Command Line Parameters

After a process has been started, how do you later determine what command line parameters were passed to it? This can be important when debugging a process you didn’t originally start, including figuring out how a process was started after it has crashed and all you have left is a dump file.

Windows

Regular readers of this site will probably guess where we are headed here. If there is one tool that is an absolute must-have on Windows, it has to be Process Explorer. This tool allows you to dig deep into all manner of details about running processes. If you have not already, you should now go get and install this tool. So now on to the problem: how does Process Explorer let us see the command line parameters? Start Process Explorer and select the process you are interested in. Let’s illustrate with an example:

  1. Open a cmd window
  2. Enter
    notepad example.txt
  3. In Process Explorer navigate to notepad.exe in the process list and double click the entry
  4. Navigate to the “Image” tab in the process properties dialog. The “Command Line” text box shows you the command line passed to the process when it was started.
     [Screenshot: Process Explorer “Image” tab showing the Command Line text box]
This is great if you have a running process but what happens if the process has crashed and all you are left with is a dump file? Native debuggers to the rescue.
  1. Download and install the Windows native debugger suite (Debugging Tools for Windows) from MSDN
  2. Start windbg (usually installed in c:\Program Files\Debugging Tools for Windows)
  3. Open the dump file by navigating to “File->Open Crash Dump…” in the windbg menu
  4. Attach to the Microsoft public symbol server by entering the following in the debugger command line (note the leading dot; it is required)
    .symfix
  5. In the debugger command line, dump the process environment block by entering (note the leading exclamation mark)
    !peb
The process environment block contains a plethora of interesting data about the process that crashed including the command line parameters passed to it at startup. Near the top of this data (after the loaded DLL list for the process) is the command line entry.
[Screenshot: Windbg showing the command line parameters in the !peb output]

You may want to also peruse the environment variables page to see how to find what environment variables the process sees. In Windows these are read at application start and not usually updated for the running process even if they later change on the system.

Linux/OS X

For a running process you can use the built-in tools ps and grep to quickly find the command line parameters:

    1. Open your favorite terminal
    2. Enter

ps awx | grep -i "<name or part of name of your process here>"

In this example we are looking for a process called vim. We find a vim process that was called with the parameter foo.

ps awx | grep -i "vim"
41856 s001  T      0:00.21 /usr/bin/vim foo
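The ps/grep lookup above can be wrapped in two small shell functions so that a single process can be queried by PID and a search by name never matches the search tool itself. This is an added example, not code from the original post: the function names cmdline_of_pid and find_cmdline are my own, and the demonstration starts a constructed `sleep 30` process to have something to look up.

```shell
# Added example, not code from the original post. Two helpers for the
# Linux/OS X case above. On Linux the kernel exposes each process's argument
# vector as the NUL-separated file /proc/PID/cmdline (this is what ps reads);
# on OS X there is no /proc, so the helpers fall back to ps(1) options that
# both procps and BSD ps accept: -A (all processes), -p PID, -o args=
# (the trailing "=" suppresses the column header).

# cmdline_of_pid PID: print the full command line of one running process.
cmdline_of_pid() {
    if [ -r "/proc/$1/cmdline" ]; then
        # NUL separates the arguments; turn each NUL into a space, drop the last.
        tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
    else
        ps -p "$1" -o args= | sed 's/[[:space:]]*$//'
    fi
}

# find_cmdline PATTERN: print "PID command line" for every process whose
# command line matches PATTERN (case-insensitive awk regular expression).
# The process list is captured into a variable first and filtered afterwards,
# so the filter never sees its own argument list. With the one-liner
# "ps awx | grep -i vim" the grep process is usually already running when ps
# takes its snapshot, which is why a stray "grep -i vim" line shows up.
find_cmdline() {
    if [ -d /proc/self ]; then
        snapshot=$(for d in /proc/[0-9]*; do
            pid=${d#/proc/}
            line=$(cmdline_of_pid "$pid" 2>/dev/null) || continue
            [ -n "$line" ] || continue      # kernel threads have no cmdline
            printf '%s %s\n' "$pid" "$line"
        done)
    else
        snapshot=$(ps -A -o pid=,args=)
    fi
    printf '%s\n' "$snapshot" | awk -v pat="$1" 'tolower($0) ~ tolower(pat)'
}

# Constructed demonstration: start a process with a known argument, look it
# up both ways, then clean up. Runs only when the script is invoked with "demo".
if [ "${1:-}" = "demo" ]; then
    sleep 30 &
    demo_pid=$!
    echo "PID $demo_pid was started as: $(cmdline_of_pid "$demo_pid")"
    find_cmdline 'sleep 30'
    kill "$demo_pid"
fi
```

Save the block as a script and run `sh script.sh demo` to see both lookups against the sleep process. Keep in mind that what these helpers read is readable by every local user: ps works for any account and /proc/PID/cmdline is world-readable by default, so anything passed on a command line (a password, an API token) is visible to everyone on the host for the life of the process, which is one reason to prefer configuration files or the environment for such values.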
