在内核转储中切换到用户堆栈 [英] switching to user stack in kernel dumps

问题描述

在进行事后调试时，是否可以在内核转储中切换到特定进程的用户模式?

Is there a way to switch to user mode of a particular process in a kernel dump while doing postmortem debugging ?

我记得使用.process命令进行实时调试时会这样做.

I remember doing this while live debugging using the .process command.

推荐答案

.process 也可以在内核转储中使用.首先，您可以使用

.process also works in kernel dumps. First, you can find your process using

!process 0 0 myprocess.exe

然后使用切换到该过程

.process <address>

其中< address> 是 PROCESS 之后的十六进制数字.

where <address> is the hex number after PROCESS.

请注意，您仍在进行内核调试，并且只有该进程的物理内存可用(也称为工作集).大多数虚拟地址空间可能已交换到磁盘，并且您无法像在用户模式下那样分析该进程(尤其是对于需要完整的.NET堆的.NET程序).

Note that you are still kernel debugging and you have only the physical memory of that process available (a.k.a. Working Set). The majority of virtual address space is probably swapped to disk and you cannot analyze that process as you would in user mode (especially for .NET programs, where you need the complete .NET heap).

这篇关于在内核转储中切换到用户堆栈的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！