Getting the process ID from a crash dump file with PyKd

Question

I am analyzing a lot of crash dumps with Pykd and I would like to get the process ID (PID) from the crash dump.

In WinDbg, I'd use the command | and use my brain to figure it out. Some time later, I'd come up with a command like

.foreach /pS 3 /ps 999 ( pid {|}) {.echo ${pid}}

which extracts the process ID for me.

Just a little bit smarter and I'd use a pseudo register instead:

.printf "%p", $tpid

How would I use PyKD to get the process ID from a user mode crash dump file (.dmp)?

Of course I can always do a pykd.dbgCommand(), but I'd like to use a more robust built-in way.

I have tried

pykd.getCurrentProcessId() but it returns 0.
pykd.reg("tpid") but it says "Invalid register name"

score 0 · Answer 1 · answered Dec 14 '21 at 12:42

0

The pseudo reguster idea was not that bad:

pykd.expr("$tpid")

gives the process ID as a number. Format it as hexadecimal if it's needed in the same format as |.

answered Dec 14 '21 at 12:42

Thomas Weller

55,411
20
125
222

score 0 · Accepted Answer · answered Dec 14 '21 at 17:28

0:000> dx Debugger.Sessions.First().Processes
Debugger.Sessions.First().Processes
    [0x294c]         : wait.exe
0:000> .shell -ci ".echo " type f:\src\wait\pid.py
from pykd import *
print(hex(expr("@$tpid"))).shell: Process exited
0:000> !py f:\src\wait\pid.py
0x294c
0:000> |
.  0    id: 294c        examine name: F:\src\wait\wait.exe
0:000>

score 0 · Answer 3 · answered Dec 20 '21 at 11:06

0

try to use pykd.getProcessSystemID

https://githomelab.ru/pykd/pykd/-/wikis/API%20Reference#function-getprocesssystemid

getCurrentProcessId has sense if you are debugging several processes and need to switch they contexts ( like | command )

answered Dec 20 '21 at 11:06

ussrhero

606
4
5

Getting the process ID from a crash dump file with PyKd

3 Answers3