Windbg: Using .shell to search text


To me, one of the most useful commands when using WinDbg is .shell. According to the Debugging Tools for Windows documentation:


“The .shell command launches a shell process and redirects its output to the debugger, or to a specified file.”


So why would I find it interesting and useful in my day-to-day work to launch a shell process? Maybe to impress friends (who know nothing about debugging) with strange commands, or to make it all sound very complicated. Well, actually I use .shell for one of the simplest tasks we all do every day, and that's finding text. Now you might be thinking: why don't you just use Ctrl+F and find what you want? (We will talk about this in a couple of minutes.)


So, as I was saying, I use it a lot to find text inside memory dumps, and this saves me time. Since .shell launches a shell process, the key here is to use the old FIND command from DOS to help us. FIND searches for a text string inside a file. If you open a command prompt and run FIND /?, you will see something like the following.


Searches for a text string in a file or files.

FIND [/V] [/C] [/N] [/I] [/OFF[LINE]] "string" [[drive:][path]filename[ ...]]

  /V         Displays all lines NOT containing the specified string.
  /C         Displays only the count of lines containing the string.
  /N         Displays line numbers with the displayed lines.
  /I         Ignores the case of characters when searching for the string.
  /OFF[LINE] Do not skip files with offline attribute set.
  "string"   Specifies the text string to find.
  [drive:][path]filename
             Specifies a file or files to search.

If a path is not specified, FIND searches the text typed at the prompt
or piped from another command.



The sample below is a (very simple) example of finding a specific string in the call stacks. I use it a lot to find specific values inside object properties, but I'm sure you will find other useful uses for this command.


0:000:x86> .shell -ci "~*kb" FIND /I "BaseCachedThreadroutine"
0c8ffdb0 75721c6b 00512fe0 0c8ffdc8 76c9e3f3 rpcrt4!BaseCachedThreadRoutine+0x9e
0effff60 75721c6b 00512fe0 0effff78 76c9e3f3 rpcrt4!BaseCachedThreadRoutine
.shell: Process exited



The -ci argument specifies that the output of the debugger command "~*kb" is to be used as the input of the FIND command. There are a few more options, which you can look up in the Debugging Tools for Windows help.
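One thing FIND cannot tell you is which thread a matching frame belongs to, because "~*kb" prints the thread number only in a header line that FIND drops. As an added example (not code from the post), here is a small Python filter that does the same case-insensitive match over a saved "~*kb" listing (for instance one captured with .logopen) but keeps track of the thread header; the listing below is constructed for the example and is not real debugger output.

```python
import re

# Constructed sample of "~*kb" output: each thread starts with a header line whose
# first token is the debugger thread index, followed by its stack frames.
SAMPLE_KB = """\
   0  Id: 1a4.1b8 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  Args to Child
0012fe7c 7c90e9c0 7c8025cb 00000000 00000000 ntdll!KiFastSystemCallRet
0012ff1c 01001a2b 00000000 00000000 00000000 kernel32!WaitForSingleObject+0x12
   1  Id: 1a4.2c0 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr  Args to Child
0c8ffdb0 75721c6b 00512fe0 0c8ffdc8 76c9e3f3 rpcrt4!BaseCachedThreadRoutine+0x9e
0c8ffdbc 76c9e3f3 00512fe0 0c8ffdd8 77e5eb69 kernel32!BaseThreadStart+0x37
   2  Id: 1a4.3d4 Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr  Args to Child
0effff60 75721c6b 00512fe0 0effff78 76c9e3f3 rpcrt4!BaseCachedThreadRoutine+0x9e
"""

# Thread header: "<index>  Id: <pid>.<tid> ..." (hex process and thread ids).
THREAD_HEADER = re.compile(r"^\s*(\d+)\s+Id:\s+([0-9a-f]+)\.([0-9a-f]+)", re.I)


def find_frames(kb_output, needle):
    """Case-insensitive search like FIND /I, but each hit also carries the
    owning thread. Returns a list of (thread_index, thread_id_hex, frame_line)."""
    hits = []
    thread_index, thread_id = None, None
    for line in kb_output.splitlines():
        m = THREAD_HEADER.match(line)
        if m:
            # Remember which thread the following frames belong to.
            thread_index, thread_id = int(m.group(1)), m.group(3)
            continue
        if needle.lower() in line.lower():
            hits.append((thread_index, thread_id, line.strip()))
    return hits


def threads_with(kb_output, needle):
    """Sorted, de-duplicated debugger thread indexes whose stack contains needle."""
    return sorted({idx for idx, _, _ in find_frames(kb_output, needle)})


if __name__ == "__main__":
    for idx, tid, frame in find_frames(SAMPLE_KB, "BaseCachedThreadroutine"):
        print(f"thread {idx} (tid {tid}): {frame}")
```

With the thread index in hand you can jump straight to it in the debugger with "~<index>s" instead of scanning the full listing.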


Till next time. Have Fun!!!


Bruno

Comments (1)
  1. Anonymous says:

    Hi there,

    Is there any way to hide the string ".shell: Process exited" that always displays at the end of the command output?
