Debugging Toolbox

Windbg scripts, debugging and troubleshooting tools and techniques to help you isolate software problems.

Tagged Content List
  • Blog Post: New Debugging Book – Windows Debugging Notebook: Essential User Space WinDbg Commands

    A reference book for technical support and escalation engineers troubleshooting and debugging complex software issues. The book is also invaluable for software maintenance and development engineers debugging Windows applications and services. Do you want to know more about this book? Check out...
  • Blog Post: PSSCOR2, the Superset of SOS.DLL is Now Public!!!

    Whenever I’m debugging with customers watching it’s inevitable: they always ask me what this PSSCOR2.dll extension is. The next question is always if PSSCOR2.DLL is going to be public. PSSCOR2.DLL is a superset of SOS.DLL and has many more commands and variations! The good news is that yes, now PSSCOR2...
  • Blog Post: Special Command—Saving Modules Using .writemem

    This command enables you to save memory into a disk file. The cool thing about it is that you can save modules too; however, it is just the raw memory. The parameters are: .writemem <filename> <range> Here is an example: 0:026> lm start end module name...
  • Blog Post: Special Command—Using .dump/.dumpcab to Get Dumps and Symbols from Production Servers

    Using WinDbg you can create a dump file from an application running, for instance, in a production server. After collecting the dump file, you can load it in another machine and debug it. However, to be more effective during your debugging session you need symbols . Thus, thinking about it, here's the...
  • Blog Post: Special Command—Using !chksym/!itoldyouso to Check PDB Files Against Modules

    These are two debugger extensions that are used to see the PDB file that matches a specific module. Note that !itoldyouso is not documented. The output of both commands is identical. Usage: 0:025> !chksym ntdll ntdll.dll Timestamp: 49EEA706 SizeOfImage: 180000 pdb: wntdll...
  • Blog Post: Special Command—Displaying Information From Modules/DLLs with !dlls

    The !dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using. The WinDbg help file describes all parameters. Here we are going to show the most common usage. Displays file headers and section headers...
  • Blog Post: Special Command—Displaying More PE Header Information with !dh

    The !dh extension displays the PE header information from a specified module. Usage: !dh [options] <addressOfModule> Options can be: -f Displays file headers. -s Displays section headers. -a Displays all header information. Example: 0...
  • Blog Post: Special Command—Displaying the PE Header Information with !lmi

    Like its cousin !dh, the !lmi extension displays the PE header information from a specified module. However, it gives you fewer details than !dh. The output is summarized. Usage: !lmi <moduleName> Examples: 0:532> !lmi mtgdi Loaded Module Info: [mtgdi...
  • Blog Post: Special Command—Peeking Memory Addresses Using !address

    Let’s say that you get a memory address and you want to know if it’s from the heap, the stack, or someplace else. Or, let’s say you have a .NET application consuming lots of memory, and you want to get a better understanding of this memory consumption. The !address command is helpful in both situations...
  • Blog Post: Special Command—Parsing Strings, Files, and Commands Output Using .foreach

    This is by far one of the most powerful WinDbg commands. Even if you don’t create scripts, you’ll benefit from this command. It’s powerful because it’s flexible. You can use it for a huge variety of operations. The .foreach token parses the output of one or more debugger commands and uses each...
  • Blog Post: Special Command—Use lm* and Get All Details from Modules

    Yet another basic and useful command: lm. Hmmmmm… OK so you already know this command. Great! But do you know all of its variations? Usually when we get used to a command we don’t try to explore its variations and sometimes one of these variations may give you the information you’re looking for...
  • Blog Post: Special Command—Searching the Call Stack for Symbols or Modules Using !findstack

    During your debugging session, you may find yourself trying to identify if a specific symbol or module appears in one or more threads. There’s more than one way to do that, and here I cover it in the simplest way: !findstack This command accepts the following arguments: Symbol Specifies...
  • Blog Post: Special Command: Using s to Explore The Memory

    Very often I find myself scanning the stack or the entire virtual memory of the process to find information that may help me. This information may be strings, DWORDs, bytes, chars, etc… To accomplish this you should use the s command. Here I exemplify how you can use it to scan the memory...
  • Blog Post: [PowerShell Script] Saving a Module from a .NET Method Call

    This is my first script using the PowerDbg functions. It’s a good example of how to use PowerDbg to build your own scripts. PowerDbgScriptSaveModule.ps1 is the PowerShell version of my Windbg script Save_Module.txt. Actually it does more than the previous version: it automatically saves the...
  • Blog Post: [Windbg Script] Saving a Module - Extracting Base Address and Image Name from a method call

    After creating this script, I have used it in almost every case that requires decompilation, and I guess you are going to use it, too. This script gives you the base address and module name, so you can use !SaveModule from SOS to save the module. Ok… maybe you are wondering what is so cool about...
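
Two of the items above hand you a module as it was mapped, not as it was linked: .writemem saves the raw memory of the range you give it, and the Save_Module script exists to feed a base address to !SaveModule. In either case the section headers still carry the linker's file offsets (PointerToRawData/SizeOfRawData) while the section bytes actually sit at their virtual addresses, so a disassembler or PE library opening the saved file reads the wrong bytes. The script below is an added example, not code from the Debugging Toolbox blog or its scripts; it "unmaps" such a dump by pointing each section's raw offset at its RVA and aligning FileAlignment to SectionAlignment, and it flags sections the dump does not fully cover. It assumes the dump was taken as `.writemem <file> <base> L<SizeOfImage>` (SizeOfImage from !dh or !lmi); the function names and the tiny two-section PE32 it builds as input are constructed for the example. It does not rebuild the import table or undo relocations, so treat the result as something to analyze, not something to run.

```python
"""Added example (not from the Debugging Toolbox posts): rewrite a raw in-memory PE image,
as saved with  .writemem <file> <base> L<SizeOfImage>  or via SOS !SaveModule, into
file layout so that a disassembler or PE parser reads every section from the right offset."""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def pe_layout(image):
    """Locate the headers: (optional_header_off, section_table_off, number_of_sections)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: the .writemem range did not start at the module base")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    return coff + 20, coff + 20 + opt_size, num_sections   # offsets below hold for PE32 and PE32+


def alignments(image):
    """(SectionAlignment, FileAlignment) from the optional header."""
    opt, _, _ = pe_layout(image)
    return struct.unpack_from("<II", image, opt + 0x20)


def read_sections(image):
    _, sec_off, n = pe_layout(image)
    secs = []
    for i in range(n):
        f = SECTION_HDR.unpack_from(image, sec_off + i * SECTION_HDR.size)
        secs.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                     "vsize": f[1], "va": f[2], "raw_size": f[3], "raw_ptr": f[4]})
    return secs


def section_data(image, sec):
    """Read a section the way a PE *file* parser does: through PointerToRawData."""
    return bytes(image[sec["raw_ptr"]:sec["raw_ptr"] + sec["raw_size"]])


def dump_is_complete(image):
    """True if the dump covers SizeOfImage, i.e. the .writemem range was base..base+SizeOfImage."""
    opt, _, _ = pe_layout(image)
    return len(image) >= struct.unpack_from("<I", image, opt + 0x38)[0]


def fix_memory_image(image):
    """Unmap: PointerToRawData := VirtualAddress, SizeOfRawData := aligned VirtualSize,
    FileAlignment := SectionAlignment. Returns (fixed_bytes, names_of_truncated_sections)."""
    img = bytearray(image)
    opt, sec_off, n = pe_layout(img)
    sec_align = struct.unpack_from("<I", img, opt + 0x20)[0]
    struct.pack_into("<I", img, opt + 0x24, sec_align)
    truncated = []
    for i in range(n):
        off = sec_off + i * SECTION_HDR.size
        f = list(SECTION_HDR.unpack_from(img, off))
        vsize, va = f[1], f[2]
        if va + vsize > len(img):                          # bytes the dump does not contain
            truncated.append(f[0].rstrip(b"\0").decode("ascii", "replace"))
        f[3] = min(align_up(vsize, sec_align), max(len(img) - va, 0))
        f[4] = va
        SECTION_HDR.pack_into(img, off, *f)
    return bytes(img), truncated


def build_sample_image():
    """Constructed sample: a tiny PE32 as the loader maps it (SectionAlignment 0x1000); not a real binary."""
    text, data = b"\x31\xc0\xc3", b"writemem-sample\0"     # xor eax,eax ; ret   /   a string
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics) as the linker wrote them
    sections = [(b".text", len(text), 0x1000, 0x200, 0x400, 0x60000020),
                (b".data", len(data), 0x2000, 0x200, 0x600, 0xC0000040)]
    img = bytearray(0x3000)                                # SizeOfImage
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x00400000)    # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 0x38, 0x3000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 0x5C, 16)            # NumberOfRvaAndSizes
    for i, s in enumerate(sections):
        SECTION_HDR.pack_into(img, opt + 0xE0 + i * SECTION_HDR.size, *s[:5], 0, 0, 0, 0, s[5])
    img[0x1000:0x1000 + len(text)] = text                  # contents sit at their RVAs, not at 0x400/0x600
    img[0x2000:0x2000 + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    raw = build_sample_image()
    fixed, truncated = fix_memory_image(raw)
    for before, after in zip(read_sections(raw), read_sections(fixed)):
        print(f"{after['name']:<6} PointerToRawData {before['raw_ptr']:#x} -> {after['raw_ptr']:#x}; "
              f"first bytes {section_data(raw, before)[:3].hex()} -> {section_data(fixed, after)[:3].hex()}")
    print("complete:", dump_is_complete(raw), " truncated sections:", truncated)
```

Run it as-is and the before/after lines show .text being read from 0x400 (zeros in the memory image) until the header is rewritten to 0x1000. On a real dump, check dump_is_complete first: if the range was shorter than SizeOfImage, the last sections come back in the truncated list and their SizeOfRawData is clamped to what the file actually holds, which is the honest thing to record rather than a header that promises bytes the dump never contained.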