switching to user stack in kernel dumps

windbg callstack usermode
user3279954 picture user3279954 · Mar 7, 2014 · Viewed 9k times · Source

Is there a way to switch to user mode of a particular process in a kernel dump while doing postmortem debugging ?

I remember doing this while live debugging using the .process command.

Answer

Thomas Weller picture Thomas Weller · Mar 7, 2014

.process also works in kernel dumps. First, you can find your process using

!process 0 0 myprocess.exe

and then switch to that process using

.process <address>

where <address> is the hex number after PROCESS.

Note that you are still kernel debugging and you have only the physical memory of that process available (a.k.a. Working Set). The majority of virtual address space is probably swapped to disk and you cannot analyze that process as you would in user mode (especially for .NET programs, where you need the complete .NET heap).

Related questions

WinDBG View Passed Arguments to Any Function

I'm using windbg to debug an Windows executable. I want to know how I can see arguments passed to any function using WinDBG. For example If I wanna know the parameters passed to function Kernel32!CreatefileA using Immunity Debugger or …

Read More
Getting windbg without the whole WDK?

Does anyone know how to get ahold of windbg without having to download the entire 620MB WDK ISO? All I can find on the net to download the debugger is this link, which says you have to get the whole …

Read More
How to set up symbols in WinDbg?

I am using Debugging Tools for Windows and I get the following error message when starting WinDbg / cdb or ntsd: Symbol search path is: *** Invalid *** **************************************************************************** * Symbol loading may be unreliable without a symbol search path. * * Use .symfix to have the …

Read More