Edit

Share via

!teb

  • Article

The !teb extension displays a formatted view of the information in the thread environment block (TEB).

!teb [TEB-Address]

\Parameters

TEB-Address
The hexadecimal address of the thread whose TEB you want to examine. (This is not the address of the TEB as derived from the kernel thread block for the thread.) If TEB-Address is omitted in user mode, the TEB for the current thread is used. If it is omitted in kernel mode, the TEB corresponding to the current register context is displayed.

DLL

Exts.dll

Additional Information

For information about thread environment blocks, see Microsoft Windows Internals by Mark Russinovich and David Solomon.

Remarks

The TEB is the user-mode portion of Microsoft Windows thread control structures.

If the !teb extension with no argument gives you an error in kernel mode, you should use the !process extension to determine the TEB address for the desired thread. Make sure your register context is set to the desired thread, and then use the TEB address as the argument for !teb.

Here is an example of this command's output in user mode:

0:001> ~
   0  id: 324.458   Suspend: 1 Teb 7ffde000 Unfrozen
.  1  id: 324.48c   Suspend: 1 Teb 7ffdd000 Unfrozen

0:001> !teb 
TEB at 7FFDD000
    ExceptionList:    76ffdc
    Stack Base:       770000
    Stack Limit:      76f000
    SubSystemTib:     0
 FiberData:        1e00
    ArbitraryUser:    0
    Self:             7ffdd000
    EnvironmentPtr:   0
 ClientId:         324.48c
    Real ClientId:    324.48c
    RpcHandle:        0
    Tls Storage:      0
    PEB Address:      7ffdf000
    LastErrorValue:   0
    LastStatusValue:  0
    Count Owned Locks:0
    HardErrorsMode:   0

The similar !peb extension displays the process environment block.