6. lmf
Lists all DLL files and corresponding paths loaded in the current process
Strangely, I did not find the DLLs loaded by my program in the list. Does attaching to the process unload the DLLs? Try a dump.
11. !runaway shows the CPU time consumed by each thread
This command is very useful: it shows directly which thread has been running for a long time. If a thread is always busy, it must contain an infinite loop or be constantly doing some work.
Thread 6 has used 1 minute 31 seconds.
I have seen people check this by capturing dumps, which should be the most accurate way. With WinDbg attached to the process, the program freezes, and the DLL's resources stop as well.
Take several dumps; the thread that is consuming time in every one of them is the thread with the problem.
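The comparison across several dumps described above, as an added example that is not part of the original notes: this Python script parses the !runaway table saved from each dump and reports the threads that account for most of the CPU time added in every interval. The function names, the 50% threshold and the sample values are assumptions made for the illustration, and the input is assumed to be the default (user-mode time only) !runaway output.

```python
import re
from datetime import timedelta

# One !runaway row: "<debugger index>:<OS thread id, hex>  [<d> days ]<h>:<mm>:<ss>.<fraction>"
# The "<d> days" field is treated as optional (assumption, to tolerate both layouts).
ROW = re.compile(
    r"^\s*\d+:([0-9a-fA-F]+)\s+(?:(\d+) days )?(\d+):(\d{2}):(\d{2})\.(\d+)\s*$")

def parse_runaway(text):
    """Map OS thread id -> user-mode CPU time from one !runaway table."""
    times = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            tid, d, h, mi, s, frac = m.groups()
            times[int(tid, 16)] = timedelta(
                days=int(d or 0), hours=int(h), minutes=int(mi), seconds=int(s),
                microseconds=int(frac.ljust(6, "0")[:6]))
    return times

def hot_threads(snapshots, min_share=0.5):
    """OS thread ids that took >= min_share of the CPU time added in every interval."""
    parsed = [parse_runaway(s) for s in snapshots]
    hot = None
    for before, after in zip(parsed, parsed[1:]):
        # Key on the OS thread id; a thread absent from the earlier dump started at zero.
        delta = {tid: (t - before.get(tid, timedelta())).total_seconds()
                 for tid, t in after.items()}
        total = sum(d for d in delta.values() if d > 0)
        busy = {tid for tid, d in delta.items() if total > 0 and d / total >= min_share}
        hot = busy if hot is None else hot & busy
    return sorted(hot or [])

# Constructed sample output from three dumps of the same process (values are made up,
# apart from the 1 minute 31 seconds for thread 6 mentioned in the notes).
HEADER = " User Mode Time\n  Thread       Time\n"
DUMP_1 = HEADER + "   6:1a4c      0 days 0:01:31.218\n   0:13f8      0 days 0:00:02.015\n"
DUMP_2 = HEADER + "   6:1a4c      0 days 0:01:52.750\n   0:13f8      0 days 0:00:02.046\n"
DUMP_3 = HEADER + "   6:1a4c      0 days 0:02:14.031\n  19:2b04      0 days 0:00:00.031\n"

if __name__ == "__main__":
    for tid in hot_threads([DUMP_1, DUMP_2, DUMP_3]):
        print(f"thread with OS id {tid:x} dominated CPU time in every interval")
```

A single dump gives no interval to compare, so the function returns an empty list for it; at least two dumps taken some seconds apart are needed.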
12. The ~ command is used to switch the target thread
0:018> ~ displays thread information
0:018> ~0s switches the current thread to thread 0, which is the main thread, and the prompt changes to 0:000.
13. The ~* command lists details of all threads in the current process
14. The ~*kb command lists the stacks of all threads
15. The k command is used to display the stack of the current thread, as follows
Switch to thread 6.
Not much information.
0:018> k
Like the d command, k can be followed by many suffixes, such as kb, kp, kn, kv and kl, which control the format and the information displayed.
Stack commands k[b|p|P|v]
These four commands display similar content, but each has its own characteristics:
kb displays the first three parameters;
kp displays all the parameters, but requires full symbols or private PDB symbols. kP is similar to kp, except that kP displays the parameters on a separate line;
kv is used to display FPO information and calling conventions;
kd displays a raw dump of the stack, which is useful when tracing stacks.
These commands are case-sensitive.
16. The u command disassembles the code at the specified address
0:018> u 7739d023
user32!NtUserWaitMessage:
7739d023 b84a120000  mov   eax,0x124a
7739d028 ba0003fe7f  mov   edx,0x7ffe0300
7739d02d ff12        call  dword ptr [edx]
7739d02f c3          ret
If the symbol file is loaded correctly, the entire function can be disassembled directly with the uf command, for example uf user32!NtUserWaitMessage
WinDbg Learning and remembering