Debugging Toolbox

Windbg scripts, debugging and troubleshooting tools and techniques to help you isolate software problems.

Tagged Content List
  • Blog Post: D3v3l0p3r PF3s – 0bs3rv1ng Th3m in Th31r Natural Hab1tat

    PFE has engineers who specialize in areas which can contain one or more technologies. This species is universally known as D3v PF3 (Developer PFE). Not everyone really knows their habits and role and, as a consequence, sometimes it’s hard for customers to engage them. Their specialty is problem...
  • Blog Post: New Debugging Book – Windows Debugging Notebook: Essential User Space WinDbg Commands

    A reference book for technical support and escalation engineers troubleshooting and debugging complex software issues. The book is also invaluable for software maintenance and development engineers debugging Windows applications and services. Do you want to know more about this book? Check out...
  • Blog Post: Special Command—Editing memory with a, eb, ed, ew, eza, ezu

    When talking about editing memory, we usually think about patching code. Patching code means changing the binary code in memory for, let’s say, when you want to prove a hypothesis while debugging and you don’t have access to the source code. This is a very exciting subject, and WinDbg has the right...
  • Blog Post: Special Command—Unassembling code with u, ub and uf

    When debugging sooner or later you will need to disassemble code to get a better understanding of that code. By disassembling the code, you get the mnemonics translated from the 0s and 1s that constitute the binary code. It is a low level view of the code, but a higher level than seeing just numbers...
  • Blog Post: Special Command—Using # to Find Patterns of Assembly Instructions

    Sometimes you need to look for patterns of disassembled code. You can browse the disassembled code and manually look for a specific pattern, or you can use a command to automate it. The # command does that. # [Pattern] [Address [ L Size ]] Parameters: Pattern - Specifies the pattern...
  • Blog Post: Special Command—Tracing Applications Using wt

    wt [WatchOptions] [= StartAddress] [EndAddress] Transcribing the WinDbg documentation, this command runs through the whole function and then displays statistics when executed at the beginning of a function call. Thus, this command can be used just when doing live debugging, not post mortem debugging...
  • Blog Post: Special Command—Saving Modules Using .writemem

    This command enables you to save memory into a disk file. The cool thing about it is that you can save modules too; however, it is just the raw memory. The parameters are: .writemem <filename> <range> Here is an example: 0:026> lm start end module name...
  • Blog Post: Special Command—Using .dump/.dumpcab to Get Dumps and Symbols from Production Servers

    Using WinDbg you can create a dump file from an application running, for instance, in a production server. After collecting the dump file, you can load it in another machine and debug it. However, to be more effective during your debugging session you need symbols. Thus, thinking about it, here's the...
  • Blog Post: Special Command—Using !chksym/!itoldyouso to Check PDB Files Against Modules

    These are two debugger extensions that are used to see the PDB file that matches a specific module. Note that !itoldyouso is not documented. The output of both commands is identical. Usage: 0:025> !chksym ntdll ntdll.dll Timestamp: 49EEA706 SizeOfImage: 180000 pdb: wntdll...
  • Blog Post: Special Command—Displaying Information From Modules/DLLs with !dlls

    The !dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using. The WinDbg help file describes all parameters. Here we are going to show the most common usage. Displays file headers and section headers...
  • Blog Post: Special Command—Using !for_each_frame to Run Commands

    !for_each_frame is a favorite among debuggers. It's a very flexible and powerful command that enables you to run commands for each frame of the call stack. You can use basically any command. For instance, let’s say you want to see all local variables from each frame of a specific stack. Of course...
  • Blog Post: Special Command—Displaying More PE Header Information with !dh

    The !dh extension displays the PE header information from a specified module. Usage: !dh [options] <addressOfModule> Options can be: -f Displays file headers. -s Displays section headers. -a Displays all header information. Example: 0...
  • Blog Post: Special Command—Displaying the PE Header Information with !lmi

    Like its cousin !dh, the !lmi extension displays the PE header information from a specified module. However, it gives you fewer details than !dh. The output is summarized. Usage: !lmi <moduleName> Examples: 0:532> !lmi mtgdi Loaded Module Info: [mtgdi...
  • Blog Post: Special Command—CPU Time for Each Thread with !runaway

    This is one of my favorite commands! !runaway displays information about the CPU time consumed by each thread in User Mode and Kernel Mode. It is one of those commands you run when you think the application is hung with low or high CPU or has some kind of performance issue. Parameters: ...
  • Blog Post: Special Command—Peeking Memory Addresses Using !address

    Let’s say that you get a memory address and you want to know if it’s from the heap, the stack, or someplace else. Or, let’s say you have a .NET application consuming lots of memory, and you want to get a better understanding of this memory consumption. The !address command is helpful in both situations...
  • Blog Post: Special Command—Parsing Strings, Files, and Commands Output Using .foreach

    This is by far one of the most powerful WinDbg commands. Even if you don’t create scripts, you’ll benefit from this command. It’s powerful because it’s flexible. You can use it for a huge variety of operations. The .foreach token parses the output of one or more debugger commands and uses each...
  • Blog Post: Special Command—Parsing Commands Using .shell

    Finally I’m writing about this command. I love it! It’s so powerful! .shell command launches a shell process and redirects its output to the debugger or to a specified file. Usage: .shell [ Options ] [ ShellCommand ] .shell -i InFile [ -o OutFile [ -e ErrFile ]] [ Options ] ShellCommand According...
  • Blog Post: Special Command—Advanced Programming Techniques for WinDbg Scripts

    It has been a long time since my last post, but I’m back on the blog. The article for today is about the black art of WinDbg scripting. When I first started creating my scripts, I learned by trial and error. It was tough; however, it gave me the basis to create the technique that has proven to be...
  • Blog Post: Special Command—Execute Commands from a Customized User Interface with .cmdtree

    A few weeks ago I received an e-mail from Brad Wilson, a Support Escalation Engineer from the OCS (Office Communications Server) team. Brad asked me about the .cmdtree command and I told him I’ve never configured it before. A few days ago he sent me another e-mail saying he figured out how to use this...
  • Blog Post: Special Command—Using Variables and Retrieving Information through Pseudo-Registers

    WinDbg for 32 bits and 64 bits has a set of internal pseudo-registers that you can use as variables or as a means to get specific information. The pseudo-registers are, according to WinDbg documentation: Pseudo-register Description $ea The effective address of...
  • Blog Post: Special Command—.if and j to Use in Breakpoints and Scripts

    The .if and j commands are used conditionally to execute a command or series of commands. .if is very similar to if from C and C++: .if ( Condition ) { Commands } .elsif ( Condition ) { Commands } .else { Commands } j does the same thing, but uses a very different syntax: j Expression...
  • Blog Post: Special Command—Listing the Nearest Symbols with ln

    ln is a very useful command. It stands for list nearest. You provide an address as argument, and it gives you the closest symbol that matches the address. Of course, you have to be using the right symbols! Here is the syntax: ln [ address ] Example: Tip: You can see if...
  • Blog Post: Special Command—Logging Commands Output and Commands History

    If you’ve been following my blog you know I use .logopen and .logclose quite a lot, mainly in PowerDbg. Using these pairs of commands you can save a log file that has all output from the debugger. Usage: .logopen [ Options ] [ FileName ] .logopen /d Arguments: /t Appends the...
  • Blog Post: Special Command—How to See Different Call Stacks Only? !uniqstack

    I’ve been travelling a lot in the US and Latin America: that’s why you haven’t seen any new posts coming. Now I’m back! OK, just for a while, but it’s enough to write more articles. By the way, Buenos Aires (Argentina) is a beautiful place to know! This post introduces a command that is not well...
  • Blog Post: Special Command—Using Breakpoints: bp, bm, ba, bu

    When doing live debugging you’ll use breakpoints at some point when tackling a problem. A simple breakpoint is easy to use; however, when you are in the trenches you might need to use advanced breakpoints that save you a lot of manual work. For instance, you may need to use a breakpoint that works...