Parse the crash dump in WinDbg for private bytes (other than managed heap)?
I want to parse the full crash dump (*.dmp) file and get the private bytes data. I know that VMMap from SysInternals can tell me how much my private bytes, heap, etc. are, but what I need is: if I have the dump, I should be able to parse it and get the heap (managed heap) structure and the data in the heap. I am already done with this by reading the PEB and then walking through the heaps.

What I am not able to figure out is how to read the private bytes (other than the heap, which is supposed to be the process data for native code). Could anyone please point me in the right direction so that I am able to parse the private bytes other than the heap from the crash dump?

Thanks.

Sisto answered 3/2, 2011 at 11:15 Comment(1)
Can you clarify your question? You should be able to access any location in memory that the dump saved by the usual commands (x, dX, s, etc.) once you have it loaded. (Pastose)
!address -summary

In the first section you get a breakdown of the usage:

--- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
Free                                    170          6f958000 (   1.743 Gb)           87.18%
<unknown>                               477           6998000 ( 105.594 Mb)  40.21%    5.16%
Stack                                   417           5d00000 (  93.000 Mb)  35.42%    4.54%
Image                                   253           3970000 (  57.438 Mb)  21.87%    2.80%
Heap                                     20            600000 (   6.000 Mb)   2.28%    0.29%
TEB                                      93             5d000 ( 372.000 kb)   0.14%    0.02%
Other                                     9             32000 ( 200.000 kb)   0.07%    0.01%
PEB                                       1              1000 (   4.000 kb)   0.00%    0.00%

Unknown would be virtual allocs.

To list the unknown memory regions you can run:

!address -f:VAR

VAR, as defined in debugger.chm: Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.

Busoni answered 13/12, 2011 at 12:36 Comment(2)
Once I do !address -f:VAR, what next? I just get a bunch of memory addresses. What's the best way to understand them? (Calumny)
Note that in Usage Summary, <unknown> includes reservations (which count towards the virtual bytes counter) as well. Private bytes would instead be close to MEM_COMMIT in State Summary minus MEM_IMAGE in Type Summary. (Sing)
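As an added example (not part of the answer or its comments), here is a small Python parser for the text of !address -summary that reads sizes from the hex column and computes the approximation from the last comment, MEM_COMMIT minus MEM_IMAGE. The Usage rows in the embedded sample are the ones quoted in the answer; the Type and State sections are constructed to be consistent with them and are not real debugger output.

```python
import re

# Constructed sample: Usage rows come from the answer above; Type and State
# sections are made up so that their counts and sizes add up to the same busy total.
SAMPLE = """\
--- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
Free                                    170          6f958000 (   1.743 Gb)           87.18%
<unknown>                               477           6998000 ( 105.594 Mb)  40.21%    5.16%
Stack                                   417           5d00000 (  93.000 Mb)  35.42%    4.54%
Image                                   253           3970000 (  57.438 Mb)  21.87%    2.80%
Heap                                     20            600000 (   6.000 Mb)   2.28%    0.29%
TEB                                      93             5d000 ( 372.000 kb)   0.14%    0.02%
Other                                     9             32000 ( 200.000 kb)   0.07%    0.01%
PEB                                       1              1000 (   4.000 kb)   0.00%    0.00%

--- Type Summary (for busy) ------ RgnCount ----------- Total Size -------- %ofBusy %ofTotal
MEM_PRIVATE                             957           b928000 ( 185.156 Mb)  70.51%    9.04%
MEM_IMAGE                               253           3970000 (  57.438 Mb)  21.87%    2.80%
MEM_MAPPED                               60           1400000 (  20.000 Mb)   7.62%    0.98%

--- State Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
MEM_FREE                                170          6f958000 (   1.743 Gb)           87.18%
MEM_COMMIT                              900           a698000 ( 166.594 Mb)  63.44%    8.13%
MEM_RESERVE                             370           6000000 (  96.000 Mb)  36.56%    4.69%
"""

HEADER = re.compile(r"^---\s+(\w+) Summary")          # "--- Usage Summary ---..."
ROW = re.compile(r"^(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s+\(")  # name, RgnCount, hex size

def parse_address_summary(text):
    """Return {section: {class: (region_count, total_bytes)}}, sizes from the hex column."""
    sections, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            sections[current] = {}
            continue
        r = ROW.match(line)
        if r and current:
            sections[current][r.group(1)] = (int(r.group(2)), int(r.group(3), 16))
    return sections

def private_bytes_estimate(sections):
    """Commenter's approximation: committed bytes minus image bytes (reservations excluded)."""
    return sections["State"]["MEM_COMMIT"][1] - sections["Type"]["MEM_IMAGE"][1]

def busy_bytes(sections):
    """Every Usage row except Free; this also equals MEM_COMMIT + MEM_RESERVE."""
    return sum(b for n, (_, b) in sections["Usage"].items() if n != "Free")
```

Feed it the text pasted from the debugger; the <unknown> Usage row alone overstates private bytes because it also counts reserved but uncommitted regions.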
