WinDbg Debugging, 2007. 9. 23. 02:27

The basic form of the !process command is as follows.

!process Process Flags

For full usage it is always best to consult the WinDbg help. ^^
Here I will only briefly describe the ways I use it most often.

1) !process 0 0
Use this when you want to see every process.

Giving 0 for Process means "all processes".
Giving 0 for Flags means "show the most compact form".

Example)

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 867b5a00  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 06c20000  ObjectTable: e1003e60  HandleCount: 281.
    Image: System

PROCESS 860a1220  SessionId: none  Cid: 0578    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0f89e000  ObjectTable: e16d73c8  HandleCount:  21.
    Image: smss.exe

PROCESS 86433b20  SessionId: 0  Cid: 05ec    Peb: 7ffd9000  ParentCid: 0578
    DirBase: 113af000  ObjectTable: e100fa68  HandleCount: 489.
    Image: csrss.exe

PROCESS 863fcda0  SessionId: 0  Cid: 0604    Peb: 7ffd7000  ParentCid: 0578
    DirBase: 14214000  ObjectTable: e15a6698  HandleCount: 471.
    Image: winlogon.exe

...

2) !process 0 0 ImageName.exe
Use this to find a specific process.

Out of all processes, it finds and shows only the ones whose name matches the one you give.
The process name must match including the extension, exactly as it appears in the listing above.

Example)

kd> !process 0 0 notepad.exe
PROCESS 859a1020  SessionId: 0  Cid: 04d8    Peb: 7ffdf000  ParentCid: 0150
    DirBase: 0d413000  ObjectTable: e197b118  HandleCount:  53.
    Image: notepad.exe


3) !process Process 7
Use this when you want detailed information about one specific process.

Each bit of Flags has its own meaning; giving 7 turns on all three bits (1, 2 and 3), so it shows the most detail.
For what each bit means, again, see the WinDbg help!!!

Example)

Take the PROCESS address 859a1020 from the notepad.exe entry found above and run the following command.

kd> !process 859a1020  7
PROCESS 859a1020  SessionId: 0  Cid: 04d8    Peb: 7ffdf000  ParentCid: 0150
    DirBase: 0d413000  ObjectTable: e197b118  HandleCount:  53.
    Image: notepad.exe
    VadRoot 864c5cb8 Vads 68 Clone 0 Private 225. Modified 19. Locked 0.
    DeviceMap e287fc90
    Token                             e15c9570
    ElapsedTime                       00:00:19.390
    UserTime                          00:00:00.046
    KernelTime                        00:00:00.250
    QuotaPoolUsage[PagedPool]         34280
    QuotaPoolUsage[NonPagedPool]      2720
    Working Set Sizes (now,min,max)  (1003, 50, 345) (4012KB, 200KB, 1380KB)
    PeakWorkingSetSize                1004
    VirtualSize                       32 Mb
    PeakVirtualSize                   37 Mb
    PageFaultCount                    1088
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      488

        THREAD 859a1da8  Cid 04d8.00a4  Teb: 7ffde000 Win32Thread: e2fe45c8 WAIT: (WrUserRequest) UserMode Non-Alertable
            85dd62c8  SynchronizationEvent
        Not impersonating
        DeviceMap                 e287fc90
        Owning Process            859a1020       Image:         notepad.exe
        Wait Start TickCount      151791         Ticks: 1168 (0:00:00:18.250)
        Context Switch Count      797                 LargeStack
        UserTime                  00:00:00.0031
        KernelTime                00:00:00.0250
        Win32 Start Address windbg!`string' (0x0100739d)
        Start Address kernel32!BaseProcessStartThunk (0x7c810665)
        Stack Init ec962000 Current ec961c20 Base ec962000 Limit ec95d000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  Args to Child             
        ec961c38 804e3bd2 859a1e18 859a1da8 804e3c1e nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        ec961c44 804e3c1e 000025ff e2fe45c8 00000000 nt!KiSwapThread+0x6b (FPO: [0,0,0])
        ec961c6c bf802fa0 00000001 0000000d 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        ec961ca8 bf801b80 000025ff 00000000 00000001 win32k!xxxSleepThread+0x192 (FPO: [Non-Fpo])
        ec961cec bf80f24e ec961d18 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x418 (FPO: [Non-Fpo])
        ec961d4c 804df99f 0007fefc 00000000 00000000 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
        ec961d4c 7c93eb94 0007fefc 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ ec961d64)
        0007fed8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])


Because the call stack is shown as well, this is often used to check where a hung process is stuck.


4) !process 0 7
Use this when you want detailed information about every process.

In my case I use it when I want to see the call stacks of every process and thread.
If a deadlock has occurred between several processes and threads, I search all of the call stacks for the ones that contain the driver I wrote, and analyze those to find the cause.
We will look at this usage in more detail later, in the deadlock analysis example.

Example)

kd> !process 0 7
**** NT ACTIVE PROCESS DUMP ****
PROCESS 867b5a00  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 06c20000  ObjectTable: e1003e60  HandleCount: 282.
    Image: System
    VadRoot 867ac3c0 Vads 4 Clone 0 Private 3. Modified 8487. Locked 0.
    DeviceMap e1003148
    Token                             e1000b40
    ElapsedTime                       00:33:54.765
    UserTime                          00:00:00.000
    KernelTime                        00:00:36.078
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (70, 0, 345) (280KB, 0KB, 1380KB)
    PeakWorkingSetSize                619
    VirtualSize                       1 Mb
    PeakVirtualSize                   3 Mb
    PageFaultCount                    8781
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      7

        THREAD 867b5788  Cid 0004.0008  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
            80568e10  SynchronizationEvent
            80569e00  NotificationTimer
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            867b5a00       Image:         System
        Wait Start TickCount      130223         Ticks: 9 (0:00:00:00.140)
        Context Switch Count      17103            
        UserTime                  00:00:00.0000
        KernelTime                00:00:02.0187
        Start Address nt!Phase1Initialization (0x806b07cb)
        Stack Init f7c46000 Current f7c45798 Base f7c46000 Limit f7c43000 Call 0
        Priority 0 BasePriority 0 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  Args to Child             
        f7c457b0 804e3bd2 00000000 867b5788 804e3b83 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f7c457bc 804e3b83 80701aa8 003de060 00000000 nt!KiSwapThread+0x6b (FPO: [0,0,0])
        f7c457f4 804eb549 00000002 f7c45828 00000001 nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        f7c45840 806af2bd 867b5788 00000000 00000044 nt!MmZeroPageThread+0x61 (FPO: [Non-Fpo])
        f7c45dac 80576128 80087000 00000000 00000000 nt!Phase1Initialization+0x1287 (FPO: [Non-Fpo])
        f7c45ddc 804f1c81 806b07cb 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
        00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

        THREAD 867b4d20  Cid 0004.0010  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
            8056b4c0  Unknown
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            867b5a00       Image:         System
        Wait Start TickCount      130233         Ticks: 22 (0:00:00:00.343)
        Context Switch Count      6541            
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0109
        Start Address nt!ExpWorkerThread (0x804e42f1)
        Stack Init f7c62000 Current f7c61d24 Base f7c62000 Limit f7c5f000 Call 0
        Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  Args to Child             
        f7c61d3c 804e3bd2 867b4d90 867b4d20 804e42d6 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f7c61d48 804e42d6 867b4098 8056b4c0 867b4d20 nt!KiSwapThread+0x6b (FPO: [0,0,0])
        f7c61d74 804e438e 00000001 00000001 00000000 nt!KeRemoveQueue+0x22a (FPO: [Non-Fpo])
        f7c61dac 80576128 867b4098 00000000 00000000 nt!ExpWorkerThread+0xcc (FPO: [Non-Fpo])
        f7c61ddc 804f1c81 804e42f1 00000000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
        00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

        ...

PROCESS 860a1220  SessionId: none  Cid: 0578    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0f89e000  ObjectTable: e16d73c8  HandleCount:  21.
    Image: smss.exe
    VadRoot 86443d30 Vads 16 Clone 0 Private 28. Modified 10. Locked 0.
    DeviceMap e1003148
    Token                             e181cde0
    ElapsedTime                       00:34:19.515
    UserTime                          00:00:00.015
    KernelTime                        00:00:00.015
    QuotaPoolUsage[PagedPool]         5228
    QuotaPoolUsage[NonPagedPool]      640
    Working Set Sizes (now,min,max)  (99, 50, 345) (396KB, 200KB, 1380KB)
    PeakWorkingSetSize                121
    VirtualSize                       3 Mb
    PeakVirtualSize                   11 Mb
    PageFaultCount                    217
    MemoryPriority                    BACKGROUND
    BasePriority                      11
    CommitCharge                      41

        THREAD 860a0da8  Cid 0578.057c  Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            86433b20  ProcessObject
            863fcda0  ProcessObject
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            860a1220       Image:         smss.exe
        Wait Start TickCount      25411          Ticks: 107191 (0:00:27:54.859)
        Context Switch Count      43            
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0015
        Start Address 0x4858a4c8
        Stack Init f71d2000 Current f71d1960 Base f71d2000 Limit f71cf000 Call 0
        Priority 11 BasePriority 11 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.

        THREAD 863b4ac0  Cid 0578.05c4  Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            866b90a8  Semaphore Limit 0x7fffffff
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            860a1220       Image:         smss.exe
        Wait Start TickCount      25411          Ticks: 107201 (0:00:27:55.015)
        Context Switch Count      9            
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address 0x485893b2
        Stack Init f71ce000 Current f71cdc34 Base f71ce000 Limit f71cb000 Call 0
        Priority 11 BasePriority 11 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.

        ...

PROCESS 86433b20  SessionId: 0  Cid: 05ec    Peb: 7ffd9000  ParentCid: 0578
    DirBase: 113af000  ObjectTable: e100fa68  HandleCount: 476.
    Image: csrss.exe
    VadRoot 858c76b8 Vads 129 Clone 0 Private 342. Modified 1742. Locked 0.
    DeviceMap e1003148
    Token                             e1825720
    ElapsedTime                       00:34:17.718
    UserTime                          00:00:01.765
    KernelTime                        00:00:04.046
    QuotaPoolUsage[PagedPool]         112960
    QuotaPoolUsage[NonPagedPool]      6072
    Working Set Sizes (now,min,max)  (1693, 50, 345) (6772KB, 200KB, 1380KB)
    PeakWorkingSetSize                1696
    VirtualSize                       79 Mb
    PeakVirtualSize                   79 Mb
    PageFaultCount                    4537
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      421

        THREAD 86431da8  Cid 05ec.05fc  Teb: 7ffdc000 Win32Thread: e18f2eb0 WAIT: (WrLpcReceive) UserMode Non-Alertable
            865a9090  Semaphore Limit 0x7fffffff
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            86433b20       Image:         csrss.exe
        Wait Start TickCount      132197         Ticks: 459 (0:00:00:07.171)
        Context Switch Count      1804                 LargeStack
        UserTime                  00:00:00.0609
        KernelTime                00:00:00.0109
        Win32 Start Address 0x0001fc07
        LPC Server thread working on message Id 1fc07
        Start Address 0x75a84616
        Stack Init f7166000 Current f7165c34 Base f7166000 Limit f7163000 Call 0
        Priority 14 BasePriority 13 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  Args to Child             
        f7165c4c 804e3bd2 86431e18 86431da8 804e3c1e nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f7165c58 804e3c1e e1648b60 80563ec0 e1648b60 nt!KiSwapThread+0x6b (FPO: [0,0,0])
        f7165c80 8057643b 00000001 00000010 8057ad01 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        f7165d30 80576641 00000094 005affd0 00000000 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
        f7165d4c 804df99f 00000094 005affd0 00000000 nt!NtReplyWaitReceivePort+0x18 (FPO: [Non-Fpo])
        f7165d4c 7c93eb94 00000094 005affd0 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ f7165d64)
        005afff4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 864d6d18  Cid 05ec.060c  Teb: 7ffda000 Win32Thread: e1563008 WAIT: (WrLpcReceive) UserMode Non-Alertable
            865a9090  Semaphore Limit 0x7fffffff
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            86433b20       Image:         csrss.exe
        Wait Start TickCount      132529         Ticks: 147 (0:00:00:02.296)
        Context Switch Count      1862                 LargeStack
        UserTime                  00:00:00.0781
        KernelTime                00:00:00.0281
        Start Address 0x75a84616
        Stack Init f7126000 Current f7125c34 Base f7126000 Limit f7123000 Call 0
        Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  Args to Child             
        f7125c4c 804e3bd2 864d6d88 864d6d18 804e3c1e nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f7125c58 804e3c1e 00000000 80563ec0 e1648b60 nt!KiSwapThread+0x6b (FPO: [0,0,0])
        f7125c80 8057643b 00000001 00000010 8057ad01 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        f7125d30 80576641 00000094 0071ffd0 0071feec nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
        f7125d4c 804df99f 00000094 0071ffd0 0071feec nt!NtReplyWaitReceivePort+0x18 (FPO: [Non-Fpo])
        f7125d4c 7c93eb94 00000094 0071ffd0 0071feec nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ f7125d64)
        0071fff4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        ...

PROCESS 863fcda0  SessionId: 0  Cid: 0604    Peb: 7ffd7000  ParentCid: 0578
    DirBase: 14214000  ObjectTable: e15a6698  HandleCount: 471.
    Image: winlogon.exe
    VadRoot 86095198 Vads 188 Clone 0 Private 1156. Modified 2210. Locked 0.
    DeviceMap e1003148
    Token                             e1560af0
    ElapsedTime                       00:34:17.843
    UserTime                          00:00:00.343
    KernelTime                        00:00:01.296
    QuotaPoolUsage[PagedPool]         62420
    QuotaPoolUsage[NonPagedPool]      33176
    Working Set Sizes (now,min,max)  (920, 50, 345) (3680KB, 200KB, 1380KB)
    PeakWorkingSetSize                4351
    VirtualSize                       57 Mb
    PeakVirtualSize                   59 Mb
    PageFaultCount                    7284
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      1805

        THREAD 860f1da8  Cid 0604.061c  Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            866b24b0  Semaphore Limit 0x7fffffff
            860f1e98  NotificationTimer
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            863fcda0       Image:         winlogon.exe
        Wait Start TickCount      130833         Ticks: 1919 (0:00:00:29.984)
        Context Switch Count      112            
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address kernel32!BaseThreadStartThunk (0x7c810659)
        Stack Init ef0b6000 Current ef0b5c4c Base ef0b6000 Limit ef0b3000 Call 0
        Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.
        ChildEBP RetAddr  Args to Child             
        ef0b5c64 804e3bd2 860f1e18 860f1da8 804e3c1e nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        ef0b5c70 804e3c1e e13d23a8 80563ec0 e13d23a8 nt!KiSwapThread+0x6b (FPO: [0,0,0])
        ef0b5c98 8057643b 00000001 00000010 863fcd01 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        ef0b5d48 804df99f 00000154 00c5ff70 00000000 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
        ef0b5d48 7c93eb94 00000154 00c5ff70 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ ef0b5d64)
        00c5ff80 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 860f7da8  Cid 0604.0620  Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            866b2090  Semaphore Limit 0x7fffffff
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            863fcda0       Image:         winlogon.exe
        Wait Start TickCount      70172          Ticks: 62593 (0:00:16:18.015)
        Context Switch Count      36            
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Win32 Start Address RPCRT4!ThreadStartRoutine (0x77d86bf0)
        Start Address kernel32!BaseThreadStartThunk (0x7c810659)
        Stack Init f7cca000 Current f7cc9c4c Base f7cca000 Limit f7cc7000 Call 0
        Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.

        THREAD 860f8da8  Cid 0604.0624  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
            860f8e98  NotificationTimer
        Not impersonating
        DeviceMap                 e1003148
        Owning Process            863fcda0       Image:         winlogon.exe
        Wait Start TickCount      25469          Ticks: 107306 (0:00:27:56.656)
        Context Switch Count      8            
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Win32 Start Address ntdll!RtlpTimerThread (0x7c95798d)
        Start Address kernel32!BaseThreadStartThunk (0x7c810659)
        Stack Init f7cd2000 Current f7cd1cbc Base f7cd2000 Limit f7ccf000 Call 0
        Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.

        ...
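The two lookups described in this post (2: find a process by its exact image name, 4: search every thread's call stack for frames that belong to a given module, such as your own driver) are easy to script once the `!process` output has been saved to a text file. The Python below is an added example, not code from the original post or from WinDbg itself; it parses the `PROCESS`, `Image:`, `THREAD` and stack-frame lines in the format shown above and offers three helpers: `find_processes`, `threads_with_module` and `render_tree` (the tree is built from `Cid`/`ParentCid`). The sample dump embedded in the block is constructed from the excerpt on this page and abridged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: an abridged "!process 0 7" listing built from the
# excerpt shown in this post (addresses, Cids and frames copied from it).
SAMPLE_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 867b5a00  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 06c20000  ObjectTable: e1003e60  HandleCount: 282.
    Image: System

        THREAD 867b5788  Cid 0004.0008  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
            80568e10  SynchronizationEvent
        Owning Process            867b5a00       Image:         System
        ChildEBP RetAddr  Args to Child
        f7c457b0 804e3bd2 00000000 867b5788 804e3b83 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f7c45840 806af2bd 867b5788 00000000 00000044 nt!MmZeroPageThread+0x61 (FPO: [Non-Fpo])

PROCESS 860a1220  SessionId: none  Cid: 0578    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0f89e000  ObjectTable: e16d73c8  HandleCount:  21.
    Image: smss.exe

        THREAD 860a0da8  Cid 0578.057c  Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
        Kernel stack not resident.

PROCESS 859a1020  SessionId: 0  Cid: 04d8    Peb: 7ffdf000  ParentCid: 0150
    DirBase: 0d413000  ObjectTable: e197b118  HandleCount:  53.
    Image: notepad.exe

        THREAD 859a1da8  Cid 04d8.00a4  Teb: 7ffde000 Win32Thread: e2fe45c8 WAIT: (WrUserRequest) UserMode Non-Alertable
        ChildEBP RetAddr  Args to Child
        ec961c38 804e3bd2 859a1e18 859a1da8 804e3c1e nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        ec961c6c bf802fa0 00000001 0000000d 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        ec961ca8 bf801b80 000025ff 00000000 00000001 win32k!xxxSleepThread+0x192 (FPO: [Non-Fpo])
        ec961d4c 804df99f 0007fefc 00000000 00000000 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
"""

# Line shapes taken from the listing above (32-bit x86 output).
PROCESS_RE = re.compile(r"^PROCESS ([0-9a-f]{8})\s+SessionId: \S+\s+Cid: ([0-9a-f]{4})"
                        r"\s+Peb: [0-9a-f]{8}\s+ParentCid: ([0-9a-f]{4})")
IMAGE_RE = re.compile(r"^\s+Image: (\S+)")            # the process's own Image: line
THREAD_RE = re.compile(r"^\s+THREAD ([0-9a-f]{8})\s+Cid ([0-9a-f]{4})\.([0-9a-f]{4})")
WAIT_RE = re.compile(r"WAIT: \((\w+)\)")              # absent for RUNNING/READY threads
FRAME_RE = re.compile(r"^\s+[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)")  # ChildEBP RetAddr Args*3 symbol


@dataclass
class Thread:
    address: str
    tid: str                       # "pid.tid" as printed after Cid
    wait_reason: Optional[str]
    frames: List[str] = field(default_factory=list)   # "module!symbol+off" per frame


@dataclass
class Process:
    address: str
    cid: str
    parent_cid: str
    image: str = ""
    threads: List[Thread] = field(default_factory=list)


def parse_process_dump(text: str) -> List[Process]:
    """Parse !process 0 0 / 0 7 / <addr> 7 output into Process and Thread records."""
    procs: List[Process] = []
    cur_thread: Optional[Thread] = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            procs.append(Process(m.group(1), m.group(2), m.group(3)))
            cur_thread = None
            continue
        if not procs:
            continue                                  # skip the banner line
        m = IMAGE_RE.match(line)
        if m and not procs[-1].image:
            procs[-1].image = m.group(1)
            continue
        m = THREAD_RE.match(line)
        if m:
            w = WAIT_RE.search(line)
            cur_thread = Thread(m.group(1), f"{m.group(2)}.{m.group(3)}", w.group(1) if w else None)
            procs[-1].threads.append(cur_thread)
            continue
        m = FRAME_RE.match(line)
        if m and cur_thread is not None:              # "Kernel stack not resident." yields no frames
            cur_thread.frames.append(m.group(1))
    return procs


def find_processes(procs: List[Process], image: str) -> List[Process]:
    """Section 2: match the full image name, extension included (case-insensitive)."""
    return [p for p in procs if p.image.lower() == image.lower()]


def threads_with_module(procs: List[Process], module: str) -> List[Tuple[Process, Thread]]:
    """Section 4: every thread whose call stack has a frame from module (the 'module!' prefix)."""
    prefix = module.lower() + "!"
    return [(p, t) for p in procs for t in p.threads
            if any(f.lower().startswith(prefix) for f in t.frames)]


def render_tree(procs: List[Process]) -> List[str]:
    """Indented parent/child view from Cid/ParentCid; a parent missing from the listing makes a root."""
    by_cid = {p.cid: p for p in procs}
    children: Dict[str, List[str]] = {}
    for p in procs:
        children.setdefault(p.parent_cid, []).append(p.cid)
    lines: List[str] = []

    def walk(cid: str, depth: int) -> None:
        lines.append("  " * depth + f"{by_cid[cid].image} ({cid})")
        for c in children.get(cid, []):
            walk(c, depth + 1)

    for p in procs:
        if p.parent_cid not in by_cid:
            walk(p.cid, 0)
    return lines


if __name__ == "__main__":
    procs = parse_process_dump(SAMPLE_DUMP)
    print("\n".join(render_tree(procs)))
    for p, t in threads_with_module(procs, "win32k"):
        print(f"{p.image} thread {t.tid} ({t.wait_reason}) -> {t.frames}")
```

To use it on a real session, run `.logopen`, then `!process 0 7`, then `.logclose` in kd, and pass the log file's contents to `parse_process_dump`; replace `"win32k"` with the module name of your driver to get the subset of stacks the post suggests inspecting first in a deadlock.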

That concludes this brief look at using !process.

http://www.driveronline.org/bbs/view.asp?tb=tipbbs&GotoPage=5&s_bulu=&s_key=&no=35

Posted by GreeMate