•db/dw/dd/dq display the contents of memory in the given range as bytes, words, DWORDs or QWORDs.
–Example: dd 0xf75e98c0 L0x100 (the L argument gives the count in units of the display size, here 0x100 DWORDs)
•.reload [module name] reloads symbols for the named module (or for all modules when none is given).
–Example: .reload /f forces symbols to be loaded immediately instead of deferred.
–Example: .reload /i ignores a mismatch between the .pdb file version and the loaded image.
–Example: .reload /u unloads the named module's symbols (or all symbol files when no module is given).
•k, kb, kd, kp, kP, kv (Display Stack Backtrace)
•!analyze -v
–The !analyze extension displays information about the current exception or bug check; -v gives verbose output.
•The !pte extension displays the page table entry (PTE) and page directory entry (PDE) for the specified address.
–kd> !pte 801544f4
801544F4 - PDE at C0300800        PTE at C0200550
           contains 0003B163      contains 00154121
           pfn 3b G-DA--KWV       pfn 154 G--A--KRV
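The following Python is an added example, not part of the original page: it reproduces what !pte computed above for an x86 (non-PAE) kernel, namely the self-map addresses of the PDE and PTE for 801544f4 and the nine-character flag string printed beside each entry, and it finishes the translation to a physical address. The letters chosen for the cache-disabled and write-through bits (the fifth and sixth positions of the flag string) are this example's assumption, since both bits are clear in the output above; the function names are also mine.

```python
# Added example (not from the original page): decode an x86 non-PAE virtual
# address the way `!pte` does, reproducing the PDE/PTE self-map addresses and
# the nine-character flag string printed for 801544f4 above.
from typing import Optional, Tuple

PAGE_SHIFT = 12
PTE_BASE = 0xC0000000  # x86 non-PAE: the page tables are self-mapped here
PDE_BASE = 0xC0300000  # the page directory itself sits inside that self-map


def pte_addresses(va: int) -> Tuple[int, int]:
    """Virtual addresses of the PDE and PTE that map `va`.

    PDE = PDE_BASE + (va >> 22) * 4 and PTE = PTE_BASE + (va >> 12) * 4;
    entries are 4 bytes because this is the 32-bit, non-PAE layout.
    """
    pd_index = va >> 22          # top 10 bits select the page directory entry
    pt_index = va >> PAGE_SHIFT  # top 20 bits index the PTE within the self-map
    return PDE_BASE + pd_index * 4, PTE_BASE + pt_index * 4


# Bit positions of a present x86 PTE/PDE, printed high bit first as `!pte` does.
# The letters for bit 4 (PCD) and bit 3 (PWT) are this example's assumption;
# both bits are clear in the page's output, so they render as '-'.
_FLAG_BITS = (
    (8, "G", "-"),  # global: survives a CR3 reload in the TLB
    (7, "L", "-"),  # large page (meaningful in a PDE)
    (6, "D", "-"),  # dirty: the page has been written
    (5, "A", "-"),  # accessed
    (4, "C", "-"),  # cache disabled (assumed letter)
    (3, "T", "-"),  # write-through (assumed letter)
    (2, "U", "K"),  # user-mode accessible vs kernel-only
    (1, "W", "R"),  # writable vs read-only
    (0, "V", "-"),  # valid (present)
)


def decode_flags(entry: int) -> str:
    """Return the `!pte`-style flag string for a present entry, or 'not valid'."""
    if not entry & 1:
        # Non-present entries encode other states (transition, prototype,
        # paged out) and are not decoded by this example.
        return "not valid"
    return "".join(on if entry & (1 << bit) else off for bit, on, off in _FLAG_BITS)


def pfn(entry: int) -> int:
    """Page frame number: bits 31..12 of the entry."""
    return (entry >> PAGE_SHIFT) & 0xFFFFF


def physical_address(va: int, pte_value: int) -> Optional[int]:
    """Translate `va`: frame from the PTE, page offset from the low 12 VA bits."""
    if not pte_value & 1:
        return None
    return (pfn(pte_value) << PAGE_SHIFT) | (va & 0xFFF)


def describe(va: int, pde_value: int, pte_value: int) -> str:
    """Render the three lines `!pte` prints for a mapped address."""
    pde_addr, pte_addr = pte_addresses(va)
    return "\n".join((
        f"{va:08X} - PDE at {pde_addr:08X}        PTE at {pte_addr:08X}",
        f"           contains {pde_value:08X}      contains {pte_value:08X}",
        f"           pfn {pfn(pde_value):x} {decode_flags(pde_value)}       "
        f"pfn {pfn(pte_value):x} {decode_flags(pte_value)}",
    ))


if __name__ == "__main__":
    # Values taken from the page's `!pte 801544f4` output.
    print(describe(0x801544F4, 0x0003B163, 0x00154121))
    print(f"physical: {physical_address(0x801544F4, 0x00154121):08x}")
```

The K/U and W/R columns are the ones to read when judging a memory-corruption primitive: a kernel page that reports U, or a code page that reports W, points at a corrupted or deliberately rewritten PTE rather than a normal mapping.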
•dt (Display Type) shows a variable, structure or type laid out with each member's offset.
–0:000> dt mt1
   +0x000 a  : 10
   +0x004 b  : 98 'b'
   +0x006 c  : 0xdd
   +0x008 d  : 0xabcd
   +0x00c gn : [6] 0x1
   +0x024 ex : 0x0
•The r command displays or modifies registers, floating-point registers, flags, pseudo-registers, and fixed-name aliases.
–kd> r
Last set context:
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=80403a0d esp=fd581c2c ebp=fd581c60 iopl=0         nv up di pl nz na pe nc
cs=0000  ss=0000  ds=0000  es=0000  fs=0000  gs=0000             efl=00000000
0000:3a0d ?? ???
•The lm command lists the loaded modules. The output includes each module's symbol status and, once symbols are loaded, the path to its symbol file.
•The !process extension displays information about the specified process, or about all processes. The first argument selects the process (0 means all), the second is the detail level (0 prints the summary only).
–kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80a02a60  Cid: 0002    Peb: 00000000  ParentCid: 0000
    DirBase: 00006e05  ObjectTable: 80a03788  TableSize: 150.
    Image: System
PROCESS 80986f40  Cid: 0012    Peb: 7ffde000  ParentCid: 0002
    DirBase: 000bd605  ObjectTable: 8098fce8  TableSize: 38.
    Image: smss.exe
PROCESS 80958020  Cid: 001a    Peb: 7ffde000  ParentCid: 0012
    DirBase: 0008b205  ObjectTable: 809782a8  TableSize: 150.
    Image: csrss.exe
PROCESS 80955040  Cid: 0020    Peb: 7ffde000  ParentCid: 0012
    DirBase: 00112005  ObjectTable: 80955ce8  TableSize: 54.
•The .thread command specifies which thread will be used for the register context.
–Use the .thread command with the address of the desired thread (the ETHREAD address shown by !process or !thread). This sets the register context and enables you to examine the registers and the call stack for that thread.
•ba/bp set a breakpoint: ba uses a hardware breakpoint that fires on a data access, bp sets a software breakpoint on an instruction.
•bl lists the current breakpoints.
•bc clears breakpoints.
•The !irp extension displays information about an I/O request packet (IRP).
•The .crash command causes the target computer to issue a bug check.
kd> .thread ffaa43a0
Using context of thread ffaa43a0
kd> r
Last set context:
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=80403a0d esp=fd581c2c ebp=fd581c60 iopl=0         nv up di pl nz na pe nc
cs=0000  ss=0000  ds=0000  es=0000  fs=0000  gs=0000             efl=00000000
kd> lm m s*
start    end        module name
f9f73000 f9f7fd80   sysaudio   (deferred)
fa04b000 fa09b400   srv        (deferred)
faab7000 faac8500   sr         (deferred)
facac000 facbae00   serial     (deferred)
fb008000 fb00ba80   serenum    e:\mysymbols\SereEnum.pdb\.......
fb24f000 fb250000   swenum     (deferred)
Unloaded modules:
f9f53000 f9f61000   swmidi.sys
fb0ae000 fb0b0000   splitter.sys
fb040000 fb043000   Sfloppy.SYS