1. Common WinDbg Commands (Thematically Grouped)
(Documents/Command Lists)

Thematically grouped WinDbg command list - keep this on your desk if you use WinDbg! 1) Built-in help commands 9) Exceptions, events, and crash analysis 17) Information about variables 2) ...

2. WinDbg. From A to Z!
(Documents/Presentations)

... "WinDbg. From A to Z!" turns out to be just as useful as WinDbg itself because it explains everything from simple things that you should know right away such as setting up symbols and the theory of command ...

3. !mlocks hung interpretation help needed
(Forum/Crash Dump Analysis )

Hi, i try to investigate a hung with windbg. If I call the command !mlocks i got the following :000> !mlocks Examining SyncBlocks... Scanning for ReaderWriterLock instances... Scanning for holders ...

4. ASP hang
(Forum/Crash Dump Analysis )

... 00333a30 003348c8 w3wp!wmain+0x22a 0014ffc0 7d4e7d42 00000000 00000000 fffdf000 w3wp!wmainCRTStartup+0x12f 0014fff0 00000000 010018f8 00000000 000000c8 kernel32!BaseProcessStart+0x28 STACK_COMMAND: ...

5. Brand New to Windbg - Need some basic answers
(Forum/Kernel-Mode Debugging)

... 'Shutdown' command is issued in Win 2000. This has bugged me for some time. I'm sure that my bios has some incompatibility with the NTapm.sys/HAL.dll calls and want to see if I can track it down. Is ...

6. Can all commands be watched with WinDbg
(Forum/General Questions)

This is a very basic question. I have not been able to figure out the answer and I have been curious about this for a while. If I open an executable from WinDbg, is there a way to watch every single action ...

7. Can handled exceptions be seen with WinDbg
(Forum/Debugging of Managed-Code )

... WinDbg with the SOS extension? Conversely, are only unhandled exceptions caught by WinDbg? I saw she used the sxe command and thought it might be similar. ...

8. Common WinDbg Commands (Thematically Grouped)
(Forum/Article Discussions)

** This thread discusses the content article: Common WinDbg Commands (Thematically Grouped) ** ...

9. Crash location !
(Forum/Crash Dump Analysis )

... that some.dll is loaded at 017a0000. Can I use the following command in my winDBG session to locate the crash location? 0:007> ln 017a300B 012C300B - 0x012C0000 = 300B = crash location? For ...

10. Determing cause of access denied - USN Journal
(Forum/Kernel-Mode Debugging)

... of disk management. The tools have shown me that the problem lies in a few USN journal files near the end of the drive that will not move (or allow deletion.) When I run the fsutil command logged in ...

11. Function offsets and return address in callstack
(Forum/User-Mode Debugging)

... 00000000 notepad!NPCommand+0x165 (FPO: [Non-Fpo]) 0007f650 7795f8d2 000f0406 00000111 00000002 notepad!NPWndProc+0x4cf (FPO: [Non-Fpo]) 0007f67c 7795f794 00c1146c 000f0406 00000111 USER32!InternalCallWinProc+0x23 0007f6f4 ...

12. Help with crash dump
(Forum/Crash Dump Analysis )

...  4a78505a STACK_COMMAND: .trap ffffffffa909db50 ; kb FAILURE_BUCKET_ID: 0xA_nt!PsReturnProcessNonPagedPoolQuota+19 BUCKET_ID: 0xA_nt!PsReturnProcessNonPagedPoolQuota+19 Followup: Machin ...

13. Memory Searching issue (command s)
(Forum/Kernel-Mode Debugging)

Hello! When I try to use the 's' command to search memory, it was coming up with no results. Upon dumping the memory region where I knew the byte-sequence I was looking for is located, the memory there ...

14. Minidump error
(Forum/Crash Dump Analysis )

... e0949b7c 00000000 00000000 00000000 hknlgi+0x3fb eeb9dddc e088e062 f3a552d0 00000000 00000000 nt!PspSystemThreadStartup+0x2e 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: ...

15. One command for Stack
(Forum/General Questions)

Hello all! I need a command that show me all functions of stack when im debuggin windows with my driver from start until fynal of a breakpoint. can you help me??? ...

16. Re: Crash location !
(Forum/Crash Dump Analysis )

... determine exactly what's going on. Alternatively, you can attach to the process and do live debugging, but you'll need to be pretty savvy with the commands. They are all available on the online help ...

17. Re: CrashMe Application
(Forum/Article Discussions)

... Break button in WinDbg 5) Print command in command window "!heap -stat -h 0" In result set no row with size 0xA00000. What is wrong? Thanks for reply ...

18. Re: Finding undocumented swtiches
(Forum/General Questions)

By switches I mean command passed to the application with the shell. For instance, if I were to use IPConfig, a switch I could use, in this context, is /all to return all IPconfig information. I am thinking ...

19. Re: Finding undocumented swtiches
(Forum/General Questions)

Oh, you mean command line parameters. If you use Process Explorer you could simply click on the process in question and go to the Image tab. For example: [USER POSTED IMAGE] And in WinDbg you could ...

20. Re: Finding undocumented swtiches
(Forum/General Questions)

Thanks for that tip. I am looking more for what switches are embedded with the image itself. It seems that in C/C++ the command line switches correspond to switch statements within the code. I just ...

21. Re: kernel32 symbol in live kernel debug
(Forum/Symbol and Source Files )

... principle and is simply not needed to debug an application or the kernel. You can still check out the Symbol Options for WinDbg or start your investigation by examining the ld or !lmi commands. I hope ...

22. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

Brett, hi again. The following excerpt of the .process (Set Process Context) command explains it quite well. You might also take a look at .context (Set User-Mode Address Context) which is a very similar ...

23. Re: One command for Stack
(Forum/General Questions)

Hi Victor, check the 15) Call stack commands in our "Common WinDbg Commands" list. For instance, you might try "kn", "kb".. I hope this helps, Robert ...

24. Re: Pattern matching
(Forum/Article Discussions)

Hey hey Adrian, Thanks for your feedback. I encountered similar problems with this breakpoint command. It turns out that here and then the aliases get messed up by WinDbg. You can easily check what ...

25. Re: See in Memory Descriptor List whats on
(Forum/Kernel-Mode Debugging)

... including Windows Vista. On these systems, the Enable pool tagging check box on the Global Flags dialog box is dimmed and commands to enable or disable pool tagging fail.". Also alongside your WinDbg installation ...

26. Re: sort lm n t by date/time
(Forum/Crash Dump Analysis )

Welcome Carl. You might try the !dll -l command. It lists all currently loaded dlls sorted by their load order, though enough memory information must be present in the dump for the command to work (.dump ...

27. Re: sort lm n t by date/time
(Forum/Crash Dump Analysis )

... The sorted output from your script will then be displayed in WinDbg's Command window. I hope this helps, Robert ...

28. Re: Symbol not found
(Forum/Symbol and Source Files )

... not /ZI (Program Database for Edit & Continue) - use the !sym noisy WinDbg command (debugger displays info about its search for symbols), followed by ld * - check out other symbol-related commands ...

29. Re: Unable to load image ntkrnlpa.exe
(Forum/Crash Dump Analysis )

...  However, moving the downloaded symbols to another Stratus server (I just keep mentioning Stratus so you guys know I'm talking about identical servers), has a negative result. Even though the command ...

30. Re: windbg question from kam
(Forum/Article Discussions)

... can easily get the base address of your driver too: > !lmi 77fba431 OR > lm vm 77fba431 Both commands will return the base/start address of your driver in memory. Then you would do something like ...

31. Re: Wrong display of function Names by WinDbg
(Forum/User-Mode Debugging)

... check out the .symfix+ command... If you aren't able to get the right PDB files any serious debugger will read at least the export symbols (functions) of your modules. Example: If you open MSVCR80.DLL ...

32. Re:Can all commands be watched with WinDbg
(Forum/General Questions)

Hi Will, yes it can be done with WinDbg. Let's start with the File->Open Executable from WinDbg's menu; this way WinDbg starts your application and actually stops after several system DLLs (for example ...

33. Re:Can all commands be watched with WinDbg
(Forum/General Questions)

Thanks Robert. You've given me a lot to work with. I am still in the "wide-eyed" stage of figuring out very basics. These things help me get a grasp much more quickly.

34. Re:Can handled exceptions be seen with WinDbg
(Forum/Debugging of Managed-Code )

... command. I hope this helps, RK :) ...

35. Re:Can macros be set up in WinDbg
(Forum/General Questions)

Hi Will, welcome. Short answer: Yes. Long answer: WinDbg offers a quite powerful mechanism called "Debugger Commands Programs". In fact this is a simple script-language where you can use all commands ...

36. Re:Debugging minGW/GCC built DLL in Visual Studio?
(Forum/Symbol and Source Files )

Edward, welcome. The short answer is it depends. PDB is Microsoft's proprietary format and is not documented. While MS offers APIs to read and extract data from PDBs (see DIA SDK - Debug Interface Access ...

37. Re:Unable to load image ntoskrnl.exe
(Forum/Crash Dump Analysis )

... won't help either. 3) Enter the following commands to WinDbg: > !sym noisy > ld ntoskrnl > .reload /f /v ntoskrnl.exe If everything went fine WinDbg will have loaded "ntoskrnl.exe" and ...

38. Re:Using WinDbg to examine ASP.NET applications
(Forum/Debugging of Managed-Code )

Will, Hi. The worker process for ASP.NET applications is aspnet_wp.exe which internally heavily relies on mscorwks.dll. TODOs: For instance you could use the following WinDbg commands after a ...

39. StackOverFlowException in .Net
(Forum/Crash Dump Analysis )

... sender, EventArgs e) { MyMethod(); } private void MyMethod() { MyMethod(); } Windbg+sos loads symbols correctly, but with analyze command I've not find references to MyMethod that caused ...

40. tracking malicious code with windbg
(Forum/General Questions)

... command? 2. possible using 'wt' to trace what malware.exe doing? thanks, from ictsecurity0 ...

41. WinDbg psscor4 !ASPXPages -ip not listing anything
(Forum/Debugging of Managed-Code )

...  Client IP Server IP ThreadId Total 42 HttpContext objects This command output list just the headers and no values compared to !ASPXPages which fills in the normal output ...