179 terms

WinDbg - Kernel-Mode Extension Commands

Kernel-Mode Extension Commands from WinDbg Help
STUDY
PLAY
!ahcache
The !ahcache extension displays the application compatibility cache.
!ahcache [Flags]
!alignmentfaults
The !alignmentfaults extension displays all current type alignment faults by location and image, sorted by frequencies.
!alignmentfaults
!analyzebugcheck
The !analyzebugcheck extension command is obsolete. Use !analyze instead
!apc
The !apc extension formats and displays the contents of one or more asynchronous procedure calls (APCs).
!apc
!apc proc Process
!apc thre Thread
!apc KAPC
!apicerr
The !apicerr extension displays the local Advanced Programmable Interrupt Controller (APIC) error log.
!apicerr [Format]
!arbinst
The !arbinst extension displays information about a specified arbiter.
!arbinst Address [Flags]
!arbiter
The !arbiter extension displays the current system resource arbiters and arbitrated ranges.
!arbiter [Flags]
!ate
The !ate extension displays the alternate page table entry (ATE) for the specified address.
!ate Address
!bcb
The !bcb extension displays the specified buffer control block.
!bcb Address
!blockeddrv
The !blockeddrv extension displays the list of blocked drivers on the target computer.
!blockeddrv
!bpid
The !bpid extension requests that a process on the target computer break into the debugger or requests that a user-mode debugger be attached to a process on the target computer.
!bpid [Options] PID
!btb
The !btb extension displays the Itanium-based processor, branch traces buffer (BTB) configuration and trace registers for the current processor.
!btb
!bth
The !bth extension displays the Itanium-based branch traces history for the specified processor.
!bth [Processor]
!bugdump
The !bugdump extension formats and displays the information contained in the bug check callback buffers.
!bugdump [Component]
!bushnd
The !bushnd extension displays a HAL BUS_HANDLER structure.
!bushnd [Address]
!ca
The !ca extension displays the control area for the specified section.
!ca Address
!callback
The !callback extension displays the callback data related to the trap for the specified thread.
!callback Address [Number]
!calldata
The !calldata extension displays performance information in the form of procedure call statistics from the named table.
!calldata Table
!can_write_kdump
The !can_write_kdump extension verifies that there is enough disk space on the target computer to write a kernel dump file of the specified type.
!can_write_kdump [-dn] [Options]
!cbreg
The !cbreg extension displays CardBus Socket registers and CardBus Exchangable Card Architecture (ExCA) registers.
!cbreg [%%]Address
!cchelp
The !cchelp extension displays some brief Help text in the Debugger command window for some of the cache management extensions.
!cchelp
!checklowmem
The !chklowmem extension determines whether physical memory pages below 4 GB are filled with the required fill pattern on a computer that was booted with the /pae and /nolowmem options.
!chklowmem
!cmreslist
The !cmreslist extension displays the CM_RESOURCE_LIST structure for the specified device object.
!cmreslist Address
!cpuinfo
The !cpuinfo extension displays detailed information about the target computer's CPU.
Syntax in Windows 2000
!cpuinfo
Syntax in Windows XP and later
!cpuinfo [Processor]
!db, !dc, !dd, !dp, !dq, !du, and !dw
The !db, !dc, !dd, !dp, !dq, !du, and !dw extensions display data at the specified physical address on the target computer.
These extension commands should not be confused with the d* (Display Memory) command, or with the !ntsdexts.dp extension command.
!db [Caching] [-m] [PhysicalAddress] [L Size]
!dc [Caching] [-m] [PhysicalAddress] [L Size]
!dd [Caching] [-m] [PhysicalAddress] [L Size]
!dp [Caching] [-m] [PhysicalAddress] [L Size]
!dq [Caching] [-m] [PhysicalAddress] [L Size]
!du [Caching] [-m] [PhysicalAddress] [L Size]
!dw [Caching] [-m] [PhysicalAddress] [L Size]
!dbgprint
The !dbgprint extension displays a string that was previously sent to the DbgPrint buffer.
!dbgprint
!dblink
The !dblink extension displays a linked list in the backward direction.
!dblink Address [Count] [Bias]
!dcr
The !dcr extension displays the default control register (DCR) at the specified address.
!dcr Expression [DisplayLevel]
!dcs
The !dcs extension is obsolete. To display the PCI configuration space, use !pci 100 Bus Device Function.
!deadlock
The !deadlock extension displays information about deadlocks collected by the Deadlock Detection option of Driver Verifier.
!deadlock
!deadlock 1
!defwrites
The !defwrites extension displays the values of the kernel variables used by the cache manager.
!defwrites
!devtext
The !devext extension displays bus-specific device extension information for devices on a variety of buses.
!devext Address TypeCode
!devhandles
The !devhandles extension displays the open handles for the specified device.
!devhandles Address
!devnode
The !devnode extension displays information about a node in the device tree.
!devnode Address [Flags] [Service]
!devnode 1
!devnode 2
!devobj
The !devobj extension displays detailed information about a DEVICE_OBJECT structure.
!devobj DeviceObject
!devstack
The !devstack extension displays a formatted view of the device stack associated with a device object.
!devstack DeviceObject
!dflink
The !dflink extension displays a linked list in the forward direction.
!dflink Address [Count] [Bias]
!diskspace
The !diskspace extension displays the amount of free space on a hard disk of the target computer.
!diskspace Drive[:]
!dma
The !dma extension displays information about the Direct Memory Access (DMA) subsystem, and the DMA Verifier option of Driver Verifier.
!dma
!dma Adapter [Flags]
!dpa
The !dpa extension displays pool allocation information.
!dpa Options
!dpa -?
!dpcs
The !dpcs extension displays the deferred procedure call (DPC) queues for a specified processor.
!dpcs [Processor]
!driveinfo
The !driveinfo extension displays volume information for the specified drive.
!driveinfo Drive[:]
!driveinfo
!drivers
In operating systems prior to Windows XP, the !drivers extension displays a list of all drivers loaded on the target computer, along with summary information about their memory use.
In Windows XP and later versions of Windows, the !drivers extension is obsolete. To display information about loaded drivers and other modules, use the lm command. The command lm t n displays information in a format very similar to the old !drivers extension. However, this command will not display the memory usage of the drivers as the !drivers extension did. It will only display the drivers' start and end addresses, image names, and timestamps. The !vm and !memusage extensions can be used to display memory usage statistics.
!drivers [Flags]
!drvobj
The !drvobj extension displays detailed information about a DRIVER_OBJECT.
!drvobj DriverObject [Flags]
!dskheap
The !dskheap extension displays desktop heap information for a specified session.
!dskheap [-v] [-s SessionID]
!eb, !ed
The !eb and !ed extensions write a sequence of values into a specified physical address.
These extension commands should not be confused with the e* (Enter Values) command.
!eb [Flag] PhysicalAddress Data [ ... ]
!ed [Flag] PhysicalAddress Data [ ... ]
!ecb, !ecd, !ecw
The !ecb, !ecd, and !ecw extensions write to the PCI configuration space.
!ec Bus.Device.Function Offset Data
!ecs
The !ecs extension is obsolete. To edit the PCI configuration space, use !ecb, !ecd, or !ecw.
!errlog
The !errlog extension displays the contents of any pending entries in the I/O system's error log.
!errlog
!errpkt
The !errpkt extension displays the contents of a Windows Hardware Error Architecture (WHEA) hardware error packet.
!errpkt Address
!errrec
The !errrec extension displays the contents of a Windows Hardware Error Architecture (WHEA) error record.
!errrec Address
!exca
The !exca extension displays PC-Card Interrupt Controller (PCIC) Exchangable Card Architecture (ExCA) registers.
!exca BasePort.SocketNumber
!exqueue
The !exqueue extension displays a list of items currently queued in the ExWorkerQueue work queues.
!exqueue [Flags]
!filecache
The !filecache extension displays information regarding the system file cache memory and PTE use.
!filecache
!filelock
The !filelock extension displays a file lock structure.
Syntax varies with the version of Windows
!fileobj
The !fileobj extension displays detailed information about a FILE_OBJECT structure.
!fileobj FileObject
!filetime
The !filetime extension converts a 64-bit FILETIME structure into a human-readable time.
!filetime Time
!finddata
The !finddata extension displays the cached data at a given offset within a specified file object.
!finddata FileObject Offset
!findfilelockowner
The !findfilelockowner extension attempts to find the owner of a file object lock by examining all threads for a thread that is blocked in an IopSynchronousServiceTail assert and that has the file object as a parameter.
!findfilelockowner [FileObject]
!for_each_process
The !for_each_process extension executes the specified debugger command once for each process in the target.
!for_each_process ["CommandString"]
!for_each_process -?
!for_each_thread
The !for_each_thread extension executes the specified debugger command once for each thread in the target.
!for_each_thread ["CommandString"]
!for_each_thread -?
!fpsearch
The !fpsearch extension searches the freed special pool for a specified address.
!fpsearch [Address] [Flag]
!frag
The !frag extension displays fragmentation information about pool memory on the target system.
!frag [Flags]
!frozen
The !frozen extension displays the state of each processor.
!frozen
!fwver
The !fwver extension displays the Itanium firmware version.
!fwver
!gbl
The !gbl extension displays header information from the ACPI BIOS Root System Description (RSDT) table of the target computer.
!gbl [-v]
!gentable
The !gentable extension displays an RTL_GENERIC_TABLE.
Syntax varies by version of Windows
!hidppd
The !hidppd extension displays the contents of the HIDP_PREPARSED_DATA structure.
!hidppd Address
!ib, !id, !iw
The !ib, !id, and !iw extension commands are obsolete. Use the ib, id, iw (Input from Port) commands instead.
!icpleak
The !icpleak extension examines all I/O completion objects in the system for the object with the largest number of queued entries.
!icpleak [HandleFlag]
!idt
The !idt extension displays the interrupt service routines (ISRs) for a specified interrupt dispatch table (IDT).
!idt IDT
!idt [-a]
!idt -?
!ih
The !ih extension displays the interrupt history record for the specified processor.
!ih Processor
!ihs
The !ihs extension displays the interrupt history record for the specified processor, using program counter symbols.
!ihs Processor
!ioresdes
The !ioresdes extension displays the IO_RESOURCE_DESCRIPTOR structure at the specified address.
!ioresdes Address
!ioreslist
The !ioreslist extension displays an IO_RESOURCE_REQUIREMENTS_LIST structure.
!ioreslist Address
!iovirp
The !iovirp extension displays detailed information for a specified I/O Verifier IRP.
!iovirp [IRP]
!ipi
The !ipi extension displays the interprocessor interrupt (IPI) state for a specified processor.
!ipi [Processor]
!irp
The !irp extension displays information about an I/O request packet (IRP).
!irp Address [Detail]
!irpfind
The !irpfind extension displays information about all I/O request packets (IRP) currently allocated in the target system, or about those IRPs matching the specified search criteria.
Syntax varies with the version of Windows
!irpzone
The !irpzone extension command is obsolete. Use !irpfind instead.
!irql
The !irql extension displays the interrupt request level (IRQL) of a processor on the target computer before the debugger break.
!irql [Processor]
!isainfo
The !isainfo extension displays information about PNPISA cards or devices present in the system..
!isainfo [Card]
!isr
The !isr extension displays the Itanium Interruption Status Register (ISR) at the specified address.
!isr Expression [DisplayLevel]
!ivt
The !ivt extension displays the Itanium interrupt vector table.
!ivt [-v] [-a] [Vector]
!ivt -?
!job
The !job extension displays a job object.
!job [Process [Flags]]
!kb, !kv
The !kb and !kv extension commands are obsolete. Use the kb (Display Stack Backtrace) and kv (Display Stack Backtrace) commands instead.
!loadermemorylist
The !loadermemorylist extension displays the memory allocation list that the Windows boot loader passes to Windows.
!loadermemorylist ListHeadAddress
!lockedpages
The !lockedpages extension displays driver-locked pages for the current process in Windows 2000 and for a specified process in Windows XP and later.
Syntax varies with version of Windows
!locks (!kdext*.locks)
The !locks extension in Kdextx86.dll and Kdexts.dll displays information about kernel ERESOURCE locks.
This extension command should not be confused with the !ntsdexts.locks extension command.
!locks [Options] [Address]
!logonsession
The !logonsession extension displays information about a specified logon session.
Free Build Syntax
!logonsession LUID
Checked Build Syntax
!logonsession LUID [InfoLevel]
!lookaside
The !lookaside extension displays information about look-aside lists, resets the counters of look-aside lists, or modifies the depth of a look-aside list.
!lookaside [Address [Options [Depth]]]
!lookaside [-all]
!lookaside 0 [-all]
!lpc
The !lpc extension displays information about all local procedure call (LPC) ports and messages in the target system.
Syntax varies with the version of Windows
!mca
On an x86 target computer, the !mca extension displays the machine check architecture (MCA) registers. On an Itanium target computer, the !mca extension displays the MCA error record.
Syntax for x86 target computer
!mca
Syntax for Itanium target computer
!mca Address [Flags]
!memlist
The !memlist extension scans physical memory lists from the page frame number (PFN) database in order to check them for consistency.
!memlist Flags
!memusage
The !memusage extension displays summary statistics about physical memory use.
Syntax varies with version of Windows
!mps
The !mps extension displays BIOS information for the Intel Multiprocessor Specification (MPS) of the target computer.
!mps [Address]
!mtrr
The !mtrr extension displays the contents of the MTRR register.
!mtrr
!npx
The !npx extension displays the contents of the floating-point register save area.
!npx Address
!ob, !od, !ow
The !ob, !od, and !ow extension commands are obsolete. Use the ob, od, ow (Output to Port) commands instead.
!object
The !object extension displays information about a system object.
!object Address
!object 0 Name
!object Path
!object -r
!obtrace
The !obtrace extension displays object reference tracing data for the specified object.
!obtrace Object
!openmaps
The !openmaps extension displays the referenced buffer control blocks (BCBs) and virtual address control blocks (VACBs) for the specified shared cache map.
!openmaps Address [Flag]
!pars
The !pars extension displays a specified processor application registers file.
!pars Address
!pat
The !pat extension displays the Page Attribute Table (PAT) registers for the target processor.
!pat Flag
!pat
!pci
The !pci extension displays the current status of the peripheral component interconnect (PCI) buses, as well as any devices attached to those buses.
!pci [Flags [Segment] [Bus [Device [Function [MinAddress
MaxAddress]]]]]
!pciir
The !pciir extension displays the contents of the hardware routing of peripheral component interconnect (PCI) devices to interrupt controller inputs.
!pciir
!pcitree
The !pcitree extension displays information about PCI device objects, including child PCI buses and CardBus buses, and the devices attached to them.
!pcitree
!pcm
The !pcm extension displays the specified private cache map. This extension is only available in Windows 2000.
!pcm Address
!pcr
The !pcr extension displays the current status of the Processor Control Region (PCR) on a specific processor.
!pcr [Processor]
!pcrs
The !pcrs extension displays the Intel Itanium-specific processor control registers.
!pcrs Address
!pfn
The !pfn extension displays information about a specific page frame or the entire page frame database.
!pfn PageFrame
!pmc
The !pmc extension displays the Performance Monitor Counter (PMC) register at the specified address.
This extension is supported only on an Itanium-based target computer.
!pmc [- Option] Expression [DisplayLevel]
!pmssa
The !pmssa extension displays a specified processor Minimal State Save Area (also known as Min-StateSave Area).
This extension can only be used with an Itanium-based target computer.
!pmssa Address
!pnpevent
The !pnpevent extension displays the Plug and Play device event queue.
!pnpevent [DeviceEvent]
!pocaps
The !pocaps extension displays the power capabilities of the target computer.
!pocaps
!pool
The !pool extension displays information about a specific pool allocation or about the entire system-wide pool.
!pool [Address [Flags]]
!poolfind
The !poolfind extension finds all instances of a specific pool tag in either nonpaged or paged memory pools.
!poolfind TagString [PoolType]
!poolfind TagValue [PoolType]
!poolused
The !poolused extension displays memory use summaries, based on the tag used for each pool allocation.
!poolused [Flags [TagString]]
!poolval
The !poolval extension analyzes the headers for a pool page and diagnoses any possible corruption. This extension is only available in Windows XP and later versions.
!poolval Address [DisplayLevel]
!popolicy
The !popolicy extension displays the power policy of the target computer.
!popolicy [Address]
!pplookaside
[This documentation is preliminary and is subject to change.]

The !pplookaside command displays LookasideLists for processorss in the taget computer.
!prcb
The !prcb extension displays the processor control block (PRCB).
!prcb [Processor]
!process
The !process extension displays information about the specified process, or about all processes, including the EPROCESS block.

This extension can be used only during kernel-mode debugging.
Syntax varies with the version of Windows
!processfields
The !processfields extension displays the names and offsets of the fields within the executive process (EPROCESS) block.
!processfields
!psp
The !psp extension displays the processor state parameter (PSP) register at the specified address.
This extension is supported only on Itanium-based target computers.
!psp Address [DisplayLevel]
!pte
The !pte extension displays the page table entry (PTE) and page directory entry (PDE) for the specified address.
Syntax varies with the version of Windows
!pte2va
The !pte2va extension displays the virtual address that corresponds to the specified page table entry (PTE).
!pte2va Address
!ptov
The !ptov extension displays the entire physical-to-virtual map for a given process.
!ptov PFN
!qlocks
The !qlocks extension displays the state of all queued spin locks.
!qlocks
!ready
The !ready extension displays summary information about each thread in the system in a READY state.
!ready [Flags]
!reg
The !reg extension displays and searches through registry data.
(Many command options)
!regkcb
The !regkcb extension displays a registry key control block.
!regkcb Address
!rellist
The !rellist extension displays a Plug and Play relation list.
!rellist Address [Flags]
!running
The !running extension displays a list of running threads on all processors of the target computer.
!running [-i] [-t]
!scm
The !scm extension displays the specified shared cache map.
!scm Address
!search
The !search extension searches pages in physical memory for pointer-sized data that matches the specified criteria.
Syntax varies with the version of Windows
!searchpte
The !searchpte extension searches physical memory for the specified page frame number (PFN).
!searchpte PFN
!searchpte -?
!sel
The !sel extension command is obsolete. Use the dg (Display Selector) command instead.
!session
In Windows 2000, the !session extension displays one or more user sessions, or displays a specified process running in multiple user sessions.

In Windows XP and later versions of Windows, the !session extension controls the session context. It can also display a list of all user sessions.

Syntax varies with the version of Windows
!smt
The !smt extension displays a summary of the simultaneous multithreaded processor information.
!smt
!spoolsum
The !spoolsum extension summarizes pool information for the current session.
!spoolsum [-Option]
!spoolsum -?
!spoolused
The !spoolused extension displays memory use summaries for the paged pool owned by the specified session.
!spoolused -p [-s Session] [TagString]]
!spoolused -?
!sprocess
The !sprocess extension displays information about the specified session process, or about all processes in the specified session.
!sprocess Session [Flags [ImageName]]
!sprocess -?
!srb
The !srb extension displays information about a SCSI Request Block (SRB).
!srb Address
!stacks
The !stacks extension displays information about the kernel stacks.
Syntax varies with the version of Windows
!swd
The !swd extension displays the software watchdog timer states for the specified processor, including the deferred procedure call (DPC) and the watchdog timer states for threads.
!swd [Processor]
!sysinfo
The !sysinfo extension reads and displays specified SMBIOS, Advanced Configuration and Power Interface (ACPI), and CPU information from a dump file or live system.
(Many options available)
!sysptes
The !sysptes extension displays a formatted view of the system page table entries (PTEs).
!sysptes [Flags]
!thread
The !thread extension displays summary information about a thread on the target system, including the ETHREAD block. This command can be used only during kernel-mode debugging.

This extension command is not the same as the .thread (Set Register Context) command.
Syntax varies with the version of Windows
!threadfields
The !threadfields extension displays the names and offsets of the fields within the executive thread (ETHREAD) block.
!threadfields
!time
The !time extension command is obsolete. Use the .time (Display System Time) command instead.
!timer
The !timer extension displays a detailed listing of all system timer use.
!timer
!tokenfields
The !tokenfields extension displays the names and offsets of the fields within the access token object (the TOKEN structure).
!tokenfields
!trap
The !trap extension command is obsolete. Use the .trap (Display Trap Frame) command instead.
!tss
The !tss extension command is obsolete. Use the .tss (Display Task State Segment) command instead.
!tz
The !tz extension displays the specified power thermal zone structure.
!tz [Address]
!tzinfo
The !tzinfo extension displays the contents of the specified thermal zone information structure.
!tzinfo Address
!ubc
The !ubc extension clears a user-space breakpoint.
!ubc BreakpointNumber
!ubd
The !ubd extension temporarily disables a user-space breakpoint.
!ubd BreakpointNumber
!ube
The !ube extension re-enables a user-space breakpoint.
!ube BreakpointNumber
!ubl
The !ubl extension lists all user-space breakpoints and their current status.
!ubl
!ubp
The !ubp extension sets a breakpoint in user space.
!ubp Address
!urb
The !urb extension command is obsolete. Use the dt URB command instead.
!vad
The !vad extension displays details of a virtual address descriptor (VAD) or a tree of VADs.
Displays details of one virtual addres descriptor (VAD)
Displays details of a tree of VADs.
Displays information about the VADs for a particular user-mode module and provides a string that you can use to load the symbols for that module.
!vad VAD-Root [Flag]
!vad Address 1
!vad_reload
The !vad_reload extension reloads the user-mode modules for a specified process by using the virtual address descriptors (VADs) of that process.
!vad_reload Process
!valiatelist
The !validatelist extension verifies that the backward and forward links in a doubly-linked list are valid.
!validatelist Address
!verifier
The !verifier extension displays the status of Driver Verifier and its actions.

Driver Verifier is included in Windows. It works on both checked and free builds. For information about Driver Verifier, see the Driver Verifier topic in the Windows Driver Kit (WDK) documentation.
Syntax varies with the version of Windows
!vm
The !vm extension displays summary information about virtual memory use statistics on the target system.
!vm [Flags]
!vpb
The !vpb extension displays a volume parameter block (VPB).
!vpb Address
!vpdd
The !vpdd extension is obsolete. Use !vtop or !ptov instead.
!vtop
The !vtop extension converts a virtual address to the corresponding physical address, and displays other page table and page directory information.
!walklist
The !walklist extension searches for an address in a session list for the current session.
!walklist [-a] [-o Offset] StartAddress SearchAddress
!walklist -?
!wdmaud
Displays a variety of WDM Audio (WDMAud) structures.
!wdmaud Address Flags
!whattime
The !whattime extension converts a tick count into a standard time value.
!whattime Ticks
!whatperftime
The !whatperftime extension converts a high-resolution performance counter value into a standard time value.
!whatperftime Count
!whea
The !whea extension displays top-level Windows Hardware Error Architecture (WHEA) information.
!whea
!wsle
The !wsle extension displays all working set list entries (WSLEs).
Syntax varies with the version of Windows
!xpoolmap
(Windows XP only.) The !xpoolmap extension displays a map of pool use.
!xpoolmap [Pool]
!xpoolmap -?
!zombies
The !zombies extension displays all dead ("zombie") processes or threads.
!zombies [Flags [RestartAddress]]
YOU MIGHT ALSO LIKE...