
WinDBG Command Reference/Cheat Sheet

First, let me point out the existence of the debugger.chm help file. If you're ever wondering what a specific command or extension does, what the syntax is to use it, or how to interpret the output - that file should be your first port of call. You can find it in your %PROGRAMFILES%\Debugging Tools For Windows directory, or you can launch it from within WinDBG, using the Help menu.

That said, I find it cumbersome to look through if you just want to remind yourself of something very quickly. I use this document, which started out as a text file on my home drive.

WinDBG Commands

!analyze -v		- Analyse the file and provide verbose information

!analyze -v -hang	- If the dump has been manually initiated on a hung server

lm			- List all loaded modules (drivers)
lmf			- List all loaded modules and file path
lmt			- List all loaded modules and timestamps
lm mdriver.sys		- Show details (as per lm output) for driver.sys (note the extra m on the command).
.tlist			- List all running processes (on the machine RIGHT NOW - only useful for live debugging)

!vm			- Virtual memory usage (good to confirm resource depletion)
!vm 0x21		- Verbose Kernel memory usage (in older versions of windbg)
!memusage		- Physical memory usage (not so much use, unless it's definitely physical depletion). May take aaaages.

!poolused		- Pool usage by pooltag - similar to having poolmon snapshots
!poolused 1		- As above, but verbose
!poolused 2		- Sort by Non-Paged pool usage
!poolused 3		- Sort by Paged pool usage
!poolused 4		- For Paged pool??
!poolused Mm*		- Find pooltags beginning "Mm" (case-sensitive)
!poolused Mm?t		- Find pooltags matching "Mm" something "t".
!pool <addr>		- Will tell you if the specified address is or was part of paged or nonpaged pool

!running		- Which threads were running on the CPUs at the time of the crash? Use !running -ti to include stacks and idle threads
!ready			- Shows which threads were ready to run, but still waiting for CPU
!prcb			- Processor Control block - gives you an idea of how busy a CPU is (user/kernel time)

!heap -l		- In user-mode - useful for finding memory leaks in heaps.  Can take OVER 24hrs to COMPLETE.

!htrace <addr>		- If ADDR is a handle, this will (hopefully) trace back where the handle came from.  Useful for handle leaks.

!cpuinfo		- Displays information about the CPU make/model/speed/capabilities
.effmach		- Shows arch (eg x64 AMD, x86 Intel..).  Pretty useless unless debugging on the affected system.
!sysinfo machineid	- Shows make/model/BIOS version of the system which generated the dumpfile
!sysinfo cpuinfo	- Shows proc details (speed, family/stepping, vendor) from the system which dumped
!sysinfo smbios		- Shows detailed hardware info (eg mobo, CPU, DIMMs, memory-mapped devices)

x srv!SrvComputerName	- Get computername from kernel or full dump

!process		- Displays memory/cpu stats about processes and their threads.
!process 0 0		- Displays all processes
!reg q			- Version 6.12.84 and up - May show registry key details if they were resident in the memory of the dump file (eg !reg q \registry\machine\system\controlset001\services\ndis)
!reg findkcb		- !reg findkcb \registry\machine\software\microsoft\windows\currentversion\run - needs the reg key to have been paged IN when the dump was generated
!reg kcb ffffffff	- Take the returned KCB value from above
!reg cellindex KeyHive KeyCell	- Taking values from above
!reg valuelist KeyHive pcell	- Taking pcell from the above will give you a list of values in that key along with Value addresses
!reg kvalue ValAddr	- Will give you a new Cell Index for this specific value (shown in the Data field)
!reg cellindex KeyHive Data	- Where Data is the output of the Data field from the reg kvalue command. This gives you a new pcell value to run as:
du pcell		- Should return the value of the reg key

.bugcheck		- shows the bugcheck code and arguments

.frame /c [FrameNumber] - sets context to specified stack frame. Provides more reliable information than .trap on x64.

k or kv			- Dumps call stack (v is verbose).
kn 			- Dumps call stack with frame numbers, easier than counting stacks for .frame.

				ChildEBP: a pointer to a memory location which stores the address of the previous function on the stack ("stack frame").
				ChildEBP pointer is supposed to contain the address of the previous function's frame.
				(eg dd of func2's ChildEbp should = func1 ChildEbp)
				RetAddr: The "return address" where processing will resume once this function returns (finishes what it had to do).

ln			- List Nearest.  Shows the nearest function to a memory address.


!whea			- Useful for HW-related bugchecks (0x124)
!errrec <addr>		- Give this the addresses from 'Error Records' output of !whea

!chkimg <module>	- Checks the loaded module against symbol for inconsistencies (eg !chkimg driver.sys)
!chkimg -lo 50 -d hal	- Checks drivers against the HAL for hardware errors. 

!blockeddrv		- Shows all blocked drivers.

ds|du|da|dc|dd|dq|dw	- dump string|unicode|ascii|char|dword|qword|word

j ((@cr4 & 0y00000000000000000000000000100000) != 0) '.echo PAE flag Enabled';'.echo PAE flag Disabled' - Determine if PAE is enabled

s -u|a [range] string	- Search a memory range for a specific string. eg: s -u 00400000 0053b000 'example' (u = unicode, a = ascii)

.load C:\Windows\Microsoft.NET\Framework\v2.0.50727\sos.dll	- For loading a .net version-specific SOS extension.

!driveinfo g:		- Shows info about a fixed disk (including the devobj address, which can be parsed with...)
!devobj 86bca4a0	- Returns a volume parameter block (VPB) which can be examined with !vpb
!vpb			- Dumps the vpb, telling if the volume is mounted, what the refcount (like handles) is, maybe the volume label.

!ndiskd.protocols	- List installed NDIS protocols and NIC bindings
!ndiskd.protocol addr	- List information about a specific protocol
!miniports		- List NDIS miniports. 
!ndiskd.miniport addr	- More info on miniport (eg device path, driver, mac address, state), add -offloads to see TCPChimney/RSS info
!ndiskd.interfaces	- Interface info (Interface name/GUID)



Symbol servers:

http://msdl.microsoft.com/download/symbols	Microsoft
http://build.chromium.org/buildbot/symsrv	Google Chrome
http://symbols.mozilla.org/firefox		Firefox
http://ctxsym.citrix.com/symbols		Citrix


Notes:

OVERLAPPED_MODULE

This means that the memory ranges for the two modules are overlapping.
This could cause issues if both modules are loaded at the same time, with overlapping address ranges.
Use the 'lm' command to check which modules are loaded.

For example:
OVERLAPPED_MODULE: Address regions for 'Cdfs' and 'imapi.sys' overlap
Running lm will give us this:
7: kd> lm
start             end                 module name
fffffadc`bbab4000 fffffadc`bbad5000   Cdfs       (deferred)
Unloaded modules:
fffffadc`bbabe000 fffffadc`bbad5000   imapi.sys

We can see they both have memory up to fffffadc`bbad5000 - however, as imapi.sys is not loaded, this is not an issue.
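The check described above (an overlap only matters when both modules are actually loaded) is easy to automate when you have a lot of dumps to triage. The following Python parser is an added example, not part of the original page; it parses the `lm` layout shown above, keeps loaded and unloaded modules apart, and only reports overlaps between modules that are both still loaded. The sample text is constructed from the excerpt above.

```python
import re
from typing import List, Tuple

Module = Tuple[str, int, int]   # (name, start, end)

# Constructed sample: the `lm` excerpt from the OVERLAPPED_MODULE note above.
SAMPLE_LM = """\
7: kd> lm
start             end                 module name
fffffadc`bbab4000 fffffadc`bbad5000   Cdfs       (deferred)
Unloaded modules:
fffffadc`bbabe000 fffffadc`bbad5000   imapi.sys
"""

# A module line starts with two WinDBG-style addresses (64-bit ones carry a
# backtick between the halves) followed by the module name.
MODULE_LINE = re.compile(r"^([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)")


def parse_addr(text: str) -> int:
    """Convert a WinDBG address such as fffffadc`bbab4000 to an int."""
    return int(text.replace("`", ""), 16)


def parse_lm(output: str) -> Tuple[List[Module], List[Module]]:
    """Split `lm` output into loaded and unloaded module ranges."""
    loaded: List[Module] = []
    unloaded: List[Module] = []
    current = loaded
    for line in output.splitlines():
        if line.strip().lower().startswith("unloaded modules"):
            current = unloaded      # every module line after this header is unloaded
            continue
        m = MODULE_LINE.match(line)
        if m:
            start, end, name = m.groups()
            current.append((name, parse_addr(start), parse_addr(end)))
    return loaded, unloaded


def find_overlaps(modules: List[Module]) -> List[Tuple[str, str]]:
    """Pairs of modules whose [start, end) address ranges intersect."""
    hits = []
    for i, (n1, s1, e1) in enumerate(modules):
        for n2, s2, e2 in modules[i + 1:]:
            if s1 < e2 and s2 < e1:
                hits.append((n1, n2))
    return hits


def live_overlaps(output: str) -> List[Tuple[str, str]]:
    """Overlaps that actually matter: both modules are still loaded."""
    loaded, _ = parse_lm(output)
    return find_overlaps(loaded)


def explain(output: str) -> str:
    """One-line verdict in the spirit of the note above."""
    loaded, unloaded = parse_lm(output)
    live = find_overlaps(loaded)
    if live:
        return f"live overlap between loaded modules: {live}"
    stale = find_overlaps(loaded + unloaded)
    if stale:
        return f"overlap only involves unloaded modules (benign): {stale}"
    return "no overlapping ranges"


if __name__ == "__main__":
    print(explain(SAMPLE_LM))
```

Paste the full `lm` output from the dump into SAMPLE_LM (or read it from a file) and call explain(); for the excerpt above it reports that the Cdfs/imapi.sys overlap only involves an unloaded module.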



Find the process from a thread:

Run !thread...

You will see (among other lines):
0: kd> !thread
THREAD e089d8c0  Cid 0000.0000  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
Owning Process            e089db40       Image:         Idle


Now take that owning process, and:
!process e089db40


This will spit out the process information and ALL THREADS:

0: kd> !process e089db40
PROCESS e089db40  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 01655000  ObjectTable: e1801d48  HandleCount: 3804.
    Image: Idle
    VadRoot ff9ddf48 Vads 1 Clone 0 Private 0. Modified 4. Locked 0.
    DeviceMap 00000000
    Token                             e1802a60
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        3 Days 12:11:47.703
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (7, 50, 450) (28KB, 200KB, 1800KB)
    PeakWorkingSetSize                0
    VirtualSize                       0 Mb
    PeakVirtualSize                   0 Mb
    PageFaultCount                    0
    MemoryPriority                    BACKGROUND
    BasePriority                      0
    CommitCharge                      0
[...all threads below].

Here, we've got the System Idle Process.


You can also take the Cid from the output of !vm:


0: kd> !process 05cc
Searching for Process with Cid == 5cc
Cid handle table at e3292000 with 1327 entries in use

PROCESS fe54e4c0  SessionId: 0  Cid: 05cc    Peb: 7ffff000  ParentCid: 0590
    DirBase: cfe42300  ObjectTable: e24c7770  HandleCount: 381.
    Image: java.exe
    VadRoot fdd2b2b8 Vads 93 Clone 0 Private 14775. Modified 32. Locked 0.
    DeviceMap e1800700
    Token                             e2ab38b8
    ElapsedTime                       1 Day 18:47:33.037
    UserTime                          00:00:02.484
    KernelTime                        00:00:00.484
    QuotaPoolUsage[PagedPool]         58916
    QuotaPoolUsage[NonPagedPool]      34712
    Working Set Sizes (now,min,max)  (15742, 50, 345) (62968KB, 200KB, 1380KB)
    PeakWorkingSetSize                15836
    VirtualSize                       251 Mb
    PeakVirtualSize                   257 Mb
    PageFaultCount                    16621
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      15307


On the token field, you can run:


0: kd> !token e1802a60
_TOKEN e1802a60
TS Session ID: 0
User: S-1-5-18
Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-18
Privs: 
 00 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 01 0x000000002 SeCreateTokenPrivilege            Attributes - 
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 03 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default 
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default 
 05 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 06 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 08 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 09 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 10 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 11 0x000000008 SeSecurityPrivilege               Attributes - 
 12 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 13 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 14 0x000000011 SeBackupPrivilege                 Attributes - 
 15 0x000000012 SeRestorePrivilege                Attributes - 
 16 0x000000013 SeShutdownPrivilege               Attributes - 
 17 0x00000000a SeLoadDriverPrivilege             Attributes - 
 18 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default 
 19 0x00000000c SeSystemtimePrivilege             Attributes - 
 20 0x000000019 SeUndockPrivilege                 Attributes - 
 21 0x00000001c SeManageVolumePrivilege           Attributes - 
 22 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 23 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x89 ( Token in use )
Token ID: 3ea              ParentToken ID: 0
Modified ID:               (0, 3e9)
RestrictedSidCount: 0      RestrictedSids: 00000000
OriginatingLogonSession: 0


This shows the permissions the process was running with: the user SID, its group memberships and which privileges were enabled.

Let's see who was running userinit.exe (which appears in the output of !vm with Cid of 05d8).


0: kd> !process 05d8
Searching for Process with Cid == 5d8
Cid handle table at e3292000 with 1327 entries in use

PROCESS fb8bd6b0  SessionId: 0  Cid: 05d8    Peb: 7ffff000  ParentCid: 0244
    DirBase: cfe42620  ObjectTable: ea2047b8  HandleCount:  23.
    Image: userinit.exe
    VadRoot fbfdf840 Vads 41 Clone 0 Private 101. Modified 0. Locked 0.
    DeviceMap e1800700
    Token                             e7584030
    ElapsedTime                       10:46:29.102
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         33340
    QuotaPoolUsage[NonPagedPool]      1560
    Working Set Sizes (now,min,max)  (424, 50, 345) (1696KB, 200KB, 1380KB)
    PeakWorkingSetSize                424
    VirtualSize                       12 Mb
    PeakVirtualSize                   12 Mb
    PageFaultCount                    437
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      169

        THREAD fbfcd0d0  Cid 05d8.1744  Teb: 7fffe000 Win32Thread: e549a340 WAIT: (Unknown) KernelMode Non-Alertable
            fdd52b20  Semaphore Limit 0x7fffffff
            fbfcd148  NotificationTimer
        IRP List:
            fc662e48: (0006,01b4) Flags: 00000884  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1800700
        Owning Process            fb8bd6b0       Image:         userinit.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      9863252        Ticks: 121 (0:00:00:01.890)
        Context Switch Count      9817                 LargeStack
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x0100556b
        Start Address 0x77e617f8
        Stack Init bf410000 Current bf40f814 Base bf410000 Limit bf40c000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr  
        bf40f82c e0833491 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
        bf40f858 e0829a82 nt!KiSwapThread+0x2e5 (FPO: [Non-Fpo])
        bf40f8a0 e087cc21 nt!KeWaitForSingleObject+0x346 (FPO: [Non-Fpo])
        bf40f8dc e087d14c nt!ExpWaitForResource+0xd5 (FPO: [Non-Fpo])
        bf40f8fc f4d8c1b8 nt!ExAcquireSharedStarveExclusive+0xac (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
        bf40f9b8 f4d8eb15 Dblhook+0xd1b8
        bf40fa00 f55494e8 Dblhook+0xfb15
        bf40fa5c e081df85 NsiFiltr!OsrFilterDeregister+0x722
        bf40fa70 e08f904b nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
        bf40fb58 e0937a20 nt!IopParseDevice+0xa35 (FPO: [Non-Fpo])
        bf40fbd8 e0933b54 nt!ObpLookupObjectName+0x5b0 (FPO: [Non-Fpo])
        bf40fc2c e08eaeff nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])
        bf40fca8 e08ec199 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
        bf40fd04 e08efd29 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
        bf40fd44 e08897cc nt!NtOpenFile+0x27 (FPO: [Non-Fpo])
        bf40fd44 7c82860c nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ bf40fd64)
        0007f55c 00000000 0x7c82860c

0: kd> !token e7584030
_TOKEN e7584030
TS Session ID: 0
User: S-1-5-18
Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-18
Privs: 
 00 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 01 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 03 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 04 0x00000001c SeManageVolumePrivilege           Attributes - 
 05 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 06 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 08 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 09 0x000000019 SeUndockPrivilege                 Attributes - 
 10 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 11 0x000000008 SeSecurityPrivilege               Attributes - 
 12 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 13 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 14 0x000000011 SeBackupPrivilege                 Attributes - 
 15 0x000000012 SeRestorePrivilege                Attributes - 
 16 0x000000013 SeShutdownPrivilege               Attributes - 
 17 0x00000000a SeLoadDriverPrivilege             Attributes - 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x89 ( Token in use )
Token ID: 478a14c          ParentToken ID: 0
Modified ID:               (0, 173a3)
RestrictedSidCount: 0      RestrictedSids: 00000000
OriginatingLogonSession: 0

It was SYSTEM.

Now how about cygrunsrv.exe?

0: kd> !token e3129030
_TOKEN e3129030
TS Session ID: 0
User: S-1-5-21-2242690984-4068953358-1829597453-1014
Groups: 
 00 S-1-5-21-2242690984-4068953358-1829597453-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-21-2242690984-4068953358-1829597453-1034
    Attributes - Mandatory Default Enabled 
 03 S-1-5-21-2242690984-4068953358-1829597453-1005
    Attributes - Mandatory Default Enabled 
 04 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner 
 05 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 06 S-1-5-6
    Attributes - Mandatory Default Enabled 
 07 S-1-5-11
    Attributes - Mandatory Default Enabled 
 08 S-1-5-15
    Attributes - Mandatory Default Enabled 
 09 S-1-2-0
    Attributes - Mandatory Default Enabled 
 10 S-1-5-5-0-130533
    Attributes - Mandatory Default Enabled LogonId 
 11 S-1-5-64-10
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-21-2242690984-4068953358-1829597453-513
Privs: 
 00 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 01 0x000000002 SeCreateTokenPrivilege            Attributes - 
 02 0x000000007 SeTcbPrivilege                    Attributes - 
 03 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 04 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 05 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 06 0x000000008 SeSecurityPrivilege               Attributes - 
 07 0x000000011 SeBackupPrivilege                 Attributes - 
 08 0x000000012 SeRestorePrivilege                Attributes - 
 09 0x00000000c SeSystemtimePrivilege             Attributes - 
 10 0x000000013 SeShutdownPrivilege               Attributes - 
 11 0x000000018 SeRemoteShutdownPrivilege         Attributes - 
 12 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 13 0x000000014 SeDebugPrivilege                  Attributes - 
 14 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 15 0x00000000b SeSystemProfilePrivilege          Attributes - 
 16 0x00000000d SeProfileSingleProcessPrivilege   Attributes - 
 17 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - 
 18 0x00000000f SeCreatePagefilePrivilege         Attributes - 
 19 0x000000019 SeUndockPrivilege                 Attributes - 
 20 0x00000001c SeManageVolumePrivilege           Attributes - 
 21 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 22 0x000000006 SeUnsolicitedInputPrivilege       Attributes - 
 23 0x00000000a SeLoadDriverPrivilege             Attributes - 
 24 0x000000015 SeAuditPrivilege                  Attributes - 
Authentication ID:         (0,1fdf0)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: Advapi             TokenFlags: 0x89 ( Token in use )
Token ID: 21d8a            ParentToken ID: 0
Modified ID:               (0, 217ad)
RestrictedSidCount: 0      RestrictedSids: 00000000
OriginatingLogonSession: 3e7
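When you are answering "who was this process running as, and with what?" across several `!token` listings, it is handy to parse them rather than read the privilege table by eye. The following Python parser is an added example and is not part of the original page. It reads the `!token` layout shown above (User, Groups with their Attributes lines, Privs, TokenType, Source), tells you whether the token is SYSTEM (S-1-5-18) or a member of BUILTIN\Administrators, lists only the privileges that were actually enabled, and flags the high-impact ones. The two samples are constructed, trimmed copies of the userinit.exe and cygrunsrv.exe listings above; the well-known SID names are a small assumed mapping from the standard Windows list.

```python
import re
from typing import Dict, List

# Constructed sample: trimmed version of the userinit.exe !token listing above.
SAMPLE_TOKEN_SYSTEM = """\
0: kd> !token e7584030
_TOKEN e7584030
TS Session ID: 0
User: S-1-5-18
Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-18
Privs: 
 00 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 01 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 02 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x89 ( Token in use )
"""

# Constructed sample: trimmed version of the cygrunsrv.exe !token listing above.
SAMPLE_TOKEN_USER = """\
0: kd> !token e3129030
_TOKEN e3129030
User: S-1-5-21-2242690984-4068953358-1829597453-1014
Groups: 
 00 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner 
 01 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-21-2242690984-4068953358-1829597453-513
Privs: 
 00 0x000000014 SeDebugPrivilege                  Attributes - 
 01 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
TokenType:                 Primary
Source: Advapi             TokenFlags: 0x89 ( Token in use )
"""

# Assumed mapping of a few well-known SIDs seen in the listings above.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-6": "Service",
}

# Privileges worth a second look when the owning process is unexpected.
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
               "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}

FIELD_RE = re.compile(r"^(User|Primary Group|TokenType|Source):\s*(\S+)")
GROUP_RE = re.compile(r"^\s*\d+\s+(S-1-[\d-]+)\s*$")
ATTR_RE = re.compile(r"^\s*Attributes\s*-\s*(.*?)\s*$")
PRIV_RE = re.compile(r"^\s*\d+\s+0x[0-9a-fA-F]+\s+(Se\w+Privilege)\s+Attributes\s*-\s*(.*?)\s*$")


def parse_token(text: str) -> Dict:
    """Parse a !token listing into user, groups (SID, attrs) and privs (name -> attrs)."""
    token = {"user": None, "primary_group": None, "token_type": None,
             "source": None, "groups": [], "privs": {}}
    pending_sid = None          # group SID waiting for its Attributes line
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).lower().replace(" ", "_").replace("tokentype", "token_type")
            token[key] = m.group(2)
            continue
        m = PRIV_RE.match(line)
        if m:
            token["privs"][m.group(1)] = set(m.group(2).split())
            continue
        m = GROUP_RE.match(line)
        if m:
            pending_sid = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m and pending_sid is not None:
            token["groups"].append((pending_sid, set(m.group(1).split())))
            pending_sid = None
    return token


def enabled_privileges(token: Dict) -> List[str]:
    """Only privileges that were enabled, not merely present, count."""
    return sorted(n for n, attrs in token["privs"].items() if "Enabled" in attrs)


def is_system(token: Dict) -> bool:
    return token["user"] == "S-1-5-18"


def is_local_admin(token: Dict) -> bool:
    return any(sid == "S-1-5-32-544" and "Enabled" in attrs for sid, attrs in token["groups"])


def summarize(token: Dict) -> str:
    user = token["user"]
    label = WELL_KNOWN_SIDS.get(user, "domain/local account")
    enabled = enabled_privileges(token)
    risky = sorted(set(enabled) & HIGH_IMPACT)
    return (f"user {user} ({label}), source {token['source']}, admin={is_local_admin(token)}, "
            f"enabled privs={len(enabled)}, high-impact enabled={risky}")


if __name__ == "__main__":
    for sample in (SAMPLE_TOKEN_SYSTEM, SAMPLE_TOKEN_USER):
        print(summarize(parse_token(sample)))
```

The attribute check is the important bit: in the cygrunsrv.exe listing most privileges are listed but not enabled, so a report that only counts privilege names would overstate what the process could actually do.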