0:000> !mex.help
Mex currently has 255 extensions available. Please specify a keyword to search.
Or browse by category:
All PowerShell[6] SystemCenter[3] Networking[12] Process[5] Mex[2] Kernel[27] DotNet[32] Decompile[15] Utility[40] Thread[27] Binaries[6] General[22]

0:000> !mex.help -cat 'PowerShell'
Command             Description                                                                                                                Category
=================== ========================================================================================================================== ==========
dumpdotsourcedfiles Outputs any dot sourced Powershell files optionally with their accompanying script blocks                                  PowerShell
dumppsvariables     Outputs the Powershell Variables of the currently running script on the current thread                                     PowerShell
dumpstackpscommands Outputs the commands, cmdlets, etc. found on the current thread including those referenced by other objects on the thread. PowerShell
dumpstackpsobjects  Outputs the PSObjects found on the current thread including those referenced by other objects on the thread.               PowerShell
psrunspace          Outputs the runspaces in the process.                                                                                      PowerShell
psscriptblock       Outputs the script blocks in the process.                                                                                  PowerShell

0:000> !mex.help -cat 'SystemCenter'
Command       Description                          Category
============= ==================================== ============
sccm          SCCM                                 SystemCenter
scom (!om)    Utilities for SC Operations Manager. SystemCenter
scsm (!sm)    Utilities for SC Service Manager     SystemCenter

0:000> !mex.help -cat 'Networking'
Command           Description                                                                                 Category
================= =========================================================================================== ==========
afd               Afd Command Help                                                                            Networking
dhcp              Displays information for the DHCP server process                                            Networking
dnsclient (!dnsc) Displays the DNS client cache, and includes many other features for the DNS Client service. Networking
ip                Converts an address into an IP address format                                               Networking
mup               Displays info for the Multiple UNC Provider (MUP)                                           Networking
ncsi              Displays Network Connectivity Status Indicator (NCSI) configuration                         Networking
net               Net Command Help                                                                            Networking
pingtrack         Pingtrack command                                                                           Networking
rasmans           Displays the rasmans!ConnectionBlockList                                                    Networking
srvnet            Displays info on SRVNET                                                                     Networking
tcpip (!tcp)      TCP/IP - Gets TCP and UDP ports from Kernel Memory                                          Networking
winnsi            winnsi Command Help                                                                         Networking

0:000> !mex.help -cat 'Process'
Command                 Description                              Category
======================= ======================================== ========
conhost (!con)          Displays console host (conhost.exe) info Process
ldap                    Displays LDAP client or server details   Process
mappeddrives (!mdrives) Displays mapped drives                   Process
mheap                   A DML'd version of !heap.                Process
p                       Displays process details                 Process

0:000> !mex.help -cat 'Mex'
Command  Description                                                                                                                       Category
======== ================================================================================================================================= ========
fixthis  Preface a broken command with this one to open an email and send it to the Mex team (e.g. !fixthis !otherMexCommandThatDidNotWork Mex
settings Mex Settings                                                                                                                      Mex

0:000> !mex.help -cat 'Kernel'
Command                        Description                                                                                                                                              Category
============================== ======================================================================================================================================================== ========
addr                           Display information about an address                                                                                                                     Kernel
desktop (!desktops)            Displays the desktops for the Windows Stations                                                                                                           Kernel
deviceobject (!devo)           Displays information about a device object                                                                                                               Kernel
driverobject (!drvo)           Displays details about a driver object                                                                                                                   Kernel
dtpool (!dtp)                  Displays information about a pool allocation, if it is a known pooltag we will 1. Try to run the correct extension, or 2. Just dt the structure for you. Kernel
dumpwindowsurfaces (!dws)      Dump window surfaces to a directory                                                                                                                      Kernel
eresource (!eres)              Displays details for a nt!_ERESOURCE                                                                                                                     Kernel
evt                            Show detail for a nt!_KEVENT                                                                                                                             Kernel
fileobject (!fo)               Displays information about a given file object                                                                                                           Kernel
foreachcpu (!fec)              Executes a command on each processor                                                                                                                     Kernel
foreachprocess (!fep)          An implementation of !for_each_process that supports filtering and sets the context before executing                                                     Kernel
listticks (!lticks)            Show tick counts for threads                                                                                                                             Kernel
messagequeue (!mq)             Displays message queue                                                                                                                                   Kernel
mirp                           Displays IRP details (replaces !irp)                                                                                                                     Kernel
mirpfind                       Mex version of IRPFIND                                                                                                                                   Kernel
mreg                           This is a DML'd version of !reg                                                                                                                          Kernel
obj                            Displays details for a given kernel object (object manager)                                                                                              Kernel
obtrace                        Dumps the trace information for an object                                                                                                                Kernel
parsemem                       Walks a range of memory and counts unique byte sequences                                                                                                 Kernel
rxirps                         Displays the list of IRPs stored in rdbss!RxIrpsList                                                                                                     Kernel
tag                            Searches kernel modules for a given pooltag                                                                                                              Kernel
tasklist (!tl)                 Displays information about running tasks (processes)                                                                                                     Kernel
vadmodules (!vadm)             Lists the vads of a process.                                                                                                                             Kernel
vss                            Vss Command Help                                                                                                                                         Kernel
window (!wnd)                  Displays windows for each desktop. You must be in the context of a given session to see that session's windows                                           Kernel
windowstation (!winsta)        Display details for windows station(s)                                                                                                                   Kernel
wq                             Displays executive work queue threads                                                                                                                    Kernel

0:000> !mex.help -cat 'DotNet'
Command                                     Description                                                         Category
=========================================== =================================================================== ========
aspnetcache (!aspnetcache)                  Display the ASP.NET Cache                                           DotNet
aspxpagesext                                Like !aspxpages, but more powerful                                  DotNet
clrstack2 (!ck2)                            Prints the stack trace of a managed thread                          DotNet
cordll (!cordll)                            Displays available CLR versions                                     DotNet
dae (!DumpAllExceptions)                    Replacement for !dae                                                DotNet
delegaterefs (!drefs)                       Displays information about objects referenced by delegates          DotNet
displayobj (!do2)                           Display a managed object structure                                  DotNet
dumpaspnetsession                           Prints information on ASP.NET InProc Sessions                       DotNet
dumpdataset                                 Dumps a list of all DataSet objects                                 DotNet
dumpdynamicassemblies2 (!dda2)              Like !DumpDynamicAssemblies, but better                             DotNet
dumphttpruntime2                            Dumps the HttpRuntime objects on the heap                           DotNet
dumpwcfmessage (!wcfmsg)                    Dumps information about a WCF buffered message                      DotNet
finalizable (!finalizable)                  Displays information about finalizable objects in the GC Heap       DotNet
foreachobject (!feo)                        Runs a command against each CLR object                              DotNet
gchandleinfo (!gchandle)                    Displays information on GC Handles                                  DotNet
gcheapinfo (!gchi)                          Get info on the managed GC Heap                                     DotNet
httpheaders                                 Print the contents of an HttpHeaderCollection                       DotNet
ilspy                                       Automatically extracts the module from the dump, and launches ILSpy DotNet
managedthreads (!mthreads)                  A !threads look-alike, with !aspxpagexext-like output               DotNet
objectsummary                               Outputs object analysis summary                                     DotNet
oracleclientperfcounters                    Display System.Data.OracleClient performance counters               DotNet
printdbcommand                              Prints information about a DBCommand object                         DotNet
printexception2 (!pe2)                      Like !PrintException, with DML                                      DotNet
sqlclientperfcounters                       Display System.Data.SqlClient performance counters                  DotNet
sqlcmd                                      Provides information about ADO.NET Commands to SQL Server           DotNet
sqlcn                                       Provides an overview of ADO.NET connections to SQL Server           DotNet
sqlports (!sqlports)                        Gets the local and remote TCP ports from a SqlConnection object     DotNet
staticfields                                Display static fields of a managed type                             DotNet
svcthreads (!svcthreads)                    Find threads executing WCF services                                 DotNet
tasktriage (!tasks)                         Analyzes the System.Threading.Tasks.Task objects still on the heap. DotNet
wcfperfcounters                             Dumps performance counters for WCF services                         DotNet
wcftcpconnectionpools (!wtcp)               Display WCF Net.TCP connection pools                                DotNet

0:000> !mex.help -cat 'Decompile'
Command               Description                                                                                     Category
===================== =============================================================================================== =========
codescope             Prints all available code analysis checklists                                                   Decompile
decompilemember       Decompile and print psuedo-C# source code for the given [MemberName]                            Decompile
decompiletype         Decompile and print psuedo-C# source code for the given [TypeName]                              Decompile
il                    Prints the IL for the specified method                                                          Decompile
printmanifest         Prints the assembly manifest for the specified module                                           Decompile
printmembers          Scans specified module and type [Module!TypeName] and prints all members                        Decompile
printtypes            Scans specified [Module] and prints all types                                                   Decompile
runcheck (!runchecks) runs the specified check(s) on the specified module(s)                                          Decompile
runchecklist          runs the specified checklist(s) on the specified module(s)                                      Decompile
spdisposecheck        Executes the SharePoint Dispose and Do Not Dispose Checklist items                              Decompile
whocalls              Scans all loaded managed modules and finds methods that call [MethodName]                       Decompile
whoimplements         Scans all loaded managed modules and finds types that implement [InterfaceName]                 Decompile
whoinherits           Scans all loaded managed modules and finds types that inherit [TypeName]                        Decompile
whonews               Scans all loaded managed modules and finds methods that construct [TypeName]                    Decompile
whopins               Scans managed modules and all finds methods that pin objects of a given [TypeName] or all types Decompile

0:000> !mex.help -cat 'Utility'
Command                  Description                                                                              Category
======================== ======================================================================================== ========
atom                     Dumps user mode atom table                                                               Utility
beep                     Beeps                                                                                    Utility
bin                      Displays binary information located at the given address                                 Utility
bits2 (!b2)              Executes a command with all possible values of a single bit flip                         Utility
bl                       Replaces the built in breakpoint list (bl) command with DML'd version                    Utility
bp                       Replaces the built in breakpoint (bp) command with a DML'd version                       Utility
cache (!c)               Cache the output of a command to replay later                                            Utility
clipboard2               Gets/Sets text on the clipboard, or enable/disable clipboard access                      Utility
comment                  Displays the comments for the dump                                                       Utility
computername (!cn)       Computer Name Command Help                                                               Utility
count                    Counts the number of lines returned by a command                                         Utility
cut                      Filters output, removing unwanted areas                                                  Utility
da                       Displays an ANSI string                                                                  Utility
ddt                      Wrapper for dt that adds some DML                                                        Utility
du                       Displays a Unicode string                                                                Utility
dumpinfo (!di)           Display dump information                                                                 Utility
dumptime                 Time Information                                                                         Utility
exec                     Runs a series of commands. Use this instead of using semicolons                          Utility
foreachitem (!fei)       Iterates through a list, executing a command for each item.                              Utility
foreachline (!fel)       Runs a command against every line of data                                                Utility
grep                     Search the output of a command for a specific string or pattern                          Utility
head                     Displays the first X lines of a command's output                                         Utility
if (!mif)                Condition detection based on command output                                              Utility
loop                     Loops either forwards or backwards through a series of numbers with variable replacement Utility
more                     Runs a command in paged mode, asking for input every X lines                             Utility
mrmsg (!msg)             Interprets a Windows message                                                             Utility
outline (!ol)            Outlines the calls inside a given function                                               Utility
readfile                 Read a file from the filesystem and display the output in the debugger                   Utility
rollup (!ru)             Takes an input value and rolls it up to the appropriate bucket (e.g. bytes to GB)        Utility
sort                     Sort command                                                                             Utility
strings                  Prints out readable strings in an address range                                          Utility
sum (!sum)               Sums the output returned by a command                                                    Utility
tac                      Writes input to console, last line first.                                                Utility
tail                     Displays the final X lines of a command's output                                         Utility
time                     Time how long a command takes to execute                                                 Utility
tr (!replace)            Search and Replace. Translate a char/string into another char/string.                    Utility
udescan (!manalyze)      Scans dump for known issues and displays them in human-readable format.                  Utility
uniqlines (!ul)          Prints each line of output and a count of how many times they appeared                   Utility
ver                      Displays OS version info                                                                 Utility
writefile                Runs a command and writes the data to a file                                             Utility

0:000> !mex.help -cat 'Thread'
Command                       Description                                                                                        Category
============================= ================================================================================================== ========
deferredready (!dfr)          Shows the current deferredready threads                                                            Thread
dumpstackstrings (!dss)       Displays all the strings on the stack                                                              Thread
executive                     Displays details on threads waiting on the executive                                               Thread
foreachframe (!fef)           An implementation of !for_each_frame that supports filtering and sets the context before executing Thread
foreachmatchingstack (!fems)  Run a command against identical stacks                                                             Thread
foreachthread (!fet)          An implementation of .for_each_thread that works in user and kernel mode                           Thread
gatewait                      Shows threads with a state of GateWait                                                             Thread
initialized (!init)           Shows the current threads in the initialized state                                                 Thread
listthreads (!lt)             Displays a list of threads                                                                         Thread
ndso                          Native Dump Stack Objects                                                                          Thread
ready (!rdy)                  Shows the currently ready threads                                                                  Thread
running (!cpu)                (Kernel mode only) A brief overview of currently executing threads                                 Thread
searchthreadstacks (!sts)     Searches thread stacks for a value                                                                 Thread
standby (!sby)                Shows the current standby threads                                                                  Thread
suspended                     Displays details on suspended threads                                                              Thread
t                             A new implementation of !thread for user & kernel mode                                             Thread
threadpool (!tp)              Displays information regarding NTDLL thread pools                                                  Thread
threadreport (!trep)          Displays a thread report.                                                                          Thread
transition (!trans)           Shows the current threads in the transition state                                                  Thread
uniquestacks (!us)            Like the built-in !uniqstacks except it associates thread IDs with the stack traces                Thread
userrequest                   Displays details on threads with a wait reason of UserRequest                                      Thread
wrcpuratecontrol              Displays details on threads with a wait reason of WrCpuRateControl                                 Thread
wrexecutive                   Displays details on threads waiting on the executive                                               Thread
wrfastmutex                   Displays details on threads waiting for a Fast Mutex                                               Thread
wrfreepage                    Displays details on threads with a wait reason of WrFreePage                                       Thread
wrlpcreceive (!lpcs)          Displays details on LPC/ALPC server threads                                                        Thread
wrresource                    Displays details on threads with a wait reason of WrResource                                       Thread

0:000> !mex.help -cat 'Binaries'
Command              Description                                                                                 Category
==================== =========================================================================================== ========
chkall               Shortcut for !chkimg against all modules                                                    Binaries
diffimg              Compares the process' loaded module list with a scan of memory and displays any differences Binaries
foreachmodule (!fem) An implementation of !for_each_module that supports filtering                               Binaries
imports              Displays the import table for a module                                                      Binaries
mods                 Displays modules loaded in a process                                                        Binaries
writemodule          Writes a module to your temp directory                                                      Binaries

0:000> !mex.help -cat 'General'
Command                      Description                                                                                                                                            Category
============================ ====================================================================================================================================================== ========
backtrace (!bt)              Displays the stack backtrace for the specified index into ntdll!RtlpStackTraceDatabase                                                                 General
base64 (!b64)                Displays or saves base64 data                                                                                                                          General
classtype (!ct)              Tries to determine the C++ class type of a pointer                                                                                                     General
clusdisk                     Shows all the disk cluster is aware of for W2k3 - W28R2                                                                                                General
commandline (!cl)            Prints out the command line of a process                                                                                                               General
context (!w)                 Prints out the current implicit process and thread context (e.g. where am I)                                                                           General
criticalsection (!cs)        CS - Displays details for a critical section                                                                                                           General
decodeoplockstate (!dols)    Decode an OpLockState to human readable values                                                                                                         General
dr                           Displays registers showing volatile registers highlighted with (*)                                                                                     General
fileserver (!fs)             Displays thread running the SRV.sys or SRV2.sys drivers, excluding threads waiting on inbound work                                                     General
handlefind (!hf)             Find handles for a given kernel object                                                                                                                 General
help                         Help                                                                                                                                                   General
interpretrawstack (!irs)     This command dumps the raw stack and interprets the values as symbols, and as unicode and ansi strings. It will also highlight start and end of frames General
irpbyfilename (!ibfn)        Dump any IRP containing the specified text in filename                                                                                                 General
ndao                         Native Dump ALL Objects - Potentially very slow                                                                                                        General
ndro                         Native Dump Register Objects                                                                                                                           General
phandles (!ph)               Shows a list of currently open printer handles                                                                                                         General
runaway2                     Runaway2.. Replacement for !runaway                                                                                                                    General
services (!service)          Displays details about services. Requires access to the usermode address space of services.exe (userdump of services.exe or complete memory dump)      General
svcreg                       Dumps the passed in service/driver registry key                                                                                                        General
x                            Wrapper for x that adds some DML                                                                                                                       General
xx (!x2)                     Replacement for !x                                                                                                                                     General