Debugging Tools for Windows
!address
The !address extension displays information about the memory that the target process or target computer uses.
Syntax
User-Mode
!address Address
!address -summary
!address -Filter
!address -?
Kernel-Mode
!address Address
!address
Parameters
- Address
- Displays only the region of the address space that contains Address.
- -summary
- Displays only summary information.
- Filter
- Displays only the specified region. The value of Filter is not case sensitive.
The following possible Filter values specify memory regions by the way that the target process is using them.
| Filter value | Memory region displayed |
|---|
| RegionUsageIsVAD | The "busy" region. This region includes all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification. |
| RegionUsageFree | The available memory in the target's virtual address space. This memory includes all memory that has not been committed or reserved. |
| RegionUsageImage | The memory region that mapped images of binaries use. |
| RegionUsageStack | The memory region that is used for the stacks that the threads in the target process own. |
| RegionUsageTeb | The memory region that is used for the thread environment blocks (TEBs) for all threads in the target process. |
| RegionUsageHeap | The memory region that is used for the heaps that the target process owns. |
| RegionUsagePageHeap | The memory region that is used for the full-page heap that the target process owns. |
| RegionUsagePeb | The memory region that is used for the process environment block (PEB) of the target process. |
| RegionUsageProcessParametrs | The memory region that is used for the startup parameters of the target process. |
| RegionUsageEnvironmentBlock | The memory region that is used for the environment block of the target process. |
The following possible Filter values specify memory by the memory type.
| Filter value | Memory type displayed |
|---|
| MEM_IMAGE | Memory that is mapped from a file that is part of an executable image. |
| MEM_MAPPED | Memory that is mapped from a file that is not part of an executable image. This memory includes memory that is mapped from the paging file. |
| MEM_PRIVATE | Memory that is private (that is, not shared by other processes) and that is not mapped from any file. |
The following possible Filter values specify memory by the state of the memory:
| Filter value | Memory state displayed |
|---|
| MEM_COMMIT | All memory that is currently committed for use by the target. Physical storage has been allocated for this memory, in physical memory or in the page file. |
| MEM_RESERVE | All memory that is reserved for future use by the target. No physical storage is allocated for this memory. |
| MEM_FREE | All available memory in the target's virtual address space. This memory includes all memory that has not been committed or reserved. This Filter value is the same as RegionUsageFree. |
- -?
- Displays minimal Help text for this extension in the Debugger Command window.
DLL
| Windows 2000 | Ext.dll |
| Windows XP and later | Ext.dll |
Comments
Without any parameters, the !address extension displays information about the whole address space and a summary of the usage. The !address -summary command shows only the summary.
In kernel mode, this extension searches only kernel memory, even if you used .process (Set Process Context) to specify a given process' virtual address space. In user mode, the !address extension always refers to the memory that the target process owns.
In user mode, !address Address shows the characteristics of the region that the specified address belongs to. Without parameters, !address shows the characteristics of all memory regions. These characteristics include the memory type, memory state, and memory usage. For more information about the meaning of this information, see the earlier tables in the description of the Filter parameter.
The following example shows !address.
0:000> !address 7c571234
7c570000 : 7c571000 - 00059000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINNT\system32\KERNEL32.dll
This example uses an Address value of 0x7C571234. The display shows that this address is in a large memory region that begins with the address 0x7C570000. Within this region, there is a smaller region that begins with 0x7C571000 and that has total size 0x59000. Therefore, this smaller region ranges from 0x7C571000 through 0x7C5C9FFF. This smaller region has memory type MEM_IMAGE, state MEM_COMMIT, and usage RegionUsageImage. (For more information about the meaning of these values, see the earlier tables.) Moreover, the memory is readable and executable, but not writeable. Finally, this memory is in the space that the Kernel32.dll module owns.
If you are starting with an address and trying to determine information about it, the usage information is frequently the most valuable. After you know the usage, you can use additional extensions to learn more about this memory. For example, if the usage is RegionUsageHeap, you can use the !heap extension to learn more.
In kernel mode, the display of !address is similar but contains less information. The following example example shows this situation.
kd> !address
804de000 - 00235000
Usage KernelSpaceUsageImage
ImageName ntoskrnl.exe
80c00000 - 001e1000
Usage KernelSpaceUsagePFNDatabase
....
f85b0000 - 00004000
Usage KernelSpaceUsageKernelStack
KernelStack 817b4da0 : 324.368
f880d000 - 073d3000
Usage KernelSpaceUsageNonPagedPoolExpansion
The meaning of "usage" is the same as in user mode. "ImageName" indicates the module that is associated with this address. "KernelStack" shows the address of this thread's ETHREAD block (0x817B4DA0), the process ID (0x324), and the thread ID (0x368).
Additional Information
For more information about how to display and search memory, see Reading and Writing Memory. For additional extensions that display memory properties, see !vm (kernel mode) and !vprot (user mode).