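#requires -Version 5.1
<#
cdb_probe.ps1
Standard analysis probe for an acclient minidump.
Writes structured output next to the dump as .probe.txt.

Runs (in order):
  vertarget          — image version + uptime
  .lastevent         — last debug event captured
  !peb               — process env block
  lm vM              — modules with versions
  !address -summary  — VA usage summary
  !address /f:Heap   — list heap regions and sizes
  !runaway 7         — thread CPU usage (kernel+user time)
  ~* k 12            — short stack of every thread (no symbols, just RVAs)

Parameters:
  -Dump   path to the minidump to analyse (mandatory)

Output:
  <Dump>.probe.txt written next to the dump, then one summary line
  "probe written: <path> size=<n> KB" on stdout.
  A warning is emitted if cdb returns a non-zero exit code.

Only the local PDB directory below is configured as a symbol path
(both via _NT_SYMBOL_PATH and -y), so symbol lookups stay local.
#>
param(
    [Parameter(Mandatory)]
    [string] $Dump
)

$ErrorActionPreference = 'Stop'

# Debugger, local symbol store and output file.
# -LiteralPath is used for every file check below: dump names may contain
# '[' or ']', which Test-Path/Get-Item would otherwise treat as wildcards.
$cdb     = 'C:\Users\acbot\Tools\WindowsKits\Windows Kits\10\Debuggers\x86\cdb.exe'
$symPath = 'C:\Users\acbot\leakhunt\pdb'
$out     = "$Dump.probe.txt"

if (-not (Test-Path -LiteralPath $Dump)) { throw "Dump file not found: $Dump" }
if (-not (Test-Path -LiteralPath $cdb -PathType Leaf)) { throw "cdb.exe not found: $cdb" }

# The same directory is passed to cdb via -y as well, so the two never drift.
$env:_NT_SYMBOL_PATH = $symPath

# Command list: each section is bracketed by an .echo marker so the probe
# file can be split by section; the trailing 'q' ends the session so cdb
# does not sit waiting for interactive input after the last command.
$script = @(
    '.echo === vertarget ==='
    'vertarget'
    '.echo === lastevent ==='
    '.lastevent'
    '.echo === peb ==='
    '!peb'
    '.echo === modules ==='
    'lm vM'
    '.echo === address summary ==='
    '!address -summary'
    '.echo === heap regions ==='
    '!address /f:Heap'
    '.echo === runaway ==='
    '!runaway 7'
    '.echo === threads top frames ==='
    '~* k 12'
    'q'
) -join ';'

# Windows PowerShell 5.1 gotcha: with $ErrorActionPreference = 'Stop', a
# '2>&1' redirection on a native command turns the first stderr line into a
# terminating error, which would abort the script with a half-written probe
# file. Relax the preference for the debugger call only, and flatten stderr
# ErrorRecords back to their plain text so the probe file holds the debugger
# output verbatim instead of PowerShell's formatted error blocks.
$savedEap = $ErrorActionPreference
$ErrorActionPreference = 'Continue'
$cdbExit = $null
try {
    & $cdb -z $Dump -y $symPath -c $script 2>&1 |
        ForEach-Object {
            if ($_ -is [System.Management.Automation.ErrorRecord]) { $_.ToString() } else { $_ }
        } |
        Out-File -LiteralPath $out -Encoding utf8
    $cdbExit = $LASTEXITCODE
}
finally {
    $ErrorActionPreference = $savedEap
}

# The probe file is already on disk at this point, so a bad exit code is
# reported as a warning rather than discarding what was captured.
if ($null -ne $cdbExit -and $cdbExit -ne 0) {
    Write-Warning "cdb exited with code $cdbExit; probe output may be incomplete: $out"
}

Write-Output "probe written: $out size=$([math]::Round((Get-Item -LiteralPath $out).Length/1KB,1)) KB"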