The !process extension displays information about the specified process, or about all processes, including the EPROCESS block.
This extension can be used only during kernel-mode debugging.
!process [/s Session] [/m Module] [Process [Flags]]
!process [/s Session] [/m Module] 0 Flags ImageName
/s Session
Specifies the session that owns the desired process.
/m Module
Specifies the module that owns the desired process.
Process
Specifies the hexadecimal address or the process ID of the process on the target computer.
The value of Process determines whether the !process extension displays a process address or a process ID. If Process is omitted in any version of Windows, the debugger displays data only about the current system process. If Process is 0 and ImageName is omitted, the debugger displays information about all active processes. If -1 is specified for Process, information about the current process is displayed.
Flags
Specifies the level of detail to display. Flags can be any combination of the following bits. If Flags is 0, only a minimal amount of information is displayed. The default varies according to the version of Windows and the value of Process. The default is 0x3 if Process is omitted or if Process is either 0 or -1; otherwise, the default is 0xF.
Bit 0 (0x1)
Displays time and priority statistics.
Bit 1 (0x2)
Displays a list of threads and events associated with the process, and their wait states.
Bit 2 (0x4)
Displays a list of threads associated with the process. If this is included without Bit 1 (0x2), each thread is displayed on a single line. If this is included along with Bit 1, each thread is displayed with a stack trace.
Bit 3 (0x8)
Displays the return address and the stack pointer for each function. The display of function arguments is suppressed.
Bit 4 (0x10)
Sets the process context equal to the specified process for the duration of this command. This results in a more accurate display of thread stacks. Because this flag is equivalent to using .process /p /r for the specified process, any existing user-mode module list will be discarded. If Process is zero, the debugger displays all processes, and the process context is changed for each one. If you are only displaying a single process and its user-mode state has already been refreshed (for example, with .process /p /r), it is not necessary to use this flag. This flag is only effective when used with Bit 0 (0x1).
ImageName
Specifies the name of the process to be displayed. The debugger displays all processes whose executable image names match ImageName. The image name must match that in the EPROCESS block. In general, this is the executable name that was invoked to start the process, including the file extension (usually .exe), and truncated after the fifteenth character. There is no way to specify an image name that contains a space. When ImageName is specified, Process must be zero.
For information about processes in kernel mode, see Changing Contexts. For more information about analyzing processes and threads, see Microsoft Windows Internals, by Mark Russinovich and David Solomon.
The following is an example of a !process 0 0 display:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80a02a60 Cid: 0002 Peb: 00000000 ParentCid: 0000 DirBase: 00006e05 ObjectTable: 80a03788 TableSize: 150. Image: System
PROCESS 80986f40 Cid: 0012 Peb: 7ffde000 ParentCid: 0002 DirBase: 000bd605 ObjectTable: 8098fce8 TableSize: 38. Image: smss.exe
PROCESS 80958020 Cid: 001a Peb: 7ffde000 ParentCid: 0012 DirBase: 0008b205 ObjectTable: 809782a8 TableSize: 150. Image: csrss.exe
PROCESS 80955040 Cid: 0020 Peb: 7ffde000 ParentCid: 0012 DirBase: 00112005 ObjectTable: 80955ce8 TableSize: 54. Image: winlogon.exe
PROCESS 8094fce0 Cid: 0026 Peb: 7ffde000 ParentCid: 0020 DirBase: 00055005 ObjectTable: 80950cc8 TableSize: 222. Image: services.exe
PROCESS 8094c020 Cid: 0029 Peb: 7ffde000 ParentCid: 0020 DirBase: 000c4605 ObjectTable: 80990fe8 TableSize: 110. Image: lsass.exe
PROCESS 809258e0 Cid: 0044 Peb: 7ffde000 ParentCid: 0026 DirBase: 001e5405 ObjectTable: 80925c68 TableSize: 70. Image: SPOOLSS.EXE
The following table describes some of the elements of the !process 0 0 output.
| Element | Meaning |
|---|---|
| Process address | The eight-character hexadecimal number after the word PROCESS is the address of the EPROCESS block. In the final entry in the preceding example, the process address is 0x809258E0. |
| Process ID (PID) | The hexadecimal number after the word Cid. In the final entry in the preceding example, the PID is 0x44, or decimal 68. |
| Process Environment Block (PEB) | The hexadecimal number after the word Peb is the address of the process environment block. In the final entry in the preceding example, the PEB is located at address 0x7FFDE000. |
| Parent process PID | The hexadecimal number after the word ParentCid is the PID of the parent process. In the final entry in the preceding example, the parent process PID is 0x26, or decimal 38. |
| Image name | The name of the module that owns the process. In the final entry in the preceding example, the owner is spoolss.exe. In the first entry, the owner is the operating system itself. |
| Process object address | The hexadecimal number after the word ObjectTable. In the final entry in the preceding example, the address of the process object is 0x80925c68. |
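As an added example (not part of the Microsoft documentation), the following Python parses a !process 0 0 listing into records using the fields described above, rebuilds the parent/child process tree from Cid and ParentCid, and flags any process whose parent is no longer in the listing. The sample input is the page's own listing re-wrapped one PROCESS record per line; the orphan check is an assumed triage heuristic, not something the extension itself reports.

```python
import re
from collections import defaultdict

# Sample input: the !process 0 0 listing shown earlier on this page,
# re-wrapped so that each PROCESS record sits on one line.
SAMPLE = """\
PROCESS 80a02a60 Cid: 0002 Peb: 00000000 ParentCid: 0000 DirBase: 00006e05 ObjectTable: 80a03788 TableSize: 150. Image: System
PROCESS 80986f40 Cid: 0012 Peb: 7ffde000 ParentCid: 0002 DirBase: 000bd605 ObjectTable: 8098fce8 TableSize: 38. Image: smss.exe
PROCESS 80958020 Cid: 001a Peb: 7ffde000 ParentCid: 0012 DirBase: 0008b205 ObjectTable: 809782a8 TableSize: 150. Image: csrss.exe
PROCESS 80955040 Cid: 0020 Peb: 7ffde000 ParentCid: 0012 DirBase: 00112005 ObjectTable: 80955ce8 TableSize: 54. Image: winlogon.exe
PROCESS 8094fce0 Cid: 0026 Peb: 7ffde000 ParentCid: 0020 DirBase: 00055005 ObjectTable: 80950cc8 TableSize: 222. Image: services.exe
PROCESS 8094c020 Cid: 0029 Peb: 7ffde000 ParentCid: 0020 DirBase: 000c4605 ObjectTable: 80990fe8 TableSize: 110. Image: lsass.exe
PROCESS 809258e0 Cid: 0044 Peb: 7ffde000 ParentCid: 0026 DirBase: 001e5405 ObjectTable: 80925c68 TableSize: 70. Image: SPOOLSS.EXE
"""

# One PROCESS record: EPROCESS address, Cid, Peb, ParentCid, then Image last.
# Values are hexadecimal, as the !process output prints them.
_REC = re.compile(
    r"PROCESS\s+(?P<addr>[0-9a-fA-F]+)\s+Cid:\s*(?P<cid>[0-9a-fA-F]+)"
    r"\s+Peb:\s*(?P<peb>[0-9a-fA-F]+)\s+ParentCid:\s*(?P<pcid>[0-9a-fA-F]+)"
    r".*?Image:\s*(?P<image>\S+)"
)

def parse_process_list(text):
    """Return one dict per PROCESS line; hex fields are converted to ints."""
    return [{
        "eprocess": int(m["addr"], 16),
        "pid": int(m["cid"], 16),
        "peb": int(m["peb"], 16),
        "ppid": int(m["pcid"], 16),
        "image": m["image"],
    } for m in _REC.finditer(text)]

def build_tree(procs):
    """Map parent PID -> image names of its children, in listing order."""
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["image"])
    return children

def orphans(procs):
    """Assumed triage heuristic: processes whose ParentCid is not a listed PID.
    The System process (ParentCid 0) is excluded. A hit means the parent has
    exited or its PID was reused, which is worth a second look when a process
    tree is being sanity-checked during an investigation."""
    pids = {p["pid"] for p in procs}
    return [p["image"] for p in procs if p["ppid"] and p["ppid"] not in pids]
```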
To display full details on one process, set Flags to 7. The process itself can be specified by setting Process equal to the process address, setting Process equal to the process ID, or setting ImageName equal to the executable image name. Here is an example:
kd> !process fb667a00 7
PROCESS fb667a00 Cid: 0002 Peb: 00000000 ParentCid: 0000
    DirBase: 00030000 ObjectTable: e1000f88 TableSize: 112.
    Image: System
    VadRoot fb666388 Clone 0 Private 4. Modified 9850. Locked 0.
    FB667BBC MutantState Signalled OwningThread 0
    Token                             e10008f0
    ElapsedTime                       15:06:36.0338
    UserTime                          0:00:00.0000
    KernelTime                        0:00:54.0818
    QuotaPoolUsage[PagedPool]         1480
    Working Set Sizes (now,min,max)   (3, 50, 345)
    PeakWorkingSetSize                118
    VirtualSize                       1 Mb
    PeakVirtualSize                   1 Mb
    PageFaultCount                    992
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      8

        THREAD fb667780 Cid 2.1 Teb: 00000000 Win32Thread: 80144900 WAIT: (WrFreePage) KernelMode Non-Alertable
            80144fc0 SynchronizationEvent
        Not impersonating
        Owning Process fb667a00
        WaitTime (seconds)      32278
        Context Switch Count    787
        UserTime                0:00:00.0000
        KernelTime              0:00:21.0821
        Start Address Phase1Initialization (0x801aab44)
        Initial Sp fb26f000 Current Sp fb26ed00
        Priority 0 BasePriority 0 PriorityDecrement 0 DecrementCount 0

        ChildEBP RetAddr Args to Child
        fb26ed18 80118efc c0502000 804044b0 00000000 KiSwapThread+0xb5
        fb26ed3c 801289d9 80144fc0 00000008 00000000 KeWaitForSingleObject+0x1c2
Note that the address of the process object can be used as input to other extensions, such as !handle, to obtain further information.
The following table describes some of the elements in the previous example.
| Element | Meaning |
|---|---|
| WAIT | The parenthetical comment after this heading gives the reason for the wait. The command dt nt!_KWAIT_REASON will display a list of all wait reasons. |
| ElapsedTime | Lists the amount of time that has elapsed since the process was created. This is displayed in units of Hours:Minutes:Seconds.Milliseconds. |
| UserTime | Lists the amount of time the process has been running in user mode. If the value for UserTime is exceptionally high, it might identify a process that is depleting system resources. Units are the same as those of ElapsedTime. |
| KernelTime | Lists the amount of time the process has been running in kernel mode. If the value for KernelTime is exceptionally high, it might identify a process that is depleting system resources. Units are the same as those of ElapsedTime. |
| Working Set Sizes | Lists the current, minimum and maximum working set size for the process, in pages. An exceptionally large working set size can be a sign of a process that is leaking memory or depleting system resources. |
| QuotaPoolUsage | Lists the paged and nonpaged pool used by the process. On a system with a memory leak, looking for excessive nonpaged pool usage on all the processes can tell you which process has the memory leak. |
| Clone | Indicates whether or not the process was created by the POSIX or Interix subsystems. |
| Private | Indicates the number of private (non-sharable) pages currently being used by the process. This includes both paged in and paged out memory. |
In addition to the process list information, the thread information contains a list of the resources on which the thread has locks. This information is listed in the third line of output after the thread header. In this example, the thread has a lock on one resource, a SynchronizationEvent with an address of 80144fc0. By comparing this address to the list of locks shown by the !kdext*.locks extension, you can determine which threads have exclusive locks on resources.
The !stacks extension gives a brief summary of the state of every thread. This can be used instead of the !process extension to get a quick overview of the system, especially when debugging multithread issues, such as resource conflicts or deadlocks.
How do I attach a running process to WinDbg?
When WinDbg is in dormant mode, you can attach to a running process by choosing Attach to a Process from the File menu or by pressing F6. In the Attach to Process dialog box, select the process you want to debug, and select OK.
What does WinDbg mean?
WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development.
How do I disable WinDbg?
You can exit WinDbg by choosing Exit from the File menu or by pressing ALT+F4. If you are performing user-mode debugging, these commands close the application that you are debugging, unless you used the -pd command-line option when you started the debugger.
How do I debug Windows drivers?
- Install Windows 10 to a virtual machine (VirtualBox);
- Turn on Test mode and set BCDEdit as local;
- Install WDK;
- Download OSR Loader;
- Copy the files after building to a VM (C:\DriverTest\TestKernelDriver2\; .cer, .inf, .pdb, .sys);
- Download winsdksetup.exe (or sdksetup.exe )
- Open Command Prompt.
- Navigate to the folder in which winsdksetup.exe is downloaded.
- Issue the following command: winsdksetup /layout.
- Select an empty folder into which WinDbg will be downloaded and press Next.
You can attach the Visual Studio debugger to a running process on a local or remote computer. After the process is running, select Debug > Attach to Process or press Ctrl+Alt+P in Visual Studio, and use the Attach to Process dialog to attach the debugger to the process.
How do I push a process to run in the background?
Use bg to Send Running Commands to the Background
You can easily send such commands to the background by hitting the Ctrl + Z keys and then using the bg command. Hitting Ctrl + Z stops the running process, and bg takes it to the background.
Where is WinDbg preview installed?
Currently WinDbg Preview can be installed only on a Win 10 machine from the Windows Store. Join the github discussion if you want WinDbg Preview to be installed anywhere. In order to use WinDbg Preview on any Windows machine, copy the contents of C:\Program Files\WindowsApps\Microsoft.
How do I set WinDbg as default debugger?
To set the postmortem debugger to WinDbg, run windbg -I . (The I must be capitalized.) This command will display a success or failure message after it is used. To work with both 32 and 64 bit applications, run the command for the both the 64 and 32 debuggers.
How to download WinDbg without Microsoft Store? ›
Firstly, go to https://store.rg-adguard.net/ and paste the link of WinDBG Preview from Microsoft Store. Paste in the search bar and press the Tick button. The website will then obtain the package's URL for you to download the AppX file.
How do I enable Windows biometrics?
- Select the Start button.
- Select Settings > Accounts.
- Click Sign-in options on the left. ...
- Click Get started.
- Enter your PIN.
- Scan your finger on the fingerprint reader. ...
- Click Add Another to repeat the process with another finger, or close the program.