Dbg Tools
Dbg Tools
symchk.exe:验证符号文件或者从符号服务器下载符号文件
symstore.exe:创建和维护符号库
Using SymChk(symchk.exe)
SymChk用于验证符号文件或者从符号服务器下载符号文件。
使用Symchk.exe验证以及下载符号:
symchk [/r] FileNames /s SymbolPath
Examples:
验证指定ExeFile的符号文件是否存在,从本地符号路径,服务器符号路径查找:
symchk C:\Application.exe /s C:\MyLocalSymbols;SRV*http://msdl.microsoft.com/download/symbols
开关/v显示详细信息:
symchk /v C:\Application.exe /s C:\MyLocalSymbols;SRV*http://msdl.microsoft.com/download/symbols
验证指定ExeFile的符号文件是否存在,从本地符号路径,服务器符号路径查找,如果存在则下载到缓存符号路径(可用于下载指定程序或者路径的符号文件):
symchk C:\Application.exe /s C:\MyLocalSymbols;cache*C:\MyCacheSymbols;SRV*http://msdl.microsoft.com/download/symbols
验证指定目录下的文件对应的符号文件是否存在,如果存在则下载到缓存目录,开关/r表示查找子目录:
symchk /r C:\windows\system32 /s C:\MyLocalSymbols;cache*C:\MyCacheSymbols;SRV*http://msdl.microsoft.com/download/
验证指定目录下的文件对应的符号文件是否存在:
symchk /r C:\windows\system32
如果不使用开关/s则默认SymbolPath为(需要管理员权限运行才能向%SystemRoot%(eg.C:\Windows)写文件):
srv*%SystemRoot%\symbols*http://msdl.microsoft.com/download/symbols
如果指定CACHE地址的同时指定SRV本地地址则SRV本地地址会被忽略,如下,下载的缓存文件存储到C:\SymbolsCache中:
symchk C:\Windows\System32\netapi32.dll /s CACHE*C:\SymbolsCache*SRV*C:\SymbolsCa*C:\SymCancheA*C:\SymCancheB*http://msdl.microsoft.com/download/symbols
如果指定多个SRV本地地址,缓存的pdb文件会存放在第一个路径中,其余的本地路径均存放同样的pd_文件(不知道这个格式是做什么的)
symchk C:\Windows\System32\netapi32.dll /s SRV*C:\SymbolsCa*C:\SymCancheA*C:\SymCancheB*http://msdl.microsoft.com/download/symbols
CACHE指定的缓存目录不仅存储pdb文件还存储对应的可执行文件例如.dll,.exe...,SRV指定的本地文件仅存储pdb文件
Using Tlist(tlist.exe)
TList (Task List Viewer), Tlist.exe, is a command-line tool that displays the processes running on the local computer along with useful information about each process.
TList displays:
All processes running on the computer, along with their process IDs (PIDs).
A tree showing which processes created each process.
Details of the process, including its virtual memory use and the command that started the process.
Threads running in each process, including their thread IDs, entry points, last reported error, and thread state.
The modules running in each process, including the version number, attributes, and virtual address of the module.
You can use TList to search for a process by name or PID, or to find all processes that have loaded a specified module.
In Windows XP and later versions of Windows, TList was replaced by TaskList (Tasklist.exe), which is described in Help and Support for those systems. TList is included in Debugging Tools for Windows to support users who do not have access to TaskList.
TList Commands
The syntax of the TList command is as follows:
tlist [/p ProcessName | PID | Pattern | /t | /c | /e | /k | /m [Module] | /s | /v]
Parameters
tlist Without additional parameters, TList displays all running processes, their process identifiers (PIDs), and the title of the window in which they are running, if any.
/p ProcessName Displays the process identifier (PID) of the specified process.
ProcessName is the name of the process (with or without file name extension), not a pattern.
If the value of ProcessName does not match any running process, TList displays -1. If it matches more than one process name, TList displays only the PID of the first matching process.
PID Displays detailed information about the process specified by the PID. For information about the display, see the "Remarks" section below. To find a process ID, type tlist without additional parameter.
Pattern Displays detailed information about all processes whose names or window titles match the specified pattern. Pattern can be a complete name or a regular expression.
/t Displays a task tree in which each process appears as a child of the process that created it.
/c Displays the command line that started each process.
/e Displays the session identifier for each process.
/k Displays the COM components active in each process.
/m Module Lists tasks in which the specified DLL or executable module is loaded. Module can be a complete module name or a module name pattern.
/s Displays the services that are active in each process.
/v Displays details of running processes including the process ID, session ID, window title, command line, and the services running in the process.
Comments In its detailed display of a process (tlist PID or tlist Pattern), TList displays the following information.
Process ID, executable name, friendly name of the program.
Current working directory (CWD).
The command line that started the process (CmdLine).
Current virtual address space values.
Number of threads.
A list of threads running in the process. For each thread, TList displays the thread ID (TID), the function that the thread is running, the address of the entry point, the address of the last reported error (if any), and the thread state.
A list of the modules loaded for the process. For each module, TList displays the version number, attributes, virtual address of the module, and the module name.
When using the /e parameter, valid session identifiers appear in the process list only under the following conditions. Otherwise, the session identifier is zero (0).
On Windows 2000 and Windows Server 2003, at least one user must be connected to a session other than the console session.
On Windows XP, Fast User Switching must be enabled and more than one user must be connected to the non-console session.
On Windows Vista, where all processes are associated with two Terminal Services sessions by default, at least one user must be connected to the non-console session.
TList Examples The following examples demonstrate how to use TList.
Simplest TList Command (tlist) Typing tlist without additional parameters displays a list of running processes, their process IDs (PIDs), and the title of the window in which they are running, if any.
c:>tlist
0 System Process
4 System
308 smss.exe
356 csrss.exe
380 winlogon.exe NetDDE Agent
424 services.exe
436 lsass.exe
604 svchost.exe
776 svchost.exe
852 spoolsv.exe
1000 clisvcl.exe
1036 InoRpc.exe
1064 InoRT.exe
1076 InoTask.exe
1244 WTTSvc.exe
1492 Sysparse_com.exe OleMainThreadWndName
1980 explorer.exe Program Manager
1764 launch32.exe SMS Client User Application Launcher
1832 msmsgs.exe MSBLNetConn
2076 ctfmon.exe
2128 ISATRAY.EXE IsaTray
4068 tlist.exe
Find a process ID (-p) The following command uses the -p parameter and process name to find the process ID of the Explorer.exe (Explorer) process.
In response, TList displays the process ID of the Explorer process, 328.
c:>tlist -p explorer 328
Find process details using PID The following command uses the process ID of the process in which Explorer is running to find detailed information about the Explorer process.
c:>tlist 328
In response, TList displays details of the Explorer process including the following elements:
Process ID, executable name, program friendly name.
Current working directory (CWD).
The command line that started the process (CmdLine).
Current virtual address space values.
Number of threads.
A list of threads running in the process. For each thread, TList displays the thread ID (TID), the function that the thread is running, the address of the entry point, the address of the last reported error (if any), and the thread state.
A list of the modules loaded for the process. For each module, TList displays the version number, attributes, virtual address of the module, and the module name.
The following is an excerpt of the output resulting from this command.
328 explorer.exe Program Manager CWD: C:\Documents and Settings\user01\ CmdLine: C:\WINDOWS\Explorer.EXE VirtualSize: 90120 KB PeakVirtualSize: 104844 KB WorkingSetSize: 19676 KB PeakWorkingSetSize: 35716 KB NumberOfThreads: 17 332 Win32StartAddr:0x010160cc LastErr:0x00000008 State:Waiting 1232 Win32StartAddr:0x70a7def2 LastErr:0x00000000 State:Waiting 1400 Win32StartAddr:0x77f883de LastErr:0x00000000 State:Waiting 1452 Win32StartAddr:0x77f91e38 LastErr:0x00000000 State:Waiting 1484 Win32StartAddr:0x70a7def2 LastErr:0x00000006 State:Waiting 1904 Win32StartAddr:0x74b02ed6 LastErr:0x00000000 State:Ready 1948 Win32StartAddr:0x72d22ecc LastErr:0x00000000 State:Waiting .... (thread data deleted here)
6.0.2800.1106 shp 0x01000000 Explorer.EXE 5.1.2600.1217 shp 0x77F50000 ntdll.dll 5.1.2600.1106 shp 0x77E60000 kernel32.dll 7.0.2600.1106 shp 0x77C10000 msvcrt.dll 5.1.2600.1106 shp 0x77DD0000 ADVAPI32.dll 5.1.2600.1254 shp 0x78000000 RPCRT4.dll 5.1.2600.1106 shp 0x77C70000 GDI32.dll 5.1.2600.1255 shp 0x77D40000 USER32.dll .... (module data deleted here)
Find multiple processes (Pattern) The following command searches for processes by a regular expression that represents the process name or window name of one or more processes. In this example, the command searches for a process whose process name or window name begins with "ino."
c:>tlist ino*
In response, TList displays process details for Inorpc.exe, Inort.exe, and Inotask.exe. For a description of the output, see the "Find process details using PID" subsection above.
Display a process tree (/t) The following command displays a tree that represents the processes running on the computer. Processes appear as the children of the process that created them.
c:>tlist /t
The resulting process tree follows. This tree shows, among other things, that the System (4) process created the Smss.exe process, which created Csrss.exe, Winlogon.exe, Lsass.exe and Rundll32.exe. Also, Winlogon.exe created Services.exe, which created all of the service-related processes.
System Process (0)
System (4)
smss.exe (404)
csrss.exe (452)
winlogon.exe (476) NetDDE Agent
services.exe (520)
svchost.exe (700)
svchost.exe (724)
svchost.exe (864)
svchost.exe (888)
spoolsv.exe (996)
scardsvr.exe (1040)
alg.exe (1172)
atievxx.exe (1200) ATI video bios poller
InoRpc.exe (1248)
InoRT.exe (1264)
InoTask.exe (1308)
mdm.exe (1392)
dllhost.exe (2780)
lsass.exe (532)
rundll32.exe (500)
explorer.exe (328) Program Manager
WLANMON.exe (1728) TI Wireless LAN Monitor
ISATRAY.EXE (1712) IsaTray
cmmon32.exe (456)
WINWORD.EXE (844) Tlist.doc - Microsoft Word
dexplore.exe (2096) Platform SDK - CreateThread
Find process by module (/m) The following command finds all of the processes running on the computer that load a particular DLL.
c:>tlist /m
In response, TList displays process details for Inorpc.exe, Inort.exe, and Inotask.exe. For a description of the output, see the "Find process details using PID" subsection above.
Using Tasklist(tasklist.exe)
tasklist /FI "IMAGENAME eq notepad.exe"