Analyzers
Talk to fellow users of Intel Analyzer tools (Intel VTune™ Profiler, Intel Advisor)

Why thread td 0x0 belongs to autochk.exe in vTune?

Alexander_Alexeev
499 Views

Hello

I am collecting data for whole system. As I could see 22% (picture is below) of the execution happens in thread with tid 0x0. Knowing that I found which process is an owner of thread tid=0x0. It happens to be autochk.exe, from my point of view it is strange as almost all IO drivers working in the systems was executed in the context of thread 0x0.  I would rather think that thread 0 belongs to idle process 0. At least it would explain why so many DPC and interrupts are handled in this thread.  

My questions are:

1. What does thread with tid 0x0 do in Windows? Does it have dedicated purpose?

2. Is it correct that Thread tid 0x0 belongs to autochk.exe?

3. Why so much drivers execution is attributed to thread tid 0x0

0 Kudos
13 Replies
SergeyKostrov
Valued Contributor II
499 Views
What Windows do you use?
0 Kudos
Alexander_Alexeev
499 Views

OS is Windows Server 2008 R2 Standard (Microsoft Windows [Version 6.1.7601])

0 Kudos
Bernard
Valued Contributor I
499 Views

Hi Alexander,

Thread PID==0x0 it is part of so called System Idle Process which have a special thread which runs only in the case when any other thread is not scheduled to run at the current moment(time).This one of two processes(second is Process PID == 4) which is not related to specific image file.

Autocheck.exe is the checking disc utility.It is quite possible than in case of low system activity autocheck.exe will run or it has been invoked by other process to run.

 

0 Kudos
Bernard
Valued Contributor I
499 Views

>>> from my point of view it is strange as almost all IO drivers working in the systems was executed in the context of thread 0x0.  I would rather think that thread 0 belongs to idle process 0>>>

It is quite possible because drivers run in thread arbitrary context and in your case curruntly running thread is Idle Process Thread.

If you would like to get a better picture of thread/DPC activity it is advised to use Xperf tool.

0 Kudos
Bernard
Valued Contributor I
499 Views

>>>2. Is it correct that Thread tid 0x0 belongs to autochk.exe?>>>

No it is incorrect,because System Idle Process is not related to any executable.Aotocheck.exe could be invoked from TID == 0x0 and as bulk of the autocheck scanning is done in kernel mode probably by using disk.sys driver and upper layer file system drivers so the autocheck.exe thread which is communicating with the driver could spent some of its execution time in kernel mode while its kernel module(driver) could run in arbitrary context.

0 Kudos
Alexander_Alexeev
499 Views

So if all above is true then it is a defect in vTune to show thread with tid 0x0 as part of process autochk.exe

Right?

0 Kudos
Bernard
Valued Contributor I
499 Views

 

Can you use Xperf tool to obtain the better picture?Please close VTune before running Xperf(because of Kernel Logger accesses)?

I know that when you are dealing with idle process and idle thread there will be some anomalies generated by profilling tools and debuggers.Because of strange "nature" of the these  objects which do not have user mode address space and are represented by minimal internal data structures. Idle thread only runs KiIdleLoop function. If you have installed windbg you can use its kernel mode version to obtain the relevant information by execution !pcrx , where x = number of cpu command and dump _KPCR structrure you will see adress of idle loop structure.

0 Kudos
Bernard
Valued Contributor I
499 Views

>>>Aotocheck.exe could be invoked from TID == 0x0 >>>

Sorry a mistake.Afaik idle process thread only runs nt!KiIdleLoop function.

0 Kudos
SergeyKostrov
Valued Contributor II
499 Views
Alexander, for verification try to use PSTAT.exe or PVIEW.exe utilities from Microsoft Platform SDK to review all TIDs on your system.
0 Kudos
Bernard
Valued Contributor I
499 Views

Hi Alexander,

did you verifiy with the other tool all threads ID?

0 Kudos
Alexander_Alexeev
499 Views

Does any of sysinternals tools allow to find out thread to process relationship?

0 Kudos
Bernard
Valued Contributor I
499 Views

Yes of course.

Please use Process Explorer and try to reproduce the same situation which was measured with VTune.

0 Kudos
Bernard
Valued Contributor I
499 Views

Hi Alexander,

did you check with process explorer?

0 Kudos
Reply