Hello everyone,
Is there a command in WinDbg to find the DLLs loaded for a particular process?
Though we have to troubleshoot the thread and thread stack, I was curious to know: is there a way to find them?
Following is the command, you need to be in context of the process if you are in kernel mode.
lm
Date: Thu, 16 Dec 2010 05:19:52 -0500
From: xxxxx@live.com
To: xxxxx@lists.osr.com
Subject: [windbg] Find dll’s of a specific process
> Following is the command, you need to be in context of the process if you are in kernel mode.
> lm
To display only user-mode modules make better use of u-option:
lm u
!manish lm is not specific to process context, which means that when you execute lm, it would display all the modules which were captured during the memory dump creation.
E.g.: if you change process context from lsass.exe to test.exe and run the lm command, the modules would remain the same.
What I am trying to understand is "which process is using specific modules"?
In order to switch processes and look at the user module list you need to
do:
.process /r /p
That will switch processes and refresh the user loaded module list (WinDBG
only maintains a single user module list at any point).
As an aside, this will all be described in detail in the next issue of The
NT Insider.
-scott
–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
Hope to see you at the next OSR kernel debugging class February 14th in
Columbia, MD!
Hey Scott,
Thanks for the reply. I was trying to check Process Explorer's behavior for a process. When I right-click a process I can see the user-mode / kernel-mode DLLs loaded.
Similarly, I was trying to check the per-process DLLs in WinDbg.
E.g.: from a complete memory dump, I have 20 processes. Process A might use test.dll, process B might use test1.dll, but when I run lm, both test.dll and test1.dll are listed.
I would like to know which DLLs are being used by processes.
On Thu, Dec 16, 2010 at 4:37 PM, wrote:
> i would like to know which dll’s are being used by processes.
I would try what Scott suggested with one extra step:
.reload /u
lm u
Alternatively maybe you should look at !dlls.
Kris
On Thu, Dec 16, 2010 at 5:19 PM, Krzysztof Uchronski wrote:
> I would try what Scott suggested with one extra step:
> .reload /u
> lm u
And of course I forgot about crucial part:
.reload /u
.process /r /p
lm u
Kris
*example*:
*find kernel32.dll*
windbg command : lmfm ker*
0:001> lmfm ker*
start end module name
7c800000 7c8f6000 kernel32 C:\WINDOWS\system32\kernel32.dll
Hi All,
I have followed Scott's and Manish's suggestions.
I have switched the processes and analyzed them accordingly. For my test I took “iexplorer” and “lsass”
and I was able to view all the loaded DLLs of each process.
I opened up Process Explorer and checked the same for the lsass and iexplorer processes. The results were 99% matching, but I see that some DLLs which are listed in Process Explorer are not listed in WinDbg.
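
Added example, not part of the original thread: once a module list has been captured for each process (switching context and refreshing the user module list as described above), "which process is using a specific module" is answered by inverting those lists. The Python below does that over a constructed log; the `== <image>` marker lines and the sample rows are assumptions, with module rows in the `start end module name` layout of the lmfm output shown earlier.

```python
import re

# Constructed sample log (not from a real dump). Each "== <image>" marker is
# an assumed convention: a line the analyst writes to the log before each
# process's module listing. Module rows use the layout: start end name path.
SAMPLE_LOG = r"""
== lsass.exe
start    end        module name
01000000 01006000   lsass    C:\WINDOWS\system32\lsass.exe
7c800000 7c8f6000   kernel32 C:\WINDOWS\system32\kernel32.dll
75730000 757e5000   lsasrv   C:\WINDOWS\system32\lsasrv.dll
== iexplore.exe
start    end        module name
00400000 00419000   iexplore C:\Program Files\Internet Explorer\iexplore.exe
7c800000 7c8f6000   kernel32 C:\WINDOWS\system32\kernel32.dll
"""

MARKER = re.compile(r"^==\s+(\S+)\s*$")
# Two hex addresses (a backtick may split 64-bit values), a module name,
# then an optional image path that may contain spaces.
MODULE = re.compile(r"^([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def modules_by_process(log):
    """Return {process: {lowercased module name: image path or ''}}."""
    result, current = {}, None
    for line in log.splitlines():
        m = MARKER.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = MODULE.match(line)  # the "start end module name" header never matches
        if m and current is not None:
            result[current][m.group(3).lower()] = m.group(4) or ""
    return result

def processes_using(log, module):
    """Processes whose listing contains the module (case-insensitive)."""
    name = module.lower()
    return sorted(p for p, mods in modules_by_process(log).items() if name in mods)

def only_in(log, process, other):
    """Modules listed for `process` but not for `other`."""
    table = modules_by_process(log)
    return sorted(set(table[process.lower()]) - set(table[other.lower()]))

if __name__ == "__main__":
    print(processes_using(SAMPLE_LOG, "kernel32"))
    print(only_in(SAMPLE_LOG, "lsass.exe", "iexplore.exe"))
```

The same `only_in` comparison can be run against a module list exported from another tool to pin down exactly which entries differ between the two views.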