Question

I am using Event Tracing for Windows (ETW) to do kernel tracing of syscalls in Windows Server 2008 R2.

I am running:

logman start "NT Kernel Logger" -p "Windows Kernel Trace" (process,thread,cswitch,syscall) -o events.etl -ets

In the resulting kernel traces, I am looking at the SysCallAddress attribute and I see a lot of what I would expect: for example 0xFFFFF80001999EE0, which is nt!NtWriteFile.

The problem is that I am seeing a lot of addresses in the 0xFFFFF960 range, for example 0xFFFFF9600004421C, and I don't know what is at these addresses. The ln command in the kernel debugger returns no information for any of these addresses. Does anybody know what lives at these addresses that the kernel tracer regards as syscalls?


Solution

Those are syscalls into win32k.sys. Think GetMessage, EndDraw, etc.
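A small added example (not from the question or the answer above) of how to attribute SysCallAddress values from a kernel trace to the module that owns them, so that nt and win32k.sys syscalls can be told apart and counted. The module bases and sizes below are placeholders: on a real system they come from the ImageLoad events in the same .etl or from the debugger's module list. The record format and the third, unmapped address are constructed for the example; the first two addresses are the ones quoted in the question.

```python
"""Attribute ETW SysCallAddress values to the kernel module that owns them."""
import bisect
from collections import Counter

# Hypothetical module table: (base, size, name). Placeholder values, not real
# load addresses; read them from ImageLoad events or the debugger in practice.
MODULES = [
    (0xFFFFF80001800000, 0x5E7000, "nt"),          # ntoskrnl.exe (constructed)
    (0xFFFFF96000000000, 0x300000, "win32k.sys"),  # session-space image (constructed)
]

# Constructed sample records in the shape "event,address". The first two
# addresses are from the question; the last one deliberately hits no module.
SAMPLE_RECORDS = """\
SysCallEnter,0xFFFFF80001999EE0
SysCallEnter,0xFFFFF9600004421C
SysCallEnter,0xFFFFF80001999EE0
SysCallEnter,0xFFFFFA8001234567
"""


def build_index(modules):
    """Sort modules by base for bisect lookup and reject overlapping ranges."""
    entries = sorted(modules)
    for (b1, s1, n1), (b2, _, n2) in zip(entries, entries[1:]):
        if b1 + s1 > b2:
            raise ValueError(f"overlapping modules {n1} and {n2}")
    return [e[0] for e in entries], entries


def attribute(address, index):
    """Return 'module+0xOFFSET' for an address, or None if no module covers it."""
    bases, entries = index
    i = bisect.bisect_right(bases, address) - 1
    if i < 0:
        return None
    base, size, name = entries[i]
    if address >= base + size:          # past the end of the nearest module
        return None
    return f"{name}+0x{address - base:X}"


def parse_records(text):
    """Pull the syscall addresses out of the constructed record format."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event, addr = line.split(",", 1)
        if event == "SysCallEnter":
            addrs.append(int(addr, 16))
    return addrs


def summarize(text, modules=MODULES):
    """Count syscall events per attributed symbol; unmapped addresses are flagged."""
    index = build_index(modules)
    counts = Counter()
    for addr in parse_records(text):
        counts[attribute(addr, index) or "<unmapped>"] += 1
    return dict(counts)


if __name__ == "__main__":
    for symbol, n in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{n:4d}  {symbol}")
```

Anything that lands in "<unmapped>" deserves a look: it usually means the module table is incomplete (for example a driver whose ImageLoad event predates the trace), but it is also the bucket where a syscall pointer into unbacked memory would show up.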

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow