View registry entries in kernel dump

shakti_sinha-2 · November 10, 2013, 9:54am

Hi,

Is it possible to view registry enteries in a crash dump using windbg.
If no, is there any other tool available.
I found !reg and !dreg, but that seems to be for user mode.

Thanks

Jeffrey_Tippet_MSFT · November 10, 2013, 12:19pm

!reg works in full kernel dumps and live kernel remotes. I use it rather frequently.

!reg is limited in the keys it can view - it can only see keys that are in memory (similar to how you can’t see pageable memory if it’s paged-out). The SYSTEM hive is going to be locked into memory, and that’s generally what most drivers interact with, so you don’t have to worry too much if you’re going after SYSTEM keys. (SOFTWARE keys are iffy, and user keys are usually difficult).

!reg doesn’t automatically follow symbolic links, so if you’re looking at CurrentControlSet, replace that with ControlSet001 (or whatever).

We made some improvements to the reliability of !reg in Windows 8.1, so if you have a choice in the matter, prefer to use the latest WDK on the latest OS.

Here’s an example, taken from a live kernel remote:

0: kd> !reg q \registry\machine\system\controlset001\services\ndis

Found KCB = ffffc000001e3a70 :: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\NDIS

Hive ffffc00000028000
KeyNode ffffc00000f839bc

[SubKeyAddr] [SubKeyName]
ffffc00000f827fc IfTypes
ffffc00000f8279c Parameters

Use ‘!reg keyinfo ffffc00000028000 ’ to dump the subkey details

[ValueType] [ValueName] [ValueData]
REG_SZ DisplayName @%SystemRoot%\system32\drivers\ndis.sys,-200
REG_DWORD ErrorControl 3
REG_SZ Group NDIS Wrapper
REG_EXPAND_SZ ImagePath system32\drivers\ndis.sys
REG_DWORD Start 0
REG_DWORD Type 1
REG_SZ Description @%SystemRoot%\system32\drivers\ndis.sys,-201

OSR_Community_User · November 10, 2013, 9:05pm

The Registry is on disk. The crash dump is a memory snapshot. So the
simple answer is “no”.
joe

Hi,

Is it possible to view registry enteries in a crash dump using windbg.
If no, is there any other tool available.
I found !reg and !dreg, but that seems to be for user mode.

Thanks

WINDBG is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

shakti_sinha-2 · November 13, 2013, 12:56pm

Thanks for the explanations.