第一部分：
VOID
ExpTimerApcRoutine (
    IN PKAPC Apc,
    IN PKNORMAL_ROUTINE *NormalRoutine,
    IN PVOID *NormalContext,
    IN PVOID *SystemArgument1,
    IN PVOID *SystemArgument2
    )

/*++

Routine Description:

    This function is the special APC routine that is called to remove
    a timer from the current thread's active timer list.

Arguments:

    Apc - Supplies a pointer to the APC object used to invoke this routine.

    NormalRoutine - Supplies a pointer to a pointer to the normal routine
        function that was specified when the APC was initialized.

    NormalContext - Supplies a pointer to a pointer to an arbitrary data
        structure that was specified when the APC was initialized.

    SystemArgument1, SystemArgument2 - Supplies a set of two pointers to
        two arguments that contain untyped data.

Return Value:

    None.

--*/

{

    PETHREAD ExThread;
    PETIMER ExTimer;
    KIRQL OldIrql1;
    ULONG DerefCount;

    UNREFERENCED_PARAMETER (NormalContext);
    UNREFERENCED_PARAMETER (SystemArgument1);
    UNREFERENCED_PARAMETER (SystemArgument2);

    //
    // Get address of executive timer object and the current thread object.
    //

    ExThread = PsGetCurrentThread();
    ExTimer = CONTAINING_RECORD(Apc, ETIMER, TimerApc);

    //
    // If the timer is still in the current thread's active timer list, then
    // remove it if it is not a periodic timer and set APC associated FALSE.
    // It is possible for the timer not to be in the current thread's active
    // timer list since the APC could have been delivered, and then another
    // thread could have set the timer again with another APC. This would
    // have caused the timer to be removed from the current thread's active
    // timer list.
    //
    // N. B. The spin locks for the timer and the active timer list must be
    //  acquired in the order: 1) timer lock, 2) thread list lock.
    //

    DerefCount = 1;
    ExAcquireSpinLock(&ExTimer->Lock, &OldIrql1);
    ExAcquireSpinLockAtDpcLevel(&ExThread->ActiveTimerListLock);
    if ((ExTimer->ApcAssociated) && (&ExThread->Tcb == ExTimer->TimerApc.Thread)) {
        if (ExTimer->Period == 0) {
            RemoveEntryList(&ExTimer->ActiveTimerListEntry);
            ExTimer->ApcAssociated = FALSE;
            DerefCount++;
        }

    } else {
        *NormalRoutine = (PKNORMAL_ROUTINE)NULL;
    }

    ExReleaseSpinLockFromDpcLevel(&ExThread->ActiveTimerListLock);
    ExReleaseSpinLock(&ExTimer->Lock, OldIrql1);

    ObDereferenceObjectEx(ExTimer, DerefCount);

    return;
}

1: kd> dv
            Apc = 0x893b13b0
  NormalRoutine = 0xba30ed48
  NormalContext = 0xba30ed3c
SystemArgument1 = 0xba30ed40
SystemArgument2 = 0xba30ed44
       OldIrql1 = 0x89 ''
     DerefCount = 0x3d

1: kd> dt kapc 893b13b0
CSRSRV!KAPC
   +0x000 Type             : 0n18
   +0x002 Size             : 0n48
   +0x004 Spare0           : 0x220
   +0x008 Thread           : 0x896d9da0 _KTHREAD
   +0x00c ApcListEntry     : _LIST_ENTRY [ 0x896d9ddc - 0x896d9ddc ]
   +0x014 KernelRoutine    : 0x80af2e9a     void  nt!ExpTimerApcRoutine+0
   +0x018 RundownRoutine   : (null)
   +0x01c NormalRoutine    : 0x7340a79a     void  +7340a79a
   +0x020 NormalContext    : (null)
   +0x024 SystemArgument1  : 0x3218d5d4 Void
   +0x028 SystemArgument2  : 0x01db94bc Void
   +0x02c ApcStateIndex    : 0 ''
   +0x02d ApcMode          : 1 ''
   +0x02e Inserted         : 0x1 ''

    ExTimer = CONTAINING_RECORD(Apc, ETIMER, TimerApc);

//
// Executive timer object structure definition.
//

typedef struct _ETIMER {
    KTIMER KeTimer;
    KAPC TimerApc;
    KDPC TimerDpc;
    LIST_ENTRY ActiveTimerListEntry;
    KSPIN_LOCK Lock;
    LONG Period;
    BOOLEAN ApcAssociated;
    BOOLEAN WakeTimer;
    LIST_ENTRY WakeTimerListEntry;
} ETIMER, *PETIMER;

1: kd> dt _etimer 893b13b0-28
nt!_ETIMER
   +0x000 KeTimer          : _KTIMER
   +0x028 TimerApc         : _KAPC
   +0x058 TimerDpc         : _KDPC
   +0x078 ActiveTimerListEntry : _LIST_ENTRY [ 0x896d9f8c - 0x896d9f8c ]
   +0x080 Lock             : 0
   +0x084 Period           : 0n0
   +0x088 ApcAssociated    : 0x1 ''
   +0x089 WakeTimer        : 0 ''
   +0x08c WakeTimerListEntry : _LIST_ENTRY [ 0x0 - 0x5000000 ]
1: kd> dx -id 0,0,89601250 -r1 (*((ntkrnlmp!_KAPC *)0x893b13b0))
(*((ntkrnlmp!_KAPC *)0x893b13b0))                 [Type: _KAPC]
    [+0x000] Type             : 18 [Type: short]
    [+0x002] Size             : 48 [Type: short]
    [+0x004] Spare0           : 0x220 [Type: unsigned long]
    [+0x008] Thread           : 0x896d9da0 [Type: _KTHREAD *]
    [+0x00c] ApcListEntry     [Type: _LIST_ENTRY]
    [+0x014] KernelRoutine    : 0x80af2e9a [Type: void (*)(_KAPC *,void (**)(void *,void *,void *),void * *,void * *,void * *)]
    [+0x018] RundownRoutine   : 0x0 [Type: void (*)(_KAPC *)]
    [+0x01c] NormalRoutine    : 0x7340a79a [Type: void (*)(void *,void *,void *)]
    [+0x020] NormalContext    : 0x0 [Type: void *]
    [+0x024] SystemArgument1  : 0x3218d5d4 [Type: void *]
    [+0x028] SystemArgument2  : 0x1db94bc [Type: void *]
    [+0x02c] ApcStateIndex    : 0 [Type: char]
    [+0x02d] ApcMode          : 1 [Type: char]
    [+0x02e] Inserted         : 0x0 [Type: unsigned char]
1: kd> dx -id 0,0,89601250 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x893b1400))
(*((ntkrnlmp!_LIST_ENTRY *)0x893b1400))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x896d9f8c [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x896d9f8c [Type: _LIST_ENTRY *]

0x896d9f8c-0x896d9da0=0x1ec

第二部分：    ExAcquireSpinLockAtDpcLevel(&ExThread->ActiveTimerListLock);之后

ExAcquireSpinLockAtDpcLevel(&ExThread->ActiveTimerListLock);之前
1: kd> dt eTHREAD 896d9da0
ntdll!ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x1c8 CreateTime       : _LARGE_INTEGER 0x0edca5e1`45f8e6e0
   +0x1c8 NestedFaultCount : 0y00
   +0x1c8 ApcNeeded        : 0y0
   +0x1d0 ExitTime         : _LARGE_INTEGER 0x896d9f70`896d9f70
   +0x1d0 LpcReplyChain    : _LIST_ENTRY [ 0x896d9f70 - 0x896d9f70 ]
   +0x1d0 KeyedWaitChain   : _LIST_ENTRY [ 0x896d9f70 - 0x896d9f70 ]
   +0x1d8 ExitStatus       : 0n0
   +0x1d8 OfsChain         : (null)
   +0x1dc PostBlockList    : _LIST_ENTRY [ 0x896d9f7c - 0x896d9f7c ]
   +0x1e4 TerminationPort  : 0xe15ae778 _TERMINATION_PORT
   +0x1e4 ReaperLink       : 0xe15ae778 _ETHREAD
   +0x1e4 KeyedWaitValue   : 0xe15ae778 Void
   +0x1e8 ActiveTimerListLock : 0
   +0x1ec ActiveTimerListHead : _LIST_ENTRY [ 0x893b1400 - 0x893b1400 ]

ExAcquireSpinLockAtDpcLevel(&ExThread->ActiveTimerListLock);之后

1: kd> dt eTHREAD 896d9da0
ntdll!ETHREAD
   +0x000 Tcb              : _KTHREAD
 
   +0x1e8 ActiveTimerListLock : 0x896d9da1

第三部分：RemoveEntryList(&ExTimer->ActiveTimerListEntry);之后

RemoveEntryList(&ExTimer->ActiveTimerListEntry);之前

1: kd> dt eTHREAD 896d9da0
ntdll!ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x1c8 CreateTime       : _LARGE_INTEGER 0x0edca5e1`45f8e6e0
   +0x1c8 NestedFaultCount : 0y00
   +0x1c8 ApcNeeded        : 0y0
   +0x1d0 ExitTime         : _LARGE_INTEGER 0x896d9f70`896d9f70
   +0x1d0 LpcReplyChain    : _LIST_ENTRY [ 0x896d9f70 - 0x896d9f70 ]
   +0x1d0 KeyedWaitChain   : _LIST_ENTRY [ 0x896d9f70 - 0x896d9f70 ]
   +0x1d8 ExitStatus       : 0n0
   +0x1d8 OfsChain         : (null)
   +0x1dc PostBlockList    : _LIST_ENTRY [ 0x896d9f7c - 0x896d9f7c ]
   +0x1e4 TerminationPort  : 0xe15ae778 _TERMINATION_PORT
   +0x1e4 ReaperLink       : 0xe15ae778 _ETHREAD
   +0x1e4 KeyedWaitValue   : 0xe15ae778 Void
   +0x1e8 ActiveTimerListLock : 0
   +0x1ec ActiveTimerListHead : _LIST_ENTRY [ 0x893b1400 - 0x893b1400 ]

1: kd> dx -id 0,0,89601250 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x893b1400))
(*((ntkrnlmp!_LIST_ENTRY *)0x893b1400))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x896d9f8c [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x896d9f8c [Type: _LIST_ENTRY *]

RemoveEntryList(&ExTimer->ActiveTimerListEntry);之后

1: kd> dt eTHREAD 896d9da0
ntdll!ETHREAD
   +0x000 Tcb              : _KTHREAD

   +0x1e8 ActiveTimerListLock : 0x896d9da1
   +0x1ec ActiveTimerListHead : _LIST_ENTRY [ 0x896d9f8c - 0x896d9f8c ]

1: kd> dx -id 0,0,89601250 -r1 (*((ntdll!_LIST_ENTRY *)0x896d9f8c))
(*((ntdll!_LIST_ENTRY *)0x896d9f8c))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x896d9f8c [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x896d9f8c [Type: _LIST_ENTRY *]

第四部分：    ExReleaseSpinLockFromDpcLevel(&ExThread->ActiveTimerListLock);之后
1: kd> dt eTHREAD 896d9da0
ntdll!ETHREAD
   +0x000 Tcb              : _KTHREAD

   +0x1e8 ActiveTimerListLock : 0

第五部分：      ExReleaseSpinLock(&ExTimer->Lock, OldIrql1);之后
1: kd> dt _etimer 893b13b0-28
nt!_ETIMER
   +0x000 KeTimer          : _KTIMER
   +0x028 TimerApc         : _KAPC
   +0x058 TimerDpc         : _KDPC
   +0x078 ActiveTimerListEntry : _LIST_ENTRY [ 0x896d9f8c - 0x896d9f8c ]
   +0x080 Lock             : 0x896d9da1
   +0x084 Period           : 0n0
   +0x088 ApcAssociated    : 0 ''
   +0x089 WakeTimer        : 0 ''
   +0x08c WakeTimerListEntry : _LIST_ENTRY [ 0x0 - 0x5000000 ]

    ExReleaseSpinLock(&ExTimer->Lock, OldIrql1);之后

1: kd> dt _etimer 893b13b0-28
nt!_ETIMER
   +0x000 KeTimer          : _KTIMER
   +0x028 TimerApc         : _KAPC
   +0x058 TimerDpc         : _KDPC
   +0x078 ActiveTimerListEntry : _LIST_ENTRY [ 0x896d9f8c - 0x896d9f8c ]
   +0x080 Lock             : 0
   +0x084 Period           : 0n0
   +0x088 ApcAssociated    : 0 ''
   +0x089 WakeTimer        : 0 ''
   +0x08c WakeTimerListEntry : _LIST_ENTRY [ 0x0 - 0x5000000 ]