windbg学习---!process

!process 0 0 显示进程列表：

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
    Image: System

PROCESS 8241d490  SessionId: none  Cid: 0178    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 02b40040  ObjectTable: e148a4a0  HandleCount:  19.
    Image: smss.exe

PROCESS 824d6268  SessionId: 0  Cid: 0264    Peb: 7ffd4000  ParentCid: 0178
    DirBase: 02b40060  ObjectTable: e148fa18  HandleCount: 383.
    Image: csrss.exe
....

!process XXX显示指定进程的所有信息， !process XXX 0显示指定进程的基本信息

XXX可以为EPROCESS或进程ID

kd> !process @$proc 0
PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
    Image: System

kd> !process 4 0
Searching for Process with Cid == 4
Cid Handle table at e1005000 with 366 Entries in use
PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
    Image: System

!process 0 0 XXX.exe查找进程

kd> !process 0 0  smss.exe
PROCESS 8241d490  SessionId: none  Cid: 0178    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 02b40040  ObjectTable: e148a4a0  HandleCount:  19.
    Image: smss.exe

kd> !process 0 0 system
PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
    Image: System

注意只有sytem,没有sytem.exe!!!

kd> !process 0 0 system.exe

上述命令是找不到的