Windbg, !heap output to .foreach

Question

Doing some debugging in windbg, and I'd like to be able to go through each heap allocation of a given size and then do some analysis on that (just dd for now). Problem is !heap doesnt throw out stuff very cleanly.

I know I can skip the first X or every Y tokens with .foreach flags, but can't seem to get this to work.

Basically looking to do something like this:

.foreach (ADDR {!heap -flt s <size of allocation>}) {dd ADDR}

Is there a way, short of outputing to a file, doing some awking and then feeding it back in?

Answer 1

I was looking for the answer on the same question, and here is the easiest way I found:

1. Run

   !heap -flt s [your alloc size]
   

2. Ctrl+A, Copy and past in some text file, for example, c:\temp\test.txt.

3. Delete all unnecessary rows from the file, so it looks like:

   0000000011af12e0 0400 0000  [00]   0000000011af12f0    03ff0 - (busy)
   0000000011af52e0 0400 0400  [00]   0000000011af52f0    03ff0 - (busy)
   0000000011af92e0 0400 0400  [00]   0000000011af92f0    03ff0 - (busy)
   0000000011afd2e0 0400 0400  [00]   0000000011afd2f0    03ff0 - (busy)....
   

4. Then run in WinDbg command like:

   .logopen /t c:\temp\Output.txt
   

   to save your further output to some file, as you are going to have a loooong one.

5. And finally, run your foreach with file as parameter:

   .foreach /pS4 /ps3 /f ( obj  "c:\temp\test.txt" ) { !heap -p -a obj } 
   

Hooray! it works :)

Answer 2

AFAIK I don't think the !heap command has a short option to use in the .foreach. You could probably try using .shell command to grep the output

HTH