!irp
The !irp extension displays information about an I/O request packet (IRP).
!irp Address [Detail]
Parameters
Address
Specifies the hexadecimal address of the IRP.
Detail
If this parameter is included with any value, such as 1, the output includes the status of the IRP, the address of its memory descriptor list (MDL), its owning thread, and stack information for all of its I/O stacks, and information about each stack location for the IRP, including hexadecimal versions of the major function code and the minor function code. If this parameter omitted, the output includes only a summary of the information.
DLL
Kdexts.dll
Additional Information
See Plug and Play Debugging and Debugging Interrupt Storms for applications of this extension command. For information about IRPs, see the Windows Driver Kit (WDK) documentation and Microsoft Windows Internals by Mark Russinovich and David Solomon. For further information on the major and minor function codes, see the Windows Driver Kit (WDK) documentation.
This topic describes the IRP structure, IRP.
For detailed information on decoding the IRP structure including the returned Args, see the following resources.
- Windows Internals by Mark E. Russinovich, David A. Solomon and Alex Ionescu
- Developing Drivers with the Windows Driver Foundation Guy Smith and Penny Orwick
Remarks
The output also indicates under what conditions the completion routine for each stack location will be called once the IRP has completed and the stack location is processed. There are three possibilities:
Success
Indicates that the completion routine will be called when the IRP is completed with a success code.
Error
Indicates that the completion routine will be called when the IRP is completed with an error code.
Cancel
Indicates that the completion routine will be called if an attempt was made to cancel the IRP.
Any combination of these three may appear, and if any of the conditions shown are satisfied, the completion routine will be called. The appropriate values are listed at the end of the first row of information about each stack location, immediately after the Completion-Context entry.
Here is an example of the output from this extension for Windows 10:
0: kd> !irp ac598dc8
Irp is active with 2 stacks 1 is current (= 0xac598e38)
No Mdl: No System Buffer: Thread 8d1c7bc0: Irp stack trace.
cmd flg cl Device File Completion-Context
>[IRP_MJ_FILE_SYSTEM_CONTROL(d), N/A(0)]
1 e1 8a6434d8 ac598d40 853220cb-a89682d8 Success Error Cancel pending
\FileSystem\Npfs fltmgr!FltpPassThroughCompletion
Args: 00000000 00000000 00110008 00000000
[IRP_MJ_FILE_SYSTEM_CONTROL(d), N/A(0)]
1 0 8a799710 ac598d40 00000000-00000000
\FileSystem\FltMgr
Args: 00000000 00000000 0x00110008 00000000
Starting with Windows 10 the IRP major and minor code text is displayed, for example, "IRP_MJ_FILE_SYSTEM_CONTROL" The code value is also shown in hex, in this example "(d)".
The third argument displayed in the output, is the IOCTL code. Use the !ioctldecode command to display information about the IOCTL.
Here is an example of the output from this extension from Windows Vista.
0: kd> !irp 0x831f4a00
Irp is active with 8 stacks 5 is current (= 0x831f4b00)
Mdl = 82b020d8 Thread 8c622118: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[ 3,34] 40 e1 828517a8 00000000 842511e0-00000000 Success Error Cancel pending
\Driver\disk partmgr!PmReadWriteCompletion
Args: 00007000 00000000 fe084e00 00000004
[ 3, 0] 40 e0 82851450 00000000 842414d4-82956350 Success Error Cancel
\Driver\PartMgr volmgr!VmpReadWriteCompletionRoutine
Args: 129131bb 000000de fe084e00 00000004
[ 3, 0] 0 e0 82956298 00000000 847eeed0-829e2ba8 Success Error Cancel
\Driver\volmgr Ntfs!NtfsMasterIrpSyncCompletionRoutine
Args: 00007000 00000000 1bdae400 00000000
[ 3, 0] 0 0 82ac2020 8e879410 00000000-00000000
\FileSystem\Ntfs
Args: 00007000 00000000 00018400 00000000
Note that the completion routine next to the driver name is set on that stack location, and it was set by the driver in the line below. In the preceding example, Ntfs!NtfsMasterIrpSyncCompletionRoutine was set by \FileSystem\Ntfs. The Completion-Context entry above Ntfs!NtfsMasterIrpSyncCompletionRoutine, 847eeed0-829e2ba8, indicates the address of the completion routine, as well as the context that will be passed to Ntfs!NtfsMasterIrpSyncCompletionRoutine. From this we can see that the address of Ntfs!NtfsMasterIrpSyncCompletionRoutine is 847eeed0, and the context that will be passed to this routine when it is called is 829e2ba8.
IRP major function codes
The following information is included to help you interpret the output from this extension command.
The IRP major function codes are as follows:
| Major Function Code | Hexadecimal Code |
|---|---|
IRP_MJ_CREATE |
0x00 |
IRP_MJ_CREATE_NAMED_PIPE |
0x01 |
IRP_MJ_CLOSE |
0x02 |
IRP_MJ_READ |
0x03 |
IRP_MJ_WRITE |
0x04 |
IRP_MJ_QUERY_INFORMATION |
0x05 |
IRP_MJ_SET_INFORMATION |
0x06 |
IRP_MJ_QUERY_EA |
0x07 |
IRP_MJ_SET_EA |
0x08 |
IRP_MJ_FLUSH_BUFFERS |
0x09 |
IRP_MJ_QUERY_VOLUME_INFORMATION |
0x0A |
IRP_MJ_SET_VOLUME_INFORMATION |
0x0B |
IRP_MJ_DIRECTORY_CONTROL |
0x0C |
IRP_MJ_FILE_SYSTEM_CONTROL |
0x0D |
IRP_MJ_DEVICE_CONTROL |
0x0E |
| IRP_MJ_INTERNAL_DEVICE_CONTROL IRP_MJ_SCSI | 0x0F |
IRP_MJ_SHUTDOWN |
0x10 |
IRP_MJ_LOCK_CONTROL |
0x11 |
IRP_MJ_CLEANUP |
0x12 |
IRP_MJ_CREATE_MAILSLOT |
0x13 |
IRP_MJ_QUERY_SECURITY |
0x14 |
IRP_MJ_SET_SECURITY |
0x15 |
IRP_MJ_POWER |
0x16 |
IRP_MJ_SYSTEM_CONTROL |
0x17 |
IRP_MJ_DEVICE_CHANGE |
0x18 |
IRP_MJ_QUERY_QUOTA |
0x19 |
IRP_MJ_SET_QUOTA |
0x1A |
| IRP_MJ_PNP IRP_MJ_MAXIMUM_FUNCTION | 0x1B |
The Plug and Play minor function codes are as follows:
| Minor Function Code | Hexadecimal Code |
|---|---|
IRP_MN_START_DEVICE |
0x00 |
IRP_MN_QUERY_REMOVE_DEVICE |
0x01 |
IRP_MN_REMOVE_DEVICE |
0x02 |
IRP_MN_CANCEL_REMOVE_DEVICE |
0x03 |
IRP_MN_STOP_DEVICE |
0x04 |
IRP_MN_QUERY_STOP_DEVICE |
0x05 |
IRP_MN_CANCEL_STOP_DEVICE |
0x06 |
IRP_MN_QUERY_DEVICE_RELATIONS |
0x07 |
IRP_MN_QUERY_INTERFACE |
0x08 |
IRP_MN_QUERY_CAPABILITIES |
0x09 |
IRP_MN_QUERY_RESOURCES |
0x0A |
IRP_MN_QUERY_RESOURCE_REQUIREMENTS |
0x0B |
IRP_MN_QUERY_DEVICE_TEXT |
0x0C |
IRP_MN_FILTER_RESOURCE_REQUIREMENTS |
0x0D |
IRP_MN_READ_CONFIG |
0x0F |
IRP_MN_WRITE_CONFIG |
0x10 |
IRP_MN_EJECT |
0x11 |
IRP_MN_SET_LOCK |
0x12 |
IRP_MN_QUERY_ID |
0x13 |
IRP_MN_QUERY_PNP_DEVICE_STATE |
0x14 |
IRP_MN_QUERY_BUS_INFORMATION |
0x15 |
IRP_MN_DEVICE_USAGE_NOTIFICATION |
0x16 |
IRP_MN_SURPRISE_REMOVAL |
0x17 |
IRP_MN_QUERY_LEGACY_BUS_INFORMATION |
0x18 |
The WMI minor function codes are as follows:
| Minor Function Code | Hexadecimal Code |
|---|---|
IRP_MN_QUERY_ALL_DATA |
0x00 |
IRP_MN_QUERY_SINGLE_INSTANCE |
0x01 |
IRP_MN_CHANGE_SINGLE_INSTANCE |
0x02 |
IRP_MN_CHANGE_SINGLE_ITEM |
0x03 |
IRP_MN_ENABLE_EVENTS |
0x04 |
IRP_MN_DISABLE_EVENTS |
0x05 |
IRP_MN_ENABLE_COLLECTION |
0x06 |
IRP_MN_DISABLE_COLLECTION |
0x07 |
IRP_MN_REGINFO |
0x08 |
IRP_MN_EXECUTE_METHOD |
0x09 |
The power management minor function codes are as follows:
| Minor Function Code | Hexadecimal Code |
|---|---|
IRP_MN_WAIT_WAKE |
0x00 |
IRP_MN_POWER_SEQUENCE |
0x01 |
IRP_MN_SET_POWER |
0x02 |
IRP_MN_QUERY_POWER |
0x03 |
The SCSI minor function codes are as follows:
| Minor Function Code | Hexadecimal Code |
|---|---|
IRP_MN_SCSI_CLASS |
0x01 |