11

Does anyone know how I can list all threads in WinDbg while kernel debugging? I have found older references that say ~ but that does not work.

Specifically, I am looking to find the ID of a thread that caused an event, namely a breakpoint.

Ajay
user963228

2 Answers

12

~ only works in user mode. To list all threads on the system, it's !process 0 1 as I recall (it's been a while).

"Specifically I am looking to find the ID of a thread that caused an event, namely a breakpoint."

This statement doesn't make much sense to do from kernel mode. Can you describe more about what your scenario is?

Edit: Ah, now I get it. You want to know which thread you're currently in right now. Give !thread a go.

Ana Betts
  • Yeh, I have a breakpoint on NtLoadDriver, just would like to know the ID of the thread that raises the exception. – user963228 Dec 24 '11 at 08:07
  • How are you setting the breakpoint? You can't set or intercept breakpoints on user-mode code by default while in a kernel debugger. – Ana Betts Dec 24 '11 at 08:13
  • I mean NtLoadDriver in ntoskrnl, so the thread is already executing in supervisor mode (ring 0). With debug symbols I just type kd> bp NtLoadDriver – user963228 Dec 24 '11 at 08:15
  • and it breaks fine as expected when I expect it to. I'm just looking for a way to retrieve the ID of the thread that is raising the exception. – user963228 Dec 24 '11 at 08:17
  • 3
    For the record, it should be !process 0 2 to show threads for each process. If you also want a stack trace, you can use !process 0 6. This gets extremely verbose though, so I'd recommend providing a specific process to look at instead of using 0. – Mitch Lindgren Mar 28 '14 at 19:08
8

You can always use the @$thread pseudo register to reference the current thread object:

0: kd> r @$thread
$thread=fffff80002c02cc0

If you want the ID of the thread, you'll need to dig it out of the ETHREAD. Luckily, the @$thread is typed as a pointer to an ETHREAD if you're using the C++ evaluator:

0: kd> ?? @$thread->Cid
struct _CLIENT_ID
   +0x000 UniqueProcess    : 0x00000000`00001408 Void
   +0x008 UniqueThread     : 0x00000000`0000144c Void
Ajay
snoone
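An added example, not part of the answers above: a Python helper that parses a saved `!process 0 2` log and maps the ETHREAD address printed by `r @$thread` to its process and thread IDs, which the debugger shows in hex as `Cid pid.tid`. The log text is constructed (it reuses the address and Cid from the answer), `loader.exe` is a made-up image name, and the function names are this example's own.

```python
import re

# Constructed sample laid out like `!process 0 2` output (not a real capture).
SAMPLE = """\
PROCESS fffffa8003c5b040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a000001890  HandleCount: 512.
    Image: System

        THREAD fffffa8003c5bb50  Cid 0004.0008  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable

PROCESS fffffa8004d1e060
    SessionId: 1  Cid: 1408    Peb: 7fffffd8000  ParentCid: 0a2c
    DirBase: 3e6a1000  ObjectTable: fffff8a0021b4c10  HandleCount: 87.
    Image: loader.exe

        THREAD fffffa8004e9a660  Cid 1408.140c  Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
        THREAD fffff80002c02cc0  Cid 1408.144c  Teb: 000007fffffdc000 Win32Thread: 0000000000000000 RUNNING on processor 0
"""

PROCESS_RE = re.compile(r"^PROCESS\s+[0-9a-f`]+", re.I)
IMAGE_RE = re.compile(r"^\s*Image:\s*(.+?)\s*$")
THREAD_RE = re.compile(
    r"^\s*THREAD\s+([0-9a-f`]+)\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)", re.I)


def norm(addr):
    """Parse a debugger hex value; accepts a 0x prefix and the 64-bit backtick."""
    return int(addr.replace("`", ""), 16)


def parse_threads(text):
    """Return {ETHREAD address: {"pid", "tid", "image"}} from a debugger log."""
    threads, image = {}, None
    for line in text.splitlines():
        if PROCESS_RE.match(line):
            image = None  # a new process starts; its Image: line comes later
        elif (m := IMAGE_RE.match(line)):
            image = m.group(1)
        elif (m := THREAD_RE.match(line)):
            threads[norm(m.group(1))] = {
                "pid": norm(m.group(2)), "tid": norm(m.group(3)), "image": image}
    return threads


def find_thread(text, ethread):
    """Look up the owner of an ETHREAD address such as the value of @$thread."""
    return parse_threads(text).get(norm(ethread))
```
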