Debugging Tools for Windows
!teb
The !teb extension displays a formatted view of the information in the thread environment block (TEB).
Syntax
!teb [TEB-Address]
Parameters
- TEB-Address: The hexadecimal address of the thread whose TEB you want to examine. (This is not the address of the TEB as derived from the kernel thread block for the thread.) If TEB-Address is omitted in user mode, the TEB for the current process is used. If it is omitted in kernel mode, the TEB corresponding to the current register context is displayed.
DLL
| Windows 2000 | Kdextx86.dll, Ntsdexts.dll |
| Windows XP and later | Exts.dll |
Comments
The TEB is the user-mode portion of Microsoft Windows thread control structures.
If the !teb extension with no argument gives you an error in kernel mode, you should use the !process extension to determine the TEB address for the desired thread. Make sure your register context is set to the desired thread, and then use the TEB address as the argument for !teb.
Here is an example of this command's output in user mode:
0:001> ~
0 id: 324.458 Suspend: 1 Teb 7ffde000 Unfrozen
. 1 id: 324.48c Suspend: 1 Teb 7ffdd000 Unfrozen
0:001> !teb
TEB at 7FFDD000
ExceptionList: 76ffdc
Stack Base: 770000
Stack Limit: 76f000
SubSystemTib: 0
FiberData: 1e00
ArbitraryUser: 0
Self: 7ffdd000
EnvironmentPtr: 0
ClientId: 324.48c
Real ClientId: 324.48c
RpcHandle: 0
Tls Storage: 0
PEB Address: 7ffdf000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks:0
HardErrorsMode: 0
The similar !peb extension displays the process environment block.
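When triaging a crash dump or a suspect thread, the fields in the user-mode output above can be cross-checked against each other. The following is an added example, not part of the Debugging Tools documentation: it parses saved !teb text and flags a Self pointer that does not match the TEB address, inverted stack bounds, or an ExceptionList that lies outside the thread's stack. The function names are hypothetical, and the ExceptionList check assumes a 32-bit (x86) thread like the one shown.

```python
import re

# Excerpt of the user-mode !teb output shown on this page (32-bit target).
SAMPLE = """\
TEB at 7FFDD000
ExceptionList: 76ffdc
Stack Base: 770000
Stack Limit: 76f000
Self: 7ffdd000
ClientId: 324.48c
Real ClientId: 324.48c
PEB Address: 7ffdf000
Count Owned Locks:0
HardErrorsMode: 0
"""

def hx(s):
    # 64-bit debugger output splits addresses with a backtick; strip it.
    return int(s.replace("`", ""), 16)

def parse_teb(text):
    """Map each !teb field name to its raw string value; 'TEB' holds the header address."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*TEB at ([0-9A-Fa-f`]+)", line)
        if m:
            fields["TEB"] = m.group(1)
        elif ":" in line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields

def check_teb(f):
    """Return a list of inconsistencies; an empty list means the fields agree."""
    teb, base, limit = hx(f["TEB"]), hx(f["Stack Base"]), hx(f["Stack Limit"])
    exc, findings = hx(f["ExceptionList"]), []
    if hx(f["Self"]) != teb:
        findings.append("Self does not point back at the TEB")
    if limit >= base:
        findings.append("Stack Limit is not below Stack Base")
    # Assumption (x86): the SEH chain head sits on this thread's stack;
    # 0xffffffff marks an empty chain.
    if exc != 0xFFFFFFFF and not limit <= exc < base:
        findings.append("ExceptionList points outside the thread's stack")
    return findings

if __name__ == "__main__":
    print(check_teb(parse_teb(SAMPLE)))
```

A non-empty result is a prompt to inspect the thread further, for example an exception registration record that has been overwritten or a TEB address that was mistyped.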
Additional Information
For information about thread environment blocks, see Microsoft Windows Internals by Mark Russinovich and David Solomon.