How to determine LARGEADDRESSAWARE from a dump file
This interesting little question came up on one of our internal email lists. Sometimes when debugging you want to know whether a particular process is linked using the /LARGEADDRESSAWARE flag and is therefore capable of using user-mode addresses above the 2 GB boundary. Here is my solution:
!address -summary will show you the effective user mode address space for the process:
0:022> !address -summary
..
Tot: 7fff0000 (2097088 KB) Busy: 278fd000 (648180 KB) <<< 2 GB for non-large-address-aware EXE or large address aware EXE on x86 system without /3Gb in boot.ini
or
Tot: bd7f0000 (3104704 KB) Busy: 23dee000 (587704 KB) <<< 3 GB for large-address-aware EXE on x86 system with /3Gb in boot.ini
or
Tot: ffff0000 (4194240 KB) Busy: 268b2000 (631496 KB) <<< 4 GB for large-address-aware EXE running with WoW64 on x64 system
However, since the first case is ambiguous, to see whether the EXE is actually linked with /LARGEADDRESSAWARE, do this:
0:000> !dlls -c inetinfo <<< inetinfo is the module name of the EXE in this case
Dump dll containing 0x01000000:0x00081eb0: C:\WINDOWS\system32\inetsrv\inetinfo.exe
Base 0x01000000 EntryPoint 0x0100326e Size 0x00006000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
0:000> .shell -i - -ci "!dlls -f 0x00081eb0" FIND "characteristics"
12F characteristics
The characteristics field in the header is the key: 0x12f & 0x20 == 0x20. 0x20 is the value of IMAGE_FILE_LARGE_ADDRESS_AWARE – see winnt.h in the Platform SDK for this and related definitions.
So this EXE is large address aware.
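The same check outside the debugger, as an added example that is not part of the original post: it decodes a characteristics value such as the 12F above into its winnt.h flag names and reads the field directly from the bytes of a PE header. The function names and the sample header are constructed for illustration.

```python
import struct

# IMAGE_FILE_* Characteristics bits, names as spelled in winnt.h.
IMAGE_FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0010: "AGGRESIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x0400: "REMOVABLE_RUN_FROM_SWAP",
    0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM", 0x2000: "DLL",
    0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI",
}
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020


def decode_characteristics(value):
    """Return the IMAGE_FILE_* names set in a Characteristics value."""
    return [name for bit, name in sorted(IMAGE_FILE_FLAGS.items()) if value & bit]


def read_characteristics(image):
    """Extract IMAGE_FILE_HEADER.Characteristics from the start of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of "PE\0\0"
    if len(image) < e_lfanew + 24 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or header truncated")
    # Signature (4 bytes) + 18 bytes of IMAGE_FILE_HEADER precede Characteristics.
    (characteristics,) = struct.unpack_from("<H", image, e_lfanew + 22)
    return characteristics


def is_large_address_aware(characteristics):
    """True when the image was linked with /LARGEADDRESSAWARE."""
    return bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def build_sample_header(characteristics):
    """Constructed x86 PE header with just enough fields for the parser."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos.ljust(0x80, b"\0") + b"PE\0\0" + file_header


if __name__ == "__main__":
    value = read_characteristics(build_sample_header(0x12F))  # 12F as in the !dlls output
    print(hex(value), decode_characteristics(value), is_large_address_aware(value))
```

To check an EXE on disk, pass the first few hundred bytes of the file to `read_characteristics`.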
Note the above usage of the .shell command (which is used to shell to another EXE, in this case "FIND") is something I use all the time to filter the output of debugger commands. Very handy.
HTH
Doug