The !teb extension displays a formatted view of the information in the thread environment block (TEB).
TEB-Address: The hexadecimal address of the thread whose TEB you want to examine. (This is not the address of the TEB as derived from the kernel thread block for the thread.) If TEB-Address is omitted in user mode, the TEB for the current thread is used. If it is omitted in kernel mode, the TEB corresponding to the current register context is displayed.
For information about thread environment blocks, see Microsoft Windows Internals by Mark Russinovich and David Solomon.
The TEB is the user-mode portion of Microsoft Windows thread control structures.
If the !teb extension with no argument gives you an error in kernel mode, you should use the !process extension to determine the TEB address for the desired thread. Make sure your register context is set to the desired thread, and then use the TEB address as the argument for !teb.
Here is an example of this command's output in user mode:
0:001> ~
   0  id: 324.458   Suspend: 1 Teb 7ffde000 Unfrozen
.  1  id: 324.48c   Suspend: 1 Teb 7ffdd000 Unfrozen
0:001> !teb
TEB at 7FFDD000
    ExceptionList:    76ffdc
    Stack Base:       770000
    Stack Limit:      76f000
    SubSystemTib:     0
    FiberData:        1e00
    ArbitraryUser:    0
    Self:             7ffdd000
    EnvironmentPtr:   0
    ClientId:         324.48c
    Real ClientId:    324.48c
    RpcHandle:        0
    Tls Storage:      0
    PEB Address:      7ffdf000
    LastErrorValue:   0
    LastStatusValue:  0
    Count Owned Locks:0
    HardErrorsMode:   0
The similar !peb extension displays the process environment block.
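When !teb output is saved to a debugger log, its fields can be parsed and checked for internal consistency during triage. The following Python code is an added example, not part of the original documentation; parse_teb and check_teb are hypothetical helper names, and the ExceptionList check assumes a 32-bit (x86) target, where exception registration records live on the thread's stack.

```python
import re

# Excerpt of the user-mode !teb output shown on this page.
SAMPLE = """\
TEB at 7FFDD000
    ExceptionList:    76ffdc
    Stack Base:       770000
    Stack Limit:      76f000
    Self:             7ffdd000
    ClientId:         324.48c
    Real ClientId:    324.48c
    PEB Address:      7ffdf000
    Count Owned Locks:0
"""

def parse_teb(text):
    """Parse !teb output: hex fields become ints, 'pid.tid' fields become tuples."""
    teb = {}
    for line in text.splitlines():
        m = re.match(r"\s*TEB at ([0-9A-Fa-f]+)", line)
        if m:
            teb["TEB"] = int(m.group(1), 16)
            continue
        # Field lines look like "Name: value"; the value may directly follow the colon.
        m = re.match(r"\s*([A-Za-z ]+?):\s*([0-9A-Fa-f.]+)\s*$", line)
        if not m:
            continue  # prompts, thread lists and other log noise are skipped
        key, val = m.group(1), m.group(2)
        parts = tuple(int(p, 16) for p in val.split("."))
        teb[key] = parts if "." in val else parts[0]
    return teb

def check_teb(teb):
    """Return a list of inconsistencies that deserve a closer look."""
    findings = []
    if teb["Self"] != teb["TEB"]:
        findings.append("Self does not point back at the TEB address")
    base, limit = teb["Stack Base"], teb["Stack Limit"]
    if not limit < base:
        findings.append("Stack Limit is not below Stack Base")
    seh = teb["ExceptionList"]
    # x86 assumption: the SEH chain head is on the stack; 0xFFFFFFFF ends the chain.
    if seh != 0xFFFFFFFF and not (limit <= seh < base):
        findings.append("ExceptionList head lies outside the thread's stack")
    return findings

if __name__ == "__main__":
    print(check_teb(parse_teb(SAMPLE)) or "no inconsistencies found")
```
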