WinDbg : !handle Command extension
Handles are used everywhere in Windows. A handle is an opaque value that indexes an entry in the owning process's handle table; the kernel uses that entry to reach the underlying executive object, so user-mode code never sees the object itself or its address. Almost every Windows API takes a handle as its reference to the object it operates on. WinDbg's !handle extension lets us see what a given handle refers to.
Here is the output of !handle on a user-mode crash dump. The output differs between user mode and kernel mode; we will look at those differences shortly.
0:000> !handle
Handle 0000000000000004
Type Directory
Handle 0000000000000008
Type File
Handle 000000000000000c
Type Key
Handle 0000000000000010
Type Event
Handle 0000000000000014
Type ALPC Port
Handle 0000000000000024
Type Key
Handle 0000000000000030
Type WaitCompletionPacket
Handle 0000000000000034
Type IoCompletion
Handle 0000000000000038
Type TpWorkerFactory
Handle 000000000000003c
Type IRTimer
Handle 0000000000000040
Type WaitCompletionPacket
Handle 0000000000000044
Type IRTimer
Handle 0000000000000048
Type WaitCompletionPacket
Handle 000000000000004c
Type
<Output Snipped due to space constraints>
Handle 0000000000000bf8
Type Thread
377 Handles
Type Count
None 26
Event 74
Section 5
File 7
Directory 2
Mutant 115
Semaphore 17
Key 104
Thread 11
IoCompletion 2
TpWorkerFactory 1
ALPC Port 9
WaitCompletionPacket 4
The extension takes a flags argument that selects what is printed: 1 shows the object type, 2 the basic information (handle attributes, granted access, handle and pointer counts), 4 the object name, 8 type-specific information, and f all of the above. Here is handle 10 with each flag in turn:
0:000> !handle 10 1
Handle 0000000000000010
Type Event
0:000> !handle 10 2
Handle 0000000000000010
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
Delete,ReadControl,WriteDac,WriteOwner,Synch
HandleCount 2
PointerCount 65537
0:000> !handle 10 4
Handle 0000000000000010
Name <none>
0:000> !handle 10 8
Handle 0000000000000010
No object specific information available
0:000> !handle 10 f
Handle 0000000000000010
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
To get all information (0xf) about every handle of a particular type in the process (handle 0 means all handles), add the type name as a third argument. For example, for all Event objects:
0:000> !handle 0 f event
Handle 0000000000000010
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
Handle 000000000000002c
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65538
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
<Output Snipped to save space>
Handle 0000000000000afc
Type Event
Attributes 0
GrantedAccess 0x100003:
Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65512
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
74 handles of type Event
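The GrantedAccess lines above are a decoded ACCESS_MASK: bits 16-20 are the standard rights every object type shares, and the low 16 bits are type-specific, which is why !handle can only name them once it knows the type. The following Python is an added example, not code from the original post; it reproduces that decoding for the types that appear in the listings (Event, Mutant, Section, Key, File) using the documented winnt.h bit values, and reports any low bits it does not know rather than dropping them.

```python
"""Decode a GrantedAccess mask the way WinDbg's !handle prints it.

Added example, not from the original post. The bit values are the documented
winnt.h constants (STANDARD_RIGHTS_*, EVENT_*, MUTANT_*, SECTION_*, KEY_*,
FILE_*); the two-line output format mirrors the !handle rendering above.
"""
from typing import List, Tuple

# Standard rights live in bits 16-20 and mean the same thing for every type.
STANDARD_RIGHTS: List[Tuple[int, str]] = [
    (0x00010000, "Delete"),
    (0x00020000, "ReadControl"),
    (0x00040000, "WriteDac"),
    (0x00080000, "WriteOwner"),
    (0x00100000, "Synch"),
]

# Bits 24-31 never appear in a *granted* mask (the object manager maps GENERIC_*
# and MAXIMUM_ALLOWED when the handle is created), but a requested DesiredAccess
# can carry them, so decode them as well.
SPECIAL_RIGHTS: List[Tuple[int, str]] = [
    (0x01000000, "AccessSystemSecurity"),
    (0x02000000, "MaximumAllowed"),
    (0x10000000, "GenericAll"),
    (0x20000000, "GenericExecute"),
    (0x40000000, "GenericWrite"),
    (0x80000000, "GenericRead"),
]

# Type-specific rights occupy the low 16 bits and depend on the object type,
# which is why `!handle 10 2` alone cannot name them but `!handle 10 f` can.
TYPE_SPECIFIC = {
    "Event":   [(0x0001, "QueryState"), (0x0002, "ModifyState")],
    "Mutant":  [(0x0001, "QueryState")],
    "Section": [(0x0001, "Query"), (0x0002, "MapWrite"), (0x0004, "MapRead"),
                (0x0008, "MapExecute"), (0x0010, "ExtendSize")],
    "Key":     [(0x0001, "QueryValue"), (0x0002, "SetValue"), (0x0004, "CreateSubKey"),
                (0x0008, "EnumerateSubKeys"), (0x0010, "Notify"), (0x0020, "CreateLink"),
                (0x0100, "Wow64_64Key"), (0x0200, "Wow64_32Key")],
    "File":    [(0x0001, "ReadData"), (0x0002, "WriteData"), (0x0004, "AppendData"),
                (0x0008, "ReadEA"), (0x0010, "WriteEA"), (0x0020, "Execute"),
                (0x0040, "DeleteChild"), (0x0080, "ReadAttributes"),
                (0x0100, "WriteAttributes")],
}


def decode_access(mask: int, obj_type: str = "") -> Tuple[List[str], List[str]]:
    """Split `mask` into (standard/special rights, type-specific rights).

    Low bits not covered by the table for `obj_type` are reported as
    Unknown(0x....) so nothing is silently dropped; with no type at all, every
    low bit ends up there, just as !handle cannot name them without flag 1.
    """
    generic = [name for bit, name in STANDARD_RIGHTS + SPECIAL_RIGHTS if mask & bit]
    table = TYPE_SPECIFIC.get(obj_type, [])
    specific = [name for bit, name in table if mask & bit]
    known = 0
    for bit, _ in table:
        known |= bit
    leftover = mask & 0xFFFF & ~known
    if leftover:
        specific.append(f"Unknown(0x{leftover:04x})")
    return generic, specific


def format_granted_access(mask: int, obj_type: str = "") -> str:
    """Render the mask in the same shape as the GrantedAccess lines above."""
    generic, specific = decode_access(mask, obj_type)
    lines = [f"GrantedAccess 0x{mask:x}:", ",".join(generic) or "<none>"]
    if specific:
        lines.append(",".join(specific))
    return "\n".join(lines)


def can_change_security(mask: int) -> bool:
    """True if the holder may rewrite the object's DACL or take ownership
    (WRITE_DAC or WRITE_OWNER), i.e. the handle confers control over who else
    can access the object, not just access to it."""
    return bool(mask & (0x00040000 | 0x00080000))


if __name__ == "__main__":
    # Masks taken from the listings on this page.
    for mask, typ in [(0x1f0003, "Event"), (0x20019, "Key"), (0x120089, "File"),
                      (0x0f0005, "Section"), (0x1f0001, "Mutant")]:
        print(f"[{typ}] security-changing={can_change_security(mask)}")
        print(format_granted_access(mask, typ))
```

Run it as-is to see the masks from this page decoded; 0x1f0003 on an Event comes out exactly as the `!handle 10 f` output above, while 0x20019 on a Key decodes to ReadControl plus QueryValue,EnumerateSubKeys,Notify, i.e. KEY_READ.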
The output and capabilities of !handle in kernel mode are different. It is more powerful, because the debugger has access to the process's handle table and to the executive objects themselves, so it can print the object address, type and name for every entry.
kd> !handle
PROCESS 851d1348 SessionId: 1 Cid: 08b4 Peb: 7ffd4000 ParentCid: 0138
DirBase: 1eed3420 ObjectTable: 93d06750 HandleCount: 71.
Image: NotMyfault.exe
Handle table at 93d06750 with 71 entries in use
0004: Object: 8b265108 GrantedAccess: 00000003 Entry: 93d26008
Object: 8b265108 Type: (839b7e90) Directory
ObjectHeader: 8b2650f0 (new version)
HandleCount: 29 PointerCount: 67
Directory Object: 874010e8 Name: KnownDlls
Hash Address Type Name
---- ------- ---- ----
00 875dd678 Section gdi32.dll
8b2569f0 Section kernelbase.dll
87439a48 Section IMAGEHLP.dll
02 875fec88 Section NORMALIZ.dll
03 8d82ec58 Section ole32.dll
8847b3b8 Section URLMON.dll
04 874ff820 Section USP10.dll
05 8b252458 Section DEVOBJ.dll
06 8ca6d948 Section SHELL32.dll
8b250af0 Section CFGMGR32.dll
875c71a8 Section WLDAP32.dll
09 874e84d0 Section user32.dll
14 875de3f8 Section MSASN1.dll
16 875edf98 SymbolicLink KnownDllPath
8b21ed58 Section COMCTL32.dll
17 87580268 Section CRYPT32.dll
8b24bba8 Section PSAPI.DLL
18 885ffb68 Section advapi32.dll
87537178 Section OLEAUT32.dll
19 8b3f8478 Section SHLWAPI.dll
875d3b50 Section IERTUTIL.dll
8755ba30 Section ntdll.dll
20 8755b780 Section WS2_32.dll
21 8ca6d758 Section LPK.dll
22 874d3850 Section sechost.dll
23 8745c768 Section COMDLG32.dll
24 8ca63f10 Section difxapi.dll
25 8758b888 Section Setupapi.dll
26 874cc3c8 Section MSCTF.dll
8b3e3338 Section WININET.dll
27 875d8b48 Section WINTRUST.dll
875cdd30 Section IMM32.dll
28 8ca533c8 Section MSVCRT.dll
31 874d33c8 Section rpcrt4.dll
875358b0 Section clbcatq.dll
32 8ca593e0 Section kernel32.dll
35 875fedf0 Section NSI.dll
0008: Object: 851d11c0 GrantedAccess: 00100020 Entry: 93d26010
Object: 851d11c0 Type: (83a287a8) File
ObjectHeader: 851d11a8 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Users\Win7SP1x86-Debug\Desktop\Tools\Notmyfault\exe\Release {HarddiskVolume2}
000c: Object: 850bd518 GrantedAccess: 00100020 Entry: 93d26018
Object: 850bd518 Type: (83a287a8) File
ObjectHeader: 850bd500 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2 {HarddiskVolume2}
0010: Object: 93cbdd48 GrantedAccess: 00020019 Entry: 93d26020
Object: 93cbdd48 Type: (83a2d388) Key
ObjectHeader: 93cbdd30 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
0014: Object: 851d19e8 GrantedAccess: 001f0001 Entry: 93d26028
Object: 851d19e8 Type: (83a298f0) ALPC Port
ObjectHeader: 851d19d0 (new version)
HandleCount: 1 PointerCount: 3
0018: Object: 93cf3ec8 GrantedAccess: 00000001 Entry: 93d26030
Object: 93cf3ec8 Type: (83a2d388) Key
ObjectHeader: 93cf3eb0 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
001c: Object: 850bd620 GrantedAccess: 00000804 Entry: 93d26038
Object: 850bd620 Type: (83a43f78) EtwRegistration
ObjectHeader: 850bd608 (new version)
HandleCount: 1 PointerCount: 1
0020: Object: 851cec08 GrantedAccess: 001f0003 (Protected) Entry: 93d26040
Object: 851cec08 Type: (83a33420) Event
ObjectHeader: 851cebf0 (new version)
HandleCount: 1 PointerCount: 2
0024: Object: 84ccffa8 GrantedAccess: 000f037f Entry: 93d26048
Object: 84ccffa8 Type: (83a28de8) WindowStation
ObjectHeader: 84ccff90 (new version)
HandleCount: 13 PointerCount: 24
Directory Object: 95e31b38 Name: WinSta0
0028: Object: 84cd1d18 GrantedAccess: 000f01ff Entry: 93d26050
Object: 84cd1d18 Type: (83a28d20) Desktop
ObjectHeader: 84cd1d00 (new version)
HandleCount: 8 PointerCount: 476
Directory Object: 00000000 Name: Default
002c: Object: 84ccffa8 GrantedAccess: 000f037f Entry: 93d26058
Object: 84ccffa8 Type: (83a28de8) WindowStation
ObjectHeader: 84ccff90 (new version)
HandleCount: 13 PointerCount: 24
Directory Object: 95e31b38 Name: WinSta0
0030: Object: 90dbab80 GrantedAccess: 000f003f Entry: 93d26060
Object: 90dbab80 Type: (83a2d388) Key
ObjectHeader: 90dbab68 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE
0034: Object: 851c79f8 GrantedAccess: 00000804 Entry: 93d26068
Object: 851c79f8 Type: (83a43f78) EtwRegistration
ObjectHeader: 851c79e0 (new version)
HandleCount: 1 PointerCount: 1
0038: Object: 851c7990 GrantedAccess: 00000804 Entry: 93d26070
Object: 851c7990 Type: (83a43f78) EtwRegistration
ObjectHeader: 851c7978 (new version)
HandleCount: 1 PointerCount: 1
003c: Object: 851c7928 GrantedAccess: 00000804 Entry: 93d26078
Object: 851c7928 Type: (83a43f78) EtwRegistration
ObjectHeader: 851c7910 (new version)
HandleCount: 1 PointerCount: 1
0040: Object: 851d3cd8 GrantedAccess: 00000804 Entry: 93d26080
Object: 851d3cd8 Type: (83a43f78) EtwRegistration
ObjectHeader: 851d3cc0 (new version)
HandleCount: 1 PointerCount: 1
0044: Object: 851cf428 GrantedAccess: 00000804 Entry: 93d26088
Object: 851cf428 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cf410 (new version)
HandleCount: 1 PointerCount: 1
0048: Object: 851cf490 GrantedAccess: 00000804 Entry: 93d26090
Object: 851cf490 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cf478 (new version)
HandleCount: 1 PointerCount: 1
004c: Object: 851cf3c0 GrantedAccess: 00000804 Entry: 93d26098
Object: 851cf3c0 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cf3a8 (new version)
HandleCount: 1 PointerCount: 1
0050: Object: 851cf358 GrantedAccess: 00000804 Entry: 93d260a0
Object: 851cf358 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cf340 (new version)
HandleCount: 1 PointerCount: 1
0054: Object: 851cf2f0 GrantedAccess: 00000804 Entry: 93d260a8
Object: 851cf2f0 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cf2d8 (new version)
HandleCount: 1 PointerCount: 1
0058: Object: 851cf288 GrantedAccess: 00000804 Entry: 93d260b0
Object: 851cf288 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cf270 (new version)
HandleCount: 1 PointerCount: 1
005c: Object: 851cffd0 GrantedAccess: 00000804 Entry: 93d260b8
Object: 851cffd0 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cffb8 (new version)
HandleCount: 1 PointerCount: 1
0060: Object: 851cff68 GrantedAccess: 00000804 Entry: 93d260c0
Object: 851cff68 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cff50 (new version)
HandleCount: 1 PointerCount: 1
0064: Object: 851cff00 GrantedAccess: 00000804 Entry: 93d260c8
Object: 851cff00 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cfee8 (new version)
HandleCount: 1 PointerCount: 1
0068: Object: 851cfea8 GrantedAccess: 001f0001 Entry: 93d260d0
Object: 851cfea8 Type: (83a25418) Mutant
ObjectHeader: 851cfe90 (new version)
HandleCount: 1 PointerCount: 1
006c: Object: 851d3b90 GrantedAccess: 001f0003 Entry: 93d260d8
Object: 851d3b90 Type: (83a33420) Event
ObjectHeader: 851d3b78 (new version)
HandleCount: 1 PointerCount: 1
0070: Object: 93d14c28 GrantedAccess: 00020019 Entry: 93d260e0
Object: 93d14c28 Type: (83a2d388) Key
ObjectHeader: 93d14c10 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE
0074: Object: 93c85638 GrantedAccess: 00020019 Entry: 93d260e8
Object: 93c85638 Type: (83a2d388) Key
ObjectHeader: 93c85620 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE\ALTERNATE SORTS
0078: Object: 8bbc5ab8 GrantedAccess: 00020019 Entry: 93d260f0
Object: 8bbc5ab8 Type: (83a2d388) Key
ObjectHeader: 8bbc5aa0 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE GROUPS
007c: Object: 851cfe48 GrantedAccess: 00000804 Entry: 93d260f8
Object: 851cfe48 Type: (83a43f78) EtwRegistration
ObjectHeader: 851cfe30 (new version)
HandleCount: 1 PointerCount: 1
0080: Object: 850be990 GrantedAccess: 00000804 Entry: 93d26100
Object: 850be990 Type: (83a43f78) EtwRegistration
ObjectHeader: 850be978 (new version)
HandleCount: 1 PointerCount: 1
0084: Object: 851d3038 GrantedAccess: 001f0001 Entry: 93d26108
Object: 851d3038 Type: (83a298f0) ALPC Port
ObjectHeader: 851d3020 (new version)
HandleCount: 1 PointerCount: 1
0088: Object: 8bb01590 GrantedAccess: 00000004 Entry: 93d26110
Object: 8bb01590 Type: (83a31b50) Section
ObjectHeader: 8bb01578 (new version)
HandleCount: 6 PointerCount: 6
008c: Object: 851d31b8 GrantedAccess: 00000804 Entry: 93d26118
Object: 851d31b8 Type: (83a43f78) EtwRegistration
ObjectHeader: 851d31a0 (new version)
HandleCount: 1 PointerCount: 1
0090: Object: 851d3220 GrantedAccess: 00000804 Entry: 93d26120
Object: 851d3220 Type: (83a43f78) EtwRegistration
ObjectHeader: 851d3208 (new version)
HandleCount: 1 PointerCount: 1
0094: Object: 849c05a8 GrantedAccess: 00120089 Entry: 93d26128
Object: 849c05a8 Type: (83a287a8) File
ObjectHeader: 849c0590 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Windows\System32\en-US\user32.dll.mui {HarddiskVolume2}
0098: Object: 851d9098 GrantedAccess: 001f0003 Entry: 93d26130
Object: 851d9098 Type: (83a33420) Event
ObjectHeader: 851d9080 (new version)
HandleCount: 1 PointerCount: 1
009c: Object: 95e2ed60 GrantedAccess: 0000000f Entry: 93d26138
Object: 95e2ed60 Type: (839b7e90) Directory
ObjectHeader: 95e2ed48 (new version)
HandleCount: 8 PointerCount: 43
Directory Object: 95e2d298 Name: BaseNamedObjects
Hash Address Type Name
---- ------- ---- ----
00 95e2fc68 SymbolicLink Local
8506b5d8 Mutant ZonesCacheCounterMutex
01 850d3ab8 Mutant ZonesLockedCacheCounterMutex
8515d8b0 Mutant AccessibilitySoundAgentRunning
84f40ff0 Event ThemesStartEvent
02 95e2c428 Directory Restricted
03 84cd0298 Event ScNetDrvMsg
04 8e5479f0 Section windows_shell_global_counters
07 850f9580 Event ShellDesktopSwitchEvent
09 8513eb80 Event MSCTF.AsmCacheReady.Default1
84f53ea8 Event ThemeLoadedEvent
10 8513ec20 Event MSCTF.CtfActivated.Default1
90db9c98 Section C:*ProgramData*Microsoft*Windows*Caches*{7CD55808-3D38-4DD5-90C9-62F0E6EE60D4}.2.ver0x0000000000000001.db
90d58340 Section C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db
12 85145948 Mutant MSCTF.CtfMonitorInstMutexDefault1
13 84f96470 Event ShellReadyEvent
90d5eaa0 Section C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
14 90d59c58 Section C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
16 95e2d158 SymbolicLink Global
19 84d0e4d8 Event WinSta0_DesktopSwitch
20 848c5b18 Mutant ZoneAttributeCacheCounterMutex
84ccd208 Event EventShutDownCSRSS
21 8ba99b88 Section windows_ie_global_counters
22 84d79e10 Mutant ALTTAB_RUNNING_MUTEX
26 85100380 Event MSCTF.CtfMonitorInitialized.Default1
28 851450a8 Mutant CicLoadWinStaWinSta0
85182080 Mutant _SHuassist.mtx
29 849544e8 Mutant ZonesCounterMutex
85144700 Mutant MSCTF.Asm.MutexDefault1
30 95e1f100 SymbolicLink Session
31 8e551830 Section UrlZonesSM_Win7SP1x86-Debug
33 85141528 ALPC Port Dwm-49D1-ApiPort-1BF9
8e5ae7c8 Section CTF.AsmListCache.FMPDefault1
35 8513ebd0 Event MSCTF.CtfDeactivated.Default1
00a0: Object: 851d1b90 GrantedAccess: 001f0003 Entry: 93d26140
Object: 851d1b90 Type: (83a33420) Event
ObjectHeader: 851d1b78 (new version)
HandleCount: 1 PointerCount: 1
00a4: Object: 851db930 GrantedAccess: 001f0003 Entry: 93d26148
Object: 851db930 Type: (83a33420) Event
ObjectHeader: 851db918 (new version)
HandleCount: 1 PointerCount: 1
00a8: Object: 851d2530 GrantedAccess: 00000804 Entry: 93d26150
Object: 851d2530 Type: (83a43f78) EtwRegistration
ObjectHeader: 851d2518 (new version)
HandleCount: 1 PointerCount: 1
00ac: Object: 851d97d8 GrantedAccess: 00000804 Entry: 93d26158
Object: 851d97d8 Type: (83a43f78) EtwRegistration
ObjectHeader: 851d97c0 (new version)
HandleCount: 1 PointerCount: 1
00b0: Object: 851c7df8 GrantedAccess: 001f0003 Entry: 93d26160
Object: 851c7df8 Type: (83a33420) Event
ObjectHeader: 851c7de0 (new version)
HandleCount: 1 PointerCount: 1
00b4: Object: 851d8d48 GrantedAccess: 001fffff Entry: 93d26168
Object: 851d8d48 Type: (839b78b0) Thread
ObjectHeader: 851d8d30 (new version)
HandleCount: 2 PointerCount: 4
00b8: Object: 851d96a0 GrantedAccess: 001f0001 Entry: 93d26170
Object: 851d96a0 Type: (83a298f0) ALPC Port
ObjectHeader: 851d9688 (new version)
HandleCount: 1 PointerCount: 1
00bc: Object: 852540f0 GrantedAccess: 0012019f Entry: 93d26178
Object: 852540f0 Type: (83a287a8) File
ObjectHeader: 852540d8 (new version)
HandleCount: 1 PointerCount: 3
00c0: Object: 8507f098 GrantedAccess: 001f0003 Entry: 93d26180
Object: 8507f098 Type: (83a28870) IoCompletion
ObjectHeader: 8507f080 (new version)
HandleCount: 1 PointerCount: 2
00c4: Object: 85255ee0 GrantedAccess: 000f00ff Entry: 93d26188
Object: 85255ee0 Type: (83a28c58) TpWorkerFactory
ObjectHeader: 85255ec8 (new version)
HandleCount: 1 PointerCount: 1
00c8: Object: 94078d00 GrantedAccess: 000f0003 Entry: 93d26190
Object: 94078d00 Type: (83a28eb0) KeyedEvent
ObjectHeader: 94078ce8 (new version)
HandleCount: 1 PointerCount: 1
00cc: Object: 850bfe38 GrantedAccess: 00100002 Entry: 93d26198
Object: 850bfe38 Type: (83a26350) Timer
ObjectHeader: 850bfe20 (new version)
HandleCount: 1 PointerCount: 2
00d0: Object: 850bfd70 GrantedAccess: 001f0003 Entry: 93d261a0
Object: 850bfd70 Type: (83a26350) Timer
ObjectHeader: 850bfd58 (new version)
HandleCount: 1 PointerCount: 2
00d4: Object: 850bfa88 GrantedAccess: 001fffff Entry: 93d261a8
Object: 850bfa88 Type: (839b78b0) Thread
ObjectHeader: 850bfa70 (new version)
HandleCount: 2 PointerCount: 3
00d8: Object: 850bfa88 GrantedAccess: 001fffff Entry: 93d261b0
Object: 850bfa88 Type: (839b78b0) Thread
ObjectHeader: 850bfa70 (new version)
HandleCount: 2 PointerCount: 3
00dc: Object: 851b1240 GrantedAccess: 001f0003 Entry: 93d261b8
Object: 851b1240 Type: (83a28870) IoCompletion
ObjectHeader: 851b1228 (new version)
HandleCount: 1 PointerCount: 2
00e0: Object: 850bf9e0 GrantedAccess: 000f00ff Entry: 93d261c0
Object: 850bf9e0 Type: (83a28c58) TpWorkerFactory
ObjectHeader: 850bf9c8 (new version)
HandleCount: 1 PointerCount: 1
00e4: Object: 850bf918 GrantedAccess: 00100002 Entry: 93d261c8
Object: 850bf918 Type: (83a26350) Timer
ObjectHeader: 850bf900 (new version)
HandleCount: 1 PointerCount: 2
00e8: Object: 850bf868 GrantedAccess: 00120089 Entry: 93d261d0
Object: 850bf868 Type: (83a287a8) File
ObjectHeader: 850bf850 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Windows\Fonts\StaticCache.dat {HarddiskVolume2}
00ec: Object: 90d6b3b0 GrantedAccess: 000f0005 Entry: 93d261d8
Object: 90d6b3b0 Type: (83a31b50) Section
ObjectHeader: 90d6b398 (new version)
HandleCount: 1 PointerCount: 1
00f0: Object: 84d4c968 GrantedAccess: 001f0003 Entry: 93d261e0
Object: 84d4c968 Type: (83a33420) Event
ObjectHeader: 84d4c950 (new version)
HandleCount: 1 PointerCount: 1
00f4: Object: 851c8e88 GrantedAccess: 00000804 Entry: 93d261e8
Object: 851c8e88 Type: (83a43f78) EtwRegistration
ObjectHeader: 851c8e70 (new version)
HandleCount: 1 PointerCount: 1
00f8: Object: 84d50c78 GrantedAccess: 001f0003 Entry: 93d261f0
Object: 84d50c78 Type: (83a33420) Event
ObjectHeader: 84d50c60 (new version)
HandleCount: 1 PointerCount: 1
00fc: Object: 849fa258 GrantedAccess: 001f0003 Entry: 93d261f8
Object: 849fa258 Type: (83a33420) Event
ObjectHeader: 849fa240 (new version)
HandleCount: 1 PointerCount: 1
0100: Object: 84d70360 GrantedAccess: 001f0003 Entry: 93d26200
Object: 84d70360 Type: (83a33420) Event
ObjectHeader: 84d70348 (new version)
HandleCount: 1 PointerCount: 1
0104: Object: 851cc628 GrantedAccess: 001f0003 Entry: 93d26208
Object: 851cc628 Type: (83a33420) Event
ObjectHeader: 851cc610 (new version)
HandleCount: 1 PointerCount: 1
0108: Object: 8523bd38 GrantedAccess: 001f0003 Entry: 93d26210
Object: 8523bd38 Type: (83a33420) Event
ObjectHeader: 8523bd20 (new version)
HandleCount: 1 PointerCount: 1
010c: Object: 83a4c0f8 GrantedAccess: 001f0003 Entry: 93d26218
Object: 83a4c0f8 Type: (83a33420) Event
ObjectHeader: 83a4c0e0 (new version)
HandleCount: 1 PointerCount: 1
0110: Object: 851cf6d0 GrantedAccess: 001f0003 Entry: 93d26220
Object: 851cf6d0 Type: (83a33420) Event
ObjectHeader: 851cf6b8 (new version)
HandleCount: 1 PointerCount: 1
0114: Object: 85255318 GrantedAccess: 00100001 Entry: 93d26228
Object: 85255318 Type: (83a287a8) File
ObjectHeader: 85255300 (new version)
HandleCount: 1 PointerCount: 1
0118: Object: 93d12608 GrantedAccess: 000f003f Entry: 93d26230
Object: 93d12608 Type: (83a2d388) Key
ObjectHeader: 93d125f0 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\USER\S-1-5-21-4213196723-1351097745-788781942-1001
011c: Object: 8e5479f0 GrantedAccess: 00000006 Entry: 93d26238
Object: 8e5479f0 Type: (83a31b50) Section
ObjectHeader: 8e5479d8 (new version)
HandleCount: 3 PointerCount: 4
Directory Object: 95e2ed60 Name: windows_shell_global_counters
For each entry we get the object address, its type, its name, the handle-table entry address, the handle attributes (Protected, Inherit) and the object's HandleCount and PointerCount, along with a great deal of other useful detail; for Directory objects the contents of the directory are listed as well.
So for debugging handle leaks and similar problems, a full kernel dump is often more useful than a process dump alone.
For example, suppose we want all open file handles of the System process. We can find them with the steps below:
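When hunting a handle leak in a kernel dump, the listing above is usually too long to read by eye, so the practical step is to parse it and ask targeted questions: how many handles of each type, which objects are reached through more than one handle (the same object opened or duplicated repeatedly and never closed is the classic leak signature; handles 0024/002c to WinSta0 and 00d4/00d8 to the same Thread above are benign examples of the pattern), and which handles carry Protected or Inherit attributes. The following Python is an added example, not code from the original post; its SAMPLE input is constructed to mirror the shape of the kernel-mode output above and is not a complete capture.

```python
"""Parse kernel-mode `!handle` output and look for handle-leak patterns.

Added example, not part of the original post. SAMPLE is constructed to mirror
the shape of the kernel-mode listing above (a few NotMyfault.exe entries plus
an Inherit entry); it is not a complete capture.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input; ObjectHeader lines omitted (the parser skips unknown lines).
SAMPLE = r"""
PROCESS 851d1348 SessionId: 1 Cid: 08b4 Peb: 7ffd4000 ParentCid: 0138
Handle table at 93d06750 with 71 entries in use
0004: Object: 8b265108 GrantedAccess: 00000003 Entry: 93d26008
Object: 8b265108 Type: (839b7e90) Directory
HandleCount: 29 PointerCount: 67
Directory Object: 874010e8 Name: KnownDlls
00 875dd678 Section gdi32.dll
0020: Object: 851cec08 GrantedAccess: 001f0003 (Protected) Entry: 93d26040
Object: 851cec08 Type: (83a33420) Event
HandleCount: 1 PointerCount: 2
0024: Object: 84ccffa8 GrantedAccess: 000f037f Entry: 93d26048
Object: 84ccffa8 Type: (83a28de8) WindowStation
HandleCount: 13 PointerCount: 24
Directory Object: 95e31b38 Name: WinSta0
002c: Object: 84ccffa8 GrantedAccess: 000f037f Entry: 93d26058
Object: 84ccffa8 Type: (83a28de8) WindowStation
HandleCount: 13 PointerCount: 24
Directory Object: 95e31b38 Name: WinSta0
008c: Object: 84c30268 GrantedAccess: 0012019f (Inherit) Entry: 87403118
Object: 84c30268 Type: (83a287a8) File
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: TxfLog {clfs}
0728: free handle, Entry address 87403e50, Next Entry 00000744
"""

ENTRY_RE = re.compile(r"^([0-9a-f]+):\s+Object:\s+([0-9a-f]+)\s+GrantedAccess:\s+([0-9a-f]+)"
                      r"(?:\s+\(([^)]*)\))?\s+Entry:\s+[0-9a-f]+$")
TYPE_RE = re.compile(r"^Object:\s+[0-9a-f]+\s+Type:\s+\([0-9a-f]+\)\s+(.+)$")
COUNT_RE = re.compile(r"^HandleCount:\s+(\d+)\s+PointerCount:\s+(\d+)$")
NAME_RE = re.compile(r"^Directory Object:\s+[0-9a-f]+\s+Name:\s+(.+)$")

@dataclass
class HandleEntry:
    handle: int                 # handle value (index into the table)
    object_addr: str            # kernel address of the object body
    granted_access: int         # ACCESS_MASK stored in the table entry
    attributes: List[str]       # e.g. ["Protected"], ["Inherit"]
    obj_type: str = ""
    handle_count: int = 0       # handles to this object system-wide
    pointer_count: int = 0      # kernel references to the object
    name: Optional[str] = None

def parse_handle_output(text: str) -> List[HandleEntry]:
    """A `xxxx: Object:` line opens an entry; the Type/HandleCount/Directory lines
    after it fill it in. Headers, Directory tables and free-handle markers skip."""
    entries: List[HandleEntry] = []
    cur: Optional[HandleEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            attrs = [a.strip() for a in (m.group(4) or "").split(",") if a.strip()]
            cur = HandleEntry(int(m.group(1), 16), m.group(2), int(m.group(3), 16), attrs)
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            cur.obj_type = m.group(1)
            continue
        m = COUNT_RE.match(line)
        if m:
            cur.handle_count, cur.pointer_count = int(m.group(1)), int(m.group(2))
            continue
        m = NAME_RE.match(line)
        if m and cur.name is None:
            cur.name = m.group(1)
    return entries

def count_by_type(entries: List[HandleEntry]) -> Counter:
    """Same per-type totals that !handle prints at the end of a user-mode listing."""
    return Counter(e.obj_type for e in entries)

def shared_objects(entries: List[HandleEntry]) -> Dict[str, List[int]]:
    """Objects reached through more than one handle in this table: the leak
    signature of re-opening or duplicating the same object without closing it."""
    by_obj: Dict[str, List[int]] = defaultdict(list)
    for e in entries:
        by_obj[e.object_addr].append(e.handle)
    return {obj: hs for obj, hs in by_obj.items() if len(hs) > 1}

def handles_with_attribute(entries: List[HandleEntry], attr: str) -> List[int]:
    """Protected handles cannot be closed; Inherit handles are passed to child
    processes, which matters when the object behind them is sensitive."""
    return [e.handle for e in entries if attr in e.attributes]
```

Paste a real `!handle` listing into SAMPLE (or read it from a file saved with `.logopen`) and call `parse_handle_output`; `shared_objects` is the first thing to look at when the HandleCount in the PROCESS header keeps climbing, and `handles_with_attribute(entries, "Inherit")` tells you which of the process's objects will flow into anything it spawns.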
kd> !process 0 0 system
PROCESS 839afbf8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 87401ca0 HandleCount: 463.
Image: System
kd> .process /p /r 839afbf8
Implicit process is now 839afbf8
Loading User Symbols
kd> !handle 0 7 839afbf8 File
Searching for handles of type File
PROCESS 839afbf8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 87401ca0 HandleCount: 463.
Image: System
Kernel handle table at 87401ca0 with 463 entries in use
0054: Object: 849133f0 GrantedAccess: 00120116 Entry: 874030a8
Object: 849133f0 Type: (83a287a8) File
ObjectHeader: 849133d8 (new version)
HandleCount: 1 PointerCount: 1
0060: Object: 84871940 GrantedAccess: 00100001 Entry: 874030c0
Object: 84871940 Type: (83a287a8) File
ObjectHeader: 84871928 (new version)
HandleCount: 1 PointerCount: 1
0064: Object: 84dc24d0 GrantedAccess: 0012008b Entry: 874030c8
Object: 84dc24d0 Type: (83a287a8) File
ObjectHeader: 84dc24b8 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Windows\System32\wdi\LogFiles\WdiContextLog.etl.003 {HarddiskVolume2}
0070: Object: 84c0ef80 GrantedAccess: 0012019f Entry: 874030e0
Object: 84c0ef80 Type: (83a287a8) File
ObjectHeader: 84c0ef68 (new version)
HandleCount: 1 PointerCount: 2
0088: Object: 84c42788 GrantedAccess: 0012019f Entry: 87403110
Object: 84c42788 Type: (83a287a8) File
ObjectHeader: 84c42770 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: \$Extend\$RmMetadata\$TxfLog\$TxfLog.blf {HarddiskVolume1}
008c: Object: 84c30268 GrantedAccess: 0012019f (Inherit) Entry: 87403118
Object: 84c30268 Type: (83a287a8) File
ObjectHeader: 84c30250 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: TxfLog {clfs}
0090: Object: 84c30310 GrantedAccess: 0012019f Entry: 87403120
Object: 84c30310 Type: (83a287a8) File
ObjectHeader: 84c302f8 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: \$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 {HarddiskVolume1}
<Output snipped>
0140: Object: 847e7e98 GrantedAccess: 00020003 (Protected) Entry: 87403280
Object: 847e7e98 Type: (83a287a8) File
ObjectHeader: 847e7e80 (new version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Windows\System32\config\SOFTWARE {HarddiskVolume2}
0728: free handle, Entry address 87403e50, Next Entry 00000744
0734: free handle, Entry address 87403e68, Next Entry 0000083c
0ffc: free handle, Entry address 91427ff8, Next Entry 00000000
<Output snipped>
I have deliberately snipped the output since it is very long. As we can see, the System process holds open handles to regular files, registry hives, transaction logs and more.
We will revisit this topic in a future post to see how this information can be extended to find which device an I/O is bound to.
We can use the !object command on the object address printed by !handle to get even more information about the object behind a handle; a separate blog post describes how the !object command works.