WinDbg

Developer(s): Microsoft
Stable release: 1.2407.24003.0 / August 2024 [1]
Operating system: Microsoft Windows
Type: Debugger
License: Commercial
Website: Microsoft Learn

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. [2] It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as an aid to development.

Overview

Like the Visual Studio Debugger, WinDbg has a graphical user interface (GUI), but is more powerful and has little else in common. WinDbg can automatically load debugging symbol files (e.g., PDB files) from a server by using a unique ID embedded in the executable (the "RSDS Guid" [3]) via SymSrv (SymSrv.dll), [4] instead of requiring users to find the files manually. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems when various versions of binaries are installed on the debugging target, because it eliminates the need to find and install a specific symbols version on the debug host. Microsoft has a public symbol server that has most of the public symbols for Windows 2000 and later versions of Windows (including service packs). [5]
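The symbol lookup described above can be reproduced offline when triaging a dump or an untrusted binary. The following is an added example, not code from the article or from Microsoft: it assumes the standard RSDS record layout (4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path) and the symbol store's `pdbname/GUID+age/pdbname` path convention, and the function names and sample record are constructed for illustration.

```python
import struct
import uuid

# Constructed sample record (not taken from a real binary).
SAMPLE = (b"RSDS" + bytes.fromhex("67452301ab89efcd0123456789abcdef")
          + struct.pack("<I", 2) + b"C:\\build\\obj\\sample.pdb\x00")


def parse_rsds(record: bytes) -> dict:
    """Parse a CodeView 'RSDS' debug record into GUID, age and PDB path."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    # The GUID is stored in Windows mixed-endian layout (first three fields LE).
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        raise ValueError("PDB path is not NUL-terminated")
    pdb_path = record[24:end].decode("utf-8", errors="replace")
    return {"guid": guid, "age": age, "pdb_path": pdb_path}


def symsrv_key(info: dict) -> str:
    """Build the relative symbol-store path: <pdb>/<GUID><age>/<pdb>."""
    # The embedded path comes from the binary and is untrusted: keep only the
    # file name so a crafted record cannot steer the lookup elsewhere.
    pdb_name = info["pdb_path"].replace("\\", "/").rsplit("/", 1)[-1]
    if not pdb_name or pdb_name in (".", ".."):
        raise ValueError("unusable PDB file name")
    # 32 uppercase hex digits of the GUID followed by the age in hex.
    ident = info["guid"].hex.upper() + format(info["age"], "X")
    return f"{pdb_name}/{ident}/{pdb_name}"


if __name__ == "__main__":
    print(symsrv_key(parse_rsds(SAMPLE)))
```

Appending the returned key to a symbol server's base URL or a local store root gives the location SymSrv would request for that exact build of the binary.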

WinDbg can also be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death, which occurs when a bug check is issued. [6] It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging. [7]

WinDbg is distributed as a standalone package from the Windows Debugger Portal and via the Microsoft Store. The WinDBG Debugger Engine is the common debugging back-end between WinDbg and command line debugger front-ends like KD, CDB, and NTSD. Most commands can be used as is with all the included debugger front-ends.

In 2023 Microsoft released a new version of WinDbg, which was announced in 2017 as WinDbg Preview (WinDbgX). [8] One of its most notable features is the so-called Time-Travel-Debugging (TTD). [9] TTD allows a user to record an actual live process (at a performance penalty) and later debug it by going back and forth in time. In addition, WinDbg has an updated user interface, support for dark mode and keyboard navigation. It also allows writing scripts in the JavaScript language. [10] [11]

Extensions

WinDbg allows the loading of extension DLLs [12] that can augment the debugger's supported commands and allow for help in debugging specific scenarios: for example, displaying an MSXML document given an IXMLDOMDocument, or debugging the Common Language Runtime (CLR). [13] These extensions are a large part of what makes WinDbg such a powerful debugger. WinDbg is used by the Microsoft Windows product team to build Windows, and everything needed to debug Windows is included in these extension DLLs.

Extension commands are always prefixed with !.

While some extensions are used only inside Microsoft, most of them are part of the public Debugging Tools for Windows package.

The extension model is documented in the help file included with the Debugging Tools for Windows.

Ext.dll

Ext is a standard Windows Debugger extension that ships with WinDBG and is loaded by default.

!analyze command

The most commonly used command is !analyze -v, [14] which analyzes the current state of the program being debugged and the machine/process state at the moment of crash or hang. This command is often able to debug the current problem in a completely automated fashion.

When used without any switches, !analyze simply returns the results of its analysis. The -v and -vv switches give further details about that analysis.

Wow6432exts.dll

Wow6432exts is a standard Windows Debugger extension that ships with WinDBG. It is used to debug processes running inside WoW64 (32-bit processes running in 64-bit Windows). [15]

SOS.dll

The SOS (Son of Strike) [16] Debugging Extension (SOS.dll) assists in debugging managed programs in Visual Studio and WinDbg by providing information about the internal common language runtime (CLR) environment. This tool requires a project to have unmanaged debugging enabled. SOS.dll is automatically installed with the .NET Framework. To use SOS.dll in Visual Studio, install the Windows Driver Kit (WDK). [17] To debug a process or memory dump, the sos.dll version must match the .NET Framework version. Psscor2 and Psscor4 are a superset of SOS.

Psscor2.dll

Psscor2 is the Windows Debugger Extension used to debug .NET Framework applications that use the .NET CLR version 2.0 (.NET Framework versions 2 through 3.5). Psscor2 was developed for internal use at Microsoft as part of their Product Support Services tools. [18] While Microsoft only released Psscor2 in 2010, [19] Microsoft had been publishing commands from the extension several years before, [20] causing difficulty for those who were trying to follow their processes.

Psscor4.dll

Psscor4 is a Windows Debugger extension used to debug .NET Framework 4 applications.

Coupling with virtual machines

WinDbg allows debugging a Microsoft Windows kernel running on a virtual machine by VMware, VPC or Parallels using a named pipe. This can be achieved by using a virtual COM port. In the case of VMware and VirtualBox, the VirtualKD extension adds native support for VM debugging to the Windows kernel, claiming to speed debugging by a factor of up to 45. [21] For Windows 8 and later, kernel debugging over network is allowed, [22] allowing fast kernel debugging without special configuration.

Protocol

The WinDbg protocol is not documented, but is supported by the IDA Pro and radare2 disassemblers.

References

  1. "WinDbg release notes". Microsoft Learn. Retrieved 2024-08-30.
  2. EliotSeattle. "Download the Windows Driver Kit (WDK)". Msdn.microsoft.com. Retrieved 23 April 2018.
  3. "PE/COFF Specification Addendum". Retrieved 11 March 2024.
  4. "Debugging with Symbols (Windows)". Support.microsoft.com. Retrieved 23 April 2018.
  5. DOMARS. "Microsoft public symbol server". Msdn.microsoft.com. Retrieved 23 April 2018.
  6. "How do I use WinDBG Debugger to troubleshoot a Blue Screen of Death?". TechRepublic. 18 December 2009. Retrieved 23 April 2018.
  7. "Post-mortem debugging of .NET applications using WinDbg". Tewarid.github.io. 10 September 2010. Retrieved 23 April 2018.
  8. "New WinDbg available in preview! – Debugging Tools for Windows". blogs.msdn.microsoft.com. Retrieved 2019-08-13.
  9. "Leveraging the new WinDbgX and Time-Travel-Trace – Script to list all access to files – Rodney Viana's (MSFT) Blog". blogs.msdn.microsoft.com. Retrieved 2019-08-13.
  10. "Easier WinDbg scripting with Javascript for malware research – Avar 2018". Retrieved 2019-08-13.
  11. "What is WinDbg". Retrieved 2024-07-27.
  12. DOMARS. ".load, .loadby (Load Extension DLL)". Msdn.microsoft.com. Retrieved 23 April 2018.
  13. "MSDN Magazine Issues". Msdn.microsoft.com. Retrieved 23 April 2018.
  14. DOMARS. "analyze". Msdn.microsoft.com. Retrieved 23 April 2018.
  15. "Debugging WOW64 (Windows)". Msdn.microsoft.com. Retrieved 23 April 2018.
  16. "SOS Debugging of the CLR, Part 1". Blogs.msdn.com. Archived from the original on 28 June 2010. Retrieved 23 April 2018.
  17. mairaw. "SOS.dll (SOS Debugging Extension)". Msdn.microsoft.com. Retrieved 23 April 2018.
  18. "New debugger extension for .NET (PSSCOR2)". Blogs.msdn.com. Retrieved 23 April 2018.
  19. "New debugger extension for .NET, Psscor2, released". Blogs.msdn.com. Retrieved 23 April 2018.
  20. "MSDN Magazine Issues". Msdn.microsoft.com. Retrieved 23 April 2018.
  21. "VirtualKD - Windows Kernel Debugger Booster for Virtual Machines". Virtualkd.sysprogs.org. Retrieved 23 April 2018.
  22. DOMARS. "Setting Up Kernel-Mode Debugging over a Network Cable Manually". Msdn.microsoft.com. Retrieved 23 April 2018.