The !peb extension displays a formatted view of the information in the process environment block (PEB).
PEB-Address: The hexadecimal address of the process whose PEB you want to examine. (This is not the address of the PEB as derived from the kernel process block for the process.) If PEB-Address is omitted in user mode, the PEB for the current process is used. If it is omitted in kernel mode, the PEB corresponding to the current process context is displayed.
Windows XP and later
For information about process environment blocks, see Microsoft Windows Internals by Mark Russinovich and David Solomon. (This book may not be available in some languages and countries.)
The PEB is the user-mode portion of Microsoft Windows process control structures.
If the !peb extension with no argument gives you an error in kernel mode, you should use the !process extension to determine the PEB address for the desired process. Make sure your process context is set to the desired process, and then use the PEB address as the argument for !peb.
The exact output displayed depends on the Windows version and on whether you are debugging in kernel mode or user mode. The following example is taken from a kernel debugger attached to a Windows Server 2003 target:
    kd> !peb
    PEB at 7ffdf000
        InheritedAddressSpace:    No
        ReadImageFileExecOptions: No
        BeingDebugged:            No
        ImageBaseAddress:         4ad00000
        Ldr                       77fbe900
        Ldr.Initialized:          Yes
        Ldr.InInitializationOrderModuleList: 00241ef8 . 00242360
        Ldr.InLoadOrderModuleList:           00241e90 . 00242350
        Ldr.InMemoryOrderModuleList:         00241e98 . 00242358
                Base TimeStamp                     Module
            4ad00000 3d34633c Jul 16 11:17:32 2002 D:\WINDOWS\system32\cmd.exe
            77f40000 3d346214 Jul 16 11:12:36 2002 D:\WINDOWS\system32\ntdll.dll
            77e50000 3d3484ef Jul 16 13:41:19 2002 D:\WINDOWS\system32\kernel32.dll
            ....
        SubSystemData:     00000000
        ProcessHeap:       00140000
        ProcessParameters: 00020000
        WindowTitle:  'D:\Documents and Settings\Administrator\Desktop\Debuggers.lnk'
        ImageFile:    'D:\WINDOWS\system32\cmd.exe'
        CommandLine:  '"D:\WINDOWS\system32\cmd.exe" '
        DllPath:      'D:\WINDOWS\system32;D:\WINDOWS\system32;....
        Environment:  00010000
            ALLUSERSPROFILE=D:\Documents and Settings\All Users
            APPDATA=D:\Documents and Settings\UserTwo\Application Data
            CLIENTNAME=Console
            ....
            windir=D:\WINDOWS
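An added example, not part of the original documentation: a Python parser for the !peb text output shown above, plus a triage check that the ImageFile reported under ProcessParameters matches the loader entry at ImageBaseAddress. The function names and the check are this example's own; it assumes the 32-bit layout of this sample, and the embedded input is a trimmed copy of the output above.

```python
import re
# Trimmed copy of the sample !peb output shown on this page.
SAMPLE = r"""kd> !peb
PEB at 7ffdf000
    BeingDebugged:            No
    ImageBaseAddress:         4ad00000
            Base TimeStamp                     Module
        4ad00000 3d34633c Jul 16 11:17:32 2002 D:\WINDOWS\system32\cmd.exe
        77f40000 3d346214 Jul 16 11:12:36 2002 D:\WINDOWS\system32\ntdll.dll
        ....
    ImageFile:    'D:\WINDOWS\system32\cmd.exe'
    CommandLine:  '"D:\WINDOWS\system32\cmd.exe" '
    Environment:  00010000
        ALLUSERSPROFILE=D:\Documents and Settings\All Users
        ....
        windir=D:\WINDOWS
"""
# Module rows: base, timestamp (hex), human-readable date, path.
MODULE_RE = re.compile(r"^([0-9a-f]{8,16}) [0-9a-f]{8} \w{3} +\d+ [\d:]+ \d{4} (.+)$", re.I)
FIELD_RE = re.compile(r"^([\w.]+):\s+(.*)$")   # "Name:   value" rows

def parse_peb(text):
    """Split !peb output into named fields, loader modules and environment."""
    peb = {"fields": {}, "modules": [], "env": {}}
    in_env = False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("....") or s.startswith("kd>"):
            continue                           # blank, elided or prompt line
        m = MODULE_RE.match(s)
        if m:
            peb["modules"].append((int(m.group(1), 16), m.group(2)))
        elif in_env and "=" in s:              # NAME=value after "Environment:"
            name, _, value = s.partition("=")
            peb["env"][name] = value
        elif (m := FIELD_RE.match(s)):
            peb["fields"][m.group(1)] = m.group(2).strip().strip("'")
            in_env = m.group(1) == "Environment"
    return peb

def consistency_findings(peb):
    """Compare the two views of the main image that the PEB exposes."""
    f, findings = peb["fields"], []
    base = int(f.get("ImageBaseAddress", "0"), 16)
    at_base = [path for b, path in peb["modules"] if b == base]
    if not at_base:
        findings.append("no loader entry at ImageBaseAddress")
    elif at_base[0].lower() != f.get("ImageFile", "").lower():
        findings.append(f"ImageFile {f.get('ImageFile')!r} != loader entry {at_base[0]!r}")
    return findings
```

Because the PEB is user-mode data, a finding here is a prompt to look closer at the process, not proof of anything by itself.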
The similar !teb extension displays the thread environment block.