There’s a also very good example in the help for the dt command that shows
how to walk the process list going forward. You can probably substitute
Blink for Flink and accomplish what you want.
-----Original Message-----
From: Tony Mason [mailto:xxxxx@osr.com]
Sent: Thursday, February 12, 2004 7:29 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] !process quickie
Douglas,
Actually, the list is circular, so even if you don’t know the name of
the head element, you just need to find the LIST_ENTRY in the process
structure. A quick “dt nt!_EPROCESS” showed a number of LIST_ENTRY
elements, but my guess was “ActiveProcessLinks”. You can then dump the
list from there (personally, I like !kdex2x86.list, but there are
numerous list walking mechanisms including the basic “dl” command.)
And, just for the record, the list head is PsActiveProcessHead.
Did I mention that manually walking the process list is a tad painful?
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Douglas G. Hanley
Sent: Thursday, February 12, 2004 7:11 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] !process quickie
Windows 2K and windbg 6.1.000172. I am using that version on another
person’s machine. Obviously, I’ll make the upgrade - is that likely to
be the problem? I must admit to having seen this mysterious message a
number of times on my version of windbg - 6.2.0013.0. It was this
frequency which prompted me to finally ask this community.
Throw me a bone and give me the list head name Tony to save me wading
into the docs. Cheers,
Douglas.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: 12 February 2004 12:02
To: Kernel Debugging Interest List
Subject: RE: [windbg] !process quickie
Which version of WinDBG are you using? Which version of
Windows?
It is also possible that the process list has become damaged or
corrupted because that will cause problems for the extension trying to
walk the process list. Of course, you can do it manually (the wonder of
doubly linked lists) but that’s a bit more work.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com, http://www.osronline.com
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Douglas G. Hanley
Sent: Thursday, February 12, 2004 6:00 AM
To: Kernel Debugging Interest List
Subject: [windbg] !process quickie
When analyzing a kernel dump I issue a !process 0 7 and get lots
of process information before the output is terminated with an “Unable
to read _EPROCESS at 0xblah”. I have a user mode process communicating
with a driver which is hung, I then force the dump and go and attempt to
use the above command to look out said process. I get the error message
and find my process is not included in the output leading me to believe
the process list is incomplete due to windbg having a problem. Any idea
why !process terminates prematurely like this? The dump is complete.
Cheers muchly,
Douglas.
Douglas G. Hanley
Senior Developer
The Neverfail Group
t: +44 (0)870 770 0234
f: +44 (0)870 770 0235
m: +44 (0)790 666 0965
e: xxxxx@neverfailgroup.com
mailto:xxxxx
w: http://www.neverfailgroup.com
http:</http:>
Protected by Neverfail for Exchange
http:</http:>
_________________________________________________________________
—
You are currently subscribed to windbg as: xxxxx@osr.com
To unsubscribe send a blank email to
xxxxx@lists.osr.com —
You are currently subscribed to windbg as: xxxxx@osr.com
To unsubscribe send a blank email to
xxxxx@lists.osr.com —
You are currently subscribed to windbg as:
xxxxx@neverfailgroup.com
To unsubscribe send a blank email to
xxxxx@lists.osr.com
—
You are currently subscribed to windbg as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
You are currently subscribed to windbg as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com</mailto:xxxxx>