Capturing Basic Details of a Dump: Windows Debugging Part 6

Basic Windows Debugging - Part 6: Basic WinDBG Commands

In this session we are going to take a process dump for reference and then use WinDBG to understand the process flow.

Please note that this is the 6th article in the Basic Windows Debugging series. The previous articles are:

 

Steps to Capture a Dump

To understand the process flow, let’s take Notepad as an example.

  1. Open Notepad.
  2. While it’s running, open Task Manager and select the Notepad process.
  3. Right-click the process and select “Create Dump File”.
  4. Copy the dump file from C:\Users\<Username>\AppData\Local\Temp\Notepad.DMP to a location you can access easily.

The complete procedure is described in the article below:

Understanding and Taking a Process Dump

Now create a Lab folder in the root of the C: drive, create a subfolder inside it, and paste Notepad.DMP there.

 

Debugging in WinDBG Preview

  1. Open WinDBG.
  2. Go to File -> Open Dump File -> select Notepad.DMP.
  3. Give the symbols some time to load.

While the symbols are loading, the status bar at the bottom of the window shows the progress.

 

Prerequisite:

Below are the steps which you need to perform whenever you

Symbols Load:

Let’s confirm the symbol path using:

.sympath

If you see any issues, run:

.symfix

Once done, reload the symbols:

.reload

Mex Extension Load:

.load C:\Mex\mex.dll

To confirm that Mex has loaded correctly, list the loaded extensions with:

.chain

 

Capturing Environment Details:

Now let’s try the very basic commands that you will use in every scenario.

To find the name of the loaded DMP file (useful when you have multiple dumps open in WinDBG):

0:000> ||
. 0 Full memory user mini dump: C:\Dump Directory\Notepad Open Dump\notepad.DMP

To know which process the dump was taken from:

0:000> |
.  0        id: 238f4        examine        name: C:\WINDOWS\system32\notepad.exe

For a more detailed view of the process, run the Mex command:

0:000> !mex.p
Name        Ses PID              PEB              Mods Handle Thrd
=========== === ================ ================ ==== ====== ====
notepad.exe   1 238f4 (0n145652) 000000190e0f6000   42    245    7

CommandLine: "C:\WINDOWS\system32\notepad.exe"
Last event: 238f4.239f8: Break instruction exception - code 80000003 (first/second chance not available)
Show Threads: Unique Stacks    !listthreads (!lt)    ~*kv

To list the threads in the dump (the total count is the number of rows):

0:000> ~
.  0  Id: 238f4.239f8 Suspend: 0 Teb: 00000019`0e0f7000 Unfrozen
   1  Id: 238f4.22780 Suspend: 0 Teb: 00000019`0e0f9000 Unfrozen
   2  Id: 238f4.25de8 Suspend: 0 Teb: 00000019`0e0fb000 Unfrozen
   3  Id: 238f4.261e0 Suspend: 0 Teb: 00000019`0e0fd000 Unfrozen
   4  Id: 238f4.257a0 Suspend: 0 Teb: 00000019`0e101000 Unfrozen
   5  Id: 238f4.25038 Suspend: 0 Teb: 00000019`0e103000 Unfrozen
   6  Id: 238f4.240c0 Suspend: 0 Teb: 00000019`0e105000 Unfrozen

To display the machine name, user name, uptime and Windows version:

0:000> !mex.di
Computer Name: ADMINIST-W01
User Name: administrator
PID: 0x238F4 = 0n145652
Windows 10 Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Debug session time: Thu Dec 17 11:11:12.000 2020 (UTC + 5:30)
System Uptime: 4 days 22:04:52.865
Process Uptime: 0 days 0:00:24.000
  Kernel time: 0 days 0:00:00.000
  User time: 0 days 0:00:00.000
UserMode Dump Path: C:\Dump Directory\Notepad Open Dump\notepad.DMP
Share Path: \\ADMINIST-W01\C$\Dump Directory\Notepad Open Dump\notepad.DMP
 
To display the operating system version:

0:000> !mex.ver
Platform ID: 2
Major Version: 10
Minor Version: 0
WinXP: False
Win2K3: False
Win2k3SP1OrNewer: True
Vista: False
VistaOrNewer: True
Win7: False
Win8: False
Blue: False
19041.1.amd64fre.vb_release.191206-1406
Build Number: 19041
Kernel Start Address: ffff800000000000
System Version Build String: 19041.1.amd64fre.vb_release.191206-1406

 

After running all these commands, you should be able to find the following details of the machine and process:

  • Process name for which the dump was taken: Notepad
  • Location of the dump: C:\Dump Directory\Notepad Open Dump\notepad.DMP
  • Computer name: ADMINIST-W01
  • User name: administrator
  • Number of threads: 7
  • Windows version: Windows 10 Version 19041
  • System uptime: 4 days 22:04:52.865
  • Process uptime: 0 days 0:00:24.000
  • Type of dump: Full memory user mini dump (shown by ||)
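As an added example that is not part of the original article, the Python below parses a transcript of the ||, |, ~ and !mex.di output shown above into exactly these summary fields, and cross-checks that the PID reported by |, by every thread in ~ and by !mex.di agree (a mismatch would mean the transcript was pasted from different dumps). The transcript is a constructed copy of the output on this page; the function names are my own.

```python
import re

# Constructed sample: the ||, |, ~ and !mex.di output from this article, saved as one transcript.
SAMPLE = r"""0:000> ||
.  0 Full memory user mini dump: C:\Dump Directory\Notepad Open Dump\notepad.DMP
0:000> |
.  0        id: 238f4        examine        name: C:\WINDOWS\system32\notepad.exe
0:000> ~
.  0  Id: 238f4.239f8 Suspend: 0 Teb: 00000019`0e0f7000 Unfrozen
   1  Id: 238f4.22780 Suspend: 0 Teb: 00000019`0e0f9000 Unfrozen
   2  Id: 238f4.25de8 Suspend: 0 Teb: 00000019`0e0fb000 Unfrozen
   3  Id: 238f4.261e0 Suspend: 0 Teb: 00000019`0e0fd000 Unfrozen
   4  Id: 238f4.257a0 Suspend: 0 Teb: 00000019`0e101000 Unfrozen
   5  Id: 238f4.25038 Suspend: 0 Teb: 00000019`0e103000 Unfrozen
   6  Id: 238f4.240c0 Suspend: 0 Teb: 00000019`0e105000 Unfrozen
0:000> !mex.di
Computer Name: ADMINIST-W01
User Name: administrator
PID: 0x238F4 = 0n145652
Windows 10 Version 19041 MP (8 procs) Free x64
"""

def split_commands(log):
    blocks, cmd = {}, None
    for line in log.splitlines():
        m = re.match(r"^\d+:\d+>\s*(.+)$", line)  # a "0:000> cmd" prompt starts a new block
        if m:
            cmd = m.group(1).strip()
            blocks[cmd] = []
        elif cmd and line.strip():
            blocks[cmd].append(line)
    return blocks

def parse_threads(lines):
    """Parse '~' rows: a leading '.' marks the current thread; Id is pid.tid in hex."""
    pat = re.compile(r"^([.#]?)\s*(\d+)\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)\s+Suspend:\s*\d+\s+Teb:\s*\S+\s+(\w+)")
    return [{"index": int(m[2]), "current": m[1] == ".", "pid": int(m[3], 16),
             "tid": int(m[4], 16), "state": m[5]} for m in map(pat.match, lines) if m]

def summarize(log):
    """Extract the triage-note fields and check that |, ~ and !mex.di agree on the PID."""
    b = split_commands(log)
    dump_type, dump_path = re.match(r"^\.?\s*\d+\s+(.+?):\s+(.+)$", b["||"][0]).groups()
    pid_hex, image = re.search(r"id:\s*([0-9a-f]+).*?name:\s*(.+)$", b["|"][0]).groups()
    threads, pid = parse_threads(b["~"]), int(pid_hex, 16)
    info = dict(l.split(": ", 1) for l in b["!mex.di"] if ": " in l)  # "Key: value" rows only
    version = next((l.split(" MP")[0] for l in b["!mex.di"] if l.startswith("Windows")), None)
    return {"process": image.rsplit("\\", 1)[-1], "dump_type": dump_type, "dump_path": dump_path,
            "pid": pid, "thread_count": len(threads), "current_tid": next(t["tid"] for t in threads if t["current"]),
            "computer": info["Computer Name"], "user": info["User Name"], "windows_version": version,
            "pid_consistent": all(t["pid"] == pid for t in threads) and info["PID"].endswith(f"0n{pid}")}
```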

This should be enough for you to start your analysis. In the next part we will discuss call stacks.

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
