Display Type
Display Type:
0:004> dt ntdll!_TEB
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : Ptr32 Void
+0x020 ClientId : _CLIENT_ID
+0x028 ActiveRpcHandle : Ptr32 Void
+0x02c ThreadLocalStoragePointer : Ptr32 Void
+0x030 ProcessEnvironmentBlock : Ptr32 _PEB
+0x034 LastErrorValue : Uint4B
+0x038 CountOfOwnedCriticalSections : Uint4B
+0x03c CsrClientThread : Ptr32 Void
+0x040 Win32ThreadInfo : Ptr32 Void
+0x044 User32Reserved : [26] Uint4B
+0x0ac UserReserved : [5] Uint4B
+0x0c0 WOW32Reserved : Ptr32 Void
+0x0c4 CurrentLocale : Uint4B
+0x0c8 FpSoftwareStatusRegister : Uint4B
+0x0cc ReservedForDebuggerInstrumentation : [16] Ptr32 Void
+0x10c SystemReserved1 : [26] Ptr32 Void
+0x174 PlaceholderCompatibilityMode : Char
+0x175 PlaceholderReserved : [11] Char
+0x180 ProxiedProcessId : Uint4B
+0x184 _ActivationStack : _ACTIVATION_CONTEXT_STACK
+0x19c WorkingOnBehalfTicket : [8] UChar
+0x1a4 ExceptionCode : Int4B
+0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK
+0x1ac InstrumentationCallbackSp : Uint4B
+0x1b0 InstrumentationCallbackPreviousPc : Uint4B
+0x1b4 InstrumentationCallbackPreviousSp : Uint4B
+0x1b8 InstrumentationCallbackDisabled : UChar
+0x1b9 SpareBytes : [23] UChar
+0x1d0 TxFsContext : Uint4B
+0x1d4 GdiTebBatch : _GDI_TEB_BATCH
+0x6b4 RealClientId : _CLIENT_ID
+0x6bc GdiCachedProcessHandle : Ptr32 Void
+0x6c0 GdiClientPID : Uint4B
+0x6c4 GdiClientTID : Uint4B
+0x6c8 GdiThreadLocalInfo : Ptr32 Void
+0x6cc Win32ClientInfo : [62] Uint4B
+0x7c4 glDispatchTable : [233] Ptr32 Void
+0xb68 glReserved1 : [29] Uint4B
+0xbdc glReserved2 : Ptr32 Void
+0xbe0 glSectionInfo : Ptr32 Void
+0xbe4 glSection : Ptr32 Void
+0xbe8 glTable : Ptr32 Void
+0xbec glCurrentRC : Ptr32 Void
+0xbf0 glContext : Ptr32 Void
+0xbf4 LastStatusValue : Uint4B
+0xbf8 StaticUnicodeString : _UNICODE_STRING
+0xc00 StaticUnicodeBuffer : [261] Wchar
+0xe0c DeallocationStack : Ptr32 Void
+0xe10 TlsSlots : [64] Ptr32 Void
+0xf10 TlsLinks : _LIST_ENTRY
+0xf18 Vdm : Ptr32 Void
+0xf1c ReservedForNtRpc : Ptr32 Void
+0xf20 DbgSsReserved : [2] Ptr32 Void
+0xf28 HardErrorMode : Uint4B
+0xf2c Instrumentation : [9] Ptr32 Void
+0xf50 ActivityId : _GUID
+0xf60 SubProcessTag : Ptr32 Void
+0xf64 PerflibData : Ptr32 Void
+0xf68 EtwTraceData : Ptr32 Void
+0xf6c WinSockData : Ptr32 Void
+0xf70 GdiBatchCount : Uint4B
+0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER
+0xf74 IdealProcessorValue : Uint4B
+0xf74 ReservedPad0 : UChar
+0xf75 ReservedPad1 : UChar
+0xf76 ReservedPad2 : UChar
+0xf77 IdealProcessor : UChar
+0xf78 GuaranteedStackBytes : Uint4B
+0xf7c ReservedForPerf : Ptr32 Void
+0xf80 ReservedForOle : Ptr32 Void
+0xf84 WaitingOnLoaderLock : Uint4B
+0xf88 SavedPriorityState : Ptr32 Void
+0xf8c ReservedForCodeCoverage : Uint4B
+0xf90 ThreadPoolData : Ptr32 Void
+0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
+0xf98 MuiGeneration : Uint4B
+0xf9c IsImpersonating : Uint4B
+0xfa0 NlsCache : Ptr32 Void
+0xfa4 pShimData : Ptr32 Void
+0xfa8 HeapVirtualAffinity : Uint2B
+0xfaa LowFragHeapDataSlot : Uint2B
+0xfac CurrentTransactionHandle : Ptr32 Void
+0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
+0xfb4 FlsData : Ptr32 Void
+0xfb8 PreferredLanguages : Ptr32 Void
+0xfbc UserPrefLanguages : Ptr32 Void
+0xfc0 MergedPrefLanguages : Ptr32 Void
+0xfc4 MuiImpersonation : Uint4B
+0xfc8 CrossTebFlags : Uint2B
+0xfc8 SpareCrossTebBits : Pos 0, 16 Bits
+0xfca SameTebFlags : Uint2B
+0xfca SafeThunkCall : Pos 0, 1 Bit
+0xfca InDebugPrint : Pos 1, 1 Bit
+0xfca HasFiberData : Pos 2, 1 Bit
+0xfca SkipThreadAttach : Pos 3, 1 Bit
+0xfca WerInShipAssertCode : Pos 4, 1 Bit
+0xfca RanProcessInit : Pos 5, 1 Bit
+0xfca ClonedThread : Pos 6, 1 Bit
+0xfca SuppressDebugMsg : Pos 7, 1 Bit
+0xfca DisableUserStackWalk : Pos 8, 1 Bit
+0xfca RtlExceptionAttached : Pos 9, 1 Bit
+0xfca InitialThread : Pos 10, 1 Bit
+0xfca SessionAware : Pos 11, 1 Bit
+0xfca LoadOwner : Pos 12, 1 Bit
+0xfca LoaderWorker : Pos 13, 1 Bit
+0xfca SkipLoaderInit : Pos 14, 1 Bit
+0xfca SpareSameTebBits : Pos 15, 1 Bit
+0xfcc TxnScopeEnterCallback : Ptr32 Void
+0xfd0 TxnScopeExitCallback : Ptr32 Void
+0xfd4 TxnScopeContext : Ptr32 Void
+0xfd8 LockCount : Uint4B
+0xfdc WowTebOffset : Int4B
+0xfe0 ResourceRetValue : Ptr32 Void
+0xfe4 ReservedForWdf : Ptr32 Void
+0xfe8 ReservedForCrt : Uint8B
+0xff0 EffectiveContainerId : _GUID
Fields that are themselves structures can be recognized by their type: the type name starts with an underscore (_) and is written in capital letters, for example _NT_TIB or _CLIENT_ID.
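To see the actual values rather than just the layout, we can pass dt the address of the TEB, which WinDbg exposes through the $teb pseudo-register.
By supplying the -r flag to the dt command, WinDbg will recursively display nested structures where present. In the output below, the members of nested structures, such as _NT_TIB and the _PEB referenced by ProcessEnvironmentBlock, are expanded in place beneath their parent field.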
0:009> dt -r ntdll!_TEB @$teb
+0x000 NtTib : _NT_TIB
+0x000 ExceptionList : 0x06daf8a0 _EXCEPTION_REGISTRATION_RECORD
+0x000 Next : 0x06daf8fc _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x77917390 _EXCEPTION_DISPOSITION ntdll!_except_handler4+0
+0x004 StackBase : 0x06db0000 Void
+0x008 StackLimit : 0x06dac000 Void
+0x00c SubSystemTib : (null)
+0x010 FiberData : 0x00001e00 Void
+0x010 Version : 0x1e00
+0x014 ArbitraryUserPointer : (null)
+0x018 Self : 0x02eb8000 _NT_TIB
+0x000 ExceptionList : 0x06daf8a0 _EXCEPTION_REGISTRATION_RECORD
+0x004 StackBase : 0x06db0000 Void
+0x008 StackLimit : 0x06dac000 Void
+0x00c SubSystemTib : (null)
+0x010 FiberData : 0x00001e00 Void
+0x010 Version : 0x1e00
+0x014 ArbitraryUserPointer : (null)
+0x018 Self : 0x02eb8000 _NT_TIB
+0x01c EnvironmentPointer : (null)
+0x020 ClientId : _CLIENT_ID
+0x000 UniqueProcess : 0x00001fbc Void
+0x004 UniqueThread : 0x000019f4 Void
+0x028 ActiveRpcHandle : (null)
+0x02c ThreadLocalStoragePointer : (null)
+0x030 ProcessEnvironmentBlock : 0x02eae000 _PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0x4 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 IsPackagedProcess : 0y0
+0x003 IsAppContainer : 0y0
+0x003 IsProtectedProcessLight : 0y0
+0x003 IsLongPathAwareProcess : 0y0
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x00dc0000 Void
+0x00c Ldr : 0x7799ab40 _PEB_LDR_DATA
+0x000 Length : 0x30
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3041d58 - 0x30602a8 ]
+0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x3041d60 - 0x30602b0 ]
+0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x3041c80 - 0x30602b8 ]
+0x024 EntryInProgress : (null)
+0x028 ShutdownInProgress : 0 ''
+0x02c ShutdownThreadId : (null)
+0x010 ProcessParameters : 0x03041568 _RTL_USER_PROCESS_PARAMETERS
+0x000 MaximumLength : 0x610
+0x004 Length : 0x610
+0x008 Flags : 0x6001
+0x00c DebugFlags : 0
+0x010 ConsoleHandle : (null)
+0x014 ConsoleFlags : 0
+0x018 StandardInput : (null)
+0x01c StandardOutput : 0x00010001 Void
+0x020 StandardError : (null)
+0x024 CurrentDirectory : _CURDIR
+0x030 DllPath : _UNICODE_STRING ""
+0x038 ImagePathName : _UNICODE_STRING "C:\\Windows\\system32\\notepad.exe"
+0x040 CommandLine : _UNICODE_STRING ""C:\\Windows\\system32\\notepad.exe" "
+0x048 Environment : 0x03040ae0 Void
+0x04c StartingX : 0
+0x050 StartingY : 0
+0x054 CountX : 0
+0x058 CountY : 0
+0x05c CountCharsX : 0
+0x060 CountCharsY : 0
+0x064 FillAttribute : 0
+0x068 WindowFlags : 0xc01
+0x06c ShowWindowFlags : 1
+0x070 WindowTitle : _UNICODE_STRING "C:\\Users\\Offsec\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk"
+0x078 DesktopInfo : _UNICODE_STRING "Winsta0\\Default"
+0x080 ShellInfo : _UNICODE_STRING ""
+0x088 RuntimeData : _UNICODE_STRING ""
+0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
+0x290 EnvironmentSize : 0xa80
+0x294 EnvironmentVersion : 1
+0x298 PackageDependencyData : (null)
+0x29c ProcessGroupId : 0x23c
+0x2a0 LoaderThreads : 0
+0x014 SubSystemData : 0x731b6b30 Void
+0x018 ProcessHeap : 0x03040000 Void
+0x01c FastPebLock : 0x7799a940 _RTL_CRITICAL_SECTION
+0x000 DebugInfo : 0xffffffff _RTL_CRITICAL_SECTION_DEBUG
+0x004 LockCount : 0n-1
+0x008 RecursionCount : 0n0
+0x00c OwningThread : (null)
+0x010 LockSemaphore : (null)
+0x014 SpinCount : 0x20007d0
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 0
+0x028 ProcessInJob : 0y0
+0x028 ProcessInitializing : 0y0
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x028 ProcessPreviouslyThrottled : 0y0
+0x028 ProcessCurrentlyThrottled : 0y0
+0x028 ReservedBits0 : 0y0000000000000000000000000 (0)
+0x02c KernelCallbackTable : 0x772d10e8 Void
+0x02c UserSharedInfoPtr : 0x772d10e8 Void
+0x030 SystemReserved : 0
+0x034 AtlThunkSListPtr32 : (null)
+0x038 ApiSetMap : 0x00d30000 Void
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x7799ab98 Void
+0x044 TlsBitmapBits : [2] 0xffffffff
+0x04c ReadOnlySharedMemoryBase : 0x7f550000 Void
+0x050 SharedData : (null)
+0x054 ReadOnlyStaticServerData : 0x7f5504a0 -> (null)
+0x058 AnsiCodePageData : 0x7f650000 Void
+0x05c OemCodePageData : 0x7f660224 Void
+0x060 UnicodeCaseTableData : 0x7f670648 Void
+0x064 NumberOfProcessors : 2
+0x068 NtGlobalFlag : 0
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x000 LowPart : 0x79b8000
+0x004 HighPart : 0n-6035
+0x000 u : <unnamed-tag>
+0x000 QuadPart : 0n-25920000000000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 4
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x77999660 -> 0x03040000 Void
+0x094 GdiSharedHandleTable : 0x033b0000 Void
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0x14
+0x0a0 LoaderLock : 0x779983c0 _RTL_CRITICAL_SECTION
+0x000 DebugInfo : 0x779986e4 _RTL_CRITICAL_SECTION_DEBUG
+0x004 LockCount : 0n-1
+0x008 RecursionCount : 0n0
+0x00c OwningThread : (null)
+0x010 LockSemaphore : (null)
+0x014 SpinCount : 0x4000000
+0x0a4 OSMajorVersion : 0xa
+0x0a8 OSMinorVersion : 0
+0x0ac OSBuildNumber : 0x3fab
+0x0ae OSCSDVersion : 0
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 2
+0x0b8 ImageSubsystemMajorVersion : 0xa
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ActiveProcessAffinityMask : 3
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x7799ab88 Void
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 1
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : <unnamed-tag>
+0x000 QuadPart : 0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : <unnamed-tag>
+0x000 QuadPart : 0
+0x1e8 pShimData : 0x00db0000 Void
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 2
+0x004 Buffer : 0x7f5504e2 ""
+0x1f8 ActivationContextData : 0x00da0000 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : 0x030480b0 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : 0x00d90000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : 0x0304e288 _FLS_CALLBACK_INFO
+0x210 FlsListHead : _LIST_ENTRY [ 0x304e078 - 0x30af968 ]
+0x000 Flink : 0x0304e078 _LIST_ENTRY [ 0x30702c8 - 0x2eae210 ]
+0x004 Blink : 0x030af968 _LIST_ENTRY [ 0x2eae210 - 0x309d180 ]
+0x218 FlsBitmap : 0x7799abc0 Void
+0x21c FlsBitmapBits : [4] 0x7f
+0x22c FlsHighIndex : 6
+0x230 WerRegistrationData : (null)
+0x234 WerShipAssertPtr : (null)
+0x238 pUnused : (null)
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : 0y0
+0x240 CritSecTracingEnabled : 0y0
+0x240 LibLoaderTracingEnabled : 0y0
+0x240 SpareTracingBits : 0y00000000000000000000000000000 (0)
+0x248 CsrServerReadOnlySharedMemoryBase : 0x7f0e0000
+0x250 TppWorkerpListLock : 0
+0x254 TppWorkerpList : _LIST_ENTRY [ 0x324f8c4 - 0x6d6f918 ]
+0x000 Flink : 0x0324f8c4 _LIST_ENTRY [ 0x328fd8c - 0x2eae254 ]
+0x004 Blink : 0x06d6f918 _LIST_ENTRY [ 0x2eae254 - 0x5c3fc24 ]
+0x25c WaitOnAddressHashTable : [128] (null)
+0x45c TelemetryCoverageHeader : (null)
+0x460 CloudFileFlags : 0
+0x034 LastErrorValue : 0
+0x038 CountOfOwnedCriticalSections : 0
+0x03c CsrClientThread : (null)
+0x040 Win32ThreadInfo : (null)
+0x044 User32Reserved : [26] 0
+0x0ac UserReserved : [5] 0
+0x0c0 WOW32Reserved : (null)
+0x0c4 CurrentLocale : 0x409
+0x0c8 FpSoftwareStatusRegister : 0
+0x0cc ReservedForDebuggerInstrumentation : [16] (null)
+0x10c SystemReserved1 : [26] (null)
+0x174 PlaceholderCompatibilityMode : 0 ''
+0x175 PlaceholderReserved : [11] ""
+0x180 ProxiedProcessId : 0
+0x184 _ActivationStack : _ACTIVATION_CONTEXT_STACK
+0x000 ActiveFrame : (null)
+0x004 FrameListCache : _LIST_ENTRY [ 0x2eb8188 - 0x2eb8188 ]
+0x000 Flink : 0x02eb8188 _LIST_ENTRY [ 0x2eb8188 - 0x2eb8188 ]
+0x004 Blink : 0x02eb8188 _LIST_ENTRY [ 0x2eb8188 - 0x2eb8188 ]
+0x00c Flags : 2
+0x010 NextCookieSequenceNumber : 1
+0x014 StackId : 0x504f9
+0x19c WorkingOnBehalfTicket : [8] ""
+0x1a4 ExceptionCode : 0n0
+0x1a8 ActivationContextStackPointer : 0x02eb8184 _ACTIVATION_CONTEXT_STACK
+0x000 ActiveFrame : (null)
+0x004 FrameListCache : _LIST_ENTRY [ 0x2eb8188 - 0x2eb8188 ]
+0x000 Flink : 0x02eb8188 _LIST_ENTRY [ 0x2eb8188 - 0x2eb8188 ]
+0x004 Blink : 0x02eb8188 _LIST_ENTRY [ 0x2eb8188 - 0x2eb8188 ]
+0x00c Flags : 2
+0x010 NextCookieSequenceNumber : 1
+0x014 StackId : 0x504f9
+0x1ac InstrumentationCallbackSp : 0
+0x1b0 InstrumentationCallbackPreviousPc : 0
+0x1b4 InstrumentationCallbackPreviousSp : 0
+0x1b8 InstrumentationCallbackDisabled : 0 ''
+0x1b9 SpareBytes : [23] ""
+0x1d0 TxFsContext : 0xfffe
+0x1d4 GdiTebBatch : _GDI_TEB_BATCH
+0x000 Offset : 0y0000000000000000000000000000000 (0)
+0x000 HasRenderingCommand : 0y0
+0x004 HDC : 0
+0x008 Buffer : [310] 0
+0x6b4 RealClientId : _CLIENT_ID
+0x000 UniqueProcess : 0x00001fbc Void
+0x004 UniqueThread : 0x000019f4 Void
+0x6bc GdiCachedProcessHandle : (null)
+0x6c0 GdiClientPID : 0
+0x6c4 GdiClientTID : 0
+0x6c8 GdiThreadLocalInfo : (null)
+0x6cc Win32ClientInfo : [62] 0
+0x7c4 glDispatchTable : [233] (null)
+0xb68 glReserved1 : [29] 0
+0xbdc glReserved2 : (null)
+0xbe0 glSectionInfo : (null)
+0xbe4 glSection : (null)
+0xbe8 glTable : (null)
+0xbec glCurrentRC : (null)
+0xbf0 glContext : (null)
+0xbf4 LastStatusValue : 0
+0xbf8 StaticUnicodeString : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0x20a
+0x004 Buffer : 0x02eb8c00 ""
+0xc00 StaticUnicodeBuffer : [261] ""
+0xe0c DeallocationStack : 0x06d70000 Void
+0xe10 TlsSlots : [64] (null)
+0xf10 TlsLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x000 Flink : (null)
+0x004 Blink : (null)
+0xf18 Vdm : (null)
+0xf1c ReservedForNtRpc : (null)
+0xf20 DbgSsReserved : [2] (null)
+0xf28 HardErrorMode : 0
+0xf2c Instrumentation : [9] (null)
+0xf50 ActivityId : _GUID {00000000-0000-0000-0000-000000000000}
+0x000 Data1 : 0
+0x004 Data2 : 0
+0x006 Data3 : 0
+0x008 Data4 : [8] ""
+0xf60 SubProcessTag : (null)
+0xf64 PerflibData : (null)
+0xf68 EtwTraceData : (null)
+0xf6c WinSockData : (null)
+0xf70 GdiBatchCount : 0
+0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER
+0x000 Group : 0
+0x002 Number : 0 ''
+0x003 Reserved : 0 ''
+0xf74 IdealProcessorValue : 0
+0xf74 ReservedPad0 : 0 ''
+0xf75 ReservedPad1 : 0 ''
+0xf76 ReservedPad2 : 0 ''
+0xf77 IdealProcessor : 0 ''
+0xf78 GuaranteedStackBytes : 0
+0xf7c ReservedForPerf : (null)
+0xf80 ReservedForOle : (null)
+0xf84 WaitingOnLoaderLock : 0
+0xf88 SavedPriorityState : (null)
+0xf8c ReservedForCodeCoverage : 0
+0xf90 ThreadPoolData : (null)
+0xf94 TlsExpansionSlots : (null)
+0xf98 MuiGeneration : 0
+0xf9c IsImpersonating : 0
+0xfa0 NlsCache : (null)
+0xfa4 pShimData : (null)
+0xfa8 HeapVirtualAffinity : 0
+0xfaa LowFragHeapDataSlot : 0
+0xfac CurrentTransactionHandle : (null)
+0xfb0 ActiveFrame : (null)
+0xfb4 FlsData : (null)
+0xfb8 PreferredLanguages : (null)
+0xfbc UserPrefLanguages : (null)
+0xfc0 MergedPrefLanguages : (null)
+0xfc4 MuiImpersonation : 0
+0xfc8 CrossTebFlags : 0
+0xfc8 SpareCrossTebBits : 0y0000000000000000 (0)
+0xfca SameTebFlags : 0x208
+0xfca SafeThunkCall : 0y0
+0xfca InDebugPrint : 0y0
+0xfca HasFiberData : 0y0
+0xfca SkipThreadAttach : 0y1
+0xfca WerInShipAssertCode : 0y0
+0xfca RanProcessInit : 0y0
+0xfca ClonedThread : 0y0
+0xfca SuppressDebugMsg : 0y0
+0xfca DisableUserStackWalk : 0y0
+0xfca RtlExceptionAttached : 0y1
+0xfca InitialThread : 0y0
+0xfca SessionAware : 0y0
+0xfca LoadOwner : 0y0
+0xfca LoaderWorker : 0y0
+0xfca SkipLoaderInit : 0y0
+0xfca SpareSameTebBits : 0y0
+0xfcc TxnScopeEnterCallback : (null)
+0xfd0 TxnScopeExitCallback : (null)
+0xfd4 TxnScopeContext : (null)
+0xfd8 LockCount : 0
+0xfdc WowTebOffset : 0n0
+0xfe0 ResourceRetValue : (null)
+0xfe4 ReservedForWdf : (null)
+0xfe8 ReservedForCrt : 0
+0xff0 EffectiveContainerId : _GUID {00000000-0000-0000-0000-000000000000}
+0x000 Data1 : 0
+0x004 Data2 : 0
+0x006 Data3 : 0
+0x008 Data4 : [8] ""
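We can also display specific fields in the structure by passing the name of the field as an additional parameter.
For example, using field names from the output above: the first command fails because ProcessParameters is a member of the nested _PEB, not of _TEB itself, while SessionAware is a direct member of _TEB and is displayed.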
0:009> dt ntdll!_TEB @$teb ProcessParameters
Cannot find specified field members.
0:009> dt ntdll!_TEB @$teb SessionAware
+0xfca SessionAware : 0y0
Display the size of a structure
0:009> ?? sizeof(ntdll!_TEB)
unsigned int 0x1000
dt can dump other structures in the same way, such as the PEB:
0:009> dt ntdll!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit
+0x003 IsPackagedProcess : Pos 4, 1 Bit
+0x003 IsAppContainer : Pos 5, 1 Bit
+0x003 IsProtectedProcessLight : Pos 6, 1 Bit
+0x003 IsLongPathAwareProcess : Pos 7, 1 Bit
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : Ptr32 _SLIST_HEADER
+0x024 IFEOKey : Ptr32 Void
+0x028 CrossProcessFlags : Uint4B
+0x028 ProcessInJob : Pos 0, 1 Bit
+0x028 ProcessInitializing : Pos 1, 1 Bit
+0x028 ProcessUsingVEH : Pos 2, 1 Bit
+0x028 ProcessUsingVCH : Pos 3, 1 Bit
+0x028 ProcessUsingFTH : Pos 4, 1 Bit
+0x028 ProcessPreviouslyThrottled : Pos 5, 1 Bit
+0x028 ProcessCurrentlyThrottled : Pos 6, 1 Bit
+0x028 ReservedBits0 : Pos 7, 25 Bits
+0x02c KernelCallbackTable : Ptr32 Void
+0x02c UserSharedInfoPtr : Ptr32 Void
+0x030 SystemReserved : Uint4B
+0x034 AtlThunkSListPtr32 : Ptr32 _SLIST_HEADER
+0x038 ApiSetMap : Ptr32 Void
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : [2] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 SharedData : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : Uint4B
+0x0a8 OSMinorVersion : Uint4B
+0x0ac OSBuildNumber : Uint2B
+0x0ae OSCSDVersion : Uint2B
+0x0b0 OSPlatformId : Uint4B
+0x0b4 ImageSubsystem : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ActiveProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer : [34] Uint4B
+0x14c PostProcessInitRoutine : Ptr32 void
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [32] Uint4B
+0x1d4 SessionId : Uint4B
+0x1d8 AppCompatFlags : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x1e8 pShimData : Ptr32 Void
+0x1ec AppCompatInfo : Ptr32 Void
+0x1f0 CSDVersion : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x208 MinimumStackCommit : Uint4B
+0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
+0x210 FlsListHead : _LIST_ENTRY
+0x218 FlsBitmap : Ptr32 Void
+0x21c FlsBitmapBits : [4] Uint4B
+0x22c FlsHighIndex : Uint4B
+0x230 WerRegistrationData : Ptr32 Void
+0x234 WerShipAssertPtr : Ptr32 Void
+0x238 pUnused : Ptr32 Void
+0x23c pImageHeaderHash : Ptr32 Void
+0x240 TracingFlags : Uint4B
+0x240 HeapTracingEnabled : Pos 0, 1 Bit
+0x240 CritSecTracingEnabled : Pos 1, 1 Bit
+0x240 LibLoaderTracingEnabled : Pos 2, 1 Bit
+0x240 SpareTracingBits : Pos 3, 29 Bits
+0x248 CsrServerReadOnlySharedMemoryBase : Uint8B
+0x250 TppWorkerpListLock : Uint4B
+0x254 TppWorkerpList : _LIST_ENTRY
+0x25c WaitOnAddressHashTable : [128] Ptr32 Void
+0x45c TelemetryCoverageHeader : Ptr32 Void
+0x460 CloudFileFlags : Uint4B
Display the PEB structure recursively, using the $peb pseudo-register:
0:009> dt -r ntdll!_PEB @$peb
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0x4 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 IsPackagedProcess : 0y0
+0x003 IsAppContainer : 0y0
+0x003 IsProtectedProcessLight : 0y0
+0x003 IsLongPathAwareProcess : 0y0
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x00dc0000 Void
+0x00c Ldr : 0x7799ab40 _PEB_LDR_DATA
+0x000 Length : 0x30
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3041d58 - 0x30602a8 ]
+0x000 Flink : 0x03041d58 _LIST_ENTRY [ 0x3041c70 - 0x7799ab4c ]
+0x004 Blink : 0x030602a8 _LIST_ENTRY [ 0x7799ab4c - 0x305fe88 ]
+0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x3041d60 - 0x30602b0 ]
+0x000 Flink : 0x03041d60 _LIST_ENTRY [ 0x3041c78 - 0x7799ab54 ]
+0x004 Blink : 0x030602b0 _LIST_ENTRY [ 0x7799ab54 - 0x305fe90 ]
+0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x3041c80 - 0x30602b8 ]
+0x000 Flink : 0x03041c80 _LIST_ENTRY [ 0x3042458 - 0x7799ab5c ]
+0x004 Blink : 0x030602b8 _LIST_ENTRY [ 0x7799ab5c - 0x305fe98 ]
+0x024 EntryInProgress : (null)
+0x028 ShutdownInProgress : 0 ''
+0x02c ShutdownThreadId : (null)
+0x010 ProcessParameters : 0x03041568 _RTL_USER_PROCESS_PARAMETERS
+0x000 MaximumLength : 0x610
+0x004 Length : 0x610
+0x008 Flags : 0x6001
+0x00c DebugFlags : 0
+0x010 ConsoleHandle : (null)
+0x014 ConsoleFlags : 0
+0x018 StandardInput : (null)
+0x01c StandardOutput : 0x00010001 Void
+0x020 StandardError : (null)
+0x024 CurrentDirectory : _CURDIR
+0x000 DosPath : _UNICODE_STRING "C:\\Users\\Offsec\\"
+0x008 Handle : 0x0000003c Void
+0x030 DllPath : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x038 ImagePathName : _UNICODE_STRING "C:\\Windows\\system32\\notepad.exe"
+0x000 Length : 0x3e
+0x002 MaximumLength : 0x40
+0x004 Buffer : 0x03041a14 "C:\\Windows\\system32\\notepad.exe"
+0x040 CommandLine : _UNICODE_STRING ""C:\\Windows\\system32\\notepad.exe" "
+0x000 Length : 0x44
+0x002 MaximumLength : 0x46
+0x004 Buffer : 0x03041a54 ""C:\\Windows\\system32\\notepad.exe" "
+0x048 Environment : 0x03040ae0 Void
+0x04c StartingX : 0
+0x050 StartingY : 0
+0x054 CountX : 0
+0x058 CountY : 0
+0x05c CountCharsX : 0
+0x060 CountCharsY : 0
+0x064 FillAttribute : 0
+0x068 WindowFlags : 0xc01
+0x06c ShowWindowFlags : 1
+0x070 WindowTitle : _UNICODE_STRING "C:\\Users\\Offsec\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk"
+0x000 Length : 0xba
+0x002 MaximumLength : 0xbc
+0x004 Buffer : 0x03041a9a "C:\\Users\\Offsec\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk"
+0x078 DesktopInfo : _UNICODE_STRING "Winsta0\\Default"
+0x000 Length : 0x1e
+0x002 MaximumLength : 0x20
+0x004 Buffer : 0x03041b56 "Winsta0\\Default"
+0x080 ShellInfo : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 2
+0x004 Buffer : 0x03041b76 ""
+0x088 RuntimeData : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
+0x000 Flags : 0
+0x002 Length : 0
+0x004 TimeStamp : 0
+0x008 DosPath : _STRING ""
+0x290 EnvironmentSize : 0xa80
+0x294 EnvironmentVersion : 1
+0x298 PackageDependencyData : (null)
+0x29c ProcessGroupId : 0x23c
+0x2a0 LoaderThreads : 0
+0x014 SubSystemData : 0x731b6b30 Void
+0x018 ProcessHeap : 0x03040000 Void
+0x01c FastPebLock : 0x7799a940 _RTL_CRITICAL_SECTION
+0x000 DebugInfo : 0xffffffff _RTL_CRITICAL_SECTION_DEBUG
+0x000 Type : ??
+0x002 CreatorBackTraceIndex : ??
+0x004 CriticalSection : ????
+0x008 ProcessLocksList : _LIST_ENTRY
+0x010 EntryCount : ??
+0x014 ContentionCount : ??
+0x018 Flags : ??
+0x01c CreatorBackTraceIndexHigh : ??
+0x01e SpareUSHORT : ??
+0x004 LockCount : 0n-1
+0x008 RecursionCount : 0n0
+0x00c OwningThread : (null)
+0x010 LockSemaphore : (null)
+0x014 SpinCount : 0x20007d0
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 0
+0x028 ProcessInJob : 0y0
+0x028 ProcessInitializing : 0y0
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x028 ProcessPreviouslyThrottled : 0y0
+0x028 ProcessCurrentlyThrottled : 0y0
+0x028 ReservedBits0 : 0y0000000000000000000000000 (0)
+0x02c KernelCallbackTable : 0x772d10e8 Void
+0x02c UserSharedInfoPtr : 0x772d10e8 Void
+0x030 SystemReserved : 0
+0x034 AtlThunkSListPtr32 : (null)
+0x038 ApiSetMap : 0x00d30000 Void
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x7799ab98 Void
+0x044 TlsBitmapBits : [2] 0xffffffff
+0x04c ReadOnlySharedMemoryBase : 0x7f550000 Void
+0x050 SharedData : (null)
+0x054 ReadOnlyStaticServerData : 0x7f5504a0 -> (null)
+0x058 AnsiCodePageData : 0x7f650000 Void
+0x05c OemCodePageData : 0x7f660224 Void
+0x060 UnicodeCaseTableData : 0x7f670648 Void
+0x064 NumberOfProcessors : 2
+0x068 NtGlobalFlag : 0
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x000 LowPart : 0x79b8000
+0x004 HighPart : 0n-6035
+0x000 u : <unnamed-tag>
+0x000 LowPart : 0x79b8000
+0x004 HighPart : 0n-6035
+0x000 QuadPart : 0n-25920000000000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 4
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x77999660 -> 0x03040000 Void
+0x094 GdiSharedHandleTable : 0x033b0000 Void
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0x14
+0x0a0 LoaderLock : 0x779983c0 _RTL_CRITICAL_SECTION
+0x000 DebugInfo : 0x779986e4 _RTL_CRITICAL_SECTION_DEBUG
+0x000 Type : 0
+0x002 CreatorBackTraceIndex : 0
+0x004 CriticalSection : 0x779983c0 _RTL_CRITICAL_SECTION
+0x008 ProcessLocksList : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x010 EntryCount : 0
+0x014 ContentionCount : 0
+0x018 Flags : 1
+0x01c CreatorBackTraceIndexHigh : 0
+0x01e SpareUSHORT : 0
+0x004 LockCount : 0n-1
+0x008 RecursionCount : 0n0
+0x00c OwningThread : (null)
+0x010 LockSemaphore : (null)
+0x014 SpinCount : 0x4000000
+0x0a4 OSMajorVersion : 0xa
+0x0a8 OSMinorVersion : 0
+0x0ac OSBuildNumber : 0x3fab
+0x0ae OSCSDVersion : 0
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 2
+0x0b8 ImageSubsystemMajorVersion : 0xa
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ActiveProcessAffinityMask : 3
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x7799ab88 Void
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 1
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : <unnamed-tag>
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 QuadPart : 0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : <unnamed-tag>
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 QuadPart : 0
+0x1e8 pShimData : 0x00db0000 Void
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 2
+0x004 Buffer : 0x7f5504e2 ""
+0x1f8 ActivationContextData : 0x00da0000 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : 0x030480b0 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : 0x00d90000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : 0x0304e288 _FLS_CALLBACK_INFO
+0x210 FlsListHead : _LIST_ENTRY [ 0x304e078 - 0x30af968 ]
+0x000 Flink : 0x0304e078 _LIST_ENTRY [ 0x30702c8 - 0x2eae210 ]
+0x000 Flink : 0x030702c8 _LIST_ENTRY [ 0x30831d8 - 0x304e078 ]
+0x004 Blink : 0x02eae210 _LIST_ENTRY [ 0x304e078 - 0x30af968 ]
+0x004 Blink : 0x030af968 _LIST_ENTRY [ 0x2eae210 - 0x309d180 ]
+0x000 Flink : 0x02eae210 _LIST_ENTRY [ 0x304e078 - 0x30af968 ]
+0x004 Blink : 0x0309d180 _LIST_ENTRY [ 0x30af968 - 0x309bea8 ]
+0x218 FlsBitmap : 0x7799abc0 Void
+0x21c FlsBitmapBits : [4] 0x7f
+0x22c FlsHighIndex : 6
+0x230 WerRegistrationData : (null)
+0x234 WerShipAssertPtr : (null)
+0x238 pUnused : (null)
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : 0y0
+0x240 CritSecTracingEnabled : 0y0
+0x240 LibLoaderTracingEnabled : 0y0
+0x240 SpareTracingBits : 0y00000000000000000000000000000 (0)
+0x248 CsrServerReadOnlySharedMemoryBase : 0x7f0e0000
+0x250 TppWorkerpListLock : 0
+0x254 TppWorkerpList : _LIST_ENTRY [ 0x324f8c4 - 0x6d6f918 ]
+0x000 Flink : 0x0324f8c4 _LIST_ENTRY [ 0x328fd8c - 0x2eae254 ]
+0x000 Flink : 0x0328fd8c _LIST_ENTRY [ 0x5bffa18 - 0x324f8c4 ]
+0x004 Blink : 0x02eae254 _LIST_ENTRY [ 0x324f8c4 - 0x6d6f918 ]
+0x004 Blink : 0x06d6f918 _LIST_ENTRY [ 0x2eae254 - 0x5c3fc24 ]
+0x000 Flink : 0x02eae254 _LIST_ENTRY [ 0x324f8c4 - 0x6d6f918 ]
+0x004 Blink : 0x05c3fc24 _LIST_ENTRY [ 0x6d6f918 - 0x5bffa18 ]
+0x25c WaitOnAddressHashTable : [128] (null)
+0x45c TelemetryCoverageHeader : (null)
+0x460 CloudFileFlags : 0
Memory read error 0000001d
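Display a sub-structure in the PEB by passing its field name (the second command below passes the type name _LIST_ENTRY instead of a field name and shows no output here):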
0:009> dt ntdll!_PEB @$peb TppWorkerpList
+0x254 TppWorkerpList : _LIST_ENTRY [ 0x324f8c4 - 0x6d6f918 ]
0:009> dt ntdll!_PEB @$peb _LIST_ENTRY
Display the size of the PEB structure
0:009> ?? sizeof(ntdll!_PEB)
unsigned int 0x468