Exported NTDLL and kernel structures

Sometimes during crash dump analysis or a debugging session I forget the exact name of a structure that I want to use in the WinDbg dt command. In this case wildcards help me: dt module!*, for example,

0:000> dt ntdll!*
          ntdll!LIST_ENTRY64
          ntdll!LIST_ENTRY32
          ntdll!_ULARGE_INTEGER
          ntdll!_LIST_ENTRY
          ntdll!_IMAGE_NT_HEADERS
          ntdll!_IMAGE_FILE_HEADER
          ntdll!_IMAGE_OPTIONAL_HEADER
          ntdll!_IMAGE_NT_HEADERS
          ntdll!_LARGE_INTEGER
          ntdll!_LUID
          ntdll!_KPRCB
          ntdll!_KTHREAD
          ntdll!_KPROCESSOR_STATE
          ntdll!_KSPIN_LOCK_QUEUE
          ntdll!_KNODE
          ntdll!_PP_LOOKASIDE_LIST
          ntdll!_KPRCB
          ntdll!_KDPC_DATA
          ntdll!_KEVENT
          ntdll!_KDPC
          ntdll!_SINGLE_LIST_ENTRY
          ntdll!_FX_SAVE_AREA
          ntdll!_PROCESSOR_POWER_STATE
          ntdll!_KPRCB
          ntdll!_KPCR
          ntdll!_NT_TIB
          ntdll!_EXCEPTION_REGISTRATION_RECORD
          ntdll!_KIDTENTRY
          ntdll!_KGDTENTRY
          ntdll!_KTSS
          ntdll!_KPCR
          ntdll!_KAPC
          ntdll!_SINGLE_LIST_ENTRY
          ntdll!_KDPC_IMPORTANCE
          ntdll!_KDPC
          ntdll!_DISPATCHER_HEADER
          ntdll!_KAPC_STATE
          ntdll!_KWAIT_BLOCK
          ntdll!_KGATE
          ntdll!_KQUEUE
          ntdll!_KTIMER
          ntdll!_KTRAP_FRAME
          ntdll!_KPROCESS
          ntdll!_KSEMAPHORE
          ntdll!_KTHREAD
          ntdll!_KSPIN_LOCK_QUEUE_NUMBER
          ntdll!_FAST_MUTEX
          ntdll!_SLIST_HEADER
          ntdll!_NPAGED_LOOKASIDE_LIST
          ntdll!_GENERAL_LOOKASIDE
          ntdll!_NPAGED_LOOKASIDE_LIST
          ntdll!_PAGED_LOOKASIDE_LIST
          ntdll!_PP_NPAGED_LOOKASIDE_NUMBER
          ntdll!_POOL_TYPE
          ntdll!_GENERAL_LOOKASIDE
          ntdll!_EX_RUNDOWN_REF
          ntdll!_EX_FAST_REF
          ntdll!_EX_PUSH_LOCK
          ntdll!_EX_PUSH_LOCK_WAIT_BLOCK
          ntdll!_EX_PUSH_LOCK_CACHE_AWARE
          ntdll!_ETHREAD
          ntdll!_TERMINATION_PORT
          ntdll!_CLIENT_ID
          ntdll!_PS_IMPERSONATION_INFORMATION
          ntdll!_DEVICE_OBJECT
          ntdll!_EPROCESS
          ntdll!_ETHREAD
          ntdll!_HANDLE_TABLE
          ntdll!_KGUARDED_MUTEX
          ntdll!_MM_AVL_TABLE
          ntdll!_EJOB
          ntdll!_EPROCESS_QUOTA_BLOCK
          ntdll!_PAGEFAULT_HISTORY
          ntdll!_HARDWARE_PTE_X86
          ntdll!_PEB
          ntdll!_SE_AUDIT_PROCESS_CREATION_INFO
          ntdll!_MMSUPPORT
          ntdll!_EPROCESS
          ntdll!_OBJECT_HEADER
          ntdll!_OBJECT_TYPE
          ntdll!_OBJECT_CREATE_INFORMATION
          ntdll!_QUAD
          ntdll!_OBJECT_HEADER
          ntdll!_OBJECT_HEADER_QUOTA_INFO
          ntdll!_OBJECT_HEADER_HANDLE_INFO
          ntdll!_OBJECT_HANDLE_COUNT_DATABASE
          ntdll!_OBJECT_HANDLE_COUNT_ENTRY
          ntdll!_OBJECT_HEADER_HANDLE_INFO
          ntdll!_OBJECT_HEADER_NAME_INFO
          ntdll!_OBJECT_DIRECTORY
          ntdll!_UNICODE_STRING
          ntdll!_OBJECT_HEADER_NAME_INFO
          ntdll!_OBJECT_HEADER_CREATOR_INFO
          ntdll!_OBJECT_ATTRIBUTES
          ntdll!_ERESOURCE
          ntdll!_OBJECT_TYPE_INITIALIZER
          ntdll!_OBJECT_TYPE
          ntdll!_OBJECT_HANDLE_INFORMATION
          ntdll!_PERFINFO_GROUPMASK
          ntdll!_KGUARDED_MUTEX
          ntdll!_DISPATCHER_HEADER
          ntdll!_PF_SCENARIO_TYPE
          ntdll!_HANDLE_TRACE_DEBUG_INFO
          ntdll!_HANDLE_TABLE
          ntdll!_KWAIT_BLOCK
          ntdll!_MMSUPPORT_FLAGS
          ntdll!_MMWSL
          ntdll!_MMSUPPORT
          ntdll!_EPROCESS_QUOTA_ENTRY
          ntdll!_EPROCESS_QUOTA_BLOCK
          ntdll!_UNICODE_STRING
          ntdll!_NT_TIB
          ntdll!_PS_JOB_TOKEN_FILTER
          ntdll!_IO_COUNTERS
          ntdll!_EJOB
          ntdll!_PEB_LDR_DATA
          ntdll!_RTL_USER_PROCESS_PARAMETERS
          ntdll!_RTL_CRITICAL_SECTION
          ntdll!_PEB_FREE_BLOCK
          ntdll!_ACTIVATION_CONTEXT_DATA
          ntdll!_ASSEMBLY_STORAGE_MAP
          ntdll!_PEB
          ntdll!_KGATE
          ntdll!_IMAGE_FILE_HEADER
          ntdll!_RTL_STACK_TRACE_ENTRY
          ntdll!_PEB_FREE_BLOCK
          ntdll!_KSPIN_LOCK_QUEUE
          ntdll!_PP_LOOKASIDE_LIST
          ntdll!_KEXECUTE_OPTIONS
          ntdll!_KPROCESS
          ntdll!_PEB_LDR_DATA
          ntdll!_DPH_BLOCK_INFORMATION
          ntdll!_SECURITY_IMPERSONATION_LEVEL
          ntdll!_PS_IMPERSONATION_INFORMATION
          ntdll!_EPROCESS_QUOTA_ENTRY
          ntdll!_FNSAVE_FORMAT
          ntdll!_FX_SAVE_AREA
          ntdll!PROCESSOR_IDLE_TIMES
          ntdll!PROCESSOR_PERF_STATE
          ntdll!_PROCESSOR_POWER_STATE
          ntdll!_IO_COUNTERS
          ntdll!_KiIoAccessMap
          ntdll!_KTSS
          ntdll!_KIDTENTRY
          ntdll!_MMSUPPORT_FLAGS
          ntdll!_HEAP
          ntdll!_HEAP_ENTRY
          ntdll!_HEAP_TAG_ENTRY
          ntdll!_HEAP_UCR_SEGMENT
          ntdll!_HEAP_UNCOMMMTTED_RANGE
          ntdll!_HEAP_SEGMENT
          ntdll!_HEAP_PSEUDO_TAG_ENTRY
          ntdll!_HEAP_LOCK
          ntdll!_HEAP
          ntdll!_TERMINATION_PORT
          ntdll!LSA_FOREST_TRUST_RECORD_TYPE
          ntdll!_HEAP_UNCOMMMTTED_RANGE
          ntdll!_OBJECT_HANDLE_COUNT_DATABASE
          ntdll!_FNSAVE_FORMAT
          ntdll!PROCESSOR_PERF_STATE
          ntdll!PROCESSOR_IDLE_TIMES
          ntdll!_HANDLE_TRACE_DB_ENTRY
          ntdll!_HANDLE_TRACE_DEBUG_INFO
          ntdll!_PROCESS_WS_WATCH_INFORMATION
          ntdll!_PAGEFAULT_HISTORY
          ntdll!_SECURITY_QUALITY_OF_SERVICE
          ntdll!_OBJECT_CREATE_INFORMATION
          ntdll!_MMADDRESS_NODE
          ntdll!_MM_AVL_TABLE
          ntdll!_HARDWARE_PTE_X86
          ntdll!_HEAP_ENTRY
          ntdll!_GENERIC_MAPPING
          ntdll!_OBJECT_DUMP_CONTROL
          ntdll!_OB_OPEN_REASON
          ntdll!_ACCESS_STATE
          ntdll!_SECURITY_OPERATION_CODE
          ntdll!_OBJECT_NAME_INFORMATION
          ntdll!_OBJECT_TYPE_INITIALIZER
          ntdll!_LARGE_INTEGER
          ntdll!_RTL_TRACE_BLOCK
          ntdll!_HEAP_UCR_SEGMENT
          ntdll!_KEXECUTE_OPTIONS
          ntdll!_OWNER_ENTRY
          ntdll!_ERESOURCE
          ntdll!_GENERIC_MAPPING
          ntdll!_SID_AND_ATTRIBUTES
          ntdll!_LUID_AND_ATTRIBUTES
          ntdll!_PS_JOB_TOKEN_FILTER
          ntdll!_MEMORY_CACHING_TYPE_ORIG
          ntdll!_KiIoAccessMap
          ntdll!_EXCEPTION_DISPOSITION
          ntdll!_EXCEPTION_RECORD
          ntdll!_CONTEXT
          ntdll!_EXCEPTION_REGISTRATION_RECORD
          ntdll!_DRIVER_OBJECT
          ntdll!_IRP
          ntdll!_IO_TIMER
          ntdll!_VPB
          ntdll!_WAIT_CONTEXT_BLOCK
          ntdll!_KDEVICE_QUEUE
          ntdll!_DEVOBJ_EXTENSION
          ntdll!_DEVICE_OBJECT
          ntdll!_PROCESS_WS_WATCH_INFORMATION
          ntdll!_SECURITY_QUALITY_OF_SERVICE
          ntdll!_FLOATING_SAVE_AREA
          ntdll!_CONTEXT
          ntdll!_IMAGE_DATA_DIRECTORY
          ntdll!_IMAGE_OPTIONAL_HEADER
          ntdll!_KUSER_SHARED_DATA
          ntdll!_KSYSTEM_TIME
          ntdll!_NT_PRODUCT_TYPE
          ntdll!_ALTERNATIVE_ARCHITECTURE_TYPE
          ntdll!_KUSER_SHARED_DATA
          ntdll!_QUAD
          ntdll!_KAPC_STATE
          ntdll!_MODE
          ntdll!_HEAP_PSEUDO_TAG_ENTRY
          ntdll!_RTL_CRITICAL_SECTION_DEBUG
          ntdll!_RTL_CRITICAL_SECTION
          ntdll!_HEAP_SEGMENT
          ntdll!_KTRAP_FRAME
          ntdll!_KGDTENTRY
          ntdll!_KDEVICE_QUEUE_ENTRY
          ntdll!_IO_ALLOCATION_ACTION
          ntdll!_WAIT_CONTEXT_BLOCK
          ntdll!_KTIMER
          ntdll!_MDL
          ntdll!_IO_STATUS_BLOCK
          ntdll!_IO_STACK_LOCATION
          ntdll!_FILE_OBJECT
          ntdll!_IRP
          ntdll!_VPB
          ntdll!_KOBJECTS
          ntdll!_KSEMAPHORE
          ntdll!_MMADDRESS_NODE
          ntdll!_CURDIR
          ntdll!_RTL_DRIVE_LETTER_CURDIR
          ntdll!_RTL_USER_PROCESS_PARAMETERS
          ntdll!_OWNER_ENTRY
          ntdll!_SE_AUDIT_PROCESS_CREATION_INFO
          ntdll!_OBJECT_HANDLE_COUNT_ENTRY
          ntdll!_CLIENT_ID
          ntdll!_RTL_TRACE_DATABASE
          ntdll!_RTL_TRACE_SEGMENT
          ntdll!_RTL_TRACE_DATABASE
          ntdll!_HEAP_LOCK
          ntdll!_HANDLE_TRACE_DB_ENTRY
          ntdll!ReplacesCorHdrNumericDefines
          ntdll!_MEMORY_TYPE
          ntdll!_IO_TIMER
          ntdll!_FXSAVE_FORMAT
          ntdll!_OBJECT_DIRECTORY_ENTRY
          ntdll!_DEVICE_MAP
          ntdll!_OBJECT_DIRECTORY
          ntdll!_STACK_TRACE_DATABASE
          ntdll!_KDPC_DATA
          ntdll!_STRING
          ntdll!_RTL_DRIVE_LETTER_CURDIR
          ntdll!_SID_AND_ATTRIBUTES
          ntdll!_DPH_HEAP_ROOT
          ntdll!_DPH_HEAP_BLOCK
          ntdll!_RTL_AVL_TABLE
          ntdll!_DPH_HEAP_ROOT
          ntdll!_DEVICE_OBJECT_POWER_EXTENSION
          ntdll!_DEVOBJ_EXTENSION
          ntdll!_FLOATING_SAVE_AREA
          ntdll!_KSYSTEM_TIME
          ntdll!_KQUEUE
          ntdll!_RTL_BALANCED_LINKS
          ntdll!_RTL_GENERIC_COMPARE_RESULTS
          ntdll!_RTL_AVL_TABLE
          ntdll!_HEAP_TAG_ENTRY
          ntdll!_RTL_CRITICAL_SECTION_DEBUG
          ntdll!_MDL
          ntdll!_DPH_HEAP_BLOCK
          ntdll!_PS_QUOTA_TYPE
          ntdll!_flags
          ntdll!_KNODE
          ntdll!_LDR_DATA_TABLE_ENTRY
          ntdll!_ACTIVATION_CONTEXT
          ntdll!_LDR_DATA_TABLE_ENTRY
          ntdll!_TEB
          ntdll!_ACTIVATION_CONTEXT_STACK
          ntdll!_GDI_TEB_BATCH
          ntdll!_TEB_ACTIVE_FRAME
          ntdll!_TEB
          ntdll!_KEVENT
          ntdll!_IO_STATUS_BLOCK
          ntdll!_RTL_TRACE_SEGMENT
          ntdll!_SECURITY_SUBJECT_CONTEXT
          ntdll!_INITIAL_PRIVILEGE_SET
          ntdll!_PRIVILEGE_SET
          ntdll!_ACCESS_STATE
          ntdll!_KSPECIAL_REGISTERS
          ntdll!_KPROCESSOR_STATE
          ntdll!_STRING
          ntdll!_flags
          ntdll!_REG_NOTIFY_CLASS
          ntdll!_OBJECT_DUMP_CONTROL
          ntdll!_SECURITY_SUBJECT_CONTEXT
          ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME
          ntdll!_ACTIVATION_CONTEXT_STACK
          ntdll!_MMSYSTEM_PTE_POOL_TYPE
          ntdll!_KDEVICE_QUEUE
          ntdll!_LUID_AND_ATTRIBUTES
          ntdll!_EXCEPTION_RECORD
          ntdll!_INITIAL_PRIVILEGE_SET
          ntdll!_TEB_ACTIVE_FRAME_CONTEXT
          ntdll!_TEB_ACTIVE_FRAME
          ntdll!_OBJECT_NAME_INFORMATION
          ntdll!_SECTION_OBJECT_POINTERS
          ntdll!_IO_COMPLETION_CONTEXT
          ntdll!_FILE_OBJECT
          ntdll!_IO_COMPLETION_CONTEXT
          ntdll!_DRIVER_EXTENSION
          ntdll!_FAST_IO_DISPATCH
          ntdll!_DRIVER_OBJECT
          ntdll!_IO_CLIENT_EXTENSION
          ntdll!_FS_FILTER_CALLBACKS
          ntdll!_DRIVER_EXTENSION
          ntdll!_TEB_ACTIVE_FRAME_CONTEXT
          ntdll!_IMAGE_DATA_DIRECTORY
          ntdll!_CURDIR
          ntdll!_GDI_TEB_BATCH
          ntdll!_RTL_BALANCED_LINKS
          ntdll!_KDEVICE_QUEUE_ENTRY
          ntdll!_SECTION_OBJECT_POINTERS
          ntdll!_IO_CLIENT_EXTENSION
          ntdll!_IO_SECURITY_CONTEXT
          ntdll!_NAMED_PIPE_CREATE_PARAMETERS
          ntdll!_MAILSLOT_CREATE_PARAMETERS
          ntdll!_FILE_INFORMATION_CLASS
          ntdll!_FSINFOCLASS
          ntdll!_SCSI_REQUEST_BLOCK
          ntdll!_FILE_GET_QUOTA_INFORMATION
          ntdll!_DEVICE_RELATION_TYPE
          ntdll!_GUID
          ntdll!_INTERFACE
          ntdll!_DEVICE_CAPABILITIES
          ntdll!_IO_RESOURCE_REQUIREMENTS_LIST
          ntdll!BUS_QUERY_ID_TYPE
          ntdll!DEVICE_TEXT_TYPE
          ntdll!_DEVICE_USAGE_NOTIFICATION_TYPE
          ntdll!_SYSTEM_POWER_STATE
          ntdll!_POWER_SEQUENCE
          ntdll!_POWER_STATE_TYPE
          ntdll!_POWER_STATE
          ntdll!POWER_ACTION
          ntdll!_CM_RESOURCE_LIST
          ntdll!_IO_STACK_LOCATION
          ntdll!_INTERFACE
          ntdll!_DEVICE_POWER_STATE
          ntdll!_POWER_STATE
          ntdll!_FS_FILTER_CALLBACK_DATA
          ntdll!_FS_FILTER_CALLBACKS
          ntdll!_DEVICE_MAP
          ntdll!_INTERFACE_TYPE
          ntdll!_IO_RESOURCE_LIST
          ntdll!_IO_RESOURCE_REQUIREMENTS_LIST
          ntdll!_SID
          ntdll!_FILE_GET_QUOTA_INFORMATION
          ntdll!_FS_FILTER_PARAMETERS
          ntdll!_FS_FILTER_CALLBACK_DATA
          ntdll!_FILE_BASIC_INFORMATION
          ntdll!_FILE_STANDARD_INFORMATION
          ntdll!_FILE_NETWORK_OPEN_INFORMATION
          ntdll!_COMPRESSED_DATA_INFO
          ntdll!_FAST_IO_DISPATCH
          ntdll!_OBJECT_DIRECTORY_ENTRY
          ntdll!_FILE_BASIC_INFORMATION
          ntdll!_PRIVILEGE_SET
          ntdll!_IO_SECURITY_CONTEXT
          ntdll!_DESCRIPTOR
          ntdll!_KSPECIAL_REGISTERS
          ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME
          ntdll!_MAILSLOT_CREATE_PARAMETERS
          ntdll!_NAMED_PIPE_CREATE_PARAMETERS
          ntdll!_IO_RESOURCE_DESCRIPTOR
          ntdll!_IO_RESOURCE_LIST
          ntdll!_FILE_NETWORK_OPEN_INFORMATION
          ntdll!_CM_FULL_RESOURCE_DESCRIPTOR
          ntdll!_CM_RESOURCE_LIST
          ntdll!_POWER_SEQUENCE
          ntdll!_IO_RESOURCE_DESCRIPTOR
          ntdll!_FS_FILTER_SECTION_SYNC_TYPE
          ntdll!_FS_FILTER_PARAMETERS
          ntdll!_COMPRESSED_DATA_INFO
          ntdll!_FILE_STANDARD_INFORMATION
          ntdll!_DESCRIPTOR
          ntdll!_GUID
          ntdll!_SID_IDENTIFIER_AUTHORITY
          ntdll!_SID
          ntdll!_SID_IDENTIFIER_AUTHORITY
          ntdll!_CM_PARTIAL_RESOURCE_LIST
          ntdll!_CM_FULL_RESOURCE_DESCRIPTOR
          ntdll!_DEVICE_CAPABILITIES
          ntdll!_CM_PARTIAL_RESOURCE_DESCRIPTOR
          ntdll!_CM_PARTIAL_RESOURCE_LIST
          ntdll!_CM_PARTIAL_RESOURCE_DESCRIPTOR
          ntdll!__unnamed

You might have noticed that many structures are listed twice in the output. Actually all of them appear twice, and there are many __unnamed entries (I edited the output before posting to save space). I was wondering why they are listed twice, and after some research I found that Visual Studio contains the DIA SDK (Debug Interface Access SDK), whose DIA2Dump sample you can build to dump PDB files. Unfortunately, this tool also displays them twice, without any hint as to why:

UDT            : LIST_ENTRY32
Data           :   this+0x0, Member, Type: unsigned long, Flink
Data           :   this+0x4, Member, Type: unsigned long, Blink
UDT            : LIST_ENTRY32
Data           :   this+0x0, Member, Type: unsigned long, Flink
Data           :   this+0x4, Member, Type: unsigned long, Blink

The __unnamed data type shows up with unions, where a nested member's type has no name of its own, for example:

0:000> dt -r _ULARGE_INTEGER
   +0x000 LowPart          : Uint4B
   +0x004 HighPart         : Uint4B
   +0x000 u                : __unnamed
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Uint4B
   +0x000 QuadPart         : Uint8B

Here’s the definition taken from winnt.h:

/*
 * Unsigned 8-byte value that can be accessed either as one ULONGLONG or as
 * two DWORD parts. The three members are union alternatives, so each of them
 * starts at offset 0 and overlays the same storage (the dt output shows the
 * first struct's fields, u and QuadPart all beginning at +0x000).
 */
typedef union _ULARGE_INTEGER
{
   /* Nameless struct member: its fields are reached directly on the union
      (dt lists LowPart at +0x000 and HighPart at +0x004). */
   struct
   {
      DWORD LowPart;
      DWORD HighPart;
   };
   /* The same two fields again, this time under the member name u. The
      struct type has no tag; dt prints this member's type as __unnamed. */
   struct
   {
      DWORD LowPart;
      DWORD HighPart;
   } u;
   /* The whole value as a single field (dt: Uint8B). */
   ULONGLONG QuadPart;
} ULARGE_INTEGER, *PULARGE_INTEGER;

- Dmitry Vostokov -

4 Responses to “Exported NTDLL and kernel structures”

  1. nickdigital Says:

    Ahh, very nice tip, I had never come across the DIA2Dump sample. You can spice this up a little by using another Microsoft tool, logparser, to filter out the duplicates and then sort alphabetically…

    c:\>"C:\Program Files\Microsoft Visual Studio 8\DIA SDK\Samples\DIA2Dump\Release\Dia2Dump.exe" -t C:\websymbols\ntdll.pdb\DCE823FCF71A4BF5AA489994520EA18F2\ntdll.pdb | logparser.exe -i:TEXTLINE -o:CSV "Select DISTINCT EXTRACT_SUFFIX(TEXT,0,':') AS Type From STDIN WHERE TEXT LIKE '%UDT%' ORDER BY Type ASC"

  2. nickdigital Says:

    In case anyone is interested, the output from the above is 275 unique data types…
    PROCESSOR_IDLE_TIMES
    _CLIENT_ID
    _CM_PARTIAL_RESOURCE_LIST
    _CONTEXT
    _CURDIR
    _DESCRIPTOR
    _DISPATCHER_HEADER
    _ERESOURCE
    _EX_FAST_REF
    _EX_PUSH_LOCK
    _EX_RUNDOWN_REF
    _FAST_MUTEX
    _FLOATING_SAVE_AREA
    _FNSAVE_FORMAT
    _FS_FILTER_PARAMETERS
    _FXSAVE_FORMAT
    _FX_SAVE_AREA
    _GDI_TEB_BATCH
    _GENERAL_LOOKASIDE
    _GENERIC_MAPPING
    _HARDWARE_PTE_X86
    _HEAP_ENTRY
    _IMAGE_FILE_HEADER
    _IMAGE_OPTIONAL_HEADER
    _INITIAL_PRIVILEGE_SET
    _IO_COUNTERS
    _IO_STATUS_BLOCK
    _KAPC
    _KAPC_STATE
    _KDEVICE_QUEUE
    _KDEVICE_QUEUE_ENTRY
    _KDPC
    _KEVENT
    _KEXECUTE_OPTIONS
    _KGATE
    _KGDTENTRY
    _KGUARDED_MUTEX
    _KIDTENTRY
    _KPRCB
    _KPROCESS
    _KPROCESSOR_STATE
    _KSEMAPHORE
    _KSPECIAL_REGISTERS
    _KSYSTEM_TIME
    _KTHREAD
    _KTIMER
    _LARGE_INTEGER
    _LIST_ENTRY
    _LUID
    _MMADDRESS_NODE
    _MMSUPPORT
    _MMSUPPORT_FLAGS
    _MM_AVL_TABLE
    _NT_TIB
    _OBJECT_HANDLE_COUNT_ENTRY
    _OBJECT_TYPE_INITIALIZER
    _POWER_STATE
    _PRIVILEGE_SET
    _PROCESSOR_POWER_STATE
    _QUAD
    _RTL_AVL_TABLE
    _RTL_BALANCED_LINKS
    _RTL_CRITICAL_SECTION
    _SECURITY_QUALITY_OF_SERVICE
    _SECURITY_SUBJECT_CONTEXT
    _SE_AUDIT_PROCESS_CREATION_INFO
    _SID
    _SID_IDENTIFIER_AUTHORITY
    _SINGLE_LIST_ENTRY
    _SLIST_HEADER
    _STRING
    _ULARGE_INTEGER
    _UNICODE_STRING
    _WAIT_CONTEXT_BLOCK
    __unnamed
    _flags
    LIST_ENTRY32
    LIST_ENTRY64
    PROCESSOR_IDLE_TIMES
    PROCESSOR_PERF_STATE
    _ACCESS_STATE
    _ACTIVATION_CONTEXT
    _ACTIVATION_CONTEXT_DATA
    _ACTIVATION_CONTEXT_STACK
    _ASSEMBLY_STORAGE_MAP
    _CLIENT_ID
    _CM_FULL_RESOURCE_DESCRIPTOR
    _CM_PARTIAL_RESOURCE_DESCRIPTOR
    _CM_PARTIAL_RESOURCE_LIST
    _CM_RESOURCE_LIST
    _COMPRESSED_DATA_INFO
    _CONTEXT
    _CURDIR
    _DESCRIPTOR
    _DEVICE_CAPABILITIES
    _DEVICE_MAP
    _DEVICE_OBJECT
    _DEVICE_OBJECT_POWER_EXTENSION
    _DEVOBJ_EXTENSION
    _DISPATCHER_HEADER
    _DPH_BLOCK_INFORMATION
    _DPH_HEAP_BLOCK
    _DPH_HEAP_ROOT
    _DRIVER_EXTENSION
    _DRIVER_OBJECT
    _EJOB
    _EPROCESS
    _EPROCESS_QUOTA_BLOCK
    _EPROCESS_QUOTA_ENTRY
    _ERESOURCE
    _ETHREAD
    _EXCEPTION_RECORD
    _EXCEPTION_REGISTRATION_RECORD
    _EX_FAST_REF
    _EX_PUSH_LOCK
    _EX_PUSH_LOCK_CACHE_AWARE
    _EX_PUSH_LOCK_WAIT_BLOCK
    _EX_RUNDOWN_REF
    _FAST_IO_DISPATCH
    _FAST_MUTEX
    _FILE_BASIC_INFORMATION
    _FILE_GET_QUOTA_INFORMATION
    _FILE_NETWORK_OPEN_INFORMATION
    _FILE_OBJECT
    _FILE_STANDARD_INFORMATION
    _FLOATING_SAVE_AREA
    _FNSAVE_FORMAT
    _FS_FILTER_CALLBACKS
    _FS_FILTER_CALLBACK_DATA
    _FS_FILTER_PARAMETERS
    _FXSAVE_FORMAT
    _FX_SAVE_AREA
    _GDI_TEB_BATCH
    _GENERAL_LOOKASIDE
    _GENERIC_MAPPING
    _GUID
    _HANDLE_TABLE
    _HANDLE_TRACE_DB_ENTRY
    _HANDLE_TRACE_DEBUG_INFO
    _HARDWARE_PTE_X86
    _HEAP
    _HEAP_ENTRY
    _HEAP_LOCK
    _HEAP_PSEUDO_TAG_ENTRY
    _HEAP_SEGMENT
    _HEAP_TAG_ENTRY
    _HEAP_UCR_SEGMENT
    _HEAP_UNCOMMMTTED_RANGE
    _IMAGE_DATA_DIRECTORY
    _IMAGE_FILE_HEADER
    _IMAGE_NT_HEADERS
    _IMAGE_OPTIONAL_HEADER
    _INITIAL_PRIVILEGE_SET
    _INTERFACE
    _IO_CLIENT_EXTENSION
    _IO_COMPLETION_CONTEXT
    _IO_COUNTERS
    _IO_RESOURCE_DESCRIPTOR
    _IO_RESOURCE_LIST
    _IO_RESOURCE_REQUIREMENTS_LIST
    _IO_SECURITY_CONTEXT
    _IO_STACK_LOCATION
    _IO_STATUS_BLOCK
    _IO_TIMER
    _IRP
    _KAPC
    _KAPC_STATE
    _KDEVICE_QUEUE
    _KDEVICE_QUEUE_ENTRY
    _KDPC
    _KDPC_DATA
    _KEVENT
    _KEXECUTE_OPTIONS
    _KGATE
    _KGDTENTRY
    _KGUARDED_MUTEX
    _KIDTENTRY
    _KNODE
    _KPCR
    _KPRCB
    _KPROCESS
    _KPROCESSOR_STATE
    _KQUEUE
    _KSEMAPHORE
    _KSPECIAL_REGISTERS
    _KSPIN_LOCK_QUEUE
    _KSYSTEM_TIME
    _KTHREAD
    _KTIMER
    _KTRAP_FRAME
    _KTSS
    _KUSER_SHARED_DATA
    _KWAIT_BLOCK
    _KiIoAccessMap
    _LARGE_INTEGER
    _LDR_DATA_TABLE_ENTRY
    _LIST_ENTRY
    _LUID
    _LUID_AND_ATTRIBUTES
    _MAILSLOT_CREATE_PARAMETERS
    _MDL
    _MMADDRESS_NODE
    _MMSUPPORT
    _MMSUPPORT_FLAGS
    _MMWSL
    _MM_AVL_TABLE
    _NAMED_PIPE_CREATE_PARAMETERS
    _NPAGED_LOOKASIDE_LIST
    _NT_TIB
    _OBJECT_ATTRIBUTES
    _OBJECT_CREATE_INFORMATION
    _OBJECT_DIRECTORY
    _OBJECT_DIRECTORY_ENTRY
    _OBJECT_DUMP_CONTROL
    _OBJECT_HANDLE_COUNT_DATABASE
    _OBJECT_HANDLE_COUNT_ENTRY
    _OBJECT_HANDLE_INFORMATION
    _OBJECT_HEADER
    _OBJECT_HEADER_CREATOR_INFO
    _OBJECT_HEADER_HANDLE_INFO
    _OBJECT_HEADER_NAME_INFO
    _OBJECT_HEADER_QUOTA_INFO
    _OBJECT_NAME_INFORMATION
    _OBJECT_TYPE
    _OBJECT_TYPE_INITIALIZER
    _OWNER_ENTRY
    _PAGED_LOOKASIDE_LIST
    _PAGEFAULT_HISTORY
    _PEB
    _PEB_FREE_BLOCK
    _PEB_LDR_DATA
    _PERFINFO_GROUPMASK
    _POWER_SEQUENCE
    _POWER_STATE
    _PP_LOOKASIDE_LIST
    _PRIVILEGE_SET
    _PROCESSOR_POWER_STATE
    _PROCESS_WS_WATCH_INFORMATION
    _PS_IMPERSONATION_INFORMATION
    _PS_JOB_TOKEN_FILTER
    _QUAD
    _RTL_ACTIVATION_CONTEXT_STACK_FRAME
    _RTL_AVL_TABLE
    _RTL_BALANCED_LINKS
    _RTL_CRITICAL_SECTION
    _RTL_CRITICAL_SECTION_DEBUG
    _RTL_DRIVE_LETTER_CURDIR
    _RTL_STACK_TRACE_ENTRY
    _RTL_TRACE_BLOCK
    _RTL_TRACE_DATABASE
    _RTL_TRACE_SEGMENT
    _RTL_USER_PROCESS_PARAMETERS
    _SCSI_REQUEST_BLOCK
    _SECTION_OBJECT_POINTERS
    _SECURITY_QUALITY_OF_SERVICE
    _SECURITY_SUBJECT_CONTEXT
    _SE_AUDIT_PROCESS_CREATION_INFO
    _SID
    _SID_AND_ATTRIBUTES
    _SID_IDENTIFIER_AUTHORITY
    _SINGLE_LIST_ENTRY
    _SLIST_HEADER
    _STACK_TRACE_DATABASE
    _STRING
    _TEB
    _TEB_ACTIVE_FRAME
    _TEB_ACTIVE_FRAME_CONTEXT
    _TERMINATION_PORT
    _ULARGE_INTEGER
    _UNICODE_STRING
    _VPB
    _WAIT_CONTEXT_BLOCK
    __unnamed
    _flags

  3. Nick Says:

    Did you report this to Microsoft?

  4. Dmitry Vostokov Says:

    If you mean the fact that wildcards don’t work in version 6.9.3.113 of WinDbg, then I haven’t reported it yet.
