kd> kp
# ChildEBP RetAddr
00 f8181b88 80411c18 nt!CmpAcquireKcbLockExclusiveByIndex(unsigned long Index = 0x48)+0x44 [d:\reacto\reactos\ntoskrnl\include\internal\cm_x.h @ 120]
01 f8181b94 8041262b nt!CmpAcquireKcbLockExclusive(struct _CM_KEY_CONTROL_BLOCK * Kcb = 0xe189a620)+0x28 [d:\reacto\reactos\ntoskrnl\include\internal\cm_x.h @ 135]
02 f8181bd0 80411a62 nt!CmpEnumerateOpenSubKeys(struct _CM_KEY_CONTROL_BLOCK * RootKcb = 0xe184f008, unsigned char LockHeldExclusively = 0x00 '', unsigned char RemoveEmptyCacheEntries = 0x01 '', unsigned char DereferenceOpenedEntries = 0x00 '')+0x1db [d:\reacto\reactos\ntoskrnl\config\cmapi.c @ 2435]
03 f8181c04 80427705 nt!CmUnloadKey(struct _CM_KEY_CONTROL_BLOCK * Kcb = 0xe184f008, unsigned long Flags = 0)+0x1b2 [d:\reacto\reactos\ntoskrnl\config\cmapi.c @ 2245]
04 f8181cec 80427910 nt!NtUnloadKey2(struct _OBJECT_ATTRIBUTES * TargetKey = 0x0012eba0, unsigned long Flags = 0)+0x465 [d:\reacto\reactos\ntoskrnl\config\ntapi.c @ 1940]
05 f8181cfc 8040405e nt!NtUnloadKey(struct _OBJECT_ATTRIBUTES * KeyObjectAttributes = 0x0012eba0)+0x10 [d:\reacto\reactos\ntoskrnl\config\ntapi.c @ 1792]
06 f8181d10 8056b388 nt!KiSystemCallTrampoline+0x19
07 f8181d5c 80403ea5 nt!KiSystemServiceHandler(struct _KTRAP_FRAME * TrapFrame = 0xf8181d64, void * Arguments = 0x0012eb70)+0x278 [d:\reacto\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1840]
08 f8181d5c 7c936e3e nt!KiFastCallEntry+0x96
09 0012eb64 7c96a476 ntdll!KiFastSystemCallRet
0a 0012eb68 7c551398 ntdll!NtUnloadKey+0xc
0b 0012ebbc 7aa8a33e advapi32!RegUnLoadKeyW(struct HKEY__ * hKey = 0x80000003, wchar_t * lpSubKey = 0x0013a038 "S-1-5-21-930446131-64054603-1465959619-500")+0xa8 [d:\reacto\reactos\dll\win32\advapi32\reg\reg.c @ 5105]
0c 0012f8f4 7aa8a4ea userenv!CreateUserProfileExW(void * pSid = 0x00137c00, wchar_t * lpUserName = 0x0013a628 "Administrator", wchar_t * lpUserHive = 0x00000000 "", wchar_t * lpProfileDir = 0x00000000 "", unsigned long dwDirSize = 0, int bWin9xUpg = 0n0)+0xfce [d:\reacto\reactos\dll\win32\userenv\profile.c @ 1110]
0d 0012f914 7aa8dc01 userenv!CreateUserProfileW(void * pSid = 0x00137c00, wchar_t * lpUserName = 0x0013a628 "Administrator")+0x1a [d:\reacto\reactos\dll\win32\userenv\profile.c @ 757]
0e 0012fbd0 00405375 userenv!LoadUserProfileW(void * hToken = 0x000002d4, struct _PROFILEINFOW * lpProfileInfo = 0x0012fc08)+0x761 [d:\reacto\reactos\dll\win32\userenv\profile.c @ 2105]
0f 0012fc2c 004049e6 winlogon!HandleLogon(struct _WLSESSION * Session = 0x00131ca8)+0x175 [d:\reacto\reactos\base\system\winlogon\sas.c @ 497]
10 0012fc48 0040491d winlogon!DoGenericAction(struct _WLSESSION * Session = 0x00131ca8, unsigned long wlxAction = 1)+0x56 [d:\reacto\reactos\base\system\winlogon\sas.c @ 1029]
11 0012fc78 0040777a winlogon!DispatchSAS(struct _WLSESSION * Session = 0x00131ca8, unsigned long dwSasType = 1)+0x1ed [d:\reacto\reactos\base\system\winlogon\sas.c @ 1205]
12 0012fcdc 77aa492a winlogon!SASWindowProc(struct HWND__ * hwndDlg = 0x0002007a, unsigned int uMsg = 0x659, unsigned int wParam = 1, long lParam = 0n0)+0x72a [d:\reacto\reactos\base\system\winlogon\sas.c @ 1473]
13 0012fd0c 77a92b96 user32!CALL_EXTERN_WNDPROC+0x1a
14 0012fdf0 77a96c1b user32!IntCallWindowProcW(int IsAnsiProc = 0n0, * WndProc = 0x00407050, struct _WND * pWnd = 0x00551978, struct HWND__ * hWnd = 0x0002007a, unsigned int Msg = 0x659, unsigned int wParam = 1, long lParam = 0n0)+0x656 [d:\reacto\reactos\win32ss\user\user32\windows\message.c @ 1547]
15 0012fe24 77a9646b user32!IntCallMessageProc(struct _WND * Wnd = 0x00551978, struct HWND__ * hWnd = 0x0002007a, unsigned int Msg = 0x659, unsigned int wParam = 1, long lParam = 0n0, int Ansi = 0n0)+0x1eb [d:\reacto\reactos\win32ss\user\user32\windows\message.c @ 1798]
16 0012fe88 004105f9 user32!DispatchMessageW(struct tagMSG * lpmsg = 0x0012fec8 {msg=0x659 wp=0x1 lp=0x0})+0x22b [d:\reacto\reactos\win32ss\user\user32\windows\message.c @ 2046]
17 0012fef4 00415870 winlogon!WinMain(struct HINSTANCE__ * hInstance = 0x00400000, struct HINSTANCE__ * hPrevInstance = 0x00000000, char * lpCmdLine = 0x001346d4 "", int nShowCmd = 0n10)+0x789 [d:\reacto\reactos\base\system\winlogon\winlogon.c @ 612]
18 0012ff0c 004154ba winlogon!main(int flags = 0n1, char ** cmdline = 0x00134768, char ** inst = 0x00133d40)+0x20 [d:\reacto\reactos\sdk\lib\crt\startup\crt0_c.c @ 22]
19 0012ffe8 00415138 winlogon!__tmainCRTStartup(void)+0x2ba [d:\reacto\reactos\sdk\lib\crt\startup\crtexe.c @ 311]
1a 0012fff4 00000000 winlogon!WinMainCRTStartup(void)+0x28 [d:\reacto\reactos\sdk\lib\crt\startup\crtexe.c @ 157]