

Special Command: Using dv to See the Local Variables

The dv command stands for display variables. It’s easy to memorize.

In the trenches, though, you won’t use the plain form of dv, because it doesn’t give you much information.

Here is the way I use this command:

dv /i /t /V

/i Causes the display to specify the kind of variable: local, global, parameter, function or unknown.

/t Causes the display to include the data type for each local variable.

/V (uppercase) Causes the display to include the virtual memory address or register location of each local variable and the address of the local variable relative to the relevant register.

Let me show you the difference.

dv

 

dv /i /t /V

 

 

Cool, huh? Now, look at what you can do using this command:

!for_each_frame

This extension executes a debugger command one time for each frame in the stack of the current thread.
Combining both commands gives you all variables for each frame.

!for_each_frame dv /i /t /V

Example:

 

 

 

Attention: To see the variables you need private symbols.

Tip: kpM does the job, too. See Special Commands tag for more.

Here you can see scripts that use the dv command.

 


Comments

  • Anonymous
    July 16, 2010
    How can one write a command to dump all variables for each frame in the stack, where the variable is not in a Windows/kernel function, like functions prefixed with "nt!"? Basically, for example, I would want to dump variables for my (driver) code in the stack only, skipping Windows/kernel related code.

  • Anonymous
    July 19, 2010
    You can create a script that displays just the output of the frames that are not coming from "nt!". A WinDbg script would be complex so PowerDbg is a better alternative for doing that because you can use PowerShell. If you're not in a hurry wait until the new version is released because it's being totally changed. Thanks, Roberto
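
One way to do the filtering asked about in the July 16, 2010 comment is to save the output of `!for_each_frame dv /i /t /V` to a log and post-process it. The Python below is an added example, not code from the post, the commenters or PowerDbg; the separator and frame-header layout it expects, the `mydrv` module name and the sample log are assumptions constructed for illustration.

```python
import re

# Assumption: !for_each_frame prints a "_ _ _ ..." rule before each frame, then
# a k-style header line: frame number, two addresses, module!function+offset.
RULE = re.compile(r"^(?:_ ){10,}")
HEADER = re.compile(r"^[0-9a-f]{2,}\s+[0-9a-f`]+\s+[0-9a-f`]+\s+((\S+?)!\S+)", re.I)

# Constructed sample log; the dv lines copy the column layout quoted on this page.
SAMPLE = """\
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 f78d6c28 f7a412a6 nt!IofCallDriver+0x32
Unable to enumerate locals, HRESULT 0x80004005
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 f78d6c50 f7a4201f mydrv!ForwardIrp+0x2c
prv param  @esi              @esi              struct _IRP * Irp = 0x86b4c010
prv local  f78d6c48          <virtual frame f78d6c50>-0x0008       long status = 0n0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 f78d6c94 00000000 0x7c90e4f4
"""


def parse_frames(log):
    """Return one dict per symbolized frame: symbol, module and its dv variables."""
    frames, current, after_rule = [], None, False
    for line in log.splitlines():
        if RULE.match(line):
            current, after_rule = None, True  # never carry variables across frames
            continue
        header = HEADER.match(line) if after_rule else None
        after_rule = False
        if header:
            current = {"symbol": header.group(1), "module": header.group(2), "vars": []}
            frames.append(current)
            continue
        # dv /i /t /V columns: kind, location, frame-relative location, "type name = value"
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=3)
        if current is not None and len(fields) == 4 and " = " in fields[3]:
            decl, value = fields[3].split(" = ", 1)
            vtype, _, name = decl.rpartition(" ")
            current["vars"].append({"kind": fields[0], "location": fields[1],
                                    "relative": fields[2], "type": vtype,
                                    "name": name, "value": value})
    return frames


def own_frames(log, skip_modules=("nt",)):
    """Drop frames whose module is in skip_modules (case-insensitive), e.g. nt!*."""
    skip = {m.lower() for m in skip_modules}
    return [f for f in parse_frames(log) if f["module"].lower() not in skip]
```

Open a log with `.logopen` before running the command, close it with `.logclose`, and pass the file contents to `own_frames`. Frames without a `module!function` symbol are dropped rather than merged into the previous frame.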

  • Anonymous
    October 30, 2012
    With the code below, I found it cannot display the variable correctly.

        #pragma auto_inline(off)
        VOID ShowMessage(LPCTSTR lpszName)
        {
            TCHAR szMessage[256] = {0};
            swprintf(szMessage, sizeof(szMessage)/sizeof(szMessage[0]), _T("You clicked button \"%s\""), lpszName);
            MessageBox(g_hWndMain, szMessage, szTitle, MB_OK);
        }
        #pragma auto_inline() // returns to previous state

    This is the result, and it cannot show szMessage correctly.

        0:000> dv /i /t /V
        prv param  @esi              @esi              wchar_t * lpszName = 0x01384ca8 "Hello World"
        prv local  0020eeb0          <virtual frame 20f0b4>-0x0204       wchar_t [256] szMessage = wchar_t [256] "???"

    Why is that? Is it a WinDbg bug?

  • Anonymous
    October 31, 2012
    This happens when WinDbg has problems identifying the local variables because of some sort of code optimization. Usually it happens when using a Release version with code optimizations, and usually it doesn't happen when using a Debug version with no optimizations. You can still get those values, but it'll require more manual work.