I am working on the Windows 8 memory dump. And I am using the latest WinDbg from SDK for Windows 8.1. The version is WinDbg:6.3.9600.16384.
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9200.16628.amd64fre.win8_gdr.130531-150
When I use ‘!process’ command, for some reason, the handle count cannot be displayed. I always see the following, “HandleCount: ”.
I searched the web. Somebody said that WinDbg is still not yet updated to handle the changed HANDLE_TABLE struct on Windows 8. How come this could happen? Is there a newer version WinDbg which has resolved this issue?
Anyway I also dumped the _HANDLE_TABLE and _HANDLE_TABLE_ENTRY defination on the target.
: kd> !process fffffa804e0a7080
PROCESS fffffa804e0a7080
SessionId: 0 Cid: 0130 Peb: 7f66883c000 ParentCid: 030c
DirBase: 12e8e6000 ObjectTable: fffff8a001df4880 HandleCount:
Image: VMWVvpsvc.exe
VadRoot fffffa804e0a5e60 Vads 147 Clone 0 Private 12107. Modified 22926. Locked 0.
DeviceMap fffff8a00000c0a0
Token fffff8a001df5060
ElapsedTime 4 Days 20:06:15.768
UserTime 00:00:08.812
KernelTime 00:00:21.421
QuotaPoolUsage[PagedPool] 138344
QuotaPoolUsage[NonPagedPool] 18752
Working Set Sizes (now,min,max) (14441, 50, 345) (57764KB, 200KB, 1380KB)
PeakWorkingSetSize 15189
VirtualSize 140 Mb
PeakVirtualSize 147 Mb
PageFaultCount 362963
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 13306
0: kd> dt _HANDLE_TABLE
ntdll!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : Uint4B
+0x004 ExtraInfoPages : Int4B
+0x008 TableCode : Uint8B
+0x010 QuotaProcess : Ptr64 _EPROCESS
+0x018 HandleTableList : _LIST_ENTRY
+0x028 UniqueProcessId : Uint4B
+0x02c Flags : Uint4B
+0x02c StrictFIFO : Pos 0, 1 Bit
+0x02c EnableHandleExceptions : Pos 1, 1 Bit
+0x02c Rundown : Pos 2, 1 Bit
+0x02c Duplicated : Pos 3, 1 Bit
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] UChar
+0x060 DebugInfo : Ptr64 _HANDLE_TRACE_DEBUG_INFO
0: kd> dt _HANDLE_TABLE_ENTRY
ntdll!_HANDLE_TABLE_ENTRY
+0x000 VolatileLowValue : Int8B
+0x000 LowValue : Int8B
+0x000 InfoTable : Ptr64 _HANDLE_TABLE_ENTRY_INFO
+0x000 Unlocked : Pos 0, 1 Bit
+0x000 RefCnt : Pos 1, 19 Bits
+0x000 Attributes : Pos 20, 3 Bits
+0x000 ObjectPointerBits : Pos 23, 41 Bits
+0x008 HighValue : Int8B
+0x008 NextFreeHandleEntry : Ptr64 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x008 GrantedAccessBits : Pos 0, 25 Bits
+0x008 Spare : Pos 25, 7 Bits
+0x00c TypeInfo : Uint4B
Move this thread to WinDbg list.
On Thu, Dec 19, 2013 at 10:59 AM, wrote:
> I am working on the Windows 8 memory dump. And I am using the latest
> WinDbg from SDK for Windows 8.1. The version is WinDbg:6.3.9600.16384.
>
> 0: kd> vertarget
> Windows 8 Kernel Version 9200 MP (2 procs) Free x64
> Product: WinNt, suite: TerminalServer SingleUserTS
> Built by: 9200.16628.amd64fre.win8_gdr.130531-150
>
> When I use ‘!process’ command, for some reason, the handle count cannot be
> displayed. I always see the following, “HandleCount: ”.
>
> I searched the web. Somebody said that WinDbg is still not yet updated to
> handle the changed HANDLE_TABLE struct on Windows 8. How come this could
> happen? Is there a newer version WinDbg which has resolved this issue?
>
> Anyway I also dumped the _HANDLE_TABLE and _HANDLE_TABLE_ENTRY defination
> on the target.
>
> : kd> !process fffffa804e0a7080
> PROCESS fffffa804e0a7080
> SessionId: 0 Cid: 0130 Peb: 7f66883c000 ParentCid: 030c
> DirBase: 12e8e6000 ObjectTable: fffff8a001df4880 HandleCount: > Not Accessible>
> Image: VMWVvpsvc.exe
> VadRoot fffffa804e0a5e60 Vads 147 Clone 0 Private 12107. Modified
> 22926. Locked 0.
> DeviceMap fffff8a00000c0a0
> Token fffff8a001df5060
> ElapsedTime 4 Days 20:06:15.768
> UserTime 00:00:08.812
> KernelTime 00:00:21.421
> QuotaPoolUsage[PagedPool] 138344
> QuotaPoolUsage[NonPagedPool] 18752
> Working Set Sizes (now,min,max) (14441, 50, 345) (57764KB, 200KB,
> 1380KB)
> PeakWorkingSetSize 15189
> VirtualSize 140 Mb
> PeakVirtualSize 147 Mb
> PageFaultCount 362963
> MemoryPriority BACKGROUND
> BasePriority 8
> CommitCharge 13306
>
> 0: kd> dt _HANDLE_TABLE
> ntdll!_HANDLE_TABLE
> +0x000 NextHandleNeedingPool : Uint4B
> +0x004 ExtraInfoPages : Int4B
> +0x008 TableCode : Uint8B
> +0x010 QuotaProcess : Ptr64 _EPROCESS
> +0x018 HandleTableList : _LIST_ENTRY
> +0x028 UniqueProcessId : Uint4B
> +0x02c Flags : Uint4B
> +0x02c StrictFIFO : Pos 0, 1 Bit
> +0x02c EnableHandleExceptions : Pos 1, 1 Bit
> +0x02c Rundown : Pos 2, 1 Bit
> +0x02c Duplicated : Pos 3, 1 Bit
> +0x030 HandleContentionEvent : _EX_PUSH_LOCK
> +0x038 HandleTableLock : _EX_PUSH_LOCK
> +0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
> +0x040 ActualEntry : [32] UChar
> +0x060 DebugInfo : Ptr64 _HANDLE_TRACE_DEBUG_INFO
>
> 0: kd> dt _HANDLE_TABLE_ENTRY
> ntdll!_HANDLE_TABLE_ENTRY
> +0x000 VolatileLowValue : Int8B
> +0x000 LowValue : Int8B
> +0x000 InfoTable : Ptr64 _HANDLE_TABLE_ENTRY_INFO
> +0x000 Unlocked : Pos 0, 1 Bit
> +0x000 RefCnt : Pos 1, 19 Bits
> +0x000 Attributes : Pos 20, 3 Bits
> +0x000 ObjectPointerBits : Pos 23, 41 Bits
> +0x008 HighValue : Int8B
> +0x008 NextFreeHandleEntry : Ptr64 _HANDLE_TABLE_ENTRY
> +0x008 LeafHandleValue : _EXHANDLE
> +0x008 GrantedAccessBits : Pos 0, 25 Bits
> +0x008 Spare : Pos 25, 7 Bits
> +0x00c TypeInfo : Uint4B
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>