-1

Process Explorer has columns for CPU time (down to milliseconds) and CPU Cycles. For WinDbg I am aware of the !runaway command, also !runaway 7 for more details, but it shows CPU time only.

Are the CPU cycles also available somehow in a user mode crash dump?

Process Explorer vs. WinDbg

What I have tried:

  • I looked at dt nt!_KTHREAD and I see it has a CycleTime property

    ntdll!_KTHREAD
       +0x000 Header           : _DISPATCHER_HEADER
       +0x018 CycleTime        : Uint8B
    
  • I tried to query that property in a !for_each_thread, but WinDbg responds that it's available in kernel mode only.

Why do I want those CPU cycles?

I am working on a training for JetBrains dotTrace. It has an option to count CPU cycles and I'd like to explain where these cycles come from. The above kernel structure and Process Explorer are probably enough, but it would be awesome to see it live or post mortem in a user mode dump. I explain a lot of basics with WinDbg.

Thomas Weller
  • I'll have to see the doc, but times can be queried from user mode using WinAPIs like `QueryProcessCycleTime()` and `QueryThreadCycleTime()` from Vista+. Also, have you checked the `.times`, `.ttimes`, `.echotimestamps` commands? – blabb Apr 04 '17 at 23:17
  • Does it have to be a user dump? You could always resort to *livekd* and still be awesome ;) – Lieven Keersmaekers Apr 05 '17 at 08:01
  • @LievenKeersmaekers: hihi, thanks for the suggestion. Problem is: people have only learned user mode commands so far and are not familiar with `!process` at that time. But yes, maybe it's also time to take the fear from kernel debugging. I'll definitely give it a try – Thomas Weller Apr 05 '17 at 11:05
  • The question isn't really about getting this information from a dump, but rather getting it from WinDbg. Or is there a way to get that information in WinDbg during live debugging (obvious hacks like `.shell` excluded)? That's what confused me and blabb probably. – conio Apr 05 '17 at 17:03
  • If you really want it in the dump you can probably just add a user stream in the call to `MiniDumpWriteDump` or something like that. – conio Apr 05 '17 at 17:07
  • I've got to wonder why all the available machinery returns time instead of cycles. Maybe because cycle time is variable, so the raw number of cycles is not a practical measurement of performance as a user sees it. Or maybe it's simply impossible to measure (for time measurement, special hardware like HPET is used). See also: http://stackoverflow.com/questions/39549164/cpu-cycles-vs-total-cpu-time, https://en.wikipedia.org/wiki/Time_Stamp_Counter – ivan_pozdeev Apr 05 '17 at 17:17

2 Answers

0

Following the implementation of GetProcessTimes() in ReactOS, you can see that the information is copied from the process' KPROCESS. So, indeed, it's only physically present in a dump that includes kernel memory.

ivan_pozdeev
  • It is copied from the `KPROCESS`... right into the dump file. See the documentation for `MiniDumpWriteDump`. When you include the `MiniDumpWithThreadInfo` in the `DumpType` the dump includes a `MINIDUMP_THREAD_INFO_LIST` struct which contains `MINIDUMP_THREAD_INFO` entries, each containing `ULONG64 KernelTime` and `ULONG64 UserTime`. – conio Apr 05 '17 at 11:38
  • @conio: that whole structure (https://msdn.microsoft.com/en-us/library/windows/desktop/ms680510(v=vs.85).aspx) is about time, not CPU cycles. But I agree in principle: that information could potentially be copied into the user mode dump. – Thomas Weller Apr 05 '17 at 11:46
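
The thread info stream discussed in the comments above can be read directly from a dump file. The following is an added example, not code from any of the posters: it parses the `MINIDUMP_THREAD_INFO_LIST` stream with bounds checks on every offset and shows that each entry carries kernel and user time but no cycle count. The function names are assumptions and the sample dump is constructed inside the script.

```python
import struct

THREAD_INFO_LIST_STREAM = 17          # MINIDUMP_STREAM_TYPE.ThreadInfoListStream
HEADER = struct.Struct("<IIIIIIQ")    # MINIDUMP_HEADER, 32 bytes
DIRENT = struct.Struct("<III")        # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
LIST_HDR = struct.Struct("<III")      # SizeOfHeader, SizeOfEntry, NumberOfEntries
# MINIDUMP_THREAD_INFO: ThreadId, DumpFlags, DumpError, ExitStatus, CreateTime,
# ExitTime, KernelTime, UserTime, StartAddress, Affinity. No cycle-count field.
THREAD_INFO = struct.Struct("<IIIIQQQQQQ")


def thread_times(dump: bytes):
    """Return [(thread_id, kernel_ms, user_ms)]; times are stored in 100 ns units."""
    if len(dump) < HEADER.size or dump[:4] != b"MDMP":
        raise ValueError("not a minidump")
    _sig, _ver, nstreams, dir_rva, *_ = HEADER.unpack_from(dump, 0)
    for i in range(nstreams):
        off = dir_rva + i * DIRENT.size
        if off + DIRENT.size > len(dump):
            raise ValueError("stream directory out of bounds")
        stype, size, rva = DIRENT.unpack_from(dump, off)
        if stype != THREAD_INFO_LIST_STREAM:
            continue
        if size < LIST_HDR.size or rva + size > len(dump):
            raise ValueError("stream out of bounds")
        hdr_size, entry_size, count = LIST_HDR.unpack_from(dump, rva)
        if entry_size < THREAD_INFO.size or hdr_size + count * entry_size > size:
            raise ValueError("inconsistent thread info list")
        out = []
        for n in range(count):
            f = THREAD_INFO.unpack_from(dump, rva + hdr_size + n * entry_size)
            out.append((f[0], f[6] // 10_000, f[7] // 10_000))
        return out
    return []  # no such stream: dump written without MiniDumpWithThreadInfo


def constructed_dump(threads):
    """Build a minimal synthetic dump (constructed sample, not a real capture)."""
    body = LIST_HDR.pack(LIST_HDR.size, THREAD_INFO.size, len(threads))
    for tid, kernel_100ns, user_100ns in threads:
        body += THREAD_INFO.pack(tid, 0, 0, 0, 0, 0, kernel_100ns, user_100ns, 0, 0)
    rva = HEADER.size + DIRENT.size   # stream data follows the one-entry directory
    header = HEADER.pack(0x504D444D, 0xA793, 1, HEADER.size, 0, 0, 0)
    return header + DIRENT.pack(THREAD_INFO_LIST_STREAM, len(body), rva) + body


if __name__ == "__main__":
    sample = constructed_dump([(0x1A2C, 460_000, 0), (0x0F10, 310_000, 156_250)])
    print(thread_times(sample))
```
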
0
    C:\tw>ls -l
    total 0

    C:\tw>cdb -c ".dump /ma .\tw.dmp;q" calc.exe | grep writ
    Dump successfully written

    C:\tw>cdb -c "lm;!peb;.dump /ma .\tw1.dmp;q" calc.exe | grep writ
    Dump successfully written

    C:\tw>cdb -c ".ttime;q" -z tw.dmp | grep -B 3 quit
    Created: Wed Apr  5 20:03:55.919 2017 ()
    Kernel:  0 days 0:00:00.046
    User:    0 days 0:00:00.000
    quit:

    C:\tw>cdb -c ".ttime;q" -z tw1.dmp | grep -B 3 quit
    Created: Wed Apr  5 20:04:28.682 2017 ()
    Kernel:  0 days 0:00:00.031
    User:    0 days 0:00:00.000
    quit:

    C:\tw>

blabb
  • `.ttime` shows the time in seconds. I wanted to get CPU cycles. It must be in my question. @conio also misunderstood it. I rephrased the question to make it more clear (hopefully). – Thomas Weller Apr 05 '17 at 15:19