Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>Basically, once you manage to obtain the handle to your memory mapped file, you could view some relevant data (including its name) using the <code>!handle &lt;address&gt; 0xF</code> command.<br> If you don't have a specific handle, but just want to view the names of the existing memory mapped files in the process, you could use the following command: <code>!handle 0 0x4 Section</code>.<br> Which should provide you with an output similar to this one: </p> <pre><code>Handle 6bc Name \BaseNamedObjects\NLS_CodePage_862_3_2_0_0 Handle 6cc Name \BaseNamedObjects\MyMap Handle 794 Name \BaseNamedObjects\Cor_Private_IPCBlock_v4_4092 Handle 798 Name \BaseNamedObjects\Cor_SxSPublic_IPCBlock_4092 Handle 7cc Name \BaseNamedObjects\ShimSharedMemory 5 handles of type Section </code></pre> <p>If you'd like to view the actual filename, you could issue the <code>!handle</code> command in a kernel debugger to view some information about the system objects that correspond to your File handles.<br> For example:</p> <pre><code>lkd&gt; !handle 0 0x3 2c4 File Searching for Process with Cid == 2c4 Searching for handles of type File PROCESS 89242da0 SessionId: 0 Cid: 02c4 Peb: 7ffdd000 ParentCid: 0b48 DirBase: 0a640dc0 ObjectTable: e1c361d0 HandleCount: 83. Image: ConsoleApplication1.exe Handle table at e11f6000 with 83 entries in use 000c: Object: 86a74868 GrantedAccess: 00100020 (Inherit) Entry: e11f6018 Object: 86a74868 Type: (89e2a730) File ObjectHeader: 86a74850 (old version) HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \Foo\Bar {HarddiskVolume2} 06d0: Object: 8669c4b8 GrantedAccess: 00100083 Entry: e11f6da0 Object: 8669c4b8 Type: (89e2a730) File ObjectHeader: 8669c4a0 (old version) HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \wubildr {HarddiskVolume1} 06d4: Object: 86bf1f58 GrantedAccess: 00120089 Entry: e11f6da8 Object: 86bf1f58 Type: (89e2a730) File ObjectHeader: 86bf1f40 (old version) HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \WINDOWS\assembly\pubpol6.dat {HarddiskVolume1} 06dc: Object: 892c43e0 GrantedAccess: 00120089 Entry: e11f6db8 Object: 892c43e0 Type: (89e2a730) File ObjectHeader: 892c43c8 (old version) HandleCount: 1 PointerCount: 1 Directory Object: 00000000 Name: \WINDOWS\assembly\NativeImages_v4.0.30319_32\index1fe.dat {HarddiskVolume1} 06ec: Object: 892cf1f8 GrantedAccess: 00100001 Entry: e11f6dd8 Object: 892cf1f8 Type: (89e2a730) File ObjectHeader: 892cf1e0 (old version) HandleCount: 1 PointerCount: 1 </code></pre>
    singulars
    1. This table or related slice is empty.
    1. POHow do I find a memory mapped file's name in WinDbg?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USLiran
    1. USLiran
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COYou can have a section mapped in without having a handle to the section open.
      singulars
      1. PO
      1. USwj32
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload