Hi
.cxr command displays the context record saved at the specified address.
But how can I find context record address?
(I searched and I realized that eprocess or ethread doesn’t have any related members. Right?)
This command is typically used when debugging unhandled exceptions. The pointer to the context record is passed to the exception filter as a parameter.
Thanks,
Pavel
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, March 17, 2011 10:03 AM
To: Kernel Debugging Interest List
Subject: [windbg] Context record address
Hi
.cxr command displays the context record saved at the specified address.
But how can I find context record address?
(I searched and I realized that eprocess or ethread doesn’t have any related members. Right?)
Hmm. OK.
I want to get the cpu registers via eprocess and ethread data structures.
Which members give it to me?
It depends on what the thread is doing, and what context you are interested in. If a thread is running then the contents of CPU registers are in the CPU itself. If it’s blocked or has been preempted the current context is saved on the kernel stack. If a thread traps into the kernel, volatile registers from its user context are saved in the trap frame on the kernel stack, and non-volatile registers are preserved through normal calling convention rules, etc.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, March 17, 2011 11:09 AM
To: Kernel Debugging Interest List
Subject: RE:[windbg] Context record address
Hmm. OK.
I want to get the cpu registers via eprocess and ethread data structures.
Which members give it to me?
KPRCB has a member (ProcessorState) that represents CPU registers.
For example GetThreadContext function, how can it retrieve the values? I thought there must be a member of ethread, so kernel mode portion of code just reads and returns the values, but I haven’t seen it yet.
> KPRCB has a member (ProcessorState) that represents CPU registers.
It looks like it’s only populated at a few very specific places like when a processor is frozen by the kernel debugger.
> For example GetThreadContext function, how can it retrieve the values? I thought there must be a member of ethread, so kernel mode portion of code just reads and returns the values, but I haven’t seen it yet.
It’s more complicated than that. GetThreadContext calls a system service which queues an APC to the thread. What happens next is architecture-specific, and I’m not very familiar with that part of the kernel. On x64 it looks like the APC routine reconstructs the user context using volatile registers saved in the trap frame, and performs a virtual unwind to obtain values of non-volatile registers.
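
The places the replies above name (the context record handed to an exception filter, the context saved on the kernel stack, and the trap frame) can each be inspected from the debugger. The command sequence below is an added example, not something posted by anyone in this thread; values in angle brackets are placeholders, and it assumes an x64 kernel-mode WinDbg session with symbols loaded.

```windbg
$$ --- Exception case: the context record that goes with an exception ---
$$ Show the most recent exception record.
.exr -1
$$ Switch the register context to the context record of the current exception.
.ecxr
$$ If you have the EXCEPTION_POINTERS address that the exception filter received,
$$ this prints its ExceptionRecord and ContextRecord pointers.
.exptr <exception-pointers-address>
$$ Use the ContextRecord value as the argument to .cxr, then inspect registers/stack.
.cxr <context-record-address>
r
k
$$ Return to the default register context.
.cxr

$$ --- Thread that is blocked or preempted: context saved on its kernel stack ---
$$ Summarise the thread and its kernel stack.
!thread <ethread-address>
$$ Make that thread the register context; r and k then use the state the debugger
$$ recovers from the saved kernel stack (volatile registers are not meaningful here).
.thread <ethread-address>
r
k

$$ --- Thread that trapped into the kernel: trap frame on the kernel stack ---
$$ kv annotates frames that carry a trap frame with "TrapFrame @ <address>".
kv
$$ The thread object also records a trap frame pointer.
dt nt!_KTHREAD <ethread-address> TrapFrame
$$ Load the registers saved in that trap frame and walk the stack from there.
.trap <trap-frame-address>
r
k
$$ Reset the trap and thread contexts when done.
.trap
.thread
```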