Export (0) Print
Expand All
!ca
!ih
!tz
!vm
Expand Minimize

!thread

The !thread extension displays summary information about a thread on the target system, including the ETHREAD block. This command can be used only during kernel-mode debugging.

This extension command is not the same as the .thread (Set Register Context) command.

Syntax in Windows 2000:

!thread [Address [Flags]]

Syntax in Windows XP:

!thread [-p] [-t] [Address [Flags]]

Parameters

-p

Displays summary information about the process that owns the thread.

-t

When this option is included, Address is the thread ID, not the thread address.

Address

Specifies the hexadecimal address of the thread on the target computer. If Address is -1 or omitted, it indicates the current thread.

Flags

Specifies the level of detail to display. Flags can be any combination of the following bits. If Flags is 0, only a minimal amount of information is displayed. The default is 0x6:

Bit 1 (0x2)

Displays the thread's wait states.

Bit 2 (0x4)

If this bit is used without Bit 1 (0x2), it has no effect. If this bit is used with Bit 1, the thread is displayed with a stack trace.

Bit 3 (0x8)

(Windows XP and later)

Adds the return address, the stack pointer, and (on Itanium systems) the bsp register value to the information displayed for each function and suppresses the display of function arguments.

Bit 4 (0x10)

(Windows XP and later) Sets the process context equal to the process that owns the specified thread for the duration of this command. This results in more accurate display of thread stacks.

DLL

Windows 2000

Kdextx86.dll

Windows XP and later

Kdexts.dll

 

Additional Information

For information about threads in kernel mode, see Changing Contexts. For more information about analyzing processes and threads, see Microsoft Windows Internals, by Mark Russinovich and David Solomon. (This book may not be available in some languages and countries.)

Remarks

Here is an example from a Windows 2000 system:

kd> !thread ff8632c0
THREAD ff8632c0  Cid 38c.380  Teb: 7ffde000  Win32Thread: e1bc1a08 WAIT: (WrUserRequest) UserMode Non-Alertable
    ff8543e0  SynchronizationEvent
Not impersonating
Owning Process ff89c7a0
WaitTime (seconds)      16923
Context Switch Count    67                   LargeStack
UserTime                  0:00:00.0000
KernelTime                0:00:00.0093
Start Address 0x77e878c1
Win32 Start Address 0x01003dd0
Stack Init fd536000 Current fd535c20 Base fd536000 Limit fd531000 Call 0
Priority 12 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr  Args to Child
fd535c38 8012d61c 00000000 e1bc1a08 00000001 ntoskrnl!KiSwapThread+0xc5
fd535cbc 801672a2 00000001 00000001 000021bf ntoskrnl!KeWaitForSingleObject+0x1a1
fd535d4c 80161691 0006ff08 00000000 00000000 ntoskrnl!ExFreePool+0xb
fd535d4c a01772a8 0006ff08 00000000 00000000 ntoskrnl!KiSystemService+0xc4
ffffffff 00000000 00000000 00000000 00000000 +0xa01772a8

The important information in the !thread display is explained in the following table.

ParameterMeaning

Thread address

The hexadecimal number after the word THREAD is the address of the ETHREAD block. In the preceding example, the thread address is 0xFF8632C0.

Thread ID

The two hexadecimal numbers after the word Cid are the process ID and the thread ID: process ID.thread ID. In the preceding example, the process ID is 0x38C, or decimal 908, and the thread ID is 0x380, or decimal 896.

Thread Environment Block (TEB)

The hexadecimal number after the word Teb is the address of the thread environment block (TEB). In the preceding example, the TEB is located at address 0x7FFDE000.

System Service Dispatch Table

The hexadecimal number after the word Win32Thread is the address of the system service dispatch table. In the preceding example, the system dispatch table is located at address 0xE1BC1A08.

Thread State

The thread state is displayed at the end of the line that begins with the word WAIT. In the preceding example, the thread is in a non-alertable state.

Owning Process

The hexadecimal number after the words Owning Process is the address of the EPROCESS for the process that owns this thread.

Start Address

The hexadecimal number after the words Start Address is the thread start address. This might appear in symbolic form.

User Thread Function

The hexadecimal number after the words Win32 Start Address is the address of the user thread function.

Priority

The priority information for the thread follows the word Priority.

Stack trace

A stack trace for the thread appears at the end of this display.

 

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft