Find string in output

Can I do a:

!handles | find "string"

I have tried .foreach with no luck.

thanks



On 8/14/06, Nathan wrote:

> Can i do a:
>
> > !handles | find "string"
>
> i have tried .foreach with no luck.
>
> thanks
>

!handle in user mode returns an output that doesn't look like
it would have some strings printed out

0:000> !handle
Handle 420
Type Event
Handle 42c
Type Event
Handle 55c
Type File
Handle 7e0
Type WindowStation
Handle 7e4
Type Event
Handle 7ec
Type Port
Handle 7f0
Type Directory
Handle 7f8
Type Directory
Handle 7fc
Type KeyedEvent
9 Handles
Type Count
Event 3
File 1
Port 1
Directory 2
WindowStation 1
KeyedEvent 1

now what string are you trying to grep there?

if you want to know information about some type

then you can use

0:000> !handle 0 f Windowstation

0 specifies you need info for all handles
f specifies all the possible bits in umflags
you give it a name like you are looking for info on
windowstation

Handle 7e0
Type WindowStation
Attributes 0
GrantedAccess 0xf037f:
Delete,ReadControl,WriteDac,WriteOwner
EnumDesktops,ReadAttr,Clipboard,CreateDesktop,WriteAttr,GlobalAtom,ExitWindows,Enumerate,ReadScreen
HandleCount 24
PointerCount 40
Name \Windows\WindowStations\WinSta0
No Object Specific Information available
1 handles of type WindowStation

0:000> !handle 0 f event
Handle 420
Type Event
Attributes 0
GrantedAccess 0x100002:
Synch
ModifyState
HandleCount 8
PointerCount 16
Name \BaseNamedObjects\mixercallback
Object Specific Information
Handle 42c
Type Event
Attributes 0
GrantedAccess 0x100002:
Synch
ModifyState
HandleCount 8
PointerCount 17
Name \BaseNamedObjects\hardwaremixercallback
Object Specific Information
Handle 7e4
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 3
PointerCount 4
Name
Object Specific Information
Event Type Manual Reset
Event is Set
3 handles of type Event

i am not much aware about the output in kmode

Use .shell, as then you can run an arbitrary external program, such as
find, against debugger output. For example,

.shell -ci "<arbitrary_debugger_command>" external_program

will run external_program and feed the output of the debugger command to
it as stdin.

You could also do something similar with a log file, but the above is
more direct.



From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Nathan
Sent: Monday, August 14, 2006 6:56 AM
To: Kernel Debugging Interest List
Subject: [windbg] Find string in output

Can i do a:

> !handles | find "string"

i have tried .foreach with no luck.

thanks




On 8/14/06, Drew Bliss wrote:
>
> Use .shell, as then you can run an arbitrary external program, such as
> find, against debugger output. For example,
>
> .shell -ci "<arbitrary_debugger_command>" external_program
>
> will run external_program and feed the output of the debugger command to
> it as stdin.
>
> You could also do something similar with a log file, but the above is more
> direct.
>

nice to know that

0:000> .shell -ci "!handle" findstr /E "WindowStation"
Type WindowStation
.shell: Process exited

lkd> .shell -ci "!handle" findstr "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001"
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NETWORKPROVIDER\HWORDER
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE\ALTERNATE SORTS
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE GROUPS
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001
.shell: Process exited
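
Added example, not part of the original thread: findstr matches one line at a time, so a hit such as "Type WindowStation" does not say which handle it belongs to. The Python filter below regroups the line-oriented "!handle 0 f" output into one record per handle and matches on type and name together; the script name, the sample text and a Python interpreter on the PATH are assumptions.

```python
import sys
# Usage from the debugger (script name is hypothetical):
#   .shell -ci "!handle 0 f" python filter_handles.py event mixer

# Constructed sample, modelled on the output quoted in the thread.
SAMPLE = r"""
Handle 420
  Type          Event
  GrantedAccess 0x100002:
         Synch
  HandleCount   8
  Name          \BaseNamedObjects\mixercallback
Handle 7e0
  Type          WindowStation
  GrantedAccess 0xf037f:
  HandleCount   24
  Name          \Windows\WindowStations\WinSta0
Handle 7e4
  Type          Event
  Name
3 Handles
Type            Count
Event           2
"""

def parse_handles(text):
    """Group the debugger output into one dict per handle."""
    records, cur = [], None
    for line in text.splitlines():
        key, value = (line.split(None, 1) + ["", ""])[:2]
        value = value.strip()
        if key.isdigit() and value.lower().startswith("handles"):
            cur = None  # totals follow; "Type Count" there is not a field
        elif key == "Handle" and value:
            cur = {"Handle": value, "Type": "", "GrantedAccess": "", "Name": ""}
            records.append(cur)
        elif cur is not None and key in cur and key != "Handle":
            cur[key] = value.rstrip(":")  # HandleCount etc. are skipped
    return records

def find_handles(records, type_sub="", name_sub=""):
    """Case-insensitive substring match on Type and Name of whole records."""
    t, n = type_sub.lower(), name_sub.lower()
    return [r for r in records if t in r["Type"].lower() and n in r["Name"].lower()]

if __name__ == "__main__":
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    type_sub, name_sub = (sys.argv[1:3] + ["", ""])[:2]
    for r in find_handles(parse_handles(text or SAMPLE), type_sub, name_sub):
        print(r["Handle"], r["Type"], r["GrantedAccess"], r["Name"] or "<unnamed>")
```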

ok thanks i did try find could not get it to work findstr is cool though


Is there a way of achieving a reverse direction traffic. For example feeding
windbg commands shell output. For example I would want to !ed with some
special data obtained from a script.

thanks
banks



There isn’t a direct input redirect, but you can achieve virtually the
same effect by putting your debugger command in a script file with the
input and invoking it with $<. For example, put

ed




in a script file and invoke that.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of bank kus
Sent: Saturday, September 09, 2006 9:31 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] Find string in output

Is there a way of achieving a reverse direction traffic. For example
feeding windbg commands shell output. For example I would want to !ed
with some special data obtained from a script.

thanks
banks
