Dumping Kernel Service Table from WinDbg

You can use the following commands in WinDbg to dump the system service table nicely. Of course, you need to be connected to the remote system's kernel or have a kernel dump file loaded.

Dumping KeServiceDescriptorTable

0:kd> dds poi(nt!KeServiceDescriptorTable) L poi(nt!KeServiceDescriptorTable+8)
808341b0 8092023a nt!NtAcceptConnectPort
808341b4 8096b71e nt!NtAccessCheck
808341b8 8096f9be nt!NtAccessCheckAndAuditAlarm
...
80834640 80994ea4 nt!NtWaitForKeyedEvent
80834644 80944e6c nt!NtQueryPortInformationProcess
80834648 8094546e nt!NtGetCurrentProcessorNumber
8083464c 809390f8 nt!NtWaitForMultipleObjects32

Dumping KeServiceDescriptorTableShadow

0:kd> dds poi(nt!KeServiceDescriptorTableShadow+10) L poi(nt!KeServiceDescriptorTableShadow+18)
bf9a3000 bf92bf8c win32k!NtGdiAbortDoc
bf9a3004 bf941589 win32k!NtGdiAbortPath
bf9a3008 bf818ddf win32k!NtGdiAddFontResourceW
bf9a300c bf936c02 win32k!NtGdiAddRemoteFontToDC
...
bf9a3a50 bf9515d6 win32k!NtGdiBRUSHOBJ_DeleteRbrush
bf9a3a54 bf94ec39 win32k!NtGdiUMPDEngFreeUserMem
bf9a3a58 bf944082 win32k!NtGdiDrawStream
bf9a3a5c bf9459a0 win32k!UMPDDrvQuerySpoolType
bf9a3a60 bf929d4d win32k!NtGdiMakeObjectUnXferable
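
A parser for saved dds output like the dumps above, as an added example that is not part of the original post: it numbers each slot by its offset from the table base and reports entries whose pointer has no symbol or resolves outside the expected module (nt for KeServiceDescriptorTable, win32k for the shadow table). It assumes 32-bit output with 4-byte slots as shown on this page; the function names are hypothetical, and the exampledrv line and the unsymbolized line are constructed sample input.

```python
import re

# One dds output line: slot address, stored pointer, optional symbol.
# Assumes 32-bit (8 hex digit) values, as in the dumps on this page.
DDS_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?\s*$", re.I)

def parse_dds(text, entry_size=4):
    """Return (index, target, symbol) tuples; index is derived from the slot address."""
    entries, base = [], None
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue  # skip the kd prompt, blank lines and "..." elisions
        slot, target = int(m.group(1), 16), int(m.group(2), 16)
        if base is None:
            base = slot  # the first slot printed is the table base
        entries.append(((slot - base) // entry_size, target, m.group(3)))
    return entries

def unexpected_entries(entries, expected_module):
    """Entries whose pointer has no symbol or resolves outside expected_module."""
    flagged = []
    for index, target, symbol in entries:
        module = symbol.split("!")[0].split("+")[0].lower() if symbol else None
        if module != expected_module.lower():
            flagged.append((index, target, symbol))
    return flagged

# Constructed sample: the first three lines are copied from the page's output;
# the last two are made up (a pointer into a fictional module, and no symbol).
SAMPLE = """\
808341b0 8092023a nt!NtAcceptConnectPort
808341b4 8096b71e nt!NtAccessCheck
808341b8 8096f9be nt!NtAccessCheckAndAuditAlarm
808341bc f7a41230 exampledrv+0x1230
808341c0 f7b00010
"""

if __name__ == "__main__":
    for index, target, symbol in unexpected_entries(parse_dds(SAMPLE), "nt"):
        print(f"service 0x{index:x}: {target:08x} {symbol or '<no symbol>'}")
```

Because the index comes from the slot address, entries after a "..." elision keep their real service numbers.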
