I am collecting data for whole system. As I could see 22% (picture is below) of the execution happens in thread with tid 0x0. Knowing that I found which process is an owner of thread tid=0x0. It happens to be autochk.exe, from my point of view it is strange as almost all IO drivers working in the systems was executed in the context of thread 0x0. I would rather think that thread 0 belongs to idle process 0. At least it would explain why so many DPC and interrupts are handled in this thread.
My questions are:
1. What does thread with tid 0x0 do in Windows? Does it have dedicated purpose?
2. Is it correct that Thread tid 0x0 belongs to autochk.exe?
3. Why so much drivers execution is attributed to thread tid 0x0
Thread PID==0x0 it is part of so called System Idle Process which have a special thread which runs only in the case when any other thread is not scheduled to run at the current moment(time).This one of two processes(second is Process PID == 4) which is not related to specific image file.
Autocheck.exe is the checking disc utility.It is quite possible than in case of low system activity autocheck.exe will run or it has been invoked by other process to run.
>>> from my point of view it is strange as almost all IO drivers working in the systems was executed in the context of thread 0x0. I would rather think that thread 0 belongs to idle process 0>>>
It is quite possible because drivers run in thread arbitrary context and in your case curruntly running thread is Idle Process Thread.
If you would like to get a better picture of thread/DPC activity it is advised to use Xperf tool.
>>>2. Is it correct that Thread tid 0x0 belongs to autochk.exe?>>>
No it is incorrect,because System Idle Process is not related to any executable.Aotocheck.exe could be invoked from TID == 0x0 and as bulk of the autocheck scanning is done in kernel mode probably by using disk.sys driver and upper layer file system drivers so the autocheck.exe thread which is communicating with the driver could spent some of its execution time in kernel mode while its kernel module(driver) could run in arbitrary context.
Can you use Xperf tool to obtain the better picture?Please close VTune before running Xperf(because of Kernel Logger accesses)?
I know that when you are dealing with idle process and idle thread there will be some anomalies generated by profilling tools and debuggers.Because of strange "nature" of the these objects which do not have user mode address space and are represented by minimal internal data structures. Idle thread only runs KiIdleLoop function. If you have installed windbg you can use its kernel mode version to obtain the relevant information by execution !pcrx , where x = number of cpu command and dump _KPCR structrure you will see adress of idle loop structure.