How to find a process command-line using kernel debugger?

 

I hadn't posted since two years ago; a lot of things happen in such a time and now I'm part of the IIS team. I'm not sure about what to talk about, so I will start with random stuff.

I found debugging very task oriented, there are a bunch of ways to get an answer to the same question; let's say that someone gave you a machine ready to be debugged in kernel mode and you want to do .tlist -v to list all the processes and the additional information such as PID, Session, Command Line. If you are using a remote machine to access the target machine in kernel mode, .tlist will give you the process in the remote machine; to get the processes in the target machine and dump process information such as the Command Line arguments follow the next steps:

1. List the processes.

kd> !process 0 0

**** NT ACTIVE PROCESS DUMP ****
PROCESS 8447b790  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00122000  ObjectTable: 830002d8  HandleCount: 580.
    Image: System

... (some other processes)

PROCESS 867b7d90  SessionId: 0  Cid: 07a4    Peb: 7ffdf000  ParentCid: 0a00
    DirBase: 7ea6b560  ObjectTable: 83170470  HandleCount:  60.
    Image: appcmd.exe

2. Look for your process and copy the DirBase property, in this example I will use appcmd.exe (7ea6b560), and switch to the process' context:

kd> .context 7ea6b560

3. Dump the process information, that information includes the command-line

kd> !peb

PEB at 7ffdf000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No

.... (more information)

    ImageFile:    'D:\Windows\System32\inetsrv\appcmd.exe'
    CommandLine:  'D:\Windows\System32\inetsrv\appcmd.exe clear config -section:system.web
Server/cgi'