163 Views

Why does thread tid 0x0 belong to autochk.exe in VTune?

Hello

I am collecting data for the whole system. As I could see, 22% (picture is below) of the execution happens in the thread with tid 0x0. Knowing that, I found which process is the owner of thread tid=0x0. It happens to be autochk.exe; from my point of view it is strange, as almost all IO drivers working in the system were executed in the context of thread 0x0. I would rather think that thread 0 belongs to idle process 0. At least it would explain why so many DPCs and interrupts are handled in this thread.

My questions are:

1. What does the thread with tid 0x0 do in Windows? Does it have a dedicated purpose?

2. Is it correct that thread tid 0x0 belongs to autochk.exe?

3. Why is so much driver execution attributed to thread tid 0x0?

13 Replies
SergeyKostrov
Valued Contributor II
163 Views

What Windows do you use?
163 Views

OS is Windows Server 2008 R2 Standard (Microsoft Windows [Version 6.1.7601])

Bernard
Black Belt
163 Views

Hi Alexander,

Thread PID==0x0 is part of the so-called System Idle Process, which has a special thread that runs only when no other thread is scheduled to run at the current moment (time). This is one of two processes (the second is Process PID == 4) which are not related to a specific image file.

Autocheck.exe is the disk checking utility. It is quite possible that in case of low system activity autocheck.exe will run, or it has been invoked by another process to run.

 

Bernard
Black Belt
163 Views

>>> from my point of view it is strange as almost all IO drivers working in the systems was executed in the context of thread 0x0.  I would rather think that thread 0 belongs to idle process 0>>>

It is quite possible, because drivers run in arbitrary thread context, and in your case the currently running thread is the Idle Process Thread.

If you would like to get a better picture of thread/DPC activity, it is advised to use the Xperf tool.

Bernard
Black Belt
163 Views

>>>2. Is it correct that Thread tid 0x0 belongs to autochk.exe?>>>

No, it is incorrect, because the System Idle Process is not related to any executable. Autocheck.exe could be invoked from TID == 0x0, and as the bulk of the autocheck scanning is done in kernel mode, probably by using the disk.sys driver and upper-layer file system drivers, the autocheck.exe thread which is communicating with the driver could spend some of its execution time in kernel mode, while its kernel module (driver) could run in arbitrary context.

163 Views

So if all of the above is true, then it is a defect in VTune to show the thread with tid 0x0 as part of process autochk.exe.

Right?

Bernard
Black Belt
163 Views

 

Can you use the Xperf tool to obtain a better picture? Please close VTune before running Xperf (because of Kernel Logger accesses).

I know that when you are dealing with the idle process and idle thread there will be some anomalies generated by profiling tools and debuggers, because of the strange "nature" of these objects, which do not have a user mode address space and are represented by minimal internal data structures. The idle thread only runs the KiIdleLoop function. If you have installed windbg, you can use its kernel mode version to obtain the relevant information by executing the !pcrx command, where x = number of cpu, and dump the _KPCR structure; you will see the address of the idle loop structure.

Bernard
Black Belt
163 Views

>>>Autocheck.exe could be invoked from TID == 0x0 >>>

Sorry, a mistake. Afaik the idle process thread only runs the nt!KiIdleLoop function.

SergeyKostrov
Valued Contributor II
163 Views

Alexander, for verification try to use the PSTAT.exe or PVIEW.exe utilities from the Microsoft Platform SDK to review all TIDs on your system.
Bernard
Black Belt
163 Views

Hi Alexander,

Did you verify all thread IDs with the other tool?

163 Views

Do any of the Sysinternals tools allow finding out the thread-to-process relationship?

Bernard
Black Belt
163 Views

Yes of course.

Please use Process Explorer and try to reproduce the same situation which was measured with VTune.

Bernard
Black Belt
163 Views

Hi Alexander,

Did you check with Process Explorer?
