แก้ไข

แชร์ผ่าน


!thread

The !thread extension displays summary information about a thread on the target system, including the ETHREAD block. This command can be used only during kernel-mode debugging.

This extension command is not the same as the .thread (Set Register Context) command.

Syntax

!thread [-p] [-t] [Address [Flags]]

Parameters

-p
Displays summary information about the process that owns the thread.

-t
When this option is included, Address is the thread ID, not the thread address.

Address
Specifies the hexadecimal address of the thread on the target computer. If Address is -1 or omitted, it indicates the current thread.

Flags
Specifies the level of detail to display. Flags can be any combination of the following bits. If Flags is 0, only a minimal amount of information is displayed. The default is 0x6:

Bit 1 (0x2)
Displays the thread's wait states.

Bit 2 (0x4)
If this bit is used without Bit 1 (0x2), it has no effect. If this bit is used with Bit 1, the thread is displayed with a stack trace.

Bit 3 (0x8)
Adds the return address, the stack pointer, and (on Itanium systems) the bsp register value to the information displayed for each function and suppresses the display of function arguments.

Bit 4 (0x10)
Sets the process context equal to the process that owns the specified thread for the duration of this command. This results in more accurate display of thread stacks.

DLL

Kdexts.dll

Additional Information

For information about threads in kernel mode, see Changing Contexts and Controlling Processes and Threads. For more information about analyzing processes and threads, see Microsoft Windows Internals, by Mark Russinovich, Alex Ionescu and David Solomon.

Remarks

Here is an example using Windows 10:

0: kd> !thread 0xffffcb088f0a4480            
THREAD ffffcb088f0a4480  Cid 0e34.3814  Teb: 0000001a27ca6000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 ffffb80842016c20
Owning Process            ffffcb08905397c0       Image:         MsMpEng.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      182835891      Ticks: 0
Context Switch Count      5989           IdealProcessor: 3             
UserTime                  00:00:01.046
KernelTime                00:00:00.296
Win32 Start Address 0x00007ffb3b2fd1b0
Stack Init ffff95818476add0 Current ffff958184769d30
Base ffff95818476b000 Limit ffff958184765000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff802`59858c68 fffff801`b56d24aa : ffffcb08`8fd68010 00000000`00000000 fffff802`58259600 00000000`00000008 : nt!DbgBreakPointWithStatus [d:\rs2\minkernel\ntos\rtl\amd64\debugstb.asm @ 130] 
fffff802`59858c70 ffffcb08`8fd68010 : 00000000`00000000 fffff802`58259600 00000000`00000008 ffffcb08`8f0a4400 : 0xfffff801`b56d24aa
fffff802`59858c78 00000000`00000000 : fffff802`58259600 00000000`00000008 ffffcb08`8f0a4400 00000000`00000019 : 0xffffcb08`8fd68010

Use commands like !process to locate the address or thread ID of the thread you are interested in.

The useful information in the !thread display is explained in the following table.

Parameter Meaning

Thread address

The hexadecimal number after the word THREAD is the address of the ETHREAD block. In the preceding example, the thread address is 0xffffcb088f0a4480 .

Thread ID

The two hexadecimal numbers after the word Cid are the process ID and the thread ID: process ID.thread ID. In the preceding example, the process ID is 0x0e34, and the thread ID is 0x3814.

Thread Environment Block (TEB)

The hexadecimal number after the word Teb is the address of the thread environment block (TEB).

Win32Thread

The hexadecimal number after the word Win32Thread is the address of the Win32Thread.

Thread State

The thread state is displayed at the end of the line that begins with the word RUNNING.

Owning Process

The hexadecimal number after the words Owning Process is the address of the EPROCESS for the process that owns this thread.

Start Address

The hexadecimal number after the words Start Address is the thread start address. This might appear in symbolic form.

User Thread Function

The hexadecimal number after the words Win32 Start Address is the address of the user thread function.

Priority

The priority information for the thread follows the word Priority.

Stack trace

A stack trace for the thread appears at the end of this display.