
Netext

WinDbg extension for data mining the managed heap. It also includes commands to list HTTP requests, WCF services and WIF tokens, among others.


UPDATE

This WinDbg debugger extension works as a data-mining tool for .NET. THE EXTENSION DOES NOT REQUIRE SOS OR PSSCORX TO WORK. It accesses the .NET debugging API directly, without an intermediary.

LATEST VERSION: 2.1.65.5000 here

Description

Getting started

  • Open WinDBG. Load netext
  • Make sure you open the appropriate 32-bit or 64-bit extension (32-bit dumps require 32-bit WinDbg and 32-bit netext)
  • For detailed help, run: ".browse !whelp"
  • Run: "!windex -tree" and follow the instructions
  • All the rest will be intuitive
  • For scripts, see !wfrom and !wselect
  • Download the training material here: [https://netext.codeplex.com/releases/view/611486] - Training material is NOW up-to-date.

You can run SELECT-like queries against .NET objects, including sublevel fields.

For example, to get the URL of an HttpContext, it is necessary to:

  1. !do the httpcontext instance, get address of _request
  2. !do the HttpRequest instance, get the address of _url
  3. !do the URI instance, get the address of m_String
  4. !do the instance of the string object.

Using netext you only need to issue a command like: !wselect _request._url.m_String, _response._statusCode from 0x242afe8

Or to list all requests that are "http:" and the status code is not 200 (OK) from ALL HttpRequests:

!wfrom -type *.HttpContext 
  where ( ($contains(_request._url.m_String, "http:")) && (_response._statuscode != 0n200) ) 
  select $addr(), _request._url.m_String, _response._statusCode
calculated: 0n5731369072
_request._url.m_String: http://rviana-serv.contoso.com:80/TestClass/Service.svc/net
_response._statusCode: 0n401
calculated: 0n6802002784
_request._url.m_String: http://rviana-serv.contoso.com:80/TestClass/Service.svc/net
_response._statusCode: 0n401 
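
The query's output can be post-processed outside the debugger. The Python below is an added example, not part of Netext or its README: it parses records in the layout printed above, converts the `0n` decimal `$addr()` value (shown under the label `calculated`) back to the hex address that !wdo and !wselect take, and counts requests per URL and status. The names `parse_wfrom` and `triage` are hypothetical, and the sample is constructed from the two records above.

```python
import re
from collections import Counter

# Constructed sample: the two records printed by the !wfrom query on this page.
SAMPLE = """\
calculated: 0n5731369072
_request._url.m_String: http://rviana-serv.contoso.com:80/TestClass/Service.svc/net
_response._statusCode: 0n401
calculated: 0n6802002784
_request._url.m_String: http://rviana-serv.contoso.com:80/TestClass/Service.svc/net
_response._statusCode: 0n401
"""

# "<field>: <value>"; the field name never contains ':' but a URL value does.
LINE = re.compile(r"^(?P<name>[A-Za-z_$][^:\s]*):\s*(?P<value>.*)$")


def to_int(text):
    """Convert a WinDbg number: 0n prefix is decimal, anything else is hex."""
    text = text.strip()
    if text.lower().startswith("0n"):
        return int(text[2:], 10)
    return int(text, 16)


def parse_wfrom(text, first_field="calculated"):
    """Split output into one dict per object; first_field starts a new record."""
    records, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, prompts, banners
        if m["name"] == first_field:
            current = {}
            records.append(current)
        if current is not None:
            current[m["name"]] = m["value"].strip()
    return records


def triage(records):
    """Return (hex address, url, status) rows and a count per (url, status)."""
    rows = [(f"{to_int(r['calculated']):016x}",
             r["_request._url.m_String"],
             to_int(r["_response._statusCode"])) for r in records]
    return rows, Counter((url, status) for _, url, status in rows)
```
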

It also works very well for showing arrays (!wdo, !wselect and !wfrom), providing links to the objects or showing the item values, depending on the content of the array.

Examples:

.load netext
0:000> !windex -type *.httpcontext

(...)
00000001956e5360 000007feda232488      336   1 0 System.Web.HttpContext
0000000195702098 000007feda232488      336   1 0 System.Web.HttpContext
0:000> !wselect _request._url.m_String, _response._statuscode from 0000000195702098
System.String _request._url.m_String = 00000001559cb3a8 http://rviana-serv.contoso.com:80/TestClass/Service.svc/net
(int32)System.Int32 _response._statuscode = c8 (0n200)

0:000> !wselect * from 000000015579ec00
System.String Key = 000000015578c6c8 assembly
System.Object Value = 000000015579EBD8

Note: !wselect does not accept expressions or conditionals but it accepts wildcard fields

0:000> !wdo 0000000195702098
Address: 0000000195702098
EEClass: 000007fed9e923b8
Method Table: 000007feda232488
Class Name: System.Web.HttpContext
(...)
Inherits: System.Web.HttpContext System.Object (000007FEDA232488 000007FEEFC07370)
07feda234fb0 System.Web.IHttpAsyncHandler +0000   _asyncAppHandler 0000000000000000
07feda234ae0 System.Web.HttpApplication +0008         _appInstance 0000000000000000
(...)
07feefc47fb8 System.DateTime +0120                   _utcTimestamp -mt 07FEEFC47FB8 01957021C0 10/26/2011 9:16:11 PM
(...)
07feefc47eb8 System.TimeSpan +0138                       _timeout -mt 07FEEFC47EB8 01957021D8 03:14:07
007feefc0ecf0 System.Int32 +010c                     _timeoutState 0 (0n0)
(...)
007feefc06c50 System.Boolean +0118      _finishPipelineRequestCalled 1 (True)
(...)
0:000> !wdo 00000001556d1dc8
Address: 00000001556d1dc8
EEClass: 000007feef80eb58
Method Table: 000007feefbf5870
Class Name: System.Object[]
Size : 48
Rank: 1
Components: 2
[0]: 00000001556d27e0 <IPermission class="System.Security.Permissions.MediaPermission, WindowsBase,
Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Audio="SafeAudio" Video="SafeVideo" Image="SafeImage"/>
[1]: 00000001556d33d8 <IPermission class="System.Security.Permissions.WebBrowserPermission, WindowsBase,
Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Level="Safe"/>
0:000> ~*e!wstack
Listing objects from: 0000000000284000 to 0000000000290000 from thread: 0 [21a0]
Listing objects from: 000000000088e000 to 0000000000890000 from thread: 1 [263c]
(...)
Listing objects from: 0000000004208000 to 0000000004210000 from thread: 20 [1780]
@rcx=00000001956e6318 000007feefc39f88 System.Threading._TimerCallback 1 0
(...)
0000000195701d78 000007feda23a620 System.Web.Hosting.IIS7WorkerRequest 1 0
0000000195720380 000007feefc01808 System.Threading.ContextCallback 1 0
00000001556e5490 000007feda22c148 System.Web.HttpRuntime 0 0
(...)

List of commands

Commands to Show Object Details
-------------------------------

  • !wdo - Display ad-hoc objects or arrays from GAC or Stack
  • !wselect - Display ad-hoc fields (and level fields) for an object or for all items in an array
  • !wfrom - Perform SQL-like analysis of Heap objects enabling comparison, expression evaluation and indexed filtering.
  • !wpe - Dump Exception Object

Enumerate objects
-----------------

  • !windex - index and display objects based on different filters, such as objects of type HttpContext
  • !wstack - dump unique stack objects
  • !wheap - list objects without indexing and show throttled heap sampling
  • !wgchandles - Dump GC root handles
  • !wdae - Dump all exceptions in the heap

Process commands
----------------

  • !wclrstack - Dump current thread's stack trace (only managed thread)
  • !wthreads - Dump thread information
  • !wver - Show version of the .NET framework(s) present in the process or dump and extension version
  • !wupdate - Check for new versions and compare with current. If a new version is found, it tries to open the update page
  • !wdomain - Dump all Application Domains
  • !wmodule - List modules based on a pattern
  • !wtime - Show UTC and local time
  • !wapppool - Display AppPool details
  • !wk - Dump current thread's stack trace in mixed mode (native and managed)
  • !wp - Step over managed code. This is similar to F10 in Visual Studio.
  • !wt - Step into managed code. This is similar to F11 in Visual Studio.
  • !wvar - List the process's environment variables.
  • (new) !wsetruntime - Lets you change which runtime to use (when netcore and regular .NET are in the same process)

Special Purpose
---------------

  • !wdict - Display dictionary objects
  • !whash - Display HashTable objects
  • !whttp - List HttpContext Objects
  • !wconfig - Show all .config file lines in memory
  • !wservice - List WCF service Objects
  • !weval - Evaluate expression list
  • !wclass - Show "reflected" class definition (fields, properties and methods)(new)
  • !wkeyvalue - Display pair key/value for NameObjectCollection type objects
  • !wcookie - Display HTTP cookies using filters and grouping
  • !wruntime - Display HTTP Runtime Info including Active Requests count
  • !wtoken - Display WIF tokens and claims
  • !wsocket - Dump socket information
  • !wxml - Dump a XML document
  • !wmakesource - It tries to reflect the current frame into source code
  • !wopensource - Open source file based on the IP provided
  • (not working in .NETCore) !wconcurrentdict - Dump a concurrent dictionary
  • !wsql - Display SQL Server commands (System.Data.SqlClient.SqlCommand)


!wsql - Display all SQL Server commands (System.Data.SqlClient.SqlCommand) or a specific one. The list can be filtered to active commands, to commands whose text matches a partial pattern, or to stored procedure queries only.

Syntax:
-------
!wsql [-sproc] [-active] [-command <partial-name>] [<expr>] 

Where:
	-sproc - Lists only queries that are stored procedures. Optional
	-active - Lists only queries still running. Optional
	-command <partial-name> - Lists only queries whose text matches the pattern (e.g. -command *INSERT*INTO*). Optional
	<expr> - If an address is specified it will display only that command. Optional

Examples:
----------

List a specific command
-------------------------------

0:004> !wsql 000000d44804ff78

Connection String: [Data Source=CONTOSOSQL/A1;Initial Catalog=SharePoint_Config;Integrated Security=True;...]

[  0]: 000000d44804ff78  Type: Stored Procedure State: Open     Runing Time: 00:00:08 Pool Connection: 1 of 100 
proc_getObjectsByClass

Parameters:
=============
@RETURN_VALUE=0n0
@ClassId={5669b3e1-5bb4-40d1-a944-2cafe00d8c3f}
@ParentId={e154cb00-7fb9-4902-a7eb-2ceeedef9c3d}
@Name=
@RequestGuid={ab9ec69e-8030-908e-922f-8a38850b9aa3}


Filter by partial command
-------------------------------
0:004> !wsql -command *TVP*
Connection String: [<NOT SET OR CLOSED>]

[  0]: 000000d4480912d8  Type: Stored Procedure State: Closed      
proc_putObjectTVP

Parameters:
=============
@RETURN_VALUE=0n0
@Id={4efadda2-0b5a-493a-8cb7-ef810c568bc6}
@ParentId={e154cb00-7fb9-4902-a7eb-2ceeedef9c3d}
@ClassId={5669b3e1-5bb4-40d1-a944-2cafe00d8c3f}
@Name=
@Status=0n0
@Version=0n88675
@Properties=<object type="Microsoft.SharePoint.Administration.SPLargeListThrottleSettings, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
@AutoResolveMissingTypes=0
@Dependenc
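
When !wsql output is shared outside the debugging session (a ticket, an incident note), the connection string and parameter values go with it. The Python below is an added example, not part of Netext: it masks credential keys in the `Connection String:` line and every non-empty `@parameter` value, leaving command addresses and procedure names intact. `redact_wsql` and the key list are hypothetical, and the sample (including its `User ID`, `Password` and `@Name` values) is constructed.

```python
import re

# Constructed sample in the layout of the !wsql output on this page; the
# User ID/Password keys and the @Name value are invented to exercise masking.
SAMPLE = """\
Connection String: [Data Source=CONTOSOSQL/A1;Initial Catalog=SharePoint_Config;User ID=svc_app;Password=example-only]

[  0]: 000000d44804ff78  Type: Stored Procedure State: Open     Runing Time: 00:00:08 Pool Connection: 1 of 100
proc_getObjectsByClass

Parameters:
=============
@RETURN_VALUE=0n0
@ClassId={5669b3e1-5bb4-40d1-a944-2cafe00d8c3f}
@Name=Farm
"""

CONN = re.compile(r"^(Connection String: \[)(.*)(\])\s*$")
PARAM = re.compile(r"^(@\w+)=(.*)$")
SECRET_KEYS = {"password", "pwd", "user id", "uid"}  # assumed list, extend as needed


def mask_connection_string(body):
    """Mask the values of credential keys in a ';'-separated connection string."""
    parts = []
    for item in body.split(";"):
        key, sep, value = item.partition("=")
        if sep and key.strip().lower() in SECRET_KEYS:
            value = "<redacted>"
        parts.append(key + sep + value)
    return ";".join(parts)


def redact_wsql(text):
    """Return (redacted_text, number_of_masked_parameter_values)."""
    out, masked = [], 0
    for line in text.splitlines():
        m = CONN.match(line)
        p = PARAM.match(line)
        if m:
            line = m[1] + mask_connection_string(m[2]) + m[3]
        elif p and p[2]:
            line = f"{p[1]}=<redacted>"
            masked += 1
        out.append(line)
    return "\n".join(out), masked
```
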
