windbg

How can I calculate heap chunk size from raw bytes read from memory. I tried below thing. 0:001> !heap Index Address Name Debugging options enabled 1: 00500000 2: 00280000 3: 008f0000 4: 00ab0000 5: 00cc0000 0:001> !heap -a 00500000 .. .. Heap entries for Segment00 in Heap 00500000 address: psize . size flags state (requested size) 00500000: 00000 . 00588 [101] - busy (587) 00500588: 00588 . 00240 [101] - busy (23f) 005007c8: 00240 . 00020 [101] - busy (18) 005007e8: 00020 . 00ca0 [101] - busy (c94) .. .. !heap -a 00500000 shows that size of first chunk is 588 bytes. If we dump the chunk

I have recently made a mistake analyzing a callstack, because I didn't expect the application to be 64 bit. I have used the WinDbg command kb to show the callstack and parameters passed to methods. On 64 bit, the parameters are not passed via the stack but in registers (RCX, RDX, R8 and R9) instead. It seems that WinDbg has not or not fully implemented this. Partly I guess it is almost impossible since the register values might have changed meanwhile. However, the WinDbg help still lists kb as a valid command under User-Mode, x64 Processor . Therefore my question is: What does kb display for

I have a minidump crashed from a .NET application. Is there any way to know the CLR version (e.g. version of mscorwks.dll) of the fault machine (which generates the crash dump) using either Windbg or some other tool? In WinDbg: the easiest way is to use the !eeversion command, but if you want additional info you can use the lm command with the v verbose option for the runtime module mscorwks . If you're on .NET 4 the runtime is called clr , so in that case you need to change the command accordingly. 0:026> lm vm mscorwks start end module name 79e70000 7a3ff000 mscorwks T (no symbols) Loaded

I can't make source code show in windbg when I pipe ntsd -d on the target through windbg -k , but it works when I debug locally. I want to debug the very first code execution of Winlogon.exe and LSASS.exe. But to make it easy to reproduce the problem, I made up this setup: I use the CrashMe sample application , with source and symbols pre-built, copied to C:\CrashMe on both the target and host I use Windows Debugging tools for Windows (DTW) version 6.12.0002.633 everywhere. The target is running Windows XP SP3, the host Windows 7 ultimate. Every path and settings is the same on both machine :

WinDbg has the .if statement for conditional execution of commands: .if (Condition) { Commands } .else { Commands } For Condition, it's not possible to use WinDbg commands. Is there any indirect way of using commands for the condition, e.g. through pseudo registers? Example task to accomplish: If a logfile is already opened, do nothing. If no logfile is open, use .logopen /t /u /d With .logfile , I can find out whether a log is open or not. But how to parse that output and how to assign the result to a pseudo register? Any other way without pseudo registers is also welcome. As the example may