How can I find the N largest lines in a managed kernel dump using WinDbg?

I have a dump containing 26 GB of lines - over 3.5 million lines. The large object heap only has 18 of them, taking just over 2.5 MB - checked with the command !sosex.dumpgen.

Gen 2 has most of them. How can I get the N largest, other than dumping them all to a log file and then parsing it outside of WinDbg?

+3


2 answers


I thought it was possible with NetExt, but it only comes close to SOSEx's !strings, so it needs some more scripting.

0:000> .load F:\...\netext\2.0.1.5580\x86\NetExt.dll
NetExt version 2.0.1.5580 Aug  3 2015
License and usage can be seen here: !whelp license
Check Latest version: !wupdate
For help, type !whelp (or in WinDBG run: '.browse !whelp')
Questions and Feedback: http://netext.codeplex.com/discussions 
Copyright (c) 2014-2015 Rodney Viana (http://blogs.msdn.com/b/rodneyviana) 
Type: !windex -tree or ~*e!wstack to get started

0:000> !windex
Starting indexing at 20:55:54
Indexing finished at 20:55:54
30,707 Bytes in 343 Objects
Index took 00:00:00

0:000> !wfrom /nofield /type System.String where (m_stringLength>50) select m_stringLength
0n100
0n137
0n130
0n100
...

      

To get rid of the prefix 0n, we use $substr(m_stringLength,2,100).

This gives us an overview of line lengths. This list needs some sorting, so use the command .shell and DOS sort /R:



!! -ci "!wfrom /nospace /nofield /type System.String where (m_stringLength>50) select $substr(m_stringLength,2,100)" sort /R

      

As a result, we get the top N elements using a loop and skipping some elements. Replace 0n2 with the number of items you want minus 1.

.foreach /pS 0n2 /ps 999999 (length {!! -ci "!wfrom /nospace /nofield /type System.String where (m_stringLength>50) select $substr(m_stringLength,2,100)" sort /R}) {.echo length}

      

Now that we know the minimum length of the top N lines, we can apply it again to the original command !wfrom.

Hey, right? Writing to a text file is sometimes a good solution ...
+1
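
An added example (not part of the answer above): Windows sort compares text, so with /R a length of 99 ranks above 2048. This sketch parses logged !wfrom output numerically and returns the top N lengths plus the threshold to plug back into the where clause; the sample log is constructed and the function names are hypothetical.

```python
import heapq
import re

# A line holding only a length as WinDbg prints it ("0n137"), or a bare
# number once $substr has stripped the 0n prefix.
LENGTH_LINE = re.compile(r"^\s*(?:0n)?(\d+)\s*$")

# Constructed sample of a logged session; not taken from a real dump.
SAMPLE_LOG = """\
0:000> !wfrom /nofield /type System.String where (m_stringLength>50) select m_stringLength
0n100
0n137
0n130
0n100
0n99
0n2048
0n51
"""


def parse_lengths(log_text):
    """Return every length line in the log as an int, in log order."""
    lengths = []
    for line in log_text.splitlines():
        match = LENGTH_LINE.match(line)
        if match:  # prompts and banners do not match and are skipped
            lengths.append(int(match.group(1)))
    return lengths


def top_n_threshold(log_text, n):
    """Return (n largest lengths, smallest of those) or ([], None)."""
    top = heapq.nlargest(n, parse_lengths(log_text))
    if not top:
        return [], None
    return top, top[-1]


def lexicographic_top(log_text, n):
    """First n entries of a reverse text sort, the order sort /R produces."""
    as_text = [str(value) for value in parse_lengths(log_text)]
    return sorted(as_text, reverse=True)[:n]


if __name__ == "__main__":
    top, threshold = top_n_threshold(SAMPLE_LOG, 3)
    print("numeric top 3:", top)
    print("text-sorted top 3:", lexicographic_top(SAMPLE_LOG, 3))
    print("rerun !wfrom with: where (m_stringLength>=%d)" % threshold)
```
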


sosex has a command, !strings, which has a switch where we can specify the min.



Sorry, I'm not near a machine where I can try sosex, but it should be like !strings -m 1000. You can try the sosex help command, !sosex.help, to get this. This will print all lines that are more than 1000. Similarly, I tried to try large values like 10000 and get large lines.

+1

