!address
The !address extension displays information about the memory that the target process or target computer uses.
User-Mode
!address Address
!address -summary
!address [-f:F1,F2,...] {[-o:{csv | tsv | 1}] | [-c:"Command"]}
!address -? | -help
Kernel-Mode
!address Address
!address
Parameters
Address
Displays only the region of the address space that contains Address.
-summary
Displays only summary information.
-f:F1, F2, ...
Displays only the regions specified by the filters F1, F2, and so on.
The following filter values specify memory regions by the way that the target process is using them.
| Filter value | Memory regions displayed |
|---|---|
VAR |
Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification. |
Free |
Free memory. This includes all memory that has not been reserved. |
Image |
Memory that is mapped to a file that is part of an executable image. |
Stack |
Memory used for thread stacks. |
Teb |
Memory used for thread environment blocks (TEBs). |
Peb |
Memory used for the process environment block (PEB). |
Heap |
Memory used for heaps. |
PageHeap |
The memory region used for the full-page heap. |
CSR |
CSR shared memory. |
Actx |
Memory used for activation context data. |
NLS |
Memory used for National Language Support (NLS) tables. |
FileMap |
Memory used for memory-mapped files. This filter is applicable only during live debugging. |
The following filter values specify memory regions by the memory type.
| Filter value | Memory regions displayed |
|---|---|
MEM_IMAGE |
Memory that is mapped to a file that is part of an executable image. |
MEM_MAPPED |
Memory that is mapped to a file that is not part of an executable image. This includes memory that is mapped to the paging file. |
MEM_PRIVATE |
Private memory. This memory is not shared by any other process, and it is not mapped to any file. |
The following filter values specify memory regions by the state of the memory.
| Filter value | Memory regions displayed |
|---|---|
MEM_COMMIT |
Committed memory. |
MEM_FREE |
Free memory. This includes all memory that has not been reserved. |
MEM_RESERVE |
Reserved memory. |
The following filter values specify memory regions by the protection applied to the memory.
| Filter value | Memory regions displayed |
|---|---|
PAGE_NOACCESS |
Memory that cannot be accessed. |
PAGE_READONLY |
Memory that is readable, but not writable and not executable. |
PAGE_READWRITE |
Memory that is readable and writable, but not executable. |
PAGE_WRITECOPY |
Memory that has copy-on-write behavior. |
PAGE_EXECUTE |
Memory that is executable, but not readable and not writeable. |
PAGE_EXECUTE_READ |
Memory that is executable and readable, but not writable. |
PAGE_EXECUTE_READWRITE |
Memory that is executable, readable, and writable. |
PAGE_EXECUTE_WRITECOPY |
Memory that is executable and has copy-on-write behavior. |
PAGE_GUARD |
Memory that acts as a guard page. |
PAGE_NOCACHE |
Memory that is not cached. |
PAGE_WRITECOMBINE |
Memory that has write-combine access enabled. |
-o:{csv | tsv | 1}
Displays the output according to one of the following options.
| Option | Output format |
|---|---|
csv |
Displays the output as comma-separated values. |
tsv |
Displays the output as tab-separated values. |
1 |
Displays the output in bare format. This format works well when !address is used as input to .foreach. |
-c:"Command"
Executes a custom command for each memory region. You can use the following placeholders in your command to represent output fields of the !address extension.
| Placeholder | Output field |
|---|---|
%1 |
Base address |
%2 |
End address + 1 |
%3 |
Region size |
%4 |
Type |
%5 |
State |
%6 |
Protection |
%7 |
Usage |
For example, !address -f:Heap -c:".echo %1 %3 %5" displays the base address, size, and state for each memory region of type Heap.
Quotes in the command must be preceded by a back slash (\"). For example, !address -f:Heap -c:"s -a %1 %2 \"pad\"" searches each memory region of type Heap for the string "pad".
Multiple commands separated by semicolons are not supported.
-?
Displays minimal Help text for this extension in the Debugger Command window.
DLL
Ext.dll
Additional Information
For more information about how to display and search memory, see Reading and Writing Memory. For additional extensions that display memory properties, see !vm (kernel mode) and !vprot (user mode).
Remarks
Without any parameters, the !address extension displays information about the whole address space. The !address -summary command shows only the summary.
In kernel mode, this extension searches only kernel memory, even if you used .process (Set Process Context) to specify a given process' virtual address space. In user mode, the !address extension always refers to the memory that the target process owns.
In user mode, !address Address shows the characteristics of the region that the specified address belongs to. Without parameters, !address shows the characteristics of all memory regions. These characteristics include the memory usage, memory type, memory state, and memory protection. For more information about the meaning of this information, see the earlier tables in the description of the -f parameter.
The following example uses !address to retrieve information about a region of memory that is mapped to kernel32.dll.
0:000> !address 75831234
Usage: Image
Base Address: 75831000
End Address: 758f6000
Region Size: 000c5000
Type: 01000000MEM_IMAGE
State: 00001000MEM_COMMIT
Protect: 00000020PAGE_EXECUTE_READ
More info: lmv m kernel32
More info: !lmi kernel32
More info: ln 0x75831234
This example uses an Address value of 0x75831234. The display shows that this address is in a memory region that begins with the address 0x75831000 and ends with the address 0x758f6000. The region has usage Image, type MEM_IMAGE, state MEM_COMMIT, and protection PAGE_EXECUTE_READ. (For more information about the meaning of these values, see the earlier tables.) The display also lists three other debugger commands that you can use to get more information about this memory address.
If you are starting with an address and trying to determine information about it, the usage information is frequently the most valuable. After you know the usage, you can use additional extensions to learn more about this memory. For example, if the usage is Heap, you can use the !heap extension to learn more.
The following example uses the s (Search Memory) command to search each memory region of type Image for the wide-character string "Note".
!address /f:Image /c:"s -u %1 %2 \"Note\""
*** Executing: s -u 0xab0000 0xab1000 "Note"
*** Executing: s -u 0xab1000 0xabc000 "Note"
00ab2936 004e 006f 0074 0065 0070 0061 0064 0000 N.o.t.e.p.a.d...
00ab2f86 004e 006f 0074 0065 0070 0061 0064 005c N.o.t.e.p.a.d.\.
00ab32e4 004e 006f 0074 0065 0070 0061 0064 0000 N.o.t.e.p.a.d...
*** Executing: s -u 0xabc000 0xabd000 "Note"
. . .
In kernel mode, the output of !address is similar to the user mode output but contains less information. The following example shows the kernel mode output.
kd> !address
804de000 - 00235000
Usage KernelSpaceUsageImage
ImageName ntoskrnl.exe
80c00000 - 001e1000
Usage KernelSpaceUsagePFNDatabase
....
f85b0000 - 00004000
Usage KernelSpaceUsageKernelStack
KernelStack 817b4da0 : 324.368
f880d000 - 073d3000
Usage KernelSpaceUsageNonPagedPoolExpansion
The meaning of "usage" is the same as in user mode. "ImageName" indicates the module that is associated with this address. "KernelStack" shows the address of this thread's ETHREAD block (0x817B4DA0), the process ID (0x324), and the thread ID (0x368).