แก้ไข

แชร์ผ่าน


!irp

The !irp extension displays information about an I/O request packet (IRP).

!irp Address [Detail] 

Parameters

Address
Specifies the hexadecimal address of the IRP.

Detail
If this parameter is included with any value, such as 1, the output includes the status of the IRP, the address of its memory descriptor list (MDL), its owning thread, and stack information for all of its I/O stacks, and information about each stack location for the IRP, including hexadecimal versions of the major function code and the minor function code. If this parameter omitted, the output includes only a summary of the information.

DLL

Kdexts.dll

Additional Information

See Plug and Play Debugging and Debugging Interrupt Storms for applications of this extension command. For information about IRPs, see the Windows Driver Kit (WDK) documentation and Microsoft Windows Internals by Mark Russinovich and David Solomon. For further information on the major and minor function codes, see the Windows Driver Kit (WDK) documentation.

This topic describes the IRP structure, IRP.

For detailed information on decoding the IRP structure including the returned Args, see the following resources.

  • Windows Internals by Mark E. Russinovich, David A. Solomon and Alex Ionescu
  • Developing Drivers with the Windows Driver Foundation Guy Smith and Penny Orwick

Remarks

The output also indicates under what conditions the completion routine for each stack location will be called once the IRP has completed and the stack location is processed. There are three possibilities:

Success
Indicates that the completion routine will be called when the IRP is completed with a success code.

Error
Indicates that the completion routine will be called when the IRP is completed with an error code.

Cancel
Indicates that the completion routine will be called if an attempt was made to cancel the IRP.

Any combination of these three may appear, and if any of the conditions shown are satisfied, the completion routine will be called. The appropriate values are listed at the end of the first row of information about each stack location, immediately after the Completion-Context entry.

Here is an example of the output from this extension for Windows 10:

0: kd> !irp ac598dc8
Irp is active with 2 stacks 1 is current (= 0xac598e38)
 No Mdl: No System Buffer: Thread 8d1c7bc0:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
>[IRP_MJ_FILE_SYSTEM_CONTROL(d), N/A(0)]
            1 e1 8a6434d8 ac598d40 853220cb-a89682d8 Success Error Cancel pending
           \FileSystem\Npfs fltmgr!FltpPassThroughCompletion
            Args: 00000000 00000000 00110008 00000000
 [IRP_MJ_FILE_SYSTEM_CONTROL(d), N/A(0)]
            1  0 8a799710 ac598d40 00000000-00000000    
           \FileSystem\FltMgr
            Args: 00000000 00000000 0x00110008 00000000

Starting with Windows 10 the IRP major and minor code text is displayed, for example, "IRP_MJ_FILE_SYSTEM_CONTROL" The code value is also shown in hex, in this example "(d)".

The third argument displayed in the output, is the IOCTL code. Use the !ioctldecode command to display information about the IOCTL.

Here is an example of the output from this extension from Windows Vista.

0: kd> !irp 0x831f4a00
Irp is active with 8 stacks 5 is current (= 0x831f4b00)
 Mdl = 82b020d8 Thread 8c622118:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

                        Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

                        Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

                        Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

                        Args: 00000000 00000000 00000000 00000000
>[  3,34]  40 e1 828517a8 00000000 842511e0-00000000 Success Error Cancel pending
               \Driver\disk     partmgr!PmReadWriteCompletion
 Args: 00007000 00000000 fe084e00 00000004
 [  3, 0]  40 e0 82851450 00000000 842414d4-82956350 Success Error Cancel
 \Driver\PartMgr  volmgr!VmpReadWriteCompletionRoutine
                        Args: 129131bb 000000de fe084e00 00000004
 [  3, 0]   0 e0 82956298 00000000 847eeed0-829e2ba8 Success Error Cancel
 \Driver\volmgr   Ntfs!NtfsMasterIrpSyncCompletionRoutine
                        Args: 00007000 00000000 1bdae400 00000000
 [  3, 0]   0  0 82ac2020 8e879410 00000000-00000000
               \FileSystem\Ntfs
                        Args: 00007000 00000000 00018400 00000000

Note that the completion routine next to the driver name is set on that stack location, and it was set by the driver in the line below. In the preceding example, Ntfs!NtfsMasterIrpSyncCompletionRoutine was set by \FileSystem\Ntfs. The Completion-Context entry above Ntfs!NtfsMasterIrpSyncCompletionRoutine, 847eeed0-829e2ba8, indicates the address of the completion routine, as well as the context that will be passed to Ntfs!NtfsMasterIrpSyncCompletionRoutine. From this we can see that the address of Ntfs!NtfsMasterIrpSyncCompletionRoutine is 847eeed0, and the context that will be passed to this routine when it is called is 829e2ba8.

IRP major function codes

The following information is included to help you interpret the output from this extension command.

The IRP major function codes are as follows:

Major Function Code Hexadecimal Code

IRP_MJ_CREATE

0x00

IRP_MJ_CREATE_NAMED_PIPE

0x01

IRP_MJ_CLOSE

0x02

IRP_MJ_READ

0x03

IRP_MJ_WRITE

0x04

IRP_MJ_QUERY_INFORMATION

0x05

IRP_MJ_SET_INFORMATION

0x06

IRP_MJ_QUERY_EA

0x07

IRP_MJ_SET_EA

0x08

IRP_MJ_FLUSH_BUFFERS

0x09

IRP_MJ_QUERY_VOLUME_INFORMATION

0x0A

IRP_MJ_SET_VOLUME_INFORMATION

0x0B

IRP_MJ_DIRECTORY_CONTROL

0x0C

IRP_MJ_FILE_SYSTEM_CONTROL

0x0D

IRP_MJ_DEVICE_CONTROL

0x0E

IRP_MJ_INTERNAL_DEVICE_CONTROL IRP_MJ_SCSI

0x0F

IRP_MJ_SHUTDOWN

0x10

IRP_MJ_LOCK_CONTROL

0x11

IRP_MJ_CLEANUP

0x12

IRP_MJ_CREATE_MAILSLOT

0x13

IRP_MJ_QUERY_SECURITY

0x14

IRP_MJ_SET_SECURITY

0x15

IRP_MJ_POWER

0x16

IRP_MJ_SYSTEM_CONTROL

0x17

IRP_MJ_DEVICE_CHANGE

0x18

IRP_MJ_QUERY_QUOTA

0x19

IRP_MJ_SET_QUOTA

0x1A

IRP_MJ_PNP IRP_MJ_MAXIMUM_FUNCTION

0x1B

The Plug and Play minor function codes are as follows:

Minor Function Code Hexadecimal Code

IRP_MN_START_DEVICE

0x00

IRP_MN_QUERY_REMOVE_DEVICE

0x01

IRP_MN_REMOVE_DEVICE

0x02

IRP_MN_CANCEL_REMOVE_DEVICE

0x03

IRP_MN_STOP_DEVICE

0x04

IRP_MN_QUERY_STOP_DEVICE

0x05

IRP_MN_CANCEL_STOP_DEVICE

0x06

IRP_MN_QUERY_DEVICE_RELATIONS

0x07

IRP_MN_QUERY_INTERFACE

0x08

IRP_MN_QUERY_CAPABILITIES

0x09

IRP_MN_QUERY_RESOURCES

0x0A

IRP_MN_QUERY_RESOURCE_REQUIREMENTS

0x0B

IRP_MN_QUERY_DEVICE_TEXT

0x0C

IRP_MN_FILTER_RESOURCE_REQUIREMENTS

0x0D

IRP_MN_READ_CONFIG

0x0F

IRP_MN_WRITE_CONFIG

0x10

IRP_MN_EJECT

0x11

IRP_MN_SET_LOCK

0x12

IRP_MN_QUERY_ID

0x13

IRP_MN_QUERY_PNP_DEVICE_STATE

0x14

IRP_MN_QUERY_BUS_INFORMATION

0x15

IRP_MN_DEVICE_USAGE_NOTIFICATION

0x16

IRP_MN_SURPRISE_REMOVAL

0x17

IRP_MN_QUERY_LEGACY_BUS_INFORMATION

0x18

The WMI minor function codes are as follows:

Minor Function Code Hexadecimal Code

IRP_MN_QUERY_ALL_DATA

0x00

IRP_MN_QUERY_SINGLE_INSTANCE

0x01

IRP_MN_CHANGE_SINGLE_INSTANCE

0x02

IRP_MN_CHANGE_SINGLE_ITEM

0x03

IRP_MN_ENABLE_EVENTS

0x04

IRP_MN_DISABLE_EVENTS

0x05

IRP_MN_ENABLE_COLLECTION

0x06

IRP_MN_DISABLE_COLLECTION

0x07

IRP_MN_REGINFO

0x08

IRP_MN_EXECUTE_METHOD

0x09

The power management minor function codes are as follows:

Minor Function Code Hexadecimal Code

IRP_MN_WAIT_WAKE

0x00

IRP_MN_POWER_SEQUENCE

0x01

IRP_MN_SET_POWER

0x02

IRP_MN_QUERY_POWER

0x03

The SCSI minor function codes are as follows:

Minor Function Code Hexadecimal Code

IRP_MN_SCSI_CLASS

0x01

See also

IRP

!irpfind

!ioctldecode