!process shows common thread

Reverse_Engineer · December 15, 2010, 11:41pm

Hello Everyone,

i have taken complete memory dump using notmyfault utility.

when i started analyzing, i see the following

!process 0 0 –> list me all the processes

!process “test.exe” –> shows me single thread that belong to notmyfault.exe

!process lsass.exe –> also shows me single thread of notmyfault.exe

i tested with many different processes , same behavior. I even tried changing the process context but fails.

So i am puzzled. any help would be appreciated.

taehwa_lee · December 16, 2010, 12:00am

Hi

If you want to see process information for specific process, you need to
use like below

!process 0 7 lsass.exe

Syntax
!process [/s Session] [/m Module] 0 Flags ImageName

Best regards,
Taehwa.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-434551-
xxxxx@lists.osr.com] On Behalf Of xxxxx@live.com
Sent: Thursday, December 16, 2010 1:41 PM
To: Kernel Debugging Interest List
Subject: [windbg] !process shows common thread

Hello Everyone,

i have taken complete memory dump using notmyfault utility.

when i started analyzing, i see the following

!process 0 0 –> list me all the processes

!process “test.exe” –> shows me single thread that belong to notmyfault.exe

!process lsass.exe –> also shows me single thread of notmyfault.exe

i tested with many different processes , same behavior. I even tried
changing the process context but fails.

So i am puzzled. any help would be appreciated.

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Reverse_Engineer · December 16, 2010, 1:33am

Hi ,
Thank you for the message.

I can list all the thread even when i issue !process 0 2 lsass.exe , but why can it display the thread associated with process when i issue !process lsass.exe was confusing.

Reverse_Engineer · December 16, 2010, 1:52am

sorry, my observation was wrong.

even though you give !process lsass.exe or !process iexplore.exe , windbg would only display the implicit process information and which is notmyfault in my scenario.

when i give !process 0 2 or provide appropriate flags then i get accurate results.

Anderson_Bill · December 16, 2010, 3:39am

!process 0 0 test.exe