WinDbg : !process
The !process extension command lists some very useful information about processes. Depending on the switches used, it displays information about one or all processes, and it has several further switches that enhance and tune its output. This extension is only available in kernel mode. Below are some examples.
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 839afbf8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 87401ca0 HandleCount: 463.
Image: System
PROCESS 8490d9c8 SessionId: none Cid: 0110 Peb: 7ffdf000 ParentCid: 0004
DirBase: 1eed3020 ObjectTable: 87502738 HandleCount: 29.
Image: smss.exe
PROCESS 84c3b030 SessionId: 0 Cid: 0168 Peb: 7ffdd000 ParentCid: 0160
DirBase: 1eed3060 ObjectTable: 875fb0f0 HandleCount: 388.
Image: csrss.exe
PROCESS 84bf2d40 SessionId: 0 Cid: 018c Peb: 7ffd8000 ParentCid: 0160
DirBase: 1eed30a0 ObjectTable: 95e2ae60 HandleCount: 90.
Image: wininit.exe
PROCESS 848a7d40 SessionId: 1 Cid: 0194 Peb: 7ffdf000 ParentCid: 0184
DirBase: 1eed3040 ObjectTable: 95e1fcf8 HandleCount: 151.
Image: csrss.exe
PROCESS 84c54d40 SessionId: 1 Cid: 01c8 Peb: 7ffd7000 ParentCid: 0184
DirBase: 1eed30c0 ObjectTable: 95e60f18 HandleCount: 119.
Image: winlogon.exe
PROCESS 84ccb408 SessionId: 0 Cid: 01ec Peb: 7ffdd000 ParentCid: 018c
DirBase: 1eed3080 ObjectTable: 95e7e3b8 HandleCount: 224.
Image: services.exe
PROCESS 84cdc860 SessionId: 0 Cid: 0208 Peb: 7ffda000 ParentCid: 018c
DirBase: 1eed30e0 ObjectTable: 95f00d18 HandleCount: 513.
Image: lsass.exe
PROCESS 84939030 SessionId: 0 Cid: 0210 Peb: 7ffdb000 ParentCid: 018c
DirBase: 1eed3100 ObjectTable: 87a1b8a0 HandleCount: 148.
Image: lsm.exe
PROCESS 84d21858 SessionId: 0 Cid: 0278 Peb: 7ffd3000 ParentCid: 01ec
DirBase: 1eed3120 ObjectTable: 87a37600 HandleCount: 364.
Image: svchost.exe
PROCESS 84d55030 SessionId: 0 Cid: 02b8 Peb: 7ffde000 ParentCid: 01ec
DirBase: 1eed3140 ObjectTable: 87a48980 HandleCount: 230.
Image: svchost.exe
PROCESS 84d6db48 SessionId: 0 Cid: 02ec Peb: 7ffdf000 ParentCid: 01ec
DirBase: 1eed3160 ObjectTable: 87b44cd8 HandleCount: 377.
Image: svchost.exe
PROCESS 84dd9cd8 SessionId: 0 Cid: 0364 Peb: 7ffd6000 ParentCid: 01ec
DirBase: 1eed31a0 ObjectTable: 95e28c50 HandleCount: 397.
Image: svchost.exe
PROCESS 84f12d40 SessionId: 0 Cid: 03a4 Peb: 7ffdf000 ParentCid: 01ec
DirBase: 1eed31c0 ObjectTable: 8ba6a968 HandleCount: 792.
Image: svchost.exe
PROCESS 84f28af0 SessionId: 0 Cid: 0418 Peb: 7ffdf000 ParentCid: 01ec
DirBase: 1eed31e0 ObjectTable: 87a52390 HandleCount: 282.
Image: svchost.exe
PROCESS 84f76030 SessionId: 0 Cid: 0470 Peb: 7ffd3000 ParentCid: 01ec
DirBase: 1eed3200 ObjectTable: 87a5dc70 HandleCount: 417.
Image: svchost.exe
PROCESS 84f9ad40 SessionId: 0 Cid: 04d0 Peb: 7ffde000 ParentCid: 01ec
DirBase: 1eed3220 ObjectTable: 8bb289d8 HandleCount: 283.
Image: spoolsv.exe
PROCESS 847edaf0 SessionId: 0 Cid: 04f8 Peb: 7ffdf000 ParentCid: 01ec
DirBase: 1eed3240 ObjectTable: 8bb585e8 HandleCount: 318.
Image: svchost.exe
PROCESS 84ff0030 SessionId: 0 Cid: 054c Peb: 7ffda000 ParentCid: 01ec
DirBase: 1eed3260 ObjectTable: 8bb5eda0 HandleCount: 118.
Image: vmicsvc.exe
PROCESS 84ff6930 SessionId: 0 Cid: 0560 Peb: 7ffde000 ParentCid: 01ec
DirBase: 1eed3280 ObjectTable: 8bae8cd0 HandleCount: 226.
Image: vmicsvc.exe
PROCESS 84fb88b8 SessionId: 0 Cid: 058c Peb: 7ffde000 ParentCid: 01ec
DirBase: 1eed32a0 ObjectTable: 87a5c7d0 HandleCount: 79.
Image: vmicsvc.exe
PROCESS 85025650 SessionId: 0 Cid: 05a4 Peb: 7ffdc000 ParentCid: 01ec
DirBase: 1eed32c0 ObjectTable: 8bb6e6f8 HandleCount: 93.
Image: vmicsvc.exe
PROCESS 85039af0 SessionId: 0 Cid: 05c0 Peb: 7ffdc000 ParentCid: 01ec
DirBase: 1eed32e0 ObjectTable: 8bbb55b0 HandleCount: 85.
Image: vmicsvc.exe
PROCESS 851315e8 SessionId: 1 Cid: 07b4 Peb: 7ffda000 ParentCid: 01ec
DirBase: 1eed3320 ObjectTable: 8e5aa588 HandleCount: 156.
Image: taskhost.exe
PROCESS 85116d40 SessionId: 1 Cid: 07e0 Peb: 7ffdc000 ParentCid: 01c8
DirBase: 1eed3340 ObjectTable: 90d1ab90 HandleCount: 47.
Image: userinit.exe
PROCESS 85116918 SessionId: 1 Cid: 07e8 Peb: 7ffdf000 ParentCid: 0364
DirBase: 1eed3360 ObjectTable: 90d2b448 HandleCount: 71.
Image: dwm.exe
PROCESS 8513fd40 SessionId: 1 Cid: 0138 Peb: 7ffda000 ParentCid: 07e0
DirBase: 1eed3380 ObjectTable: 90d3d0d8 HandleCount: 845.
Image: explorer.exe
PROCESS 84d9fd40 SessionId: 0 Cid: 07dc Peb: 7ffd8000 ParentCid: 01ec
DirBase: 1eed3300 ObjectTable: 8e5a5908 HandleCount: 611.
Image: SearchIndexer.exe
PROCESS 851b4508 SessionId: 0 Cid: 0330 Peb: 7ffde000 ParentCid: 07dc
DirBase: 1eed33a0 ObjectTable: 93cbf100 HandleCount: 282.
Image: SearchProtocolHost.exe
PROCESS 846e9810 SessionId: 0 Cid: 0790 Peb: 7ffdf000 ParentCid: 07dc
DirBase: 1eed33c0 ObjectTable: 93cbd818 HandleCount: 94.
Image: SearchFilterHost.exe
PROCESS 851d1348 SessionId: 1 Cid: 08b4 Peb: 7ffd4000 ParentCid: 0138
DirBase: 1eed3420 ObjectTable: 93d06750 HandleCount: 71.
Image: NotMyfault.exe
This dumps information about all processes. However, if we want information about only one process and we know its name, we can narrow the output by adding the optional ImageName parameter.
kd> !process 0 0 lsass.exe
PROCESS 84cdc860 SessionId: 0 Cid: 0208 Peb: 7ffda000 ParentCid: 018c
DirBase: 1eed30e0 ObjectTable: 95f00d18 HandleCount: 513.
Image: lsass.exe
We will see how to use the information given out to us by this command in a while.
WinDbg : .process
The .process (dot process) command switches the debugger into the context of a process. In user mode we usually attach to one particular process, or the user-mode dump is of a single process anyway. In kernel mode, however, the dump or debugger attachment covers the whole system, so to switch the debugger's context to a specific process we need the .process command. Examples below.
Let's use the lsass.exe output from the last section as a baseline and start with it.
kd> !process 0 0 lsass.exe
PROCESS 84cdc860 SessionId: 0 Cid: 0208 Peb: 7ffda000 ParentCid: 018c
DirBase: 1eed30e0 ObjectTable: 95f00d18 HandleCount: 513.
Image: lsass.exe
kd> .process /p /r 84cdc860
Implicit process is now 84cdc860
Loading User Symbols
............................................................
As we see, the debugger is now set to use this process implicitly. This means that the process execution block and important registers like CR3 (used for virtual addressing; more on CR3 later) are now mapped to this process in the debugger.
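The two sections above describe a workflow that is easy to automate when you have saved kernel-debugger output (for example, !process 0 0 run against a memory dump during an incident): parse the PROCESS / DirBase / Image triplets, find the process you care about, and produce the matching .process /p /r command with its EPROCESS address. The following parser is an added example written for this page; it is not code from the original post or from WinDbg. It assumes the line layout shown above, and it also accepts the backtick-separated 64-bit addresses that x64 WinDbg prints, which the 32-bit listing above does not contain. The sample input is a constructed subset of the listing above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the "!process 0 0" listing above.
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 839afbf8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 87401ca0 HandleCount: 463.
Image: System
PROCESS 84bf2d40 SessionId: 0 Cid: 018c Peb: 7ffd8000 ParentCid: 0160
DirBase: 1eed30a0 ObjectTable: 95e2ae60 HandleCount: 90.
Image: wininit.exe
PROCESS 84ccb408 SessionId: 0 Cid: 01ec Peb: 7ffdd000 ParentCid: 018c
DirBase: 1eed3080 ObjectTable: 95e7e3b8 HandleCount: 224.
Image: services.exe
PROCESS 84cdc860 SessionId: 0 Cid: 0208 Peb: 7ffda000 ParentCid: 018c
DirBase: 1eed30e0 ObjectTable: 95f00d18 HandleCount: 513.
Image: lsass.exe
PROCESS 84d21858 SessionId: 0 Cid: 0278 Peb: 7ffd3000 ParentCid: 01ec
DirBase: 1eed3120 ObjectTable: 87a37600 HandleCount: 364.
Image: svchost.exe
"""

# Hex fields may contain a backtick on x64 targets (e.g. ffffe000`12345678).
HEX = r"([0-9a-f`]+)"
PROCESS_RE = re.compile(
    r"^PROCESS\s+" + HEX + r"\s+SessionId:\s*(\S+)\s+Cid:\s*" + HEX
    + r"\s+Peb:\s*" + HEX + r"\s+ParentCid:\s*" + HEX, re.I)
DIRBASE_RE = re.compile(
    r"^DirBase:\s*" + HEX + r"\s+ObjectTable:\s*" + HEX + r"\s+HandleCount:\s*(\d+)", re.I)
IMAGE_RE = re.compile(r"^Image:\s*(.+?)\s*$")


def hexval(s: str) -> int:
    """Convert a WinDbg hex field to int, dropping the x64 backtick separator."""
    return int(s.replace("`", ""), 16)


@dataclass
class Proc:
    eprocess: int            # the PROCESS address, i.e. the EPROCESS pointer
    session: Optional[int]   # None when WinDbg prints "SessionId: none"
    cid: int                 # process id
    peb: int
    parent_cid: int
    dirbase: int = 0         # value loaded into CR3 when this process runs
    object_table: int = 0
    handle_count: int = 0
    image: str = ""
    children: List["Proc"] = field(default_factory=list)


def parse_process_dump(text: str) -> List[Proc]:
    """Parse "!process 0 0" (or "!process 0 0 <image>") output into Proc records."""
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            session = None if m[2].lower() == "none" else int(m[2])
            cur = Proc(hexval(m[1]), session, hexval(m[3]), hexval(m[4]), hexval(m[5]))
            procs.append(cur)
            continue
        if cur is None:
            continue  # header line before the first PROCESS entry
        m = DIRBASE_RE.match(line)
        if m:
            cur.dirbase, cur.object_table = hexval(m[1]), hexval(m[2])
            cur.handle_count = int(m[3])
            continue
        m = IMAGE_RE.match(line)
        if m:
            cur.image = m[1]
    return procs


def find_by_image(procs: List[Proc], image: str) -> List[Proc]:
    """All entries whose image name matches, case-insensitively (there may be several)."""
    return [p for p in procs if p.image.lower() == image.lower()]


def switch_command(proc: Proc) -> str:
    """The .process command that makes this process the implicit context.
    /p pages in the process's user-mode memory, /r reloads user symbols."""
    return f".process /p /r {proc.eprocess:08x}"


def build_tree(procs: List[Proc]) -> List[Proc]:
    """Link entries by ParentCid. Caveat: Cids are reused after a process exits,
    so an orphan (parent not in the listing) is the honest answer, not an error."""
    for p in procs:
        p.children = []
    by_cid = {p.cid: p for p in procs}
    roots = []
    for p in procs:
        parent = by_cid.get(p.parent_cid)
        if parent is not None and parent is not p:
            parent.children.append(p)
        else:
            roots.append(p)  # System (ParentCid 0000) or a process whose parent is gone
    return roots


def render_tree(roots: List[Proc], depth: int = 0) -> str:
    return "".join(
        f"{'  ' * depth}{p.image or '?'} (Cid {p.cid:04x}, EPROCESS {p.eprocess:08x})\n"
        + render_tree(p.children, depth + 1)
        for p in roots)


if __name__ == "__main__":
    procs = parse_process_dump(SAMPLE)
    print(render_tree(build_tree(procs)))
    for p in find_by_image(procs, "lsass.exe"):
        print(switch_command(p))
```

Because Cids are recycled, the tree is only as trustworthy as the snapshot it came from; when a ParentCid points at an image you would not expect as the parent, check the creation times of both processes before drawing conclusions.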
In some future posts we will see how we can use these commands to salvage critical information related to the processes.