Introducing and Configuring WinDBG: Windows Debugging Part 2

Basic Windows Debugging Introducing and Configuring WinDBG

In this article we are going to learn about the Windows Debugger, aka WinDBG, and how to configure it for use in our environment.

Introduction:

As per the great Wikipedia: https://en.wikipedia.org/wiki/WinDbg

WinDBG is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. In other words, it is a debugger used to debug code, drivers, applications and running processes on Windows, in user mode and in kernel mode, either against a live target or from a dump file.

Let's take the example of Windows crashing with a Blue Screen of Death. When that happens Windows writes a dump file, by default %SystemRoot%\MEMORY.DMP, that captures the memory state of the system at the moment of the crash (how much memory it captures depends on the crash dump type configured under Startup and Recovery; a complete memory dump is the size of physical RAM). Loaded into the debugger, that file tells us which processes and threads were running when the system crashed, and lets us find the culprit driver and what it did to trigger the crash.

This is the same thing Microsoft does when you open a case with them and share the MEMORY.DMP file.

In the last article, Basic Windows Debugging – Part 1: Setting up your Tools, we already installed WinDBG. Now we are going to understand how to configure it and use it.

For this demo I will be using WinDBG Preview, which is a Windows app that can be downloaded from the Microsoft Store. The reason is that it is new and easy to use. Once you open the app it looks something like this:

[Screenshot: WinDBG Preview window]

If you are a fan of bright light this looks fine; for a person like me it does not, so I will change the theme of the app to suit my requirement: dark.

Select

File -> Settings -> General -> Theme (switch to Dark)

[Screenshot: WinDBG Preview settings, General tab]

Not sure why, but this is much easier on the eyes:

[Screenshot: WinDBG Preview in the dark theme]

Here you see all the reference options and objects you can use; we will learn about them as we discuss the relevant issues. Right now we are only going to talk about configuring the debugger.

Let's understand some debugging concepts before we start learning WinDBG.

Symbols:

When you build an application, the compiler and linker produce symbol files (.pdb files on Windows) alongside the EXEs and DLLs. A symbol file contains data about the code that is useful while debugging: the names and addresses of functions and global variables and, in full (private) symbols, types, local variables and source line numbers. Public symbols, which is what Microsoft's symbol server serves for Windows binaries, are stripped of local variables and source line information but still resolve function and global names.

Once a dump is loaded with full symbols you can see the global and local variables associated with the code and map any address back to the source line it came from. With public symbols you get function and global names, which is enough to read a call stack and identify the driver on it.

Setting the Location of Symbol Server:

1. From GUI:

You can add the location of the symbol server in the options below. Before doing this, create the cache folder C:\Symbols; downloaded symbols are stored there so that the next session does not have to fetch them again.

File -> Settings -> Debugging Settings -> Default Symbol Path :: srv*C:\Symbols\Windows*https://msdl.microsoft.com/download/symbols

File -> Settings -> Debugging Settings -> Default cache :: C:\Symbols

Use https rather than http for the server URL: the debugger parses and maps whatever the symbol server returns, so you want that transport authenticated, and Microsoft's server supports https (the expanded path printed by .sympath further down uses it). The Windows sub-folder is where this srv element caches its own downloads; the Default cache is used by elements that do not name a cache, such as the plain srv* that .symfix sets.

[Screenshot: WinDBG Preview debugging settings with the symbol path and cache filled in]

2. From Command:

Usually you set or change the symbol path after you have loaded the dump or started the debugger.

Below are the Commands to make the change:

.symfix

The .symfix command sets the symbol path to point to the Microsoft symbol store. It replaces the current path; if you want to keep existing entries and append to them, use .sympath+ instead.

To use your C:\Symbols folder as the local cache for downloaded symbols, run:

.symfix C:\Symbols

To display the current symbol path, run:

.sympath

Example:

1: kd> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

Once the symbol location is set, run the command below to reload symbols in the debugger. Symbol loading is deferred by default, so a bad path may only show up when a module is first touched; .reload /f forces every module's symbols to load now, which surfaces lookup failures immediately.

.reload

Example:

1: kd> .reload
Loading Kernel Symbols
..........................................................................................
Loading User Symbols
Loading unloaded module list
....
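The same configuration can be applied outside the GUI, which is handy when you want every debugger on a machine (WinDBG Preview, classic WinDBG, cdb, kd) to agree: they all read the _NT_SYMBOL_PATH environment variable. The following PowerShell script is an added example and is not from the original article. It assumes the C:\Symbols cache and the Microsoft public symbol server from the steps above (both are parameters), creates the folder, writes the variable, refuses a plaintext http:// server, and lists what is already cached using the <file>\<index>\<file> folder layout that symsrv writes.

```powershell
# Added example (not from the original article): configure the symbol path
# outside the GUI so every debugger on the box picks it up through the
# _NT_SYMBOL_PATH environment variable.
# Assumptions: the cache lives at C:\Symbols (as in the article) and only the
# Microsoft public symbol server is used; both are parameters you can change.

param(
    [string]$CacheDir  = 'C:\Symbols',
    [string[]]$Servers = @('https://msdl.microsoft.com/download/symbols')
)

function Test-SymbolServerUrl {
    # A symbol server hands the debugger files it will parse and map into
    # memory, so refuse plaintext HTTP: use HTTPS, and only servers you trust.
    param([string]$Url)
    if ($Url -notmatch '^https://') {
        throw "Refusing non-HTTPS symbol server: $Url"
    }
    return $Url
}

function New-SymbolPath {
    param([string]$CacheDir, [string[]]$Servers)
    # Each element is srv*<local cache>*<server>; elements are joined with ';'.
    $elements = foreach ($s in $Servers) {
        'srv*{0}*{1}' -f $CacheDir, (Test-SymbolServerUrl $s)
    }
    return ($elements -join ';')
}

function Set-SymbolEnvironment {
    param([string]$CacheDir, [string[]]$Servers)
    if (-not (Test-Path -LiteralPath $CacheDir)) {
        New-Item -ItemType Directory -Path $CacheDir | Out-Null
    }
    $path = New-SymbolPath -CacheDir $CacheDir -Servers $Servers
    # User scope persists across sessions without admin rights; also set it in
    # this process so a debugger started from this console sees it right away.
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $path, 'User')
    $env:_NT_SYMBOL_PATH = $path
    return $path
}

function Get-CachedSymbols {
    # Inventory what the cache already holds. symsrv writes
    # <cache>\<file>\<index>\<file>, where <index> is the PDB GUID+age for a
    # .pdb or timestamp+size for an image (the same index !sym noisy prints).
    param([string]$CacheDir)
    Get-ChildItem -LiteralPath $CacheDir -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.Name
            Get-ChildItem -LiteralPath $_.FullName -Directory | ForEach-Object {
                [pscustomobject]@{
                    File   = $file
                    Index  = $_.Name
                    Cached = Test-Path -LiteralPath (Join-Path $_.FullName $file)
                }
            }
        }
}

$configured = Set-SymbolEnvironment -CacheDir $CacheDir -Servers $Servers
"_NT_SYMBOL_PATH = $configured"
Get-CachedSymbols -CacheDir $CacheDir | Format-Table -AutoSize
```

Save it as a .ps1 file and run it once; then start the debugger and confirm with .sympath that the path it picked up is the one the script wrote. Note that running .symfix afterwards replaces the path for that session, so if you rely on the environment variable, prefer .sympath+ to add entries.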


Troubleshooting:

If you see errors at this point or symbols fail to load, enable verbose symbol logging with:

1: kd> !sym noisy 
noisy mode - symbol prompts on

After this, when you reload you can see each step the debugger performs (which store it queries, which file and index it asks for, the path it tried and the result code) and isolate the problem from that:

1: kd> .reload
SYMSRV: BYINDEX: 0x61
C:\Symbols*https://msdl.microsoft.com/download/symbols
        ntoskrnl.exe
        5E2FC6A777d000
SYMSRV: PATH: C:\Symbols\ntoskrnl.exe\5E2FC6A777d000\ntoskrnl.exe
SYMSRV: RESULT: 0x00000000
DBGHELP: C:\Symbols\ntoskrnl.exe\5E2FC6A777d000\ntoskrnl.exe - OK
DBGENG: 
C:\Symbols\ntoskrnl.exe\5E2FC6A777d000\ntoskrnl.exe - Mapped image memory
SYMSRV: BYINDEX: 0x62
C:\Symbols*https://msdl.microsoft.com/download/symbols
        ntkrnlmp.pdb
        4253B608A3C54483889B5A27143D25011
SYMSRV: PATH: C:\Symbols\ntkrnlmp.pdb\4253B608A3C54483889B5A27143D25011\ntkrnlmp.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: nt - public symbols
         C:\Symbols\ntkrnlmp.pdb\4253B608A3C54483889B5A27143D25011\ntkrnlmp.pdb
Loading Kernel Symbols
.......................................................................................
Loading User Symbols


Once you have finished troubleshooting, switch it back to its initial state:

1: kd> !sym quiet
quiet mode - symbol prompts on
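With a real dump the noisy output runs to many screens, one SYMSRV block per module, and the failing lookups are buried among the successful ones. The script below is an added example, not from the original article: it parses a saved !sym noisy transcript into one record per BYINDEX block and reports every lookup whose RESULT is not 0. The sample transcript is constructed: the first two blocks mirror the article's output for ntoskrnl.exe and ntkrnlmp.pdb, and the third block (contoso.pdb, with a non-zero result code) is made up to show what a failure looks like.

```powershell
# Added example (not from the original article): summarise a "!sym noisy"
# transcript so that, with dozens of modules, the lookups that failed stand out.
# Each lookup is a SYMSRV BYINDEX block: store path, file name and index on the
# indented lines, then PATH and RESULT. The sample below is constructed: the
# first two blocks mirror the article's output, the third (contoso.pdb with a
# non-zero result) is made up to show a failure.

$sampleLog = @'
SYMSRV:  BYINDEX: 0x61
         C:\Symbols*https://msdl.microsoft.com/download/symbols
         ntoskrnl.exe
         5E2FC6A777d000
SYMSRV:  PATH: C:\Symbols\ntoskrnl.exe\5E2FC6A777d000\ntoskrnl.exe
SYMSRV:  RESULT: 0x00000000
DBGHELP: C:\Symbols\ntoskrnl.exe\5E2FC6A777d000\ntoskrnl.exe - OK
SYMSRV:  BYINDEX: 0x62
         C:\Symbols*https://msdl.microsoft.com/download/symbols
         ntkrnlmp.pdb
         4253B608A3C54483889B5A27143D25011
SYMSRV:  PATH: C:\Symbols\ntkrnlmp.pdb\4253B608A3C54483889B5A27143D25011\ntkrnlmp.pdb
SYMSRV:  RESULT: 0x00000000
DBGHELP: nt - public symbols
         C:\Symbols\ntkrnlmp.pdb\4253B608A3C54483889B5A27143D25011\ntkrnlmp.pdb
SYMSRV:  BYINDEX: 0x63
         C:\Symbols*https://msdl.microsoft.com/download/symbols
         contoso.pdb
         0123456789ABCDEF0123456789ABCDEF1
SYMSRV:  RESULT: 0x80190194
'@

function Get-SymbolLookupSummary {
    param([string[]]$Lines)
    $lookups = [System.Collections.Generic.List[object]]::new()
    $current = $null
    $fields  = @()   # indented lines after BYINDEX: store path, file, index
    foreach ($line in $Lines) {
        if ($line -match '^SYMSRV:\s+BYINDEX:\s+(0x[0-9A-Fa-f]+)') {
            $current = [pscustomobject]@{
                Seq = $Matches[1]; File = $null; Index = $null
                Path = $null; Result = $null; Status = 'incomplete'; Kind = $null
            }
            $lookups.Add($current)
            $fields = @()
        }
        elseif ($null -eq $current) {
            continue
        }
        elseif ($null -eq $current.Result -and $line -match '^\s+(\S+)\s*$') {
            # Only the indented lines before RESULT belong to the lookup header;
            # the indented path after "DBGHELP: ... symbols" is deliberately skipped.
            $fields += $Matches[1]
            if ($fields.Count -eq 3) { $current.File = $fields[1]; $current.Index = $fields[2] }
        }
        elseif ($line -match '^SYMSRV:\s+PATH:\s+(.+?)\s*$') {
            $current.Path = $Matches[1]
        }
        elseif ($line -match '^SYMSRV:\s+RESULT:\s+(0x[0-9A-Fa-f]+)') {
            $current.Result = $Matches[1]
            # RESULT is an HRESULT; anything but 0 means this lookup failed.
            $current.Status = if ([Convert]::ToUInt32($Matches[1], 16) -eq 0) { 'ok' } else { 'failed' }
        }
        elseif ($line -match '^DBGHELP:\s+\S+ - (public|private|export) symbols') {
            $current.Kind = $Matches[1]
        }
    }
    return $lookups
}

$summary = Get-SymbolLookupSummary -Lines ($sampleLog -split "`r?`n")
$summary | Format-Table Seq, File, Index, Status, Result, Kind -AutoSize
$summary | Where-Object Status -ne 'ok' | ForEach-Object {
    "Lookup $($_.Seq) for $($_.File) (index $($_.Index)) failed with $($_.Result)"
}
```

To use it on a real session, copy the command window output after .reload into a text file and pass Get-Content of that file to Get-SymbolLookupSummary instead of $sampleLog. A failed lookup whose index looks right usually means the server simply does not have that build (typical for third-party drivers); a lookup with the wrong index means the image on disk does not match the dump.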

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
