
Saturday, 30 August 2014

WinDbg : the !thread and the .thread Commands

WinDbg : !thread

The !thread extension command lists a great deal of useful information about a thread: its ETHREAD address, client ID (Cid), TEB, owning process, pending IRPs, wait and scheduling state, priorities, and its kernel stack. Depending on the switches used, it can display one thread (the current thread by default, or the thread whose ETHREAD address is given) or all threads. Below are some examples.

kd> !thread
THREAD 851d8d48  Cid 08b4.08b8  Teb: 7ffdf000 Win32Thread: fe9fddd8 RUNNING on processor 0
IRP List:
    849bc610: (0006,0094) Flags: 00060000  Mdl: 00000000
Not impersonating
DeviceMap                 90cda830
Owning Process            851d1348       Image:         NotMyfault.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      3020           Ticks: 1 (0:00:00:00.015)
Context Switch Count      180            IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:00:00.031
Win32 Start Address 0x00402627
Stack Init 91387fd0 Current 91387af8 Base 91388000 Limit 91385000 Call 0
Priority 12 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
ChildEBP RetAddr  Args to Child              
91387b3c 92deb579 badb0d00 839a9240 940b3800 nt!KiTrap0E+0x2cf (FPO: [0,0] TrapFrame @ 91387b3c)
WARNING: Stack unwind information not available. Following frames may be wrong.
91387bb8 92deb849 849bc610 91387bfc 92deb8ac myfault+0x579
91387bc4 92deb8ac 852540f0 00000001 00000000 myfault+0x849
91387bfc 8263f593 850bff08 849bc610 849bc610 myfault+0x8ac
91387c14 8283399f 852540f0 849bc610 849bc680 nt!IofCallDriver+0x63
91387c34 82836b71 850bff08 852540f0 00000000 nt!IopSynchronousServiceTail+0x1f8
91387cd0 8287d3f4 850bff08 849bc610 00000000 nt!IopXxxControlFile+0x6aa
91387d04 826461ea 000000bc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
91387d04 77be70b4 000000bc 00000000 00000000 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 91387d34)

0012f994 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

WinDbg : .thread


The .thread (dot thread) command switches the debugger's register and stack context to a particular thread. In user mode this is rarely a problem: we are attached to one process, or the user-mode dump holds one process, so the threads in scope are that process's threads. In kernel mode the debugger sees the whole system, so to switch into the context of a particular process we need the .process command, and to switch to a particular thread inside it we use .thread. Examples below.

A list of all threads in the system can be obtained with the !stacks command, as explained here. Once we have found the thread we are interested in, we can switch context to it.

Here is a snipped output from the !stacks command for the process lsass.exe.


                            [84cdc860 lsass.exe]

 208.00021c  84ce1688 0000947 Blocked    Stack paged out
 208.000220  848f7b20 00008b5 Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeWaitForSingleObject+0x393
                                        nt!NtWaitForSingleObject+0xc6
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.000224  84d047a8 00001ac Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeWaitForMultipleObjects+0x535
                                        nt!ObpWaitForMultipleObjects+0x262
                                        nt!NtWaitForMultipleObjects+0xcd
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.000228  84d044c0 00008e4 Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeRemoveQueueEx+0x4f8
                                        nt!IoRemoveIoCompletion+0x23
                                        nt!NtWaitForWorkViaWorkerFactory+0x1a1
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.00022c  84cfb030 0000901 Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeRemoveQueueEx+0x4f8
                                        nt!IoRemoveIoCompletion+0x23
                                        nt!NtWaitForWorkViaWorkerFactory+0x1a1
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.000234  84d103a0 0000294 Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeRemoveQueueEx+0x4f8
                                        nt!IoRemoveIoCompletion+0x23
                                        nt!NtWaitForWorkViaWorkerFactory+0x1a1
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.000270  84d23378 00006a8 Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeRemoveQueueEx+0x4f8
                                        nt!IoRemoveIoCompletion+0x23
                                        nt!NtWaitForWorkViaWorkerFactory+0x1a1
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.00033c  84d72a60 00000aa Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeRemoveQueueEx+0x4f8
                                        nt!IoRemoveIoCompletion+0x23
                                        nt!NtWaitForWorkViaWorkerFactory+0x1a1
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.000394  84eed338 00008c2 Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeWaitForSingleObject+0x393
                                        nt!EtwpReceiveNotification+0xf4
                                        nt!NtTraceControl+0x281
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet
 208.000774  850cad48 00006b1 Blocked    nt!KiSwapContext+0x26
                                        nt!KiSwapThread+0x266
                                        nt!KiCommitThreadWait+0x1df
                                        nt!KeDelayExecutionThread+0x2aa
                                        nt!NtDelayExecution+0x8d
                                        nt!KiFastCallEntry+0x12a
                                        ntdll!KiFastSystemCallRet

Then we switch to the context of the thread we are interested in using the .thread command. The /p switch also sets the process context to the thread's owning process, and /r reloads the user-mode symbols for that process, which is why the output below reports both an implicit thread and an implicit process.

kd> .thread /p /r 84eed338
Implicit thread is now 84eed338
Implicit process is now 84cdc860
Loading User Symbols
............................................................

************* Symbol Loading Error Summary **************
Module name            Error
myfault                The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
kd> kn
  *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr  
00 8a2d3b88 8268669d nt!KiSwapContext+0x26
01 8a2d3bc0 826854f7 nt!KiSwapThread+0x266
02 8a2d3be8 8267f0cf nt!KiCommitThreadWait+0x1df
03 8a2d3c60 827f14a4 nt!KeWaitForSingleObject+0x393
04 8a2d3cb8 82859c3c nt!EtwpReceiveNotification+0xf4
05 8a2d3d14 826461ea nt!NtTraceControl+0x281
06 8a2d3d14 77be70b4 nt!KiFastCallEntry+0x12a
07 0071fb44 77be6924 ntdll!KiFastSystemCallRet
08 0071fb48 77bbf505 ntdll!ZwTraceControl+0xc
09 0071fb78 76753c45 ntdll!EtwpNotificationThread+0x3d
0a 0071fb84 77c037f5 kernel32!BaseThreadInitThunk+0xe
0b 0071fbc4 77c037c8 ntdll!__RtlUserThreadStart+0x70
0c 0071fbdc 00000000 ntdll!_RtlUserThreadStart+0x1b

Comparing the stack trace from !stacks with the current stack, we can confirm that we are in the right context.

We will see practical uses of these commands in later posts.


WinDbg : the !stacks Command

WinDbg : !stacks

The !stacks extension command displays a summary of the kernel-mode stack of every thread on the system, grouped by owning process. The first argument controls the amount of detail: !stacks 0 prints one line per thread, giving the process and thread IDs (Proc.Thread, in hex), the ETHREAD address, the tick count since the thread last started waiting, its state, and the function it is blocked in (the "Blocker"). Examples.


kd> !stacks 0
Proc.Thread  .Thread  Ticks   ThreadState Blocker
                            [8273d640 Idle]
   0.000000  8273d380 000029f RUNNING    nt!KiIdleLoop+0xce
                            [839afbf8 System]
   4.000058  83a314b8 0000b39 Blocked    nt!MiModifiedPageWriter+0x39
   4.000068  83a2d430 000000d Blocked    nt!CcQueueLazyWriteScanThread+0x4a
   4.000074  83a29308 0000367 Blocked    nt!AlpcpReceiveMessagePort+0x245
   4.000078  83a46a88 000000d Blocked    nt!EtwpLogger+0xd0
   4.000080  83a51020 000000d Blocked    nt!EtwpLogger+0xd0
   4.000084  83a5c788 000000d Blocked    nt!EtwpLogger+0xd0
   4.000088  83a5c1f0 000000d Blocked    nt!EtwpLogger+0xd0
   4.00008c  83aa41c8 00001fc Blocked    nt!EtwpLogger+0xd0
   4.000090  842a7280 000000d Blocked    nt!EtwpLogger+0xd0
   4.000094  842b2020 0000645 Blocked    nt!EtwpLogger+0xd0
   4.000098  842b65c8 0000b37 Blocked    nt!WdipSemCheckTimeout+0x21d
   4.00009c  839b5020 00008db Blocked    ACPI!ACPIWorkerThread+0x47
   4.0000a0  84308428 0000b33 Blocked    ACPI!PciRootBusBiosMethodDispatcherOnResume+0x30
   4.0000a4  842c8d48 000008d Blocked    nt!EtwpLogger+0xd0
   4.0000a8  839ec020 0000b31 Blocked    vmbus!AwFinalizeWorkItem+0x4e
   4.0000ac  839ecd48 0000b31 Blocked    vmbus!AwFinalizeWorkItem+0x4e
   4.0000b0  839eca70 000064b Blocked    vmbus!AwFinalizeWorkItem+0x4e
   4.0000b4  842d9648 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000b8  846e1250 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000bc  846e2020 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000c0  846e2cf8 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000c4  846e2a20 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000c8  846e2610 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000cc  846e3020 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000d0  846e3d48 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000d8  846e3570 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000dc  8474a7a8 0000acf Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.0000e0  84780020 0000a04 Blocked    ndis!ndisThreadPoolTimerHandler+0xd9
   4.0000e8  847806d0 000034d Blocked    ndis!ndisCmWaitThread+0x5b
   4.0000ec  847d4d48 000000d Blocked    rdyboost!SMKM_STORE<SMD_TRAITS>::SmStWorker+0x64
   4.0000f0  847bfd48 0000003 Blocked    rdyboost!SmdRBMemoryWatchdogThread+0xc0
   4.0000fc  84851020 0000a8c Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.000100  849a6718 00009f7 Blocked    watchdog!SMgrGdiCalloutThread+0x35
   4.000108  8490d020 00009f7 Blocked    blbdrive!BlbIoWorkerThread+0x1e
   4.00010c  84938bc8 0000290 Blocked    nt!AlpcpReceiveMessagePort+0x245
   4.000128  84871d48 0000002 Blocked    VMBusVideoM!WorkerThreadRoutine+0xa9
   4.0001a0  84c3ed48 0000645 Blocked    nt!EtwpLogger+0xd0
   4.0001b4  83a24368 00001db Blocked    nt!IoRemoveIoCompletion+0x23
   4.0002b0  84d53508 0000310 Blocked    luafv!SynchronousFsControl+0x18f
   4.00032c  84d75d48 0000901 Blocked    nt!EtwpLogger+0xd0
   4.000374  84db5930 00001c4 Blocked    nt!EtwpLogger+0xd0
   4.0003a0  84eecd48 00008d2 Blocked    nt!EtwpLogger+0xd0
   4.0003c8  84f04d48 00008ca Blocked    nt!EtwpLogger+0xd0
   4.0003cc  84f1ad48 00008c2 Blocked    nt!EtwpLogger+0xd0
   4.0003f0  84eeb338 00008bd Blocked    csc!CscEnpEvictAutoThread+0x13e
   4.0003f4  84eebce0 00008bd Blocked    csc!CscEnpEvictAutoThread+0x13e
   4.0004c4  84f69d48 000087a Blocked    HTTP!UlpTimedWaitOnEvent+0x18
   4.0004c8  84f69a70 000073a Blocked    HTTP!UlpTimedWaitOnEvent+0x18
   4.0004cc  84f69798 000077a Blocked    HTTP!UlpScavengerThread+0x5e
   4.00051c  84f7b228 00006a5 Blocked    mpsdrv!AuditSuccessEvent+0x19b
   4.0005f8  84863300 0000813 Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.000670  85079750 000028f Blocked    srv2!SrvProcWorkerThread+0x113
   4.000688  850d51d8 0000290 Blocked    srv2!SrvProcWorkerThread+0x113
   4.00068c  85084bc0 00007eb Blocked    srv2!SrvProcWorkerThread+0x113
   4.000758  84fa3020 00000f2 Blocked    HTTP!UlpTimedWaitOnEvent+0x18
   4.0008cc  8495faf8 000028f Blocked    srv2!SrvProcWorkerThread+0x113
   4.0008d0  8495f820 000029a Blocked    srv2!SrvProcWorkerThread+0x113

                            [8490d9c8 smss.exe]
 110.000158  84907d48 0000907 Blocked    nt!IoRemoveIoCompletion+0x23

                            [84c3b030 csrss.exe]
 168.000174  83a17ca0 00005da Blocked    nt!AlpcpSignalAndWait+0x7b
 168.000178  83a237c8 0000822 Blocked    nt!ObpWaitForMultipleObjects+0x262
 168.00017c  83a23d48 000003c Blocked    nt!AlpcpReceiveMessagePort+0x245
 168.00019c  84c3ad48 000009f Blocked    nt!AlpcpReceiveMessagePort+0x245
 168.0001fc  84cce030 0000070 Blocked    nt!AlpcpReceiveMessagePort+0x245

                            [84bf2d40 wininit.exe]
 18c.0001a8  84c45d48 000018b Blocked    nt!ObpWaitForMultipleObjects+0x262
 18c.0001ac  84c48d48 00001c6 Blocked    nt!IoRemoveIoCompletion+0x23
 18c.0001b0  848ff770 000018b Blocked    nt!IoRemoveIoCompletion+0x23
 18c.0001f8  84d0f4d8 0000908 Blocked    nt!IoRemoveIoCompletion+0x23
 18c.000230  84ceed48 000090b Blocked    nt!IoRemoveIoCompletion+0x23
 18c.0002e8  84d71b78 000090b Blocked    nt!IoRemoveIoCompletion+0x23

                            [848a7d40 csrss.exe]
 194.0001b8  8490a030 0000367 Blocked    nt!AlpcpSignalAndWait+0x7b
 194.0001bc  8490ad48 0000649 Blocked    nt!ObpWaitForMultipleObjects+0x262
 194.0001c0  84900268 00001d3 Blocked    nt!AlpcpReceiveMessagePort+0x245
 194.0001d8  84cc4d48 00001dc Blocked    nt!AlpcpReceiveMessagePort+0x245
 194.000204  84ccda60 0000001 Blocked    win32k!xxxMsgWaitForMultipleObjects+0xe9

                            [84c54d40 winlogon.exe]
 1c8.0001cc  84900a08 000031c Blocked    nt!KiFastCallEntry+0x12a
 1c8.0001dc  84cc8978 000069a Blocked    nt!EtwpReceiveNotification+0xf4
 1c8.0001e0  84cc8030 0000187 Blocked    nt!ObpWaitForMultipleObjects+0x262
 1c8.0001e4  84cc9d48 0000187 Blocked    nt!IoRemoveIoCompletion+0x23
 1c8.0001f4  84d0fa40 000031c Blocked    nt!IoRemoveIoCompletion+0x23
 1c8.000358  84dd94d0 00008df Blocked    nt!IoRemoveIoCompletion+0x23

                            [84ccb408 services.exe]
 1ec.000240  84cea478 000003c Blocked    nt!ObpWaitForMultipleObjects+0x262
 1ec.000244  84cf5030 00007e1 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.000248  84cf3418 00007e1 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.00024c  84cee030 000034d Blocked    nt!ObpWaitForMultipleObjects+0x262
 1ec.000254  84d1f030 00007df Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.000258  84d1fd48 000018c Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.00025c  84c3ba68 0000649 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.000260  84cef378 000092f Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.000268  84d20030 00007e1 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.00026c  84d20d48 0000148 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0002ac  84d4aaf8 000003c Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.000468  84f3ec20 0000699 Blocked    nt!EtwpReceiveNotification+0xf4
 1ec.0004e0  842ad408 00007df Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006bc  850345a0 00007df Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006c0  850342b8 0000649 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006c4  850a3030 0000645 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006c8  850a3d48 000063e Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006cc  850a3a60 00003cd Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006d0  850a3778 00003cd Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006d4  850a3490 00007e1 Blocked    nt!IoRemoveIoCompletion+0x23
 1ec.0006d8  84d35b78 00007e1 Blocked    nt!IoRemoveIoCompletion+0x23

                            [84cdc860 lsass.exe]
 208.000220  848f7b20 00008b5 Blocked    nt!KiFastCallEntry+0x12a
 208.000224  84d047a8 00001ac Blocked    nt!ObpWaitForMultipleObjects+0x262
 208.000228  84d044c0 00008e4 Blocked    nt!IoRemoveIoCompletion+0x23
 208.00022c  84cfb030 0000901 Blocked    nt!IoRemoveIoCompletion+0x23
 208.000234  84d103a0 0000294 Blocked    nt!IoRemoveIoCompletion+0x23
 208.000270  84d23378 00006a8 Blocked    nt!IoRemoveIoCompletion+0x23
 208.00033c  84d72a60 00000aa Blocked    nt!IoRemoveIoCompletion+0x23
 208.000394  84eed338 00008c2 Blocked    nt!EtwpReceiveNotification+0xf4
 208.000774  850cad48 00006b1 Blocked    nt!KiFastCallEntry+0x12a
<OUTPUT SNIPPED>

There are other switches for the !stacks command which you can explore. Since !stacks lists the kernel threads of every process on the system, to see the execution context of a particular process we need to switch to it; the post on processes here shows how to do that.
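Here is an added example, not part of the original post and not WinDbg code, that automates the triage step this post and the .thread post above describe: it parses a saved !stacks 0 listing, ranks the blocked threads by how long they have been waiting, flags the ones blocked outside ntoskrnl (third-party driver code, or a stack that is paged out), and builds the .thread /p /r <ETHREAD> command to switch to one of them. The sample rows are copied from the output above; the regular expressions assume the column layout shown there.

```python
"""Added example (not WinDbg code): triage a saved `!stacks 0` listing.
It parses the per-process summary lines, reports which threads have
waited longest and which are blocked outside ntoskrnl, and builds the
`.thread /p /r <ETHREAD>` command used in the post above to switch to one."""
import re
from collections import Counter

# Process header: "[<EPROCESS> <image>]".  Thread row columns, as printed by
# !stacks 0:  Proc.Thread  .Thread  Ticks   ThreadState Blocker
PROCESS_RE = re.compile(r"^\s*\[([0-9a-f]+)\s+(\S+)\]\s*$")
THREAD_RE = re.compile(
    r"^\s*([0-9a-f]+)\.([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\w+)\s+(.*?)\s*$")

# Sample input: rows copied from the !stacks output on this page.
SAMPLE = """\
Proc.Thread  .Thread  Ticks   ThreadState Blocker
                            [8273d640 Idle]
   0.000000  8273d380 000029f RUNNING    nt!KiIdleLoop+0xce
                            [839afbf8 System]
   4.000058  83a314b8 0000b39 Blocked    nt!MiModifiedPageWriter+0x39
   4.00009c  839b5020 00008db Blocked    ACPI!ACPIWorkerThread+0x47
   4.0000b4  842d9648 0000b2f Blocked    Wdf01000!FxSystemThread::Thread+0xea
   4.000670  85079750 000028f Blocked    srv2!SrvProcWorkerThread+0x113
                            [84cdc860 lsass.exe]
 208.00021c  84ce1688 0000947 Blocked    Stack paged out
 208.000220  848f7b20 00008b5 Blocked    nt!KiFastCallEntry+0x12a
 208.000394  84eed338 00008c2 Blocked    nt!EtwpReceiveNotification+0xf4
 208.000774  850cad48 00006b1 Blocked    nt!KiFastCallEntry+0x12a
"""


def parse_stacks(text):
    """Return one dict per thread row, tagged with the owning process."""
    threads, eprocess, image = [], None, None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            eprocess, image = int(m.group(1), 16), m.group(2)
            continue
        m = THREAD_RE.match(line)
        if not m or eprocess is None:
            continue                 # column header, blanks, stack-frame continuations
        pid, tid, ethread, ticks, state, blocker = m.groups()
        threads.append({"image": image, "eprocess": eprocess,
                        "pid": int(pid, 16), "tid": int(tid, 16),
                        "ethread": int(ethread, 16), "ticks": int(ticks, 16),
                        "state": state, "blocker": blocker})
    return threads


def blocker_module(blocker):
    """'srv2!SrvProcWorkerThread+0x113' -> 'srv2'; no symbol (e.g. paged out) -> None."""
    return blocker.split("!", 1)[0] if "!" in blocker else None


def longest_waiting(threads, n=3):
    """Blocked threads with the highest tick count, i.e. waiting the longest."""
    blocked = [t for t in threads if t["state"] == "Blocked"]
    return sorted(blocked, key=lambda t: t["ticks"], reverse=True)[:n]


def outside_kernel(threads):
    """Threads whose top frame is in a module other than nt, or has no symbol at all."""
    return [t for t in threads if blocker_module(t["blocker"]) != "nt"]


def blocker_histogram(threads):
    """How many threads are parked per (process image, blocking module)."""
    return Counter((t["image"], blocker_module(t["blocker"])) for t in threads)


def switch_command(thread):
    """The command from the post above: thread + process context, reload user symbols."""
    return ".thread /p /r %08x" % thread["ethread"]


if __name__ == "__main__":
    rows = parse_stacks(SAMPLE)
    for t in longest_waiting(rows):
        print("%-10s tid %04x waited %5d ticks in %s" % (t["image"], t["tid"], t["ticks"], t["blocker"]))
    for t in outside_kernel(rows):
        print("%-10s %-40s -> %s" % (t["image"], t["blocker"], switch_command(t)))
```

Feed it a real listing (for example a log written with .logopen before running !stacks 0) to triage a hang across every process at once. A blocker of "Stack paged out" is deliberately reported alongside the non-nt modules: that thread's kernel stack is not in the dump, so switching to it with .thread will not give you a usable stack, and it is better to know that before picking an ETHREAD.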

Friday, 29 August 2014

WinDbg : the !peb Command

WinDbg : !peb

The process environment block (PEB) is one of the most important data structures Windows uses to track a process. It is the user-mode portion of the Windows process control structures (its kernel-mode counterpart is the EPROCESS, whose address !process prints).

Note: In a kernel-only dump the PEB is not available. The PEB lives in the process's user-mode address space, which a kernel dump does not capture, so a complete memory dump is needed to view it.

Since the PEB is a per-process user-mode structure, using this command while debugging a user-mode process (attached, or from a user-mode dump) shows the PEB of that process. In kernel mode, however, !peb uses the current process context. Kernel threads do not always run in the context of a user process, and in such cases the !peb command errors out. We then need to set the right process context explicitly, or supply the command with the address of the PEB we want (the Peb value that !process prints for the process).

My blog post here would help you understand how to set a process context.

The below output is for lsass.exe.

kd> !peb
PEB at 7ffda000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00d90000
    Ldr                       77c77880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00331718 . 003b81a8
    Ldr.InLoadOrderModuleList:           00331688 . 003b8198
    Ldr.InMemoryOrderModuleList:         00331690 . 003b81a0
            Base TimeStamp                     Module
          d90000 4a5bbf3e Jul 14 04:41:58 2009 C:\Windows\system32\lsass.exe
        77ba0000 4ce7b96e Nov 20 17:35:02 2010 C:\Windows\SYSTEM32\ntdll.dll
        76700000 4ce7b8ef Nov 20 17:32:55 2010 C:\Windows\system32\kernel32.dll
        75d70000 4ce7b8f0 Nov 20 17:32:56 2010 C:\Windows\system32\KERNELBASE.dll
        76a80000 4a5bda6f Jul 14 06:37:59 2009 C:\Windows\system32\msvcrt.dll
        76970000 4ce7b9a2 Nov 20 17:35:54 2010 C:\Windows\system32\RPCRT4.dll
        75b30000 4ce7891f Nov 20 14:08:55 2010 C:\Windows\system32\SspiSrv.dll
        75a30000 4ce7b86a Nov 20 17:30:42 2010 C:\Windows\system32\lsasrv.dll
        76950000 4a5bdb04 Jul 14 06:40:28 2009 C:\Windows\SYSTEM32\sechost.dll
        75bd0000 4ce7ba24 Nov 20 17:38:04 2010 C:\Windows\system32\SspiCli.dll
        77850000 4ce7b706 Nov 20 17:24:46 2010 C:\Windows\system32\ADVAPI32.dll
        778f0000 4ce7ba26 Nov 20 17:38:06 2010 C:\Windows\system32\USER32.dll
        76510000 4ce7b80a Nov 20 17:29:06 2010 C:\Windows\system32\GDI32.dll
        77ce0000 4a5bda19 Jul 14 06:36:33 2009 C:\Windows\system32\LPK.dll
        76b30000 4ce7ba29 Nov 20 17:38:09 2010 C:\Windows\system32\USP10.dll
        759a0000 4ce7b9a2 Nov 20 17:35:54 2010 C:\Windows\system32\SAMSRV.dll
        75980000 4a5bda3a Jul 14 06:37:06 2009 C:\Windows\system32\cryptdll.dll
        75d60000 4ce7b8c9 Nov 20 17:32:17 2010 C:\Windows\system32\MSASN1.dll
        75930000 4a5bdb2d Jul 14 06:41:09 2009 C:\Windows\system32\wevtapi.dll
        76000000 4ce7b845 Nov 20 17:30:05 2010 C:\Windows\system32\IMM32.DLL
        76880000 4a5bda69 Jul 14 06:37:53 2009 C:\Windows\system32\MSCTF.dll
        75920000 4a5bc425 Jul 14 05:02:53 2009 C:\Windows\system32\cngaudit.dll
        75900000 4a5bd98c Jul 14 06:34:12 2009 C:\Windows\system32\AUTHZ.dll
        758c0000 4a5bda79 Jul 14 06:38:09 2009 C:\Windows\system32\ncrypt.dll
        758a0000 4a5bd986 Jul 14 06:34:06 2009 C:\Windows\system32\bcrypt.dll
        75870000 4a5bda4d Jul 14 06:37:25 2009 C:\Windows\system32\msprivs.DLL
        75840000 4ce7b902 Nov 20 17:33:14 2010 C:\Windows\system32\netjoin.dll
        75820000 4a5bda82 Jul 14 06:38:18 2009 C:\Windows\system32\negoexts.DLL
        75bb0000 4ce7b9d1 Nov 20 17:36:41 2010 C:\Windows\system32\Secur32.dll
        75c40000 4a5bbf41 Jul 14 04:42:01 2009 C:\Windows\system32\cryptbase.dll
        75790000 4ce7b8ee Nov 20 17:32:54 2010 C:\Windows\system32\kerberos.DLL
        75770000 4a5bda3d Jul 14 06:37:09 2009 C:\Windows\system32\CRYPTSP.dll
        779c0000 4ce7ba68 Nov 20 17:39:12 2010 C:\Windows\system32\WS2_32.dll
        77dc0000 4a5bdad9 Jul 14 06:39:45 2009 C:\Windows\system32\NSI.dll
        75730000 4ce7b8e8 Nov 20 17:32:48 2010 C:\Windows\system32\mswsock.dll
        75720000 4a5bdb56 Jul 14 06:41:50 2009 C:\Windows\System32\wship6.dll
        756d0000 4ce7b8dc Nov 20 17:32:36 2010 C:\Windows\system32\msv1_0.DLL
        75640000 4ce7b903 Nov 20 17:33:15 2010 C:\Windows\system32\netlogon.DLL
        755f0000 4ce7b7e6 Nov 20 17:28:30 2010 C:\Windows\system32\DNSAPI.dll
        755c0000 4ce7b865 Nov 20 17:30:37 2010 C:\Windows\system32\logoncli.dll
        75580000 4ce7b9b0 Nov 20 17:36:08 2010 C:\Windows\system32\schannel.DLL
        75e10000 4ce7b841 Nov 20 17:30:01 2010 C:\Windows\system32\CRYPT32.dll
        75550000 4a5bdb29 Jul 14 06:41:05 2009 C:\Windows\system32\wdigest.DLL
        75510000 4a5bdae0 Jul 14 06:39:52 2009 C:\Windows\system32\rsaenh.dll
        754f0000 4ce7ba1e Nov 20 17:37:58 2010 C:\Windows\system32\tspkg.DLL
        754b0000 4a5bdaea Jul 14 06:40:02 2009 C:\Windows\system32\pku2u.DLL
        75470000 4a5bd987 Jul 14 06:34:07 2009 C:\Windows\system32\bcryptprimitives.dll
        75ce0000 4ce7992f Nov 20 15:17:27 2010 C:\Windows\system32\RpcRtRemote.dll
        75460000 4a5bc461 Jul 14 05:03:53 2009 C:\Windows\system32\efslsaext.dll
        753e0000 4ce7b9ad Nov 20 17:36:05 2010 C:\Windows\system32\scecli.DLL
        75440000 4ce7b83d Nov 20 17:29:57 2010 C:\Windows\system32\credssp.dll
        75cb0000 4ce7ba4e Nov 20 17:38:46 2010 C:\Windows\system32\WINSTA.dll
        73fb0000 4ce7b859 Nov 20 17:30:25 2010 C:\Windows\system32\IPHLPAPI.DLL
        73fa0000 4a5bdb43 Jul 14 06:41:31 2009 C:\Windows\system32\WINNSI.DLL
        74570000 4ce795a6 Nov 20 15:02:22 2010 C:\Windows\system32\netutils.dll
        75280000 4a5bdb5a Jul 14 06:41:54 2009 C:\Windows\System32\wshtcpip.dll
        75350000 4ce7ba28 Nov 20 17:38:08 2010 C:\Windows\system32\USERENV.dll
        75cf0000 4a5bbf41 Jul 14 04:42:01 2009 C:\Windows\system32\profapi.dll
        6fa60000 4ce7b781 Nov 20 17:26:49 2010 C:\Windows\system32\certpoleng.dll
        74560000 4ce795a7 Nov 20 15:02:23 2010 C:\Windows\system32\wkscli.dll
    SubSystemData:     00000000
    ProcessHeap:       00330000
    ProcessParameters: 00330f18
    CurrentDirectory:  'C:\Windows\system32\'
    WindowTitle:  'C:\Windows\system32\lsass.exe'
    ImageFile:    'C:\Windows\system32\lsass.exe'
    CommandLine:  'C:\Windows\system32\lsass.exe'
    DllPath:      'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
    Environment:  003307f0
        ALLUSERSPROFILE=C:\ProgramData
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=VM-OG3S62HCORJH
        ComSpec=C:\Windows\system32\cmd.exe
        FP_NO_HOST_CHECK=NO
        NUMBER_OF_PROCESSORS=1
        OS=Windows_NT
        Path=C:\Windows\System32
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 26 Stepping 5, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=1a05
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
        PUBLIC=C:\Users\Public
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\Windows\TEMP
        TMP=C:\Windows\TEMP
        USERNAME=SYSTEM
        USERPROFILE=C:\Windows\system32\config\systemprofile
        windir=C:\Windows
        windows_tracing_flags=3
        windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

Now, let's get the PEB and type cast it to the structure it represents. For the sake of example I have used the process explorer.exe here.

kd> !process 0 0 explorer.exe
PROCESS 8513fd40  SessionId: 1  Cid: 0138    Peb: 7ffda000  ParentCid: 07e0
    DirBase: 1eed3380  ObjectTable: 90d3d0d8  HandleCount: 845.
    Image: explorer.exe

kd> .process /p /r 8513fd40  
Implicit process is now 8513fd40
Loading User Symbols
................................................................
................................................................
...........


************* Symbol Loading Error Summary **************
Module name            Error
myfault                The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.

The address of the PEB of the current process context is also available in the pseudo-register $peb. We are going to use it for the following examples, together with the dt command, which is described in detail here.

kd> dt nt!_PEB @$peb
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 BitField         : 0x8 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsLegacyProcess  : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y1
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 SpareBits        : 0y000
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x000e0000 Void
   +0x00c Ldr              : 0x77c77880 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00441128 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x00440000 Void
   +0x01c FastPebLock      : 0x77c77380 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : (null) 
   +0x024 IFEOKey          : (null) 
   +0x028 CrossProcessFlags : 0
   +0x028 ProcessInJob     : 0y0
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH  : 0y0
   +0x028 ProcessUsingVCH  : 0y0
   +0x028 ProcessUsingFTH  : 0y0
   +0x028 ReservedBits0    : 0y000000000000000000000000000 (0)
   +0x02c KernelCallbackTable : 0x7790d568 Void
   +0x02c UserSharedInfoPtr : 0x7790d568 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0x3245aa0
   +0x038 ApiSetMap        : 0x77de0000 Void
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x77c77260 Void
   +0x044 TlsBitmapBits    : [2] 0xffffffff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
   +0x050 HotpatchInformation : (null) 
   +0x054 ReadOnlyStaticServerData : 0x7f6f0590  -> (null) 
   +0x058 AnsiCodePageData : 0x7ffb0000 Void
   +0x05c OemCodePageData  : 0x7ffc0224 Void
   +0x060 UnicodeCaseTableData : 0x7ffd0648 Void
   +0x064 NumberOfProcessors : 1
   +0x068 NtGlobalFlag     : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 0xd
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x77c77500  -> 0x00440000 Void
   +0x094 GdiSharedHandleTable : 0x00630000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x77c77340 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion   : 6
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0x1db1
   +0x0ae OSCSDVersion     : 0x100
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 2
   +0x0b8 ImageSubsystemMajorVersion : 6
   +0x0bc ImageSubsystemMinorVersion : 1
   +0x0c0 ActiveProcessAffinityMask : 1
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x77c77268 Void
   +0x154 TlsExpansionBitmapBits : [32] 1
   +0x1d4 SessionId        : 1
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData        : (null) 
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : _UNICODE_STRING "Service Pack 1"
   +0x1f8 ActivationContextData : 0x00040000 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : 0x004723b8 _ASSEMBLY_STORAGE_MAP
   +0x200 SystemDefaultActivationContextData : 0x00030000 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : 0x004510b0 _ASSEMBLY_STORAGE_MAP
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback      : 0x00452af8 _FLS_CALLBACK_INFO
   +0x210 FlsListHead      : _LIST_ENTRY [ 0x4527e0 - 0x469d1c8 ]
   +0x218 FlsBitmap        : 0x77c77270 Void
   +0x21c FlsBitmapBits    : [4] 0xf
   +0x22c FlsHighIndex     : 3
   +0x230 WerRegistrationData : 0x018e0000 Void
   +0x234 WerShipAssertPtr : (null) 
   +0x238 pContextData     : 0x00050000 Void
   +0x23c pImageHeaderHash : (null) 
   +0x240 TracingFlags     : 0
   +0x240 HeapTracingEnabled : 0y0
   +0x240 CritSecTracingEnabled : 0y0
   +0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)


The dt output contains a lot more information than the !peb extension shows. Let's see if we can extract the actual environment variables from it. We have previously learnt how to use the dt command to expand substructures inside structures; in case you missed that post, it can be found here.

kd> dt nt!_PEB @$peb -y Proc*
   +0x010 ProcessParameters : 0x00441128 _RTL_USER_PROCESS_PARAMETERS
   +0x018 ProcessHeap : 0x00440000 Void
   +0x028 ProcessInJob : 0y0
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH : 0y0
   +0x028 ProcessUsingVCH : 0y0
   +0x028 ProcessUsingFTH : 0y0
   +0x090 ProcessHeaps : 0x77c77500  -> 0x00440000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x1fc ProcessAssemblyStorageMap : 0x004723b8 _ASSEMBLY_STORAGE_MAP

ProcessParameters is the structure of interest to us, so let's dereference it to see what it contains.

kd> dt nt!_PEB @$peb ProcessParameters->*
   +0x010 ProcessParameters   : 
      +0x000 MaximumLength       : 0x6c4
      +0x004 Length              : 0x6c4
      +0x008 Flags               : 0x6001
      +0x00c DebugFlags          : 0
      +0x010 ConsoleHandle       : (null) 
      +0x014 ConsoleFlags        : 0
      +0x018 StandardInput       : (null) 
      +0x01c StandardOutput      : (null) 
      +0x020 StandardError       : (null) 
      +0x024 CurrentDirectory    : _CURDIR
      +0x030 DllPath             : _UNICODE_STRING "C:\Windows;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\"
      +0x038 ImagePathName       : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x040 CommandLine         : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x048 Environment         : 0x00500c18 Void
      +0x04c StartingX           : 0
      +0x050 StartingY           : 0
      +0x054 CountX              : 0
      +0x058 CountY              : 0
      +0x05c CountCharsX         : 0
      +0x060 CountCharsY         : 0x409
      +0x064 FillAttribute       : 0x440000
      +0x068 WindowFlags         : 1
      +0x06c ShowWindowFlags     : 1
      +0x070 WindowTitle         : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x078 DesktopInfo         : _UNICODE_STRING "Winsta0\Default"
      +0x080 ShellInfo           : _UNICODE_STRING "C:\Windows\Explorer.EXE"
      +0x088 RuntimeData         : _UNICODE_STRING ""
      +0x090 CurrentDirectores   : [32] _RTL_DRIVE_LETTER_CURDIR
      +0x290 EnvironmentSize     : 0x93c
      +0x294 EnvironmentVersion  : 0x13

Other fields are also of interest, for example the ProcessHeap and ProcessHeaps fields. These are discussed in detail in the post about process heaps.
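As an added example (this is not WinDbg's !peb implementation and not code from the original post), the following script reads the same fields from a raw memory image using nothing but the offsets that dt nt!_PEB and dt ... ProcessParameters->* printed above: it decodes _UNICODE_STRING values such as ImagePathName and CommandLine and walks the Environment block into a dictionary, which is what a memory-forensics tool has to do when no debugger is attached. The memory image is constructed inline to mirror the explorer.exe PEB shown above (same PEB, ProcessParameters and Environment addresses and the same scalar values; the environment is a made-up three-entry block). The offsets are the Windows 7 SP1 x86 ones from this page and must be re-read from dt against matching symbols for any other build.

```python
"""Added example (not WinDbg's !peb): decode an x86 _PEB and its
_RTL_USER_PROCESS_PARAMETERS straight from a raw memory image, using the
field offsets `dt nt!_PEB` printed above (Windows 7 SP1 x86 layout)."""
import struct

# Offsets copied from the dt output on this page.
PEB_BEING_DEBUGGED, PEB_BITFIELD = 0x002, 0x003
PEB_IMAGE_BASE, PEB_LDR, PEB_PROCESS_PARAMS, PEB_PROCESS_HEAP = 0x008, 0x00c, 0x010, 0x018
PEB_OS_MAJOR, PEB_OS_MINOR, PEB_SESSION_ID = 0x0a4, 0x0a8, 0x1d4
RUPP_IMAGE_PATH, RUPP_COMMAND_LINE, RUPP_ENVIRONMENT, RUPP_ENV_SIZE = 0x038, 0x040, 0x048, 0x290
BIT_IMAGE_DYNAMICALLY_RELOCATED = 1 << 3      # 4th bit of PEB.BitField, as dt listed it


class FlatMemory:
    """Sparse 32-bit address space. A read touching an unmapped page fails
    loudly, which is what a paged-out PEB looks like in a kernel dump."""
    def __init__(self):
        self.regions = {}                 # base -> bytearray

    def map(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError("address %#x (+%#x) is not mapped" % (addr, size))

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def u8(self, addr):
        return self.read(addr, 1)[0]

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def read_unicode_string(mem, addr):
    """x86 _UNICODE_STRING: USHORT Length, USHORT MaximumLength, PWSTR Buffer."""
    length, _maxlen, buffer = struct.unpack("<HHI", mem.read(addr, 8))
    return mem.read(buffer, length).decode("utf-16-le")


def read_environment(mem, addr, size):
    """Environment block: NUL-separated UTF-16 'KEY=VALUE' strings, double NUL at the end."""
    env = {}
    for entry in mem.read(addr, size).decode("utf-16-le").split("\0"):
        if not entry:                     # empty entry = the terminating double NUL
            break
        key, _, value = entry.partition("=")
        env[key] = value
    return env


def parse_peb(mem, peb):
    """Return the facts !peb prints, read directly from memory."""
    params = mem.u32(peb + PEB_PROCESS_PARAMS)
    return {
        "being_debugged": bool(mem.u8(peb + PEB_BEING_DEBUGGED)),
        "image_dynamically_relocated":
            bool(mem.u8(peb + PEB_BITFIELD) & BIT_IMAGE_DYNAMICALLY_RELOCATED),
        "image_base": mem.u32(peb + PEB_IMAGE_BASE),
        "ldr": mem.u32(peb + PEB_LDR),
        "process_heap": mem.u32(peb + PEB_PROCESS_HEAP),
        "os_version": (mem.u32(peb + PEB_OS_MAJOR), mem.u32(peb + PEB_OS_MINOR)),
        "session_id": mem.u32(peb + PEB_SESSION_ID),
        "image_path": read_unicode_string(mem, params + RUPP_IMAGE_PATH),
        "command_line": read_unicode_string(mem, params + RUPP_COMMAND_LINE),
        "environment": read_environment(mem, mem.u32(params + RUPP_ENVIRONMENT),
                                        mem.u32(params + RUPP_ENV_SIZE)),
    }


def build_sample_process():
    """Constructed image of the explorer.exe PEB shown above: the addresses and
    scalar values are the page's, the environment is a made-up subset."""
    mem = FlatMemory()
    peb, params, env = 0x7ffda000, 0x00441128, 0x00500c18
    for base in (0x7ffda000, 0x00441000, 0x00500000):
        mem.map(base, 0x2000)

    def put_ustr(struct_addr, buf_addr, text):
        data = text.encode("utf-16-le")
        mem.write(buf_addr, data + b"\0\0")
        mem.write(struct_addr, struct.pack("<HHI", len(data), len(data) + 2, buf_addr))

    mem.write(peb + PEB_BITFIELD, b"\x08")            # IsImageDynamicallyRelocated = 1
    for off, val in ((PEB_IMAGE_BASE, 0x000e0000), (PEB_LDR, 0x77c77880),
                     (PEB_PROCESS_PARAMS, params), (PEB_PROCESS_HEAP, 0x00440000),
                     (PEB_OS_MAJOR, 6), (PEB_OS_MINOR, 1), (PEB_SESSION_ID, 1)):
        mem.write(peb + off, struct.pack("<I", val))
    put_ustr(params + RUPP_IMAGE_PATH, 0x00441400, "C:\\Windows\\Explorer.EXE")
    put_ustr(params + RUPP_COMMAND_LINE, 0x00441500, "C:\\Windows\\Explorer.EXE")
    block = ("COMPUTERNAME=VM-OG3S62HCORJH\0USERNAME=SYSTEM\0"
             "SystemRoot=C:\\Windows\0\0").encode("utf-16-le")
    mem.write(env, block)
    mem.write(params + RUPP_ENVIRONMENT, struct.pack("<I", env))
    mem.write(params + RUPP_ENV_SIZE, struct.pack("<I", len(block)))
    return mem


if __name__ == "__main__":
    for key, value in parse_peb(build_sample_process(), 0x7ffda000).items():
        print("%-28s %s" % (key, value))
```

An unmapped read raises ValueError, which is the scripted equivalent of the kernel-dump caveat earlier in this post: if the page holding the PEB was never captured, there is nothing to decode, and the failure should be explicit rather than silently producing zeros.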