WinDbg
WinDbg is a multipurpose debugger for Microsoft Windows, distributed on the web by Microsoft. It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. It is a GUI application, but has little in common with the more well-known, but less powerful, Visual Studio Debugger.

WinDbg can be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death, which occurs when a bug check is issued. It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging.

WinDbg also has the ability to automatically load debugging symbol files (e.g., PDB files) from a server by matching various criteria (e.g., timestamp, CRC, single or multiprocessor version). This is a very helpful and time-saving alternative to creating a symbol tree for a debugging target environment. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems that have various versions of binaries installed on the debugging target by eliminating the need for finding and installing a specific symbol version on the debug host. Microsoft has a public symbol server that has most of the public symbols for Windows 2000 and later versions of Windows (including service packs).
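How a timestamp-based match can be computed, as an added example (not part of the original article and not Microsoft's code): symbol stores conventionally index an executable under its PE TimeDateStamp followed by its SizeOfImage, so the debugger can request the exact build that was loaded on the target. The key layout is stated here as an assumption the article does not spell out; the header bytes, server URL and file name are constructed for illustration.

```python
import struct

def pe_symbol_key(image: bytes) -> str:
    """Store index for a PE image: TimeDateStamp (8 hex digits) + SizeOfImage (hex)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of the PE signature
    opt_off = e_lfanew + 24                                # signature (4) + COFF header (20)
    if len(image) < opt_off + 60:
        raise ValueError("truncated PE header")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # SizeOfImage sits at offset 56 of the optional header in both PE32 and PE32+.
    (size_of_image,) = struct.unpack_from("<I", image, opt_off + 56)
    return f"{timestamp:08X}{size_of_image:x}"

def symbol_request_path(server: str, filename: str, image: bytes) -> str:
    """Path a client would request: <server>/<file>/<key>/<file>."""
    return f"{server.rstrip('/')}/{filename}/{pe_symbol_key(image)}/{filename}"

def build_sample_pe(timestamp: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32+ header for the demo (not a real binary)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, symbol table ptr/count,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    sample = build_sample_pe(0x5A4A1659, 0xA64000)         # constructed values
    # Placeholder private server URL, not a real endpoint.
    print(symbol_request_path("https://symbols.example.invalid", "sample.dll", sample))
```

Two builds of the same file name with different link timestamps produce different keys, which is what lets a debug host resolve the right symbols for whichever version is installed on the target.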

Recent versions of WinDbg have been distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging engine between WinDbg and command line debuggers like KD, CDB, and NTSD. This means that most commands will work in all alternative versions without modification, allowing users to use the style of interface with which they are most comfortable.

Extensions

WinDbg allows the loading of extension DLLs that can augment the debugger's supported commands and allow for help in debugging specific scenarios: for example, displaying an MSXML document given an IXMLDOMDocument, or debugging the Common Language Runtime (CLR). These extensions are a large part of what makes WinDbg such a powerful debugger. WinDbg is used by the Microsoft Windows product team to build Windows, and everything needed to debug Windows is included in these extension DLLs.

Extension commands are always prefixed with !.

While some extensions are used only inside Microsoft, most of them are part of the public Debugging Tools for Windows package.

The extension model is documented in the help file included with the Debugging Tools for Windows.

Coupling with Virtual Machines

WinDbg allows debugging a Microsoft Windows kernel running on a VMware or VPC virtual machine using a named pipe. This can be achieved by using a virtual COM port. In the case of VMware or VirtualBox, the VirtualKD extension adds native support for VM debugging to the Windows kernel.

!analyze

The most commonly used extension is !analyze -v, which analyzes the current state of the program being debugged and the machine/process state at the moment of the crash or hang. This extension is often able to debug the current problem in a completely automated fashion.

When used without any switches, !analyze simply returns the results of its analysis. The -v and -vv switches give further details about that analysis.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.