windbg

How to break on the entry point of a program when debug in kernel mode with windbg?

前提是你 submitted on 2019-12-08 10:20:03
Question: I want to debug a program in kernel mode, and I want to break on the entry point of the program like OllyDbg. But I can't break on it with bp because the program has not started and the symbols can't be loaded. I have found some ways to do it but I think they're not so good. 1. Break on the CreateProcess function in the kernel. But I don't know exactly which function I should break on, and I think there is a long way between CreateProcess and the entry point of the program. 2. Change the entry point of the

!DumpHeap - possible to disable GC warning?

浪尽此生 submitted on 2019-12-08 08:21:30
Question: I have a full process dump from an NT service (implemented using C# / .NET 4.5.2) that's in the middle of a GC cycle. When I load it into WinDbg and try to run !DumpHeap -stat (or any other variant of DumpHeap), I get this warning: The garbage collector data structures are not in a valid state for traversal. It is either in the "plan phase," where objects are being moved around, or we are at the initialization or shutdown of the gc heap. Commands related to displaying, finding or traversing

WinDbg can't find microsoft symbols

眉间皱痕 submitted on 2019-12-08 07:12:48
Question: I have a simple demo console program to debug, but surprisingly WinDbg can't find symbols from the Microsoft default store. I do .reload /f and I get the summary: ************* Symbol Loading Error Summary ************** Module name Error ConsoleApp PDB not found : cache* Unable to locate the .pdb file in this location The system cannot find the file specified : SRV*https://msdl.microsoft.com/download/symbols The SYMSRV client failed to find a file in the UNC store, or there is an invalid UNC store (an

CDB command for setting a breakpoint based on a line number

一个人想着一个人 submitted on 2019-12-08 06:26:27
Question: Is there a set of CDB commands for setting a breakpoint based on a line number? It seems that there is no "direct" one. Actually it seems that CDB knowledge is falling into a black hole and it's getting harder and harder to find resources on the Internet. My CDB setup: cdb -c "l+*;.lines" and later I add the source: lsf mySource.d Currently I put hard-coded breakpoints with a mixin: enum brk = "debug{asm{int 3;}}"; // code mixin(brk); But it's not a viable solution. Answer 1: The syntax to break in

How to dump the output of !dumpheap into a file, when the heap contains millions of objects?

若如初见. submitted on 2019-12-08 06:11:27
Question: Please observe: 0:000> !dumpheap -stat Statistics: MT Count TotalSize Class Name 000007fefa9c8c58 1 24 System.ServiceProcess.Res 000007fef99d3de8 1 24 System.Collections.Generic.GenericArraySortHelper`1[[System.DateTime, mscorlib]] 000007fef99cf8e8 1 24 System.Collections.Generic.GenericComparer`1[[System.Decimal, mscorlib]] ... 000007fef8f02090 47295 141585288 System.Char[] 000007fe9b1cbe20 1064155 229857480 Xyz.DataServices.Platform.BalanceTransactionForAccrualByOrg 000007fef8f06888 21401

Debugdiag shows “Microsoft VC Runtime Heap” using over 1gb

自闭症网瘾萝莉.ら submitted on 2019-12-08 05:01:17
Question: Hello, I have a leak in my WPF application and I'm trying to use the memory dump file to track down where the problem is. Using WinDbg and SOS I couldn't find anything suspicious. Then I tried DebugDiag and I got that Microsoft VC Runtime Heap (private) has 1,42 GBytes of committed memory. Do you know why this happens? Heap 1 - 0x003b0000 Heap Name Microsoft VC Runtime Heap (private) Heap Description This is a private CRT heap used by mscoreei Reserved memory 1,43 GBytes Committed memory 1

Viewing the actual data in !address REGionUsageIsVAD WinDBG

倖福魔咒の submitted on 2019-12-08 04:30:03
Question: I used !address -RegionusageIsVAD and found an entry that is very huge in size. How can I view who wrote this data and what data is in that specific address? Example output: 099230000 : 099230000 - 01000000 Type 00020000 MEM_PRIVATE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageIsVAD So I want to see what data is in this address and who allocated it. Answer 1: High RegionUsageIsVAD typically comes from 2 reasons: this is a .NET application. In this case, the CLR

c0000005 Exception in C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos.threads debugger extension

房东的猫 submitted on 2019-12-08 04:11:30
Question: I'm experiencing an exception in the first run of any SOS extension command when the load by command is used to load the extension. However, if I use the load command the exception is not presented. Below is a step through the process I use. Can someone explain why this happens and a possible resolution? 0:007> .chain Extension DLL search Path: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\WINXP;C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\winext;C:\Program Files (x86)\Windows

How to determine length of null-terminated string in WinDbg

一曲冷凌霜 submitted on 2019-12-08 02:12:34
Question: There is a null-terminated ASCII string in the address space of the target process being debugged. I want to write a WinDbg script to print out the length of this string. Assuming I know the address of the starting character of the string, how do I calculate its length? Answer 1: IMHO it's not convenient in WinDbg, and I tried finding a solution involving s, .foreach and .if for more than 15 minutes but the result was frustrating. In such a case I use a real programming language like

Is it possible to debug win2003 IIS crash dump using windbg on windows XP?

半世苍凉 submitted on 2019-12-08 02:01:01
Question: I downloaded symbols for Windows 2003 Server from here: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 I did what is described here: http://blogs.msdn.com/b/johan/archive/2007/11/13/getting-started-with-windbg-part-i.aspx. But when I try to run !threadpool it says: 0:024> !threadpool Failed to load data access DLL, 0x80004005 Verify that 1) you have a recent build of the debugger (6.2.14 or newer) 2) the file mscordacwks.dll that matches your version of mscorwks.dll is in the version