!process 0 0 显示进程列表:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 825b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 02b40020 ObjectTable: e1003e00 HandleCount: 254.
Image: System
PROCESS 8241d490 SessionId: none Cid: 0178 Peb: 7ffdf000 ParentCid: 0004
DirBase: 02b40040 ObjectTable: e148a4a0 HandleCount: 19.
Image: smss.exe
PROCESS 824d6268 SessionId: 0 Cid: 0264 Peb: 7ffd4000 ParentCid: 0178
DirBase: 02b40060 ObjectTable: e148fa18 HandleCount: 383.
Image: csrss.exe
....!process XXX显示指定进程的所有信息, !process XXX 0显示指定进程的基本信息
XXX可以为EPROCESS或进程ID
kd> !process @$proc 0
PROCESS 825b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 02b40020 ObjectTable: e1003e00 HandleCount: 254.
Image: System
kd> !process 4 0
Searching for Process with Cid == 4
Cid Handle table at e1005000 with 366 Entries in use
PROCESS 825b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 02b40020 ObjectTable: e1003e00 HandleCount: 254.
Image: System
!process 0 0 XXX.exe查找进程
kd> !process 0 0 smss.exe
PROCESS 8241d490 SessionId: none Cid: 0178 Peb: 7ffdf000 ParentCid: 0004
DirBase: 02b40040 ObjectTable: e148a4a0 HandleCount: 19.
Image: smss.exe
kd> !process 0 0 system
PROCESS 825b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 02b40020 ObjectTable: e1003e00 HandleCount: 254.
Image: System
注意只有sytem,没有sytem.exe!!!
kd> !process 0 0 system.exe
上述命令是找不到的