Geoff Chappell - Software Analyst
The USEREXTS debugger extension as supplied with the Device Driver Kit (DDK) for both Windows NT 4.0 and Windows 2000 exports a dso function and thus supports a !dso command.
The !dso command is in some sense an early form of what Microsoft’s debuggers would soon offer as the built-in dt command. A key difference is that the dt command dumps from type information in whatever symbol files the debugger has handy (or can download) but the !dso command dumps only the debugger extension’s built-in knowledge.
The extension’s own description of the !dso command is variously:
dso <Struct> [Field] [Address]- Dumps Struct field(s)'s offset(s) and value(s).
or
dso <Struct> [Field] [addr [*n]]-Dumps Struct field(s)'s offsets(s) & value(s).
It is not this note’s purpose, however, to pick over the syntax of an old command. The point is instead to note that in the years before Microsoft built type information into public symbol files, the !dso command was often the most detailed public record (by far) that Microsoft left of undocumented Windows structures. Not all the structures that are known to the !dso command are undocumented, but many are, including some for which type information has hardly ever (and in some few cases never) turned up in public symbol files even through to Windows 10.
The large table that follows lists the structures whose offsets can be dumped by the !userexts.dso command. Please be aware that a different !dso command is implemented in another debugger extension, named USERKDX, which Microsoft at first distributed only with the Platform SDK from the time of Windows NT 4.0, not with the contemporaneous DDK. Inevitably, the same command in the other extension supports a different set of structures.
| Structure | Versions |
|---|---|
| ACCEL | 4.0 and 5.0 |
| ADVISE_LINK | 5.0 only |
| ANIMATIONINFO | 4.0 and 5.0 |
| ATTR_PAIR | 5.0 only |
| ATTR_ROW | 5.0 only |
| BITMAP | 4.0 and 5.0 |
| BITMAPCOREHEADER | 4.0 and 5.0 |
| BITMAPCOREINFO | 4.0 and 5.0 |
| BITMAPFILEHEADER | 4.0 and 5.0 |
| BITMAPINFO | 4.0 and 5.0 |
| BITMAPINFOHEADER | 4.0 and 5.0 |
| BITMAPV4HEADER | 4.0 and 5.0 |
| BUTN | 5.0 only |
| BUTNWND | 5.0 only |
| CALLPROCDATA | 4.0 and 5.0 |
| CANDIDATEFORM | 5.0 only |
| CANDIDATEINFO | 5.0 only |
| CANDIDATELIST | 5.0 only |
| CAPTUREBUF | 4.0 and 5.0 |
| CARET | 4.0 and 5.0 |
| CBOX | 4.0 and 5.0 |
| CHAR_ROW | 5.0 only |
| CHWIDTHINFO | 5.0 only |
| CLIENTCREATESTRUCT | 4.0 and 5.0 |
| CLIENTIMC | 5.0 only |
| CLIENTINFO | 4.0 and 5.0 |
| CLIENTTHREADINFO | 4.0 and 5.0 |
| CLS | 4.0 and 5.0 |
| CLSMENUNAME | 4.0 and 5.0 |
| CL_CONV_INFO | 5.0 only |
| CL_INSTANCE_INFO | 5.0 only |
| COMBOWND | 4.0 and 5.0 |
| COMMCONFIG | 4.0 and 5.0 |
| COMMON_WNDCLASS | 4.0 and 5.0 |
| COMPOSITIONFORM | 5.0 only |
| COMPOSITIONSTRING | 5.0 only |
| CONSOLEDESKTOPCONSOLETHREAD | 4.0 and 5.0 |
| CONSOLEWINDOWSTATIONPROCESS | 4.0 and 5.0 |
| CONSOLE_CURSOR_INFO | 4.0 and 5.0 |
| CONSOLE_FONT_INFO | 4.0 and 5.0 |
| CONSOLE_GRAPHICS_BUFFER_INFO | 4.0 and 5.0 |
| CONSOLE_INFORMATION | 5.0 only |
| CONSOLE_READCONSOLE_CONTROL | 4.0 and 5.0 |
| CONSOLE_SCREEN_BUFFER_INFO | 4.0 and 5.0 |
| CONSOLE_WRITECONSOLE_MSG | 5.0 only |
| CONV_INFO | 5.0 only |
| COPYDATASTRUCT | 5.0 only |
| CPINFO | 4.0 and 5.0 |
| CPTABLEINFO | 4.0 and 5.0 |
| CREATESTRUCTA | 4.0 and 5.0 |
| CREATESTRUCTW | 4.0 and 5.0 |
| CSR_API_MSG | 5.0 only |
| CSR_PROCESS | 5.0 only |
| CSR_THREAD | 5.0 only |
| CSR_WAIT_BLOCK | 5.0 only |
| CSTRING | 4.0 and 5.0 |
| CTLCOLOR | 4.0 and 5.0 |
| CURSORDATA | 4.0 and 5.0 |
| CURSORFIND | 4.0 and 5.0 |
| CURSORRESOURCE | 4.0 and 5.0 |
| CURSORSHAPE | 4.0 and 5.0 |
| CWPRETSTRUCT | 4.0 and 5.0 |
| CWPSTRUCT | 4.0 and 5.0 |
| DDEACK | 4.0 and 5.0 |
| DDEADVISE | 4.0 and 5.0 |
| DDEDATA | 4.0 and 5.0 |
| DDELN | 4.0 and 5.0 |
| DDEMLDATA | 4.0 and 5.0 |
| DDEML_MSG_HOOK_DATA | 4.0 and 5.0 |
| DDEPACK | 4.0 and 5.0 |
| DDEPOKE | 4.0 and 5.0 |
| DDEUP | 4.0 and 5.0 |
| DDE_DATA | 4.0 and 5.0 |
| DDE_MESSAGE_QUEUE | 4.0 and 5.0 |
| DEADKEY | 4.0 and 5.0 |
| DEBUGHOOKINFO | 4.0 and 5.0 |
| DELETEITEMSTRUCT | 4.0 and 5.0 |
| DESKTOPINFO | 4.0 and 5.0 |
| DIALOG | 4.0 and 5.0 |
| DISPLAYINFO | 4.0 and 5.0 |
| DISPLAYRESOURCE | 4.0 only |
| DISPLAY_DEVICEA | 4.0 and 5.0 |
| DISPLAY_DEVICEW | 4.0 and 5.0 |
| DLG | 4.0 and 5.0 |
| DLGENUMDATA | 4.0 and 5.0 |
| DLGITEMTEMPLATE | 4.0 and 5.0 |
| DLGITEMTEMPLATE2 | 4.0 and 5.0 |
| DLGTEMPLATE | 4.0 and 5.0 |
| DLGTEMPLATE2 | 4.0 and 5.0 |
| DRAWICONEXDATA | 4.0 and 5.0 |
| DRAWITEMSTRUCT | 4.0 and 5.0 |
| DRAWTEXTPARMS | 4.0 and 5.0 |
| DROPFILESTRUCT | 4.0 and 5.0 |
| ED | 4.0 and 5.0 |
| EDITWND | 4.0 and 5.0 |
| ENABLE_ENUM_STRUCT | 5.0 only |
| ENDDLGPARAMS | 5.0 only |
| EPROCESS | 4.0 and 5.0 |
| EPROCESS_QUOTA_BLOCK | 4.0 and 5.0 |
| ERESOURCE | 4.0 and 5.0 |
| ETHREAD | 4.0 and 5.0 |
| EVENTMSG | 4.0 and 5.0 |
| EXCEPTION_DEBUG_INFO | 4.0 and 5.0 |
| EXCEPTION_POINTERS | 4.0 and 5.0 |
| EXCEPTION_RECORD | 4.0 and 5.0 |
| EXCEPTION_REGISTRATION_RECORD | 4.0 and 5.0 |
| EX_DEBUG_LOG | 4.0 and 5.0 |
| EX_DEBUG_LOG_EVENT | 4.0 and 5.0 |
| EX_DEBUG_LOG_TAG | 4.0 and 5.0 |
| FILEINFO | 4.0 and 5.0 |
| GRAPHICS_BUFFER_INFO | 5.0 only |
| GUIDELINE | 5.0 only |
| HANDLEENTRY | 4.0 and 5.0 |
| HANDLETABLE | 4.0 and 5.0 |
| HANDLE_ENTRY | 4.0 only |
| HANDLE_TABLE | 4.0 and 5.0 |
| HARDERRORINFO | 5.0 only |
| HARDERROR_MSG | 4.0 and 5.0 |
| HARDWAREHOOKSTRUCT | 4.0 and 5.0 |
| HARDWARE_PTE | 4.0 only |
| HEAD | 4.0 only |
| HEAP | 5.0 only |
| HEAP_ENTRY | 5.0 only |
| HEAP_FREE_ENTRY | 5.0 only |
| HEAP_SEGMENT | 5.0 only |
| HELPINFO | 4.0 and 5.0 |
| HELPWININFOA | 4.0 and 5.0 |
| HELPWININFOW | 4.0 and 5.0 |
| HLP | 4.0 and 5.0 |
| HOOK | 4.0 and 5.0 |
| ICONINFO | 4.0 and 5.0 |
| ICONMETRICSA | 4.0 and 5.0 |
| ICONMETRICSW | 4.0 and 5.0 |
| IMAGE_DEBUG_INFORMATION | 5.0 only |
| IMAGE_SECTION_HEADER | 5.0 only |
| IMC | 5.0 only |
| IMECHARPOSITION | 5.0 only |
| IMEDPI | 5.0 only |
| IMEINFO | 5.0 only |
| IMEINFOEX | 5.0 only |
| IMEMENUITEMINFOA | 5.0 only |
| IMEMENUITEMINFOW | 5.0 only |
| IMEMODESAVER | 5.0 only |
| IMEPRIVATEMODESAVER | 5.0 only |
| IMEUI | 5.0 only |
| IMEWND | 5.0 only |
| INPUTCONTEXT | 5.0 only |
| INPUT_INFORMATION | 5.0 only |
| IN_STRING | 4.0 and 5.0 |
| ITEM | 4.0 and 5.0 |
| KE | 4.0 and 5.0 |
| KEY_EVENT_RECORD | 5.0 only |
| KTHREAD | 4.0 and 5.0 |
| LARGE_ANSI_STRING | 4.0 and 5.0 |
| LARGE_IN_STRING | 4.0 and 5.0 |
| LARGE_STRING | 4.0 and 5.0 |
| LARGE_UNICODE_STRING | 4.0 and 5.0 |
| LBIV | 4.0 and 5.0 |
| LBItem | 4.0 and 5.0 |
| LBODItem | 4.0 and 5.0 |
| LBWND | 4.0 and 5.0 |
| LDR_DATA_TABLE_ENTRY | 4.0 and 5.0 |
| LDR_ENUM_RESOURCE_ENTRY | 4.0 and 5.0 |
| LINK_COUNT | 5.0 only |
| LOGFONTA | 5.0 only |
| LOGFONTW | 5.0 only |
| MDI | 4.0 and 5.0 |
| MDICREATESTRUCTA | 4.0 and 5.0 |
| MDICREATESTRUCTW | 4.0 and 5.0 |
| MDINEXTMENU | 4.0 and 5.0 |
| MDIWND | 4.0 and 5.0 |
| MEASUREITEMSTRUCT | 4.0 and 5.0 |
| MEASUREITEMSTRUCT_EX | 4.0 and 5.0 |
| MENU | 4.0 and 5.0 |
| MENUITEMINFOA | 4.0 and 5.0 |
| MENUITEMINFOW | 4.0 and 5.0 |
| MENUITEMTEMPLATE | 4.0 and 5.0 |
| MENUITEMTEMPLATE2 | 4.0 and 5.0 |
| MENUITEMTEMPLATEHEADER | 4.0 and 5.0 |
| MENU_EVENT_RECORD | 4.0 and 5.0 |
| MESSAGE_RESOURCE_BLOCK | 4.0 and 5.0 |
| MESSAGE_RESOURCE_DATA | 4.0 and 5.0 |
| MESSAGE_RESOURCE_ENTRY | 4.0 and 5.0 |
| MINIMIZEDMETRICS | 4.0 and 5.0 |
| MINMAXINFO | 4.0 and 5.0 |
| MONITOR | 5.0 only |
| MOUSEHOOKSTRUCT | 4.0 and 5.0 |
| MOUSEKEYS | 4.0 and 5.0 |
| MOUSE_EVENT_RECORD | 4.0 and 5.0 |
| MSG | 4.0 and 5.0 |
| MSGBOXDATA | 4.0 and 5.0 |
| MSGBOXPARAMSA | 4.0 and 5.0 |
| MSGBOXPARAMSW | 4.0 and 5.0 |
| NCCALCSIZE_PARAMS | 4.0 and 5.0 |
| NEMODULESEG | 4.0 and 5.0 |
| NLS_DATA_BLOCK | 4.0 and 5.0 |
| NONCLIENTMETRICSA | 4.0 and 5.0 |
| NONCLIENTMETRICSW | 4.0 and 5.0 |
| OBJECT_ATTRIBUTES | 4.0 and 5.0 |
| OBJECT_BASIC_INFORMATION | 4.0 and 5.0 |
| OBJECT_CREATE_INFORMATION | 4.0 and 5.0 |
| OBJECT_DIRECTORY | 4.0 and 5.0 |
| OBJECT_DIRECTORY_ENTRY | 4.0 and 5.0 |
| OBJECT_DIRECTORY_INFORMATION | 4.0 and 5.0 |
| OBJECT_HANDLE_COUNT_DATABASE | 4.0 and 5.0 |
| OBJECT_HANDLE_COUNT_ENTRY | 4.0 and 5.0 |
| OBJECT_HANDLE_FLAG_INFORMATION | 4.0 and 5.0 |
| OBJECT_HANDLE_INFORMATION | 4.0 and 5.0 |
| OBJECT_HEADER | 4.0 and 5.0 |
| OBJECT_HEADER_CREATOR_INFO | 4.0 and 5.0 |
| OBJECT_HEADER_HANDLE_INFO | 4.0 and 5.0 |
| OBJECT_HEADER_NAME_INFO | 4.0 and 5.0 |
| OBJECT_HEADER_QUOTA_INFO | 4.0 and 5.0 |
| OBJECT_NAME_INFORMATION | 4.0 and 5.0 |
| OBJECT_SYMBOLIC_LINK | 4.0 and 5.0 |
| OBJECT_TYPE | 4.0 and 5.0 |
| OBJECT_TYPES_INFORMATION | 4.0 and 5.0 |
| OBJECT_TYPE_INFORMATION | 4.0 and 5.0 |
| OBJECT_TYPE_INITIALIZER | 4.0 and 5.0 |
| PEB | 5.0 only |
| PENINPUTDATA | 5.0 only |
| PROCOBJHEAD | 4.0 and 5.0 |
| PROP | 4.0 and 5.0 |
| PROPSET | 4.0 and 5.0 |
| RECONVERTSTRING | 5.0 only |
| RECTL | 4.0 and 5.0 |
| REG_NOTIFY_INFORMATION | 4.0 and 5.0 |
| REG_PROVIDER | 4.0 and 5.0 |
| RTL_CRITICAL_SECTION | 5.0 only |
| RTL_CRITICAL_SECTION_DEBUG | 5.0 only |
| RTL_USER_PROCESS_PARAMETERS | 5.0 only |
| ROW | 5.0 only |
| SBCALC | 4.0 and 5.0 |
| SBDATA | 4.0 and 5.0 |
| SBINFO | 4.0 and 5.0 |
| SBTRACK | 4.0 and 5.0 |
| SBWND | 4.0 and 5.0 |
| SCREEN_INFORMATION | 5.0 only |
| SCROLLINFO | 4.0 and 5.0 |
| SCROLLPOS | 4.0 and 5.0 |
| SERVERINFO | 4.0 and 5.0 |
| TEB | 4.0 and 5.0 |
| TEXTMETRICW | 5.0 only |
| TEXT_BUFFER_INFO | 5.0 only |
| THREAD_BASIC_INFORMATION | 4.0 and 5.0 |
| THROBJHEAD | 4.0 and 5.0 |
| TPMPARAMS | 4.0 and 5.0 |
| TRACKMOUSEEVENT | 5.0 only |
| TRANSMSG | 5.0 only |
| TRANSMSGLIST | 5.0 only |
| USERCONNECT | 4.0 and 5.0 |
| USEROBJECTFLAGS | 4.0 and 5.0 |
| USERTHREAD_FLAGS | 4.0 and 5.0 |
| USERTHREAD_SHUTDOWN_INFORMATION | 4.0 and 5.0 |
| USERTHREAD_WOW_INFORMATION | 4.0 and 5.0 |
| W32PROCESS | 4.0 and 5.0 |
| W32THREAD | 4.0 and 5.0 |
| WINDOWPLACEMENT | 4.0 and 5.0 |
| WINDOWPOS | 4.0 and 5.0 |
| WMCSDATA | 5.0 only |
| WND | 4.0 and 5.0 |
| WNDCLASSA | 4.0 and 5.0 |
| WNDCLASSEXA | 4.0 and 5.0 |
| WNDCLASSEXW | 4.0 and 5.0 |
| WNDCLASSW | 4.0 and 5.0 |
| WNDMSG | 4.0 and 5.0 |
| XACT_INFO | 5.0 only |
What principle ever governed the selection of structures for presentation through the !dso command is not known. As fits the name, by far the most of the supported structures are creatures of user mode. Yet more than a few have no visibility except in kernel mode.
One influence on the selection may be that a structure was eligible only if it was thought stable. The USEREXTS debugger extension ships with the DDK which in turn is new for each Windows version but not for each build and not even for each formally released service pack. Even assuming that programmers (both Microsoft’s and not) use the debugger, including its extensions, from the DDK for the same version of Windows that they’re debugging, the !dso command would have greatly reduced worth if the structures it dumps change between builds.
Many structures were added to the !dso output for version 5.0. Some of these structures truly were new for version 5.0. Many were perhaps added simply because Microsoft’s own programmers had found the !dso command to be useful and sought to increase its coverage. Only four were withdrawn: DISPLAYRESOURCE, HANDLE_ENTRY, HARDWARE_PTE and HEAD.