1. Common WinDbg Commands (Thematically Grouped)
(Documents/Command Lists)

... in the form of tags. Debugger user interfaces parse out the extra information to provide new behaviors. DML is primarily intended to address two issues: Linking of related information Discoverability ...

2. Contact & Imprint
(Misc/Legal)

Responsible for the online presence Robert Kuster Slovenia E-mail: mailrkuster@windbg.info   Note: The actual email address does not contain the word “mail“ – spam prevention.   ...

3. !mlocks hung interpretation help needed
(Forum/Crash Dump Analysis )

...  116 CurrentReaderThreadIds: WaitingReaderCount: 576 ReaderEvent: 80400002 WaitingReaderThreadIds: *This lock has 116 orphaned reader locks. 0:007> !rwlock Address  ...

4. ASP hang
(Forum/Crash Dump Analysis )

... symbols for fcgiext.dll - FAULTING_IP: +5befd80 00000000 ?? ??? EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0000000000000000 ExceptionCode: ...

5. AVIStreamWrite exception.. need help !!
(Forum/User-Mode Debugging)

...  ???????? ???????? ???????? ???????? 092000b8 ???????? ???????? ???????? ???????? Stack Trace -------------- 0:007> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following ...

6. Dll export table - Exported functions list and @
(Forum/Kernel-Mode Debugging)

Hello Can we extract exported functions list from a dll and their asociated addresses using windbg? Can we determine what dlls's functions are used by an application? for exemple: myapp.exe ...

7. Function offsets and return address in callstack
(Forum/User-Mode Debugging)

... notepad!_initterm_e+0x1a1 (FPO: [Non-Fpo]) I would like to know if frame notepad!WinMain+0xe3 after address calculation along with offset +0xe3 represents return address for the frame above with address ...

8. function plus offset question
(Forum/Crash Dump Analysis )

... and 0x60c? Thanks. 2 Id: 330.370 Suspend: 1 Teb: 7ffdc000 Unfrozen ChildEBP RetAddr 00deff14 7c90df5a ntdll!KiFastSystemCallRet 00deff18 7c8025db ntdll!ZwWaitForSingleObject+0xc 00deff7c ...

9. Help with crash dump
(Forum/Crash Dump Analysis )

... (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a ...

10. Memory Searching issue (command s)
(Forum/Kernel-Mode Debugging)

... The problem I am having is, the images I debug are large (often 5-10mb), and they seem to get paged out all the time, making searching impossible. If I didn't know the exact address of where to find my ...

11. Minidump error
(Forum/Crash Dump Analysis )

Hi, kindly help. Got 3 minidump files w/ after 3 consecutive restart of the machine by itself. Debugging Details: ------------------ Could not read faulting driver name READ_ADDRESS:  ...

12. Re: break on driver load - question from kam
(Forum/Article Discussions)

... kd> ? $iment( ba644000) Evaluate expression: -1167828646 = ba64595a ;now that we have the DriverEntry address we can conveniently set a breakpoint on it 0: kd> bp ba64595a *** ERROR: Module load ...

13. Re: Determing cause of access denied - USN Journal
(Forum/Kernel-Mode Debugging)

... mode. The stack in the kernel looks something like this: 1: kd> kb ChildEBP RetAddr Args to Child acb11adc b9dbdca6 88928a38 88666008 acb11b20 Ntfs!NtfsDeleteUsnJournal acb11af0 b9da7adc 88928a38 ...

14. Re: Finding undocumented swtiches
(Forum/General Questions)

... script to automate the process). Usually larger switch-case statements have a so called address-table (see Why should I split up my switch block with more than three case statements?). Your script could ...

15. Re: kernel32 symbol in live kernel debug
(Forum/Symbol and Source Files )

Welcome Thongchai. The kernel on 2000, XP, Vista, or Windows 7 never loads user32.dll or kernel32.dll. Both are user mode DLLs and thus get loaded by user-mode applications (generally speaking any Win32 ...

16. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

... is actually used (its virtual addresses space paged-in etc.). A simple .process ?? and .reload /user should fix your memory issues described. A few more words The transition from user-mode to kernel-mode ...

17. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

Thanks for the help! I learned a bit about SYSENTER and was using... rdmsr 176 bp /t @$thread addr ...as a one-shot break point on going into the Kernel, but I will have to give your bp script a ...

18. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

Brett, hi again. The following excerpt of the .process (Set Process Context) command explains it quite well. You might also take a look at .context (Set User-Mode Address Context) which is a very similar ...

19. Re: ntdll.dll symbols are missing?
(Forum/Symbol and Source Files )

... one - I've taken it from Peb field of !process 0 0 output. kd> dt _PEB 7ffdb000 ntdll!_PEB +0x000 InheritedAddressSpace : ?? +0x001 ReadImageFileExecOptions : ?? +0x002 BeingDebugged  ...

20. Re: See in Memory Descriptor List whats on
(Forum/Kernel-Mode Debugging)

...  00000059 00000023 Current Pool Bytes 00023708 00003760 Peak Pool Allocations 000000d3 0000002d Peak Pool Bytes 00024b88 00003be8 PoolAddress SizeInBytes Tag ...

21. Re: windbg question from kam
(Forum/Article Discussions)

... can easily get the base address of your driver too: > !lmi 77fba431 OR > lm vm 77fba431 Both commands will return the base/start address of your driver in memory. Then you would do something like ...

22. Re:Can all commands be watched with WinDbg
(Forum/General Questions)

... again This time WinDbg is attached right after ntdll.dll has been loaded into our newly created address space. Now you can debug the windows loader which is actually implemented in large part in ntdll.dll. Note ...

23. Re:Debugging minGW/GCC built DLL in Visual Studio?
(Forum/Symbol and Source Files )

... in your code by using the address in the error message I hope this helps, Robert ...

24. Re:Question about COFF deprecation
(Forum/Symbol and Source Files )

... help a debugger to map raw addresses in the PE executable to source-code lines, to analyze internal layout and data of applications, and so on. Obviously symbol files are not limited with backward compatibility ...

25. windbg question
(Forum/Article Discussions)

... convertible? example: driver name is 77fba431.sys so, normally I would do something like "bp 77fba431+rva_entrypoint" (just like lets say "bp ntfs+rva") but of course 77fba431 is read as an address, ...

26. windbg question
(Forum/Article Discussions)

Hi, Let's say that the driver I want to debug doesn't have symbols, so I can't use DriverEntry. !lmi 77fba431 (same problem: address not found (so name is interpreted as hex)) Also, the problem ...