benji
April 30, 2026, 7:54am
1
Hi,
Haven’t been using the irpfind / mirpfind commands ever because they never end, and give no results.
An older colleague of mine tells me that they used to work back in the day.
Are they broken? Do I need to do something special to make them work?
How can I list all the IRPs inside a memory dump?
Thank you
What version of the OS? What version of the debugger? Full memory dump or kernel summary dump?
Also, what does “never end” mean? How long did you wait? And if you hit Ctrl+Alt+D, is there debugger backend activity while the command is running or is it hung?
benji
May 5, 2026, 7:21am
3
Windows versions: Windows 10 and Windows 11.
WinDbg version: 10.0.22621.2428
Full memory dumps.
One core is fully used by WinDbg.
Last time I ran it, it took one or two hours, I’d say. At the end WinDbg finished the command and I had no result in return. If I hit Ctrl+Alt+D I can see that it is working:
Amd64VtoP: Virt fffff801774682d8, pagedir 000000013acb0000
Amd64VtoP: PML4E 000000013acb0f80
Amd64VtoP: PDPE 00000000001e0028
Amd64VtoP: PDE 0000000000202dd0
Amd64VtoP: Large page mapped phys 00000001010682d8
Amd64VtoP: Virt ffffa408f23023c0, pagedir 000000013acb0000
Amd64VtoP: PML4E 000000013acb0a40
Amd64VtoP: PDPE 0000000101a12118
Amd64VtoP: PDE 0000000101a13c88
Amd64VtoP: PTE 0000000101a1c810
Amd64VtoP: Mapped phys 000000017cd0e3c0
benji:
22621.2428
That’s a fairly old debugger, I’m using 26100.7175 and seems to work fine:
2: kd> vertarget
Windows 10 Kernel Version 28000 MP (4 procs) Free x64
Edition build lab: 28000.1719.amd64fre.br_release_svc_prod1.260305-1757
Kernel base = 0xfffff803`c9a00000 PsLoadedModuleList = 0xfffff803`ca8f9800
Debug session time: Tue May 5 13:23:01.247 2026 (UTC - 4:00)
System Uptime: 0 days 0:55:25.110
2: kd> !irpfind
Using a machine size of ce9f7 pages to configure the kd cache
*** CacheSize too low - increasing to 64 MB
Max cache size is : 67108864 bytes (0x10000 KB)
Total memory in cache : 1048528 bytes (0x400 KB)
Number of regions cached: 5454
303340 full reads broken into 592444 partial reads
counts: 9020 cached/583424 uncached, 1.52% cached
bytes : 93771 cached/2101114 uncached, 4.27% cached
** Transition PTEs are implicitly decoded
** Prototype PTEs are implicitly decoded
Scanning large pool allocation table for tag 0x3f707249 (Irp?) (ffffaa8dd6010000 : ffffaa8dd6210000)
Irp [ Thread ] irpStack: (Mj,Mn) DevObj [Driver] MDL Process
ffffaa8dd456a060 [0000000000000000] Irp is complete (CurrentLocation 6 > StackCount 5)
ffffaa8dd7960750 [0000000000000000] Irp is complete (CurrentLocation 4 > StackCount 3)
ffffaa8dd7960a80 [0000000000000000] Irp is complete (CurrentLocation 4 > StackCount 3)
ffffaa8dd8048060 [0000000000000000] Irp is complete (CurrentLocation 5 > StackCount 4)
ffffaa8ddc9ed0d0 [ffffaa8dddcf8080] irpStack: ( 3, 0) ffffaa8dd7ca6280 [ \FileSystem\Npfs]
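Added example, not part of the thread and not WinDbg code: a small Python parser for saved `!irpfind` output in the two row shapes quoted above, which separates completed IRPs from in-flight ones and counts the in-flight ones per driver. The names `parse_irpfind` and `pending_by_driver` are hypothetical, and hex encoding of the (Mj,Mn) fields is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the !irpfind result lines quoted in the post above.
SAMPLE = r"""
Irp [ Thread ] irpStack: (Mj,Mn) DevObj [Driver] MDL Process
ffffaa8dd456a060 [0000000000000000] Irp is complete (CurrentLocation 6 > StackCount 5)
ffffaa8dd7960750 [0000000000000000] Irp is complete (CurrentLocation 4 > StackCount 3)
ffffaa8dd7960a80 [0000000000000000] Irp is complete (CurrentLocation 4 > StackCount 3)
ffffaa8dd8048060 [0000000000000000] Irp is complete (CurrentLocation 5 > StackCount 4)
ffffaa8ddc9ed0d0 [ffffaa8dddcf8080] irpStack: ( 3, 0) ffffaa8dd7ca6280 [ \FileSystem\Npfs]
"""

ROW = re.compile(r"^(?P<irp>[0-9a-f]{16})\s+\[(?P<thread>[0-9a-f]{16})\]\s+(?P<rest>.*)$")
# Assumption: Mj/Mn are printed in hex, like the other numbers in the output.
ACTIVE = re.compile(r"irpStack:\s*\(\s*([0-9a-f]+),\s*([0-9a-f]+)\)\s+([0-9a-f]{16})"
                    r"\s+\[\s*([^\]]*?)\s*\]")


def parse_irpfind(text):
    """Return one dict per IRP row; banner and cache-statistics lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.replace("`", "").strip())  # tolerate ffff`ffff addresses
        if not m:
            continue
        row = {"irp": int(m["irp"], 16), "thread": int(m["thread"], 16),
               "complete": False, "major": None, "minor": None,
               "device": None, "driver": None}
        if "Irp is complete" in m["rest"]:
            row["complete"] = True
        else:
            a = ACTIVE.search(m["rest"])
            if a:  # rows in a shape not shown in the thread keep None fields
                row.update(major=int(a[1], 16), minor=int(a[2], 16),
                           device=int(a[3], 16), driver=a[4])
        rows.append(row)
    return rows


def pending_by_driver(rows):
    """Count IRPs that are still in flight, grouped by the current stack's driver."""
    return Counter(r["driver"] for r in rows if not r["complete"] and r["driver"])


if __name__ == "__main__":
    rows = parse_irpfind(SAMPLE)
    print(f"{len(rows)} IRPs, {sum(r['complete'] for r in rows)} already complete")
    for driver, count in pending_by_driver(rows).most_common():
        print(f"{count:5d}  {driver}")
```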
benji
May 7, 2026, 5:57am
5
Thank you very much Scott, it is now working.
Can’t believe it was only a version problem!
I was using the WinDbg shipped inside the SDK of our company, and it is not the latest one…
For other people coming by, I installed it using: Install WinDbg - Windows drivers | Microsoft Learn
Thanks again!