WinDbg shortcuts: lmu and lmk
When looking at complete memory dumps and switching between process contexts, we are usually interested in the loaded user space modules: their timestamps, version information, vendor and description. The lmt and lmv WinDbg commands show both user space and kernel space modules, and it becomes annoying to see the same kernel modules over and over again in the output. Two commands list them separately: lmu shows only user space modules and lmk shows only kernel space modules. Here is an example:
lkd> !process
PROCESS fffffa80056b0c10
SessionId: 1 Cid: 0f6c Peb: 7fffffdf000 ParentCid: 0a10
DirBase: 34b2b000 ObjectTable: fffff88009796470 HandleCount: 80.
Image: windbg.exe
VadRoot fffffa80056000a0 Vads 82 Clone 0 Private 5884. Modified 2109. Locked 1.
DeviceMap fffff88008c7e9c0
Token fffff8800bb3fa70
ElapsedTime 00:01:27.560
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 176696
QuotaPoolUsage[NonPagedPool] 7984
Working Set Sizes (now,min,max) (7860, 50, 345) (31440KB, 200KB, 1380KB)
PeakWorkingSetSize 7860
VirtualSize 110 Mb
PeakVirtualSize 110 Mb
PageFaultCount 10117
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 6293
THREAD fffffa8005648790 Cid 0f6c.096c Teb: 000007fffffdd000 Win32Thread: fffff900c21ef450 WAIT: (WrUserRequest) UserMode Non-Alertable
fffffa80056692a0 SynchronizationEvent
THREAD fffffa800557c300 Cid 0f6c.0eb8 Teb: 000007fffffdb000 Win32Thread: fffff900c06402a0 RUNNING on processor 1
lkd> lmu
start end module name
00000000`6d660000 00000000`6d943000 ext
00000000`6d950000 00000000`6ddac000 dbgeng
00000000`6e120000 00000000`6e191000 exts
00000000`6e1a0000 00000000`6e309000 dbghelp
00000000`6ed20000 00000000`6ed6c000 symsrv
00000000`6ed70000 00000000`6edb4000 kext
00000000`76da0000 00000000`76ecd000 kernel32
00000000`76ed0000 00000000`76f9d000 USER32
00000000`76fa0000 00000000`77126000 ntdll
00000001`3f530000 00000001`3f5de000 windbg
000007fe`f3f00000 000007fe`f40c3000 kdexts
000007fe`f4600000 000007fe`f46b8000 MSFTEDIT
000007fe`fb760000 000007fe`fb7b1000 UxTheme
000007fe`fc200000 000007fe`fc24f000 OLEACC
000007fe`fc250000 000007fe`fc289000 WINMM
000007fe`fc4e0000 000007fe`fc6d9000 COMCTL32
000007fe`fc6f0000 000007fe`fc6fb000 VERSION
000007fe`fd370000 000007fe`fd389000 MPR
000007fe`fd4f0000 000007fe`fd5c3000 OLEAUT32
000007fe`fd5d0000 000007fe`fd7a8000 ole32
000007fe`fda00000 000007fe`fda2d000 IMM32
000007fe`fda30000 000007fe`fda3d000 LPK
000007fe`fda40000 000007fe`fdb83000 RPCRT4
000007fe`fdb90000 000007fe`fdc03000 SHLWAPI
000007fe`fde10000 000007fe`fde9c000 COMDLG32
000007fe`fdea0000 000007fe`feaf3000 SHELL32
000007fe`feb00000 000007fe`feb64000 GDI32
000007fe`fecf0000 000007fe`fedf8000 ADVAPI32
000007fe`fee00000 000007fe`fee9c000 msvcrt
000007fe`fefc0000 000007fe`ff0c2000 MSCTF
000007fe`ff180000 000007fe`ff21a000 USP10
lkd> lmk
start end module name
fffff800`0181c000 fffff800`01d34000 nt
fffff800`01d34000 fffff800`01d7a000 hal
fffff960`00020000 fffff960`002d4000 win32k
fffff960`00420000 fffff960`0043e000 dxg
fffff960`006e0000 fffff960`006ea000 TSDDD
fffff960`008e0000 fffff960`008e9000 framebuf
fffffa60`00602000 fffffa60`0060c000 kdcom
fffffa60`0060c000 fffffa60`00647000 mcupdate_GenuineIntel
fffffa60`00647000 fffffa60`0065b000 PSHED
fffffa60`0065b000 fffffa60`006b8000 CLFS
fffffa60`006b8000 fffffa60`0076a000 CI
fffffa60`00786000 fffffa60`007d6000 msrpc
fffffa60`007d6000 fffffa60`007fa000 ataport
fffffa60`00800000 fffffa60`009c3000 NDIS
fffffa60`009c3000 fffffa60`009d3000 PCIIDEX
fffffa60`009d3000 fffffa60`009e6000 mountmgr
fffffa60`00a0d000 fffffa60`00a66000 NETIO
fffffa60`00a66000 fffffa60`00b40000 Wdf01000
fffffa60`00b40000 fffffa60`00b4e000 WDFLDR
fffffa60`00b4e000 fffffa60`00b7e000 pci
fffffa60`00b7e000 fffffa60`00b92000 volmgr
fffffa60`00b92000 fffffa60`00bf8000 volmgrx
fffffa60`00c00000 fffffa60`00ced000 HDAudBus
fffffa60`00ced000 fffffa60`00d09000 cdrom
fffffa60`00d09000 fffffa60`00d42000 msiscsi
fffffa60`00d43000 fffffa60`00d4c000 WMILIB
fffffa60`00d4c000 fffffa60`00d7a000 SCSIPORT
fffffa60`00d7a000 fffffa60`00dd0000 acpi
fffffa60`00dd0000 fffffa60`00dda000 msisadrv
fffffa60`00dda000 fffffa60`00def000 partmgr
fffffa60`00def000 fffffa60`00df7000 intelide
fffffa60`00df7000 fffffa60`00dff000 atapi
fffffa60`00e0b000 fffffa60`00e52000 fltmgr
fffffa60`00e52000 fffffa60`00ed9000 ksecdd
fffffa60`00ed9000 fffffa60`00ee5000 tunnel
fffffa60`00ee5000 fffffa60`00ef8000 intelppm
fffffa60`00ef8000 fffffa60`00f06000 vgapnp
fffffa60`00f06000 fffffa60`00f2b000 VIDEOPRT
fffffa60`00f2b000 fffffa60`00f3b000 watchdog
fffffa60`00f3b000 fffffa60`00f47000 usbuhci
fffffa60`00f47000 fffffa60`00f8d000 USBPORT
fffffa60`00f8d000 fffffa60`00f9e000 usbehci
fffffa60`00f9e000 fffffa60`00fd7000 b57nd60a
fffffa60`00fd7000 fffffa60`00ff3000 parport
fffffa60`0100b000 fffffa60`01181000 tcpip
fffffa60`01181000 fffffa60`011ad000 fwpkclnt
fffffa60`011ad000 fffffa60`011c1000 disk
fffffa60`011c1000 fffffa60`011ed000 CLASSPNP
fffffa60`0120f000 fffffa60`0138f000 Ntfs
fffffa60`0138f000 fffffa60`013d3000 volsnap
fffffa60`013d3000 fffffa60`013db000 spldr
fffffa60`013db000 fffffa60`013ed000 mup
fffffa60`013ed000 fffffa60`013f7000 crcdisk
fffffa60`02209000 fffffa60`02266000 storport
fffffa60`02266000 fffffa60`02273000 TDI
fffffa60`02273000 fffffa60`02296000 rasl2tp
fffffa60`02296000 fffffa60`022a2000 ndistapi
fffffa60`022a2000 fffffa60`022d3000 ndiswan
fffffa60`022d3000 fffffa60`022e3000 raspppoe
fffffa60`022e3000 fffffa60`02301000 raspptp
fffffa60`02301000 fffffa60`02319000 rassstp
fffffa60`02319000 fffffa60`023b3000 rdpdr
fffffa60`023b3000 fffffa60`023c6000 termdd
fffffa60`023c6000 fffffa60`023d4000 kbdclass
fffffa60`023d4000 fffffa60`023e0000 mouclass
fffffa60`023e0000 fffffa60`023e1480 swenum
fffffa60`023e2000 fffffa60`023fd000 smb
fffffa60`0240b000 fffffa60`0243f000 ks
fffffa60`0243f000 fffffa60`0244a000 mssmbios
fffffa60`0244a000 fffffa60`0245a000 umbus
fffffa60`0245a000 fffffa60`024a2000 usbhub
fffffa60`024a2000 fffffa60`024b6000 NDProxy
fffffa60`024b6000 fffffa60`024ff000 HdAudio
fffffa60`024ff000 fffffa60`0253a000 portcls
fffffa60`0253a000 fffffa60`0255d000 drmk
fffffa60`0255d000 fffffa60`02562180 ksthunk
fffffa60`02563000 fffffa60`0256d000 Fs_Rec
fffffa60`0256d000 fffffa60`02576000 Null
fffffa60`02581000 fffffa60`02588b80 HIDPARSE
fffffa60`02589000 fffffa60`02597000 vga
fffffa60`02597000 fffffa60`025a0000 RDPCDD
fffffa60`025a0000 fffffa60`025a9000 rdpencdd
fffffa60`025a9000 fffffa60`025b4000 Msfs
fffffa60`025b4000 fffffa60`025c5000 Npfs
fffffa60`025c5000 fffffa60`025ce000 rasacd
fffffa60`025ce000 fffffa60`025eb000 tdx
fffffa60`02e0d000 fffffa60`02e78000 afd
fffffa60`02e78000 fffffa60`02ebc000 netbt
fffffa60`02ebc000 fffffa60`02eda000 pacer
fffffa60`02eda000 fffffa60`02ee9000 netbios
fffffa60`02f06000 fffffa60`02f21000 wanarp
fffffa60`02f21000 fffffa60`02f6e000 rdbss
fffffa60`02f6e000 fffffa60`02f7a000 nsiproxy
fffffa60`02f7a000 fffffa60`02f97000 dfsc
fffffa60`02f97000 fffffa60`02fa0000 hidusb
fffffa60`02fa0000 fffffa60`02fb2000 HIDCLASS
fffffa60`02fb2000 fffffa60`02fb3e00 USBD
fffffa60`02fb4000 fffffa60`02fbf000 kbdhid
fffffa60`02fbf000 fffffa60`02fca000 mouhid
fffffa60`02fca000 fffffa60`02fd8000 crashdmp
fffffa60`02fd8000 fffffa60`02fe4000 dump_dumpata
fffffa60`02fe4000 fffffa60`02fec000 dump_atapi
fffffa60`02fec000 fffffa60`02ff8000 Dxapi
fffffa60`03a00000 fffffa60`03a22000 luafv
fffffa60`03a22000 fffffa60`03a2a000 psxdrv
fffffa60`03a2a000 fffffa60`03a3e000 lltdio
fffffa60`03a3e000 fffffa60`03a56000 rspndr
fffffa60`03a56000 fffffa60`03a74000 bowser
fffffa60`03a74000 fffffa60`03a8e000 mpsdrv
fffffa60`03a8e000 fffffa60`03ab5000 mrxdav
fffffa60`03ab5000 fffffa60`03ade000 mrxsmb
fffffa60`03ade000 fffffa60`03b27000 mrxsmb10
fffffa60`03b27000 fffffa60`03b46000 mrxsmb20
fffffa60`03b46000 fffffa60`03be9000 HTTP
fffffa60`04400000 fffffa60`0449a000 spsys
fffffa60`0449a000 fffffa60`04550000 peauth
fffffa60`04550000 fffffa60`0455b000 secdrv
fffffa60`0455b000 fffffa60`04584000 srvnet
fffffa60`04584000 fffffa60`04594000 tcpipreg
fffffa60`04594000 fffffa60`045c6000 srv2
fffffa60`0480d000 fffffa60`0489e000 srv
fffffa60`0489e000 fffffa60`048a9000 asyncmac
fffffa60`048a9000 fffffa60`048c5000 cdfs
fffffa60`048c5000 fffffa60`048cd000 kldbgdrv
Unloaded modules:
fffffa60`01200000 fffffa60`0120e000 crashdmp.sys
fffffa60`011ed000 fffffa60`011f9000 dump_ataport.sys
fffffa60`013f7000 fffffa60`013ff000 dump_atapi.sys
fffffa60`02ee9000 fffffa60`02f06000 serial.sys
fffffa60`02576000 fffffa60`02581000 kbdhid.sys
fffffa60`00c0f000 fffffa60`00d43000 sptd.sys
fffffa60`0076a000 fffffa60`00786000 sacdrv.sys
Of course, verbose equivalents also work: lmuv and lmkv.
- Dmitry Vostokov @ DumpAnalysis.org -
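When only a saved log with a combined module listing is available, the same user/kernel separation can be recovered offline from the address ranges. The following is an added example, not code from the original post: the function names are hypothetical, it assumes a 64-bit target like the one shown above, and the sample rows are copied from the listings above.

```python
import re
from collections import namedtuple

# Assumption: 64-bit target, where kernel-space addresses have bit 63 set.
KERNEL_BASE = 0xFFFF800000000000
# One listing row: start and end as 8 hex digits ` 8 hex digits, then the name.
ROW = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+(\S+)", re.I)

Module = namedtuple("Module", "start end name unloaded")

def parse_lm(text):
    """Parse a saved module listing into Module records, tracking the unloaded list."""
    modules, unloaded = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("unloaded modules"):
            unloaded = True  # every row after this marker is an unloaded module
            continue
        m = ROW.match(line)
        if not m:
            continue  # column header, debugger prompt, or blank line
        start, end = (int(a.replace("`", ""), 16) for a in m.group(1, 2))
        modules.append(Module(start, end, m.group(3), unloaded))
    return modules

def split_modules(text):
    """Group module names by address range, mirroring the lmu / lmk separation."""
    out = {"user": [], "kernel": [], "unloaded": []}
    for mod in parse_lm(text):
        space = "kernel" if mod.start >= KERNEL_BASE else "user"
        out["unloaded" if mod.unloaded else space].append(mod.name)
    return out

# Constructed sample: rows copied from the lmu and lmk listings above, merged.
SAMPLE = """\
start end module name
00000000`76fa0000 00000000`77126000 ntdll
00000001`3f530000 00000001`3f5de000 windbg
fffff800`0181c000 fffff800`01d34000 nt
fffffa60`0100b000 fffffa60`01181000 tcpip
Unloaded modules:
fffffa60`02ee9000 fffffa60`02f06000 serial.sys
"""

if __name__ == "__main__":
    for space, names in split_modules(SAMPLE).items():
        print(f"{space:9}{', '.join(names)}")
```

Unloaded modules are kept in their own group because they no longer occupy the listed range in the dump.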
January 6th, 2010 at 7:53 am
It is a very useful tip.
Sometimes I want to see only either user or kernel modules ^^
Thank you for sharing.