!handle
The !handle extension displays information about a handle or handles that one or all processes in the target system own.
User-Mode
!handle [Handle [UMFlags [TypeName]]]
!handle -?
Kernel-Mode
!handle [Handle [KMFlags [Process [TypeName]]]]
Parameters
Handle
Specifies the index of the handle to display. If Handle is -1 or if you omit this parameter, the debugger displays data for all handles that are associated with the current process. If Handle is 0, the debugger displays data for all handles.
UMFlags
(User mode only) Specifies what the display should contain. This parameter can be a sum of any of the following bit values. (The default value is 0x1.)
Bit 0 (0x1)
Displays handle type information.
Bit 1 (0x2)
Displays basic handle information.
Bit 2 (0x4)
Displays handle name information.
Bit 3 (0x8)
Displays object-specific handle information, when available.
KMFlags
(Kernel mode only) Specifies what the display should contain. This parameter can be a sum of any of the following bit values. (The default value is 0x3.)
Bit 0 (0x1)
Displays basic handle information.
Bit 1 (0x2)
Displays information about objects.
Bit 2 (0x4)
Displays free handle entries. If you do not set this bit and you omit Handle or set it to zero, the list of handles that are displayed does not include free handles. If Handle specifies a single free handle, it is displayed even if you do not set this bit.
Bit 4 (0x10)
Displays the handle from the kernel handle table instead of the current process.
Bit 5 (0x20)
Interprets the handle as a thread ID or process ID and displays information about the corresponding kernel object.
Process
(Kernel mode only) Specifies a process. You can use the process ID or the hexadecimal address of the process object. This parameter must refer to a currently running process on the target system. If this parameter is -1 or if you omit it, the current process is used. If this parameter is 0, handle information from all processes is displayed.
TypeName
Specifies the type of handle that you want to examine. Only handles that match this type are displayed. TypeName is case sensitive. Valid types include Event, Section, File, Port, Directory, SymbolicLink, Mutant, WindowStation, Semaphore, Key, Token, Process, Thread, Desktop, IoCompletion, Timer, Job, and WaitablePort.
-?
(User mode only) Displays some Help text for this extension in the Debugger Command window.
DLL
Windows 2000 |
Kdextx86.dll Uext.dll Ntsdexts.dll |
Windows XP and later |
Kdexts.dll Uext.dll Ntsdexts.dll |
Additional Information
For more information about handles, see the !htrace extension, the Microsoft Windows SDK documentation and Microsoft Windows Internals by Mark Russinovich and David Solomon.
Remarks
You can use the !handle extension during user-mode and kernel-mode live debugging. You can also use this extension on kernel-mode dump files. However, you cannot use this extension on user-mode dump files, unless you specifically created them with handle information. (You can create such dump files by using the .dump /mh (Create Dump File) command.)
During live user-mode debugging, you can use the .closehandle (Close Handle) command to close one or more handles.
The following examples are user-mode examples of the !handle extension. The following command displays a list of all handles.
0:000> !handle
Handle 4
Type Section
Handle 8
Type Event
Handle c
Type Event
Handle 10
Type Event
Handle 14
Type Directory
Handle 5c
Type File
6 Handles
Type Count
Event 3
Section 1
File 1
Directory 1
The following command displays detailed information about handle 0x8.
0:000> !handle 8 f
Handle 8
Type Event
Attributes 0
GrantedAccess 0x100003:
Synch
QueryState,ModifyState
HandleCount 2
PointerCount 3
Name <none>
Object Specific Information
Event Type Auto Reset
Event is Waiting
The following examples are kernel-mode examples of !handle. The following command lists all handles, including free handles.
kd> !handle 0 4
processor number 0
PROCESS 80559800 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000d60 TableSize: 380.
Image: Idle
New version of handle table at e1002000 with 380 Entries in use
0000: free handle, Entry address e1002000, Next Entry fffffffe
0004: Object: 80ed5238 GrantedAccess: 001f0fff
0008: Object: 80ed46b8 GrantedAccess: 00000000
000c: Object: e1281d00 GrantedAccess: 000f003f
0010: Object: e1013658 GrantedAccess: 00000000
......
0168: Object: ffb6c748 GrantedAccess: 00000003 (Protected)
016c: Object: ff811f90 GrantedAccess: 0012008b
0170: free handle, Entry address e10022e0, Next Entry 00000458
0174: Object: 80dfd5c8 GrantedAccess: 001f01ff
......
The following command show detailed information about handle 0x14 in the kernel handle table.
kd> !handle 14 13
processor number 0
PROCESS 80559800 SessionId: 0 Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000d60 TableSize: 380.
Image: Idle
Kernel New version of handle table at e1002000 with 380 Entries in use
0014: Object: e12751d0 GrantedAccess: 0002001f
Object: e12751d0 Type: (80ec8db8) Key
ObjectHeader: e12751b8
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER\EXECUTIVE
The following command shows information about all handles to Section objects in all processes.
!handle 0 3 0 Section
...
PROCESS fffffa8004f48940
SessionId: none Cid: 0138 Peb: 7f6639bf000 ParentCid: 0004
DirBase: 10cb74000 ObjectTable: fffff8a00066f700 HandleCount: 39.
Image: smss.exe
Handle table at fffff8a00066f700 with 39 entries in use
0040: Object: fffff8a000633f00 GrantedAccess: 00000006 (Inherit) Entry: fffff8a000670100
Object: fffff8a000633f00 Type: (fffffa80035fef20) Section
ObjectHeader: fffff8a000633ed0 (new version)
HandleCount: 1 PointerCount: 262144
...