EDN Admin
In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the state of the debug session. It also shows some of the basic commands used to view process and thread information of a user mode process.

We cover these commands:
version
vertarget
|
||
.sympath
.srcpath
.exepath
.extpath
.chain
!analyze -v
.bugcheck
!error
~
~NNs
~~[TID]s
~*k
~*r
!process 0 17
!threads
!findstack
!uniqstack
!peb
!teb
k= <addr> <addr> <frames>
dps
dpu
dpa
dpp
.reload /f
.reload /user
!gle
!tls

Make sure you watch http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
http://www.microsoft.com/en-us/download/details.aspx?id=8279 Microsoft Windows SDK for Windows 7 and .NET Framework 4
http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381.aspx System Error Codes

Timeline:
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=01m01s [01:01] - Live Debug of Notepad
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=02m14s [02:14] - Overview of the debug session (version)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=03m10s [03:10] - OS Version/Architecture and System/Debug/User/Kernel times (vertarget)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=09m03s [09:03] - Process and System Status (| {pipe}, || {double pipe})
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=10m16s [10:16] - Symbol Path (.sympath)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=10m52s [10:52] - Source Path (.srcpath)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=11m00s [11:00] - Executable Path (.exepath, lmvm - Memory Mapped Image File)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=11m40s [11:40] - Extension Path (.extpath)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=12m20s [12:20] - Loaded Extensions (.chain)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=13m43s [13:43] - !analyze is for both User and Kernel crashes (!analyze -v)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=14m56s [14:56] - Bugcheck code and arguments (.bugcheck)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=15m26s [15:26] - Error Code Lookup (!error)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=16m04s [16:04] - Threads in a User Process (~ {tilde})
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=17m33s [17:33] - Change Current Thread Context (~NNs)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=20m13s [20:13] - Show all the call stacks or registers (~*k, ~*r)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=21m04s [21:04] - Change Current Thread Context by TID (~~[TID]s)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=24m18s [24:18] - Show all the call stacks in all the processes in a kernel session (!process 0 17)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=25m29s [25:29] - Configuration summary of all threads (!threads)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=26m54s [26:54] - Find call stack (!findstack)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=27m35s [27:35] - Unique call stacks (!uniqstack)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=28m30s [28:30] - Process Environment Block (!peb)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=30m50s [30:50] - Thread Environment Block (!teb)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=32m02s [32:02] - Buffer Overflow of a stack variable
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=33m11s [33:11] - Call Stack Recreation (k= <addr> <addr> <frames> {x64})
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=34m40s [34:40] - Display Pointers as a Symbol, Unicode, ANSI or Pointer (dps, dpu, dpa, dpp)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=37m40s [37:40] - Force the loading of symbols (.reload /f)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=38m43s [38:43] - Force the loading of user symbols in the kernel when you change thread context (.reload /user)
Note: /u is for unload, not load user symbols - that's why Chad is the kernel guy!
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=39m18s [39:18] - http://msdn.microsoft.com/en-us/library/windows/desktop/ms680627.aspx SetLastError / http://msdn.microsoft.com/en-us/library/windows/desktop/ms679360.aspx GetLastError value in the TEB (!gle)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-20-WinDbg-Basic-Commands#time=40m14s [40:14] - http://msdn.microsoft.com/en-us/library/windows/desktop/ms686991.aspx Thread Local Storage values in the TEB (!tls)
View the full article
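The episode switches thread context two ways: by debugger thread index (~NNs) and by Windows thread id (~~[TID]s). The mapping between the two comes from the ~ thread listing. As an added example, not code from the episode or from the Debugging Tools for Windows, here is a small Python helper that parses a ~ listing into structured records and returns both forms of the switch command for a given TID. The listing embedded below is constructed for the example; the column layout (status flag, index, "Id: PID.TID" in hex, suspend count, TEB address, frozen state) follows the usual ~ output, and the helper names are this example's own.

```python
import re

# Constructed sample of WinDbg "~" output for a 64-bit user-mode target.
# "." marks the current thread, "#" the thread that raised the last exception.
SAMPLE_THREAD_LISTING = """\
.  0  Id: 1a2c.1b48 Suspend: 1 Teb: 000007ff`fffdd000 Unfrozen
   1  Id: 1a2c.1c10 Suspend: 1 Teb: 000007ff`fffdb000 Unfrozen
#  2  Id: 1a2c.1d30 Suspend: 1 Teb: 000007ff`fffd9000 Unfrozen
   3  Id: 1a2c.0f4c Suspend: 1 Teb: 000007ff`fffd7000 Unfrozen
"""

# One line of "~" output. PID, TID and TEB are hexadecimal; the TEB may
# contain WinDbg's 64-bit backtick separator.
THREAD_LINE = re.compile(
    r"^(?P<flag>[.#]?)\s*(?P<index>\d+)\s+"
    r"Id:\s*(?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\s+"
    r"Suspend:\s*(?P<suspend>\d+)\s+"
    r"Teb:\s*(?P<teb>[0-9a-fA-F`]+)\s+(?P<state>\w+)"
)


def parse_thread_listing(text):
    """Turn "~" output into a list of dicts, one per thread; skips non-matching lines."""
    threads = []
    for line in text.splitlines():
        m = THREAD_LINE.match(line)
        if not m:
            continue
        threads.append({
            "index": int(m["index"]),
            "pid": int(m["pid"], 16),
            "tid": int(m["tid"], 16),
            "suspend": int(m["suspend"]),
            "teb": int(m["teb"].replace("`", ""), 16),
            "state": m["state"],
            "current": m["flag"] == ".",
            "faulting": m["flag"] == "#",
        })
    return threads


def switch_commands(threads, tid):
    """Return (by-index, by-TID) context switch commands for a TID, or None if absent.

    Both commands select the same thread: "~NNs" uses the debugger's own
    index, "~~[TID]s" uses the Windows thread id shown after "Id: PID.".
    """
    for t in threads:
        if t["tid"] == tid:
            return (f"~{t['index']}s", f"~~[{tid:x}]s")
    return None


def faulting_thread_index(threads):
    """Index of the thread flagged with "#" (the one that raised the exception), or None."""
    for t in threads:
        if t["faulting"]:
            return t["index"]
    return None


if __name__ == "__main__":
    ts = parse_thread_listing(SAMPLE_THREAD_LISTING)
    for t in ts:
        print(f"thread {t['index']}: tid={t['tid']:x} teb={t['teb']:016x} "
              f"current={t['current']} faulting={t['faulting']}")
    print("switch to faulting thread:", switch_commands(ts, 0x1d30))
```

Pasting real ~ output into parse_thread_listing gives you a TID-to-index table, which is handy when a log or an ETW trace reports a thread by its Windows id and you want the matching ~NNs for the debugger.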