Vir Gnarus
BSOD Kernel Dump Expert
- Mar 2, 2012
- 474
Hi guys,
I know this isn't much, especially with the long hiatus on new content, but I've recently been attempting to familiarize myself with the .foreach command, which can be some pretty powerful stuff. Right now I found from this article something that fits right into my current dilemma with certain crashdumps.
As a repeat of the example it gives, there's been a number of times when I come across a raw callstack or some other range of memory that holds data and I'm thinking to myself looking at it, "I know there has to be an IRP somewhere in there!" Well, previously I would have to tediously peruse until I find items that look kinda like addresses for IRPs, in which case I'll run it through !irp and determine if it's hit or miss. With .foreach, all that is automated, which pulls a big weight off my shoulders. Again, as a copy of the example given in the article:
.foreach (ptrVar { dp 98d7ee60}) { .echo Is ptrVar an IRP?; !irp ptrVar }
So it just pulls each value outputted from the dp command, slaps it into a variable with the name you give it (in this case ptrVar) and then presents a string with it and then follows up with an !irp command using the var. This can save a boatload of time and frustration.
I'm sure other more script/programming savvy individuals here have come across this gem before. Have you had any use of it, or can you think of anything that might benefit from parsing from Windbg command output and working through it? Next in my agenda for using this is getting a raw callstack and running through each pointer in the callstack to find if it points to a memory range containing a string, but I'm sure you all have plenty of other ideas.
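A follow-up WinDbg script, added here and not taken from the post above or the article it cites, that uses the /pS and /ps options so the loop variable only receives the data values (not the address column) and checks the IRP Type field before spending a !irp on each candidate. It assumes a 32-bit dump, reuses the page's 98d7ee60 address, and the L40 length is a constructed value.

```windbg
$$ Added example, not from the original post or the cited article.
$$ Assumes a 32-bit dump. 98d7ee60 is the page's address; L40 is a constructed length.
$$ dp /c 1 prints one value per line, so the token stream is: addr value addr value ...
$$ /pS 1 skips the address that starts the first line, /ps 1 skips the address that
$$ starts every following line, so ptrVar only ever holds the data values.
.foreach /pS 1 /ps 1 (ptrVar { dp /c 1 98d7ee60 L40 })
{
    $$ .catch keeps the loop going when ptrVar is not a readable address,
    $$ which would otherwise abort the whole .foreach on the first bad read.
    .catch
    {
        $$ An IRP begins with a USHORT Type field equal to IO_TYPE_IRP (6);
        $$ anything else is skipped without calling !irp.
        .if ((poi(ptrVar) & 0xffff) == 6)
        {
            .echo --- candidate IRP at ptrVar (Type == IO_TYPE_IRP):
            !irp ptrVar
        }
    }
}
```

Run it from a script file with $$>< so the multi-line braces are joined for you; unreadable values print a memory access error and the loop carries on.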