1. Common WinDbg Commands (Thematically Grouped)
(Documents/Command Lists)

... in the form of tags. Debugger user interfaces parse out the extra information to provide new behaviors. DML is primarily intended to address two issues: Linking of related information Discoverability ...

2. Contact & Imprint
(Misc/Legal)

Responsible for the online presence Robert Kuster Slovenia E-mail: mailrkuster@windbg.info   Note: The actual email address does not contain the word “mail“ – spam prevention.   ...

3. !mlocks hung interpretation help needed
(Forum/Crash Dump Analysis )

...  116 CurrentReaderThreadIds: WaitingReaderCount: 576 ReaderEvent: 80400002 WaitingReaderThreadIds: *This lock has 116 orphaned reader locks. 0:007> !rwlock Address  ...

4. ASP hang
(Forum/Crash Dump Analysis )

... symbols for fcgiext.dll - FAULTING_IP: +5befd80 00000000 ?? ??? EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0000000000000000 ExceptionCode: ...

5. Dll export table - Exported functions list and @
(Forum/Kernel-Mode Debugging)

Hello Can we extract exported functions list from a dll and their asociated addresses using windbg? Can we determine what dlls's functions are used by an application? for exemple: myapp.exe ...

6. Function offsets and return address in callstack
(Forum/User-Mode Debugging)

... notepad!_initterm_e+0x1a1 (FPO: [Non-Fpo]) I would like to know if frame notepad!WinMain+0xe3 after address calculation along with offset +0xe3 represents return address for the frame above with address ...

7. Help with crash dump
(Forum/Crash Dump Analysis )

... (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a ...

8. Memory Searching issue (command s)
(Forum/Kernel-Mode Debugging)

... The problem I am having is, the images I debug are large (often 5-10mb), and they seem to get paged out all the time, making searching impossible. If I didn't know the exact address of where to find my ...

9. Minidump error
(Forum/Crash Dump Analysis )

Hi, kindly help. Got 3 minidump files w/ after 3 consecutive restart of the machine by itself. Debugging Details: ------------------ Could not read faulting driver name READ_ADDRESS:  ...

10. Re: break on driver load - question from kam
(Forum/Article Discussions)

... kd> ? $iment( ba644000) Evaluate expression: -1167828646 = ba64595a ;now that we have the DriverEntry address we can conveniently set a breakpoint on it 0: kd> bp ba64595a *** ERROR: Module load ...

11. Re: Finding undocumented swtiches
(Forum/General Questions)

... script to automate the process). Usually larger switch-case statements have a so called address-table (see Why should I split up my switch block with more than three case statements?). Your script could ...

12. Re: kernel32 symbol in live kernel debug
(Forum/Symbol and Source Files )

Welcome Thongchai. The kernel on 2000, XP, Vista, or Windows 7 never loads user32.dll or kernel32.dll. Both are user mode DLLs and thus get loaded by user-mode applications (generally speaking any Win32 ...

13. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

... is actually used (its virtual addresses space paged-in etc.). A simple .process ?? and .reload /user should fix your memory issues described. A few more words The transition from user-mode to kernel-mode ...

14. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

... try as well. To do this you must ensure the context of your process is actually used (its virtual addresses space paged-in etc.). A simple .process ?? and .reload /user should fix your memory issues ...

15. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)

Brett, hi again. The following excerpt of the .process (Set Process Context) command explains it quite well. You might also take a look at .context (Set User-Mode Address Context) which is a very similar ...

16. Re: ntdll.dll symbols are missing?
(Forum/Symbol and Source Files )

... one - I've taken it from Peb field of !process 0 0 output. kd> dt _PEB 7ffdb000 ntdll!_PEB +0x000 InheritedAddressSpace : ?? +0x001 ReadImageFileExecOptions : ?? +0x002 BeingDebugged  ...

17. Re: See in Memory Descriptor List whats on
(Forum/Kernel-Mode Debugging)

...  00000059 00000023 Current Pool Bytes 00023708 00003760 Peak Pool Allocations 000000d3 0000002d Peak Pool Bytes 00024b88 00003be8 PoolAddress SizeInBytes Tag ...

18. Re: windbg question from kam
(Forum/Article Discussions)

... can easily get the base address of your driver too: > !lmi 77fba431 OR > lm vm 77fba431 Both commands will return the base/start address of your driver in memory. Then you would do something like ...

19. Re:Can all commands be watched with WinDbg
(Forum/General Questions)

... again This time WinDbg is attached right after ntdll.dll has been loaded into our newly created address space. Now you can debug the windows loader which is actually implemented in large part in ntdll.dll. Note ...

20. Re:Debugging minGW/GCC built DLL in Visual Studio?
(Forum/Symbol and Source Files )

... in your code by using the address in the error message I hope this helps, Robert ...

21. Re:Question about COFF deprecation
(Forum/Symbol and Source Files )

... help a debugger to map raw addresses in the PE executable to source-code lines, to analyze internal layout and data of applications, and so on. Obviously symbol files are not limited with backward compatibility ...

22. windbg question
(Forum/Article Discussions)

... convertible? example: driver name is 77fba431.sys so, normally I would do something like "bp 77fba431+rva_entrypoint" (just like lets say "bp ntfs+rva") but of course 77fba431 is read as an address, ...

23. windbg question
(Forum/Article Discussions)

Hi, Let's say that the driver I want to debug doesn't have symbols, so I can't use DriverEntry. !lmi 77fba431 (same problem: address not found (so name is interpreted as hex)) Also, the problem ...