windbg recipes

See also: all the recipes and the intro

# windbg interface for debugging through a hypervisor is named EXDI

# Starting in the KDNET mode
"c:\Program Files\Debugging Tools for Windows (x64)\windbg.exe" -k net:target=bird2,port=50000,key=1.2.3.4

!dbgprint # print the debug buffer
.prefer_dml 1 # enable the links
ln <addr> # find the nearest symbol

# get the crash info
!analyze -v


# printing WMI events in the debugger
!wmitrace.dynamicprint 1
# starting the trace
!wmitrace.start -kd ...
!wmitrace.kdtracing 1
# status
!wmitrace.strdump # list all loggers
!wmitrace.strdump 0x0 # status of logger 0x0
https://blogs.msdn.com/b/ntdebugging/archive/2009/09/08/exploring-and-decoding-etw-providers-using-event-log-channels.aspx

# start a debugger server, connecting through this session
.server tcp:port=8086

# loader snaps - diagnostics of DLL loading failures
# in windbg, may also need: gflags.exe -i your-app-without-path.exe +sls
sxe ld # break on every module load

# how to debug apps on NanoServer with a remote debugger
# run on Nano
netsh advf set allprofiles state off
mwdbgsrv.exe -t tcp:port=34567
# run on the remote full Windows
windbg -premote tcp:server=<ipaddress>,port=34567 <command line>
# running apps and debugger on NanoServer
https://blogs.technet.com/b/nanoserver/archive/2015/12/24/nano-server-developer-experience-visual-studio-2015-update-1-and-above.aspx

# install windbg as the default postmortem debugger on crash
windbg -I
# associate windbg with dump file extensions in Registry
windbg -IA

# make windbg break-in as soon as Windows boots
windbg -d ...

# killing a process with the debugger wrapper
ntsd -p <pid> -c q

# enabling all DbgPrint DEBUG_IO messages
# takes effect after a reboot
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /f /v DEFAULT /t REG_DWORD /d 0xFFFFFFFF


# Filtering DbgPrint DEBUG_IO messages
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551519%28v=vs.85%29.aspx

# PowerShell interface to debugger
https://codebox/DbgShell

# Detection of debugger in system config
https://msdn.microsoft.com/en-us/library/windows/desktop/ms724509%28v=vs.85%29.aspx


# KDNET errors reported in registry
HKLM\SYSTEM\CurrentControlSet\Services\kdnet
  KdInitStatus (DWORD) - 0 on success, error code on error
  KdInitErrorString - explanation of the error (also contains informational messages if no error)
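Reading those two values with PowerShell, as an added example that is not one of the original recipes (key and value names are the ones above; decoding the status as a 32-bit code shown in hex is an assumption):

```powershell
# Added example, not from the original recipes: read the KDNET init status the
# kernel records under the kdnet service key, handling a missing key and showing
# the code as hex. Treating KdInitStatus as a 32-bit code is an assumption.
function Get-KdnetStatus {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\kdnet'
    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{
            Configured = $false
            Succeeded  = $false
            Status     = $null
            Message    = 'kdnet key not present: KDNET not configured, or not initialized on this boot'
        }
    }
    $props = Get-ItemProperty -Path $key
    # REG_DWORD is read back as a signed Int32; mask it so large codes print as unsigned hex
    $raw = $props.PSObject.Properties['KdInitStatus'].Value
    $status = if ($null -eq $raw) { $null } else { ([int64]$raw) -band [int64][uint32]::MaxValue }
    [pscustomobject]@{
        Configured = $true
        Succeeded  = ($status -eq 0)   # 0 on success, error code otherwise
        Status     = if ($null -eq $status) { $null } else { '0x{0:X8}' -f $status }
        # error explanation, or informational messages when there was no error
        Message    = $props.PSObject.Properties['KdInitErrorString'].Value
    }
}

Get-KdnetStatus | Format-List
```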

# CPU usage analysis with windbg - on CLR
https://improve.dk/debugging-in-production-part-1-analyzing-100-cpu-usage-using-windbg/
https://raghurana.com/blog/?p=144

# How to force a crash bugcheck from keyboard
https://msdn.microsoft.com/en-us/library/windows/hardware/ff545499(v=vs.85).aspx
# crash from kernel debugger
https://msdn.microsoft.com/en-us/library/windows/hardware/ff545491(v=vs.85).aspx

# converting a VM saved state to a debugger memory dump 
https://blogs.technet.com/b/virtualworld/archive/2010/02/02/vm2dmp-hyper-v-tm-vm-state-to-memory-dump-converter.aspx

# Application Verifier - poor man's valgrind
https://msdn.microsoft.com/en-us/library/windows/desktop/dd371695%28v=vs.85%29.aspx