Yet another WinDbg script
2009 (0x7D9) - The Year of Debugging
I got a dump with 30 IE processes running and I want to find the only one waiting for a specific function. I know there is one. The following script lists all processes and their stacks (of course, I already opened a log in WinDbg to save that huge amount of output):
$$
$$ List user processes and stacks
$$
$$ Walk the kernel's doubly linked list of active processes, starting at
$$ the list head; stop on a NULL link or when the walk returns to the head.
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
    $$ Recover the EPROCESS that embeds this ActiveProcessLinks entry
    r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
    $$ Switch the debugger to that process context and reload its user-mode symbols
    .process @$t2
    .reload
    $$ Dump the process, its threads and their stacks
    !process @$t2
}
- Dmitry Vostokov -
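The post's goal is to find, among dozens of processes in the log the script produces, the one whose thread is parked in a particular function. The following Python script is an added example (not from the original post) that scans a saved WinDbg log of !process output and reports every process and thread whose stack contains the named function. The log embedded in it is constructed to look like simplified !process output (PROCESS / Image: / THREAD / frame lines); real spacing, field names and address widths vary by Windows version and bitness, so the regular expressions are assumptions to adjust against your own log.

```python
"""Find which process in a saved WinDbg '!process' log waits in a given function.

Added example, not part of the original post. The log format (PROCESS line with
Cid, 'Image:' line, THREAD line with Cid pid.tid, 'ChildEBP RetAddr' frames) is a
simplified reconstruction; the regexes below are assumptions for real output.
"""
import re
from typing import List, Tuple

# Constructed sample log: three iexplore.exe processes, and only the second
# one (Cid 0b4c, thread 0b50) has a thread inside kernel32!WaitForSingleObjectEx.
SAMPLE_LOG = """\
PROCESS 8a2e5da0  SessionId: 0  Cid: 0a10    Peb: 7ffde000  ParentCid: 05d0
    Image: iexplore.exe
        THREAD 8a2b6020  Cid 0a10.0a14  Teb: 7ffdd000 WAIT: (WrUserRequest) UserMode Non-Alertable
        ChildEBP RetAddr
        0013f2a4 7c90e9c0 ntdll!KiFastSystemCallRet
        0013f2a8 7c8025cb ntdll!ZwWaitForMultipleObjects+0xc
        0013f30c 77d4a3b8 kernel32!WaitForMultipleObjectsEx+0x12c

PROCESS 8a2f1020  SessionId: 0  Cid: 0b4c    Peb: 7ffde000  ParentCid: 05d0
    Image: iexplore.exe
        THREAD 8a2c0da8  Cid 0b4c.0b50  Teb: 7ffdd000 WAIT: (UserRequest) UserMode Non-Alertable
        ChildEBP RetAddr
        0013f2a4 7c90e9c0 ntdll!KiFastSystemCallRet
        0013f2a8 7c8025cb ntdll!ZwWaitForSingleObject+0xc
        0013f30c 77e6bbd5 kernel32!WaitForSingleObjectEx+0xa8
        0013f320 00401a3c kernel32!WaitForSingleObject+0x12
        THREAD 8a2c1020  Cid 0b4c.0b60  Teb: 7ffdc000 WAIT: (WrUserRequest) UserMode Non-Alertable
        ChildEBP RetAddr
        0088fd44 7c90e9c0 ntdll!KiFastSystemCallRet
        0088fd48 7c8025cb ntdll!ZwWaitForMultipleObjects+0xc

PROCESS 8a2fe6c8  SessionId: 0  Cid: 0c20    Peb: 7ffde000  ParentCid: 05d0
    Image: iexplore.exe
        THREAD 8a2d4a10  Cid 0c20.0c24  Teb: 7ffdd000 WAIT: (WrUserRequest) UserMode Non-Alertable
        ChildEBP RetAddr
        0013f2a4 7c90e9c0 ntdll!KiFastSystemCallRet
        0013f2a8 7c8025cb ntdll!ZwWaitForMultipleObjects+0xc
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F]+)\s+.*?\bCid:\s*([0-9a-fA-F]+)")
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")
THREAD_RE = re.compile(r"^\s*THREAD\s+([0-9a-fA-F]+)\s+Cid\s+([0-9a-fA-F]+)\.([0-9a-fA-F]+)")
# Frame line: "<ChildEBP> <RetAddr> <module!symbol+offset>"; 8 hex digits on
# x86, 16 with an optional backtick separator on x64.
FRAME_RE = re.compile(r"^\s*[0-9a-fA-F`]{8,17}\s+[0-9a-fA-F`]{8,17}\s+(\S+)")


def parse_process_stacks(log: str) -> List[dict]:
    """Group the log into processes, each with its threads and their stack symbols."""
    processes: List[dict] = []
    cur_proc = None
    cur_thread = None
    for line in log.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            cur_proc = {"eprocess": m.group(1), "pid": m.group(2), "image": "?", "threads": []}
            processes.append(cur_proc)
            cur_thread = None
            continue
        if cur_proc is None:
            continue  # header noise before the first PROCESS block
        m = IMAGE_RE.match(line)
        if m:
            cur_proc["image"] = m.group(1)
            continue
        m = THREAD_RE.match(line)
        if m:
            cur_thread = {"ethread": m.group(1), "tid": m.group(3), "frames": []}
            cur_proc["threads"].append(cur_thread)
            continue
        m = FRAME_RE.match(line)
        if m and cur_thread is not None:
            cur_thread["frames"].append(m.group(1))
    return processes


def find_waiters(log: str, function: str) -> List[Tuple[str, str, str]]:
    """Return (pid, image, tid) for every thread whose stack contains `function`.

    `function` may be given as module!Symbol or as the bare symbol name; the
    +offset suffix on a frame is ignored when comparing.
    """
    hits = []
    for proc in parse_process_stacks(log):
        for thr in proc["threads"]:
            for frame in thr["frames"]:
                sym = frame.split("+")[0]
                if sym == function or sym.split("!")[-1] == function:
                    hits.append((proc["pid"], proc["image"], thr["tid"]))
                    break  # one hit per thread is enough
    return hits


if __name__ == "__main__":
    for pid, image, tid in find_waiters(SAMPLE_LOG, "kernel32!WaitForSingleObjectEx"):
        print(f"pid {pid} ({image}) thread {tid} is waiting in WaitForSingleObjectEx")
```

Point it at the .logopen file produced while running the script above and replace the function name with the one you are hunting; because a match is reported per thread, a process that waits in the same function on several threads is listed once per thread.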
May 15th, 2007 at 12:58 pm
In dumps coming from XP/W2K3 and higher systems you can get all of this plus PEB and module information for all processes by using
!process 0 ff
The command and flags set the process context for every process and reload user symbols accordingly.
May 22nd, 2007 at 9:32 am
Today I have found that !process 0 ff is less accurate in depicting user space stack traces in some complete memory dumps than the old combination of .reload/!process. To speed up reloading symbols I would recommend .reload /user.
March 28th, 2008 at 3:50 pm
Another alternative would be to use the following command instead of the script:
!for_each_process ".process /r /p @#Process; !process @#Process"