Comments on: Crash Dump Analysis Patterns (Part 159) https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Wed, 06 May 2026 17:19:14 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-767708 Dmitry Vostokov Fri, 04 Feb 2022 16:03:29 +0000 https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-767708 There is also !findthreads command There is also !findthreads command

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-741715 Dmitry Vostokov Mon, 19 Sep 2016 11:21:46 +0000 https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-741715 If we have an object address we can use !findhandle to find its process container: <p align="left">002c: Object: fffffa80a95cb610 GrantedAccess: 001fffff Entry: fffff8a0000030b0 Object: fffffa80a95cb610 Type: (fffffa80a943bf30) Thread ObjectHeader: fffffa80a95cb5e0 (new version) HandleCount: 1 PointerCount: 2</p> 0: kd> !findhandle fffffa80a95cb610 Now checking process fffffa80a943b6d0... [fffffa80a943b6d0 System] 2c: Entry fffff8a0000030b0 Granted Access 1fffff If we have an object address we can use !findhandle to find its process container:

002c: Object: fffffa80a95cb610 GrantedAccess: 001fffff Entry: fffff8a0000030b0
Object: fffffa80a95cb610 Type: (fffffa80a943bf30) Thread
ObjectHeader: fffffa80a95cb5e0 (new version)
HandleCount: 1 PointerCount: 2

0: kd> !findhandle fffffa80a95cb610
Now checking process fffffa80a943b6d0…
[fffffa80a943b6d0 System]
2c: Entry fffff8a0000030b0 Granted Access 1fffff

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-741674 Dmitry Vostokov Fri, 12 Jun 2015 17:44:40 +0000 https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-741674 If we have an object with handle references to it we can search for its process handle container, for example, for zombie processes, we can dump all handle tables from all processes: !handle 0 3 0 Process If we have an object with handle references to it we can search for its process handle container, for example, for zombie processes, we can dump all handle tables from all processes:

!handle 0 3 0 Process

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-446944 Dmitry Vostokov Fri, 23 Mar 2012 13:22:18 +0000 https://www.dumpanalysis.org/blog/index.php/2011/12/05/crash-dump-analysis-patterns-part-159/#comment-446944 Useful command to find a value pointers in the whole virtual address space: !heap -x -v <value> Useful command to find a value pointers in the whole virtual address space:

!heap -x -v

]]>