626 0000000000000000 000000674b9ffce8 : ntdll!RtlEnterCriticalSection+0x40
06 000000674b9ffbf0 00007ffac939a8fe : 00007ffac93e6960 000000674b9ffcd8 000001d160843d70 0000000000000003 : wevtapi!HandleTable::Emplace<QueryResult,wmi::AutoRef<Session> &,wchar_t const * &,wchar_t const * &,unsigned long &>+0x45
07 000000674b9ffc60 00007ffac939426d : 000001d1607f3b10 0000000000000003 0000000000000000 0000000000000000 : wevtapi!ObjectTable::EmplaceObject<QueryResult,wmi::AutoRef<Session> & __ptr64,wchar_t const * __ptr64 & __ptr64,wchar_t const * __ptr64 & __ptr64,unsigned long & __ptr64>+0x2a
08 000000674b9ffca0 00007ff7e8649277 : 00007ff7e867fdf8 00007ff7e867fe48 000000674b9fe228 000001d16081d536 : wevtapi!EvtQuery+0xed
09 000000674b9ffe10 00007ff7e864959f : 0000000000000000 000001d16081c290 0000000000000000 0000000000000000 : EvtBugDebug!ReadMachineLogs+0x147 [D:\EvtBugDebugMain.cpp @ 282]
0a (Inline Function) ---------------- : ---------------- ---------------- ---------------- ---------------- : EvtBugDebug!std::invoke+0x6 (Inline Function @ 00007ff7e864959f) [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\type_traits @ 1607]
0b 000000674b9ffe80 00007ffacc8c0e82 : 0000000000000000 000001d1607feb60 0000000000000000 0000000000000000 : EvtBugDebug!std::thread::_Invoke<std::tuple<void (__cdecl*)(wchar_t *),wchar_t >,0,1>+0xf [D:\IApps\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.27.29110\include\thread @ 44]
0c 000000674b9ffeb0 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ucrtbase!thread_start<unsigned int (__cdecl)(void *),1>+0x42
0d 000000674b9ffee0 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
0e 000000674b9fff10 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
8 Id: 6bf8.2190 Suspend: 0 Teb: 00000067`4b0b3000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674baff648 00007ffacf713fe0 : 0000000000000000 0000000000000000 000001d160852d60 0000000000000009 : ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 000000674baff650 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x300
02 000000674baffa10 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
03 000000674baffa40 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
9 Id: 6bf8.7ae4 Suspend: 0 Teb: 00000067`4b0b5000 Unfrozen
Child-SP RetAddr : Args to Child : Call Site
00 000000674bbff898 00007ffacf713fe0 : 0000006700000002 000000674b0a0000 000001d160852d60 0000000000000000 : ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 000000674bbff8a0 00007fface5b7bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x300
02 000000674bbffc60 00007ffacf74ce51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
03 000000674bbffc90 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
{count} votes
-
Rita Han - MSFT 2,161 Reputation points2020-09-18T08:46:04.93+00:00 Hello @satyan , the document seems not state that
EvtQueryfunction is thread-safe. You may need add multi-threaded synching mechanism forEvtQuery. -
RLWA32 41,696 Reputation points2020-09-18T21:33:55.387+00:00 Does the call to EvtQuery for an unreachable machine ever return?
If it does, do the other threads then resume executing? -
satyan 1 Reputation point
2020-09-21T02:01:07.213+00:00 Hi @Rita Han - MSFT , actually in my case even though I didn't add any explicit synching mechanism. The threads are blocked internally inside the EvtQuery function. Even though I am querying different machines, internally there is a lock. I want to know why there is a sync internally even for different machines.
-
-
RLWA32 41,696 Reputation points
2020-09-21T09:37:09.507+00:00 Since there is no actual deadlock it would seem that EvtQuery is using a critical section to protect a resource in a thread-safe manner but the delay is network related (the unreachable machine). To me, this doesn't seem to be a threading issue.
And taking steps to determine that a machine is not unreachable before spinning up a thread for EvtQuery doesn't guarantee that a subsequently occurring network issue that causes a lag in network response time will not result in a similar delay
-
satyan 1 Reputation point
2020-09-22T04:44:04.677+00:00 My question was regarding that internal critical section lock only. If I am querying the same machine, the lock seems to be logical. But if its to different machines, the locks seems to be unnecessary.
-
RLWA32 41,696 Reputation points
2020-09-22T11:58:00.003+00:00 Lets say that I use a container (thread safety is provided by a critical section) to store handles to various objects . If I use the same container to store handles to local objects or remote objects it doesn't change the thread-safety needs of container.
Sign in to comment