Where can I get the current label counter in a 64-bit dump of Windows?

Question

Where can I get the current label counter in a 64-bit dump of Windows?

There is one KeTickCount character that works in 32-bit mode, but when I applied it in my 64-bit dump (Windows 2008), it no longer works. Have the window value changed?

The only approach I can take is to use ".time" to get the current uptime and multiply it by ticksPerSecond, which is difficult and inaccurate.

+5

windows dump kernel

liujinmarshall Feb 01 '12 at 11:49

source share

2 answers

Neeraj singh · Answer 1 · 2012-05-06T17:18:27+0000

Launch it! kuser to get it in windbg.

arx · Answer 2 · 2012-02-01T13:31:04+0000

According to several messages on the Internet, it has a hard-coded address 0FFFFF78000000320h. I have not tried, though.

Where can I get the current label counter in a 64-bit dump of Windows?

More articles: