I used your script and got stacks, so I’m not sure what’s going on.
Note also that the 0x10 flag for !process will do a user-mode switch and
reload for you, so your script could just be a !process 0 17.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Oleksiy Shatylo
Sent: Friday, August 04, 2006 5:19 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] Problem with .cache forcedecodeuser
Hello,
I knew perfectly well about the “.process /p /r” command, and I started exactly
with the usage of this command.
I.e. my initial script was exactly as below:
----------------------------------------- proc.wds starts
$$ Get process list LIST_ENTRY in $t0.
r @$t0 = nt!PsActiveProcessHead;
$$ Iterate over all processes in list.
.for (r @$t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r @$t1 = poi(@$t1)) {
r? @$t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
.process /p /r @$t2;
!process @$t2 7;
};
----------------------------------------- proc.wds ends
But this script has not been working for a Windows 2000 full kernel crash
dump. I had the following output from it:
kd> $$><d:>
Implicit process is now 820af9a0
Loading User Symbols
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81edd8e0
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81ea6c40
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81e47ca0
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81e2b260
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81e354e0
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81e5a5a0
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81e06420
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
Implicit process is now 81de6880
Loading User Symbols
…
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid:
0000
DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
Image: Idle
VadRoot 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 0
Process Lock Owned by Thread 0
Token e1000790
ElapsedTime 12:22:46.0021
UserTime 0:00:00.0000
KernelTime 0:01:02.0620
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (4, 50, 450) (16KB, 200KB, 1800KB)
PeakWorkingSetSize 4
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000
RUNNING
< and so on … >
I.e. information about thread stacks was absent. It was quite strange
because when I executed the commands manually everything worked fine. Have a
look below at the output of the commands “.process /p /r” and “!process
7”:
kd> .PROCESS /p /r 81de6880
Implicit process is now 81de6880
Loading User Symbols
…
kd> !PROCESS 81de6880 7
PROCESS 81de6880 SessionId: 0 Cid: 0208 Peb: 7ffdf000 ParentCid:
00ec
DirBase: 1a225000 ObjectTable: 81e32b48 TableSize: 142.
Image: SPOOLSV.EXE
VadRoot 81de8328 Clone 0 Private 330. Modified 0. Locked 0.
DeviceMap 820af508
Token e20b80d0
ElapsedTime 0:00:48.0930
UserTime 0:00:00.0040
KernelTime 0:00:00.0120
QuotaPoolUsage[PagedPool] 23944
QuotaPoolUsage[NonPagedPool] 14656
Working Set Sizes (now,min,max) (961, 50, 345) (3844KB, 200KB,
1380KB)
PeakWorkingSetSize 963
VirtualSize 31 Mb
PeakVirtualSize 31 Mb
PageFaultCount 1250
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 665
THREAD 81de6600 Cid 208.204 Teb: 7ffde000 Win32Thread:
00000000
WAIT: (Executive) UserMode Non-Alertable
81de6204 NotificationEvent
IRP List:
81e34468: (0006,00b8) Flags: 00000970 Mdl: 00000000
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6266 Elapsed Ticks: 2194
Context Switch Count 20
UserTime 0:00:00.0000
KernelTime 0:00:00.0010
Start Address KERNEL32!BaseProcessStartThunk (0x7c4e87b3)
Win32 Start Address spoolsv!mainCRTStartup (0x01001170)
Stack Init bdc85000 Current bdc84bfc Base bdc85000 Limit
bdc82000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bdc84c14 80504e88 81e34468 00000000 8067bea0
nt!KiSwapThread+0xc5
bdc84c3c 80591263 81de6204 00000000 00000001
nt!KeWaitForSingleObject+0x1a1
bdc84c64 8057071b 81f35cf0 00000103 81de61a8
nt!IopSynchronousServiceTail+0xbf
bdc84d38 8053c691 00000030 00000000 00000000 nt!NtReadFile+0x5f4
bdc84d38 77f8c55d 00000030 00000000 00000000
nt!KiSystemService+0xc4
0006fbec 7c4e660d 00000030 00000000 00000000
ntdll!ZwReadFile+0xb
0006fc60 7c2e0135 00000030 0006fd38 00000216
KERNEL32!ReadFile+0x181
0006fc8c 7c2dffbb 00000030 0006fd38 00000216
ADVAPI32!ScGetPipeInput+0x28
0006fd08 7c2dfcca 00000030 0006fd38 00000216
ADVAPI32!ScDispatcherLoop+0x4a
0006ff68 01001295 0100b030 01001265 00000001
ADVAPI32!StartServiceCtrlDispatcherW+0xf6
0006ff70 01001265 00000001 002336f8 00232958 spoolsv!main+0xb
0006ffc0 7c4e87f5 0006f944 77fcc35c 7ffdf000
spoolsv!mainCRTStartup+0xff
0006fff0 00000000 01001170 00000000 000000c8
KERNEL32!BaseProcessStart+0x3d
THREAD 81de5540 Cid 208.20c Teb: 7ffdd000 Win32Thread:
e20bdc08
WAIT: (UserRequest) UserMode Non-Alertable
81de5500 NotificationEvent
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6266 Elapsed Ticks: 2194
Context Switch Count 16 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address ADVAPI32!ScSvcctrlThreadA (0x7c2e02e9)
Stack Init bdcf5000 Current bdcf4ca0 Base bdcf5000 Limit
bdcf2000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bdcf4cb8 80504e88 00000000 00000000 8057d152
nt!KiSwapThread+0xc5
bdcf4ce0 8057d203 81de5500 00000006 00000001
nt!KeWaitForSingleObject+0x1a1
bdcf4d50 8053c691 0000005c 00000000 00000000
nt!NtWaitForSingleObject+0xb7
bdcf4d50 77f94091 0000005c 00000000 00000000
nt!KiSystemService+0xc4
0028ff5c 7c4fc4c2 0000005c 00000000 00000000
ntdll!NtWaitForSingleObject+0xb
0028ff84 7c4f1b1b 0000005c ffffffff 00000000
KERNEL32!WaitForSingleObjectEx+0x71
0028ff94 010012df 0000005c ffffffff 00074158
KERNEL32!WaitForSingleObject+0xf
0028ffa4 7c2e02f7 00000001 00074160 0006f984
spoolsv!SPOOLER_main+0x42
0028ffb4 7c4e987c 00074158 00000000 0006f984
ADVAPI32!ScSvcctrlThreadA+0xe
0028ffec 00000000 7c2e02e9 00074158 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81de59c0 Cid 208.210 Teb: 7ffdc000 Win32Thread:
00000000
WAIT: (WrEventPairLow) UserMode Non-Alertable
81de5f80 Unknown
81de5aa8 NotificationTimer
IRP List:
81e03b08: (0006,00b8) Flags: 00000800 Mdl: 00000000
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6571 Elapsed Ticks: 1889
Context Switch Count 3
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address RPCRT4!ThreadStartRoutine (0x77d3dcf3)
Stack Init bdc7d000 Current bdc7cc90 Base bdc7d000 Limit
bdc7a000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bdc7cca8 805061a7 bdc7cd64 00000000 8056ecd3
nt!KiSwapThread+0xc5
bdc7cccc 8056edb8 bdc7cd00 00000001 bdc7cd00
nt!KeRemoveQueue+0x195
bdc7cd48 8053c691 00000040 002cff0c 002cfefc
nt!NtRemoveIoCompletion+0xf1
bdc7cd48 77f8beb2 00000040 002cff0c 002cfefc
nt!KiSystemService+0xc4
002cfeb8 7c4efea1 00000040 002cff0c 002cfefc
ntdll!NtRemoveIoCompletion+0xb
002cfee4 77d357c0 00000040 002cff1c 002cff0c
KERNEL32!GetQueuedCompletionStatus+0x27
002cff20 77d52899 000493e0 002cff60 002cff5c
RPCRT4!COMMON_ProcessCalls+0x9e
002cff74 77d52778 77d3dd59 00075008 0028faf2
RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x99
002cff78 77d3dd59 00075008 0028faf2 77f8c277
RPCRT4!ProcessIOEventsWrapper+0x9
002cffa8 77d3dd0b 00077b58 002cffec 7c4e987c
RPCRT4!BaseCachedThreadRoutine+0x4f
002cffb4 7c4e987c 00077b80 0028faf2 77f8c277
RPCRT4!ThreadStartRoutine+0x18
002cffec 00000000 77d3dcf3 00077b80 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81de4020 Cid 208.214 Teb: 7ffdb000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81e568a8 Semaphore Limit 0x7fffffff
81de4108 NotificationTimer
Not impersonating
Owning Process 81de6880
Wait Start TickCount 7435 Elapsed Ticks: 1025
Context Switch Count 19
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Stack Init bdc79000 Current bdc78c48 Base bdc79000 Limit
bdc76000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bdc78c60 80504e88 e206ac08 00000000 80545160
nt!KiSwapThread+0xc5
bdc78c88 8050bc5f 81e568a8 00000010 820ab701
nt!KeWaitForSingleObject+0x1a1
bdc78d48 8053c691 00000078 0030ff54 0030fe50
nt!NtReplyWaitReceivePortEx+0x3b1
bdc78d48 77f839c7 00000078 0030ff54 0030fe50
nt!KiSystemService+0xc4
0030fe24 77d3dbac 00000078 0030ff54 0030fe50
ntdll!NtReplyWaitReceivePortEx+0xb
0030ff74 77d3d9db 77d3dded 000765e0 77f91b34
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x74
0030ff78 77d3dded 000765e0 77f91b34 77d3dcf3
RPCRT4!RecvLotsaCallsWrapper+0x9
0030ffa8 77d3dd0b 00073dc8 0030ffec 7c4e987c
RPCRT4!BaseCachedThreadRoutine+0x11f
0030ffb4 7c4e987c 00077d28 77f91b34 77d3dcf3
RPCRT4!ThreadStartRoutine+0x18
0030ffec 00000000 77d3dcf3 00077d28 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81de4ca0 Cid 208.21c Teb: 7ffd9000 Win32Thread:
e20be528
WAIT: (WrExecutive) UserMode Non-Alertable
810cdbe8 SynchronizationEvent
81de4d88 NotificationTimer
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6266 Elapsed Ticks: 2194
Context Switch Count 3 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address spoolsv!SpoolerGetSpoolMessage (0x01001961)
Stack Init bdce5000 Current bdce4c44 Base bdce5000 Limit
bdce2000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bdce4c5c 80504e88 0007883c 00000000 00000000
nt!KiSwapThread+0xc5
bdce4c84 a0083a25 810cdbe8 00000007 00000001
nt!KeWaitForSingleObject+0x1a1
bdce4d04 a0083962 0007883c 00078854 00001fe8
win32k!GreGetSpoolMessage+0x1ce
bdce4d4c 8053c691 0007883c 00002000 00078104
win32k!NtGdiGetSpoolMessage+0x8b
bdce4d4c 77f4726a 0007883c 00002000 00078104
nt!KiSystemService+0xc4
007dffb4 7c4e987c 00000000 00075868 00071eac
GDI32!NtGdiGetSpoolMessage+0xb
77f84bd7 00000000 f99dcc00 00000077 f99d8500
KERNEL32!BaseThreadStart+0x52
THREAD 81d21920 Cid 208.4e4 Teb: 7ffd8000 Win32Thread:
e2228068
WAIT: (DelayExecution) UserMode Alertable
81d21a08 NotificationTimer
Not impersonating
Owning Process 81de6880
Wait Start TickCount 7324 Elapsed Ticks: 1136
Context Switch Count 24 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0020
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
LPC Server thread working on message Id 720
Stack Init bd726000 Current bd725cc4 Base bd726000 Limit
bd722000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd725cdc 8050487a bd725d64 0081ff84 0081ff90
nt!KiSwapThread+0xc5
bd725d04 8058fb21 81cee901 00000001 bd725d34
nt!KeDelayExecutionThread+0x180
bd725d54 8053c691 00000001 0081ff90 00000000
nt!NtDelayExecution+0x7f
bd725d54 77f8915e 00000001 0081ff90 00000000
nt!KiSystemService+0xc4
0081ff74 77d3ddcd 00000001 0081ff90 00000000
ntdll!NtDelayExecution+0xb
0081ffa8 77d3dd0b 00073dc8 0081ffec 7c4e987c
RPCRT4!BaseCachedThreadRoutine+0xc3
0081ffb4 7c4e987c 00078510 00000000 00000000
RPCRT4!ThreadStartRoutine+0x18
0081ffec 00000000 77d3dcf3 00078510 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81c47da0 Cid 208.4e8 Teb: 7ffd7000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d241e0 SynchronizationEvent
81d241a0 SynchronizationEvent
81c47d60 SynchronizationEvent
81cb4b00 SynchronizationEvent
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6614 Elapsed Ticks: 1846
Context Switch Count 4
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address RTUTILS!TraceServerThread (0x778321fe)
Stack Init bd622000 Current bd621930 Base bd622000 Limit
bd61f000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd621948 80504ba9 0000000c e20bcb18 81e32b48
nt!KiSwapThread+0xc5
bd62197c 80527b9b 00000004 bd6219f8 00000001
nt!KeWaitForMultipleObjects+0x266
bd621d48 8053c691 00000004 00c7fd48 00000001
nt!NtWaitForMultipleObjects+0x3a0
bd621d48 77f9323e 00000004 00c7fd48 00000001
nt!KiSystemService+0xc4
00c7fd20 7c4ebdd7 00000004 00c7fd48 00000001
ntdll!ZwWaitForMultipleObjects+0xb
00c7fd70 7c4fabfb 00c7fd48 00000001 00000000
KERNEL32!WaitForMultipleObjectsEx+0xea
00c7fd88 778322b2 00000004 00c7feb0 00000000
KERNEL32!WaitForMultipleObjects+0x17
00c7ffb4 7c4e987c 00000005 000b000a 7c2d02a7
RTUTILS!TraceServerThread+0xde
00c7ffec 00000000 778321fe 0007d838 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81c47500 Cid 208.4ec Teb: 7ffd6000 Win32Thread:
e22d3168
WAIT: (UserRequest) UserMode Non-Alertable
81c47960 SynchronizationEvent
81ca3f00 SynchronizationEvent
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6644 Elapsed Ticks: 1816
Context Switch Count 290 LargeStack
UserTime 0:00:00.0020
KernelTime 0:00:00.0070
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address spoolsv!InitializeRouter (0x01001b1b)
Stack Init bd6f6000 Current bd6f5930 Base bd6f6000 Limit
bd6f2000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd6f5948 80504ba9 00000004 e20bcc28 81e32b48
nt!KiSwapThread+0xc5
bd6f597c 80527b9b 00000002 bd6f59f8 00000001
nt!KeWaitForMultipleObjects+0x266
bd6f5d48 8053c691 00000002 00cdf85c 00000001
nt!NtWaitForMultipleObjects+0x3a0
bd6f5d48 77f9323e 00000002 00cdf85c 00000001
nt!KiSystemService+0xc4
00cdf834 7c4ebdd7 00000002 00cdf85c 00000001
ntdll!ZwWaitForMultipleObjects+0xb
00cdf884 77e13990 00cdf85c 00000001 00000000
KERNEL32!WaitForMultipleObjectsEx+0xea
00cdf8e0 77e13a5c 00cdf8ac 00cdf928 ffffffff
USER32!MsgWaitForMultipleObjectsEx+0x153
00cdf8fc 76a91f29 00000001 00cdf928 00000000
USER32!MsgWaitForMultipleObjects+0x1d
00cdf944 76a9156e 00000000 00000000 00075fb8
SPOOLSS!HandlePollNotifications+0x33
00cdffb4 7c4e987c 00c99518 00000000 00000000
SPOOLSS!InitializeRouter+0x35f
00cdffec 00000000 01001b1b 00075fb8 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81cb4020 Cid 208.218 Teb: 7ffda000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81de4ae0 SynchronizationEvent
IRP List:
820c74a8: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6612 Elapsed Ticks: 1848
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address SPOOLSS!PnpIPAddressChangeListener
(0x76a91793)
Stack Init bdc75000 Current bdc74930 Base bdc75000 Limit
bdc72000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bdc74948 80504ba9 00000000 e20bcab0 81e32b48
nt!KiSwapThread+0xc5
bdc7497c 80527b9b 00000001 bdc749f8 00000001
nt!KeWaitForMultipleObjects+0x266
bdc74d48 8053c691 00000001 00d1ff30 00000001
nt!NtWaitForMultipleObjects+0x3a0
bdc74d48 77f9323e 00000001 00d1ff30 00000001
nt!KiSystemService+0xc4
00d1ff08 7c4ebdd7 00000001 00d1ff30 00000001
ntdll!ZwWaitForMultipleObjects+0xb
00d1ff58 7c4fabfb 00d1ff30 00000001 00000000
KERNEL32!WaitForMultipleObjectsEx+0xea
00d1ff70 76a917f7 00000001 00d1ffa8 00000000
KERNEL32!WaitForMultipleObjects+0x17
00d1ffb4 7c4e987c 00000128 00000000 00000000
SPOOLSS!PnpIPAddressChangeListener+0x60
00d1ffec 00000000 76a91793 00233c10 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81d204a0 Cid 208.4f4 Teb: 7ffd5000 Win32Thread:
00000000
WAIT: (DelayExecution) UserMode Non-Alertable
81d20588 NotificationTimer
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6639 Elapsed Ticks: 1821
Context Switch Count 2
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address localspl!ServerThread (0x76148015)
Stack Init bd61a000 Current bd619cc4 Base bd61a000 Limit
bd617000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd619cdc 8050487a bd619d64 0146fe64 0146fe6c
nt!KiSwapThread+0xc5
bd619d04 8058fb21 00000001 00000000 bd619d34
nt!KeDelayExecutionThread+0x180
bd619d54 8053c691 00000000 0146fe6c 00000000
nt!NtDelayExecution+0x7f
bd619d54 77f8915e 00000000 0146fe6c 00000000
nt!KiSystemService+0xc4
0146fe54 7c4faca5 00000000 0146fe6c 00000000
ntdll!NtDelayExecution+0xb
0146fe74 7c4fac79 0001d4c0 00000000 76148051
KERNEL32!SleepEx+0x32
0146fe80 76148051 0001d4c0 00000000 7c4ea4e1 KERNEL32!Sleep+0xb
0146ffb4 7c4e987c 00000000 00000000 7c4ea4e1
localspl!ServerThread+0x3c
0146ffec 00000000 76148015 00000000 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81d20220 Cid 208.4f8 Teb: 7ffd4000 Win32Thread:
00000000
WAIT: (UserRequest) UserMode Non-Alertable
81d20720 SynchronizationEvent
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6639 Elapsed Ticks: 1821
Context Switch Count 2
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address localspl!SchedulerThread (0x76133013)
Stack Init bd616000 Current bd615ca0 Base bd616000 Limit
bd613000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd615cb8 80504e88 00000000 00000000 8057d152
nt!KiSwapThread+0xc5
bd615ce0 8057d203 81d20720 00000006 00277001
nt!KeWaitForSingleObject+0x1a1
bd615d50 8053c691 00000198 00000000 00000000
nt!NtWaitForSingleObject+0xb7
bd615d50 77f94091 00000198 00000000 00000000
nt!KiSystemService+0xc4
014aff60 7c4fc4c2 00000198 00000000 00000000
ntdll!NtWaitForSingleObject+0xb
014aff88 7c4f1b1b 00000198 ffffffff 00000000
KERNEL32!WaitForSingleObjectEx+0x71
014aff98 7613303b 00000198 ffffffff 00000000
KERNEL32!WaitForSingleObject+0xf
014affb4 7c4e987c 00c920f0 00000000 00cdf320
localspl!SchedulerThread+0x30
014affec 00000000 76133013 00c920f0 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81ca3b40 Cid 208.504 Teb: 7ffad000 Win32Thread:
00000000
WAIT: (WrLpcReceive) UserMode Non-Alertable
81ca3e08 Semaphore Limit 0x7fffffff
81ca3c28 NotificationTimer
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6640 Elapsed Ticks: 1820
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address RPCRT4!ThreadStartRoutine (0x77d3dcf3)
Stack Init bd60e000 Current bd60dc48 Base bd60e000 Limit
bd60b000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd60dc60 80504e88 bd60dd64 e22d39e0 00000000
nt!KiSwapThread+0xc5
bd60dc88 8050bd74 81ca3e08 00000010 80581401
nt!KeWaitForSingleObject+0x1a1
bd60dd48 8053c691 000002a0 0157ff54 00000000
nt!NtReplyWaitReceivePortEx+0x45e
bd60dd48 77f839c7 000002a0 0157ff54 00000000
nt!KiSystemService+0xc4
0157fe24 77d3dbac 000002a0 0157ff54 00000000
ntdll!NtReplyWaitReceivePortEx+0xb
0157ff74 77d3d9db 77d3dd59 00098650 4008bdc8
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x74
0157ff78 77d3dd59 00098650 4008bdc8 00000060
RPCRT4!RecvLotsaCallsWrapper+0x9
0157ffa8 77d3dd0b 0008c288 0157ffec 7c4e987c
RPCRT4!BaseCachedThreadRoutine+0x4f
0157ffb4 7c4e987c 0008c310 4008bdc8 00000060
RPCRT4!ThreadStartRoutine+0x18
0157ffec 00000000 77d3dcf3 0008c310 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81ca3820 Cid 208.508 Teb: 7ffac000 Win32Thread:
00000000
WAIT: (DelayExecution) UserMode Non-Alertable
81ca3908 NotificationTimer
Not impersonating
Owning Process 81de6880
Wait Start TickCount 6640 Elapsed Ticks: 1820
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
Win32 Start Address OLE32!CRpcThreadCache::RpcWorkerThreadEntry
(0x77a8e915)
Stack Init bd60a000 Current bd609cc4 Base bd60a000 Limit
bd607000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd609cdc 8050487a bd609d64 015bff6c 015bff74
nt!KiSwapThread+0xc5
bd609d04 8058fb21 81ca3901 00000000 bd609d34
nt!KeDelayExecutionThread+0x180
bd609d54 8053c691 00000000 015bff74 00000000
nt!NtDelayExecution+0x7f
bd609d54 77f8915e 00000000 015bff74 00000000
nt!KiSystemService+0xc4
015bff5c 7c4faca5 00000000 015bff74 7c4fc468
ntdll!NtDelayExecution+0xb
015bff7c 7c4fac79 0000ea60 00000000 77a60216
KERNEL32!SleepEx+0x32
015bff88 77a60216 0000ea60 77a8e970 00000000 KERNEL32!Sleep+0xb
015bff90 77a8e970 00000000 77a50000 0008e788
OLE32!CROIDTable::WorkerThreadLoop+0xc
015bffa8 77a8e92f 77a986dc 77a53c19 7c4e987c
OLE32!CRpcThread::WorkerLoop+0x22
015bffb4 7c4e987c 0008e788 77a986dc 77a53c19
OLE32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
015bffec 00000000 77a8e915 0008e788 00000000
KERNEL32!BaseThreadStart+0x52
THREAD 81d20da0 Cid 208.510 Teb: 7ffaa000 Win32Thread:
00000000
WAIT: (DelayExecution) UserMode Alertable
81d20e88 NotificationTimer
Not impersonating
Owning Process 81de6880
Wait Start TickCount 7435 Elapsed Ticks: 1025
Context Switch Count 12
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x7c4e9824)
LPC Server thread working on message Id 728
Stack Init bd61e000 Current bd61dcc4 Base bd61e000 Limit
bd61b000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bd61dcdc 8050487a bd61dd64 0167ff84 0167ff90
nt!KiSwapThread+0xc5
bd61dd04 8058fb21 81cfec01 00000001 bd61dd34
nt!KeDelayExecutionThread+0x180
bd61dd54 8053c691 00000001 0167ff90 00000000
nt!NtDelayExecution+0x7f
bd61dd54 77f8915e 00000001 0167ff90 00000000
nt!KiSystemService+0xc4
0167ff74 77d3ddcd 00000001 0167ff90 00000000
ntdll!NtDelayExecution+0xb
0167ffa8 77d3dd0b 00073dc8 0167ffec 7c4e987c
RPCRT4!BaseCachedThreadRoutine+0xc3
0167ffb4 7c4e987c 000c0f28 00000000 00000000
RPCRT4!ThreadStartRoutine+0x18
0167ffec 00000000 77d3dcf3 000c0f28 00000000
KERNEL32!BaseThreadStart+0x52
Please notice that for Windows XP full kernel memory dumps the script
is working perfectly.
As an attempt to work around the problem I decided to use the pair of commands
“.cache forcedecodeuser” and “.reload /user”, but I ran into the new problem
that I reported first.
Also, the documentation about “.process” is a bit unclear. It could seem to
a WinDbg user that options /p and /r can be used during live
debugging only.
“
/p
(Live debugging only) If this option is included and Process is nonzero,
all transition page table entries (PTEs) for this process will
automatically be translated into physical addresses before access. This
may cause slowdowns, because the debugger will have to look up the
physical addresses for all the memory used by this process, and a
significant amount of data may need to be transferred across the debug
cable. (This behavior is the same as that of .cache forcedecodeuser.) If
the /p option is included and Process is zero or omitted, this
translation will be disabled. (This behavior is the same as that of
.cache noforcedecodeptes.)
/r
(Live debugging only) If the /r option is included along with the /p
option, user-mode symbols will be reloaded after the process context has
been set.
(This behavior is the same as that of .reload /user.)
”
Best regards,
Oleksiy Shatylo
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@bugcheck.org
> Sent: Thursday, August 03, 2006 10:09 PM
> To: Kernel Debugging Interest List
> Subject: Re: [windbg] Problem with .cache forcedecodeuser
>
> Ah thanks for the clarification Drew. I suppose I’ve just never come
> across one of those commands myself. In the example below the
> workaround is to use .process /p @$t2 instead of the .cache which is
> what I have in a similar script (and why I didn’t see the .cache error
> before). The .reload /user can be simplified by using /r as well.
>
>
> Drew Bliss wrote:
> > When using commands which have block statements, such as .for, the
> > entire statement has to be present in the same piece of input. The
> > special $>< concatenates all lines in a script file to make that easy,
> > but it also means that you can only use commands that properly obey
> > semicolon termination since everything gets glued together.
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of
> > xxxxx@bugcheck.org
> > Sent: Thursday, August 03, 2006 12:29 PM
> > To: Kernel Debugging Interest List
> > Subject: Re: [windbg] Problem with .cache forcedecodeuser
> >
> >
> > Why bother with the semicolons at all? Provided your command is on its
> > own line it should work fine. I’ve never had problems omitting them
> > anyway…
> >
> > Drew Bliss wrote:
> >
> >> Unfortunately .cache doesn’t make any attempt to parse its arguments,
> >> it just looks at the whole line. We’ll get that fixed.
> >>
> >> In the meantime, I think if you put your .cache command as a single
> >> line in a script and then invoke that sub-script from your primary
> >> script it should work.
> >>
> >> -----Original Message-----
> >> From: xxxxx@lists.osr.com
> >> [mailto:xxxxx@lists.osr.com] On Behalf Of Oleksiy
> >> Shatylo
> >> Sent: Thursday, August 03, 2006 7:09 AM
> >> To: Kernel Debugging Interest List
> >> Subject: [windbg] Problem with .cache forcedecodeuser
> >>
> >> Dear WinDbg team,
> >>
> >> I found an annoying problem in the .cache command.
> >> If I run the command without a semicolon at the end of the line then everything
> >> passes well:
> >> kd> .cache forcedecodeuser
> >>
> >> Max cache size is : 1048576 bytes (0x400 KB)
> >> Total memory in cache : 0 bytes (0 KB)
> >> Number of regions cached: 0
> >> 0 full reads broken into 0 partial reads
> >> counts: 0 cached/0 uncached, 0.00% cached
> >> bytes : 0 cached/0 uncached, 0.00% cached
> >> Transition PTEs are implicitly decoded
> >> User virtual addresses are translated to physical
> addresses before
> >> access
> >> ** Prototype PTEs are implicitly decoded
> >>
> >> But if I run the command with a semicolon at the end then I have the following
> >> result of its execution:
> >> kd> .cache forcedecodeuser;
> >> Numeric expression missing from ‘;’
> >>
> >> The problem becomes more important if I am using some script like below:
> >
> >> $$ Get process list LIST_ENTRY in $t0.
> >> r @$t0 = nt!PsActiveProcessHead;
> >>
> >> $$ Iterate over all processes in list.
> >> .for (r @$t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r @$t1 =
> >> poi(@$t1)) {
> >> r? @$t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
> >> .process @$t2;
> >> .cache forcedecodeuser;
> >> .reload /user;
> >> !process @$t2 7;
> >> }
> >>
> >> Kd tells me the following:
> >> kd> $$>< D:\WinDbgData\Scripts\proc.wds
> >> Implicit process is now 820af9a0
> >> Numeric expression missing from '; .reload /user;
> !process @$t2 7;
> >>
> > '
> >
> >> As background information:
> >> kd> version
> >> Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86
> >> compatible
> >> Product: WinNt
> >> Kernel base = 0x804d7000 PsLoadedModuleList = 0x805451b8 Debug
> >> session
> >> time: Wed Aug 2 14:22:46.021 2006 (GMT+2) System Uptime: 0 days
> >> 0:01:24.721 32-bit Full kernel dump:
> >> N:\4Alexey\MEMORY_60802_51012.DMP
> >>
> >
> >
> >> command line: 'D:\WinDbg\windbg.exe -Q -QS ’ Debugger Process
> >> 0x3784
> >> dbgeng: image 6.6.0007.5, built Sat Jul 08 22:12:40 2006
> >> [path: D:\WinDbg\dbgeng.dll]
> >> dbghelp: image 6.6.0007.5, built Sat Jul 08 22:11:32 2006
> >> [path: D:\WinDbg\dbghelp.dll]
> >> DIA version: 60516
> >> Extension DLL search Path:
> >> Extension DLL chain:
> >> dbghelp: image 6.6.0007.5, API 6.0.6, built Sat Jul 08 22:11:32
> >>
> > 2006
> >
> >> [path: D:\WinDbg\dbghelp.dll]
> >> ext: image 6.6.0007.5, API 1.0.0, built Sat Jul 08
> 22:10:52 2006
> >> [path: D:\WinDbg\winext\ext.dll]
> >> kext: image 6.6.0007.5, API 1.0.0, built Sat Jul 08
> 22:11:01 2006
> >> [path: D:\WinDbg\winext\kext.dll]
> >> kdextx86: image 5.00.2195.6883, API 5.0.5, built Tue Feb 22
> >> 02:38:44
> >> 2005
> >> [path: D:\WinDbg\W2KFre\kdextx86.dll] Free
> Extension dll for
> >> Build 2195 debugging Free kernel for Build 2195
> >>
> >> Best regards,
> >> Oleksiy Shatylo
> >>
> >>
> >> —
> >> You are currently subscribed to windbg as:
> xxxxx@winse.microsoft.com
> >> To unsubscribe send a blank email to
> >> xxxxx@lists.osr.com
> >>
> >>
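Added example, not part of the thread: the symptom reported in the 4 August message (each loop iteration sets a new implicit process, yet `!process` prints the Idle process at 80546930 with no stack frames) can be checked mechanically on a saved debugger log. The sample log is constructed from lines quoted above, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes taken from the kd output quoted in the thread.
HEX = r"([0-9a-fA-F`]+)"
IMPLICIT = re.compile(r"Implicit process is now " + HEX)   # echo of .process
PROCESS = re.compile(r"^\s*PROCESS\s+" + HEX)              # !process header
THREAD = re.compile(r"^\s*THREAD\s+" + HEX)                # one per thread
IMAGE = re.compile(r"^\s*Image:\s*(\S+)")
STACK = re.compile(r"^\s*ChildEBP\s+RetAddr")              # stack trace header

# Constructed sample: a shortened log assembled from lines in the thread.
SAMPLE_LOG = """\
Implicit process is now 820af9a0
Loading User Symbols
PROCESS 80546930 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: 820d4408 TableSize: 146.
    Image: Idle
        THREAD 80546bc0 Cid 0.0 Teb: 00000000 Win32Thread: 00000000 RUNNING
Implicit process is now 81de6880
Loading User Symbols
PROCESS 81de6880 SessionId: 0 Cid: 0208 Peb: 7ffdf000 ParentCid: 00ec
    DirBase: 1a225000 ObjectTable: 81e32b48 TableSize: 142.
    Image: SPOOLSV.EXE
        THREAD 81de6600 Cid 208.204 Teb: 7ffde000 Win32Thread: 00000000
        ChildEBP RetAddr  Args to Child
        bdc84c14 80504e88 81e34468 00000000 8067bea0 nt!KiSwapThread+0xc5
        THREAD 81de5540 Cid 208.20c Teb: 7ffdd000 Win32Thread: e20bdc08
        ChildEBP RetAddr  Args to Child
        bdcf4cb8 80504e88 00000000 00000000 8057d152 nt!KiSwapThread+0xc5
"""


def _addr(text: str) -> str:
    """Normalise an address: lower case, no 64-bit backtick separator."""
    return text.replace("`", "").lower()


@dataclass
class Dump:
    requested: Optional[str]  # EPROCESS the context was switched to, if seen
    reported: str             # EPROCESS that !process actually printed
    image: str = "?"
    threads: int = 0
    stacks: int = 0

    def problems(self) -> List[str]:
        found = []
        if self.requested and self.requested != self.reported:
            found.append(f"context was set to {self.requested} but !process "
                         f"printed {self.reported} ({self.image})")
        if self.stacks < self.threads:
            found.append(f"{self.threads - self.stacks} of {self.threads} "
                         "threads have no stack trace")
        return found


def parse_log(text: str) -> List[Dump]:
    """Pair each 'Implicit process is now X' with the PROCESS block after it."""
    dumps: List[Dump] = []
    pending: Optional[str] = None
    current: Optional[Dump] = None
    for line in text.splitlines():
        m = IMPLICIT.search(line)
        if m:
            pending, current = _addr(m.group(1)), None
            continue
        m = PROCESS.match(line)
        if m:
            current = Dump(requested=pending, reported=_addr(m.group(1)))
            dumps.append(current)
            pending = None
            continue
        if current is None:
            continue
        m = IMAGE.match(line)
        if m:
            current.image = m.group(1)
        elif THREAD.match(line):
            current.threads += 1
        elif STACK.match(line):
            current.stacks += 1
    return dumps


def audit(text: str):
    """Return (reported EPROCESS, image, problems) for suspicious dumps only."""
    return [(d.reported, d.image, d.problems())
            for d in parse_log(text) if d.problems()]


if __name__ == "__main__":
    for reported, image, problems in audit(SAMPLE_LOG):
        for problem in problems:
            print(f"{reported} {image}: {problem}")
```

A thread without a stack header is only a prompt to look closer, since a stack can be missing for reasons other than the script problem discussed here.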