The !vad extension displays details of a virtual address descriptor (VAD) or a tree of VADs.

  • Displays details of one virtual address descriptor (VAD)
  • Displays details of a tree of VADs.
  • Displays information about the VADs for a particular user-mode module and provides a string that you can use to load the symbols for that module.
!vad VAD-Root [Flag]
!vad Address 1


Address of the root of the VAD tree to be displayed.

Specifies the form the display will take. Possible values include:

The entire VAD tree based at VAD-Root is displayed. (This is the default.)

Only the VAD specified by VAD-Root is displayed. The display will include a more detailed analysis.

Address in the virtual address range of a user-mode module.


Windows 2000


Windows XP and later


Additional Information

For information about virtual address descriptors, see Microsoft Windows Internals, by Mark Russinovich and David Solomon.


The address of the root of the VAD for any process can be found by using the !process command.

The !vad command can be helpful when you need to load symbols for a user-mode module that has been paged out of memory. For details, see Mapping Symbols When the PEB is Paged Out.

Here is an example of the !vad extension:

kd> !vad 824bc2f8
VAD     level      start      end    commit
82741bf8 ( 1)      78000    78045         8 Mapped  Exe  EXECUTE_WRITECOPY
824ef368 ( 2)      7f6f0    7f7ef         0 Mapped       EXECUTE_READ
824bc2f8 ( 0)      7ffb0    7ffd3         0 Mapped       READONLY
8273e508 ( 2)      7ffde    7ffde         1 Private      EXECUTE_READWRITE
82643fc8 ( 1)      7ffdf    7ffdf         1 Private      EXECUTE_READWRITE

Total VADs:     5  average level:    2  maximum depth: 2

kd> !vad 824bc2f8 1

VAD @ 824bc2f8
  Start VPN:         7ffb0  End VPN:    7ffd3  Control Area:  827f1208
  First ProtoPte: e1008500  Last PTE e100858c  Commit Charge         0 (0.)
  Secured.Flink          0  Blink           0  Banked/Extend:        0 Offset 0
   ViewShare NoChange READONLY