ARV
Reputation: 6897
In Sysinternals' livekd, how can we find the information associated with a process from its PID?
I want to get information on a process from Sysinternals' livekd using its process ID. How do I do this?
The documentation for WinDBG's !process command on MSDN (https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/-process) says,
!process [/s Session] [/m Module] [Process [Flags]]
gives information about the process specified by "Process". The documentation further says,
Process - Specifies the hexadecimal address or the process ID of the process on the target computer.
But try as I might, specifying the PID gives nothing, and I can't see a way to find the hexadecimal address of the process structure for a running process.
For e.g., from Sysinternals' Process Explorer, I see a process with PID 672 backed by svchost.exe, as follows:
But when I use the !process command with the PID 672 or its hexadecimal, 2A0, I get nothing. See below:
0: kd> !process 672
Searching for Process with Cid == 672
Cannot resolve nt!_EPROCESS object type
0: kd> !process 2A0
Searching for Process with Cid == 2a0
Cannot resolve nt!_EPROCESS object type
But !process svchost.exe works (for a some instance of that image that's running):
0: kd> !process svchost.exe
PROCESS ffffdc0a4b49b180
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffff9a0ba4e3ee40 HandleCount: 6664.
Image: System
VadRoot ffffdc0a66ea3200 Vads 58 Clone 0 Private 30. Modified 31341619. Locked 192.
DeviceMap ffff9a0ba4e36360
Token ffff9a0ba4e072b0
ElapsedTime 5 Days 13:59:48.702
I can also use !process ffffdc0a4b49b180 using the information gained from !process svchost.exe, but I want to use the process ID to get this information. How do I do this?
Edit 1: I think that I am setting the symbols correctly, based on information here: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/symbol-path . Please see the output below.
0: kd> .sympath
Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
0: kd> lml
start end module name
fffff804`82200000 fffff804`83246000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
fffff804`a3420000 fffff804`a342d000 LiveKdD (no symbols)
0: kd> !sym noisy
noisy mode - symbol prompts on
0: kd> .reload nt
SYMSRV: BYINDEX: 0xF
c:\symbols\*https://msdl.microsoft.com/download/symbols
ntoskrnl.exe
F05723421046000
SYMSRV: PATH: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe
SYMSRV: RESULT: 0x00000000
DBGHELP: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - OK
DBGENG: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - Mapped image memory
SYMSRV: BYINDEX: 0x10
c:\symbols\*https://msdl.microsoft.com/download/symbols
ntkrnlmp.pdb
1F9BB45B28B806E4D18925C06E924B8C1
SYMSRV: PATH: c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: nt - public symbols
c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
0: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
....
Edit 2:
I just discovered that LiveKdD.sys is not getting loaded. I have reinstalled Windows SDK, and uninstalled my antivirus software. That doesn't fix this issue.
But, LivekdD.sys is present in the directory it's trying to load it from. See below.
PS C:\WINDOWS\system32\drivers> dir livekdd.sys
Directory: C:\WINDOWS\system32\drivers
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 24-11-2021 21:53 39272 livekdd.sys
Launching D:\Windows Kits\10\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`75400000 PsLoadedModuleList = 0xfffff807`7602a2d0
Debug session time: Wed Nov 24 22:03:56.831 2021 (UTC + 5:30)
System Uptime: 0 days 0:13:04.851
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..................................
Loading User Symbols
..........................................
Loading unloaded module list
............
For analysis of this file, run !analyze -v
0: kd> .tlist notepad.exe
Unable to load image \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS, Win32 error 0n2
0n3176 notepad.exe
Upvotes: 0
Views: 916
Answers (1)
blabb
Reputation: 9007
As Already commented several times it works here is an output from livekd
0: kd> .tlist calculator.exe
0n1872 Calculator.exe
0: kd> !process 0n1872 0
Searching for Process with Cid == 750
PROCESS ffffc388a8cd5080
SessionId: 5 Cid: 0750 Peb: 806522f000 ParentCid: 0250
DirBase: 7a081002 ObjectTable: ffff8985feda39c0 HandleCount: 467.
Image: Calculator.exe
0: kd> !process 0 0 calculator.exe
PROCESS ffffc388a8cd5080
SessionId: 5 Cid: 0750 Peb: 806522f000 ParentCid: 0250
DirBase: 7a081002 ObjectTable: ffff8985feda39c0 HandleCount: 467.
Image: Calculator.exe
EDIT
a complete session
D:\>livekd
LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson
Launching C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff803`3cc00000 PsLoadedModuleList = 0xfffff803`3d045f30
Debug session time: Wed Nov 24 06:55:11.500 2021
System Uptime: 3 days 5:19:28.286
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................................
Loading User Symbols
Loading unloaded module list
..................................................
0: kd> .tlist cmd.exe
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
0n7836 cmd.exe
0: kd> !process 0n7836 0
Searching for Process with Cid == 1e9c
PROCESS ffffc388b2810080
SessionId: 9 Cid: 1e9c Peb: 7f78344000 ParentCid: 1468
DirBase: 115d4a002 ObjectTable: ffff8985fed9ad40 HandleCount: 68.
Image: cmd.exe
0: kd>
edit 2
my module is as follows
0: kd> lmv live
start end module name
fffff803`59090000 fffff803`5909d000 LiveKdD (no symbols)
Symbol file: LiveKdD.SYS
Image path: \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS
Image name: LiveKdD.SYS
Timestamp: Mon Apr 27 21:28:28 2020 (5EA70124)
CheckSum: 00014362
ImageSize: 0000D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
0: kd>
Upvotes: 2
Related Questions
- Get Process PID With PsLookupProcessByProcessId
- get process name from process id (win32)
- I don´t know how i can get the pid of an process by process name
- How to find the PID of a open program
- WINSDK: Determining whether an arbitrary pid identifies a running process on Windows
- How to find process ID in WinCe?
- Get Process Infomation via pid in Win7
- How can one obtain the "name" of a process start address as done in Process Explorer?
- Win32 determine process ID
- Return process id