SOS Internals – DumpDomain Command

After the threads command in previous article, here comes the dumpdomain command :

!dumpdomain 0014dcf8

The address 0x0014dcf8 is obtained as the address at Domain field in the threads command :

This the typical output after the above command is executed :

Domain 1: 0014dcf8
LowFrequencyHeap: 0014dd1c
HighFrequencyHeap: 0014dd68
StubHeap: 0014ddb4
Stage: OPEN
SecurityDescriptor: 0014f020
Name: CLRTest.exe
Assembly: 00190e90 [C:\WINDOWS\assembly\GAC_32\mscorlib\\mscorlib.dll]
ClassLoader: 00190f10
SecurityDescriptor: 0018eb80
Module Name
790c1000 C:\WINDOWS\assembly\GAC_32\mscorlib\\mscorlib.dll

Assembly: 001944d8 [D:\Projects\CLRTest\bin\Debug\CLRTest.exe]
ClassLoader: 00194558
SecurityDescriptor: 001943d8
Module Name
00c82c5c D:\Projects\CLRTest\bin\Debug\CLRTest.exe

Inside the sos!dumpdomain API function, first, the supplied address is retrieved via GetExpression function :

DWORD_PTR p_DomainAddr = GetExpression (args);

Then it first checked the existence of domain store structure :

DacpAppDomainStoreData adsData;

You can see that this command also depends on existence of g_clrData that I’ve already explained in my previous article about threads command.

If the domain store structure data can’t be accessed then the command will exits after reporting this error :

“Unable to get AppDomain information”

Inside the Request method of DacpAppDomainStoreData we have :



So this is basically the identical Request method with the method that we’ve found in the threads API command call chain. The difference is located in the type of the passed parameters.

In the case of dumpdomain Request, based on the first parameter, the ClrDataAccess::Request will execute :

status = RequestAppDomainStoreData(inBufferSize,


Inside the RequestAppDomainStoreData function, the system and shared domain information is treated as a header data and retrieved using these statements :

DacpAppDomainStoreData* adsData = (DacpAppDomainStoreData*)outBuffer;

adsData->systemDomain = HOST_CDADDR(SystemDomain::System());
adsData->sharedDomain = HOST_CDADDR(SharedDomain::GetDomain());

This function also try to enumerate all create domains in the created domain structure.

Because we specified the address that is not either the system or shared domain, the dumpdomain will try to dump the detail domain information :

DacpAppDomainData appDomain1;

If detail domain structure is not initialized yet, or any other error in fulfilling this request, the dumpdomain will exits after passing this error message :

“Fail to fill AppDomain”

Inside the Request method :



Facing the DACPRIV_REQUEST_APPDOMAIN_DATA parameter, the ClrDataAccess::Request method will execute :

status = RequestAppDomainData(inBufferSize,inBuffer,


Based in given domain address this function will retrieve the domain fields information as follows :

AppDomain* pAppDomain = PTR_AppDomain(TO_TADDR(addr));

appdomainData->AppDomainPtr = HOST_CDADDR(pAppDomain);
appdomainData->AppSecDesc = HOST_CDADDR(pAppDomain->GetSecurityDescriptor());

The PTR_AppDomain is similar to PTR_Thread that will retrieve the correct class instance based on given address value, which is AppDomain class instance.

After all proper fields information is filled to the pAppDomain structure, the dumpdomain then call the DomainInfo to print out the content of each related fields.

If there are assemblies that is already loaded for the specified domain, the DomainInfo function will execute the AssemblyInfo function to dump summary information for each of the loaded assemblies.

To retrieve the assembly information, first, the DomainInfo function will allocated necessary array of assemby addresses :

CLRDATA_ADDRESS *pArray = new CLRDATA_ADDRESS[pDomain->AssemblyCount];

Then it executes the GetAssemblies method to fill out the pArray assembly addresses :



If this method fails, the user will get the error output :

“Unable to get array of Assemblies”

After the pArray is properly filled, based on each adresses, the function will execute the Request, this time against DacpAssemblyData class instance :

DacpAssemblyData assemblyData;
assemblyData.Request(g_clrData,pArray[n], pDomain->AppDomainPtr);

Peering inside the Request method of DacpAssemblyData :

HRESULT Request(IXCLRDataProcess* dac, CLRDATA_ADDRESS addr)
return Request(dac, addr, NULL);

The NULL value is for appDomainPtr which is not used in this context, so inside the Request method with three parameters as above :

return dac->Request(DACPRIV_REQUEST_ASSEMBLY_DATA,sizeof(addr),(PBYTE)&addr,sizeof(*this),(PBYTE)this);

For the parameter, the Request method will execute :

status = RequestAssemblyData(inBufferSize,inBuffer,outBufferSize,outBuffer);

Going further into RequestAssemblyData function :

DacpAssemblyData* assemblyData = (DacpAssemblyData*)outBuffer;
Assembly* pAssembly = PTR_Assembly(TO_TADDR(addr));

AppDomain* pDomain = NULL;
if (assemblyData->AppDomainPtr != NULL)
pDomain = PTR_AppDomain(TO_TADDR(assemblyData->AppDomainPtr));

assemblyData->AssemblyPtr = HOST_CDADDR(pAssembly);
assemblyData->ClassLoader = HOST_CDADDR(pAssembly->GetLoader());
assemblyData->ParentDomain = HOST_CDADDR(pAssembly->GetDomain());

After all the necessary fields is retrieve, it will calls the AssemblyInfo :


To print out detail assembly information.

If you reads my previous article about threads command, you will see the repetition of Request and private data structure pattern inside the CLR Framework. Here is the table that will give you the overall information about CLR internal data structures and its methods of access :


5 Responses to “SOS Internals – DumpDomain Command”

  1. คลิปโป๊ออนไลน์ Says:

    Hi there everybody, here every one is sharing these know-how, therefore it’s pleasant to read this weblog,
    and I used to go to see this weblog everyday.

  2. Debt Collection Says:

    Generally I do not read article on blogs, however I wish to
    say that this write-up very pressured me to take
    a look at and do it! Your writing style has been surprised me.
    Thanks, quite great post.

  3. debt collector Says:

    I’m not that much of a online reader to be honest but your
    blogs really nice, keep it up! I’ll go ahead and bookmark
    your website to come back later. Cheers

  4. bluehost aol westhost webmail login screen Says:

    If you have to waste your time to deal with web hosting company due to downtimes and server failure
    then you won’t be able to concentrate on your real business.
    Should your merchant is of a mother or father company, also confirm the parent or guardian firm’s internet site for a settlement
    or perhaps outlet area. Coordinator gator world-wide-web internet
    hosting companies is in probability the #1 web page variety about the online world, nonetheless could it be definitely some wonderful.
    Use only the plugins you really need, and delete the rest.
    Enjoy Bluehost Coupons and Promo Codes and Save up to 75% off Orders:
    . In this review, details and comments are from actual users of the service.

    It might be your first time to grab a domain name so your are looking for domain name registration process guide.
    ll be asked to check the email address of the domain name.
    The company has a lot to offer to its clients, making it the best pick amongst different web hosts in the market today.

    A wealthy FAQ and tutorial update is uploaded typically to confirm
    that clients are well informed.

  5. executive resume best practices Says:

    executive resume best practices

    SOS Internals – DumpDomain Command | Welcome to the Corner of Excellence

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: