•DB/DW/DD/DQ display the contents of memory in the given range.
Example: dd 0xf75e98c0 l0x100
•.reload [module name]
–Example: .reload /f force to load sym immediately
–Example: reload /i Ignore a mismatch in the .pdb file versions.
–Example: reload /u Reload special symbol or all the symbol files.
•k, kb, kd, kp, kP, kv (Display Stack Backtrace)
•!analyze –v
–The !analyze extension displays information about the current exception or bug check.
•The !pte extension displays the page table entry (PTE) and page directory entry (PDE) for the specified address.
–kd> !pte 801544f4
801544F4 - PDE at C0300800 PTE at C0200550
contains 0003B163 contains 00154121
pfn 3b G-DA--KWV pfn 154 G--A--KRV
801544F4 - PDE at C0300800 PTE at C0200550
contains 0003B163 contains 00154121
pfn 3b G-DA--KWV pfn 154 G--A--KRV
•dt (Display Type)
–0:000> dt mt1
+0x000 a : 10
+0x004 b : 98 'b'
+0x006 c : 0xdd
+0x008 d : 0xabcd
+0x00c gn : [6] 0x1
+0x024 ex : 0x0
+0x000 a : 10
+0x004 b : 98 'b'
+0x006 c : 0xdd
+0x008 d : 0xabcd
+0x00c gn : [6] 0x1
+0x024 ex : 0x0
•The r command displays or modifies registers, floating-point registers, flags, pseudo-registers, and fixed-name aliases.
•kd> r
Last set context:
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=80403a0d esp=fd581c2c ebp=fd581c60 iopl=0 nv up di pl nz na pe nc
cs=0000 ss=0000 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000
0000:3a0d ?? ???
Last set context:
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=80403a0d esp=fd581c2c ebp=fd581c60 iopl=0 nv up di pl nz na pe nc
cs=0000 ss=0000 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000
0000:3a0d ?? ???
•lm command lists the specified loaded modules. The output includes the status and the path to the module.
–
•The !process extension displays information about the specified process, or about all processes.
–kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80a02a60 Cid: 0002 Peb: 00000000 ParentCid: 0000
DirBase: 00006e05 ObjectTable: 80a03788 TableSize: 150.
Image: System
PROCESS 80986f40 Cid: 0012 Peb: 7ffde000 ParentCid: 0002
DirBase: 000bd605 ObjectTable: 8098fce8 TableSize: 38.
Image: smss.exe
PROCESS 80958020 Cid: 001a Peb: 7ffde000 ParentCid: 0012
DirBase: 0008b205 ObjectTable: 809782a8 TableSize: 150.
Image: csrss.exe
PROCESS 80955040 Cid: 0020 Peb: 7ffde000 ParentCid: 0012
DirBase: 00112005 ObjectTable: 80955ce8 TableSize: 54.
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80a02a60 Cid: 0002 Peb: 00000000 ParentCid: 0000
DirBase: 00006e05 ObjectTable: 80a03788 TableSize: 150.
Image: System
PROCESS 80986f40 Cid: 0012 Peb: 7ffde000 ParentCid: 0002
DirBase: 000bd605 ObjectTable: 8098fce8 TableSize: 38.
Image: smss.exe
PROCESS 80958020 Cid: 001a Peb: 7ffde000 ParentCid: 0012
DirBase: 0008b205 ObjectTable: 809782a8 TableSize: 150.
Image: csrss.exe
PROCESS 80955040 Cid: 0020 Peb: 7ffde000 ParentCid: 0012
DirBase: 00112005 ObjectTable: 80955ce8 TableSize: 54.
•The .thread command specifies which thread will be used for the register context
–Use the .thread command with the address of the desired thread. This sets the register context and enables you to examine the important registers and the call stack for this thread.
–
•Ba/bp set break point.
•Bl list the break point list
•Bc clear the break point.
•The !irp extension displays information about an I/O request packet (IRP).
•The .crash command causes the target computer to issue a bug check.
Using context of thread ffaa43a0
kd> r
Last set context:
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=80403a0d esp=fd581c2c ebp=fd581c60 iopl=0 nv up di pl nz na pe nc
cs=0000 ss=0000 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000
start end module name
f9f73000 f9f7fd80 sysaudio (deferred)
fa04b000 fa09b400 srv (deferred)
faab7000 faac8500 sr (deferred)
facac000 facbae00 serial (deferred)
fb008000 fb00ba80 serenum e:\mysymbols\SereEnum.pdb\.......
fb24f000 fb250000 swenum (deferred)
Unloaded modules:
f9f53000 f9f61000 swmidi.sys
fb0ae000 fb0b0000 splitter.sys
fb040000 fb043000 Sfloppy.SYS