
Wednesday 17 September 2014

WinDbg : !handle Command

Handles are used everywhere in Windows. A handle is an opaque value, not a pointer: it is an index into the process's handle table, and the kernel resolves it to the underlying object on every call that uses it. Almost every Windows API takes a handle as its reference to an internal object, and what the holder may do with that object is fixed by the access mask granted when the handle was opened, not by the object itself. WinDbg's !handle extension command lets us find out more about a handle: its type, its granted access, its name and a few type-specific details.

Here is the output of !handle, with no arguments, run on a user-mode crash dump. The output differs between user mode and kernel mode; we will see those differences below.


0:000> !handle


Handle 0000000000000004
  Type         Directory
Handle 0000000000000008
  Type         File
Handle 000000000000000c
  Type         Key
Handle 0000000000000010
  Type         Event
Handle 0000000000000014
  Type         ALPC Port
Handle 0000000000000024
  Type         Key
Handle 0000000000000030
  Type         WaitCompletionPacket
Handle 0000000000000034
  Type         IoCompletion
Handle 0000000000000038
  Type         TpWorkerFactory
Handle 000000000000003c
  Type         IRTimer
Handle 0000000000000040
  Type         WaitCompletionPacket
Handle 0000000000000044
  Type         IRTimer
Handle 0000000000000048
  Type         WaitCompletionPacket
Handle 000000000000004c
  Type        
<Output Snipped due to space constraints>
Handle 0000000000000bf8
  Type         Thread
377 Handles
Type                     Count
None                     26
Event                    74
Section                  5
File                     7
Directory                2
Mutant                   115
Semaphore                17
Key                      104
Thread                   11
IoCompletion             2
TpWorkerFactory          1
ALPC Port                9
WaitCompletionPacket     4


!handle takes up to four arguments: the handle value (0 means every handle), a bit mask selecting what to print, and, in kernel mode, a process address and an object type name to filter on. The mask bits are 1 for the object type, 2 for the basic information (attributes, granted access, handle count and pointer count), 4 for the object name and 8 for type-specific details; f enables all of them. Here is the output for handle 10 with each of the bits 1, 2, 4 and 8 set on its own, and with f:

0:000> !handle 10 1
Handle 0000000000000010
  Type          Event

0:000> !handle 10 2
Handle 0000000000000010
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65537

0:000> !handle 10 4
Handle 0000000000000010
  Name         <none>

0:000> !handle 10 8
Handle 0000000000000010
  No object specific information available

0:000> !handle 10 f
Handle 0000000000000010
  Type         Event
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65537
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting

To get all information (flags f) about every handle of a particular type, say Event, in the process, pass 0 as the handle (meaning all handles) followed by the type name:

0:000> !handle 0 f event
Handle 0000000000000010
  Type         Event
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65537
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting
Handle 000000000000002c
  Type         Event
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65538
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting

<Output Snipped to save space>

Handle 0000000000000afc
  Type         Event
  Attributes   0
  GrantedAccess 0x100003:
         Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65512
  Name         <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting
74 handles of type Event
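As an added example, not code from the original post, the following Python reproduces what the flag-2 output is showing: it decodes a GrantedAccess mask into the standard rights and the type-specific rights the way the debugger prints them, parses user-mode !handle output into records, rebuilds the per-type summary, and answers questions such as "which Thread handles carry SetContext". The right names for Event and Thread come from the documented EVENT_* and THREAD_* bits; the sample output is constructed from the two Event handles shown above plus an assumed Thread entry (handle 0xbf8 with 0x1fffff, whose decode lines are left out because the parser skips them anyway). Bits the table cannot name are kept as a hex leftover rather than dropped, which matters when a type is missing from the table or a mask carries bits the table does not know.

```python
import re
from collections import Counter

# Standard rights occupy bits 16-20 of an ACCESS_MASK; !handle prints them on
# the first line under GrantedAccess.  Bits above them (GENERIC_*, etc.) are
# reported as a leftover rather than silently dropped.
STANDARD_RIGHTS = [(0x10000, "Delete"), (0x20000, "ReadControl"),
                   (0x40000, "WriteDac"), (0x80000, "WriteOwner"),
                   (0x100000, "Synch")]
# Type-specific rights are the low 16 bits (EVENT_* / THREAD_* constants); the
# same bit means different things for different types, so a type is required.
SPECIFIC_RIGHTS = {
    "Event": [(0x1, "QueryState"), (0x2, "ModifyState")],
    "Thread": [(0x1, "Terminate"), (0x2, "SuspendResume"), (0x8, "GetContext"),
               (0x10, "SetContext"), (0x20, "SetInformation"),
               (0x40, "QueryInformation"), (0x80, "SetThreadToken"),
               (0x100, "Impersonate"), (0x200, "DirectImpersonation"),
               (0x400, "SetLimitedInformation"),
               (0x800, "QueryLimitedInformation"), (0x1000, "Resume")],
}

def decode_access(mask, obj_type):
    """Split an ACCESS_MASK into (standard rights, type-specific rights)."""
    std_bits = sum(b for b, _ in STANDARD_RIGHTS)
    standard = [n for b, n in STANDARD_RIGHTS if mask & b]
    high_left = mask & ~std_bits & 0xFFFF0000
    if high_left:
        standard.append("Unknown(0x%x)" % high_left)
    table = SPECIFIC_RIGHTS.get(obj_type, [])
    specific = [n for b, n in table if mask & b]
    low_left = mask & 0xFFFF & ~sum(b for b, _ in table)
    if low_left:
        specific.append("Unknown(0x%x)" % low_left)
    return standard, specific

HANDLE_RE = re.compile(r"^Handle\s+([0-9a-f]+)\s*$", re.I)
FIELD_RE = re.compile(r"^\s+(Type|Attributes|GrantedAccess|HandleCount|"
                      r"PointerCount|Name)\s+(\S.*?)\s*$")

def parse_user_handles(text):
    """One dict per handle from user-mode !handle output.  The indented rights
    lines under GrantedAccess are skipped: decode_access() rebuilds them."""
    records = []
    for line in text.splitlines():
        h = HANDLE_RE.match(line)
        f = FIELD_RE.match(line)
        if h:
            records.append({"handle": int(h.group(1), 16)})
        elif f and records:
            key, value = f.groups()
            if key in ("GrantedAccess", "Attributes"):   # printed in hex
                value = int(value.rstrip(":"), 16)
            elif key in ("HandleCount", "PointerCount"):  # printed in decimal
                value = int(value)
            records[-1][key] = value
    return records

def type_counts(records):
    """The per-type summary table !handle prints after a full listing."""
    return dict(Counter(r.get("Type", "None") for r in records))

def handles_with(records, obj_type, right):
    """Handles of one type whose granted access includes a named right, e.g.
    which Thread handles carry SetContext (enough to hijack that thread)."""
    found = []
    for r in records:
        if r.get("Type") == obj_type:
            standard, specific = decode_access(r["GrantedAccess"], obj_type)
            if right in standard or right in specific:
                found.append(r["handle"])
    return found

# Constructed sample: the two Event handles from the post's '!handle 0 f event'
# run plus an assumed Thread handle (decode lines omitted; the parser skips them).
SAMPLE = """\
Handle 0000000000000010
  Type          Event
  Attributes   0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65537
  Name         <none>
Handle 0000000000000afc
  Type          Event
  Attributes   0
  GrantedAccess 0x100003:
         Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount 65512
  Name         <none>
Handle 0000000000000bf8
  Type          Thread
  Attributes   0
  GrantedAccess 0x1fffff:
  HandleCount   2
  PointerCount 65539
  Name         <none>
"""
```

Decoding 0x1fffff for a Thread names every documented THREAD_* right and still reports Unknown(0xe004) for the bits the table does not cover; that leftover is the signal to go and look the bits up rather than assume the handle is harmless.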


The output and capabilities of !handle in kernel mode are different. It is more powerful because the debugger has direct access to the kernel objects behind the handle table, including the object header, the type object and the name, rather than relying on the handle data stream saved in a user-mode dump. With no arguments it dumps the handle table of the current process:

kd> !handle

PROCESS 851d1348  SessionId: 1  Cid: 08b4    Peb: 7ffd4000  ParentCid: 0138
    DirBase: 1eed3420  ObjectTable: 93d06750  HandleCount:  71.
    Image: NotMyfault.exe

Handle table at 93d06750 with 71 entries in use

0004: Object: 8b265108  GrantedAccess: 00000003 Entry: 93d26008
Object: 8b265108  Type: (839b7e90) Directory
    ObjectHeader: 8b2650f0 (new version)
        HandleCount: 29  PointerCount: 67
        Directory Object: 874010e8  Name: KnownDlls

        Hash Address  Type          Name
        ---- -------  ----          ----
         00  875dd678 Section       gdi32.dll
             8b2569f0 Section       kernelbase.dll
             87439a48 Section       IMAGEHLP.dll
         02  875fec88 Section       NORMALIZ.dll
         03  8d82ec58 Section       ole32.dll
             8847b3b8 Section       URLMON.dll
         04  874ff820 Section       USP10.dll
         05  8b252458 Section       DEVOBJ.dll
         06  8ca6d948 Section       SHELL32.dll
             8b250af0 Section       CFGMGR32.dll
             875c71a8 Section       WLDAP32.dll
         09  874e84d0 Section       user32.dll
         14  875de3f8 Section       MSASN1.dll
         16  875edf98 SymbolicLink  KnownDllPath
             8b21ed58 Section       COMCTL32.dll
         17  87580268 Section       CRYPT32.dll
             8b24bba8 Section       PSAPI.DLL
         18  885ffb68 Section       advapi32.dll
             87537178 Section       OLEAUT32.dll
         19  8b3f8478 Section       SHLWAPI.dll
             875d3b50 Section       IERTUTIL.dll
             8755ba30 Section       ntdll.dll
         20  8755b780 Section       WS2_32.dll
         21  8ca6d758 Section       LPK.dll
         22  874d3850 Section       sechost.dll
         23  8745c768 Section       COMDLG32.dll
         24  8ca63f10 Section       difxapi.dll
         25  8758b888 Section       Setupapi.dll
         26  874cc3c8 Section       MSCTF.dll
             8b3e3338 Section       WININET.dll
         27  875d8b48 Section       WINTRUST.dll
             875cdd30 Section       IMM32.dll
         28  8ca533c8 Section       MSVCRT.dll
         31  874d33c8 Section       rpcrt4.dll
             875358b0 Section       clbcatq.dll
         32  8ca593e0 Section       kernel32.dll
         35  875fedf0 Section       NSI.dll

0008: Object: 851d11c0  GrantedAccess: 00100020 Entry: 93d26010
Object: 851d11c0  Type: (83a287a8) File
    ObjectHeader: 851d11a8 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Users\Win7SP1x86-Debug\Desktop\Tools\Notmyfault\exe\Release {HarddiskVolume2}

000c: Object: 850bd518  GrantedAccess: 00100020 Entry: 93d26018
Object: 850bd518  Type: (83a287a8) File
    ObjectHeader: 850bd500 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2 {HarddiskVolume2}

0010: Object: 93cbdd48  GrantedAccess: 00020019 Entry: 93d26020
Object: 93cbdd48  Type: (83a2d388) Key
    ObjectHeader: 93cbdd30 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS

0014: Object: 851d19e8  GrantedAccess: 001f0001 Entry: 93d26028
Object: 851d19e8  Type: (83a298f0) ALPC Port
    ObjectHeader: 851d19d0 (new version)
        HandleCount: 1  PointerCount: 3

0018: Object: 93cf3ec8  GrantedAccess: 00000001 Entry: 93d26030
Object: 93cf3ec8  Type: (83a2d388) Key
    ObjectHeader: 93cf3eb0 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER

001c: Object: 850bd620  GrantedAccess: 00000804 Entry: 93d26038
Object: 850bd620  Type: (83a43f78) EtwRegistration
    ObjectHeader: 850bd608 (new version)
        HandleCount: 1  PointerCount: 1

0020: Object: 851cec08  GrantedAccess: 001f0003 (Protected) Entry: 93d26040
Object: 851cec08  Type: (83a33420) Event
    ObjectHeader: 851cebf0 (new version)
        HandleCount: 1  PointerCount: 2

0024: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26048
Object: 84ccffa8  Type: (83a28de8) WindowStation
    ObjectHeader: 84ccff90 (new version)
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0

0028: Object: 84cd1d18  GrantedAccess: 000f01ff Entry: 93d26050
Object: 84cd1d18  Type: (83a28d20) Desktop
    ObjectHeader: 84cd1d00 (new version)
        HandleCount: 8  PointerCount: 476
        Directory Object: 00000000  Name: Default

002c: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26058
Object: 84ccffa8  Type: (83a28de8) WindowStation
    ObjectHeader: 84ccff90 (new version)
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0

0030: Object: 90dbab80  GrantedAccess: 000f003f Entry: 93d26060
Object: 90dbab80  Type: (83a2d388) Key
    ObjectHeader: 90dbab68 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE

0034: Object: 851c79f8  GrantedAccess: 00000804 Entry: 93d26068
Object: 851c79f8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c79e0 (new version)
        HandleCount: 1  PointerCount: 1

0038: Object: 851c7990  GrantedAccess: 00000804 Entry: 93d26070
Object: 851c7990  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c7978 (new version)
        HandleCount: 1  PointerCount: 1

003c: Object: 851c7928  GrantedAccess: 00000804 Entry: 93d26078
Object: 851c7928  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c7910 (new version)
        HandleCount: 1  PointerCount: 1

0040: Object: 851d3cd8  GrantedAccess: 00000804 Entry: 93d26080
Object: 851d3cd8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d3cc0 (new version)
        HandleCount: 1  PointerCount: 1

0044: Object: 851cf428  GrantedAccess: 00000804 Entry: 93d26088
Object: 851cf428  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf410 (new version)
        HandleCount: 1  PointerCount: 1

0048: Object: 851cf490  GrantedAccess: 00000804 Entry: 93d26090
Object: 851cf490  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf478 (new version)
        HandleCount: 1  PointerCount: 1

004c: Object: 851cf3c0  GrantedAccess: 00000804 Entry: 93d26098
Object: 851cf3c0  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf3a8 (new version)
        HandleCount: 1  PointerCount: 1

0050: Object: 851cf358  GrantedAccess: 00000804 Entry: 93d260a0
Object: 851cf358  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf340 (new version)
        HandleCount: 1  PointerCount: 1

0054: Object: 851cf2f0  GrantedAccess: 00000804 Entry: 93d260a8
Object: 851cf2f0  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf2d8 (new version)
        HandleCount: 1  PointerCount: 1

0058: Object: 851cf288  GrantedAccess: 00000804 Entry: 93d260b0
Object: 851cf288  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cf270 (new version)
        HandleCount: 1  PointerCount: 1

005c: Object: 851cffd0  GrantedAccess: 00000804 Entry: 93d260b8
Object: 851cffd0  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cffb8 (new version)
        HandleCount: 1  PointerCount: 1

0060: Object: 851cff68  GrantedAccess: 00000804 Entry: 93d260c0
Object: 851cff68  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cff50 (new version)
        HandleCount: 1  PointerCount: 1

0064: Object: 851cff00  GrantedAccess: 00000804 Entry: 93d260c8
Object: 851cff00  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cfee8 (new version)
        HandleCount: 1  PointerCount: 1

0068: Object: 851cfea8  GrantedAccess: 001f0001 Entry: 93d260d0
Object: 851cfea8  Type: (83a25418) Mutant
    ObjectHeader: 851cfe90 (new version)
        HandleCount: 1  PointerCount: 1

006c: Object: 851d3b90  GrantedAccess: 001f0003 Entry: 93d260d8
Object: 851d3b90  Type: (83a33420) Event
    ObjectHeader: 851d3b78 (new version)
        HandleCount: 1  PointerCount: 1

0070: Object: 93d14c28  GrantedAccess: 00020019 Entry: 93d260e0
Object: 93d14c28  Type: (83a2d388) Key
    ObjectHeader: 93d14c10 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE

0074: Object: 93c85638  GrantedAccess: 00020019 Entry: 93d260e8
Object: 93c85638  Type: (83a2d388) Key
    ObjectHeader: 93c85620 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE\ALTERNATE SORTS

0078: Object: 8bbc5ab8  GrantedAccess: 00020019 Entry: 93d260f0
Object: 8bbc5ab8  Type: (83a2d388) Key
    ObjectHeader: 8bbc5aa0 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE GROUPS

007c: Object: 851cfe48  GrantedAccess: 00000804 Entry: 93d260f8
Object: 851cfe48  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851cfe30 (new version)
        HandleCount: 1  PointerCount: 1

0080: Object: 850be990  GrantedAccess: 00000804 Entry: 93d26100
Object: 850be990  Type: (83a43f78) EtwRegistration
    ObjectHeader: 850be978 (new version)
        HandleCount: 1  PointerCount: 1

0084: Object: 851d3038  GrantedAccess: 001f0001 Entry: 93d26108
Object: 851d3038  Type: (83a298f0) ALPC Port
    ObjectHeader: 851d3020 (new version)
        HandleCount: 1  PointerCount: 1

0088: Object: 8bb01590  GrantedAccess: 00000004 Entry: 93d26110
Object: 8bb01590  Type: (83a31b50) Section
    ObjectHeader: 8bb01578 (new version)
        HandleCount: 6  PointerCount: 6

008c: Object: 851d31b8  GrantedAccess: 00000804 Entry: 93d26118
Object: 851d31b8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d31a0 (new version)
        HandleCount: 1  PointerCount: 1

0090: Object: 851d3220  GrantedAccess: 00000804 Entry: 93d26120
Object: 851d3220  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d3208 (new version)
        HandleCount: 1  PointerCount: 1

0094: Object: 849c05a8  GrantedAccess: 00120089 Entry: 93d26128
Object: 849c05a8  Type: (83a287a8) File
    ObjectHeader: 849c0590 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\System32\en-US\user32.dll.mui {HarddiskVolume2}

0098: Object: 851d9098  GrantedAccess: 001f0003 Entry: 93d26130
Object: 851d9098  Type: (83a33420) Event
    ObjectHeader: 851d9080 (new version)
        HandleCount: 1  PointerCount: 1

009c: Object: 95e2ed60  GrantedAccess: 0000000f Entry: 93d26138
Object: 95e2ed60  Type: (839b7e90) Directory
    ObjectHeader: 95e2ed48 (new version)
        HandleCount: 8  PointerCount: 43
        Directory Object: 95e2d298  Name: BaseNamedObjects

        Hash Address  Type          Name
        ---- -------  ----          ----
         00  95e2fc68 SymbolicLink  Local
             8506b5d8 Mutant        ZonesCacheCounterMutex
         01  850d3ab8 Mutant        ZonesLockedCacheCounterMutex
             8515d8b0 Mutant        AccessibilitySoundAgentRunning
             84f40ff0 Event         ThemesStartEvent
         02  95e2c428 Directory     Restricted
         03  84cd0298 Event         ScNetDrvMsg
         04  8e5479f0 Section       windows_shell_global_counters
         07  850f9580 Event         ShellDesktopSwitchEvent
         09  8513eb80 Event         MSCTF.AsmCacheReady.Default1
             84f53ea8 Event         ThemeLoadedEvent
         10  8513ec20 Event         MSCTF.CtfActivated.Default1
             90db9c98 Section       C:*ProgramData*Microsoft*Windows*Caches*{7CD55808-3D38-4DD5-90C9-62F0E6EE60D4}.2.ver0x0000000000000001.db
             90d58340 Section       C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db
         12  85145948 Mutant        MSCTF.CtfMonitorInstMutexDefault1
         13  84f96470 Event         ShellReadyEvent
             90d5eaa0 Section       C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
         14  90d59c58 Section       C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
         16  95e2d158 SymbolicLink  Global
         19  84d0e4d8 Event         WinSta0_DesktopSwitch
         20  848c5b18 Mutant        ZoneAttributeCacheCounterMutex
             84ccd208 Event         EventShutDownCSRSS
         21  8ba99b88 Section       windows_ie_global_counters
         22  84d79e10 Mutant        ALTTAB_RUNNING_MUTEX
         26  85100380 Event         MSCTF.CtfMonitorInitialized.Default1
         28  851450a8 Mutant        CicLoadWinStaWinSta0
             85182080 Mutant        _SHuassist.mtx
         29  849544e8 Mutant        ZonesCounterMutex
             85144700 Mutant        MSCTF.Asm.MutexDefault1
         30  95e1f100 SymbolicLink  Session
         31  8e551830 Section       UrlZonesSM_Win7SP1x86-Debug
         33  85141528 ALPC Port     Dwm-49D1-ApiPort-1BF9
             8e5ae7c8 Section       CTF.AsmListCache.FMPDefault1
         35  8513ebd0 Event         MSCTF.CtfDeactivated.Default1

00a0: Object: 851d1b90  GrantedAccess: 001f0003 Entry: 93d26140
Object: 851d1b90  Type: (83a33420) Event
    ObjectHeader: 851d1b78 (new version)
        HandleCount: 1  PointerCount: 1

00a4: Object: 851db930  GrantedAccess: 001f0003 Entry: 93d26148
Object: 851db930  Type: (83a33420) Event
    ObjectHeader: 851db918 (new version)
        HandleCount: 1  PointerCount: 1

00a8: Object: 851d2530  GrantedAccess: 00000804 Entry: 93d26150
Object: 851d2530  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d2518 (new version)
        HandleCount: 1  PointerCount: 1

00ac: Object: 851d97d8  GrantedAccess: 00000804 Entry: 93d26158
Object: 851d97d8  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851d97c0 (new version)
        HandleCount: 1  PointerCount: 1

00b0: Object: 851c7df8  GrantedAccess: 001f0003 Entry: 93d26160
Object: 851c7df8  Type: (83a33420) Event
    ObjectHeader: 851c7de0 (new version)
        HandleCount: 1  PointerCount: 1

00b4: Object: 851d8d48  GrantedAccess: 001fffff Entry: 93d26168
Object: 851d8d48  Type: (839b78b0) Thread
    ObjectHeader: 851d8d30 (new version)
        HandleCount: 2  PointerCount: 4

00b8: Object: 851d96a0  GrantedAccess: 001f0001 Entry: 93d26170
Object: 851d96a0  Type: (83a298f0) ALPC Port
    ObjectHeader: 851d9688 (new version)
        HandleCount: 1  PointerCount: 1

00bc: Object: 852540f0  GrantedAccess: 0012019f Entry: 93d26178
Object: 852540f0  Type: (83a287a8) File
    ObjectHeader: 852540d8 (new version)
        HandleCount: 1  PointerCount: 3

00c0: Object: 8507f098  GrantedAccess: 001f0003 Entry: 93d26180
Object: 8507f098  Type: (83a28870) IoCompletion
    ObjectHeader: 8507f080 (new version)
        HandleCount: 1  PointerCount: 2

00c4: Object: 85255ee0  GrantedAccess: 000f00ff Entry: 93d26188
Object: 85255ee0  Type: (83a28c58) TpWorkerFactory
    ObjectHeader: 85255ec8 (new version)
        HandleCount: 1  PointerCount: 1

00c8: Object: 94078d00  GrantedAccess: 000f0003 Entry: 93d26190
Object: 94078d00  Type: (83a28eb0) KeyedEvent
    ObjectHeader: 94078ce8 (new version)
        HandleCount: 1  PointerCount: 1

00cc: Object: 850bfe38  GrantedAccess: 00100002 Entry: 93d26198
Object: 850bfe38  Type: (83a26350) Timer
    ObjectHeader: 850bfe20 (new version)
        HandleCount: 1  PointerCount: 2

00d0: Object: 850bfd70  GrantedAccess: 001f0003 Entry: 93d261a0
Object: 850bfd70  Type: (83a26350) Timer
    ObjectHeader: 850bfd58 (new version)
        HandleCount: 1  PointerCount: 2

00d4: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261a8
Object: 850bfa88  Type: (839b78b0) Thread
    ObjectHeader: 850bfa70 (new version)
        HandleCount: 2  PointerCount: 3

00d8: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261b0
Object: 850bfa88  Type: (839b78b0) Thread
    ObjectHeader: 850bfa70 (new version)
        HandleCount: 2  PointerCount: 3

00dc: Object: 851b1240  GrantedAccess: 001f0003 Entry: 93d261b8
Object: 851b1240  Type: (83a28870) IoCompletion
    ObjectHeader: 851b1228 (new version)
        HandleCount: 1  PointerCount: 2

00e0: Object: 850bf9e0  GrantedAccess: 000f00ff Entry: 93d261c0
Object: 850bf9e0  Type: (83a28c58) TpWorkerFactory
    ObjectHeader: 850bf9c8 (new version)
        HandleCount: 1  PointerCount: 1

00e4: Object: 850bf918  GrantedAccess: 00100002 Entry: 93d261c8
Object: 850bf918  Type: (83a26350) Timer
    ObjectHeader: 850bf900 (new version)
        HandleCount: 1  PointerCount: 2

00e8: Object: 850bf868  GrantedAccess: 00120089 Entry: 93d261d0
Object: 850bf868  Type: (83a287a8) File
    ObjectHeader: 850bf850 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\Fonts\StaticCache.dat {HarddiskVolume2}

00ec: Object: 90d6b3b0  GrantedAccess: 000f0005 Entry: 93d261d8
Object: 90d6b3b0  Type: (83a31b50) Section
    ObjectHeader: 90d6b398 (new version)
        HandleCount: 1  PointerCount: 1

00f0: Object: 84d4c968  GrantedAccess: 001f0003 Entry: 93d261e0
Object: 84d4c968  Type: (83a33420) Event
    ObjectHeader: 84d4c950 (new version)
        HandleCount: 1  PointerCount: 1

00f4: Object: 851c8e88  GrantedAccess: 00000804 Entry: 93d261e8
Object: 851c8e88  Type: (83a43f78) EtwRegistration
    ObjectHeader: 851c8e70 (new version)
        HandleCount: 1  PointerCount: 1

00f8: Object: 84d50c78  GrantedAccess: 001f0003 Entry: 93d261f0
Object: 84d50c78  Type: (83a33420) Event
    ObjectHeader: 84d50c60 (new version)
        HandleCount: 1  PointerCount: 1

00fc: Object: 849fa258  GrantedAccess: 001f0003 Entry: 93d261f8
Object: 849fa258  Type: (83a33420) Event
    ObjectHeader: 849fa240 (new version)
        HandleCount: 1  PointerCount: 1

0100: Object: 84d70360  GrantedAccess: 001f0003 Entry: 93d26200
Object: 84d70360  Type: (83a33420) Event
    ObjectHeader: 84d70348 (new version)
        HandleCount: 1  PointerCount: 1

0104: Object: 851cc628  GrantedAccess: 001f0003 Entry: 93d26208
Object: 851cc628  Type: (83a33420) Event
    ObjectHeader: 851cc610 (new version)
        HandleCount: 1  PointerCount: 1

0108: Object: 8523bd38  GrantedAccess: 001f0003 Entry: 93d26210
Object: 8523bd38  Type: (83a33420) Event
    ObjectHeader: 8523bd20 (new version)
        HandleCount: 1  PointerCount: 1

010c: Object: 83a4c0f8  GrantedAccess: 001f0003 Entry: 93d26218
Object: 83a4c0f8  Type: (83a33420) Event
    ObjectHeader: 83a4c0e0 (new version)
        HandleCount: 1  PointerCount: 1

0110: Object: 851cf6d0  GrantedAccess: 001f0003 Entry: 93d26220
Object: 851cf6d0  Type: (83a33420) Event
    ObjectHeader: 851cf6b8 (new version)
        HandleCount: 1  PointerCount: 1

0114: Object: 85255318  GrantedAccess: 00100001 Entry: 93d26228
Object: 85255318  Type: (83a287a8) File
    ObjectHeader: 85255300 (new version)
        HandleCount: 1  PointerCount: 1

0118: Object: 93d12608  GrantedAccess: 000f003f Entry: 93d26230
Object: 93d12608  Type: (83a2d388) Key
    ObjectHeader: 93d125f0 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\USER\S-1-5-21-4213196723-1351097745-788781942-1001

011c: Object: 8e5479f0  GrantedAccess: 00000006 Entry: 93d26238
Object: 8e5479f0  Type: (83a31b50) Section
    ObjectHeader: 8e5479d8 (new version)
        HandleCount: 3  PointerCount: 4
        Directory Object: 95e2ed60  Name: windows_shell_global_counters

As we see, each entry gives the object address, type, name and counts along with the handle-table entry and the granted access mask, so every handle can be tied to the kernel object it refers to. Entries annotated (Inherit) are inheritable by child processes, and entries annotated (Protected) cannot be closed by the process that owns them (HANDLE_FLAG_PROTECT_FROM_CLOSE).

Thus, for debugging handle leaks and the like, a full kernel dump is more useful than a process dump alone: the kernel listing tells you which object each handle points at and how many other handles and references that object has.

For example, suppose we want to find all open file handles of the 'System' process. We can do that with the steps below: locate the process with !process, switch the debugger's process context to it, then ask !handle for entries of type File:

kd> !process 0 0 system
PROCESS 839afbf8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 87401ca0  HandleCount: 463.
    Image: System

kd> .process /p /r 839afbf8
Implicit process is now 839afbf8
Loading User Symbols

kd> !handle 0 7 839afbf8 File

Searching for handles of type File

PROCESS 839afbf8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 87401ca0  HandleCount: 463.
    Image: System

Kernel handle table at 87401ca0 with 463 entries in use

0054: Object: 849133f0  GrantedAccess: 00120116 Entry: 874030a8
Object: 849133f0  Type: (83a287a8) File
    ObjectHeader: 849133d8 (new version)
        HandleCount: 1  PointerCount: 1

0060: Object: 84871940  GrantedAccess: 00100001 Entry: 874030c0
Object: 84871940  Type: (83a287a8) File
    ObjectHeader: 84871928 (new version)
        HandleCount: 1  PointerCount: 1

0064: Object: 84dc24d0  GrantedAccess: 0012008b Entry: 874030c8
Object: 84dc24d0  Type: (83a287a8) File
    ObjectHeader: 84dc24b8 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\System32\wdi\LogFiles\WdiContextLog.etl.003 {HarddiskVolume2}

0070: Object: 84c0ef80  GrantedAccess: 0012019f Entry: 874030e0
Object: 84c0ef80  Type: (83a287a8) File
    ObjectHeader: 84c0ef68 (new version)
        HandleCount: 1  PointerCount: 2

0088: Object: 84c42788  GrantedAccess: 0012019f Entry: 87403110
Object: 84c42788  Type: (83a287a8) File
    ObjectHeader: 84c42770 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: \$Extend\$RmMetadata\$TxfLog\$TxfLog.blf {HarddiskVolume1}

008c: Object: 84c30268  GrantedAccess: 0012019f (Inherit) Entry: 87403118
Object: 84c30268  Type: (83a287a8) File
    ObjectHeader: 84c30250 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: TxfLog {clfs}

0090: Object: 84c30310  GrantedAccess: 0012019f Entry: 87403120
Object: 84c30310  Type: (83a287a8) File
    ObjectHeader: 84c302f8 (new version)
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: \$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 {HarddiskVolume1}

<Output snipped>


0140: Object: 847e7e98  GrantedAccess: 00020003 (Protected) Entry: 87403280
Object: 847e7e98  Type: (83a287a8) File
    ObjectHeader: 847e7e80 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\System32\config\SOFTWARE {HarddiskVolume2}


0728: free handle, Entry address 87403e50, Next Entry 00000744
0734: free handle, Entry address 87403e68, Next Entry 0000083c
0ffc: free handle, Entry address 91427ff8, Next Entry 00000000


<Output snipped>

I have deliberately snipped the output since it is very long. As we see, the System process holds open handles to regular files, registry hives, transaction logs and more.
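As an added example, not code from the original post, this Python parses a saved kernel-mode !handle listing so the same questions can be answered offline from a log: filter by type as '!handle 0 7 <process> File' does, list entries marked (Inherit) or (Protected), and find objects that are open through more than one handle (WinSta0 at 0024 and 002c above, or the same Thread at 00d4 and 00d8). The sample is constructed from entries shown on this page, mixing the NotMyfault and System listings with the ObjectHeader lines dropped; the regexes assume the line layout shown here, and the backtick allowance in addresses is an assumption for x64 targets.

```python
import re
from collections import defaultdict

# Line shapes from the kernel-mode !handle listing on this page.  x64 targets
# print addresses with a backtick separator (ffffe001`12345678); the character
# class tolerates it and hexval() strips it.  Assumed, not taken from the post.
ENTRY_RE = re.compile(r"^([0-9a-f]+): Object: ([0-9a-f`]+)\s+GrantedAccess: ([0-9a-f]+)"
                      r"((?:\s+\([A-Za-z]+\))*)\s+Entry: ([0-9a-f`]+)", re.I)
FREE_RE = re.compile(r"^([0-9a-f]+): free handle", re.I)
TYPE_RE = re.compile(r"^Object: [0-9a-f`]+\s+Type: \([0-9a-f`]+\) (.+?)\s*$", re.I)
COUNTS_RE = re.compile(r"^\s+HandleCount: (\d+)\s+PointerCount: (\d+)")
NAME_RE = re.compile(r"^\s+Directory Object: ([0-9a-f`]+)\s+Name: (.*?)\s*$", re.I)

def hexval(s):
    return int(s.replace("`", ""), 16)

def parse_kernel_handles(text):
    """Parse a kernel-mode !handle dump into (records, free_handle_indexes).
    ObjectHeader lines, the PROCESS banner and the Hash/Address listing that
    follows a Directory object match none of the patterns and are skipped."""
    records, free, cur = [], [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        f = FREE_RE.match(line)
        if m:
            cur = {"handle": hexval(m.group(1)), "object": hexval(m.group(2)),
                   "access": hexval(m.group(3)),
                   "flags": re.findall(r"\((\w+)\)", m.group(4)),
                   "entry": hexval(m.group(5)), "type": None, "name": None}
            records.append(cur)
        elif f:
            free.append(hexval(f.group(1)))
            cur = None          # nothing below a free slot belongs to an object
        elif cur is not None:
            if TYPE_RE.match(line):
                cur["type"] = TYPE_RE.match(line).group(1)
            elif COUNTS_RE.match(line):
                m = COUNTS_RE.match(line)
                cur["handle_count"], cur["pointer_count"] = int(m.group(1)), int(m.group(2))
            elif NAME_RE.match(line):
                m = NAME_RE.match(line)
                cur["directory"], cur["name"] = hexval(m.group(1)), m.group(2)
    return records, free

def by_type(records, obj_type):
    """Same filter as '!handle 0 7 <process> File', applied to a saved log."""
    return [r for r in records if r["type"] == obj_type]

def flagged(records, flag):
    """Entries carrying an attribute: Inherit (copied into every child created
    with bInheritHandles=TRUE) or Protected (HANDLE_FLAG_PROTECT_FROM_CLOSE)."""
    return [(r["handle"], r["type"], r["name"]) for r in records
            if flag in r["flags"]]

def shared_objects(records):
    """Objects reachable through more than one handle of the same table; a
    leak that keeps re-opening the same object shows up here first."""
    seen = defaultdict(list)
    for r in records:
        seen[r["object"]].append(r["handle"])
    return {obj: hs for obj, hs in seen.items() if len(hs) > 1}

# Constructed sample: entries copied from the listings on this page (NotMyfault
# and System mixed), ObjectHeader lines dropped for brevity.
KSAMPLE = r"""
0004: Object: 8b265108  GrantedAccess: 00000003 Entry: 93d26008
Object: 8b265108  Type: (839b7e90) Directory
        HandleCount: 29  PointerCount: 67
        Directory Object: 874010e8  Name: KnownDlls
         00  875dd678 Section       gdi32.dll
0008: Object: 851d11c0  GrantedAccess: 00100020 Entry: 93d26010
Object: 851d11c0  Type: (83a287a8) File
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Users\Win7SP1x86-Debug\Desktop\Tools\Notmyfault\exe\Release {HarddiskVolume2}
0020: Object: 851cec08  GrantedAccess: 001f0003 (Protected) Entry: 93d26040
Object: 851cec08  Type: (83a33420) Event
        HandleCount: 1  PointerCount: 2
0024: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26048
Object: 84ccffa8  Type: (83a28de8) WindowStation
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0
002c: Object: 84ccffa8  GrantedAccess: 000f037f Entry: 93d26058
Object: 84ccffa8  Type: (83a28de8) WindowStation
        HandleCount: 13  PointerCount: 24
        Directory Object: 95e31b38  Name: WinSta0
008c: Object: 84c30268  GrantedAccess: 0012019f (Inherit) Entry: 87403118
Object: 84c30268  Type: (83a287a8) File
        HandleCount: 1  PointerCount: 2
        Directory Object: 00000000  Name: TxfLog {clfs}
00d4: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261a8
Object: 850bfa88  Type: (839b78b0) Thread
        HandleCount: 2  PointerCount: 3
00d8: Object: 850bfa88  GrantedAccess: 001fffff Entry: 93d261b0
Object: 850bfa88  Type: (839b78b0) Thread
        HandleCount: 2  PointerCount: 3
0728: free handle, Entry address 87403e50, Next Entry 00000744
"""
```

Capture the debugger output with .logopen before running !handle, then feed the log text to parse_kernel_handles(). The Inherit list is the one worth reading first on a service or broker process: anything in it is copied into every child started with handle inheritance enabled, so a privileged file or thread handle there ends up in lower-trust code.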

We will revisit this topic in a future post to see how this information can be extended to find which device an I/O request is bound to.


The !object command gives even more information about the object behind a handle; a separate blog post describes how !object works.
