Welcome to MSDN Blogs Sign in | Join | Help

Browse by Tags

All Tags » Special Commands   (RSS)

Special Command—Unassembling code with u, ub and uf

When debugging sooner or later you will need to disassemble code to get a better understanding of that code. By disassembling the code, you get the mnemonics translated from the 0s and 1s that constitute the binary code. It is a low level view of the Read More...
Posted Thursday, November 05, 2009 9:27 PM by Roberto Farah | 2 Comments

Special Command—Using # to Find Patterns of Assembly Instructions

Sometimes you need to look for patterns of disassembled code. You can browse the disassembled code and manually look for a specific pattern, or you can use a command to automate it. The # command does that. # [Pattern] [Address [ L Size ]] Parameters: Read More...
Posted Friday, October 23, 2009 3:46 PM by Roberto Farah | 0 Comments

Special Command—Tracing Applications Using wt

wt [WatchOptions] [= StartAddress] [EndAddress] Transcribing the WinDbg documentation, this command runs through the whole function and then displays statistics when executed at the beginning of a function call. Thus, this command can be used just when Read More...
Posted Monday, October 12, 2009 6:27 PM by Roberto Farah | 0 Comments

Special Command—Saving Modules Using .writemem

This command enables you to save memory into a disk file. The cool thing about it is that you can save modules too; however, it is just the raw memory. The parameters are: .writemem <filename> <range> Here is an example: 0:026> lm start Read More...
Posted Wednesday, September 23, 2009 12:00 AM by Roberto Farah | 1 Comments

Special Command—Using .dump/.dumpcab to Get Dumps and Symbols from Production Servers

Using WinDbg you can create a dump file from an application running, for instance, in a production server. After collecting the dump file, you can load it in another machine and debug it. However, to be more effective during your debugging session you Read More...
Posted Wednesday, September 16, 2009 12:55 AM by Roberto Farah | 3 Comments

Special Command—Using !chksym/!itoldyouso to Check PDB Files Against Modules

These are two debugger extensions that are used to see the PDB file that matches a specific module. Note that !itoldyouso is not documented. The output of both commands is identical. Usage: 0:025> !chksym ntdll ntdll.dll Timestamp: 49EEA706 SizeOfImage: Read More...
Posted Friday, September 04, 2009 6:46 PM by Roberto Farah | 0 Comments

Special Command—Displaying Information From Modules/DLLs with !dlls

!dlls extension displays the table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using. The WinDbg help file describes all parameters. Here we are going to show the most common usage. Displays Read More...
Posted Thursday, August 20, 2009 3:10 AM by Roberto Farah | 0 Comments

Special Command—Using !for_each_frame to Run Commands

!for_each_frame is a favorite among debuggers. It's a very flexible and powerful command that enables you to run commands for each frame of the call stack. You can use basically any command. For instance, let’s say you want to see all local variables Read More...
Posted Thursday, August 20, 2009 3:07 AM by Roberto Farah | 2 Comments

Special Command—Displaying More PE Header Information with !dh

The !dh extension displays the PE header information from a specified module. Usage: !dh [options] <addressOfModule> Options can be: -f Displays file headers. -s Displays section headers. -a Displays all header information. Example: 0:532> lm Read More...
Posted Thursday, August 20, 2009 3:05 AM by Roberto Farah | 0 Comments

Special Command—Displaying the PE Header Information with !lmi

Like its cousin !dh, the !lmi extension displays the PE header information from a specified module. However, it gives you fewer details than !dh . The output is summarized. Usage: !lmi <moduleName> Examples: 0:532> !lmi mtgdi Loaded Module Info: Read More...
Posted Thursday, August 20, 2009 2:59 AM by Roberto Farah | 0 Comments

Special Command—CPU Time for Each Thread with !runaway

This is one of my favorite commands! !runaway displays information about the CPU time consumed by each thread in User Mode and Kernel Mode. It is one of those commands you run when you think the application is hung with low or high CPU or has some kind Read More...
Posted Thursday, August 20, 2009 2:55 AM by Roberto Farah | 0 Comments

Special Command—Peeking Memory Addresses Using !address

Let’s say that you get a memory address and you want to know if it’s from the heap, the stack, or someplace else. Or yet, let’s say you have a .NET application consuming lots of memory, and you want to get a better understanding of this memory consumption. Read More...
Posted Tuesday, March 17, 2009 11:10 PM by Roberto Farah | 2 Comments

Special Command—Parsing Strings, Files, and Commands Output Using .foreach

This is by far one of the most powerful WinDbg commands. Even if you don’t create scripts, you’ll benefit from this command. It’s powerful because it’s flexible. You can use it for a huge variety of operations. The .foreach token parses the output of Read More...
Posted Thursday, March 12, 2009 1:41 AM by Roberto Farah | 1 Comments

Special Command—Parsing Commands Using .shell

Finally I’m writing about this command. I love it! It’s so powerful! .shell command launches a shell process and redirects its output to the debugger or to a specified file. Usage: .shell [ Options ] [ ShellCommand ] .shell -i InFile [ -o OutFile [ -e Read More...
Posted Thursday, February 19, 2009 8:51 PM by Roberto Farah | 1 Comments

Special Command—Advanced Programming Techniques for WinDbg Scripts

It has been a long time since my last post, but I’m back on the blog. The article for today is about the black art of WinDbg scripting. When I first started creating my scripts, I learned by trial and error. It was tough; however, it gave me the basis Read More...
Posted Saturday, January 31, 2009 5:32 AM by Roberto Farah | 1 Comments
More Posts Next page »
 
Page view tracker