New Debugging Book – Windows Debugging Notebook: Essential User Space WinDbg Commands

A reference book for technical support and escalation engineers troubleshooting and debugging complex software issues. The book is also invaluable for software maintenance and development engineers debugging Windows applications and services. Do you want to know more about this book? Check out here…

PSSCOR2, the Superset of SOS.DLL is Now Public!!!

Whenever I’m debugging with customers watching, it’s inevitable: they always ask me what this PSSCOR2.dll extension is. The next question is always whether PSSCOR2.DLL is going to be public. PSSCOR2.DLL is a superset of SOS.DLL and has many more commands and variations! The good news is that yes, PSSCOR2.DLL is now public, so you can download…

Special Command—Saving Modules Using .writemem

This command saves a range of memory to a disk file. The cool thing is that you can save a whole module this way; however, what you get is the raw memory of the module as mapped in the process, not a copy of the file on disk. The parameters are:

.writemem <filename> <range>

Here is an example:

0:026> lm
start    end        module name
00400000 00427000   mtgdi      (deferred)
5a700000 5acaf000  …

Special Command—Using .dump/.dumpcab to Get Dumps and Symbols from Production Servers

Using WinDbg you can create a dump file from an application running, for instance, on a production server. After collecting the dump file, you can load it on another machine and debug it. However, to be effective during your debugging session you need symbols. With that in mind, here’s the trick to get both dump…

Special Command—Using !chksym/!itoldyouso to Check PDB Files Against Modules

These are two debugger extensions that show which PDB file matches a specific module. Note that !itoldyouso is not documented. The output of both commands is identical.

Usage:

0:025> !chksym ntdll

ntdll.dll
    Timestamp: 49EEA706
  SizeOfImage: 180000
          pdb: wntdll.pdb
      pdb sig: E06BEA15-5E97-48BE-A818-E2D0DD2FED95
          age: 2…

Special Command—Displaying Information From Modules/DLLs with !dlls

The !dlls extension displays the loader table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using. The WinDbg help file describes all parameters; here we show the most common usage.

Displays file headers and section headers:

!dlls -a
…

Special Command—Displaying More PE Header Information with !dh

The !dh extension displays the PE header information of a specified module.

Usage:

!dh [options] <addressOfModule>

The address is the module’s base address, the start column in the lm output.

Options can be:

-f Displays file headers.
-s Displays section headers.
-a Displays all header information.

Example:

0:532> lm
start    end        module name
00400000 00427000   mtgdi      (deferred)
5a700000 5acaf000   mfc90d     (deferred)
692e0000…

Special Command—Displaying the PE Header Information with !lmi

Like its cousin !dh, the !lmi extension displays the PE header information of a specified module, but in summarized form, with fewer details than !dh.

Usage:

!lmi <moduleName>

Examples:

0:532> !lmi mtgdi

Loaded Module Info: [mtgdi]
         Module: mtgdi
   Base Address: 00400000
     Image Name: mtgdi.exe…
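The four commands above (.writemem, !chksym, !dh and !lmi) all read the same on-disk structures: the file header and optional header, the section table, and the CodeView (RSDS) record the debug directory points to. The Python script below is an added example, not code from the original posts or from the debugger. It parses those structures from a constructed 32-bit PE (the script also accepts PE32+ headers), reports the fields !chksym prints (timestamp, SizeOfImage, PDB name, signature GUID and age), and shows why a module saved with .writemem is "just the raw memory": in the dump each section sits at its VirtualAddress rather than at PointerToRawData, so a file-offset lookup of the debug directory finds nothing until the sections are moved back. The sample image, its section layout and the 0x00400000 base are assumptions made here; the timestamp, GUID, age and wntdll.pdb name are copied from the !chksym output shown above so the parser's result can be compared with it.

```python
import struct
import uuid

# Constants and struct layouts from winnt.h
IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550
IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DEBUG_TYPE_CODEVIEW = 6, 2
SECTION_HDR = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER (40 bytes)
DEBUG_DIR = '<IIHHIIII'        # IMAGE_DEBUG_DIRECTORY (28 bytes)

def parse_pe(data):
    """Fields that !dh -f / !lmi print plus the section table; handles PE32 and PE32+."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if (struct.unpack_from('<H', data, 0)[0] != IMAGE_DOS_SIGNATURE
            or struct.unpack_from('<I', data, e_lfanew)[0] != IMAGE_NT_SIGNATURE):
        raise ValueError('not a PE image')
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, e_lfanew + 4)
    opt = e_lfanew + 24                                # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError('unknown optional header magic %#x' % magic)
    dirs = opt + (96 if magic == 0x10B else 112)       # DataDirectory offset: PE32 vs PE32+
    size_of_image, size_of_headers = struct.unpack_from('<II', data, opt + 56)
    debug_dir = struct.unpack_from('<II', data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)[:5]
        sections.append({'name': name.rstrip(b'\0').decode(), 'va': va, 'vsize': vsize,
                         'rawsize': rawsize, 'rawptr': rawptr})
    return {'timestamp': timestamp, 'size_of_image': size_of_image,
            'size_of_headers': size_of_headers, 'debug_dir': debug_dir, 'sections': sections}

def rva_to_offset(info, rva, in_memory):
    """In a .writemem dump an RVA is already the offset; on disk it goes through the section table."""
    if in_memory:
        return rva
    for s in info['sections']:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            return rva - s['va'] + s['rawptr']
    raise ValueError('RVA %#x is not backed by any section' % rva)

def codeview_info(data, in_memory=False):
    """What !chksym reports: PDB name, signature GUID and age from the RSDS record, or None."""
    info = parse_pe(data)
    rva, size = info['debug_dir']
    start = rva_to_offset(info, rva, in_memory) if size else 0
    for off in range(start, start + size, 28):
        _, _, _, _, dtype, _, data_rva, data_ptr = struct.unpack_from(DEBUG_DIR, data, off)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        cv = data_rva if in_memory else data_ptr        # the entry carries both RVA and file offset
        if bytes(data[cv:cv + 4]) != b'RSDS':
            raise ValueError('only RSDS (PDB 7.0) CodeView records are handled')
        guid = uuid.UUID(bytes_le=bytes(data[cv + 4:cv + 20]))   # Windows GUID byte order
        age = struct.unpack_from('<I', data, cv + 20)[0]
        pdb = bytes(data[cv + 24:data.index(b'\0', cv + 24)]).decode()
        return {'pdb': pdb, 'sig': str(guid).upper(), 'age': age}
    return None

def to_memory_layout(pe_file):
    """Lay the file out as the loader does: headers at 0, each section at its VirtualAddress."""
    info = parse_pe(pe_file)
    image = bytearray(pe_file[:info['size_of_headers']]).ljust(info['size_of_image'], b'\0')
    for s in info['sections']:
        chunk = pe_file[s['rawptr']:s['rawptr'] + s['rawsize']]
        image[s['va']:s['va'] + len(chunk)] = chunk
    return bytes(image)

def to_file_layout(image):
    """Undo the mapping so a .writemem dump opens as a PE; loader edits (relocations, IAT) stay."""
    info = parse_pe(image)
    end = max(s['rawptr'] + s['rawsize'] for s in info['sections'])
    out = bytearray(image[:info['size_of_headers']]).ljust(end, b'\0')
    for s in info['sections']:
        chunk = image[s['va']:s['va'] + s['rawsize']]
        out[s['rawptr']:s['rawptr'] + len(chunk)] = chunk
    return bytes(out)

def build_sample_pe():
    """Constructed PE32 in file layout (an assumption, not a real module): .text at RVA 0x1000 /
    file 0x200, .rdata at RVA 0x2000 / file 0x400 holding the debug directory and RSDS record."""
    ts = 0x49EEA706                                      # values below copied from the post's !chksym
    rsds = (b'RSDS' + uuid.UUID('E06BEA15-5E97-48BE-A818-E2D0DD2FED95').bytes_le
            + struct.pack('<I', 2) + b'wntdll.pdb\0')
    dbg = struct.pack(DEBUG_DIR, 0, ts, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(rsds), 0x2000 + 28, 0x400 + 28)
    dos = struct.pack('<H', IMAGE_DOS_SIGNATURE).ljust(0x3C, b'\0') + struct.pack('<I', 0x40)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 2, ts, 0, 0, 224, 0x102)   # i386, 2 sections, EXE
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                # PE32 magic
    struct.pack_into('<I', opt, 28, 0x00400000)          # ImageBase
    struct.pack_into('<II', opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, 56, 0x3000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x2000, len(dbg))
    secs = (struct.pack(SECTION_HDR, b'.text', 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + struct.pack(SECTION_HDR, b'.rdata', len(dbg + rsds), 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040))
    headers = (dos + struct.pack('<I', IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + secs).ljust(0x200, b'\0')
    return headers + (b'\xCC' * 0x100).ljust(0x200, b'\0') + (dbg + rsds).ljust(0x200, b'\0')

if __name__ == '__main__':
    img = to_memory_layout(build_sample_pe())        # what .writemem of the mapped module yields
    print(codeview_info(img, in_memory=True), codeview_info(img), codeview_info(to_file_layout(img)))
```

Running the script prints the CodeView record three times: read by RVA from the mapped image (found), read by file offset from the same image (None, because a .writemem dump is not in file layout), and read by file offset after to_file_layout (found again). Even the un-mapped file is not the module on disk: relocations the loader applied and import thunks it resolved remain patched in, so treat it as a memory artifact rather than a substitute for the original binary.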

Special Command—Peeking Memory Addresses Using !address

Let’s say that you get a memory address and you want to know whether it belongs to the heap, a stack, or somewhere else. Or let’s say you have a .NET application consuming lots of memory and you want a better understanding of that memory consumption. The !address command is helpful in both situations…

Special Command—Parsing Strings, Files, and Commands Output Using .foreach

This is by far one of the most powerful WinDbg commands. Even if you don’t write scripts, you’ll benefit from it. It’s powerful because it’s flexible: you can use it for a huge variety of operations. The .foreach token parses the output of one or more debugger commands and uses each value…
