1. Common WinDbg Commands (Thematically Grouped)
(Documents/Command Lists)

... interfaces parse out the extra information to provide new behaviors. DML is primarily intended to address two issues: Linking of related information Discoverability of debugger and extension ...

2. Contact & Imprint
(Misc/Legal)

Responsible for the online presence Robert Kuster Slovenia E-mail: mailrkuster@windbg.info   Note: The actual email address does not contain the word “mail“ – spam prevention.   ...

3. ASP hang
(Forum/Crash Dump Analysis )

... symbols for fcgiext.dll - FAULTING_IP: +5befd80 00000000 ?? ??? EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0000000000000000 ExceptionCode: ...

4. function plus offset question
(Forum/Crash Dump Analysis )

... and 0x60c? Thanks. 2 Id: 330.370 Suspend: 1 Teb: 7ffdc000 Unfrozen ChildEBP RetAddr 00deff14 7c90df5a ntdll!KiFastSystemCallRet 00deff18 7c8025db ntdll!ZwWaitForSingleObject+0xc 00deff7c ...

5. Memory Searching issue (command s)
(Forum/Kernel-Mode Debugging)

... The problem I am having is, the images I debug are large (often 5-10mb), and they seem to get paged out all the time, making searching impossible. If I didn't know the exact address of where to find my ...

6. Minidump error
(Forum/Crash Dump Analysis )

Hi, kindly help. Got 3 minidump files w/ after 3 consecutive restart of the machine by itself. Debugging Details: ------------------ Could not read faulting driver name READ_ADDRESS:  ...

7. Re: break on driver load - question from kam
(Forum/Article Discussions)

... kd> ? $iment( ba644000) Evaluate expression: -1167828646 = ba64595a ;now that we have the DriverEntry address we can conveniently set a breakpoint on it 0: kd> bp ba64595a *** ERROR: Module load ...

8. Re: Determing cause of access denied - USN Journal
(Forum/Kernel-Mode Debugging)

... mode. The stack in the kernel looks something like this: 1: kd> kb ChildEBP RetAddr Args to Child acb11adc b9dbdca6 88928a38 88666008 acb11b20 Ntfs!NtfsDeleteUsnJournal acb11af0 b9da7adc 88928a38 ...

9. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

... is actually used (its virtual addresses space paged-in etc.). A simple .process ?? and .reload /user should fix your memory issues described. A few more words The transition from user-mode to kernel-mode ...

10. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

Thanks for the help! I learned a bit about SYSENTER and was using... rdmsr 176 bp /t @$thread addr ...as a one-shot break point on going into the Kernel, but I will have to give your bp script a ...

11. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

Brett, hi again. The following excerpt of the .process (Set Process Context) command explains it quite well. You might also take a look at .context (Set User-Mode Address Context) which is a very similar ...

12. Re: See in Memory Descriptor List whats on
(Forum/Kernel-Mode Debugging)

...  00000059 00000023 Current Pool Bytes 00023708 00003760 Peak Pool Allocations 000000d3 0000002d Peak Pool Bytes 00024b88 00003be8 PoolAddress SizeInBytes Tag ...

13. Re: windbg question from kam
(Forum/Article Discussions)

... can easily get the base address of your driver too: > !lmi 77fba431 OR > lm vm 77fba431 Both commands will return the base/start address of your driver in memory. Then you would do something like ...

14. Re:Can all commands be watched with WinDbg
(Forum/General Questions)

... again This time WinDbg is attached right after ntdll.dll has been loaded into our newly created address space. Now you can debug the windows loader which is actually implemented in large part in ntdll.dll. Note ...

15. Re:Debugging minGW/GCC built DLL in Visual Studio?
(Forum/Symbol and Source Files )

... in your code by using the address in the error message I hope this helps, Robert ...

16. Re:Question about COFF deprecation
(Forum/Symbol and Source Files )

... help a debugger to map raw addresses in the PE executable to source-code lines, to analyze internal layout and data of applications, and so on. Obviously symbol files are not limited with backward compatibility ...

17. windbg question
(Forum/Article Discussions)

... convertible? example: driver name is 77fba431.sys so, normally I would do something like "bp 77fba431+rva_entrypoint" (just like lets say "bp ntfs+rva") but of course 77fba431 is read as an address, ...

18. windbg question
(Forum/Article Discussions)

Hi, Let's say that the driver I want to debug doesn't have symbols, so I can't use DriverEntry. !lmi 77fba431 (same problem: address not found (so name is interpreted as hex)) Also, the problem ...