What is xxx in win32k!xxxInternalGetMessage? Anybody seen that?

Shintaro

I normally try to look up some of the calls in the stack trace to try and help me understand what is going on.

But win32k!xxxInternalGetMessage has got me stumped.
P.66 & 67 of Windows Internals 6th Ed. does not list "xxx"


Call Site
nt!KeBugCheckEx
nt!KiBugCheckDispatch
nt!KiSystemServiceHandler
nt!RtlpExecuteHandlerForException
nt!RtlDispatchException
nt!KiDispatchException
nt!KiExceptionDispatch
nt!KiGeneralProtectionFault
win32k!xxxWindowHitTest
win32k!xxxWindowHitTest2
win32k!xxxWindowHitTest
win32k!xxxScanSysQueue
win32k!xxxRealInternalGetMessage
win32k!xxxInternalGetMessage
win32k!NtUserGetMessage
nt!KiSystemServiceCopyEnd
0x0

Ke = Kernel
Ki = Kernel Interrupt Handling
Rtl = Runtime Library
Nt = Native API calls

xxx= ???? ***??

Virus?? Malware??

Any ideas?? Anybody??
 
I've been curious about this myself. There's some nomenclature for symbol (function) names that Windows uses that I've been trying to wrap my head around. This is one of them. If anyone can find out about it that'd be splendid, but so far all I've seen are people putting them to use, rather than describing them. Given that it's from win32k module, it's definite it relates to usermode stuff, and this in particular is relevant to window handling, so that much at least can be discerned.
 
Started looking into this, and I found a lot of stuff about these prefixes.

Here's my start page: http://www.carrona.org/stacpref.html

Then I found this: http://en.wikipedia.org/wiki/Native_API

The most compelling explanation I've found suggested is that the xxx is for experimental stuff. But going through the info on Native APIs in MSDN rapidly gets confusing and goes well beyond my understanding: http://msdn.microsoft.com/en-us/library/ff553217(v=vs.85)

Got this before I got too confused:
Driver Support Routines
http://msdn.microsoft.com/en-us/library/ff544200(v=vs.85)


Ob - Object Manager
Mm - Memory Manager
Ps - Process and Thread Manager Routines
Io - I/O Manager Routines
Po - Power Manager Routines
Cm - Configuration Manager Routines
Tm (and Zw) - Kernel Transaction Manager (KTM) Routines
Se - Security Reference Monitor Routines
Ke - Core Kernel Library Support Routines
Ex - Executive Library Support Routines
Rtl - Run-Time Library (RTL) Routines/Safe String Library Routines/Safe Integer Library Routines
Dma - DMA Library Routines (?)
Hal - HAL Library Routines
Clfs - CLFS Management Library Routines
Zw - ZwXxx Routines
Aux - Auxiliary Kernel-Mode Library Routines and Structures

BTW - the ZwXxx Routines is a dead-end for the xxx prefix.
It actually stands for the stuff after ZW when the routine is listed (for example, KeXxx is shorthand for the stuff after Ke here: KeBugCheckEx).
 
Thank you both for adding to my (lack of) information. :grin1:

I know very little about the stack outside of what I do with it for C++ programming; it is one area I would like to improve upon. I just did a quick Google search to see if the xxx meant the trace showed an item that was malware related.
 
Read it and read it again, then again!

I've read version 4 and version 5 of Windows Internals from cover-to-cover several times.
Each time through I understand a bit more.

Good luck!
 
You're a better man than I. I have a hard time reading through several pages without dozing off, yet to finish 5th edition.
 
You're a better man than I. I have a hard time reading through several pages without dozing off, yet to finish 5th edition.

Indeed. I have difficulty staying focused on what I'm reading and usually get sidetracked :bored2:

I still do wish I had the actual books though, it would make for great reference.
 
I have both digital and hardback versions of 5th edition. I much prefer reading the printed version when I want to do extended reading on a subject, but digital is always vastly superior for reference given the ability to do text search and whatnot.
 
I must admit I like the physical books, but it is a pain to carry around. I went out and bought a $140 AUD 7" pad with Android 4 on it. I have all my books in PDF format on it.
Later on I might buy a 10" pad.
 
The xxx prefix means the function may leave the critical section.
The xxx name is a hint to Microsoft engineers that the function may leave the critical section, which has consequences on the way the code must be written: for example, objects need to be locked (refcounted) before calling an xxx function if you want to ensure they do not get deleted by some other thread before the xxx function returns.
xxx was chosen because it was easy to search for, easy to see.
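
The locking rule described in the last reply, as an added example that is not part of the thread and not Microsoft's code: a single-threaded C model of a caller that locks (refcounts) an object before calling an xxx-style function, beside one that does not. Every name in it (Obj, obj_lock, xxxDoWork and the rest) is hypothetical, and a `freed` flag stands in for actually releasing the memory.

```c
#include <stdbool.h>

/* Hypothetical names; a single-threaded user-mode model, not win32k code. */
typedef struct Obj {
    int  lock_count;  /* references held by callers across xxx calls */
    bool destroyed;   /* some thread asked for the object to be deleted */
    bool freed;       /* model only: marks the point where memory would be released */
} Obj;

static bool g_in_crit;  /* models ownership of the shared critical section */
static void enter_crit(void) { g_in_crit = true; }
static void leave_crit(void) { g_in_crit = false; }

/* Memory is released only once deletion was requested AND nobody holds a lock. */
static void release_if_unused(Obj *o) { if (o->destroyed && o->lock_count == 0) o->freed = true; }
static void obj_lock(Obj *o)    { o->lock_count++; }
static void obj_unlock(Obj *o)  { o->lock_count--; release_if_unused(o); }
static void obj_destroy(Obj *o) { o->destroyed = true; release_if_unused(o); }

/* "xxx" style function: it may leave the critical section before returning. */
static void xxxDoWork(Obj *o) {
    leave_crit();
    obj_destroy(o);   /* stands in for another thread deleting o while we are outside */
    enter_crit();
}

/* No lock taken: returns false because o was released during the xxx call,
 * so any later use of o by this caller would touch freed memory. */
bool caller_without_lock(Obj *o) {
    enter_crit();
    xxxDoWork(o);
    bool still_valid = !o->freed;
    leave_crit();
    return still_valid;
}

/* Lock taken first: deletion is deferred until obj_unlock drops the last reference. */
bool caller_with_lock(Obj *o) {
    enter_crit();
    obj_lock(o);
    xxxDoWork(o);
    bool still_valid = !o->freed;  /* marked destroyed, but the memory is still there */
    obj_unlock(o);                 /* last reference gone: released here */
    leave_crit();
    return still_valid;
}

int main(void) {
    Obj a = {0}, b = {0};
    return (!caller_without_lock(&a) && caller_with_lock(&b) && b.freed) ? 0 : 1;
}
```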
 
