Sunday, May 31, 2009

A few useful debugging commands - WinDbg

All of these commands are for kernel mode. They are a few commands that I use on a daily basis for debugging crash dumps and live targets. I hope you find them useful.

vertarget
Lists version information for the machine or dump you are debugging: OS build and service pack, processor count, architecture, kernel base and the time the dump was taken. Check it first so you know which build you are looking at and which symbols to load. Use "version" to see the debugger's own bits as well.

1: kd> vertarget
Windows Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`0160c000 PsLoadedModuleList = 0xfffff800`017d1db0
Debug session time: Tue Apr 1 14:29:22.553 2008 (GMT-7)
System Uptime: 0 days 0:03:14.328

!sysinfo
A good utility to check CPU revisions, BIOS revisions and similar platform details. "!sysinfo machineid" reads the SMBIOS data (here it identifies a VMware guest) and "!sysinfo cpuinfo" shows the processor identifier and the microcode update signature.

1: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.31, DMIVersion 0, Size=1695]
BiosVendor = Phoenix Technologies LTD
BiosVersion = 6.00
BiosReleaseDate = 09/24/2007
SystemManufacturer = VMware, Inc.
SystemProductName = VMware Virtual Platform
SystemVersion = None
BaseBoardManufacturer = Intel Corporation
BaseBoardProduct = 440BX Desktop Reference Platform
BaseBoardVersion = None

1: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2000
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ x86 Family 6 Model 15 Stepping 8
ProcessorNameString = REG_SZ Intel(R) Xeon(R) CPU L5335 @ 2.00GHz
Update Signature = REG_BINARY 0,0,0,0,b4,0,0,0
Update Status = REG_DWORD 2
VendorIdentifier = REG_SZ GenuineIntel
MSR8B = REG_QWORD b400000000

Getting the server name from the dump:
It is easier to do with internal tools, but this will get it done too. It is good to know you are debugging the right server. :) The dS command dumps a UNICODE_STRING, so this needs srv.sys to be loaded and its symbols to resolve.

1: kd> dS srv!srvcomputername
e1b64db0 "Phantom"

!thread
Displays the current thread on the target system (give it a thread address to display another one). In the example below the first frame, nt!KeBugCheckEx, carries the bug check code 0x8e (KERNEL_MODE_EXCEPTION_NOT_HANDLED) and the exception code 0xc0000005 (an access violation) in its arguments. The frames below the WARNING line belong to savrt, a third-party driver with no symbols, and they are where the rest of the investigation has to go; treat them as approximate, because the debugger has no unwind information for that module.

1: kd> !thread
THREAD fa6046c8 Cid 1ab4.1f34 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
IRP List:
fa0cc490: (0006,01d8) Flags: 00000404 Mdl: 00000000
Not impersonating
Owning Process fa15f3e0 Image: cmd.exe
Wait Start TickCount 16627733 Ticks: 0
Context Switch Count 1102 LargeStack
UserTime 00:00:00.312
KernelTime 00:00:00.109
Win32 Start Address 0x00407ccc
Start Address 0x77e617f8
Stack Init f1e9d000 Current f1e9c4b8 Base f1e9d000 Limit f1e99000 Call 0
Priority 6 BasePriority 6 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f1e9c174 e105bba7 0000008e c0000005 e11294a0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f1e9c538 e10346b4 f1e9c554 00000000 f1e9c5a8 nt!KiDispatchException+0x3a2 (FPO: [Non-Fpo])
f1e9c5a0 e1034668 f1e9c628 e11294a0 badb0d00 nt!CommonDispatchException+0x4a (FPO: [0,20,0])
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!Kei386EoiHelper+0x186
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c648 e112d742 f9de0310 f9de03c8 00000180 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c680 e112c65d 00000000 00000000 b57f0000 nt!ObOpenObjectByName+0x8f (FPO: [Non-Fpo])
f1e9c6fc e1131d22 f1e9c7fc 00000180 f1e9c7b8 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f1e9c758 f4df068a f1e9c7fc 00000180 f1e9c7b8 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f1e9c7a4 f4defe67 80005510 00540052 e9fa0920 savrt+0x4668a
00000000 00000000 00000000 00000000 00000000 savrt+0x45e67
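As an added example (not part of the original post), here is a small Python parser for the x86 stack listing above that does the triage a reviewer does by hand: it pulls the bug check code and exception code out of the KeBugCheckEx arguments, marks the frames printed after the unwind warning as unreliable, and returns the non-OS modules on the stack, nearest the fault first. The sample text is copied from the !thread output above; the "trusted" module list (nt, hal) is this example's own assumption, not a WinDbg convention.

```python
import re
from dataclasses import dataclass

# Constructed sample: the stack portion of the !thread output shown above.
SAMPLE = """\
ChildEBP RetAddr Args to Child
f1e9c174 e105bba7 0000008e c0000005 e11294a0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f1e9c538 e10346b4 f1e9c554 00000000 f1e9c5a8 nt!KiDispatchException+0x3a2 (FPO: [Non-Fpo])
f1e9c5a0 e1034668 f1e9c628 e11294a0 badb0d00 nt!CommonDispatchException+0x4a (FPO: [0,20,0])
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!Kei386EoiHelper+0x186
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c648 e112d742 f9de0310 f9de03c8 00000180 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c680 e112c65d 00000000 00000000 b57f0000 nt!ObOpenObjectByName+0x8f (FPO: [Non-Fpo])
f1e9c6fc e1131d22 f1e9c7fc 00000180 f1e9c7b8 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f1e9c758 f4df068a f1e9c7fc 00000180 f1e9c7b8 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f1e9c7a4 f4defe67 80005510 00540052 e9fa0920 savrt+0x4668a
00000000 00000000 00000000 00000000 00000000 savrt+0x45e67
"""

HEX32 = re.compile(r"^[0-9a-f]{8}$")
UNWIND_WARNING = "WARNING: Stack unwind information not available"


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: tuple          # the three "Args to Child" words kd prints
    symbol: str          # e.g. "nt!KeBugCheckEx+0x1b" or "savrt+0x4668a"
    reliable: bool       # False for frames printed after the unwind warning

    @property
    def module(self) -> str:
        return re.split(r"[!+]", self.symbol, maxsplit=1)[0]


def parse_stack(text):
    """Turn the x86 'ChildEBP RetAddr Args to Child' listing into Frame objects."""
    frames, reliable = [], True
    for line in text.splitlines():
        if line.startswith(UNWIND_WARNING):
            reliable = False          # everything below this line is a guess by kd
            continue
        tok = line.split()
        if len(tok) < 6 or not all(HEX32.match(t) for t in tok[:5]):
            continue                  # header line or other non-frame output
        frames.append(Frame(int(tok[0], 16), int(tok[1], 16),
                            tuple(int(t, 16) for t in tok[2:5]), tok[5], reliable))
    return frames


def bugcheck_args(frames):
    """(bug check code, (param1, param2)) from the KeBugCheckEx frame, or None.
    Only the first three arguments are visible in this listing."""
    for f in frames:
        if f.symbol.startswith("nt!KeBugCheckEx"):
            return f.args[0], f.args[1:]
    return None


def suspect_modules(frames, trusted=("nt", "hal")):
    """Modules on the stack outside the kernel core (assumed trusted set), closest to the fault first."""
    out = []
    for f in frames:
        if f.module not in trusted and f.module not in out:
            out.append(f.module)
    return out


def triage(text):
    frames = parse_stack(text)
    bc = bugcheck_args(frames)
    return {
        "bugcheck": bc[0] if bc else None,
        "exception": bc[1][0] if bc else None,
        "suspects": suspect_modules(frames),
        "unreliable_frames": sum(1 for f in frames if not f.reliable),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample this reports bug check 0x8e with exception 0xc0000005, savrt as the only non-OS module, and two frames that should not be trusted without symbols for that driver.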

!irp
Displays information about an I/O request packet: its stack locations, which driver owns each one, and whether it has completed. The IRP address used below comes from the IRP List in the !thread output above.

1: kd> !irp fa0cc490
Irp is active with 10 stacks 12 is current (= 0xfa0cc68c)
No Mdl: No System Buffer: Thread fa6046c8: Irp is completed.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 12, 0] 0 0 fd1a8020 00000000 00000000-00000000
\FileSystem\Ntfs
Args: 00000000 00000000 00000000 00000000
[ 12, 0] 0 0 fd101cd8 00000000 00000000-00000000
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMEVENT.SYS -
\Driver\SymEvent
Args: 00000000 00000000 00000000 00000000

!poolused
Shows pool usage broken down by allocation tag, which is the starting point for tracking down a pool leak. The argument is a bit mask: bit 0x1 adds a description of each tag (taken from pooltag.txt in the debugger's triage directory), bit 0x2 sorts by non-paged pool and bit 0x4 sorts by paged pool, so the useful combinations are:

!poolused 2 - sorted by non-paged pool, summary
!poolused 3 - sorted by non-paged pool, with tag descriptions
!poolused 4 - sorted by paged pool, summary
!poolused 5 - sorted by paged pool, with tag descriptions

!running -ti
Dumps the stack of the thread running on each processor: -t shows the stack and -i includes idle processors. The "directory table base ... doesn't match CR3" warnings below mean the process the debugger believes is current does not match the page tables in the saved context, so do not trust a stack shown under that warning until you have switched to the right context with .thread or .process.

1: kd> !running -ti

System Processors 3 (affinity mask)
Idle Processors 1

Prcb Current Next
0 ffdff120 8089d8c0 ................

ChildEBP RetAddr
f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc
WARNING: Process directory table base EFFC7BE0 doesn't match CR3 EFFC7020
WARNING: Process directory table base EFFC7BE0 doesn't match CR3 EFFC7020

1 f7727120 8c034bd0 ................

*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc

!stacks
A great utility to see what each thread in each process is waiting on. "!stacks 2" prints the full stack of every thread rather than only the top frame; see the debugger's .chm help file for the other flags and the filter argument.

1: kd> !stacks 2
Proc.Thread .Thread Ticks ThreadState Blocker
Max cache size is : 1048576 bytes (0x400 KB)
Total memory in cache : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
[fffffa8000c77950 System]
4.000008 fffffa8000c774c0 ffffe94b GATEWAIT nt!KiSwapContext+0x7f
nt!KiSwapThread+0x2fa
nt!KeWaitForGate+0x22a
nt!MmZeroPageThread+0x162
nt!Phase1Initialization+0xe
nt!PspSystemThreadStartup+0x57
nt!KiStartSystemThread+0x16
4.000010 fffffa8000ca0720 ffffff8c Blocked nt!KiSwapContext+0x7f
nt!KiSwapThread+0x2fa
nt!KeWaitForSingleObject+0x2da
nt!PopIrpWorkerControl+0x22
nt!PspSystemThreadStartup+0x57
nt!KiStartSystemThread+0x16
4.000014 fffffa8000c78bb0 fffffcb0 Blocked nt!KiSwapContext+0x7f
nt!KiSwapThread+0x2fa
nt!KeWaitForSingleObject+0x2da
nt!PopIrpWorker+0x164
nt!PspSystemThreadStartup+0x57
nt!KiStartSystemThread+0x16

!locks
Displays all kernel-mode ERESOURCE locks currently held by threads. Each lock is shown with the mode it was taken in (shared or exclusive); the owning thread(s) are listed with an asterisk next to the thread address, and any waiters queued on the lock are listed too. In the output below the thread from the !thread example, fa6046c8, holds three resources, one of them belonging to savrt.

1: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks....

Resource @ nt!CmpRegistryLock (0xe10ad4c0) Shared 2 owning threads
Contention Count = 87
Threads: fc783020-01<*> feee9db0-01<*>
KD: Scanning for held locks...

Resource @ 0xfeeed078 Shared 4 owning threads
Threads: fad42330-01<*> fad33020-01<*> fad33db0-01<*> fad42b40-01<*>
KD: Scanning for held locks.......................................

Resource @ 0xfc6df828 Shared 1 owning threads
Threads: fa6046c8-01<*>
KD: Scanning for held locks..

Resource @ 0xfc7e91c8 Shared 1 owning threads
Threads: fa6046c8-01<*>
KD: Scanning for held locks.

Resource @ savrt (0xf4daf040) Shared 1 owning threads
Contention Count = 1
Threads: fa6046c8-01<*>
KD: Scanning for held locks.........................

Resource @ 0xfa6c1380 Shared 1 owning threads
Contention Count = 71388
Threads: f9ed1918-01<*>
KD: Scanning for held locks..............................

Resource @ 0xfaab7840 Shared 1 owning threads
Threads: feee9db3-01<*> *** Actual Thread feee9db0
KD: Scanning for held locks....................
11756 total locks, 7 locks currently held
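As an added example, not code from the post, the following Python script parses the !locks output above and answers the two questions a reviewer asks of it: which resources are contended, and which threads hold more than one resource at once. The sample text is the output above, copied verbatim. Handling of "Exclusively owned" resources and of the "*** Actual Thread" correction is this example's assumption about what !locks prints, as is treating the corrected address as belonging to the last thread listed on that line.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: the !locks output shown above, verbatim.
SAMPLE = """\
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks....

Resource @ nt!CmpRegistryLock (0xe10ad4c0) Shared 2 owning threads
Contention Count = 87
Threads: fc783020-01<*> feee9db0-01<*>
KD: Scanning for held locks...

Resource @ 0xfeeed078 Shared 4 owning threads
Threads: fad42330-01<*> fad33020-01<*> fad33db0-01<*> fad42b40-01<*>
KD: Scanning for held locks.......................................

Resource @ 0xfc6df828 Shared 1 owning threads
Threads: fa6046c8-01<*>
KD: Scanning for held locks..

Resource @ 0xfc7e91c8 Shared 1 owning threads
Threads: fa6046c8-01<*>
KD: Scanning for held locks.

Resource @ savrt (0xf4daf040) Shared 1 owning threads
Contention Count = 1
Threads: fa6046c8-01<*>
KD: Scanning for held locks.........................

Resource @ 0xfa6c1380 Shared 1 owning threads
Contention Count = 71388
Threads: f9ed1918-01<*>
KD: Scanning for held locks..............................

Resource @ 0xfaab7840 Shared 1 owning threads
Threads: feee9db3-01<*> *** Actual Thread feee9db0
KD: Scanning for held locks....................
11756 total locks, 7 locks currently held
"""

# "Exclusively owned" is assumed to be the wording for exclusive holders.
RESOURCE = re.compile(r"^Resource @ (?P<name>.+?) (?P<mode>Shared \d+ owning threads|Exclusively owned)")
OWNER = re.compile(r"([0-9a-f]{8})-\d{2}<\*>")
ACTUAL = re.compile(r"\*\*\* Actual Thread ([0-9a-f]{8})")
SUMMARY = re.compile(r"^\d+ total locks, (\d+) locks currently held")


@dataclass
class Resource:
    name: str
    mode: str
    contention: int = 0
    owners: list = field(default_factory=list)


def parse_locks(text):
    """Return (list of Resource, number of locks kd reports as held)."""
    resources, held, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RESOURCE.match(line)
        if m:
            cur = Resource(m["name"], "shared" if m["mode"].startswith("Shared") else "exclusive")
            resources.append(cur)
            continue
        s = SUMMARY.match(line)
        if s:
            held = int(s.group(1))
            continue
        if cur is None:
            continue
        if line.startswith("Contention Count ="):
            cur.contention = int(line.split("=", 1)[1])
        elif line.startswith("Threads:"):
            cur.owners += OWNER.findall(line)
            a = ACTUAL.search(line)
            if a and cur.owners:
                # kd flagged the last pointer as having stray low bits; use its correction
                cur.owners[-1] = a.group(1)
    return resources, held


def analyze(text):
    resources, held = parse_locks(text)
    by_thread = defaultdict(list)
    for r in resources:
        for t in r.owners:
            by_thread[t].append(r.name)
    return {
        "held": held if held is not None else len(resources),
        "hot": sorted(((r.name, r.contention) for r in resources if r.contention),
                      key=lambda nc: nc[1], reverse=True),
        "multi_holders": {t: names for t, names in by_thread.items() if len(names) > 1},
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(k, v)
```

On the sample this shows 0xfa6c1380 as by far the most contended resource and fa6046c8 (the bugchecking thread from the !thread output) holding three resources at once, which is exactly the cross-reference you want before blaming a driver.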

!qlocks
Displays the state of the kernel's queued spinlocks. Processors are listed across the top, and a code appears next to each lock for every processor that owns it, is waiting for it, or has corrupted it; an empty row, as in every row below, means nobody holds or waits for that lock.

1: kd> !qlocks
Key: O = Owner, 1-n = Wait order, blank = not owned/waiting, C = Corrupt

Processor Number
Lock Name 0 1 2 3

KE - Dispatcher
MM - Expansion
MM - PFN
MM - System Space
CC - Vacb
CC - Master
EX - NonPagedPool
IO - Cancel
EX - WorkQueue
IO - Vpb
IO - Database
IO - Completion
NTFS - Struct
AFD - WorkQueue
CC - Bcb
MM - NonPagedPool

!pcr
Shows useful information from the processor control region (KPCR) of the current processor: the current, next and idle threads, the IRQL, the IDT, GDT and TSS, and the DPC queue (which you can also list with !dpcs). The Irql of 0x1f (HIGH_LEVEL) below is what you expect on a processor that has just bugchecked.

1: kd> !pcr
KPCR for Processor 1 at f7727000:
Major 1 Minor 1
NtTib.ExceptionList: f4ac3d44
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: f7727fe0
NtTib.Version: 00336d13
NtTib.UserPointer: 00000002
NtTib.SelfTib: 7ffde000

SelfPcr: f7727000
Prcb: f7727120
Irql: 0000001f
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: f772d800
GDT: f772d400
TSS: f7727fe0

CurrentThread: 8c034bd0
NextThread: 00000000
IdleThread: f772a090

DpcQueue:

lm t n
Lists the loaded modules with their link timestamps. Displaying the list this way reveals our obsolete culprit: the OS binaries were all built within a few weeks of each other, so an old third-party driver stands out by its date.

1: kd> lm t n
start end module name
dd800000 dd9d0000 win32k win32k.sys Wed Mar 19 17:01:40 2008 (47E0F99C)
dd9d0000 dd9e7000 dxg dxg.sys Sat Feb 17 11:44:39 2007 (45D69D4F)
dd9e7000 dda3e100 ati2drad ati2drad.dll Mon Mar 22 21:53:41 2004 (405F130D)
dda3f000 dda5d000 RDPDD RDPDD.dll Sat Feb 17 19:31:19 2007 (45D70AAF)
e1000000 e127a000 nt ntkrnlmp.exe Mon Mar 05 18:32:02 2007 (45EC14CA)
e127a000 e12a6000 hal halmacpi.dll Sat Feb 17 11:18:26 2007 (45D6972A)
f1ca4000 f1cb81e0 naveng naveng.sys Fri Aug 15 09:30:26 2008 (48A4FF5A)
f1cb9000 f1d8ca20 navex15 navex15.sys Fri Aug 15 08:40:42 2008 (48A4F3B2)
f31a0000 f31cb000 RDPWD RDPWD.SYS Sat Feb 17 11:14:38 2007 (45D69646)
f38b4000 f38bf000 TDTCP TDTCP.SYS Sat Feb 17 11:14:32 2007 (45D69640)
f3904000 f3912000 HIDCLASS HIDCLASS.SYS Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d14000 f3d1d000 hidusb hidusb.sys Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d74000 f3d9e000 Fastfat Fastfat.SYS Sat Feb 17 11:57:55 2007 (45D6A06B)
f4046000 f40a3000 srv srv.sys Sat Feb 17 11:57:20 2007 (45D6A048)
f466b000 f4683000 clusnet clusnet.sys Sat Feb 17 11:32:57 2007 (45D69A91)
f48b3000 f48c8000 Cdfs Cdfs.SYS Sat Feb 17 11:57:08 2007 (45D6A03C)

!lmi
When I want information about a particular driver in the dump, I use "lm t n" to list all of them and then !lmi to drill into one: base address, size, checksum, the PDB GUID and age, and whether the symbols loaded and from where.

1: kd> !lmi win32k.sys
Loaded Module Info: [win32k.sys]
Module: win32k
Base Address: bf800000
Image Name: win32k.sys
Machine Type: 332 (I386)
Time Stamp: 47e0f99c Wed Mar 19 17:01:40 2008
Size: 1d0000
CheckSum: 1cd134
Characteristics: 10e perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 23, 1935ac, 1929ac RSDS - GUID: {09B6D936-14C4-4CA1-90CF-A00888CD89A8}
Age: 2, Pdb: win32k.pdb
CLSID 4, 1935a8, 1929a8 [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from symbol server.
c:\symcache\win32k.pdb\09B6D93614C44CA190CFA00888CD89A82\win32k.pdb
Load Report: public symbols , not source indexed
c:\symcache\win32k.pdb\09B6D93614C44CA190CFA00888CD89A82\win32k.pdb
