windbg dd command on hex adress giving ????question mark

Question

what does below output in WINDBG mean,when I do dd command on hex address: a66e920

0:001> dd a66e920
00000000`0a66e920  ???????? ???????? ???????? ????????
000         


        

Answer 1

The question marks indicate that the memory is not available.

For crash dumps: the memory might not be included in the crash dump, depending on the MINIDUMP_TYPE that was used to create the crash dump. E.g. Procdump has an option ( -mp) to exclude memory regions larger than 512 MB. If you assume that's the case, create crash dumps with full memory.

For live debugging: there was never a VirtualAlloc() call to the operating system that returned this portion of memory. Or, the memory was allocated but has been VirtualFree()d, so it's no longer available. If the program would access the memory in a read or write operation, an access violation (AV) would occur.

The question marks are not equivalent to NULL values. A null pointer value at that address would be 00000000 (32 bit) or 00000000'00000000 (64 bit).

If you have a pointer that points to such memory, it might also be that you're building a C++ program in Release build, which may leave pointers with some garbage if you never initialize them ("bogus pointer"). In debug mode, they would be initialized with some memory pattern.

Side note: if you're investigating pointers, using dp ("dump pointer sized data") is preferred over dd (32 bit) or dq (64 bit).