How to find a process command-line using kernel debugger?

Daniel Vasquez Lopez — Tue, 01 May 2007 03:34:00 GMT

I hadn't posted since two years ago; a lot of things happen in such a time and now I'm part of the IIS team. I'm not sure about what to talk about, so I will start with random stuff.

I found debugging very task oriented, there are a bunch of ways to get an answer to the same question; let's say that someone gave you a machine ready to be debugged in kernel mode and you want to do .tlist -v to list all the processes and the additional information such as PID, Session, Command Line. If you are using a remote machine to access the target machine in kernel mode, .tlist will give you the process in the remote machine; to get the processes in the target machine and dump process information such as the Command Line arguments follow the next steps:

1. List the processes.

kd> !process 0 0

**** NT ACTIVE PROCESS DUMP ****
PROCESS 8447b790 SessionId: none Cid: 0004    Peb: 00000000 ParentCid: 0000
    DirBase: 00122000 ObjectTable: 830002d8 HandleCount: 580.
    Image: System

... (some other processes)

PROCESS 867b7d90 SessionId: 0 Cid: 07a4    Peb: 7ffdf000 ParentCid: 0a00
    DirBase: 7ea6b560 ObjectTable: 83170470 HandleCount: 60.
    Image: appcmd.exe

2. Look for your process and copy the DirBase property, in this example I will use appcmd.exe (7ea6b560), and switch to the process' context:

kd> .context 7ea6b560

3. Dump the process information, that information includes the command-line

kd> !peb

PEB at 7ffdf000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No

.... (more information)

ImageFile: 'D:\Windows\System32\inetsrv\appcmd.exe'
CommandLine: 'D:\Windows\System32\inetsrv\appcmd.exe clear config -section:system.web
Server/cgi'

Daniel Vasquez Lopez's Blog : KD

How to find a process command-line using kernel debugger?