Useful pseudo registers

The debugger defines a set of pseudo registers, which can be used in expressions and always evaluate to certain special values. The full list of pseudo registers can be found here, but I thought I'd highlight a few in their own post.

Always remember to prefix the pseudo register name with the @ symbol so that WinDBG knows you’re specifying a register name. If you don’t, be prepared to be punished when you fat finger the register name and WinDBG goes into a tailspin trying to resolve it!

$pagesize

This register contains the page size for the target platform. Most of us only use x86 and x64, so this will always evaluate to 4K, but if you're scripting it's better to use the pseudo register to be future-proof.

$thread

The current ETHREAD address.

$peb

The current Process Environment Block address.

$teb

The current Thread Environment Block address.

$ptrsize

The pointer size of the target machine.
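Putting the scripting point into practice, here is an added example (my own, not from the original post) that uses @$pagesize, @$ptrsize, @$peb and @$teb so the same command block works unchanged on x86 and x64 targets. It assumes a live user-mode target and that PEB.ImageBaseAddress sits at offset 2 * @$ptrsize (0x8 on x86, 0x10 on x64), which is the current layout; the @$t0/@$t1 scratch registers are just working storage.

```windbg
$$ Added example, not the post's own code: platform-independent scripting
$$ with @$pagesize and @$ptrsize. Every pseudo register carries the @ prefix.

$$ Page-align the TEB address using @$pagesize instead of a hard-coded 0x1000.
$$ Integer divide-then-multiply avoids needing a bitmask operator.
r @$t0 = (@$teb / @$pagesize) * @$pagesize
.printf "TEB %p lives in page %p (page size 0x%x)\n", @$teb, @$t0, @$pagesize

$$ Choose the dump width from @$ptrsize rather than assuming dq or dd.
.if (@$ptrsize == 8) { dq @$peb L4 } .else { dd @$peb L4 }

$$ Assumption: PEB.ImageBaseAddress is the pointer-sized field at
$$ offset 2 * @$ptrsize (x86: +0x8, x64: +0x10). poi() reads @$ptrsize
$$ bytes, so the same line is correct on both architectures.
r @$t1 = poi(@$peb + 2 * @$ptrsize)
.printf "ImageBaseAddress = %p\n", @$t1
```

Because poi() already reads a pointer-sized value, the only place the width has to be chosen explicitly is the d* command, and @$ptrsize makes that choice for you.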

$p

This one I love. $p contains the result of the previous Display Memory (d) command. For example, I can dump out a memory block and then evaluate a new expression using the contents of the memory location:

[Screenshot: WinDbg session evaluating an expression with @$p after a Display Memory command (image not preserved)]

Back before the dps command was introduced this was the easiest way to evaluate a jump through a driver’s Import Address Table when you didn’t have symbols for the driver:

[Screenshot: ln @$p compared with dps on an Import Address Table entry (image not preserved)]
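The @$p workflow from the two paragraphs above, written out as an added example that is not from the original post. The module name mydrv, the offsets 0x1234 and 0x2010, and the disassembly shown in the comments are all hypothetical; the only assumption is that the instruction at the first address is an indirect jump through the driver's Import Address Table and that the driver has no symbols.

```windbg
$$ Added example, not the post's own code: following an IAT jump with @$p.
$$ mydrv, 0x1234 and 0x2010 are placeholders for a symbol-less driver.

$$ 1. Disassemble the instruction; the bracketed operand is the IAT slot.
$$    Hypothetical output:  mydrv+0x1234  jmp qword ptr [mydrv+0x2010]
u mydrv+0x1234 L1

$$ 2. Dump the slot with dp so the width follows @$ptrsize on x86 and x64.
$$    After this command @$p holds the value that was just displayed.
dp mydrv+0x2010 L1

$$ 3. Ask for the nearest symbol to that value, no retyping of the pointer.
ln @$p

$$ The modern shortcut: dps dumps each pointer-sized value and annotates it
$$ with the symbol it points to, collapsing steps 2 and 3 into one command.
dps mydrv+0x2010 L1
```

The old two-step form is still worth knowing, since @$p works after any d* command, not just on IAT slots: dump any structure field and feed the value straight into ln, !address or a further dp.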
