Is there a command to get the unloaded modules?

Don_Burn_1 · March 7, 2006, 8:21pm

One reason I used !drivers instead of lm was that the former gave you a list
of drivers that had been loaded then unloaded. This can be extremely useful
for debugging certain driver load problems. Today I encountered a driver
load problem, and was wondering if there is a replacement in the current
WinDBG?

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

Doron_Holan · March 7, 2006, 10:57pm

lm has a list of recently unloaded modules, I don’t know how that list
is built though.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Tuesday, March 07, 2006 5:20 PM
To: Kernel Debugging Interest List
Subject: [windbg] Is there a command to get the unloaded modules?

One reason I used !drivers instead of lm was that the former gave you a
list
of drivers that had been loaded then unloaded. This can be extremely
useful
for debugging certain driver load problems. Today I encountered a
driver
load problem, and was wondering if there is a replacement in the current

WinDBG?

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

You are currently subscribed to windbg as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Alex_Ionescu-2 · March 8, 2006, 4:48am

Don Burn wrote:

One reason I used !drivers instead of lm was that the former gave you a list
of drivers that had been loaded then unloaded. This can be extremely useful
for debugging certain driver load problems. Today I encountered a driver
load problem, and was wondering if there is a replacement in the current
WinDBG?

Hi Don,

lm still gives you this information. Eg., On my system:

Unloaded modules:
f6524000 f6539000 Serial.SYS
f7597000 f75a5000 imapi.sys
f6898000 f68ac000 redbook.sys
f698e000 f69a1000 i8042prt.sys
f698c000 f69a1000 cdrom.sys
f7787000 f778f000 Sfloppy.SYS
f76f7000 f7701000 Flpydisk.SYS
f76e7000 f76f2000 Fdc.SYS

Best regards,
Alex Ionescu

Alex_Ionescu-2 · March 8, 2006, 4:57am

Doron Holan wrote:

lm has a list of recently unloaded modules, I don’t know how that list
is built though.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Tuesday, March 07, 2006 5:20 PM
To: Kernel Debugging Interest List
Subject: [windbg] Is there a command to get the unloaded modules?

One reason I used !drivers instead of lm was that the former gave you a
list
of drivers that had been loaded then unloaded. This can be extremely
useful
for debugging certain driver load problems. Today I encountered a
driver
load problem, and was wondering if there is a replacement in the current

WinDBG?

Hi Doron,

See MmUnloadedDrivers. It’s an array of:

typedef struct _UNLOADED_DRIVERS {
UNICODE_STRING Name;
PVOID StartAddress;
PVOID EndAddress;
LARGE_INTEGER CurrentTime;
} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS;

Loop the array while i < MmLastUnloadedDriver.

Best regards,
Alex Ionescu