Common WinDBG Commands Reference

Command  Description from WinDBG Help (go there for detailed help!)

! Extension Commands
!address displays information about the memory that the target process or target computer uses.
!analyze -hang (hang) Generates !analyze hung-application output.
!analyze -v displays information about the current exception or bug check.
!devstack displays a formatted view of the device stack associated with a device object.
!drvobj displays detailed information about a DRIVER_OBJECT.
!exqueue (hang) displays a list of items currently queued in the ExWorkerQueue work queues.
!exqueue 2 (hang) displays a list of threads and events associated with the work queue and their wait states.
!handle displays information about a handle or handles that one or all processes in the target system own.
!irpfind (hang) displays information about all I/O request packets (IRP) currently allocated in the target system, or about those IRPs matching the specified search criteria.
!irql displays the interrupt request level (IRQL) of a processor on the target computer before the debugger break.
!locks (hang) displays information about kernel ERESOURCE locks.
!memusage displays summary statistics about physical memory use.
!pcr (hang) displays the current status of the Processor Control Region (PCR) on a specific processor.
!podev displays the power capabilities of the target computer.
!poolused (hang) displays memory use summaries, based on the tag used for each pool allocation. Use !xpoolused if this command does not work.
!process (hang) displays information about the specified process, or about all processes, including the EPROCESS block.
!pte displays the page table entry (PTE) and page directory entry (PDE) for the specified address.
!ready displays summary information about each thread in the system in a READY state.
!session displays one or more user sessions, or displays a specified process running in multiple user sessions.
!stacks displays information about the kernel stacks.
!stacks 2 (hang) displays the full parameters for all stacks, including those currently paged out and the current kernel stacks.
!teb displays a formatted view of the information in the thread environment block (TEB).
!thread displays summary information about a thread on the target system, including the ETHREAD block.
!verifier -f displays the status of Driver Verifier and its actions.
!vm (hang) displays summary information about virtual memory use statistics on the target system.
!vm 20 (hang) extends the display to include kernel virtual address usage.
!xpoolmap (hang) displays a map of pool use.

. Commands
.cxr displays the context record saved at the specified address. It also sets the register context.
.imgscan scans virtual memory for image headers.
.kframes sets the default length of a stack trace display, e.g. 0n256 sets a length of 256.
.reload deletes all symbol information for the specified module and reloads these symbols as needed.
.sympath changes the default path of the host debugger for symbol search.
.trap displays the trap frame register state and also sets the register context.

Standard Commands
dh displays the headers for the specified image.
dps The dds (double word), dps (pointer-sized), and dqs (quad-word) commands display the contents of memory in the given range.
dt displays information about a local variable, global variable or data type.
kvf, kvn display the stack frame of the given thread, together with related information.
lm displays the specified loaded modules.
ln displays the symbols at or near the given address.
r displays or modifies registers, floating-point registers, flags, pseudo-registers, and fixed-name aliases.
ub displays an assembly translation of the specified program code in memory.
uf displays an assembly translation of the specified function in memory.
uf /c displays only the call instructions in a routine instead of the full disassembly.
up displays an assembly translation of the specified program code in physical memory.
vertarget displays the current version of the Microsoft Windows operating system of the target computer.
x displays the symbols in all contexts that match the specified pattern.

Comments (1)

  1. vinay says:

    Thanks for the post