How to get services _EPROCESS in the dump from W2K3?

Postby Guest » Fri Aug 25, 2006 7:21 pm

Hi!

Do you know any method except manually walking through svchost.exe processes?

Thanks
Guest
 

Postby Guest » Fri Aug 25, 2006 7:24 pm

The following script will do. Save it as a text file and call it using the command: $$><script.txt

Code:
$$ WinDbg script to get process command line for all processes in complete memory dump
$$ $t0 = head of the kernel's active process list
r $t0 = nt!PsActiveProcessHead
$$ Walk the doubly linked list until it wraps back to the head
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
    $$ Recover the _EPROCESS that embeds this ActiveProcessLinks entry
    r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);

    $$ Switch process context so the user-mode PEB can be read
    .process @$t2

    .if (@$peb != 0)
    {
       $$ .catch: a paged-out PEB must not abort the whole loop
       .catch
       {
          r $t3 = @@c++(@$peb->ProcessParameters)
          r? $t4 = @@c++(&((_RTL_USER_PROCESS_PARAMETERS *)@$t3)->CommandLine)
          .printf "_EPROCESS: %N Command Line: %msu\n", @$t2, @$t4
       }
    }
}
Guest
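The question was specifically about service host processes. As an added example (not from either post above), the same list walk can be narrowed to svchost.exe by aliasing the ASCII nt!_EPROCESS.ImageFileName and comparing it with $sicmp; the command line then shows the "-k" service group each instance hosts. It assumes a complete memory dump with kernel symbols, and the alias name ImageName is arbitrary.

```windbg
$$ Added example: list only svchost.exe processes with PID and command line.
$$ Save as svchost.txt and run with: $$><svchost.txt
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
    r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
    $$ Alias the null-terminated ASCII image name so it can be string-compared
    as /ma ${/v:ImageName} @@c++(&@$t2->ImageFileName[0])
    $$ .block forces the alias to be re-expanded on every iteration
    .block
    {
        .if ($sicmp("${ImageName}", "svchost.exe") == 0)
        {
            $$ UniqueProcessId is the PID stored as a HANDLE value
            r $t5 = @@c++(@$t2->UniqueProcessId)
            .process @$t2
            .if (@$peb != 0)
            {
                $$ .catch keeps the loop going if the PEB is paged out
                .catch
                {
                    r $t3 = @@c++(@$peb->ProcessParameters)
                    r? $t4 = @@c++(&((_RTL_USER_PROCESS_PARAMETERS *)@$t3)->CommandLine)
                    .printf "_EPROCESS: %N PID: %d Command Line: %msu\n", @$t2, @$t5, @$t4
                }
            }
        }
    }
    $$ Drop the alias before the next process is examined
    ad /q ${/v:ImageName}
}
```

An svchost.exe whose command line carries an unexpected or missing "-k" group is worth a closer look in the dump, since legitimate hosts on W2K3 are launched by services.exe with a known group name.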
 