~. !heap -p -h HeapHandle Addr = start address of the list If the file exists, it will be overwritten. Echo Comment -> comment text + echo it [~Thrd] == thread that the bp applies to. pr Whether the extension was loaded successfully can be checked by executing the sos.help command. Patterns. Dump default register mask. Follow reference for the given pointer (handle) address, Save the module dll to a file (can be used to get its version), Dump heap data that can be used by CLR profiler, displays all elements of the TEB or “Thread Environment Block”, !strings [ModuleAddress] [min] [max] [gen#] [filter], Search the managed heap or a module for strings matching the specified criteria, Displays the type of managed data located at the specified address or the current instruction pointer, Show data on the loaded modules (mscorwks, clr), Show version and paths of all loaded modules (sieextpub), searches the system’s RPC state information for endpoint information (rpcexts).

Name: MemoryLeaker.MyData[] Example 1: .formats 5 FUNCTION = placeholder for exported function # = Breakpoint ID by memory order I have used the following .NET Core program in this post as an example application. Causes the symbol handler to search the public symbol table during every symbol search. dt [-n|y] [mod! !logc p # wt -ns ..

.help /D .reload [/f | /v] Module. commands Shows most recent event or exception, !analyze -v Download the mex.exe archive. dq* -> 64-bit pointer used !heap -l, Brief help b = byte (default value) !address -summary !heap -p -all. Lists all loaded debugger extensions as DML (where extensions are linked to a .extmatch), .extmatch /e ExtDLL FunctionFilter Passes = Activate breakpoint after #Passes (it is ignored before) ib = Signed byte fill specified memory location with the pattern "ABC", repeated several times, search memory locations 0012FF40 through 0012FF5F for the pattern "Hello", list all heaps with range information (startAddr, endAddr), Summary for all heaps (reserved and committed memory, ..), Dump HeapHandle list. rX Reg1, Reg2 the 2nd char determines the pointer size used: 00007fff8c4971b8 7 17736 System.Object[] Extract to any folder. TebAddr = specify thread; if omitted, the current thread is used, display thread times (user + kernel mode), display information about time consumed by each thread (0-user time, 1-kernel time, 2-time elapsed since thread creation). verbose (symbol type and size) .symopt- Flags, displays current symbol options

I have a small problem though with pattern matching and conditional breakpoints.

l = maximum depth of traced calls Summary info, i.e. list symbols (wildcard) !mapped_file Addr, Brief Help current thread .symfix+ DownstreamStore. Dump only specified registers from current mask 00007fff8c4b6c08 2 944 System.Globalization.CultureData

0x8 = segment registers Sets all the symbol handler options at once. Specify the mask to use when displaying the registers. If you're using the .NET Framework, the easiest way to load sos.dll is via the command .loadby sos clr. .holdmem -D Causes the debugger to display 'File access error' messages during symbol load. Length = minimum length of such strings; the default is 3 chars !heap -i [HeapAddr] -vs N Answering the mystery what parts of program bombard SQL Server with queries. s = STRING or ANSI_STRING Name: MemoryLeaker.MyData if ((g_dwLastErrorToBreakOn != 0 ) && (dwErrCode == g_dwLastErrorToBreakOn)) MT Count TotalSize Class Name

Trace and watch data. Loading stuff .loadby sos mscorwks Load SOS extension (will identify sos location by loaded mscorwks path) .load c:\Windows\Microsoft.NET\Framework\v2.0.50727\sos Load SOS extension for .NET 2.0 .load psscor2 Load PSSCOR… For a full listing of commands type: !mex.help.

iq = Signed qword (8b)

Most of the examples are heavily inspired by Konrad Kokosa’s excellent book Pro .NET Memory Management. For troubleshooting .NET (Core) memory or performance issues, there are a lot of free or commercial tools available. Ignores the final breakpoint in target application. For a list of exceptions that can be specified, see Event Definitions and Defaults. d = dword (4b)

A detailed display of the elements can be achieved with the -details option. -brk [INDEX]. wt -m Module [-m Module2] .. break first-chance -s [size] = For enumeration only, enumerate types only of given size. zu = Unicode string (NULL-terminated), ds [/c #] [Addr] dS [/c #] [Addr], Dump string struct (struct! .effmach #

i = type (local, global, parameter), t = data type, V = memory address or register location Display regular commands

00007fff38dd6668 6764 162336 MemoryLeaker.MyData Causes the debugger to turn off C++ translation. Default is full register length, thus r eax:uw would display two values as EAX is a 32-bit register.

Dump name of the file containing given Addr, Fill memory. [Command]: works for a few regular commands such as k, r, General WinDbg's commands (clear screen, ..), Passes = Activate breakpoint after #Passes (it is ignored before), Set unresolved breakpoint. .expr /s masm, Choose default expression evaluator

s -[Flags]b Range Pattern

rF Reg=Value Go exception handled

00007fff38f84a30 2 65584 MemoryLeaker.MyData[] Object = Addr of a pointer to the Object or of the Object itself After WinDbg Preview is installed, WinDbgX.exe is available to run from any directory location. brief help, r Default is the current EIP. Specifies that the debug heap should not be used. Toggle verbose mode ON/OFF It is often more useful than !dh.

Display or set source search path

