CS490 Windows Internals Labs
Sep 14th, 2012
1. Viewing the Process Tree
Tlist
Usually you can retrieve most process information from Task Manager, except the parent
process ID. In this lab we use the Tlist tool to get the parent ID of a process. Tlist can
be found in your Debugging Tools for Windows installation directory. To show the process tree,
use the /t switch. The command is: tlist /t
Here is an example of Tlist output.
Here you can see that a process whose parent no longer exists is left-justified. Windows
maintains only the parent process ID, so even if these processes have grandparents, Tlist
cannot show them to you.
To prove that, follow these steps:
1. Open a Command Prompt window.
2. Type start cmd to start a second Command Prompt window.
3. In the second Command Prompt, type mspaint to run Microsoft Paint.
4. Use Tlist to check the tree of current processes, as in the following picture:
5. Switch to the second Command Prompt and type exit. (Microsoft Paint keeps running.)
6. Check the process tree with Tlist again: Microsoft Paint is left-justified now.
7. Now bring up Task Manager, click the Applications tab, right-click on the Command
Prompt task, and select Go To Process.
8. Right-click on the highlighted cmd process and select End Process Tree.
Microsoft Paint is still there, but the Command Prompt has disappeared. That is because
Windows keeps no link between a grandparent and a grandchild.
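The behaviour above (only the parent PID is recorded, so an orphaned child becomes a root) is easy to reproduce in code. The following PowerShell script is an added example, not part of the original lab or of the Tlist tool; it rebuilds the Tlist-style tree from Win32_Process and adds one check Tlist does not make: because Windows reuses PIDs, a "parent" that was created after its child is a different process that happened to get the same PID, so the child is treated as a root. The function name Get-ProcessTree and the indentation format are this example's own choices.

```powershell
# Added example (not part of the original lab): rebuild the Tlist-style process
# tree from the ParentProcessId that Windows records for each process.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with CIM available.

function Get-ProcessTree {
    [CmdletBinding()]
    param()

    # One snapshot of all processes. Windows keeps only the parent's PID,
    # not a reference to the parent object, so this is all there is to use.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate |
        Sort-Object ProcessId

    $byPid = @{}
    foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

    # A process is a root (left-justified in Tlist) when its parent is gone.
    # Caveat: PIDs are reused, so a parent that exists but was created AFTER
    # the child is not the real parent; treat such a child as a root too.
    function Test-LiveParent($p) {
        $parent = $byPid[[uint32]$p.ParentProcessId]
        if ($null -eq $parent) { return $false }
        if ($parent.ProcessId -eq $p.ProcessId) { return $false }   # pid 0 lists itself
        if ($parent.CreationDate -and $p.CreationDate -and
            $parent.CreationDate -gt $p.CreationDate) { return $false }
        return $true
    }

    # Print a process and, indented beneath it, every child that really is its child.
    function Write-Branch($p, $depth) {
        '{0}{1} ({2})' -f ('  ' * $depth), $p.Name, $p.ProcessId
        $children = $procs | Where-Object {
            $_.ParentProcessId -eq $p.ProcessId -and
            $_.ProcessId -ne $p.ProcessId -and
            (Test-LiveParent $_)
        }
        foreach ($child in $children) { Write-Branch $child ($depth + 1) }
    }

    foreach ($root in ($procs | Where-Object { -not (Test-LiveParent $_) })) {
        Write-Branch $root 0
    }
}

Get-ProcessTree
```

Run the lab steps again with this script in place of tlist /t: after the second Command Prompt exits, mspaint moves to the left margin exactly as Tlist shows it. The creation-time check matters when reading process trees in an investigation, since a stale ParentProcessId can otherwise make an orphan appear to be the child of an unrelated newer process.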
Process Explorer
In this lab you can also use Process Explorer from Sysinternals instead of Tlist. Process
Explorer shows much more information about processes than Tlist does.
1. Run Process Explorer from the Sysinternals package.
2. The first time you open Process Explorer you may need to configure the symbol path. Set the
symbol path as follows (if you have downloaded a local package of symbols, point the path to
your symbol directory).
Microsoft symbol server: [Link]
3. Click “OK” to see the main window of Process Explorer. Just enjoy it.
2. Kernel Debugging
The Debugging Tools for Windows package contains many tools for debugging Windows. They
can be used to debug user mode as well as the kernel. Here you are going to do an experiment
in kernel debugging using WinDbg, the GUI version of the Windows debugger.
1. Before using WinDbg, boot Windows in debugging mode: press F8 before Windows starts
and select Debugging Mode to boot the system.
2. WinDbg is in the Debugging Tools for Windows directory. The first time you run it, you
must configure the symbol path (to configure the symbol path, read the instructions linked
on the course website). After that you can see the following window:
3. Click “File” on the menu bar and select “Kernel Debug…”. In the Kernel Debugging dialog,
choose “Local”, click “OK”, and answer “Yes” to save the information for the workspace. The
user interface of WinDbg looks like this:
4. At the bottom of the UI you can enter debugger commands. In this lab we just try the display
type command “dt”, which lists the kernel structures whose type information is
included in the kernel symbols. A simple use of the “dt” command is dt nt!_*, which returns
all of the kernel structures.
5. You can use “dt” to search kernel structures in many forms, such as dt nt!_*process*. In this
case the debugger returns the structures whose names contain the term “process”.
6. Notice that the “*” here means more than 0 characters; you can also try “?”, which means
more than 1 character.
7. If you want to see more detail, try dt nt!_KPROCESS, which shows the inner
structure of the KPROCESS type.
8. To view the structure tree, use the -r option, like this: dt nt!_KPROCESS -r
For more commands, please check the Debugging Help for the Windows debugging tools.