1) Built-in help commands | ||
---|---|---|
Cmd | Variants / Params | Description |
? | ? | Display regular commands |
.help | .help | Display . commands |
.chain | .chain | Lists all loaded debugger extensions |
.extmatch | .extmatch /e ExtDLL FunctionFilter | Show all exported functions of an extension DLL. FunctionFilter = wildcard string |
.hh | .hh | Open WinDbg's help |
2) General WinDbg commands (show version, clear screen, etc.) | | |
---|---|---|
Cmd | Variants / Params | Description |
version | | Dump version info of the debugger and loaded extension DLLs |
vercommand | | Dump the command line that was used to start the debugger |
vertarget | | Version of the target computer |
CTRL+ALT+V | | Toggle verbose mode ON/OFF |
n | n [8 | 10 | 16] | Set number base |
.formats | .formats Expression | Show number formats = evaluates a numerical expression or symbol and displays it in multiple numerical formats (hex, decimal, octal, binary, time, ..) |
.cls | | Clear screen |
.lastevent | | Displays the most recent exception or event that occurred (why is the debugger waiting?) |
.effmach | .effmach | Dump effective machine (x86, amd64, ..) |
.time | | Display time (system-up, process-up, kernel time, user time) |
3) Debugging sessions (attach, detach, ..) | | |
---|---|---|
Cmd | Variants / Params | Description |
.attach | .attach PID | Attach to a process |
.detach | | Ends the debugging session, but leaves any user-mode target application running |
q | q, qq | Quit = ends the debugging session and terminates the target application |
.restart | | Restart the target application |
4) Expressions and commands | | |
---|---|---|
Cmd | Variants / Params | Description |
; | | Command separator (cmd1; cmd2; ..) |
? | ? Expression | Evaluate expression (use default evaluator) |
.expr | | Choose default expression evaluator |
* | * [any text] | Comment line specifier |
$$ | $$ [any text] | Comment specifier |
.echo | .echo String | Echo comment -> comment text + echo it |
5) Debugger markup language (DML). Starting with version 6.6.07 of the debugger, a new mechanism for enhancing output from the debugger and extensions was included: DML. DML allows output to include directives and extra non-display information in the form of tags. Debugger user interfaces parse out the extra information to provide new behaviors. DML is primarily intended to address two issues: | | |
---|---|---|
Cmd | Variants / Params | Description |
.dml_start | | Kick-off to other DML commands |
.prefer_dml | .prefer_dml [1 | 0] | Global setting: should DML-enhanced commands default to DML? |
.help /D | | .help has a new DML mode where a top bar of links is given |
.chain /D | | .chain has a new DML mode where extensions are linked to a .extmatch |
.extmatch /D | | .extmatch has a new DML format where exported functions link to "!ExtName.help FuncName" commands |
lmD | | lm has a new DML mode where module names link to lmv commands |
kM | | k has a new DML mode where frame numbers link to a .frame/dv |
.dml_flow | | Allows for interactive exploration of code flow for a function |
6) Main extensions | | |
---|---|---|
Cmd | Variants / Params | Display supported commands for .. |
!Ext.help | | General extensions |
!Exts.help | | General extensions |
!Uext.help | | User-mode extensions (non-OS specific) |
!Ntsdexts.help | | User-mode extensions (OS specific) |
!logexts.help | | Logger extensions |
!clr10\sos.help | | Debugging managed code |
!wow64exts.help | | Wow64 debugger extensions |
!Wdfkd.help | | Kernel-mode driver framework extensions |
!Gdikdx.help | | Graphics driver extensions |
... | | |
!NAME.help | | Display detailed help about an exported function |
7) Symbols | | |
---|---|---|
Cmd | Variants / Params | Description |
ld | ld ModuleName | Load symbols for Module |
!sym | !sym | Get state of symbol loading |
x | x [Options] Module!Symbol | Examine symbols: displays symbols that match the specified pattern |
ln | ln Addr | List nearest symbols = display the symbols at or near the given Addr. Useful to: |
.sympath | .sympath | Display or set symbol search path |
.symopt | .symopt | Displays current symbol options |
.symfix | .symfix | Set symbol store path to automatically point to http://msdl.microsoft.com/download/symbols |
.reload | .reload | Reload symbol information for all modules |

Also check the !lmi command.
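A typical symbol setup and lookup sequence built from the commands in this table. This is an added example, not part of the original cheat sheet; the local symbol folder C:\MySymbols and the module kernel32 are assumptions, and @eip applies to a 32-bit target (use @rip on x64).

```windbg
$$ Symbol setup: public symbol server plus a private store (C:\MySymbols is an assumption)
.symfix
.sympath+ C:\MySymbols
.reload                        $$ reload symbol information for every loaded module
!sym noisy                     $$ report each symbol load attempt, useful when a PDB is not found
x kernel32!CreateFile*         $$ examine symbols matching a wildcard pattern
ln @eip                        $$ nearest symbol to the current instruction pointer
!lmi kernel32                  $$ detailed module info, including whether its symbols matched
!sym quiet                     $$ back to quiet symbol loading
```

Run `!sym noisy` before `.reload` when a module shows up as `(export symbols)` or `(no symbols)` in `lm`; the noisy output names the path and the PDB signature the debugger looked for.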
8) Sources | ||
---|---|---|
Cmd | Variants / Params | Description |
.srcpath | .srcpath | Display or set source search path |
.srcnoisy | {1|0} | Controls noisy source loading |
.lines | [-e | -d | -t] | Toggle source line support: enable; disable; toggle |
l (small letter L) | l+l, l-l | show line numbers |
9) Exceptions, events, and crash analysis | | |
---|---|---|
Cmd | Variants / Params | Description |
g | g | Go |
.lastevent | | What happened? Shows the most recent event or exception |
!analyze | !analyze -v | Display information about the current exception or bug check; verbose |
sx | sx | Show all event filters with break status and handling |
.exr | .exr -1 | Display the most recent exception record |
.ecxr | .ecxr | Displays the exception context record (registers) associated with the current exception |
!cppexr | !cppexr Addr | Display content and type of a C++ exception |
10) Loaded modules and image information | ||
---|---|---|
Cmd | Variants / Params | Description |
lm | lm[ v | l | k | u | f ] [m Pattern] | List modules; verbose | with loaded symbols | k-kernel or u-user only symbol info | image path; pattern that the module name must match |
!dlls | !dlls | all loaded modules with load count |
!imgreloc | ImgBaseAddr | information about relocated images |
!lmi | Module | detailed info about a module (including exact symbol info) |
!dh | !dh ImgBaseAddr | Dump headers for ImgBaseAddr |
11) Process related information | | |
---|---|---|
Cmd | Variants / Params | Description |
!dml_proc | | (DML) displays current processes and allows drilling into processes for more information |
\| (pipe) | | Print status of all processes being debugged |
.tlist | | Lists all processes running on the system |
!peb | | Display a formatted view of the process's environment block (PEB) |
12) Thread related information | | |
---|---|---|
Cmd | Variants / Params | Description |
~ | ~ | List threads |
~e | ~Thread e CommandString | Execute thread-specific commands (CommandString = one or more commands to be executed) for the thread(s) selected by Thread (see ~ for Thread syntax) |
~f | ~Thread f | Freeze thread (see ~ for Thread syntax) |
~u | ~Thread u | Unfreeze thread (see ~ for Thread syntax) |
~n | ~Thread n | Suspend thread = increment thread's suspend count |
~m | ~Thread m | Resume thread = decrement thread's suspend count |
!teb | | Display a formatted view of the thread's environment block (TEB) |
!tls | !tls -1 | -1 = dump all slots for the current thread |
.ttime | | Display thread times (user + kernel mode) |
!runaway | !runaway [Flags: 0 | 1 | 2] | Display information about time consumed by each thread (0-user time, 1-kernel time, 2-time elapsed since thread creation). Quick way to find out which threads are spinning out of control or consuming too much CPU time |
!gle | !gle | Dump last error for current thread |
!error | !error ErrValue | Decode and display information about an error value |
13) Breakpoints | | |
---|---|---|
Cmd | Variants / Params | Description |
bl | | List breakpoints |
bc | bc * | Clear all breakpoints |
be | be * | Enable all bps |
bd | bd * | Disable all bps |
bp | bp [Addr] | Set breakpoint at address |
bu | bu [Addr] | Set unresolved breakpoint. The bp is set when the module gets loaded |
bm | bm SymPattern | Set symbol breakpoint. SymPattern can contain wildcards |
ba | ba [r|w|e] [Size] Addr | Break on Access: [r=read/write, w=write, e=execute], Size=[1|2|4 bytes] |
br | br OldID NewID [OldID2 NewID2 ...] | Renumbers one or more breakpoints |

With bp, the breakpoint location is always converted to an address. In contrast, a bu or a bm breakpoint is always associated with the symbolic value.

Simple examples
Breakpoints with options
Breakpoints with commands: the command will be executed when the breakpoint is hit.
How to set a breakpoint in your code programmatically?
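Worked examples for the four breakpoint kinds above, including a breakpoint that carries a command string. This is an added example, not from the original page: it assumes a 32-bit target with kernel32 symbols loaded, a not-yet-loaded module named MyDll and a global MyApp!g_Counter. The last comment (DebugBreak / __debugbreak) is general Windows knowledge, not something the page states.

```windbg
$$ bp: resolved to an address right now
bp kernel32!CreateFileW
$$ bu: unresolved, stays symbolic and is armed when MyDll loads (MyDll is an assumption)
bu MyDll!ExportedFunc
$$ bm: one breakpoint per symbol matching the wildcard
bm kernel32!CreateFile*
$$ ba: hardware breakpoint, fires when 4 bytes at the address are written (g_Counter is an assumption)
ba w4 MyApp!g_Counter
$$ Breakpoint with a command string: on x86 the first argument sits at esp+4 on entry,
$$ so print the file name (wide string), three stack frames, then continue (gc)
bp kernel32!CreateFileW "du poi(@esp+4); k 3; gc"
$$ Housekeeping: list, disable/enable/clear breakpoint 0, renumber 0 to 10
bl
bd 0
be 0
br 0 10
bc 10
$$ Programmatic breakpoint: a DebugBreak() / __debugbreak() call in the target (an int 3)
$$ stops here as a break exception, reported by .lastevent
```

`gc` rather than `g` in the command string matters: `gc` resumes in the stepping mode that was active when the breakpoint hit, so a `p` or `t` in progress is not lost.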
14) Tracing and stepping (F10, F11). Each step executes either a single assembly instruction or a single source line, depending on whether the debugger is in assembly mode or source mode. Use the l+t and l-t commands or the buttons on the WinDbg toolbar to switch between these modes. | | |
---|---|---|
Cmd | Variants / Params | Description |
g (F5) | g | Go (F5) |
p (F10) | p | Single step - executes a single instruction or source line. Subroutines are treated as a single step. |
t (F11) | t | Single trace - executes a single instruction or source line. For subroutines each step is traced as well. |
pt | pt | Step to next return - similar to the GU (go up), but staying in context of the current function |
tt | tt | Trace to next return - similar to the GU (go up), but staying in context of the current function |
pc | pc | Step to next call - executes the program until a call instruction is reached |
tc | tc | Trace to next call - executes the program until a call instruction is reached |
pa | pa StopAddr | Step to address ; StopAddr = address at which execution will stop |
ta | ta StopAddr | Trace to address ; StopAddr = address at which execution will stop |
wt | wt | Trace and watch data . Go to the beginning of a function and do a wt . It will run through the entire function and display statistics. |
.step_filter | .step_filter | Dump current filter list = functions that are skipped when tracing (t, ta, tc) |
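The wt row says to go to the beginning of a function and run wt; here is that sequence together with the step/trace pairs and a step filter, as an added example that is not part of the original page. The function MyModule!Parse and the filter on ntdll are assumptions.

```windbg
$$ Assembly mode: each p/t is one instruction (l+t switches back to source-line stepping)
l-t
$$ Run to the beginning of the function (MyModule!Parse is an assumption)
bp MyModule!Parse
g
$$ Trace and watch: run the whole function, two call levels deep, and print the call statistics on return
wt -l 2
$$ Stepping by hand instead, after hitting the breakpoint again:
g
pc          $$ step to the next call instruction (stays in this function)
t           $$ trace into the callee
pt          $$ run until the callee returns, staying in its context
$$ Never trace into ntdll: t / ta / tc now step over anything matching the filter
.step_filter "ntdll!*"
tc          $$ trace to the next call, skipping filtered functions
.step_filter
```

`wt` output is easiest to read in assembly mode; in source mode it still works but the per-function instruction counts are what make it useful for spotting a hot callee.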
15) Call stack | | |
---|---|---|
Cmd | Variants / Params | Description |
k | k [n] [f] [L] [#Frames] | Dump stack; n = with frame #; f = distance between adjacent frames; L = omit source lines; #Frames = number of stack frames to display |
kd | kd [WordCnt] | Display raw stack data + possible symbol info == dds esp |
kM | | DML variant with links to .frame #;dv |
.kframes | | Set stack length. The default is 20 (0x14). |
.frame | .frame | Show current frame |
!uniqstack | !uniqstack | Show stacks for all threads |
!findstack | !findstack Symbol | Locate all stacks that contain Symbol or module |

To get more than 3 function arguments from the stack: dd ChildEBP+8 (parameters start at ChildEBP+8). dd ChildEBP+8 (frame X) == dd ESP (frame X-1).
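The ChildEBP+8 rule from the note above, applied to a concrete frame. This is an added example, not from the original page; it assumes a 32-bit target and a ChildEBP value of 0012f9a4 for frame 1 (a constructed value, read yours from the kn output).

```windbg
$$ Stack with frame numbers; the ChildEBP column is the frame pointer of each frame
kn
$$ Assumption: kn showed frame 1 with ChildEBP = 0012f9a4.
$$ Return address is at ChildEBP+4, so the caller's parameters start at ChildEBP+8.
$$ k prints only the first three; dump eight DWORDs to see up to eight parameters
dd 0012f9a4+8 L8
$$ Same range with symbol resolution, so parameters that are code or data addresses get names
dds 0012f9a4+8 L8
$$ If private symbols are available, switch to the frame and let the debugger name the parameters
.frame 1
dv
```

`dv` only works with private symbols for the module of that frame; without them the raw `dd ChildEBP+8` dump is all you get, which is why the rule is worth remembering.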
16) Registers | ||
---|---|---|
Cmd | Variants / Params | Description |
r | r | Dump all registers |
rM | rM Mask | Dump register types specified by Mask |
rF | rF | Dump all floating-point registers == rM 0x4 |
rX | rX | Dump all SSE XMM registers == rM 0x40 |
rm | rm | Dump default register mask. This mask controls how registers are displayed by the "r". |
17) Information about variables | ||
---|---|---|
Cmd | Variants / Params | Description |
dt | dt -h | Brief help |
dv | dv | display local variables and parameters |
18) Memory | | |
---|---|---|
Cmd | Variants / Params | Description |
d* | d[a| u| b| w| W| d| c| q| f| D] [/c #] [Addr] | Display memory [# = columns to display] |
e* | e[ b | w | d | q | f | D ] Addr Value | Edit memory |
ds, dS | | Dump string struct (struct! not a null-terminated char sequence) |
d*s | | Display words and symbols (memory at Addr is assumed to be a series of addresses in the symbol table) |
dd*, dq*, dp* | | Display referenced memory = display the pointer at the specified Addr, dereference it, and then display the memory at the resulting location in a variety of formats |
dl | | Display linked list (LIST_ENTRY or SINGLE_LIST_ENTRY) |
!address | | Display info about the memory used by the target process |
!vprot | !vprot -? | Brief help |
!mapped_file | !mapped_file -? | Brief help |

Determine stack usage for a thread:

```text
Stack               Identifier                     Memory identifier
  ^
 ---------------- <- _TEB.StackBase                SubRegionBase3 + SubRegionSize3
 |              |
 |  MEM_COMMIT  |
 |              |
 |--------------| <- _TEB.StackLimit               SubRegionBase3 ^, SubRegionBase2 + SubRegionSize2
 |  PAGE_GUARD  |
 |--------------|                                  SubRegionBase2 ^, SubRegionBase1 + SubRegionSize1
 |              |
 | MEM_RESERVED |
 |              |
 |--------------| <- _TEB.DeallocationStack        AllocationBase or RegionBase, SubRegionBase1 ^
```

DeallocationStack: dt ntdll!_TEB TebAddr DeallocationStack

From MSDN, CreateThread > dwStackSize > "Thread Stack Size": "Each new thread receives its own stack space, consisting of both committed and reserved memory. By default, each thread uses 1 Mb of reserved memory, and one page of committed memory. The system will commit one page block from the reserved stack memory as needed."
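The three TEB fields in the diagram, read for the current thread and turned into "committed" and "reserved" stack sizes, then fed to !address to confirm the MEM_COMMIT / PAGE_GUARD / MEM_RESERVE sub-regions. This is an added example, not from the original page; it relies on ntdll symbols being loaded and on the @$teb pseudo-register (the current thread's TEB address).

```windbg
$$ The three boundaries from the diagram, for the current thread
!teb
dt ntdll!_TEB @$teb DeallocationStack
$$ Committed stack currently in use = StackBase - StackLimit
? @@c++(@$teb->NtTib.StackBase) - @@c++(@$teb->NtTib.StackLimit)
$$ Total reserved stack = StackBase - DeallocationStack (1 MB by default, per the MSDN note)
? @@c++(@$teb->NtTib.StackBase) - @@c++(@$teb->DeallocationStack)
$$ Walk the sub-regions: each !address reports the State/Protect of the region containing the address
!address @@c++(@$teb->NtTib.StackLimit)          $$ MEM_COMMIT region, top of the stack
!address @@c++((char*)@$teb->NtTib.StackLimit - 1)   $$ the PAGE_GUARD page just below StackLimit
!address @@c++(@$teb->DeallocationStack)         $$ MEM_RESERVE region at the bottom
```

A thread whose committed size approaches the reserved size is about to hit the guard page for the last time and raise a stack overflow; comparing the two numbers per thread (with `~* e` from the thread section) is a quick triage for deep recursion.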
19) Manipulating memory ranges | | |
---|---|---|
Cmd | Variants / Params | Description |
c | c Range DestAddr | Compare memory |
m | m Range DestAddr | Move memory |
f | f Range Pattern | Fill memory. Pattern = a series of bytes (numeric or ASCII chars) |
s | s Range Pattern | Search memory |
.holdmem | | Hold and compare memory. The comparison is made byte-for-byte |
20) Memory: Heap | | |
---|---|---|
Cmd | Variants / Params | Description |
!heap | !heap -? | Brief help |
!heap -b, -B | !heap Heap -b [alloc | realloc | free] [Tag] | Set conditional breakpoint in the heap manager [Heap = HeapAddr | Idx | 0] |
!heap -flt | !heap -flt s Size | Dump info for allocations matching the specified size |
!heap -stat | !heap -stat | Dump heap handle list |
!heap -p | !heap -p -? | Extended page heap help |

It seems that the following applies for Windows XP SP2:

Who allocated memory - who called HeapAlloc?
Who created a heap - who called HeapCreate?
Finding memory leaks
What is a ?
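An added example (not part of the original sheet) answering "who called HeapAlloc" and "finding memory leaks" with the !heap switches from the table plus `!heap -s`, `!heap -p -a` and `!heap -l`. It assumes that the user-mode stack trace database is enabled for the image in GFlags (as section 22 describes), that 0x40 is the suspicious allocation size and that 0x00a51234 is a block address copied from the -flt output; both values are constructed.

```windbg
$$ Overview: one line per heap with reserved/committed sizes (a growing heap is the first clue)
!heap -s
$$ Per-size statistics for every heap (-h 0 = all heaps): which block size dominates?
!heap -stat -h 0
$$ List every busy block of that size (0x40 is an assumption)
!heap -flt s 0x40
$$ Who called HeapAlloc for one of those blocks? With the stack trace database enabled,
$$ -p -a prints the block header and the allocating call stack (address is an assumption)
!heap -p -a 0x00a51234
$$ Let the debugger look for busy blocks that nothing references any more
!heap -l
```

`!heap -p -a` works without page heap as long as "Create user mode stack trace database" is on; full page heap additionally catches overruns at the moment they happen, at a large memory cost, so enable it per image rather than globally.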
21) Application Verifier. Application Verifier profiles and tracks Microsoft Win32 APIs (heap, handles, locks, threads, DLL load/unload, and more), exceptions, kernel objects, registry, file system. With the !avrf extension we get access to this tracking information! | | |
---|---|---|
Cmd | Variants / Params | Description |
!avrf | !avrf | Displays Application Verifier options. If an Application Verifier Stop has occurred, reveals the nature of the stop and what caused it. |
!avrf | !avrf -? | Brief help |
22) Logging extension (logexts.dll). You must enable the following options for your image in GFlags: "Create user mode stack trace database"; "Stack Backtrace: (Megs)" -> 10. It seems that you sometimes also need to check and specify the "Debugger" field in GFlags. | | |
---|---|---|
Cmd | Variants / Params | Description |
!logexts.help | | Displays all Logexts.dll extension commands |
!loge | !loge [dir] | Enable logging + possibly initialize it if not yet done. Output directory optional. |
!logi | | Initialize (= inject Logger into the target application) but don't enable logging. |
!logd | | Disable logging |
!logo | !logo | List output settings |
!logc | !logc | List all categories |
!logb | !logb p | Print buffer contents to the debugger |
!logm | !logm | Display module inclusion/exclusion list |

Enable 19-ProcessesAndThreads and 22-StringManipulation logging:
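The enable sequence for the two categories named above, as an added example that is not part of the original page. The output directory C:\logs\target is an assumption; the `e`, `d` and `*` arguments of !logc are taken from the Logexts command syntax as I know it, so confirm them against `!logexts.help` on your debugger version.

```windbg
$$ Inject Logger into the target without enabling logging yet
!logi
$$ Show the category list with its numbers (19 = ProcessesAndThreads, 22 = StringManipulation)
!logc
$$ Start from a clean slate, then enable only the two categories of interest
!logc d *
!logc e 19 22
$$ Enable logging; the output directory is an assumption
!loge C:\logs\target
$$ Let the target run, then inspect
g
!logb p        $$ print the buffered API calls to the debugger window
!logm          $$ which modules are included/excluded from logging
!logo          $$ output settings (where the .lgv files go)
!logd          $$ disable logging again
```

Narrowing the categories before `!loge` keeps the log readable: with every category enabled, the string and synchronization APIs drown out the process and thread events you are usually after.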