!mex.us
haewon83
2022. 8. 30. 09:01
When you want to examine the call stacks of all threads by a particular module name or function name, you can use "!mex.us".
0: kd> !mex.us -help
!UniqueStacks (!us) - Like the built-in !uniqstacks except it associates thread IDs with the stack traces
Usage:
!UniqueStacks [-a] [-c] [-cpu] [-crash] [-d <X>] [-f <X>] [-3] [-i] [-k] [-s <sessionID>] [-l] [-m] [-max <count>] [-nw] [-w] [-p <ProcessAddr>] [-state <state>] [-wr <WaitReason>] [-q] [-r] [-t <threshold>] [-e <FILTER>] [<FILTER>]
-a : (Kernel Only) Scans all processes and reports on each. Supports filters. Supports -p to match process address or name (partial name matches OK).
-c : Clean mode. Does not display file names and lines.
-cpu : (Kernel Only) CPU mode. Display unique stacks that are currently running on processors.
-crash : Crashing threads. Includes stacks that have Raise or Exception on them
-d <X> : Only display stacks which are at least X frames deep
-f <X> : Only match on the first X frames
-3 : Include any stacks that contain 3rd party modules
-i : Include OS thread IDs in addition to debugger thread IDs
-k : (Kernel Only). Generates a report for all threads in every process, but only analyzes the kernel stack (usermode stack is not reviewed)
-s <sessionID> : (Kernel Only). Only include processes from the specified session
-l : Long mode. Dont display '...' for long stacks, display all thread ID's
-m : Multiline Mode. Treats entire stack as a single line for pattern matching. (Enables Regex)
-max <count> : Limit the number of threads processed in each process (or current process)
-nw : No waits. This is useful when analyzing a high cpu issue where waiting threads are not important
-w|-wait : Waits. Shows waiting threads
-p <ProcessAddr> : (Kernel Only) Use this as the process base, instead of the current process
-state <state> : (Kernel Only) Only show threads in this state
-wr <WaitReason> : (Kernel Only) Only show threads with this waitreason (And are waiting)
-q : Quiet. Only display IDs of matching threads
-r : Treat FILTER as a regular expression
-t <threshold> : Won't display stacks with less than the specified number of threads.
-e <FILTER> : Exclude any stacks that contain this filter
FILTER : Only displays stacks that contain a specific string.
!UniqueStacks
Displays unique stacks in a process along with all thread IDs associated with each stack
!UniqueStacks [-?|-h]
-?|-h|-help : Display this help text
Current Owner: mexfeedback
Command is overloaded. Maybe you wanted one of these commands:
!C:\extensions\Mex\x64\Mex.dll.UniqueStacks
!C:\extensions\Mex\x64\Mex.dll.uniquestacks
!C:\extensions\Mex\x64\Mex.dll.us
0: kd> !mex.us -a NDIS
Process: System @ ffffe0011c2f23c0
============================================================
1 thread: ffffe0011d00d040
fffff801a05b6216 nt!KiSwapContext+0x76
fffff801a04bb7ee nt!KiSwapThread+0x14e
fffff801a04bb269 nt!KiCommitThreadWait+0x129
fffff801a04c4193 nt!KeWaitForSingleObject+0x373
fffff800eb311f93 NDIS!ndisThreadPoolTimerHandler+0x1f
fffff801a054573a nt!PspSystemThreadStartup+0x18a
fffff801a05bae66 nt!KiStartSystemThread+0x16
1 thread: ffffe0011d00d880
fffff801a05b6216 nt!KiSwapContext+0x76
fffff801a04bb7ee nt!KiSwapThread+0x14e
fffff801a04bb269 nt!KiCommitThreadWait+0x129
fffff801a04ba1d8 nt!KeRemoveQueueEx+0x788
fffff801a053c93d nt!KeRemoveQueue+0x21
fffff800eb2fbdfb NDIS!ndisWorkerThread+0x3b
fffff801a054573a nt!PspSystemThreadStartup+0x18a
fffff801a05bae66 nt!KiStartSystemThread+0x16
1 thread: ffffe0012a447040
fffff801a05b6216 nt!KiSwapContext+0x76
fffff801a04bb7ee nt!KiSwapThread+0x14e
fffff801a04bb269 nt!KiCommitThreadWait+0x129
fffff801a04c4193 nt!KeWaitForSingleObject+0x373
fffff800eb32113b NDIS!ndisAcquireMiniportPnPEventLock+0x1df8f
fffff800eb3c5ec9 NDIS!ndisPnPNotifyAllTransports+0x79
fffff800eb3944b9 NDIS!ndisFNetPnPEventInternal+0xb5
fffff801a049f669 nt!KeExpandKernelStackAndCalloutInternal+0x2d9
fffff800eb2fbdb9 NDIS!ndisExpandStack+0x19
fffff800eb30e841 NDIS!NdisFNetPnPEvent+0x35
fffff800eb394461 NDIS!ndisFNetPnPEventInternal+0x5d
fffff801a049f669 nt!KeExpandKernelStackAndCalloutInternal+0x2d9
fffff800eb2fbdb9 NDIS!ndisExpandStack+0x19
fffff800eb30e841 NDIS!NdisFNetPnPEvent+0x35
fffff800eb394513 NDIS!ndisFInvokeNetPnPEvent+0x3b
fffff800eb394461 NDIS!ndisFNetPnPEventInternal+0x5d
fffff801a049f669 nt!KeExpandKernelStackAndCalloutInternal+0x2d9
fffff800eb2fbdb9 NDIS!ndisExpandStack+0x19
fffff800eb30e841 NDIS!NdisFNetPnPEvent+0x35
fffff800eb394461 NDIS!ndisFNetPnPEventInternal+0x5d
fffff801a049f669 nt!KeExpandKernelStackAndCalloutInternal+0x2d9
fffff800eb2fbdb9 NDIS!ndisExpandStack+0x19
fffff800eb30e841 NDIS!NdisFNetPnPEvent+0x35
fffff800eb394513 NDIS!ndisFInvokeNetPnPEvent+0x3b
fffff800eb384c15 NDIS!ndisDevicePnPEventNotifyFiltersAndAllTransports+0x111
fffff800eb3b6df2 NDIS!ndisPnPQueryRemoveDevice+0x5e
fffff800eb3b7f98 NDIS!ndisPnPIrpQueryRemove+0x98
fffff800eb3a0400 NDIS!ndisPnPDispatch+0x147cc
fffff801a08989f6 nt!PnpAsynchronousCall+0x102
fffff801a091f7f7 nt!PiIrpQueryRemoveDevice+0x8f
fffff801a091f718 nt!PnpQueryRemoveLockedDeviceNode+0x64
fffff801a09213cb nt!PnpDeleteLockedDeviceNode+0x87
fffff801a092130a nt!PnpDeleteLockedDeviceNodes+0x9a
fffff801a0920545 nt!PnpProcessQueryRemoveAndEject+0x361
fffff801a08921a9 nt!PnpProcessTargetDeviceEvent+0x9d
fffff801a08925d7 nt!PnpDeviceEventWorker+0x31f
fffff801a04cd0ff nt!ExpWorkerThread+0x69f
fffff801a054573a nt!PspSystemThreadStartup+0x18a
fffff801a05bae66 nt!KiStartSystemThread+0x16
16 threads: ffffe0011d1fa880 ffffe0011d1fa040 ffffe0011d1fb880 ffffe0011d1fb040 ffffe0011d032880 ffffe0011d032040 ffffe0011d1f6880 ffffe0011d1e9880 ffffe0011d1fe040 ffffe0011d1fe880 ...
fffff801a05b6216 nt!KiSwapContext+0x76
fffff801a04bb7ee nt!KiSwapThread+0x14e
fffff801a04bb269 nt!KiCommitThreadWait+0x129
fffff801a04c4193 nt!KeWaitForSingleObject+0x373
fffff800eb2fce78 NDIS!ndisReceiveWorkerThread+0xa8
fffff801a054573a nt!PspSystemThreadStartup+0x18a
fffff801a05bae66 nt!KiStartSystemThread+0x16
Threads matching filter: 19 out of 164
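
When the output above is saved to a log file, the unique stacks can be triaged offline. The following is an added example, not part of the original post or of MEX: it parses text in the format shown above and reports, for each unique stack, the thread count and the first frame from the top that is not in `nt`, which is the code that entered the wait. The function names are hypothetical, and the sample is trimmed from the output on this page.

```python
import re

# Sample trimmed from the "!mex.us -a NDIS" output above (some frames omitted).
SAMPLE = """\
Process: System @ ffffe0011c2f23c0
============================================================
1 thread: ffffe0011d00d880
fffff801a05b6216 nt!KiSwapContext+0x76
fffff801a04ba1d8 nt!KeRemoveQueueEx+0x788
fffff800eb2fbdfb NDIS!ndisWorkerThread+0x3b
fffff801a05bae66 nt!KiStartSystemThread+0x16
1 thread: ffffe0012a447040
fffff801a05b6216 nt!KiSwapContext+0x76
fffff801a04c4193 nt!KeWaitForSingleObject+0x373
fffff800eb32113b NDIS!ndisAcquireMiniportPnPEventLock+0x1df8f
fffff800eb3b7f98 NDIS!ndisPnPIrpQueryRemove+0x98
fffff801a08925d7 nt!PnpDeviceEventWorker+0x31f
16 threads: ffffe0011d1fa880 ffffe0011d1fa040 ...
fffff801a05b6216 nt!KiSwapContext+0x76
fffff801a04c4193 nt!KeWaitForSingleObject+0x373
fffff800eb2fce78 NDIS!ndisReceiveWorkerThread+0xa8
"""

HEADER = re.compile(r"^(\d+) threads?: (.*)$")
FRAME = re.compile(r"^[0-9a-f]{16} ([^!\s]+)!(\S+?)(?:\+0x[0-9a-f]+)?$")

def parse_unique_stacks(text):
    """Return one dict per unique stack: thread count, listed thread IDs, frames."""
    stacks = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            ids = [t for t in m.group(2).split() if t != "..."]  # "..." marks a truncated ID list
            stacks.append({"count": int(m.group(1)), "threads": ids, "frames": []})
        elif (m := FRAME.match(line)) and stacks:
            stacks[-1]["frames"].append((m.group(1), m.group(2)))
    return stacks

def blocking_frame(stack, skip_module="nt"):
    """First frame from the top of the stack that is not in skip_module."""
    for module, func in stack["frames"]:
        if module != skip_module:
            return f"{module}!{func}"
    return None

def summarize(text):
    """(thread count, blocking frame) per unique stack, largest group first."""
    rows = [(s["count"], blocking_frame(s)) for s in parse_unique_stacks(text)]
    return sorted(rows, key=lambda r: -r[0])
```

Running `summarize` on a full log separates the idle worker pools from the single thread that is waiting in `NDIS!ndisAcquireMiniportPnPEventLock` during a PnP query-remove.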