This topic has not yet been rated - Rate this topic

!address

The !address extension displays information about the memory that the target process or target computer uses.

User-Mode

Copy

!address Address
!address -summary 
!address [-f:F1,F2,...] {[-o:{csv | tsv | 1}] | [-c:"Command"]}
!address -? | -help

Kernel-Mode

Copy

!address Address 
!address

Parameters

Address

Displays only the region of the address space that contains Address.

-summary

Displays only summary information.

-f:F1, F2, ...

Displays only the regions specified by the filters F1, F2, and so on.

The following filter values specify memory regions by the way that the target process is using them.

Filter value	Memory regions displayed
VAR	Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.
Free	Free memory. This includes all memory that has not been reserved.
Image	Memory that is mapped to a file that is part of an executable image.
Stack	Memory used for thread stacks.
Teb	Memory used for thread environment blocks (TEBs).
Peb	Memory used for the process environment block (PEB).
Heap	Memory used for heaps.
PageHeap	The memory region used for the full-page heap.
CSR	CSR shared memory.
Actx	Memory used for activation context data.
NLS	Memory used for National Language Support (NLS) tables.
FileMap	Memory used for memory-mapped files. This filter is applicable only during live debugging.

The following filter values specify memory regions by the memory type.

Filter value	Memory regions displayed
MEM_IMAGE	Memory that is mapped to a file that is part of an executable image.
MEM_MAPPED	Memory that is mapped to a file that is not part of an executable image. This includes memory that is mapped to the paging file.
MEM_PRIVATE	Private memory. This memory is not shared by any other process, and it is not mapped to any file.

The following filter values specify memory regions by the state of the memory.

Filter value	Memory regions displayed
MEM_COMMIT	Committed memory.
MEM_FREE	Free memory. This includes all memory that has not been reserved.
MEM_RESERVE	Reserved memory.

The following filter values specify memory regions by the protection applied to the memory.

Filter value	Memory regions displayed
PAGE_NOACCESS	Memory that cannot be accessed.
PAGE_READONLY	Memory that is readable, but not writable and not executable.
PAGE_READWRITE	Memory that is readable and writable, but not executable.
PAGE_WRITECOPY	Memory that has copy-on-write behavior.
PAGE_EXECUTE	Memory that is executable, but not readable and not writeable.
PAGE_EXECUTE_READ	Memory that is executable and readable, but not writable.
PAGE_EXECUTE_READWRITE	Memory that is executable, readable, and writable.
PAGE_EXECUTE_WRITECOPY	Memory that is executable and has copy-on-write behavior.
PAGE_GUARD	Memroy that acts as a guard page.
PAGE_NOCACHE	Memory that is not cached.
PAGE_WRITECOMBINE	Memory that has write-combine access enabled.

-o:{csv | tsv | 1}

Displays the output according to one of the following options.

Option	Output format
csv	Displays the output as comma-separated values.
tsv	Displays the output as tab-separated values.
1	Displays the output in bare format. This format works well when !address is used as input to .foreach.

-c:"Command"

Executes a custom command for each memory region. You can use the following placeholders in your command to represent output fields of the !address extension.

Placeholder	Output field
%1	Base address
%2	End address + 1
%3	Region size
%4	Type
%5	State
%6	Protection
%7	Usage

For example, !address -f:Heap -c:".echo %1 %3 %5" displays the base address, size, and state for each memory region of type Heap.

Quotes in the command must be preceded by a back slash (\"). For example, !address -f:Heap -c:"s -a %1 %2 \"pad\"" searches each memory region of type Heap for the string "pad".

Multiple commands separated by semicolons are not supported.

-?

Displays minimal Help text for this extension in the Debugger Command window.

DLL

Windows 2000	Ext.dll
Windows XP and later	Ext.dll

Additional Information

For more information about how to display and search memory, see Reading and Writing Memory. For additional extensions that display memory properties, see !vm (kernel mode) and !vprot (user mode).

Remarks

Without any parameters, the !address extension displays information about the whole address space. The !address -summary command shows only the summary.

In kernel mode, this extension searches only kernel memory, even if you used .process (Set Process Context) to specify a given process' virtual address space. In user mode, the !address extension always refers to the memory that the target process owns.

In user mode, !address Address shows the characteristics of the region that the specified address belongs to. Without parameters, !address shows the characteristics of all memory regions. These characteristics include the memory usage, memory type, memory state, and memory protection. For more information about the meaning of this information, see the earlier tables in the description of the -f parameter.

The following example uses !address to retrieve information about a region of memory that is mapped to kernel32.dll.

Copy

0:000> !address 75831234
Usage:                  Image
Base Address:           75831000
End Address:            758f6000
Region Size:            000c5000
Type:                   01000000MEM_IMAGE
State:                  00001000MEM_COMMIT
Protect:                00000020PAGE_EXECUTE_READ
More info:              lmv m kernel32
More info:              !lmi kernel32
More info:              ln 0x75831234

This example uses an Address value of 0x75831234. The display shows that this address is in a memory region that begins with the address 0x75831000 and ends with the address 0x758f6000. The region has usage Image, type MEM_IMAGE, state MEM_COMMIT, and protection PAGE_EXECUTE_READ. (For more information about the meaning of these values, see the earlier tables.) The display also lists three other debugger commands that you can use to get more information about this memory address.

If you are starting with an address and trying to determine information about it, the usage information is frequently the most valuable. After you know the usage, you can use additional extensions to learn more about this memory. For example, if the usage is Heap, you can use the !heap extension to learn more.

The following example uses the s (Search Memory) command to search each memory region of type Image for the wide-character string "Note".

Copy

!address /f:Image /c:"s -u %1 %2 \"Note\""

*** Executing: s -u 0xab0000 0xab1000 "Note"
*** Executing: s -u 0xab1000 0xabc000 "Note"
00ab2936  004e 006f 0074 0065 0070 0061 0064 0000  N.o.t.e.p.a.d...
00ab2f86  004e 006f 0074 0065 0070 0061 0064 005c  N.o.t.e.p.a.d.\.
00ab32e4  004e 006f 0074 0065 0070 0061 0064 0000  N.o.t.e.p.a.d...
*** Executing: s -u 0xabc000 0xabd000 "Note"
. . .

In kernel mode, the output of !address is similar to the user mode output but contains less information. The following example example shows the kernel mode output.

Copy

kd> !address
  804de000 - 00235000                           
 Usage       KernelSpaceUsageImage
          ImageName   ntoskrnl.exe

  80c00000 - 001e1000
          Usage       KernelSpaceUsagePFNDatabase

....

  f85b0000 - 00004000
          Usage       KernelSpaceUsageKernelStack
          KernelStack 817b4da0 : 324.368

 f880d000 - 073d3000
          Usage       KernelSpaceUsageNonPagedPoolExpansion

The meaning of "usage" is the same as in user mode. "ImageName" indicates the module that is associated with this address. "KernelStack" shows the address of this thread's ETHREAD block (0x817B4DA0), the process ID (0x324), and the thread ID (0x368).

Send comments about this topic to Microsoft

Build date: 4/2/2012

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)