Search This Blog

Thursday 28 August 2014

WinDbg : the !process and the .process Commands

WinDbg : !process

The !process extension command lists down some very useful information related to processes. depending on what switches are used, it can display information about one or all processes. The command also has several switches to enhance and tune it's output. This extension is only available in kernel mode. Below are some examples.


kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 839afbf8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 87401ca0  HandleCount: 463.
    Image: System

 PROCESS 8490d9c8  SessionId: none  Cid: 0110    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 1eed3020  ObjectTable: 87502738  HandleCount:  29.
    Image: smss.exe

 PROCESS 84c3b030  SessionId: 0  Cid: 0168    Peb: 7ffdd000  ParentCid: 0160
    DirBase: 1eed3060  ObjectTable: 875fb0f0  HandleCount: 388.
    Image: csrss.exe

 PROCESS 84bf2d40  SessionId: 0  Cid: 018c    Peb: 7ffd8000  ParentCid: 0160
    DirBase: 1eed30a0  ObjectTable: 95e2ae60  HandleCount:  90.
    Image: wininit.exe

 PROCESS 848a7d40  SessionId: 1  Cid: 0194    Peb: 7ffdf000  ParentCid: 0184
    DirBase: 1eed3040  ObjectTable: 95e1fcf8  HandleCount: 151.
    Image: csrss.exe

 PROCESS 84c54d40  SessionId: 1  Cid: 01c8    Peb: 7ffd7000  ParentCid: 0184
    DirBase: 1eed30c0  ObjectTable: 95e60f18  HandleCount: 119.
    Image: winlogon.exe

 PROCESS 84ccb408  SessionId: 0  Cid: 01ec    Peb: 7ffdd000  ParentCid: 018c
    DirBase: 1eed3080  ObjectTable: 95e7e3b8  HandleCount: 224.
    Image: services.exe

 PROCESS 84cdc860  SessionId: 0  Cid: 0208    Peb: 7ffda000  ParentCid: 018c
    DirBase: 1eed30e0  ObjectTable: 95f00d18  HandleCount: 513.
    Image: lsass.exe

 PROCESS 84939030  SessionId: 0  Cid: 0210    Peb: 7ffdb000  ParentCid: 018c
    DirBase: 1eed3100  ObjectTable: 87a1b8a0  HandleCount: 148.
    Image: lsm.exe

 PROCESS 84d21858  SessionId: 0  Cid: 0278    Peb: 7ffd3000  ParentCid: 01ec
    DirBase: 1eed3120  ObjectTable: 87a37600  HandleCount: 364.
    Image: svchost.exe

 PROCESS 84d55030  SessionId: 0  Cid: 02b8    Peb: 7ffde000  ParentCid: 01ec
    DirBase: 1eed3140  ObjectTable: 87a48980  HandleCount: 230.
    Image: svchost.exe

 PROCESS 84d6db48  SessionId: 0  Cid: 02ec    Peb: 7ffdf000  ParentCid: 01ec
    DirBase: 1eed3160  ObjectTable: 87b44cd8  HandleCount: 377.
    Image: svchost.exe

 PROCESS 84dd9cd8  SessionId: 0  Cid: 0364    Peb: 7ffd6000  ParentCid: 01ec
    DirBase: 1eed31a0  ObjectTable: 95e28c50  HandleCount: 397.
    Image: svchost.exe

 PROCESS 84f12d40  SessionId: 0  Cid: 03a4    Peb: 7ffdf000  ParentCid: 01ec
    DirBase: 1eed31c0  ObjectTable: 8ba6a968  HandleCount: 792.
    Image: svchost.exe

 PROCESS 84f28af0  SessionId: 0  Cid: 0418    Peb: 7ffdf000  ParentCid: 01ec
    DirBase: 1eed31e0  ObjectTable: 87a52390  HandleCount: 282.
    Image: svchost.exe

 PROCESS 84f76030  SessionId: 0  Cid: 0470    Peb: 7ffd3000  ParentCid: 01ec
    DirBase: 1eed3200  ObjectTable: 87a5dc70  HandleCount: 417.
    Image: svchost.exe

 PROCESS 84f9ad40  SessionId: 0  Cid: 04d0    Peb: 7ffde000  ParentCid: 01ec
    DirBase: 1eed3220  ObjectTable: 8bb289d8  HandleCount: 283.
    Image: spoolsv.exe

 PROCESS 847edaf0  SessionId: 0  Cid: 04f8    Peb: 7ffdf000  ParentCid: 01ec
    DirBase: 1eed3240  ObjectTable: 8bb585e8  HandleCount: 318.
    Image: svchost.exe

 PROCESS 84ff0030  SessionId: 0  Cid: 054c    Peb: 7ffda000  ParentCid: 01ec
    DirBase: 1eed3260  ObjectTable: 8bb5eda0  HandleCount: 118.
    Image: vmicsvc.exe

 PROCESS 84ff6930  SessionId: 0  Cid: 0560    Peb: 7ffde000  ParentCid: 01ec
    DirBase: 1eed3280  ObjectTable: 8bae8cd0  HandleCount: 226.
    Image: vmicsvc.exe

 PROCESS 84fb88b8  SessionId: 0  Cid: 058c    Peb: 7ffde000  ParentCid: 01ec
    DirBase: 1eed32a0  ObjectTable: 87a5c7d0  HandleCount:  79.
    Image: vmicsvc.exe

 PROCESS 85025650  SessionId: 0  Cid: 05a4    Peb: 7ffdc000  ParentCid: 01ec
    DirBase: 1eed32c0  ObjectTable: 8bb6e6f8  HandleCount:  93.
    Image: vmicsvc.exe

 PROCESS 85039af0  SessionId: 0  Cid: 05c0    Peb: 7ffdc000  ParentCid: 01ec
    DirBase: 1eed32e0  ObjectTable: 8bbb55b0  HandleCount:  85.
    Image: vmicsvc.exe

 PROCESS 851315e8  SessionId: 1  Cid: 07b4    Peb: 7ffda000  ParentCid: 01ec
    DirBase: 1eed3320  ObjectTable: 8e5aa588  HandleCount: 156.
    Image: taskhost.exe

 PROCESS 85116d40  SessionId: 1  Cid: 07e0    Peb: 7ffdc000  ParentCid: 01c8
    DirBase: 1eed3340  ObjectTable: 90d1ab90  HandleCount:  47.
    Image: userinit.exe

 PROCESS 85116918  SessionId: 1  Cid: 07e8    Peb: 7ffdf000  ParentCid: 0364
    DirBase: 1eed3360  ObjectTable: 90d2b448  HandleCount:  71.
    Image: dwm.exe

 PROCESS 8513fd40  SessionId: 1  Cid: 0138    Peb: 7ffda000  ParentCid: 07e0
    DirBase: 1eed3380  ObjectTable: 90d3d0d8  HandleCount: 845.
    Image: explorer.exe

 PROCESS 84d9fd40  SessionId: 0  Cid: 07dc    Peb: 7ffd8000  ParentCid: 01ec
    DirBase: 1eed3300  ObjectTable: 8e5a5908  HandleCount: 611.
    Image: SearchIndexer.exe

 PROCESS 851b4508  SessionId: 0  Cid: 0330    Peb: 7ffde000  ParentCid: 07dc
    DirBase: 1eed33a0  ObjectTable: 93cbf100  HandleCount: 282.
    Image: SearchProtocolHost.exe

 PROCESS 846e9810  SessionId: 0  Cid: 0790    Peb: 7ffdf000  ParentCid: 07dc
    DirBase: 1eed33c0  ObjectTable: 93cbd818  HandleCount:  94.
    Image: SearchFilterHost.exe

 PROCESS 851d1348  SessionId: 1  Cid: 08b4    Peb: 7ffd4000  ParentCid: 0138
    DirBase: 1eed3420  ObjectTable: 93d06750  HandleCount:  71.
    Image: NotMyfault.exe

 This dumps information about all processes. However, if we want to get information about only one process, and if we know the name of this process, we can tune the putput by adding the optional ImageName parameter to it.

 kd> !process 0 0 lsass.exe
PROCESS 84cdc860  SessionId: 0  Cid: 0208    Peb: 7ffda000  ParentCid: 018c
    DirBase: 1eed30e0  ObjectTable: 95f00d18  HandleCount: 513.

    Image: lsass.exe

 We will see how to use the information given out to us by this command in a while.

WinDbg : .process

The .process (dot process) command is used to switch the debugger into the context of the process. When in user mode, we usually attach to a particular process or the dump generated in user mode is of one process. However, in kernel mode, the dump or debugger attachment will be generic and to switch the context into that of the current process we would need the .process command. Examples below.

Lets use the lsass.exe output from the last section as a base line and start with it.

 kd> !process 0 0 lsass.exe
PROCESS 84cdc860  SessionId: 0  Cid: 0208    Peb: 7ffda000  ParentCid: 018c
    DirBase: 1eed30e0  ObjectTable: 95f00d18  HandleCount: 513.

    Image: lsass.exe

 kd> .process /p /r 84cdc860  
Implicit process is now 84cdc860
Loading User Symbols

............................................................

 As we see, the debugger now is set to use this process implicitly. The means that the process execution block and other important registers like the CR3 (used for virtual addressing : more later on CR3) would now be mapped to this process in the debugger.

 In some future posts we will see how we can use these commands to salvage critical information related to the processes.


Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)