windbg

WinDbg cannot find symbols for ntdll on MS symbol server

Anonymous (unverified) submitted on 2019-12-03 03:03:02
Question: I'm trying to debug executable notepad.exe (from Windows 10 distribution), and symbols ntdll.pdb from Microsoft symbols server are required, but debugger returns an error that they cannot find file specified:
0:000> .reload
Reloading current modules .................................
SYMSRV:  BYINDEX: 0x25
         http://msdl.microsoft.com/download/symbols
         ntdll.pdb
         BC08E2B7EBB349A18DCE18BE9AA6660E1
SYMSRV:  HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pdb
SYMSRV:  HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV:

WinDbg loses connection debugging over network, and target machine freeze

Anonymous (unverified) submitted on 2019-12-03 02:56:01
Question: I'm trying to get WinDbg debugging over the network to work, but it always loses connections after I break into the debugger (Debug->Break), and then try to start it again (Debug->Go). However, if I never break into the debugger, it looks like the connection is stable for an 'N' period of time. I can even see debug print statements in WinDbg as I use the target system during this grace period. Moreover, it seems like the connection is good while in debug break, because I can gather information from the target system. I use "!ustr srv

WinDbg x64: Cannot debug a crash dump - failed to load data access DLL

Anonymous (unverified) submitted on 2019-12-03 02:16:02
Question: I attached WinDbg to a running process and had the process crash (I have a separate question re. that case). Once the program crashed, WinDbg stopped and allowed me to debug the program. I took a crash dump for further investigation with a command ".dump /ma". The program was compiled as "Any CPU" and I used WinDbg x64 to take the dump. Now I open WinDbg x64 on the same computer again and open the crash dump. Here is what it says:
Loading Dump File [C:\crashdump.dmp]
User Mini Dump File with Full Memory: Only application data is available

Analyzing output of !threadpool and !threads in windbg

允我心安 submitted on 2019-12-03 02:15:35
I have generated dumps on four servers and am analyzing the output of !threadpool and !threads. I noticed the roughly consistent following output:
0:024> !threadpool
CPU utilization 0%
Worker Thread: Total: 2 Running: 0 Idle: 2 MaxLimit: 200 MinLimit: 2
Work Request in Queue: 0
Number of Timers: 27
Completion Port Thread:Total: 2 Free: 0 MaxFree: 4 CurrentLimit: 2 MaxLimit: 200 MinLimit: 2
!threads -special
ThreadCount: 32
UnstartedThread: 0
BackgroundThread: 19
PendingThread: 0
DeadThread: 13
Hosted Runtime: no
My questions are: 1) How can I determine what the source of those 27 timers are? 2

windbg dump command fails with error 0x8007012b

Anonymous (unverified) submitted on 2019-12-03 00:56:02
Question: A customer is attempting to capture a minidump of a hang. He fires up WinDbg and successfully attaches to the process. WinDbg displays its header:
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
and the loaded modules are enumerated. He enters a dump command:
.dump /m c:\problem.dmp
It reports:
Creating c:\problem.dmp - mini user dump
WriteMemoryFromProcess.Read(0x1f1e000, 0x2000) failed, 0x8007012b
Dump creation failed, Win32 error 0n299
    "Only part of a ReadProcessMemory

How to get file path by handle in windbg?

Anonymous (unverified) submitted on 2019-12-03 00:56:02
Question: How can I obtain a file path from a handle with windbg/kd in kernel mode?
Answer 1: Use !handle <handle_num> 7 <proc_id> to display detailed information for that handle, where <handle_num> is the handle value and <proc_id> is the process id value (both hex based); see this msdn link for further information. You can glean your process id from a user mode session, this is the easiest method: just attach in user mode and enter the pipe command | and it will output like so:
.  0    id: 1680    attach    name: D:\test\MyApp.exe
so 1680 would be the proc id, then list

Windbg -- Viewing the call stack

Anonymous (unverified) submitted on 2019-12-03 00:18:01
Original source: Windbg -- Viewing the call stack
1. Displaying stack information: the k* commands
[~ Thread ] k[b |p| P |v] [c] [n] [f] [ L ] [ M ] [ FrameCount ]
[~ Thread ] k[b |p| P |v] [c] [n] [f] [ L ] [ M ] = BasePtr [ FrameCount ]
[~ Thread ] k[b |p| P |v] [c] [n] [f] [ L ] [ M ] = BasePtr StackPtr InstructionPtr
[~ Thread ] kd [ WordCount ]
Parameters:
Thread:
b:
p:
P: Same as p, except that each parameter is displayed on a separate line.
n:
FrameCount:
2. Switching to a given frame
Once the call stack has been displayed, if you want to know the details of a particular frame, use .frame to switch to that frame; commands such as dv can then be used to display local variables.
.frame [/c] [/r] [FrameNumber]
/r:
FrameNumber:
For the function call process and the push/pop order, see: Analysing the function call process from the assembly perspective (1), Analysing the function call process from the assembly perspective (2)
Please cite this page's address when reposting: Windbg -- Viewing the call stack
Article source: Windbg -- Viewing the call stack

How to read a google chrome crash dump with windbg

一世执手 submitted on 2019-12-03 00:15:38
Here is what I'm trying to solve. I have a crash dump from Google Chrome. I open windbg and say File -> Symbol File Path: "SRV*c:\code\symbols*http://msdl.microsoft.com/download/symbols;SRV*c:\code\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com" I guess this looks for the debugging symbols from left to right and should finally grab them from google then. I copied that from http://www.chromium.org/developers/how-tos/debugging . I drag and drop the crash dump into windbg. And then...
Microsoft (R) Windows Debugger Version 6.2.8400.0 AMD64
Copyright (c) Microsoft

Common WinDbg command series --- .effmach

Anonymous (unverified) submitted on 2019-12-03 00:11:01
.effmach (Effective Machine)
The .effmach command displays or changes the processor mode that the debugger uses.
.effmach [ MachineType ]
Parameters:
MachineType: Specifies the processor type the debugger uses for this session. If this parameter is omitted, the debugger displays the current machine type. You can enter one of the following machine types.
Machine type / Description
.      Use the native processor mode of the target computer.
#      Use the processor mode of the code that was executing for the most recent event.
x86    Use x86-based processor mode.
amd64  Use x64-based processor mode.
ebc    Use EFI byte code processor mode.
arm    Use ARM64 processor mode.
chpe   Use CHPE processor mode.
Environment:
Modes: user mode, kernel mode
Targets: live, crash dump
Platforms: all
The processor mode affects many debugger features:
Which processor is used for stack traces.
Whether the process uses 32-bit or 64-bit pointers.
Which processor's register set is active.
Source: 博客园 (cnblogs). Author: 活着的虫子. Link: https://www.cnblogs.com/yilang/p/11563225.html

Common WinDbg command series --- the e* commands for entering memory values

Anonymous (unverified) submitted on 2019-12-03 00:09:02
e, ea, eb, ed, eD, ef, ep, eq, eu, ew, eza (Enter Values)
The e* commands enter the values you specify into memory. Do not confuse this command with the ~e (Thread-Specific Command) qualifier.
e { b | d | D | f | p | q | w } Address [ Values ]
e { a | u | za | zu } Address "String"
e Address [ Values ]
Parameters:
Address: Specifies the starting address at which to enter the values. The debugger replaces the value at Address and at each subsequent memory location until all the values have been used.
Values: Specifies one or more values to enter into memory. Multiple numeric values must be separated by spaces. If no values are specified, the current address and the value at that address are displayed, and you are prompted for input.
String: Specifies the string to enter into memory. The ea and eza commands write it to memory as an ASCII string; the eu and ezu commands write it as a Unicode string. The eza and ezu commands write a terminating null; the ea and eu commands do not. The string must be enclosed in quotation marks.
Environment:
Modes: user mode, kernel mode
Targets: live, crash dump
Platforms: all
This command exists in the following forms. The second character of the ed and eD commands is case sensitive.
Command / Enter
e      Enters data in the same format as the most recent e* command. (If the most recent e* command was ea, eza, eu, or ezu