The !locks extension in Kdextx86.dll and Kdexts.dll displays information about kernel ERESOURCE locks.
This extension command should not be confused with the !ntsdexts.locks extension command.
!locks [Options] [Address]
Specifies the amount of information to be displayed. Any combination of the following options can be used:
Displays detailed information about each lock.
Display all available information about the locks, including performance statistics.
Display information about all locks. Otherwise, only locks with contention are displayed.)
Specifies the hexadecimal address of the ERESOURCE lock to be displayed. If Address is 0 or omitted, information about all ERESOURCE locks in the system will be displayed.
Windows XP and later
The !locks extension displays all locks held on resources by threads. A lock can be shared or exclusive, which means no other threads can gain access to that resource. This information is useful when a deadlock occurs on a system. A deadlock is caused by one non-executing thread holding an exclusive lock on a resource that the executing thread needs.
You can usually pinpoint a deadlock in Microsoft Windows 2000 by finding one non-executing thread that holds an exclusive lock on a resource that is required by an executing thread. Most of the locks are shared.
Here is an example of the basic !locks output:
kd> !locks **** DUMP OF ALL RESOURCE OBJECTS **** KD: Scanning for held locks...... Resource @ 0x80e97620 Shared 4 owning threads Threads: ff688da0-01<*> ff687da0-01<*> ff686da0-01<*> ff685da0-01<*> KD: Scanning for held locks....................................................... Resource @ 0x80e23f38 Shared 1 owning threads Threads: 80ed0023-01<*> *** Actual Thread 80ed0020 KD: Scanning for held locks. Resource @ 0x80d8b0b0 Shared 1 owning threads Threads: 80ed0023-01<*> *** Actual Thread 80ed0020 2263 total locks, 3 locks currently held
Note that the address for each thread displayed is followed by its thread count (for example, "-01"). If a thread is followed by "<*>", that thread is one of the owners of the lock. In some instances, the initial thread address contains an offset. In that case, the actual thread address is displayed as well.
If you want to find more information about one of these resource objects, use the address that follows "Resource @" as an argument for future commands. To investigate the second resource shown in the preceding example, you could use dt ERESOURCE 80d8b0b0 or !thread 80ed0020. Or you could use the !locks extension again with the -v option:
kd> !locks -v 80d8b0b0 Resource @ 0x80d8b0b0 Shared 1 owning threads Threads: 80ed0023-01<*> *** Actual Thread 80ed0020 THREAD 80ed0020 Cid 4.2c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable 8055e100 Unknown Not impersonating GetUlongFromAddress: unable to read from 00000000 Owning Process 80ed5238 WaitTime (ticks) 44294977 Context Switch Count 147830 UserTime 0:00:00.0000 KernelTime 0:00:02.0143 Start Address nt!ExpWorkerThread (0x80506aa2) Stack Init fafa4000 Current fafa3d18 Base fafa4000 Limit fafa1000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 ChildEBP RetAddr fafa3d30 804fe997 nt!KiSwapContext+0x25 (FPO: [EBP 0xfafa3d48] [0,0,4]) [D:\NT\base\ntos\ke\i386\ctxswap.asm @ 139] fafa3d48 80506a17 nt!KiSwapThread+0x85 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\nt\base\ntos\ke\thredsup.c @ 1960] fafa3d78 80506b36 nt!KeRemoveQueue+0x24c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\nt\base\ntos\ke\queueobj.c @ 542] fafa3dac 805ad8bb nt!ExpWorkerThread+0xc6 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\nt\base\ntos\ex\worker.c @ 1130] fafa3ddc 8050ec72 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\nt\base\ntos\ps\create.c @ 2164] 00000000 00000000 nt!KiThreadStartup+0x16 [D:\NT\base\ntos\ke\i386\threadbg.asm @ 81] 1 total locks, 1 locks currently held