How to Access the User Mode Debugger from the Kernel Debugger

How to Access the User Mode Debugger from the Kernel Debugger

  • Comments 4

In certain cases you may want to use a user mode debugger to debug a process from within the kernel debugger.    It could be that you have an application that loads a kernel mode driver, and you want to be able to debug the user mode aspect of the application and then break into the kernel to follow the calls made to kernel.

Here is how you do it!

·         Attach the kernel debugger via a serial cable (Null modem cable), USB cable or FireWire cable, and have your machine configured to be kernel debugged. The article located at  http://support.microsoft.com/kb/151981  is a good reference for pre-Vista systems.  To enable the debug options on Vista or Windows 2008 you must use bcdedit.exe because those OSes no longer use a boot.ini file. Here’s an example:

 

bcdedit /debug {<guid>} <ON | OFF>
bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200

 

·         Add a new debugger key to the “Image File Execution Options” for your process.  In this case we will use notepad.exe as the target process. The new key will look like this:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe

 

·         Add a string value under this key called “debugger” that contains the value “ntsd –d”. Here’s a screen shot of the registry changes for reference.

 

·         The –d option redirects the output of NTSD to the kernel debugger allowing remote control via the kernel debugger.

 

·         With the existence of this new key, the user mode debugger will automatically start and attach to your process when Notepad.exe starts.  Note: It’s important to remove the registry entry when you’re finished debugging.

 

·         You can now issue any standard NTSD Command via the kernel debugger.

 

·         When you are ready to break into the kernel and run under the kernel debugger simply type .breakin

 

 

Jeff- 

Leave a Comment
  • Please add 8 and 3 and type the answer here:
  • Post
  • PingBack from http://hoursfunnywallpaper.cn/?p=374

  • You should point out that on Windows 2000, XP and Server 2003 systems this will result in the antiquated version of ntsd from system32 been launched to debug the process, rather than a more up to date version from the Debugging Tools for Windows.

    Furthermore, on Windows Vista and Windows Server 2008, ntsd is no longer included with the OS so the Image File Execution Options will have to be set to account for the absolute location of the Debugging Tools for Windows on the system.

  • Ask the Directory Services Team : MCS Talks Infrastructure Architecture joeware - never stop exploring…

  • Hi All, Debugging a dump from a hung server may not be something you do every day so you may want to

Page 1 of 1 (4 items)