!vad
The !vad extension displays details of a virtual address descriptor (VAD) or a tree of VADs.
- Displays details of one virtual address descriptor (VAD)
- Displays details of a tree of VADs.
- Displays information about the VADs for a particular user-mode module and provides a string that you can use to load the symbols for that module.
!vad VAD-Root [Flag]
!vad Address 1
Parameters
VAD-Root
Address of the root of the VAD tree to be displayed.
Flag
Specifies the form the display will take. Possible values include:
0
The entire VAD tree based at VAD-Root is displayed. (This is the default.)
1
Only the VAD specified by VAD-Root is displayed. The display will include a more detailed analysis.
Address
Address in the virtual address range of a user-mode module.
DLL
Kdexts.dll
Additional Information
For information about virtual address descriptors, see Microsoft Windows Internals, by Mark Russinovich and David Solomon.
Remarks
The address of the root of the VAD for any process can be found by using the !process command.
The !vad command can be helpful when you need to load symbols for a user-mode module that has been paged out of memory. For details, see Mapping Symbols When the PEB is Paged Out.
Here is an example of the !vad extension:
kd> !vad 824bc2f8
VAD level start end commit
82741bf8 ( 1) 78000 78045 8 Mapped Exe EXECUTE_WRITECOPY
824ef368 ( 2) 7f6f0 7f7ef 0 Mapped EXECUTE_READ
824bc2f8 ( 0) 7ffb0 7ffd3 0 Mapped READONLY
8273e508 ( 2) 7ffde 7ffde 1 Private EXECUTE_READWRITE
82643fc8 ( 1) 7ffdf 7ffdf 1 Private EXECUTE_READWRITE
Total VADs: 5 average level: 2 maximum depth: 2
kd> !vad 824bc2f8 1
VAD @ 824bc2f8
Start VPN: 7ffb0 End VPN: 7ffd3 Control Area: 827f1208
First ProtoPte: e1008500 Last PTE e100858c Commit Charge 0 (0.)
Secured.Flink 0 Blink 0 Banked/Extend: 0 Offset 0
ViewShare NoChange READONLY
SecNoChange