process (WinDbg) - Windows drivers (2023)

Table of Contents
In this article Parameters DLL Additional Information Remarks FAQs Videos
  • Article
  • 7 minutes to read

The !process extension displays information about the specified process, or about all processes, including the EPROCESS block.

This extension can be used only during kernel-mode debugging.

Syntax

(Video) Windows Kernel Debugging with windbg - !process

!process [/s Session] [/m Module] [Process [Flags]]!process [/s Session] [/m Module] 0 Flags ImageName

Parameters

/s **** Session
Specifies the session that owns the desired process.

/m **** Module
Specifies the module that owns the desired process.

Process
Specifies the hexadecimal address or the process ID of the process on the target computer.

The value of Process determines whether the !process extension displays a process address or a process ID . If Process is omitted in any version of Windows, the debugger displays data only about the current system process. If Process is 0 and ImageName is omitted, the debugger displays information about all active processes. If -1 is specified for Process information about the current process is displayed.

Flags
Specifies the level of detail to display. Flags can be any combination of the following bits. If Flags is 0, only a minimal amount of information is displayed. The default varies according to the version of Windows and the value of Process. The default is 0x3 if Process is omitted or if Process is either 0 or -1; otherwise, the default is 0xF.

(Video) 01 Windows Device Driver Development using WDF --Introduction

Bit 0 (0x1)
Displays time and priority statistics.

Bit 1 (0x2)
Displays a list of threads and events associated with the process, and their wait states.

Bit 2 (0x4)
Displays a list of threads associated with the process. If this is included without Bit 1 (0x2), each thread is displayed on a single line. If this is included along with Bit 1, each thread is displayed with a stack trace.

Bit 3 (0x8)
Displays the return address and the stack pointer for each function The display of function arguments is suppressed.

Bit 4 (0x10)
Sets the process context equal to the specified process for the duration of this command. This results in a more accurate display of thread stacks. Because this flag is equivalent to using .process /p /r for the specified process, any existing user-mode module list will be discarded. If Process is zero, the debugger displays all processes, and the process context is changed for each one. If you are only displaying a single process and its user-mode state has already been refreshed (for example, with .process /p /r), it is not necessary to use this flag. This flag is only effective when used with Bit 0 (0x1).

(Video) Debug a windows service using WinDBG. Some techniques to try when attaching WinDBG

ImageName
Specifies the name of the process to be displayed. The debugger displays all processes whose executable image names match ImageName. The image name must match that in the EPROCESS block. In general, this is the executable name that was invoked to start the process, including the file extension (usually .exe), and truncated after the fifteenth character. There is no way to specify an image name that contains a space. When ImageName is specified, Process must be zero.

DLL

Kdexts.dll

Additional Information

For information about processes in kernel mode, see Changing Contexts. For more information about analyzing processes and threads, see Microsoft Windows Internals, by Mark Russinovich and David Solomon.

Remarks

The following is an example of a !process 0 0 display:

kd> !process 0 0**** NT ACTIVE PROCESS DUMP ****PROCESS 80a02a60 Cid: 0002 Peb: 00000000 ParentCid: 0000 DirBase: 00006e05 ObjectTable: 80a03788 TableSize: 150. Image: SystemPROCESS 80986f40 Cid: 0012 Peb: 7ffde000 ParentCid: 0002 DirBase: 000bd605 ObjectTable: 8098fce8 TableSize: 38. Image: smss.exePROCESS 80958020 Cid: 001a Peb: 7ffde000 ParentCid: 0012 DirBase: 0008b205 ObjectTable: 809782a8 TableSize: 150. Image: csrss.exePROCESS 80955040 Cid: 0020 Peb: 7ffde000 ParentCid: 0012 DirBase: 00112005 ObjectTable: 80955ce8 TableSize: 54. Image: winlogon.exePROCESS 8094fce0 Cid: 0026 Peb: 7ffde000 ParentCid: 0020 DirBase: 00055005 ObjectTable: 80950cc8 TableSize: 222. Image: services.exePROCESS 8094c020 Cid: 0029 Peb: 7ffde000 ParentCid: 0020 DirBase: 000c4605 ObjectTable: 80990fe8 TableSize: 110. Image: lsass.exePROCESS 809258e0 Cid: 0044 Peb: 7ffde000 ParentCid: 0026 DirBase: 001e5405 ObjectTable: 80925c68 TableSize: 70. Image: SPOOLSS.EXE

The following table describes some of the elements of the !process 0 0 output.

(Video) WinDbg: User and Kernel Mode Debugging: Windows Debuggers:

ElementMeaning

Process address

The eight-character hexadecimal number after the word PROCESS is the address of the EPROCESS block. In the final entry in the preceding example, the process address is 0x809258E0.

Process ID (PID)

The hexadecimal number after the word Cid. In the final entry in the preceding example, the PID is 0x44, or decimal 68.

Process Environment Block (PEB)

The hexadecimal number after the word Peb is the address of the process environment block. In the final entry in the preceding example, the PEB is located at address 0x7FFDE000.

Parent process PID

The hexadecimal number after the word ParentCid is the PID of the parent process. In the final entry in the preceding example, the parent process PID is 0x26, or decimal 38.

Image

The name of the module that owns the process. In the final entry in the preceding example, the owner is spoolss.exe. In the first entry, the owner is the operating system itself.

Process object address

The hexadecimal number after the word ObjectTable. In the final entry in the preceding example, the address of the process object is 0x80925c68.

To display full details on one process, set Flags to 7. The process itself can be specified by setting Process equal to the process address, setting Process equal to the process ID, or setting ImageName equal to the executable image name. Here is an example:

kd> !process fb667a00 7PROCESS fb667a00 Cid: 0002 Peb: 00000000 ParentCid: 0000 DirBase: 00030000 ObjectTable: e1000f88 TableSize: 112. Image: System VadRoot fb666388 Clone 0 Private 4. Modified 9850. Locked 0. FB667BBC MutantState Signalled OwningThread 0 Token e10008f0 ElapsedTime 15:06:36.0338 UserTime 0:00:00.0000 KernelTime 0:00:54.0818 QuotaPoolUsage[PagedPool] 1480Working Set Sizes (now,min,max) (3, 50, 345) PeakWorkingSetSize 118 VirtualSize 1 Mb PeakVirtualSize 1 Mb PageFaultCount 992 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 8 THREAD fb667780 Cid 2.1 Teb: 00000000 Win32Thread: 80144900 WAIT: (WrFreePage) KernelMode Non-Alertable 80144fc0 SynchronizationEvent Not impersonating Owning Process fb667a00 WaitTime (seconds) 32278 Context Switch Count 787 UserTime 0:00:00.0000 KernelTime 0:00:21.0821 Start Address Phase1Initialization (0x801aab44) Initial Sp fb26f000 Current Sp fb26ed00 Priority 0 BasePriority 0 PriorityDecrement 0 DecrementCount 0 ChildEBP RetAddr Args to Child fb26ed18 80118efc c0502000 804044b0 00000000 KiSwapThread+0xb5 fb26ed3c 801289d9 80144fc0 00000008 00000000 KeWaitForSingleObject+0x1c2

Note that the address of the process object can be used as input to other extensions, such as !handle, to obtain further information.

The following table describes some of the elements in the previous example.

ElementMeaning
WAITThe parenthetical comment after this heading gives the reason for the wait. The command dt nt!_KWAIT_REASON will display a list of all wait reasons.

ElapsedTime

Lists the amount of time that has elapsed since the process was created. This is displayed in units of Hours:Minutes:Seconds.Milliseconds.

UserTime

Lists the amount of time the process has been running in user mode. If the value for UserTime is exceptionally high, it might identify a process that is depleting system resources. Units are the same as those of ElapsedTime.

KernelTime

Lists the amount of time the process has been running in kernel mode. If the value for KernelTime is exceptionally high, it might identify a process that is depleting system resources. Units are the same as those of ElapsedTime.

Working Set sizes

Lists the current, minimum and maximum working set size for the process, in pages. An exceptionally large working set size can be a sign of a process that is leaking memory or depleting system resources.

QuotaPoolUsage entries

Lists the paged and nonpaged pool used by the process. On a system with a memory leak, looking for excessive nonpaged pool usage on all the processes can tell you which process has the memory leak.

Clone

Indicates whether or not the process was created by the POSIX or Interix subsystems.

Private

Indicates the number of private (non-sharable) pages currently being used by the process. This includes both paged in and paged out memory.

In addition to the process list information, the thread information contains a list of the resources on which the thread has locks. This information is listed in the third line of output after the thread header. In this example, the thread has a lock on one resource, a SynchronizationEvent with an address of 80144fc0. By comparing this address to the list of locks shown by the !kdext*.locks extension, you can determine which threads have exclusive locks on resources.

The !stacks extension gives a brief summary of the state of every thread. This can be used instead of the !process extension to get a quick overview of the system, especially when debugging multithread issues, such as resource conflicts or deadlocks.

(Video) Windbg: User and Kernel Mode: Windows 10 Install

FAQs

How do I attach a running process to WinDbg? ›

When WinDbg is in dormant mode, you can attach to a running process by choosing Attach to a Process from the File menu or by pressing F6. In the Attach to Process dialog box, select the process you want to debug, and select OK.

Discover More
What does WinDbg mean? ›

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development.

Learn More Now
How do I disable WinDbg? ›

You can exit WinDbg by choosing Exit from the File menu or by pressing ALT+F4. If you are performing user-mode debugging, these commands close the application that you are debugging, unless you used the -pd command-line option when you started the debugger.

Tell Me More
How do I debug Windows drivers? ›

How to debug a Windows kernel driver properly?
  1. Install Windows 10 to a virtual machine (VirtualBox);
  2. Turn on Test mode and set BCDEdit as local;
  3. Install WDK;
  4. Download OSR Loader;
  5. Copy files after a building to a VM (C:\DriverTest\TestKernelDriver2\; .cer, .inf, .pdb, .sys);
Feb 20, 2019

Learn More
How to install WinDbg from command line? ›

Step-by-step instructions:
  1. Download winsdksetup.exe (or sdksetup.exe )
  2. Open Command Prompt.
  3. Navigate to the folder in which winsdksetup.exe is downloaded.
  4. Issue the following command: winsdksetup /layout.
  5. Select an empty folder into which WinDbg will be downloaded and press Next.
Apr 12, 2017

View Details
How do I attach a process in Windows? ›

You can attach the Visual Studio debugger to a running process on a local or remote computer. After the process is running, select Debug > Attach to Process or press Ctrl+Alt+p in Visual Studio, and use the Attach to Process dialog to attach the debugger to the process.

Read On
How do I push a process to run in the background? ›

Use bg to Send Running Commands to the Background

You can easily send such commands to the background by hitting the Ctrl + Z keys and then using the bg command. Hitting Ctrl + Z stops the running process, and bg takes it to the background.

View Details
Where does WinDbg preview Install? ›

Currently WinDbg Preview can be installed only on a Win 10 machine from the Windows Store. Join the github discussion if you want WinDbg Preview to be installed anywhere. In order to use WinDbg Preview on any Windows machine, copy the contents of C:\Program Files\WindowsApps\Microsoft.

View More
Where is WinDbg preview installed? ›

Currently WinDbg Preview can be installed only on a Win 10 machine from the Windows Store. Join the github discussion if you want WinDbg Preview to be installed anywhere. In order to use WinDbg Preview on any Windows machine, copy the contents of C:\Program Files\WindowsApps\Microsoft.

Get More Info Here
How do I set WinDbg as default debugger? ›

To set the postmortem debugger to WinDbg, run windbg -I . (The I must be capitalized.) This command will display a success or failure message after it is used. To work with both 32 and 64 bit applications, run the command for the both the 64 and 32 debuggers.

Explore More

How to download WinDbg without Microsoft Store? ›

Firstly, go to https://store.rg-adguard.net/ and paste the link of WinDBG Preview from Microsoft Store. Paste in the search bar and press the Tick button. The website will then obtain the package's URL for you to download the AppX file.

Know More
How do I enable Windows biometrics? ›

To set the fingerprint under Windows Hello in Windows 10:
  1. Select the Start button.
  2. Select Settings > Accounts.
  3. Click Sign-in options on the left. ...
  4. Click Get started.
  5. Enter your PIN.
  6. Scan your finger on the fingerprint reader. ...
  7. Click Add Another to repeat the process with another finger, or close the program.

Explore More

Videos

1. WinDbg Preview Kernel Debugging
(Sam Bowne)
2. WinDbg Preview | Setup kernel debugging via fast network connection in WMware VM
(dennisbabkin)
3. Windows Kernel Programming Tutorial 4 - Troubleshoot Driver Issues
(Programming LoL)
4. Get in the Ring0 – Understanding Windows drivers Presented By Graham Sutherland
(44CON Information Security Conference)
5. Windows Internals - Processes Part 6 of 20 - Process related windbg commands.
(TheSourceLens)
6. How to install USB debug cable driver in WinDbg for Windows kernel debugging? (2 Solutions!!)
(Roel Van de Paar)
Top Articles
Latest Posts
Article information

Author: Dean Jakubowski Ret

Last Updated: 02/14/2023

Views: 5656

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Dean Jakubowski Ret

Birthday: 1996-05-10

Address: Apt. 425 4346 Santiago Islands, Shariside, AK 38830-1874

Phone: +96313309894162

Job: Legacy Sales Designer

Hobby: Baseball, Wood carving, Candle making, Jigsaw puzzles, Lacemaking, Parkour, Drawing

Introduction: My name is Dean Jakubowski Ret, I am a enthusiastic, friendly, homely, handsome, zealous, brainy, elegant person who loves writing and wants to share my knowledge and understanding with you.