Analyze -v

I’ve talked about WinDBG and process context before and thought I’d share another tip on the subject that comes in handy to me day to day.

Both !process and !thread accept a flags value that will cause them to switch to the appropriate process context before displaying stack traces. This is great because it allows you to see the entire call stack all the way back into user mode when working with a live debug target or a complete memory dump.

The flags value in question is 0×10, and can be used in combination with any other flags values that you might use. The WinDBG documentation for !process describes the bit as follows:

Bit 4 (0×10)

(Windows XP and later) Sets the process context equal to the specified process for the duration of this command. This results in a more accurate display of thread stacks. Because this flag is equivalent to using .process /p /r for the specified process, any existing user-mode module list will be discarded. If Process is zero, the debugger displays all processes, and the process context is changed for each one. If you are only displaying a single process and its user-mode state has already been refreshed (for example, with .process /p /r), it is not necessary to use this flag. This flag is only effective when used with Bit 0 (0×1).

We can see the effect of the bit by running an experiment with LiveKD. Let’s check out the CMD process without the 0×10 flags value supplied:

 

 

Notice again how the stack walks off the end off the cliff when it hits user mode. Let’s try this again with 0x1f as the flags instead of 0xf:

  

I’ll leaving running a similar experiment with !thread as an exercise for the reader.

This entry was posted on Thursday, February 4th, 2010 at 9:08 pm and is filed under WinDBG. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.