
Looking for strings in a dump

Posted: Sat Oct 14, 2006 4:31 pm
by VDO
Recently I discovered the wonderful WinDbg commands dpu (UNICODE strings) and dpa (ASCII strings). Look at the WinDbg help for other d** equivalents like dpp.

I needed to examine raw stack data and check if any pointers on the stack were pointing to strings. For example:

0:143> !teb
TEB at 7ff2b000
...
    StackBase:            05e90000
    StackLimit:           05e89000
...
...
...
0:143> dpu 05e89000 05e90000
05e8f58c  00120010 ""
...
...
...
05e8f590  77e7723c "Debugger"
05e8f594  00000000
05e8f598  08dc0154
05e8f59c  01000040
05e8f5a0  05e8f5dc "G:\WINDOWS\system32\faultrep.dll"
05e8f5a4  0633adf0 ""
05e8f5a8  00000000
05e8f5ac  00000001
05e8f5b0  00000012
05e8f5b4  7c8723e0
05e8f5b8  ffffffff
05e8f5bc  00000004
05e8f5c0  69500000
05e8f5c4  00000000
05e8f5c8  00000aac
05e8f5cc  00000002
05e8f5d0  05e8f740
05e8f5d4  0633adfc "drwtsn32 -p %ld -e %ld -g"
05e8f5d8  00000000
...
...
...


Of course, you can apply these commands to any memory range, not only the stack.
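
Added example, not part of the original post and not WinDbg's own code: the Python below applies the same idea as dpu/dpa to raw dump bytes outside the debugger, walking a range pointer by pointer and reporting slots whose value points at a NUL-terminated string. The region layout, addresses, function names and the printable-ASCII, minimum-length filter are assumptions of this example.

```python
import struct

def _locate(regions, addr):
    """Return (data, offset) for the region containing addr, else None."""
    for base, data in regions.items():
        if base <= addr < base + len(data):
            return data, addr - base
    return None

def read_string(regions, addr, wide, min_len=4, max_len=260):
    """Decode a NUL-terminated printable string at addr (UTF-16LE if wide)."""
    hit = _locate(regions, addr)
    if hit is None:
        return None                      # pointer target is not in the dump
    data, off = hit
    step = 2 if wide else 1
    chars = []
    while off + step <= len(data) and len(chars) < max_len:
        code = int.from_bytes(data[off:off + step], "little")
        if code == 0:
            break
        if not 0x20 <= code < 0x7F:
            return None                  # non-printable: treat as not a string
        chars.append(chr(code))
        off += step
    return "".join(chars) if len(chars) >= min_len else None

def scan(regions, start, end, ptr_size=4):
    """Walk [start, end) pointer by pointer; return (slot, value, kind, text) hits."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    hits = []
    for slot in range(start, end - ptr_size + 1, ptr_size):
        hit = _locate(regions, slot)
        if hit is None or hit[1] + ptr_size > len(hit[0]):
            continue
        (value,) = struct.unpack_from(fmt, hit[0], hit[1])
        for kind, wide in (("unicode", True), ("ascii", False)):
            text = read_string(regions, value, wide)
            if text:
                hits.append((slot, value, kind, text))
                break
    return hits

# Constructed sample: a 16-byte "stack" and a separate region holding two strings.
STRINGS = "Debugger".encode("utf-16-le") + b"\0\0" + b"drwtsn32 -p %ld\0"
REGIONS = {
    0x1000: struct.pack("<4I", 0x2000, 0, 0x2012, 0xFFFFFFFF),
    0x2000: STRINGS,
}
```

Calling scan(REGIONS, 0x1000, 0x1010) returns one UNICODE hit and one ASCII hit; the null and 0xFFFFFFFF slots are skipped because they do not point into any region.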

Re: Looking for strings in a dump

Posted: Fri Jan 08, 2010 11:34 pm
by J_R
I use that a lot to dump strings from thread stacks. It's kind of long, though, and slow with its output. You can also use the search command 's' if you know what you're looking for; the output is short, but searching can take time. One more method is the Sysinternals tool called strings.exe. It can find strings based on some parameters in a dump, exe, or other file really, really fast.

Re: Looking for strings in a dump

Posted: Tue Mar 16, 2010 11:14 am
by VDO
Agree, it makes sense to use the s command. I'm now thinking about creating a common search file to use in scripts.
Thanks,
Dmitry