Yet another WinDbg script
I got a dump with 30 IE processes running and I want to find the only one waiting for a specific function. I know there is one. The following script lists all processes and their stacks (of course, I already opened a log in WinDbg to save that huge amount of output):
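$$
$$ List user processes and stacks
$$
$$ $t0 = list head, $t1 = current LIST_ENTRY, $t2 = owning _EPROCESS
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
    r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
    $$ Switch to the process context and reload symbols before dumping it
    .process @$t2
    .reload
    !process @$t2
}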
- Dmitry Vostokov -
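An added example, not part of the original post: once the script's output is in the WinDbg log, a short Python pass can pick out the processes whose thread stacks contain a given function. It assumes the usual !process text layout (PROCESS, Image: and THREAD lines followed by stack frames containing module!function); the sample log and the names find_waiters and SAMPLE_LOG are constructed for illustration.

```python
import re

# Constructed sample in the layout of kernel-mode `!process` output (not from a real dump).
SAMPLE_LOG = """\
PROCESS 89d5c020  SessionId: 0  Cid: 0a4c    Peb: 7ffdf000  ParentCid: 0588
    Image: iexplore.exe
        THREAD 89c3a020  Cid 0a4c.0b10  Teb: 7ffde000 Win32Thread: e1c2d3e0 WAIT: (UserRequest) UserMode Non-Alertable
        ChildEBP RetAddr
        f5d2bc7c 804e1bd2 nt!KiSwapContext+0x2f
        f5d2bc88 804e1c1e nt!KiSwapThread+0x8a
        0012f8d4 7c802542 kernel32!WaitForSingleObjectEx+0xa8
PROCESS 89a11da0  SessionId: 0  Cid: 0c18    Peb: 7ffd9000  ParentCid: 0588
    Image: iexplore.exe
        THREAD 89b7e8b8  Cid 0c18.0c1c  Teb: 7ffdd000 Win32Thread: e1d4f2a8 WAIT: (WrUserRequest) UserMode Non-Alertable
        ChildEBP RetAddr
        f6a13c7c 804e1bd2 nt!KiSwapContext+0x2f
        0013fb10 7e4191be USER32!NtUserGetMessage+0xc
        0013fb3c 0040259c USER32!GetMessageW+0x6c
"""

# Backtick in the address class covers 64-bit addresses such as fffffa80`01234567.
PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f`]+)\s.*?\bCid:\s*([0-9a-f]+)", re.I)
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")
THREAD_RE = re.compile(r"^\s*THREAD\s+([0-9a-f`]+)\s+Cid\s+[0-9a-f]+\.[0-9a-f]+", re.I)
FRAME_RE = re.compile(r"[\w.]+![\w:<>~@?$]+")  # module!symbol, offset excluded


def find_waiters(log_text, function):
    """Return (process, pid, image, thread, frame) for each thread whose stack has `function`.

    `function` may be a bare symbol or module!symbol; matching is case-insensitive.
    """
    wanted = function.lower()
    hits, proc, thread = [], None, None
    for line in log_text.splitlines():
        if m := PROCESS_RE.match(line):
            proc, thread = {"addr": m[1], "pid": int(m[2], 16), "image": "?"}, None
        elif proc and (m := IMAGE_RE.match(line)):
            proc["image"] = m[1]
        elif proc and (m := THREAD_RE.match(line)):
            thread = m[1]
        elif thread and (m := FRAME_RE.search(line)):
            frame = m[0]
            if wanted in (frame.lower(), frame.lower().split("!", 1)[1]):
                hits.append((proc["addr"], proc["pid"], proc["image"], thread, frame))
                thread = None  # one hit per thread is enough
    return hits
```

To use it on a real log, read the file written by .logopen and pass its text in place of SAMPLE_LOG.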
May 15th, 2007 at 12:58 pm
In dumps coming from XP/W2K3 and higher systems you can get all of this plus PEB and module information for all processes by using
!process 0 ff
The command and flags set the process context for every process and reload user symbols accordingly.
May 22nd, 2007 at 9:32 am
Today I have found that !process 0 ff is less accurate in depicting user space stack traces in some complete memory dumps than the old combination of .reload/!process. To speed up reloading symbols I would recommend .reload /user
March 28th, 2008 at 3:50 pm
Another alternative would be to use the following command instead of the script:
!for_each_process ".process /r /p @#Process; !process @#Process"