Complete Dump: User Space Critical Sections
Just a short note. Suppose we have a complete memory dump and want to check the critical sections of every process for anomalies. We can do this with the !for_each_process extension command:
0: kd> !for_each_process ".process /r /p @#Process; !ntsdexts.locks"
Implicit process is now a59a4648
Loading User Symbols
NTSDEXTS: Unable to resolve ntdll!RtlCriticalSectionList
NTSDEXTS: Please check your symbols
Implicit process is now a553cd88
Loading User Symbols
....
Scanned 11 critical sections
Implicit process is now a518b1b0
Loading User Symbols
....
Scanned 105 critical sections
Implicit process is now a513a348
Loading User Symbols
....
Scanned 977 critical sections
Implicit process is now a5659d88
Loading User Symbols
....
Scanned 438 critical sections
Implicit process is now a551abb8
Loading User Symbols
....
...
...
...
...
Here the first NTSDEXTS warning is normal because we don’t have user space for the System process.
- Dmitry Vostokov @ DumpAnalysis.org -
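When the output of this command is saved to a log (for example with .logopen), a small script can summarize it per process. The following is an added example, not part of the original post: the function names are hypothetical, the sample log is constructed, and the layout of a locked critical section (ending in "*** Locked") is an assumption about the extension's output.

```python
import re

# Constructed sample: log lines in the shape shown on this page, plus one locked
# critical section whose layout (fields, "*** Locked" marker) is an assumption.
SAMPLE_LOG = """\
Implicit process is now a59a4648
Loading User Symbols
NTSDEXTS: Unable to resolve ntdll!RtlCriticalSectionList
Implicit process is now a553cd88
Scanned 11 critical sections
Implicit process is now a518b1b0
CritSec ntdll!LdrpLoaderLock+0 at 7c8877a0
LockCount          1
RecursionCount     1
OwningThread       1a8
EntryCount         1
ContentionCount    1
*** Locked
Scanned 105 critical sections
"""

PROCESS = re.compile(r"^Implicit process is now ([0-9a-fA-F`]+)")
SCANNED = re.compile(r"^Scanned (\d+) critical sections")

def summarize(log_text):
    """Return one dict per process: address, scanned count, locked count, unresolved flag."""
    results, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if (m := PROCESS.match(line)):
            current = {"process": m.group(1), "scanned": None, "locked": 0, "unresolved": False}
            results.append(current)
        elif current is None:
            continue  # command echo or other preamble before the first process
        elif (m := SCANNED.match(line)):
            current["scanned"] = int(m.group(1))
        elif line.startswith("*** Locked"):
            current["locked"] += 1
        elif "Unable to resolve ntdll!RtlCriticalSectionList" in line:
            current["unresolved"] = True
    return results

def needs_review(results):
    """Locked sections, or an unresolved list in any process after the first (System)."""
    return [r["process"] for i, r in enumerate(results)
            if r["locked"] or (r["unresolved"] and i > 0)]

if __name__ == "__main__":
    print(needs_review(summarize(SAMPLE_LOG)))
```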
August 13th, 2010 at 7:33 pm
As !ntsdexts.locks no longer works, here’s the modification for the !cs command:
!for_each_process ".process /r /p @#Process; !cs -l -o -s"