This has got to be one of the top FAQs out there: how do I set up a kernel debugger? I just stumbled across a link on MSDN which gives instructions not only on how to set up a kernel debugger on all transports (serial, 1394, usb2), but also how to set...

This is a pretty cool and somewhat obscure debugger command.  It allows you to tell the debugger what functions to skip if you are using the trace command ('t').  I think of the trace command as the 'step into' command though, but that is just...

A bit over a year ago I had to figure out why my Mail key started behaving differently on Vista vs XP and wrote about how I fixed it.  Well, my dev box was so slow that I was able to employ enough sympathy that I got a new one.  While my old...

I saw a book, Advanced Windows Debugging , in the Microsoft company store and quickly read through it. It looked pretty awesome in the level of detail and breadth that it covered. I ordered my own copy and I think it would be an invaluable resource for...

I posted about !poaction and !poreqlist about a year ago. I tend to use these extensions whenever I am debugging a power related issue in the framework. A few months ago, I ran !poreqlist and got the following output 0: kd> !poreqlist All active Power...

Yesterday I introduced the dl command and demonstrated some of its limitations. Today I will talk about !list . Let's take yesterday's data structure, MY_DATA. What if the LIST_ENTRY is at the end of the structure or there is more data in your structure...

The use of the LIST_ENTRY structure in WDM is quite pervasive. It is used for nearly all list keeping tasks. I have used it extensively in the past and KMDF uses it quite a bit as well. There are two debugger commands that help in viewing the contents...

Your KMDF driver log can also be available in a mini-dump under certain circumstances. If you have a full kernel dump or a full memory dump, the log will be always present (barring any memory corruption or problems writing out the dump file). KMDF...

Yesterday I talked about the KMDF log. The KMDF log is a great tool to debug why a DDI call has failed or diagnose the cause of a bugcheck in your driver. You can customize different attributes of the log so that you can better debug your driver....

A lot of developers have a great experience with KMDF, but then they sometimes hit a wall. They add a chunk of code and the drivers start failing because something in the new code was not implemented correctly. The first question that comes to mind is...

One thing that I have always found clunky is stack frame navigation in windbg/kd. Previously, I thought you had only a couple of options. The first option, if you are using WinDBG, is that you can bring up the call stack window. I have found that...

You can download the package from WHDC . It is hard for me to keep track of when they go public, we get internal drops more often and so it is hard for me to know when fixes see the (external) light of day. Enjoy.

One thing you learn very quickly when writing a driver is that NTSTATUS is used almost everywhere . The consistency is nice, especially compared to user mode where errors can be an HRESULT , LONG , or DWORD (yes they are all the same underlying type,...

A lot of folks are told to connect a kernel debugger (over a serial calbe) to their systems if it is constantly blue screening or if there are suspected issues in the kernel or a loaded driver. Most of these folks do not have the skills to debug the...

One of the features I like about kd is that since you are using a console window, you get a lot of the console functionality for free. The 2 features that I really like are tab (err, F8) completion and the listing of command history (F7). On the other...

One of the prominant design goals throughout KMDF's development cycle was to create a system that had a built in and deeply integrated verifier from the start. Furthermore, we had a goal to create a system that was easier to verify (as compared to...

I think everyone at some point in time wants to embed a break point in there code, whether it be for debugging purposes, path tracing, or detecting edge conditions that have not yet been tested. When I hit a break point, I would prefer that the debugger...

It's a quick one today. One of the great features about windbg is that it has a return to caller button . I tend to like to keep my hands on the keyboard even when I am using windbg and Shift+F11 is still too cumbersome (long live the home row!). In the...

Today's kernel debugger command is "!bpid", break on process id. This command will break into an application in the application context from within the kernel debugger. Why would you want to do this? Well, you are not always in the right user mode...

Today's debugger command is "dps" (display pointers and symbols). You might be familiar with the "dds" command. While dds will always dump a DWORD, dps will dump pointers, where the pointer size is determined by the target. (I used to use dds because...

I think that the C preprocessor is a very powerful tool, but I like to limit my use of #defines. I have already touched on this when i talked about why I liked FORCEINLINE and I want to talk about it some more. I realize I can't eliminate the use of #defines...

Peter Wieland informed me that you can actually find the security descriptor (SD) using !object, you just have to work harder to get at it. It relies on an undocumented structure, but since this is not being used at runtime and !object also uses it, I...

Today I will cover how to look at type information from the command line of windbg/kd. You can do all of this in the UI with a mouse, but that takes too long ;). I like to keep my hands on the keyboard and not move around. More importantly, by learning...

Today I am going to write about !object. One of the tools you can get from sysinternals is WinObj.exe. This allows you to traverse the internal object hierarchy in Windows. It's a neat tool, but it uses internal undocumented APIs which means that when...

Today I got a callstack via email (from the NTDEV list), but no dump file. I needed to determine if the bugcheck was due to a KMDF or a USB core bug. Since I had no dump file, I had to work purely on what the message contained. The callstack did have...