Question

I read Tess's blog post about dumping the ASP.NET request. Reading the code, I wonder why the .foreach command needs so many "/ps 99" switches in the code in the blog.

For example, this code:

    $$ RETURNCODE = CONTEXT->RESPONSE->_STATUSCODE ((CONTEXT+0X14)+50)
    $$ ----------------------------------------------------------------------------------
    .foreach /pS 2 /ps 99 (token {?poi(poi(${hc}+0x14)+50)}){
        .printf "${token}\t\t"
    };

This code is for .NET 2; I did some tests on my own .NET 4:

RETURNCODE = CONTEXT->RESPONSE->_STATUSCODE ((CONTEXT+0X28)+b0); the offset has changed on .NET 4.

0:000> ? poi(0x00000000ffc59a58+0x28)+0xb0
Evaluate expression: 4291217184 = 00000000`ffc6c720
0:000> ? poi(poi(0x000000011fa2b948+0x28)+0xb0)
Evaluate expression: 200 = 00000000`000000c8

.foreach

  • /pS 2 --> means skip the initial 2 tokens, so the first two tokens, 'Evaluate expression:', will be skipped.

  • /ps 99 --> but why is 99 needed here?


Solution

The /ps 99 means "skip the next 99 tokens, then take the next one, then skip the next 99, etc.". The 99 here happens to be arbitrary. She wants to take only one token, but there is no way to do that with the .foreach command. She picked an arbitrarily high number to effectively tell it "skip the rest of the tokens".

The difference between /ps and /pS can be found in the WinDbg help file:

/pS InitialSkipNumber

Causes some initial tokens to be skipped. InitialSkipNumber specifies the number of output tokens that will not be passed to the specified OutCommands.

/ps SkipNumber

Causes tokens to be skipped repeatedly each time a command is processed. After each time a token is passed to the specified OutCommands, a number of tokens equal to the value of SkipNumber will be ignored.
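To make the two skip options concrete, here is a small model of the token selection described in the help text above. It is an added example, not code from the question, the answer or Tess's blog: it does not run WinDbg, it just splits a captured "? expr" output line on whitespace the way .foreach does and applies /pS and /ps as documented, so you can see why "/pS 2 /ps 99" leaves exactly one token. The output line is the one from the question; the function name foreach_tokens is my own.

```python
"""Model of how WinDbg's .foreach /pS and /ps select tokens (added example)."""
from typing import List


def foreach_tokens(output: str, initial_skip: int = 0, skip: int = 0) -> List[str]:
    """Return the tokens that `.foreach /pS initial_skip /ps skip` would pass
    to its OutCommands, given the text produced by the InCommands.

    /pS N : drop the first N tokens outright.
    /ps N : after each token that is passed on, ignore the next N tokens.
    """
    tokens = output.split()          # .foreach splits the output on whitespace
    selected: List[str] = []
    i = initial_skip                 # /pS: skip the initial tokens
    while i < len(tokens):
        selected.append(tokens[i])   # this token reaches the OutCommands
        i += 1 + skip                # /ps: then skip the next `skip` tokens
    return selected


# Constructed from the question: what "? poi(poi(ctx+0x28)+0xb0)" printed.
EVAL_OUTPUT = "Evaluate expression: 200 = 00000000`000000c8"

if __name__ == "__main__":
    print(foreach_tokens(EVAL_OUTPUT))                  # all five tokens
    print(foreach_tokens(EVAL_OUTPUT, initial_skip=2))  # /pS 2 alone: 200 = 00000000`000000c8
    print(foreach_tokens(EVAL_OUTPUT, 2, 1))            # /pS 2 /ps 1: 200 00000000`000000c8
    print(foreach_tokens(EVAL_OUTPUT, 2, 99))           # /pS 2 /ps 99: 200 only
```

Any /ps value of 2 or more would do for a single "Evaluate expression:" line; 99 simply guarantees that nothing after the value is printed.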

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow