第一部分：

1: kd> kc
#
00 sfc_os!SfcQueueValidationRequest
01 sfc_os!SfcWatchProtectedDirectoriesWorkerThread
02 kernel32!BaseThreadStart

1: kd> dv
RegVal = 0x01129164
ChangeType = 5
vrd = 0x012bfef0
Status = 0n1988337684
vrdexisting = 0x012bffdc

    //
// if we're in GUI-Setup, don't queue any validation requests
//
if (SFCDisable == SFC_DISABLE_SETUP) {
return STATUS_SUCCESS;
}

1: kd> x sfc_os!SFCDisable
768421b8          sfc_os!SFCDisable = 0

vrd->NextValidTime = GetTickCount() + (1000*SFCStall);
vrd->RegVal = RegVal;
vrd->ChangeType = ChangeType;
vrd->Signature = SFC_VRD_SIGNATURE;

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048)
((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048)                 : 0x1fe0048 [Type: _VALIDATION_REQUEST_DATA *]
[+0x000] Entry            [Type: _LIST_ENTRY]
[+0x008] Signature        : 0x69696969 [Type: unsigned long]
[+0x010] ImageValData     [Type: _COMPLETE_VALIDATION_DATA]
[+0x130] RegVal           : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]
[+0x134] SourceInfo       [Type: _SOURCE_INFO]
[+0xd74] ChangeType       : 0x5 [Type: unsigned long]
[+0xd78] CopyCompleted    : 0 [Type: int]
[+0xd7c] Win32Error       : 0x0 [Type: unsigned long]
[+0xd80] SyncOnly         : 0 [Type: int]
[+0xd84] RetryCount       : 0x0 [Type: unsigned long]
[+0xd88] Flags            : 0x0 [Type: unsigned long]
[+0xd8c] NextValidTime    : 0xffd4b349 [Type: unsigned long]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164)  
((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164)                 : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]
[+0x000] Entry            [Type: _LIST_ENTRY]
[+0x008] FileName         : "pidgen.dll" [Type: _UNICODE_STRING]
[+0x010] DirName          : "c:\windows\system32" [Type: _UNICODE_STRING]
[+0x018] FullPathName     : "c:\windows\system32\pidgen.dll" [Type: _UNICODE_STRING]
[+0x020] InfName          : "" [Type: _UNICODE_STRING]
[+0x028] SourceFileName   : "" [Type: _UNICODE_STRING]
[+0x030] OriginalFileName [Type: unsigned short [128]]
[+0x130] DirHandle        : 0x24 [Type: void *]
[+0x134] pvWinSxsCookie   : 0x0 [Type: void *]
[+0x138] dwWinSxsFlags    : 0x0 [Type: unsigned long]

第二部分：

1: kd> p
sfc_os!SfcQueueValidationRequest+0xb9:
001b:76838ee2 e860e7ffff      call    sfc_os!IsFileInQueue (76837647)
1: kd> t
sfc_os!IsFileInQueue:
001b:76837647 55              push    ebp
1: kd> kc
#
00 sfc_os!IsFileInQueue
01 sfc_os!SfcQueueValidationRequest
02 sfc_os!SfcWatchProtectedDirectoriesWorkerThread
03 kernel32!BaseThreadStart

1: kd> x sfc_os!SfcErrorQueue
76840e80          sfc_os!SfcErrorQueue = struct _LIST_ENTRY [ 0x12380d0 - 0x12380d0 ]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))
(*((sfc_os!_LIST_ENTRY *)0x76840e80))                 [Type: _LIST_ENTRY]
[+0x000] Flink            : 0x12380d0 [Type: _LIST_ENTRY *]
[+0x004] Blink            : 0x12380d0 [Type: _LIST_ENTRY *]
1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0
sfc_os!VALIDATION_REQUEST_DATA
+0x000 Entry            : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]
+0x008 Signature        : 0x69696969
+0x010 ImageValData     : _COMPLETE_VALIDATION_DATA
+0x130 RegVal           : 0x01129164 _SFC_REGISTRY_VALUE        RegVal           : 0x01129164
+0x134 SourceInfo       : _SOURCE_INFO
+0xd74 ChangeType       : 3
+0xd78 CopyCompleted    : 0n1
+0xd7c Win32Error       : 0
+0xd80 SyncOnly         : 0n0
+0xd84 RetryCount       : 0
+0xd88 Flags            : 1
+0xd8c NextValidTime    : 0xffd2d959

        if (RegVal == vrd->RegVal) {
return vrd;        //VALIDATION_REQUEST_DATA 0x12380d0
}

        if (!vrdexisting || (vrdexisting->Flags & VRD_FLAG_REQUEST_PROCESSED) ) {

            DebugPrint1( LVL_VERBOSE,
L"Inserting [%ws] into error queue for validation",
RegVal->FullPathName.Buffer );

            InsertTailList( &SfcErrorQueue, &vrd->Entry );
ErrorQueueCount += 1;

            //
// do this to avoid free later on
//
vrdexisting = NULL;

        }

第三部分：

1: kd> p
sfc_os!IsFileInQueue+0x27:
001b:7683766e 5d              pop     ebp
1: kd> r
eax=012380d0

D:\srv03rtm\base\subsys\sm/sfc/dll/sfcp.h:471:#define VRD_FLAG_REQUEST_PROCESSED        0x00000001

+0xd88 Flags            : 1

1: kd> x sfc_os!ErrorQueueCount
76840e7c          sfc_os!ErrorQueueCount = 1

1: kd> x sfc_os!ErrorQueueCount
76840e7c          sfc_os!ErrorQueueCount = 2

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))
(*((sfc_os!_LIST_ENTRY *)0x76840e80))                 [Type: _LIST_ENTRY]
[+0x000] Flink            : 0x12380d0 [Type: _LIST_ENTRY *]
[+0x004] Blink            : 0x1fe0048 [Type: _LIST_ENTRY *]

1: kd> dt VALIDATION_REQUEST_DATA 0x1fe0048
sfc_os!VALIDATION_REQUEST_DATA
+0x000 Entry            : _LIST_ENTRY [ 0x76840e80 - 0x12380d0 ]
+0x008 Signature        : 0x69696969
+0x010 ImageValData     : _COMPLETE_VALIDATION_DATA
+0x130 RegVal           : 0x01129164 _SFC_REGISTRY_VALUE
+0x134 SourceInfo       : _SOURCE_INFO
+0xd74 ChangeType       : 5                //+0xd74 ChangeType       : 5
+0xd78 CopyCompleted    : 0n0
+0xd7c Win32Error       : 0
+0xd80 SyncOnly         : 0n0
+0xd84 RetryCount       : 0
+0xd88 Flags            : 0                //+0xd88 Flags            : 0    
+0xd8c NextValidTime    : 0xffd4b349

1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0
sfc_os!VALIDATION_REQUEST_DATA
+0x000 Entry            : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]
+0x008 Signature        : 0x69696969
+0x010 ImageValData     : _COMPLETE_VALIDATION_DATA
+0x130 RegVal           : 0x01129164 _SFC_REGISTRY_VALUE        RegVal           : 0x01129164
+0x134 SourceInfo       : _SOURCE_INFO
+0xd74 ChangeType       : 3                //+0xd74 ChangeType       : 3
+0xd78 CopyCompleted    : 0n1
+0xd7c Win32Error       : 0
+0xd80 SyncOnly         : 0n0
+0xd84 RetryCount       : 0
+0xd88 Flags            : 1                //+0xd88 Flags            : 1
+0xd8c NextValidTime    : 0xffd2d959

第四部分：

1: kd> x sfc_os!hErrorThread
76840e88          sfc_os!hErrorThread = 0x00000b4c

1: kd> !handle b4c

PROCESS 89ce3d88  SessionId: 0  Cid: 01d4    Peb: 7ffdf000  ParentCid: 018c
DirBase: 7c1c9000  ObjectTable: e136a268  HandleCount: 564.
Image: winlogon.exe

Handle table at e136a268 with 564 entries in use

0b4c: Object: 892d6da0  GrantedAccess: 001f03ff Entry: e1792698
Object: 892d6da0  Type: (89dd5710) Thread
ObjectHeader: 892d6d88 (old version)
HandleCount: 3  PointerCount: 5

       THREAD 892d6da0  Cid 01d4.03bc  Teb: 7ffdc000 Win32Thread: e10ecea8 RUNNING on processor 0
IRP List:
899d7838: (0006,01d8) Flags: 00000884  Mdl: 00000000
8936dcd8: (0006,0190) Flags: 00000000  Mdl: 00000000
Not impersonating
DeviceMap                 e10026b8
Owning Process            89ce3d88       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      274695963      Ticks: 0
Context Switch Count      441            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.156
KernelTime                00:00:00.156
Win32 Start Address sfc_os!SfcQueueValidationThread (0x7683856f)
Stack Init b9af1000 Current b9af0924 Base b9af1000 Limit b9aec000 Call 00000000
Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr  
b9af06f4 80aed4e8 nt!ExpAssertResource+0x71 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 2913]
b9af0718 f713659e nt!ExReleaseResourceLite+0x18 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 1410]
b9af071c f7135f80 Ntfs!NtfsCommonCreate+0x1da0 (FPO: [SEH]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4202]
b9af0908 f712f53e Ntfs!NtfsCommonCreate+0x1782 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4210]
b9af0a08 80a2675c Ntfs!NtfsFsdCreate+0x1f6 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 904]
b9af0a24 80c75af1 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]
b9af0b20 80c7607c nt!IopParseDevice+0xd7d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 1317]
b9af0b58 80d1cb2c nt!IopParseFile+0x78 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 2014]
b9af0bd4 80d16798 nt!ObpLookupObjectName+0x14a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obdir.c @ 1834]
b9af0c28 80c61f73 nt!ObOpenObjectByName+0x13e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obref.c @ 767]
b9af0ca4 80c63967 nt!IopCreateFile+0x44d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 5494]
b9af0cf0 80c6892f nt!IoCreateFile+0x73 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 4788]
b9af0d38 80afbcb2 nt!NtOpenFile+0x57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\open.c @ 95]
b9af0d38 7ffe0304 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b9af0d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
007cf674 77f2f1d8 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
007cf678 7682f536 ntdll!NtOpenFile+0xc (FPO: [6,0,0]) [d:\srv03rtm\base\ntdll\daytona\obj\i386\usrstubs.asm @ 1099]
007cf6c4 76837870 sfc_os!SfcOpenFile+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\fileio.c @ 87]
007cf6ec 7683297d sfc_os!SfcGetValidationData+0x8b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2126]
007cf724 76838b81 sfc_os!SfcRestoreFromCache+0x2fa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\restore.c @ 1483]
007cffb8 77e41be7 sfc_os!SfcQueueValidationThread+0x612 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1702]
007cffec 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]

第五部分：changtype=3

Breakpoint 4 hit
sfc_os!SfcQueueValidationRequest:
001b:76838e29 6a1c            push    1Ch
1: kd> dv
RegVal = 0x01129164
ChangeType = 3
vrd = 0x012bfef0
Status = 0n1988337684
vrdexisting = 0x012bffdc