I hadn’t posted since two years ago; a lot of things happen in such a time and now I’m part of the IIS team. I’m not sure about what to talk about, so I will start with random stuff.
I found debugging very task oriented, there are a bunch of ways to get an answer to the same question; let’s say that someone gave you a machine ready to be debugged in kernel mode and you want to do .tlist -v to list all the processes and the additional information such as PID, Session, Command Line. If you are using a remote machine to access the target machine in kernel mode, .tlist will give you the process in the remote machine; to get the processes in the target machine and dump process information such as the Command Line arguments follow the next steps:
1. List the processes.
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 8447b790 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00122000 ObjectTable: 830002d8 HandleCount: 580.
… (some other processes)
PROCESS 867b7d90 SessionId: 0 Cid: 07a4 Peb: 7ffdf000 ParentCid: 0a00
DirBase: 7ea6b560 ObjectTable: 83170470 HandleCount: 60.
2. Look for your process and copy the DirBase property, in this example I will use appcmd.exe (7ea6b560), and switch to the process’ context:
kd> .context 7ea6b560
3. Dump the process information, that information includes the command-line
PEB at 7ffdf000
…. (more information)
CommandLine: ‘D:\Windows\System32\inetsrv\appcmd.exe clear config -section:system.web