WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as an aid to development. WinDbg can be used to debug user-mode applications, device drivers, and the operating system itself in kernel mode.


Overview

Like the better-known Visual Studio Debugger, WinDbg has a graphical user interface (GUI), but it is more powerful and has little else in common with it. WinDbg can automatically load debugging symbol files (e.g., PDB files) from a server by matching various criteria (e.g., timestamp, CRC, single- or multiprocessor version) via SymSrv (SymSrv.dll), instead of the more time-consuming task of creating a symbol tree for a debugging target environment. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems on targets that have various versions of binaries installed, by eliminating the need to find and install the specific symbol versions on the debug host. Microsoft has a public symbol server that holds most of the public symbols for Windows 2000 and later versions of Windows (including service packs).

WinDbg can also be used to debug kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death, which occurs when a bug check is issued. It can likewise be used to debug user-mode crash dumps. This is known as post-mortem debugging.

Recent versions of WinDbg are distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging back-end between WinDbg and command-line debugger front-ends such as KD, CDB, and NTSD. Most commands can be used as-is with all the included debugger front-ends. In 2017 Microsoft announced a new version of WinDbg called WinDbg Preview (also known as WinDbgX). One of the most notable features of WinDbg Preview is Time Travel Debugging (TTD): the user records an actual live process (at a performance penalty) and can later debug the recording, moving back and forth in time. This feature is especially useful during reverse engineering. WinDbg Preview also allows writing scripts in JavaScript.


Extensions

WinDbg allows the loading of extension DLLs that augment the debugger's supported commands and help in debugging specific scenarios: for example, displaying an MSXML document given an IXMLDOMDocument, or debugging the Common Language Runtime (CLR). These extensions are a large part of what makes WinDbg such a powerful debugger. WinDbg is used by the Microsoft Windows product team to build Windows, and everything needed to debug Windows is included in these extension DLLs. Extension commands are always prefixed with !. While some extensions are used only inside Microsoft, most of them are part of the public Debugging Tools for Windows package. The extension model is documented in the help file included with the Debugging Tools for Windows.


Ext.dll

Ext is a standard Windows Debugger extension that ships with WinDbg and is loaded by default.


!analyze command

The most commonly used command is !analyze -v, which analyzes the current state of the program being debugged and the machine/process state at the moment of the crash or hang. This command is often able to diagnose the current problem in a completely automated fashion. When used without any switches, !analyze simply returns the results of its analysis; the -v and -vv switches give further details about that analysis.
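The symbol-server setup from the Overview and the !analyze -v command can be combined into an unattended post-mortem triage script. This is an added example, not code from the article or from Microsoft; it uses cdb.exe (the command-line front-end that shares WinDbg's back-end, so !analyze works unchanged), and the install directory, dump path and log path are assumed placeholders.

```powershell
# Added example: automated post-mortem analysis of a user-mode crash dump.
# Assumptions: Debugging Tools for Windows installed under $DbgRoot; $Dump is a
# placeholder path to a minidump collected from a crashed process.
$DbgRoot = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'   # assumed install path
$Dump    = 'C:\dumps\app.dmp'                                        # placeholder dump file
$Log     = 'C:\dumps\app-analyze.log'

# Symbol path syntax: srv*<local cache>*<server>. SymSrv fetches the PDB whose
# timestamp/checksum matches each loaded module from the public Microsoft symbol
# server and caches it locally, so no manual symbol tree is needed.
$env:_NT_SYMBOL_PATH = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'

# -z opens the dump, -logo writes a fresh log file, -c runs the initial command string.
# The trailing "q" quits once !analyze -v finishes, so the script never waits for input.
& "$DbgRoot\cdb.exe" -z $Dump -logo $Log -c '!analyze -v; q' | Out-Null

function Get-AnalyzeSummary {
    param([string]$LogPath)
    # Headline fields that !analyze -v emits for a user-mode crash; enough for a
    # first triage (which module faulted, which exception, and the crash bucket).
    $keys = 'EXCEPTION_CODE', 'FAULTING_IP', 'PROCESS_NAME', 'FAILURE_BUCKET_ID', 'STACK_TEXT'
    Get-Content $LogPath | Where-Object { $line = $_; $keys | Where-Object { $line -like "$_*" } }
}

Get-AnalyzeSummary -LogPath $Log
```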


Wow6432exts.dll

Wow6432exts is a standard Windows Debugger extension that ships with WinDbg. It is used to debug processes running inside WoW64 (32-bit processes running on 64-bit Windows).


SOS.dll

The SOS (Son of Strike) Debugging Extension (SOS.dll) assists in debugging managed programs in Visual Studio and WinDbg by providing information about the internal common language runtime (CLR) environment. This tool requires a project to have unmanaged debugging enabled. SOS.dll is automatically installed with the .NET Framework. To use SOS.dll in Visual Studio, install the Windows Driver Kit (WDK). To debug a process or memory dump, the sos.dll version must match the .NET Framework version. Psscor2 and Psscor4 are supersets of SOS.


Psscor2.dll

Psscor2 is the Windows Debugger extension used to debug .NET Framework applications that use the .NET CLR version 2.0 (.NET Framework versions 2 through 3.5). Psscor2 was developed for internal use at Microsoft as part of its Product Support Services tools. Although Microsoft only released Psscor2 in 2010, it had been publishing commands from the extension for several years before, causing difficulty for those who were trying to follow its procedures.


Psscor4.dll

Psscor4 is a Windows Debugger extension used to debug .NET Framework 4 applications.


Coupling with virtual machines

WinDbg allows debugging a Microsoft Windows kernel running on a virtual machine under VMware, VPC or Parallels using a named pipe. This is achieved by exposing a virtual COM port of the guest as a named pipe on the host. In the case of VMware and VirtualBox, the VirtualKD extension adds native support for VM debugging to the Windows kernel, claiming to speed debugging by a factor of up to 45. For Windows 8 and later, kernel debugging over the network is supported, allowing fast kernel debugging without special configuration.


Protocol

The WinDbg protocol is not documented, but it is supported by the IDA Pro and radare2 disassemblers.


See also

* ProcDump
* Microsoft Detours


External links

* Getting Started: Install Instructions, Part 1, Part 2
* Debugging Tools for Windows - information and free downloads
* Theory and examples, 111 slides
* Windows Debuggers: Part 1: A WinDbg Tutorial
* KD extension for fast VMware and VirtualBox debugging
* SOS Debugging Extension (SOS.dll)
* psscor4 (.NET 4.0) and psscor2 (.NET 2.0-3.5): replacement for SOS with a superset of commands
* WinDbg v6.12.2.633 available via Windows Driver Kit Version 7.1.0
* Extension for Python scripting (pykd)
* DbgKit: the first GUI extension for Debugging Tools for Windows