The !vad extension displays details of a virtual address descriptor (VAD) or a tree of VADs.
- Displays details of one virtual addres descriptor (VAD)
- Displays details of a tree of VADs.
- Displays information about the VADs for a particular user-mode module and provides a string that you can use to load the symbols for that module.
!vad VAD-Root [Flag] !vad Address 1
Address of the root of the VAD tree to be displayed.
Specifies the form the display will take. Possible values include:
The entire VAD tree based at VAD-Root is displayed. (This is the default.)
Only the VAD specified by VAD-Root is displayed. The display will include a more detailed analysis.
Address in the virtual address range of a user-mode module.
Windows XP and later
For information about virtual address descriptors, see Microsoft Windows Internals, by Mark Russinovich and David Solomon. (This book may not be available in some languages and countries.)
The address of the root of the VAD for any process can be found by using the !process command.
The !vad command can be helpful when you need to load symbols for a user-mode module that has been paged out of memory. For details, see Mapping Symbols When the PEB is Paged Out.
Here is an example of the !vad extension:
kd> !vad 824bc2f8 VAD level start end commit 82741bf8 ( 1) 78000 78045 8 Mapped Exe EXECUTE_WRITECOPY 824ef368 ( 2) 7f6f0 7f7ef 0 Mapped EXECUTE_READ 824bc2f8 ( 0) 7ffb0 7ffd3 0 Mapped READONLY 8273e508 ( 2) 7ffde 7ffde 1 Private EXECUTE_READWRITE 82643fc8 ( 1) 7ffdf 7ffdf 1 Private EXECUTE_READWRITE Total VADs: 5 average level: 2 maximum depth: 2 kd> !vad 824bc2f8 1 VAD @ 824bc2f8 Start VPN: 7ffb0 End VPN: 7ffd3 Control Area: 827f1208 First ProtoPte: e1008500 Last PTE e100858c Commit Charge 0 (0.) Secured.Flink 0 Blink 0 Banked/Extend: 0 Offset 0 ViewShare NoChange READONLY SecNoChange