!sprocess
The !sprocess extension displays information about the specified session process, or about all processes in the specified session.
!sprocess Session [Flags [ImageName]]
!sprocess -?
Parameters
Session
Specifies the session that owns the desired process. Session is always interpreted as a decimal number.
Session can have the following values:
-1 |
Use current session. This is the default. |
-2 |
Use session context. |
-4 |
Display all processes by session. |
Flags
Specifies the level of detail in the display. Flags can be any combination of the following bits. The default is 0.
0x0 |
Display minimal information. |
Bit 0 (0x1) |
Display time and priority statistics. |
Bit 1 (0x2) |
Adds to the display a list of threads and events associated with the process and the wait states of the threads. |
Bit 2 (0x4) |
Adds to the display a list of threads associated with the process. If this bit is used without Bit 1 (0x2), each thread is displayed on a single line. If this is included with Bit 1, each thread is displayed with a stack trace. |
Bit 3 (0x8) |
Adds to the display of each function the return address, the stack pointer and, on Itanium-based systems, the bsp register value. It suppresses the display of function arguments. |
Bit 4 (0x10) |
Display only the return address of each function. Suppress the arguments and stack pointers. |
ImageName
Specifies the name of the process to be displayed. All processes whose executable image names match ImageName are displayed. The image name must match that in the EPROCESS block. In general, this is the executable name that was invoked to start the process, including the file extension (usually .exe), and truncated after the fifteenth character. There is no way to specify an image name that contains a space.
-?
Displays help for this extension in the Debugger Command window. This help text has some omissions.
DLL
Kdexts.dll
Additional Information
For information about sessions and processes in kernel mode, see Changing Contexts. For more information about analyzing processes and threads, see Microsoft Windows Internals, by Mark Russinovich and David Solomon.
Remarks
The output of this extension is similar to that of !process, except that the addresses of _MM_SESSION_SPACE and _MMSESSION are displayed as well.