MEX
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
parent directory.. | ||||
kd> !load mex Mex External 3.0.0.7148 Loaded! kd> !mex Mex currently has 324 extensions available. Please specify a keyword to search. Or browse by category: All PowerShell[6] SystemCenter[3] IE[6] RDS[2] Excel[4] Word[6] VB[5] MAPI[24] MSO[3] Outlook[15] Networking[12] Process[7] Mex[2] Kernel[27] DotNet[32] Decompile[15] Utility[40] Thread[27] Binaries[6] General[23] 7: kd> !mex.help -all Command Description Category Owner =========================================== ======================================================================================================================================================== ============ =========== addr Display information about an address Kernel mexfeedback afd Afd Command Help Networking mexfeedback aspnetcache (!aspnetcache) Display the ASP.NET Cache DotNet mexfeedback aspxpagesext Like !aspxpages, but more powerful DotNet mexfeedback atom Dumps user mode atom table Utility mexfeedback autod Enable or disable AutoDiscover tracing output for Outlook Outlook mexfeedback backtrace (!bt) Displays the stack backtrace for the specified index into ntdll!RtlpStackTraceDatabase General mexfeedback base64 (!b64) Displays or saves base64 data General mexfeedback beep Beeps Utility mexfeedback bin Displays binary information located at the given address Utility mexfeedback bits2 (!b2) Executes a command with all possible values of a single bit flip Utility mexfeedback bl Replaces the built in breakpoint list (bl) command with DML'd version Utility mexfeedback bp Replaces the built in breakpoint (bp) command with a DML'd version Utility mexfeedback cache (!c) Cache the output of a command to replay later Utility mexfeedback celement (!_mce) Dump mshtml!CElement object from address IE mexfeedback chkall Shortcut for !chkimg against all modules Binaries mexfeedback classtype (!ct) Tries to determine the C++ class type of a pointer General mexfeedback clipboard2 Gets/Sets text on the clipboard, or enable/disable clipboard access Utility mexfeedback clrstack2 (!ck2) Prints the stack trace of a managed thread DotNet mexfeedback clusdisk Shows all the disk cluster is aware of for W2k3 - W28R2 General mexfeedback codescope Prints all available code analysis checklists Decompile mexfeedback colescript (!_jscole) Dump jscript!COleScript object from address IE mexfeedback commandline (!cl) Prints out the command line of a process General mexfeedback comment Displays the comments for the dump Utility mexfeedback computername (!cn) Computer Name Command Help Utility mexfeedback conhost (!con) Displays console host (conhost.exe) info Process mexfeedback context (!w) Prints out the current implicit process and thread context (e.g. where am I) General mexfeedback cordll (!cordll) Displays available CLR versions DotNet mexfeedback count Counts the number of lines returned by a command Utility mexfeedback criticalsection (!cs) CS - Displays details for a critical section General mexfeedback crypt32 Dumps crypt32.dll info Process mexfeedback cscriptbody Dumps information about a vbscript!CScriptBody object VB mexfeedback cut Filters output, removing unwanted areas Utility mexfeedback da Displays an ANSI string Utility mexfeedback dae (!DumpAllExceptions) Replacement for !dae DotNet mexfeedback ddt Wrapper for dt that adds some DML Utility mexfeedback decodeoplockstate (!dols) Decode an OpLockState to human readable values General mexfeedback decompilemember Decompile and print psuedo-C# source code for the given [MemberName] Decompile mexfeedback decompiletype Decompile and print psuedo-C# source code for the given [TypeName] Decompile mexfeedback deferredready (!dfr) Shows the current deferredready threads Thread mexfeedback delegaterefs (!drefs) Displays information about objects referenced by delegates DotNet mexfeedback desktop (!desktops) Displays the desktops for the Windows Stations Kernel mexfeedback deviceobject (!devo) Displays information about a device object Kernel mexfeedback dhcp Displays information for the DHCP server process Networking mexfeedback diffimg Compares the process' loaded module list with a scan of memory and displays any differences Binaries mexfeedback displayobj (!do2) Display a managed object structure DotNet mexfeedback dnsclient (!dnsc) Displays the DNS client cache, and includes many other features for the DNS Client service. Networking mexfeedback dr Displays registers showing volatile registers highlighted with (*) General mexfeedback driverobject (!drvo) Displays details about a driver object Kernel mexfeedback dtpool (!dtp) Displays information about a pool allocation, if it is a known pooltag we will 1. Try to run the correct extension, or 2. Just dt the structure for you. Kernel mexfeedback du Displays a Unicode string Utility mexfeedback dumpaspnetsession Prints information on ASP.NET InProc Sessions DotNet mexfeedback dumpattachmentcol (!dac) Dumps an object which inherits from AttachmentCol Outlook mexfeedback dumpattachmentobject (!dao) Dumps an object which inherits from AttachmentObject Outlook mexfeedback dumpccnctconnprovhttp (!dccph) Dumps an emsmdb32!CCnctConnProvHTTP object MAPI mexfeedback dumpcnct (!cnct) Dumps an emsmdb32!CNCT object MAPI mexfeedback dumpcontactinfo (!dci) Dumps an CMsoContactInfo object Outlook mexfeedback dumpcontextlinks (!dcl) Dumps the chain of context links of type outlook!OMContextLink Outlook mexfeedback dumpdataset Dumps a list of all DataSet objects DotNet mexfeedback dumpdotsourcedfiles Outputs any dot sourced Powershell files optionally with their accompanying script blocks PowerShell mexfeedback dumpdynamicassemblies2 (!dda2) Like !DumpDynamicAssemblies, but better DotNet mexfeedback dumpgcalloc (!_jsgca) Dump jscript Garbage Collector Alloc from address IE mexfeedback dumphttpruntime2 Dumps the HttpRuntime objects on the heap DotNet mexfeedback dumpinfo (!di) Display dump information Utility mexfeedback dumppersona Dumps an CMsoPersona object Outlook mexfeedback dumpprintfieldinfo (!dpfi) Dumps a RGPFI array of PrintFieldInfo structures Outlook mexfeedback dumppsvariables Outputs the Powershell Variables of the currently running script on the current thread PowerShell mexfeedback dumpreminderdialog (!drd) Dumps the reminder dialog from OUTLOOK!g_pReminder Outlook mexfeedback dumprpcs Finds MAPI RPCs using olmapi32!g_ServerReqMgrList MAPI mexfeedback dumpsharedlock (!dsl) Dumps the mso!CSharedLock object for the current thread MSO mexfeedback dumpstackpscommands Outputs the commands, cmdlets, etc. found on the current thread including those referenced by other objects on the thread. PowerShell mexfeedback dumpstackpsobjects Outputs the PSObjects found on the current thread including those referenced by other objects on the thread. PowerShell mexfeedback dumpstackstrings (!dss) Displays all the strings on the stack Thread mexfeedback dumpsubmitters Dumps SUBMITTER_REC records MAPI mexfeedback dumpsystemstring (!systemstring) Dumps a pstprx32!Microsoft::System::String MAPI mexfeedback dumptasks Dumps SERVER_REQ_TASK_REC records MAPI mexfeedback dumptime Time Information Utility mexfeedback dumpvar (!dumpvt) Dumps a VARIANT at the given address VB mexfeedback dumpwcfmessage (!wcfmsg) Dumps information about a WCF buffered message DotNet mexfeedback dumpwindowsurfaces (!dws) Dump window surfaces to a directory Kernel mexfeedback dumpwrappercontexts (!dwc) Dumps Outlook wrapper contexts from outlook!OMPerTypeList<OMWrapperContext>::s_pHead Outlook mexfeedback eresource (!eres) Displays details for a nt!_ERESOURCE Kernel mexfeedback err Interprets an error code MAPI mexfeedback evt Show detail for a nt!_KEVENT Kernel mexfeedback exec Runs a series of commands. Use this instead of using semicolons Utility mexfeedback executive Displays details on threads waiting on the executive Thread mexfeedback fileobject (!fo) Displays information about a given file object Kernel mexfeedback fileserver (!fs) Displays thread running the SRV.sys or SRV2.sys drivers, excluding threads waiting on inbound work General mexfeedback filetime (!ft) Dumps a FILETIME at the given address MAPI mexfeedback finalizable (!finalizable) Displays information about finalizable objects in the GC Heap DotNet mexfeedback findunkobj (!fuo) Finds all emsmdb32!UNKOBJ objects in memory (potentially slow) MAPI mexfeedback fixthis Preface a broken command with this one to open an email and send it to the Mex team (e.g. !fixthis !otherMexCommandThatDidNotWork Mex mexfeedback fncinfo Dumps information about a vbscript!FncInfo object VB mexfeedback foldobj Dumps a folder which inherits from emsmdb32!FOLDOBJ MAPI mexfeedback foreachcpu (!fec) Executes a command on each processor Kernel mexfeedback foreachframe (!fef) An implementation of !for_each_frame that supports filtering and sets the context before executing Thread mexfeedback foreachitem (!fei) Iterates through a list, executing a command for each item. Utility mexfeedback foreachline (!fel) Runs a command against every line of data Utility mexfeedback foreachmatchingstack (!fems) Run a command against identical stacks Thread mexfeedback foreachmodule (!fem) An implementation of !for_each_module that supports filtering Binaries mexfeedback foreachobject (!feo) Runs a command against each CLR object DotNet mexfeedback foreachprocess (!fep) An implementation of !for_each_process that supports filtering and sets the context before executing Kernel mexfeedback foreachthread (!fet) An implementation of .for_each_thread that works in user and kernel mode Thread mexfeedback gatewait Shows threads with a state of GateWait Thread mexfeedback gchandleinfo (!gchandle) Displays information on GC Handles DotNet mexfeedback gcheapinfo (!gchi) Get info on the managed GC Heap DotNet mexfeedback genericarray (!ga) Dumps an Outlook GenericArray Outlook mexfeedback grep Search the output of a command for a specific string or pattern Utility mexfeedback guid Dumps a GUID at the given address MAPI mexfeedback handlefind (!hf) Find handles for a given kernel object General mexfeedback head Displays the first X lines of a command's output Utility mexfeedback help Help General mexfeedback hidefsurf Encapsulates visualization of the HiDef RDP surfaces RDS mexfeedback httpheaders Print the contents of an HttpHeaderCollection DotNet mexfeedback httptrace Enable or Disable HTTP tracing output for Outlook Outlook mexfeedback if (!mif) Condition detection based on command output Utility mexfeedback il Prints the IL for the specified method Decompile mexfeedback ilspy Automatically extracts the module from the dump, and launches ILSpy DotNet mexfeedback imports Displays the import table for a module Binaries mexfeedback initialized (!init) Shows the current threads in the initialized state Thread mexfeedback interpretrawstack (!irs) This command dumps the raw stack and interprets the values as symbols, and as unicode and ansi strings. It will also highlight start and end of frames General mexfeedback ip Converts an address into an IP address format Networking mexfeedback irpbyfilename (!ibfn) Dump any IRP containing the specified text in filename General mexfeedback ldap Displays LDAP client or server details Process mexfeedback listthreads (!lt) Displays a list of threads Thread mexfeedback listticks (!lticks) Show tick counts for threads Kernel mexfeedback logonobj Dumps an object which inherits from emsmdb32!LOGONOBJ MAPI mexfeedback loop Loops either forwards or backwards through a series of numbers with variable replacement Utility mexfeedback managedthreads (!mthreads) A !threads look-alike, with !aspxpagexext-like output DotNet mexfeedback mapistruct Dumps a MAPI object MAPI mexfeedback mappeddrives (!mdrives) Displays mapped drives Process mexfeedback messagequeue (!mq) Displays message queue Kernel mexfeedback mheap A DML'd version of !heap. Process mexfeedback mirp Displays IRP details (replaces !irp) Kernel mexfeedback mirpfind Mex version of IRPFIND Kernel mexfeedback mods Displays modules loaded in a process Binaries mexfeedback more Runs a command in paged mode, asking for input every X lines Utility mexfeedback mreg This is a DML'd version of !reg Kernel mexfeedback mrmsg (!msg) Interprets a Windows message Utility mexfeedback msgobj Dumps a message which inherits from emsmdb32!MSGOBJ MAPI mexfeedback msodoc Displays detailed information about an object which inherits from mso!CMsoOLDocBase MSO mexfeedback msprvdrobj Dumps a folder which inherits from emsmdb32!MSPRVDROBJ MAPI mexfeedback mup Displays info for the Multiple UNC Provider (MUP) Networking mexfeedback nametbl (!_jsnt) Dump jscript!NameTbl object from address IE mexfeedback ncsi Displays Network Connectivity Status Indicator (NCSI) configuration Networking mexfeedback ndao Native Dump ALL Objects - Potentially very slow General mexfeedback ndro Native Dump Register Objects General mexfeedback ndso Native Dump Stack Objects Thread mexfeedback net Net Command Help Networking mexfeedback notifyobj Dumps a message which inherits from emsmdb32!NOTIFYOBJ MAPI mexfeedback obj Displays details for a given kernel object (object manager) Kernel mexfeedback objectsummary Outputs object analysis summary DotNet mexfeedback objt Interprets an OBJT MAPI mexfeedback obtrace Dumps the trace information for an object Kernel mexfeedback olanalyze (!ola) Basic Outlook/MAPI dump analysis Outlook mexfeedback olcmd (!olglobals) Dumps the command line parameters from OUTLOOK!g_psoclCmdLine Outlook mexfeedback olic (!officelicense) Dumps the Office Licensing information from mso!vplic MSO mexfeedback oracleclientperfcounters Display System.Data.OracleClient performance counters DotNet mexfeedback outline (!ol) Outlines the calls inside a given function Utility mexfeedback p Displays process details Process mexfeedback parsemem Walks a range of memory and counts unique byte sequences Kernel mexfeedback parsescripttext (!_jssf) Dump jscript9!ScriptEngine::ParseScriptText object from address IE mexfeedback phandles (!ph) Shows a list of currently open printer handles General mexfeedback pingtrack Pingtrack command Networking mexfeedback printdbcommand Prints information about a DBCommand object DotNet mexfeedback printexception2 (!pe2) Like !PrintException, with DML DotNet mexfeedback printmanifest Prints the assembly manifest for the specified module Decompile mexfeedback printmembers Scans specified module and type [Module!TypeName] and prints all members Decompile mexfeedback printtypes Scans specified [Module] and prints all types Decompile mexfeedback proxyinfo (!_wpi) Dump wininet!PROXY_INFO object from address IE mexfeedback psrunspace Outputs the runspaces in the process. PowerShell mexfeedback psscriptblock Outputs the script blocks in the process. PowerShell mexfeedback rasmans Displays the rasmans!ConnectionBlockList Networking mexfeedback readfile Read a file from the filesystem and display the output in the debugger Utility mexfeedback ready (!rdy) Shows the currently ready threads Thread mexfeedback recenterror (!re) Dumps the recent error queue from olmapi32!g_RecentErrInfo MAPI mexfeedback rmsfldchg (!folderchange) Dumps an emsmdb32!RMSFLDCHG object MAPI mexfeedback rnotf Dumps a message which inherits from emsmdb32!RNOTF MAPI mexfeedback rollup (!ru) Takes an input value and rolls it up to the appropriate bucket (e.g. bytes to GB) Utility mexfeedback rop Interprets a ROP MAPI mexfeedback rot Dumps Outlook's Running Object Table (ROT) Outlook mexfeedback rpctrace Enable or Disable RPC tracing output for Outlook Outlook mexfeedback rtime Interprets an rtime value MAPI mexfeedback runaway2 Runaway2.. Replacement for !runaway General mexfeedback runcheck (!runchecks) runs the specified check(s) on the specified module(s) Decompile mexfeedback runchecklist runs the specified checklist(s) on the specified module(s) Decompile mexfeedback running (!cpu) (Kernel mode only) A brief overview of currently executing threads Thread mexfeedback rxirps Displays the list of IRPs stored in rdbss!RxIrpsList Kernel mexfeedback sccm SCCM SystemCenter mexfeedback scom (!om) Utilities for SC Operations Manager. SystemCenter mexfeedback scsm (!sm) Utilities for SC Service Manager SystemCenter mexfeedback searchthreadstacks (!sts) Searches thread stacks for a value Thread mexfeedback services (!service) Displays details about services. Requires access to the usermode address space of services.exe (userdump of services.exe or complete memory dump) General mexfeedback settings Mex Settings Mex mexfeedback sort Sort command Utility mexfeedback spdisposecheck Executes the SharePoint Dispose and Do Not Dispose Checklist items Decompile mexfeedback sqlclientperfcounters Display System.Data.SqlClient performance counters DotNet mexfeedback sqlcmd Provides information about ADO.NET Commands to SQL Server DotNet mexfeedback sqlcn Provides an overview of ADO.NET connections to SQL Server DotNet mexfeedback sqlports (!sqlports) Gets the local and remote TCP ports from a SqlConnection object DotNet mexfeedback srvnet Displays info on SRVNET Networking mexfeedback standby (!sby) Shows the current standby threads Thread mexfeedback staticfields Display static fields of a managed type DotNet mexfeedback strings Prints out readable strings in an address range Utility mexfeedback sum (!sum) Sums the output returned by a command Utility mexfeedback suspended Displays details on suspended threads Thread mexfeedback svcreg Dumps the passed in service/driver registry key General mexfeedback svcthreads (!svcthreads) Find threads executing WCF services DotNet mexfeedback t A new implementation of !thread for user & kernel mode Thread mexfeedback tableobj Dumps a folder which inherits from emsmdb32!TABLEOBJ MAPI mexfeedback tac Writes input to console, last line first. Utility mexfeedback tag Searches kernel modules for a given pooltag Kernel mexfeedback tail Displays the final X lines of a command's output Utility mexfeedback tasklist (!tl) Displays information about running tasks (processes) Kernel mexfeedback tasktriage (!tasks) Analyzes the System.Threading.Tasks.Task objects still on the heap. DotNet mexfeedback tcpip (!tcp) TCP/IP - Gets TCP and UDP ports from Kernel Memory Networking mexfeedback threadpool (!tp) Displays information regarding NTDLL thread pools Thread mexfeedback threadreport (!trep) Displays a thread report. Thread mexfeedback time Time how long a command takes to execute Utility mexfeedback tr (!replace) Search and Replace. Translate a char/string into another char/string. Utility mexfeedback transition (!trans) Shows the current threads in the transition state Thread mexfeedback udescan (!manalyze) Scans dump for known issues and displays them in human-readable format. Utility mexfeedback uniqlines (!ul) Prints each line of output and a count of how many times they appeared Utility mexfeedback uniquestacks (!us) Like the built-in !uniqstacks except it associates thread IDs with the stack traces Thread mexfeedback unkobj Interprets an UNKOBJ MAPI mexfeedback userrequest Displays details on threads with a wait reason of UserRequest Thread mexfeedback vadmodules (!vadm) Lists the vads of a process. Kernel mexfeedback vbaproj Displays detailed information about a VBA project (vbe7!ProjItem) VB mexfeedback vbscript (!vbs) Displays detailed information about vbscript running on the current thread VB mexfeedback ver Displays OS version info Utility mexfeedback vrdpfb Encapsulates visualization of the RDP frame buffer RDS mexfeedback vss Vss Command Help Kernel mexfeedback wcfperfcounters Dumps performance counters for WCF services DotNet mexfeedback wcftcpconnectionpools (!wtcp) Display WCF Net.TCP connection pools DotNet mexfeedback wdanalyze Displays Word-specific information (open documents, active document, last fetch, etc.) Word mexfeedback wddoc (!doc) Displays detailed information about a particular document which inherits from wwlib!DOD Word mexfeedback wddocs (!docs) Finds currently opened Word documents and templates using wwlib!vpdodUser Word mexfeedback wdflags Displays information about global flags Word mexfeedback wdfn Displays detailed information about open files Word mexfeedback wdt Displays information about last fetch Word mexfeedback wfp Displays information for the Windows Filtering Platform (WFP) General mexfeedback whocalls Scans all loaded managed modules and finds methods that call [MethodName] Decompile mexfeedback whoimplements Scans all loaded managed modules and finds types that implement [InterfaceName] Decompile mexfeedback whoinherits Scans all loaded managed modules and finds types that inherit [TypeName] Decompile mexfeedback whonews Scans all loaded managed modules and finds methods that construct [TypeName] Decompile mexfeedback whopins Scans managed modules and all finds methods that pin objects of a given [TypeName] or all types Decompile mexfeedback window (!wnd) Displays windows for each desktop. You must be in the context of a given session to see that session's windows Kernel mexfeedback windowstation (!winsta) Display details for windows station(s) Kernel mexfeedback winnsi winnsi Command Help Networking mexfeedback wldap32 Displays wldap32.dll details (dll responsible for client side LDAP connections) Process mexfeedback wq Displays executive work queue threads Kernel mexfeedback wrcpuratecontrol Displays details on threads with a wait reason of WrCpuRateControl Thread mexfeedback wrexecutive Displays details on threads waiting on the executive Thread mexfeedback wrfastmutex Displays details on threads waiting for a Fast Mutex Thread mexfeedback wrfreepage Displays details on threads with a wait reason of WrFreePage Thread mexfeedback writefile Runs a command and writes the data to a file Utility mexfeedback writemodule Writes a module to your temp directory Binaries mexfeedback wrlpcreceive (!lpcs) Displays details on LPC/ALPC server threads Thread mexfeedback wrresource Displays details on threads with a wait reason of WrResource Thread mexfeedback x Wrapper for x that adds some DML General mexfeedback xlanalyze (!xla) Analyzes Excel session and displays debug information. Excel mexfeedback xlbooks (!xlb) Displays information about open workbooks. Excel mexfeedback xlvbe Displays information about the Visual Basic Environment (VBE). Excel mexfeedback xlwindows (!xlw) Displays information about open windows. Excel mexfeedback xx (!x2) Replacement for !x General mexfeedback