Windbg Quick Reference

Published by Francis Lui on May 09, 2011
Copyright: Attribution Non-commercial





Breakpoints / Execution / Exceptions

Scope column: U = user mode, K = kernel mode, G = general (both).

U  .breakin               Break to the Kernel Debugger
U  .ecxr                  Exception Context Record
U  ~F                     Freeze Thread
U  ~U                     Unfreeze Thread
U  ~N                     Suspend Thread
U  ~M                     Resume Thread
U  ~S                     Set Current Thread
U  |S                     Set Current Process
U  ||S                    Set Current System
G  BA                     Break on Access
G  BC                     Breakpoint Clear
G  BD                     Breakpoint Disable
G  BE                     Breakpoint Enable
G  BL                     Breakpoint List
G  BP BU BM               Set Breakpoint
G  AH AH(bcdi)            Assertion Handling
G  SX SX(DEIN)            Set Exceptions
G  !exchain               Exception handler chain
G  .exr                   Exception Record
G  G                      Go
G  GH                     Go with Exception Handled
G  GN                     Go with Exception Not Handled
G  P                      Step
G  PA                     Step to Address
G  PC                     Step to Next Call
G  T                      Trace
G  TA                     Trace to Address
G  TB                     Trace to Next Branch
G  TC                     Trace to Next Call
G  WT                     Trace and Watch Data
G  .fiber                 Set Fiber Context
G  .record_branches       Enable Branch Recording (AMD64)
K  !bpid                  Cause a process to break
K  !ubc                   Clear a user-space breakpoint
K  !ubd                   Disable a user-space breakpoint
K  !ube                   Enable a user-space breakpoint
K  !ubl                   List all user-space breakpoints
K  !ubp                   Set a breakpoint in user space
K  .trap                  Trap Frame
K  ~S                     Change Current Processor
K  .thread                Set Register Context

Crash Dump

G  .dump                  Create Dump File
G  .dumpcab               Create Dump File CAB
G  !analyze -v            Analyze bugcheck
G  .opendump              Open Dump File
G  !findxmldata           XML from a kernel Small Memory Dump CAB
K  .bugcheck              Display Bug Check Data
K  .crash                 Force System Crash
K  .reboot                Reboot Target Computer
K  !bugdump               Bug check callback buffers
K  .enumtag               Enumerate Secondary Callback Data

Control Flow

G  $<                     Run Script File
G  AD                     Delete Alias
G  AL                     List Aliases
G  AS                     Set Alias
G  J                      Execute If - Else
G  Z                      Execute While
G  !for_each_frame        Execute for each frame in the stack
G  !for_each_local        Execute for each local variable
G  !for_each_module       Execute for each loaded module
G  !list                  Execute for every element in a linked list
G  .foreach .do .for .while .if .elsif .else .catch .break .continue .leave   See help :)
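The breakpoint, exception and control-flow commands above combine into command strings attached to a breakpoint. The following script is an added example and is not part of the original card: it logs every CreateFileW call without stopping and breaks only when the caller requests write access. It assumes an x64 user-mode target under cdb or windbg (lpFileName in rcx, dwDesiredAccess in rdx) with kernel32 symbols resolving; the alias name WRITE_MASK is chosen here and 0x40000000 is GENERIC_WRITE.

```windbg
$$ Added example (not from the original card): conditional breakpoint that
$$ logs every CreateFileW call and stops only when the caller asks for write
$$ access.  Assumptions: x64 user-mode target (cdb/windbg), so lpFileName is
$$ in rcx and dwDesiredAccess in rdx; kernel32 symbols resolve.  WRITE_MASK
$$ is an alias name chosen here; 0x40000000 is GENERIC_WRITE.

$$ Alias (AS /x) set to the 64-bit value of the expression; AL lists it,
$$ AD WRITE_MASK deletes it.  It is expanded when the bp line is entered.
aS /x WRITE_MASK 0x40000000

$$ bp0 = breakpoint ID 0.  Inside the quoted command string, \" is a literal
$$ quote and \\n reaches .printf as \n.  %mu prints the NUL-terminated wide
$$ string at the given address.  gc resumes with the same command (g/p/t)
$$ that hit the breakpoint, so read-only opens never interrupt the run.
bp0 kernel32!CreateFileW ".if (@rdx & ${WRITE_MASK}) { .printf \"WRITE  %mu (access %08x)\\n\", @rcx, @rdx } .else { .printf \"read   %mu\\n\", @rcx; gc }"

$$ Events (SX family): also stop on every image load so an injected DLL is
$$ seen before its DllMain runs.  sxn ld turns this back off.
sxe ld

$$ BL confirms bp0 is present and enabled ("e") before running.
bl
g

$$ When bp0 stops for a write, walk the caller's stack and dump the locals
$$ of every frame (locals need private symbols), then continue with g.
k
!for_each_frame dv /t
```

The point of `gc` in the `.else` branch is that the run only pauses for the condition the analyst cares about; every other hit is logged and resumed, which keeps the session usable on a process that opens hundreds of files.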

Modules / Symbols

G  LM                     List Loaded Modules
G  !chkimg                Detects corruption of images
G  !dh                    Display the headers of an image
G  !dlls                  Display a list of all used modules
G  !imgreloc              Original base address of each module
G  !lmi                   Display information about a module
G  !imggp                 Global pointer GP for a 64-bit image
G  LD                     Load Symbols
G  .reload /u             Reload Modules
G  DT -b -v               Display Type            Ex: nt!*, nt!_IRP
G  LN                     List Nearest Symbols
G  .fnent                 Display Function Data
G  LS LSA                 List Source Lines
G  LSC                    List Current Source
G  LSF LSF-               Load or Unload Source File
G  LSP                    Set Number of Source Lines
G  DDS DPS DQS            Display Words and Symbols
G  L+ L-                  Set Source Options
G  X /t /v                Examine Symbols         Ex: Drv!*g_*
G  .exepath               Set Executable Path
G  .lines                 Toggle Source Line Support
G  .open                  Open Source File
G  .srcnoisy              Noisy Source Loading
G  .srcpath .lsrcpath     Set Source Path
G  .symfix                Set Symbol Store Path
G  .symopt                Set Symbol Options
G  .sympath               Set Symbol Path
G  !sym                   Controls noisy symbol loading and prompts
G  !symsrv close          Closes the symbol server client
G  .fpo                   Control FPO Overrides
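A symbol setup that most of the module commands above depend on, followed by a whole-process integrity sweep, as an added example that is not part of the original card. It assumes the debugger host can reach the Microsoft symbol server; the cache directory C:\symcache and the private store C:\proj\symbols are paths chosen for the example.

```windbg
$$ Added example (not from the original card): set up symbols, then compare
$$ every loaded module's code bytes with the pristine image on the symbol
$$ server so in-memory patches (inline hooks, injected trampolines) stand
$$ out.  Works in user and kernel mode.  Assumptions: the host can reach
$$ msdl.microsoft.com; C:\symcache and C:\proj\symbols are paths chosen here.

.symfix C:\symcache                  $$ Microsoft symbol server with a local cache
.sympath+ C:\proj\symbols            $$ add a private symbol store (hypothetical path)

$$ !chkimg needs the original binaries, not just PDBs, so point the
$$ executable image path at the same server and cache.
.exepath+ SRV*C:\symcache*https://msdl.microsoft.com/download/symbols

!sym noisy                           $$ show where each PDB is found, or why it fails
.reload /f                           $$ force symbol load for every module now
!sym quiet

$$ Modules shown as "(no symbols)" or "(export symbols)" did not resolve;
$$ fix their path before trusting stacks that pass through them.
lm

$$ @#ModuleName is the alias !for_each_module sets for each loaded module.
$$ -d dumps the mismatching bytes.  A module whose image is not on the
$$ exepath (third-party code) is reported as unavailable, not as a mismatch,
$$ so only actual differences against the vendor's file are patches.
!for_each_module !chkimg -d @#ModuleName
```

Relocations and import tables are handled by `!chkimg` itself, so a reported difference inside a function body is worth treating as a code modification until explained.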


Processes and threads

U  ||                     System Status
U  |                      Process Status
U  ~                      Thread Status
U  ~E                     Thread-Specific Command
U  .abandon               Abandon Process
U  .attach                Attach to Process
U  .childdbg              Debug Child Processes
U  .create                Create Process
U  .createdir             Set Created Process Directory
U  .restart               Restart Target Application
U  .ttime                 Display Thread Times
U  !runaway               Display the time consumed by each thread
U  !threadtoken           Thread's impersonation state
U  !locks                 ntsdexts.dll: process' critical sections
U  .tlist                 List Process IDs
G  .cxr                   Display Context Record
G  .detach                Detach from Process
G  .kill                  Kill Process
G  !gle                   Last error value for the current thread
G  !peb                   Process environment block PEB
G  !teb                   Thread environment block TEB
K  .context               Set User-Mode Address Context
K  .process /p            Set Process Context
K  .restart               Restart Kernel Connection
K  !process               One or all processes
K  !ready                 READY threads
K  !running               List all running threads
K  !sprocess              Session processes
K  !thread                Thread
K  !zombies               "Zombie" processes or threads
K  .tss                   Display Task State Segment

Modifications / Memory

U  !dphdump               Debug page heap
U  !dphfind               Find a debug page heap
U  !dphflags              Set or display the global page heap flags
U  !dphhogs               Debug page heap hogs
U  !vadump                Virtual memory ranges and their protection
U  !vprot                 Display virtual memory protection
G  A                      Assemble
G  U                      Unassemble
G  #                      Search for Disassembly Pattern
U  !igrep                 Search for a pattern in disassembly
G  C                      Compare Memory
G  D(ABCdDFPQUW) DY(bd)   Display Memory
G  DDP DPP DQP            Display Referenced Memory
G  E(ABdDFPQUW)           Edit Memory
G  F FP                   Fill Memory
G  M                      Move Memory
G  S                      Search Memory
G  .holdmem               Hold and Compare Memory
G  .writemem              Write Memory to File
G  !heap                  Breakpoints, leaks; search for blocks
G  !kuser                 Shared user-mode page KUSER_SHARED_DATA
K  .ignore_missing_pages  Suppress Missing Page Errors
K  .pagein                Page In Memory
K  !d(bcdpuw)             Data at physical address
K  !eb !ed                Write to a physical address
K  !pool                  Pool(s)
K  !poolfind              Find pool tag in nonpaged or paged pools
K  !poolused              Memory use, based on the pool tag
K  !poolval               Analyzes a pool page and finds corruptions
K  !frag                  Pool memory fragmentation
K  !spoolused             Session's paged pool use
K  !lookaside             Display or modify look-aside lists
K  !sysptes               System page table entries PTEs
K  !vm                    Virtual memory use statistics
K  !vtop                  Virtual to physical; page table and directory
K  !pfn                   Page frame database entry
K  !pte                   Address's page table entry PTE and PDE
K  !ptov                  Physical-to-virtual map for a process
K  !vad                   Address's virtual address descriptor VAD
K  !memusage              Physical memory use
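A kernel-mode triage of a single process, using the commands from the Processes and threads table. This is an added example and not part of the original card; it assumes a live KD session or a complete memory dump with symbols loaded and a process named lsass.exe on the target. The EPROCESS address in the `.process` line is a constructed placeholder that must be replaced with the one printed by the first command.

```windbg
$$ Added example (not from the original card): kernel-mode triage of one
$$ process.  Assumptions: live KD session or complete dump with symbols, and
$$ a process named lsass.exe on the target.  The EPROCESS address below is a
$$ constructed placeholder; substitute the PROCESS value printed by !process.

$$ Flags 0 0 = one brief line per matching process: PROCESS <addr> ... Image: lsass.exe
!process 0 0 lsass.exe

$$ Make that process the current address context.  /p pages in its user-mode
$$ data, /r reloads user-mode symbols for it.  Without this, user-mode
$$ addresses still resolve in whatever process the debugger stopped in.
.process /p /r ffffa08b1b2c4080

!peb                       $$ image path, command line, environment of the process
!process @$proc 2          $$ $proc is now this EPROCESS; flag 2 lists all of its threads
!thread @$thread           $$ current ETHREAD: stack, wait reason, IRP, impersonation
!zombies                   $$ exited processes/threads still kept alive by a reference
!running -it               $$ what every processor runs right now (-i idle, -t stacks)
```

Switching the process context before running `!peb` or reading user-mode pointers is the step most often skipped; in a dump the wrong context silently shows another process's memory.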

Console / Help

G  ;                      Command Separator
G  *                      Comment
G  ?                      Command Help
G  .help                  Meta-Command Help
G  !help                  Help for the extension commands
G  .hh                    Open HTML Help File
G  .echo                  Echo Comment
G  .echotimestamps        Show Time Stamps
G  .echocpunum            Show CPU Number
G  .cls                   Clear Screen
G  N                      Set Number Base
G  .force_radix_output    Use Radix for Integers
G  .enable_long_status    Enable Long Integer Display
G  .enable_unicode        Enable Unicode Display
G  .formats               Show Number Formats
G  .expr /s masm|c++      Choose Expression Evaluator
G  .asm                   Disassembly options: no_code_bytes, ignore_output_width
G  .force_tb              Forcibly Allow Branch Tracing
G  SO                     Set Kernel Debugging Options
G  SQ                     Set Quiet Mode
G  SS                     Set Symbol Suffix
G  .noversion             Disable Version Checking
G  .noshell               Prohibit Shell Commands
G  .shell                 Command Shell
G  .pcmd                  Set Prompt Command
G  .wtitle                Set Window Title
G  .ofilter               Filter Output
G  .write_cmd_hist [file] Write the command history to a file
G  .logopen               Open Log File
G  .logappend             Append Log File
G  .logfile               Display Log File Status
G  .logclose              Close Log File
G  .sleep                 Pause Debugger
G  .wake                  Wake Debugger
G  .ocommand              Expect Commands from Target
G  .time                  Display System Time
G  .lastevent             Display Last Event
G  .frame                 Set Local Context
G  .kframes [N]           Set Stack Length
G  .closehandle           Close Handle
G  vercommand             Debugger Command Line
G  version                Debugger Version
G  vertarget              Target Version
G  Q QQ                   Quit
G  QD                     Quit and Detach

Information

   ?                      Evaluate Expression
   ??                     Evaluate C++ Expression
   !error                 Explain an error value
   DS ds                  Display String
   !ustr !str             UNICODE_STRING, ANSI_STRING or OEM_STRING
   DV                     Display Local Variables
   DG                     Display Selector Registers
   R Rm                   Registers / Register Mask
   K(BDPpV)               Display Stack Backtrace
   DL                     Display Linked List
   !slist                 Singly-linked list SList
   !dflink                Linked list in the forward direction
   !dblink                Linked list in the backward direction
   !gflag                 Set or display the global flags
   !handle                Handle(s)
   !htrace                Stack trace for one or more handles
   !owner                 Owner of a module or function
   !obja                  Object of the Object Manager
   !object                System object
   !acl                   Access control list ACL
   !sd                    Security descriptor
   !sid                   Security identifier SID
   !token                 Security token object
   !tls                   Thread local storage TLS
   !npx                   Floating-point register save area
   !critsec               CRITICAL_SECTION
   !cs                    Critical sections tree
   !dreg                  Registry information
   !reg                   Display and search through registry data
   !regkcb                Registry key control blocks
   !evlog                 Display, change, or back up the event log
   !elog_str              Add a string to the event log
   !gatom                 Global atom table
   !atom                  Atom table
   !avrf                  Application Verifier and its outputs
   !apc !dpc              Dump APC/DPC or all APCs/DPCs
   !apc                   Asynchronous procedure calls APCs
   !timer                 Display all system timer use
   !blockeddrv            List of blocked drivers
   !ca                    Control area for the specified section
   !callback              Callback data for the thread's trap
   !cmreslist             Device object's CM_RESOURCE_LIST
   !deadlock              Deadlocks found by Driver Verifier
   !defwrites             Variables of the Cache Manager
   !devext                Bus-specific device extension for devices
   !devnode               Node in the device tree
   !devobj                DEVICE_OBJECT
   !devstack              Device stack associated with a device object
   !drvobj                DRIVER_OBJECT
   !drivers               List all loaded drivers with their memory use
   !pnpevent              Plug and Play device event queue
   !rellist               Plug and Play relation list
   !pocaps                Power capabilities
   !popolicy              Power policy
   !diskspace             Free space on a hard disk
   !qlocks                State of all queued spin locks
   !session               Control or display the session context(s)
   !stacks                Kernel stacks
   !vpb                   Volume parameter block VPB
   !wsle                  Display all working set list entries WSLE
   !arbiter               System resource arbiters and arbitrated ranges
   !errlog                Pending entries in the I/O system's error log
   !exqueue               Queued items in the ExWorkerQueue work queues
   !filecache             System file cache memory and PTE use
   !filelock              Display a file lock
   !gentable              RTL_GENERIC_TABLE
   !hidppd                HIDP_PREPARSED_DATA
   !bushnd                HAL BUS_HANDLER
   !ioresdes              IO_RESOURCE_DESCRIPTOR
   !ioreslist             IO_RESOURCE_REQUIREMENTS_LIST
   !irp                   I/O request packet IRP
   !irpfind               Find I/O request packets IRP
   !irql                  Current interrupt request level IRQL
   !job                   Job object
   !locks                 kdextx86.dll, kdexts.dll: ERESOURCE locks
   !ethread / !kthread    Display thread structure
   !idt                   Dump information about the IDT and its handlers
   !ip                    Dissection and dump of IP packets
   !kqueue                Display the queue of a worker thread
   !lastlivetime          Display system last live time
   !xpool                 Print maps of pool usage
   !dbgprint              Strings previously sent to the DbgPrint buffer

Hardware

G  !cpuid                 Processors
G  UR                     Unassemble Real Mode BIOS
G  !psr                   Status word PSR (Itanium)
K  UX                     Unassemble x86 BIOS
K  RDMSR                  Read MSR
K  WRMSR                  Write MSR
K  !dma                   DMA subsystem and the Driver Verifier
K  !ecb !ecd !ecw         Write to the PCI configuration space
K  !cbreg                 CardBus information and registers
K  !cpuinfo               CPU
K  !exca                  CardBus ExCA registers
K  !fwver                 Itanium firmware
K  !mca                   Machine check architecture MCA registers (x86)
K  !mca                   MCA error record (Itanium)
K  !mps                   BIOS Intel Multiprocessor Specification MPS
K  !mtrr                  Display the MTRR register
K  !pci                   Status of the PCI buses and devices attached
K  !pcitree               PCI/CardBus device objects and child buses
K  !pcr                   Processor Control Region PCR
K  !prcb                  Display the processor control block PRCB
K  !srb                   Display a SCSI Request Block SRB
K  !urb                   Display a USB request block URB
K  !wdmaud                WDM Audio WDMAud structures

Misc / Never Used (By me :)

   !singlelist            Chain display of LIST_ENTRY / SINGLE_LIST_ENTRY
   !s                     Cool searching capability
   !smb                   Display SMB structure from header
   !stack                 Stack analysis
   !strct                 Dump most structures in ntddk.h

G  .server                Create Debugging Server
G  .clients               List Debugging Clients
G  .servers               List Debugging Servers
G  .endsrv                End Debugging Server
G  .endpsrv               End Process Server
G  .remote                Create Remote.exe Server (KD or CDB)
G  .remote_exit           Exit Debugging Client
G  .send_file             Send File
G  .chain                 List Debugger Extensions
G  .load                  Load Extension DLL
G  .unload                Unload Extension DLL
G  .unloadall             Unload All Extension DLLs
G  .setdll                Set Default Extension DLL
G  .locale                Set Locale
G  .quit_lock             Prevent Accidental Quit (KD or CDB)
K  IB ID IW               Input from Port
K  OB OD OW               Output to Port
K  .cache                 Set Cache Size
K  .kdfiles               Set Driver Replacement Map
K  .secure                Activate Secure Mode
K  !processfields         EPROCESS fields
K  !tokenfields           TOKEN fields
K  !threadfields          ETHREAD fields
K  !lpc                   Local procedure call LPC ports and messages
K  !verifier              Display the status of Driver Verifier
K  !ahcache               Application compatibility cache
K  !calldata              Call's performance from the named table
K  !vpdd                  Process' physical, virtual and content memory
U  !dp                    Display a CSR process (ntsdexts.dll)
U  !dt                    Display information about a CSR thread (ntsdexts.dll)
G  !net_send              Send a message over the LAN
G  !version               Display the version of the extension DLL
G  !logexts.help          logexts.dll "Windows API Logging Extensions"
G  !rpcexts.help          rpcexts.dll "RPCDBG"
K  !gdikdx.verifier       Driver Verifier verifying a graphics driver
K  !acpikd.help           acpikd.dll "ACPI"
K  !ndiskd.help           ndiskd.dll "NDIS"

KD control keys:
   CTRL+A                 Toggle Baud Rate
   CTRL+B                 Quit Local Debugger
   CTRL+C                 Break
   CTRL+D                 Toggle Debug Info
   CTRL+F                 Break to KD
   CTRL+K                 Change Post-Reboot Break State
   CTRL+P                 Debug Current Debugger
   CTRL+R                 Re-synchronize
   CTRL+V                 Toggle Verbose Mode
   CTRL+W                 Show Debugger Version

Command lines:
   Debug a piped session:        -k com:pipe,port=\\.\pipe\Name,resets=0 -ee c++ -QSY -QY -W Test
   Serial (COM1, 115200 baud):   -b -k com:port=com1,baud=115200 -QSY -QY -W

OEM Support Tools (if needed): http://support.microsoft.com/?kbid&ID=253066
Remote Debugging tools for Windows: http://www.microsoft.com/whdc/ddk/debugging/default.mspx
