OS is Windows Server 2008 R2 Standard (Microsoft Windows [Version 6.1.7601])

Hi Alexander,

Thread PID==0x0 it is part of so called System Idle Process which have a special thread which runs only in the case when any other thread is not scheduled to run at the current moment(time).This one of two processes(second is Process PID == 4) which is not related to specific image file.

Autocheck.exe is the checking disc utility.It is quite possible than in case of low system activity autocheck.exe will run or it has been invoked by other process to run.

>>> from my point of view it is strange as almost all IO drivers working in the systems was executed in the context of thread 0x0.  I would rather think that thread 0 belongs to idle process 0>>>

It is quite possible because drivers run in thread arbitrary context and in your case curruntly running thread is Idle Process Thread.

If you would like to get a better picture of thread/DPC activity it is advised to use Xperf tool.

>>>2. Is it correct that Thread tid 0x0 belongs to autochk.exe?>>>

No it is incorrect,because System Idle Process is not related to any executable.Aotocheck.exe could be invoked from TID == 0x0 and as bulk of the autocheck scanning is done in kernel mode probably by using disk.sys driver and upper layer file system drivers so the autocheck.exe thread which is communicating with the driver could spent some of its execution time in kernel mode while its kernel module(driver) could run in arbitrary context.

So if all above is true then it is a defect in vTune to show thread with tid 0x0 as part of process autochk.exe

Right?

Can you use Xperf tool to obtain the better picture?Please close VTune before running Xperf(because of Kernel Logger accesses)?

I know that when you are dealing with idle process and idle thread there will be some anomalies generated by profilling tools and debuggers.Because of strange "nature" of the these  objects which do not have user mode address space and are represented by minimal internal data structures. Idle thread only runs KiIdleLoop function. If you have installed windbg you can use its kernel mode version to obtain the relevant information by execution !pcrx , where x = number of cpu command and dump _KPCR structrure you will see adress of idle loop structure.

>>>Aotocheck.exe could be invoked from TID == 0x0 >>>

Sorry a mistake.Afaik idle process thread only runs nt!KiIdleLoop function.

Hi Alexander,

did you verifiy with the other tool all threads ID?

Does any of sysinternals tools allow to find out thread to process relationship?

Yes of course.

Please use Process Explorer and try to reproduce the same situation which was measured with VTune.

Hi Alexander,

did you check with process explorer?