Debugging Toolbox

Browse by Tags

Special Command—Using .dump/.dumpcab to Get Dumps and Symbols from Production Servers

Using WinDbg you can create a dump file from an application running, for instance, in a production server. After collecting the dump file, you can load it in another machine and debug it. However, to be more effective during your debugging session you Read More...

Posted Wednesday, September 16, 2009 12:55 AM by Roberto Farah | 3 Comments

Filed under: Call Stack, SQL Connections, SQL Commands, PE Headers, Serviced Components, Modules, Disassembly, Hang, High CPU, Crash, Exceptions, Special Commands, Stack Corruption, Heap Corruption, Symbols, Threads, Performance Bottlenecks, SharePoint, Memory Leak

Special Command—Using !chksym/!itoldyouso to Check PDB Files Against Modules

These are two debugger extensions that are used to see the PDB file that matches a specific module. Note that !itoldyouso is not documented. The output of both commands is identical. Usage: 0:025> !chksym ntdll ntdll.dll Timestamp: 49EEA706 SizeOfImage: Read More...

Posted Friday, September 04, 2009 6:46 PM by Roberto Farah | 0 Comments

Filed under: Modules, Special Commands, Symbols

Special Command—Using !for_each_frame to Run Commands

!for_each_frame is a favorite among debuggers. It's a very flexible and powerful command that enables you to run commands for each frame of the call stack. You can use basically any command. For instance, let’s say you want to see all local variables Read More...

Posted Thursday, August 20, 2009 3:07 AM by Roberto Farah | 2 Comments

Filed under: Call Stack, Special Commands, Symbols, Threads

Special Command—Peeking Memory Addresses Using !address

Let’s say that you get a memory address and you want to know if it’s from the heap, the stack, or someplace else. Or yet, let’s say you have a .NET application consuming lots of memory, and you want to get a better understanding of this memory consumption. Read More...

Posted Tuesday, March 17, 2009 11:10 PM by Roberto Farah | 2 Comments

Filed under: Modules, Special Commands, Stack Corruption, Heap Corruption, Symbols, Performance Bottlenecks, Memory Leak

Special Command—Parsing Strings, Files, and Commands Output Using .foreach

This is by far one of the most powerful WinDbg commands. Even if you don’t create scripts, you’ll benefit from this command. It’s powerful because it’s flexible. You can use it for a huge variety of operations. The .foreach token parses the output of Read More...

Posted Thursday, March 12, 2009 1:41 AM by Roberto Farah | 1 Comments

Filed under: Call Stack, SQL Commands, PE Headers, Modules, Disassembly, Hang, High CPU, Crash, Special Commands, Stack Corruption, Heap Corruption, Symbols, Threads, Performance Bottlenecks

Special Command—Parsing Commands Using .shell

Finally I’m writing about this command. I love it! It’s so powerful! .shell command launches a shell process and redirects its output to the debugger or to a specified file. Usage: .shell [ Options ] [ ShellCommand ] .shell -i InFile [ -o OutFile [ -e Read More...

Posted Thursday, February 19, 2009 8:51 PM by Roberto Farah | 1 Comments

Filed under: Call Stack, Exceptions, Special Commands, Symbols, Threads

[PowerShell Script] Downloading PDB for Specific Modules

A few weeks ago, during a laboratory with a customer, I found myself struggling to download the public symbol from a specific driver. Since driver is Kernel Mode if you get a User Mode dump from the application using the driver, you won’t be able to actually Read More...

Posted Saturday, August 09, 2008 12:35 AM by Roberto Farah | 2 Comments

Filed under: PowerShell Scripts, Symbols

Special Command—Listing the Nearest Symbols with ln

ln is a very useful command. It stands for list nearest. You provide an address as argumen t, and it gives you the closest symbol that matches the address. Of course, you have to be using the right symbols! Here is the syntax : ln [ address ] Example: Read More...

Posted Wednesday, June 11, 2008 3:23 AM by Roberto Farah | 1 Comments

Filed under: Special Commands, Stack Corruption, Symbols

Special Command—Extracting Class and Struct Fields Using dt

dt is another command used almost all the time whenever you want to get the fields and type for a structure or class. For example, you may have a this pointer and use dt to get its fields and type. It’s a simple command with interesting variations that Read More...

Posted Tuesday, April 22, 2008 12:18 AM by Roberto Farah | 1 Comments

Filed under: PE Headers, Magic Pointers, Special Commands, Symbols

Special Command: Using s to Explore The Memory

Very often I found myself scanning the stack or the entire virtual memory for the process to find information that may help me. This information may be strings, DWORDS, bytes, chars, etc… To accomplish this you should use the s command. Here I exemplify Read More...

Posted Tuesday, March 11, 2008 5:58 PM by Roberto Farah | 1 Comments

Filed under: Call Stack, Modules, Crash, Exceptions, Special Commands, Stack Corruption, Heap Corruption, Symbols, Threads

Special Command: Advanced Symbol Searching Using x.

This is yet another command that has powerful capabilities. It’s very flexible, too. You can use different parameter s combinations; though, I recommend you look at or check the WinDbg documentation if you want to explore other variations. Again I’m going Read More...

Posted Sunday, March 02, 2008 6:58 PM by Roberto Farah | 2 Comments

Filed under: Special Commands, Symbols

Debugging Toolbox

Search

Tags

Archives

# of Readers Right Now

Blog Statistics

Cool Stuff

Notes

Related Blogs