windbg.info

Search Our Site

Total: 17 results found.
Results 1 - 17 of 17
...  Version of target computer CTRL+ALT+V Toggle verbose mode ON/OFF In verbose mode some commands (such as register dumping) have more detailed output. n n ...
2. Debugging TDRs
(Forum/General Questions)
... some corruption is seen (this is the issue I want to debug.) The problem I'm getting is that when I want to recreate the TDR with WinDbg connected in kernel debug mode, it gives me a Fatal System Error ...
3. ntdll.dll symbols are missing?
(Forum/Symbol and Source Files )
... I try to debug in kernel mode I've got troubles of course, that's not surprising - !peb and other stuff like !object or dt nt_!PEB doesn't work too. Can anyone suggest an issue? ...
4. Re: break on driver load - question from kam
(Forum/Article Discussions)
... memory (be it an EXE, DLL, or kernel mode driver) and calls its entry point thereafter. In other words by the time DriverEntry is called the driver will always be loaded. If all you need is break into ...
5. Re: CrashMe Application
(Forum/Article Discussions)
Hello everybody I can't see 10 Mb memory in dump which allocate operator new. I do next step 1) Start "CrashMe.exe" in debug mode 2) Attach with WinDbg 3) Press button "operator new*" 4) Press ...
6. Re: Detail analysis of crashme.exe
(Forum/Article Discussions)
... and make the nParam1 to 9, I just can hack into the assembly and edit the instruction save the binary file or just modify the register value when in debug mode. I would appreciate your help! Thanks! PS: ...
... mode. The stack in the kernel looks something like this: 1: kd> kb ChildEBP RetAddr Args to Child acb11adc b9dbdca6 88928a38 88666008 acb11b20 Ntfs!NtfsDeleteUsnJournal acb11af0 b9da7adc 88928a38 ...
8. Re: kernel32 symbol in live kernel debug
(Forum/Symbol and Source Files )
Welcome Thongchai. The kernel on 2000, XP, Vista, or Windows 7 never loads user32.dll or kernel32.dll. Both are user mode DLLs and thus get loaded by user-mode applications (generally speaking any Win32 ...
9. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)
Brett, welcome. Note that you are trying to debug user-mode code (kernel32!CreateFileW is user-mode code...) from a kernel-mode debug session. To do this you must ensure the context of your process ...
10. Re: Memory Access errors in the Kernel
(Forum/Kernel-Mode Debugging)
Brett, hi again. The following excerpt of the .process (Set Process Context) command explains it quite well. You might also take a look at .context (Set User-Mode Address Context) which is a very similar ...
11. Re: Remote debugging of CrashMe with ntsd -d
(Forum/Article Discussions)
Guillaume, welcome. My experience is that it is often not worth debugging user mode applications from a kernel mode debugger. True, the official docs propose to debug Winlogon just as you did. But hey, ...
12. Re: See in Memory Descriptor List whats on
(Forum/Kernel-Mode Debugging)
... you should find ..\Debugging Tools for Windows (x86)\triage\ pooltag.txt which lists all tags used by kernel mode components and drivers. Here is what it says about the Mdl tag: - - Mdl - - Io, ...
13. Re: tracking malicious code with windbg
(Forum/General Questions)
Hi, Once you have the kernel debug session established you can use ntsd -d to debug the malware via the connection. You can also use breakin to break into the user mode code. Cs. ...
14. Re:Unable to load image ntoskrnl.exe
(Forum/Crash Dump Analysis )
... least get a hint of what went wrong because of the "!sym noisy" command (noisy mode - symbol prompts on). Check 7) Symbols and 10) Loaded modules and image information for more details about the commands ...
15. set breakpoint for ring3 application
(Forum/User-Mode Debugging)
I set up remote debugging on localhost with VMware through a named pipe/com1. After I access kernel mode, is it possible for me to debug the ring3 application (for example hello.exe) in VMware? My Question: 1) ...
16. StackOverFlowException in .Net
(Forum/Crash Dump Analysis )
... StackOverflow; instead if I build in debug mode I can see full stack with recursive call of MyMethod. What can I do to see full stack in release mode? Can anyone help me? Thanks! Below WinDBG output ...
I have several dumps on a system that always shows the following messages logged. Does anyone know what this indicates (in bold): Loading Dump File [C:\temp\dumps\Crash_Mode__Date_09-03-2010__Time_12-37-50PM\PID-5396__VWJS.EXE__1st_chance_Process_Shut_Down__full_24e4_2010-09-07_05-27-12-493_1514.dmp] User ...

Copyright © 2024 WinDbg.info. All Rights Reserved.