WinDbg

Last updated
WinDbg
Developer(s) Microsoft
Stable release
10.0.20153.1000 / April 29, 2020 (2020-04-29)
Operating system Microsoft Windows
Type Debugger
License Commercial
Website Debugging Tools at docs.microsoft.com

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. [1] Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode.

Contents

Overview

Like the better-known Visual Studio Debugger WinDbg has a graphical user interface (GUI), but is more powerful and has little else in common. WinDbg can automatically load debugging symbol files (e.g., PDB files) from a server by using a unique ID embedded in the executable (using the "RSDS Guid" [2] ) via SymSrv (SymSrv.dll), [3] instead of requiring users to manually find the files. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems that have various versions of binaries installed on the debugging target by eliminating the need for finding and installing specific symbols version on the debug host. Microsoft has a public symbol server that has most of the public symbols for Windows 2000 and later versions of Windows (including service packs). [4]

WinDbg can also be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death which occurs when a bug check is issued. [5] It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging. [6]

Recent versions of WinDbg have been and are being distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging back-end between WinDbg and command line debugger front-ends like KD, CDB, and NTSD. Most commands can be used as is with all the included debugger front-ends.

In 2017 Microsoft announced new version of WinDbg called WinDbg Preview (aka WinDbgX). [7] One of the most notable features of WinDbg Preview is so called Time-Travel-Debugging (TTD). [8] The main idea here is that the user can record an actual live process (at a performance penalty) to later debug going back and forth in time. This feature is especially useful during reverse-engineering process. It also allows writing scripts in JavaScript language. [9]

Extensions

WinDbg allows the loading of extension DLLs [10] that can augment the debugger's supported commands and allow for help in debugging specific scenarios: for example, displaying an MSXML document given an IXMLDOMDocument, or debugging the Common Language Runtime (CLR). [11] These extensions are a large part of what makes WinDbg such a powerful debugger. WinDbg is used by the Microsoft Windows product team to build Windows, and everything needed to debug Windows is included in these extension DLLs.

Extension commands are always prefixed with !.

While some extensions are used only inside Microsoft, most of them are part of the public Debugging Tools for Windows package.

The extension model is documented in the help file included with the Debugging Tools for Windows.

Ext.dll

Ext is a standard Windows Debugger extension that ships with WinDBG and is loaded by default.

!analyze command

The most commonly used command is !analyze -v, [12] which analyzes the current state of the program being debugged and the machine/process state at the moment of crash or hang. This command is often able to debug the current problem in a completely automated fashion.

When used without any switches, !analyze simply returns the results of its analysis. The -v and -vv give further details about that analysis.

Wow6432exts.dll

Wow6432exts is a standard Windows Debugger extension that ships with WinDBG. It is used to debug processes running inside WoW64 (32-bit processes running in 64-bit Windows). [13]

SOS.dll

The SOS (Son of Strike) [14] Debugging Extension (SOS.dll) assists in debugging managed programs in Visual Studio and WinDbg by providing information about the internal common language runtime (CLR) environment. This tool requires a project to have unmanaged debugging enabled. SOS.dll is automatically installed with the .NET Framework. To use SOS.dll in Visual Studio, install the Windows Driver Kit (WDK). [15] To debug a process or memory dump, the sos.dll version must match the .NET Framework version. Psscor2 and Psscor4 are a superset of SOS.

Psscor2.dll

Psscor2 is the Windows Debugger Extension used to debug .NET Framework applications that use the .NET CLR version 2.0 (.NET Framework versions 2 through 3.5). Psscor2 was developed for internal use at Microsoft as part of their Product Support Services tools. [16] While Microsoft only released Psscor2 in 2010 [17] Microsoft had been publishing commands from the extension several years before, [18] causing difficulty for those who were trying to follow their processes.

Psscor4.dll

Psscor4 is a Windows Debugger extension used to debug .NET Framework 4 applications.

Coupling with virtual machines

WinDbg allows debugging a Microsoft Windows kernel running on a virtual machine by VMware, VPC or Parallels using a named pipe. This can be achieved by using a virtual COM port. In the case of VMware and VirtualBox, the VirtualKD extension adds native support for VM debugging to the Windows kernel, claiming to speed debugging by a factor of up to 45. [19] For Windows 8 and later, kernel debugging over network is allowed, [20] allowing fast kernel debugging without special configuration.

Protocol

The WinDbg protocol is not documented, but is supported by the IDA Pro and radare2 disassemblers.

See also

Related Research Articles

VBScript is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic. It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment.

SoftICE is a kernel mode debugger for DOS and Windows up to Windows XP. It is designed to run underneath Windows, so that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. Because of its low-level capabilities, SoftICE is also popular as a software cracking tool.

<span class="mw-page-title-main">Windows API</span> Microsofts core set of application programming interfaces on Windows

The Windows API, informally WinAPI, is the foundational application programming interface (API) that allows a computer program to access the features of the Microsoft Windows operating system in which the program is running.

JScript is Microsoft's legacy dialect of the ECMAScript standard that is used in Microsoft's Internet Explorer web browser.

NTLDR is the boot loader for all releases of Windows NT operating system from 1993 with the release of Windows NT 3.1 up until Windows XP and Windows Server 2003. From Windows Vista onwards it was replaced by the BOOTMGR bootloader. NTLDR is typically run from the primary storage device, but it can also run from portable storage devices such as a CD-ROM, USB flash drive, or floppy disk. NTLDR can also load a non NT-based operating system given the appropriate boot sector in a file.

A dynamic-link library (DLL) is a shared library in the Microsoft Windows or OS/2 operating system.

The booting process of Windows NT is the process run to start Windows NT. The process has been changed between releases, with the biggest changes being made with Windows Vista. In versions before Vista, the booting process begins when the BIOS loads the Windows NT bootloader, NTLDR. Starting with Vista, the booting process begins with either the BIOS or UEFI loading the Windows Boot Manager, which replaces NTLDR as the bootloader. Next, the bootloader starts the kernel, which starts the session manager, which begins the login process. Once the user is logged in, File Explorer, the graphical user interface used by Windows NT, is started.

ntoskrnl.exe, also known as the kernel image, contains the kernel and executive layers of the Microsoft Windows NT kernel, and is responsible for hardware abstraction, process handling, and memory management. In addition to the kernel and executive mentioned earlier, it contains the cache manager, security reference monitor, memory manager, scheduler (Dispatcher), and blue screen of death.

<span class="mw-page-title-main">Windows Embedded CE 6.0</span> Embedded operating system by Microsoft released in 2006

Windows Embedded CE 6.0 is the sixth major release of the Microsoft Windows embedded operating system targeted to enterprise-specific tools such as industrial controllers and consumer electronics devices like digital cameras. CE 6.0 features a kernel that supports 32,768 processes, up from the 32-process limit of prior versions. Each process receives 2 GB of virtual address space, up from 32 MB. Windows Embedded CE is commonly used in supermarket self-checkouts and cars as a display. Windows Embedded CE is a background system on most devices that have it.

The Microsoft Windows operating system supports a form of shared libraries known as "dynamic-link libraries", which are code libraries that can be used by multiple processes while only one copy is loaded into memory. This article provides an overview of the core libraries that are included with every modern Windows installation, on top of which most Windows applications are built.

The booting process of Microsoft Windows varies between different releases.

<span class="mw-page-title-main">Microsoft Silverlight</span> Application framework for writing and running rich Internet applications

Microsoft Silverlight is a discontinued application framework designed for writing and running rich internet applications, similar to Adobe's runtime, Adobe Flash. While early versions of Silverlight focused on streaming media, later versions supported multimedia, graphics, and animation, and gave support to developers for CLI languages and development tools. Silverlight was one of the two application development platforms for Windows Phone, but web pages using Silverlight did not run on the Windows Phone or Windows Mobile versions of Internet Explorer, as there was no Silverlight plugin for Internet Explorer on those platforms.

Visual Studio Tools for Office (VSTO) is a set of development tools available in the form of a Visual Studio add-in and a runtime that allows Microsoft Office 2003 and later versions of Office applications to host the .NET Framework Common Language Runtime (CLR) to expose their functionality via .NET.

<span class="mw-page-title-main">Visual Studio</span> Code editor and IDE

Visual Studio is an integrated development environment (IDE) developed by Microsoft. It is used to develop computer programs including websites, web apps, web services and mobile apps. Visual Studio uses Microsoft software development platforms such as Windows API, Windows Forms, Windows Presentation Foundation (WPF), Windows Store and Microsoft Silverlight. It can produce both native code and managed code.

<span class="mw-page-title-main">Blue screen of death</span> Error screen displayed after a fatal system error on a computer running Microsoft Windows or ReactOS

The blue screen of death (BSoD), blue screen error, blue screen, fatal error, or bugcheck, and officially known as a stop error, is a critical error screen displayed by the Microsoft Windows and ReactOS operating systems in the event of a fatal system error. It indicates a system crash, in which the operating system has reached a critical condition where it can no longer operate safely.

<span class="mw-page-title-main">.NET Framework</span> Software platform developed by Microsoft

The .NET Framework is a proprietary software framework developed by Microsoft that runs primarily on Microsoft Windows. It was the predominant implementation of the Common Language Infrastructure (CLI) until being superseded by the cross-platform .NET project. It includes a large class library called Framework Class Library (FCL) and provides language interoperability across several programming languages. Programs written for .NET Framework execute in a software environment named the Common Language Runtime (CLR). The CLR is an application virtual machine that provides services such as security, memory management, and exception handling. As such, computer code written using .NET Framework is called "managed code". FCL and CLR together constitute the .NET Framework.

In computing the Process Environment Block is a data structure in the Windows NT operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures.

<span class="mw-page-title-main">.NET</span> Free and open-source software platform developed by Microsoft

The .NET platform is a free and open-source, managed computer software framework for Windows, Linux, and macOS operating systems. The project is mainly developed by Microsoft employees by way of the .NET Foundation and is released under an MIT License.

<span class="mw-page-title-main">Windows Subsystem for Linux</span> Compatibility layer for running Linux binary executables natively on Windows

Windows Subsystem for Linux (WSL) is a feature of Windows that allows developers to run a Linux environment without the need for a separate virtual machine or dual booting. There are two versions of WSL: WSL 1 and WSL 2. WSL 1 was first released on August 2, 2016, and acts as a compatibility layer for running Linux binary executables by implementing Linux system calls on the Windows kernel. It is available on Windows 10, Windows 10 LTSB/LTSC, Windows 11, Windows Server 2016, Windows Server 2019 and Windows Server 2022.

<span class="mw-page-title-main">ProcDump</span> Command-line application

ProcDump is a command-line application used for monitoring an application for CPU spikes and creating crash dumps during a spike. The crash dumps can then be used by an administrator or software developer to determine the cause of the spike. ProcDump supports monitoring of hung windows and unhandled exceptions. It can also create dumps based on the values of system performance counters.

References

  1. EliotSeattle. "Download the Windows Driver Kit (WDK)". Msdn.microsoft.com. Retrieved 23 April 2018.
  2. "PE/COFF Specification Addendum" . Retrieved 11 March 2024.
  3. "Debugging with Symbols (Windows)". Support.microsoft.com. Retrieved 23 April 2018.
  4. DOMARS. "Microsoft public symbol server". Msdn.microsoft.com. Retrieved 23 April 2018.
  5. "How do I use WinDBG Debugger to troubleshoot a Blue Screen of Death?". TechRepublic. 18 December 2009. Retrieved 23 April 2018.
  6. "Post-mortem debugging of .NET applications using WinDbg". Tewarid.github.io. 10 September 2010. Retrieved 23 April 2018.
  7. "New WinDbg available in preview! – Debugging Tools for Windows". blogs.msdn.microsoft.com. Retrieved 2019-08-13.
  8. "Leveraging the new WinDbgX and Time-Travel-Trace –Script to list all access to files – Rodney Viana's (MSFT) Blog". blogs.msdn.microsoft.com. Retrieved 2019-08-13.
  9. "Easier WinDbg scripting with Javascript for malware research – Avar 2018" . Retrieved 2019-08-13.
  10. DOMARS. ".load, .loadby (Load Extension DLL)". Msdn.microsoft.com. Retrieved 23 April 2018.
  11. "MSDN Magazine Issues". Msdn.microsoft.com. Retrieved 23 April 2018.
  12. DOMARS. "analyze". Msdn.microsoft.com. Retrieved 23 April 2018.
  13. "Debugging WOW64 (Windows)". Msdn.microsoft.com. Retrieved 23 April 2018.
  14. "SOS Debugging of the CLR, Part 1". Blogs.msdn.com. Archived from the original on 28 June 2010. Retrieved 23 April 2018.
  15. mairaw. "SOS.dll (SOS Debugging Extension)". Msdn.microsoft.com. Retrieved 23 April 2018.
  16. "New debugger extension for .NET (PSSCOR2)". Blogs.msdn.com. Retrieved 23 April 2018.
  17. "New debugger extension for .NET, Psscor2, released". Blogs.msdn.com. Retrieved 23 April 2018.
  18. "MSDN Magazine Issues". Msdn.microsoft.com. Retrieved 23 April 2018.
  19. "VirtualKD - Windows Kernel Debugger Booster for Virtual Machines". Virtualkd.sysprogs.org. Retrieved 23 April 2018.
  20. DOMARS. "Setting Up Kernel-Mode Debugging over a Network Cable Manually". Msdn.microsoft.com. Retrieved 23 April 2018.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.