Few useful Debugging Commands – WinDbg

19 Nov

All of these commands are for kernel mode. These are a few useful commands that I use on a daily basis for debugging. I hope you find them useful.

vertarget
Lists version information for the machine or dump you're debugging: OS build and architecture, kernel base, the time the dump was taken and the uptime. "version" additionally reports the debugger's own version.

1: kd> vertarget
Windows Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`0160c000 PsLoadedModuleList = 0xfffff800`017d1db0
Debug session time: Tue Apr  1 14:29:22.553 2008 (GMT-7)
System Uptime: 0 days 0:03:14.328

!sysinfo
Good utility to check the CPU revisions, BIOS revisions, SMBIOS machine ID and so on. In the cpuinfo output, Update Signature and MSR8B (IA32_BIOS_SIGN_ID) carry the microcode revision that was loaded (0xb4 below), which is worth recording when a problem might depend on microcode.

1: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.31, DMIVersion 0, Size=1695]
BiosVendor = Phoenix Technologies LTD
BiosVersion = 6.00
BiosReleaseDate = 09/24/2007
SystemManufacturer = VMware, Inc.
SystemProductName = VMware Virtual Platform
SystemVersion = None
BaseBoardManufacturer = Intel Corporation
BaseBoardProduct = 440BX Desktop Reference Platform
BaseBoardVersion = None

1: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2000
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ x86 Family 6 Model 15 Stepping 8
ProcessorNameString = REG_SZ Intel(R) Xeon(R) CPU           L5335  @ 2.00GHz
Update Signature = REG_BINARY 0,0,0,0,b4,0,0,0
Update Status = REG_DWORD 2
VendorIdentifier = REG_SZ GenuineIntel
MSR8B = REG_QWORD b400000000

Getting the Server Name from the dump:
There are easier ways to do this internally, but this gets it done too. dS dumps a UNICODE_STRING, so it needs the srv.sys symbols loaded. Good to confirm you're debugging the right server. 🙂

1: kd> dS srv!srvcomputername
e1b64db0  “Phantom”

!thread
Displays the current thread on the target system (!thread <address> does the same for any thread): owning process, wait and scheduling state, and the kernel stack. The IRP List shows the IRPs this thread has pending; the one below, fa0cc490, is examined with !irp next.

1: kd> !thread
THREAD fa6046c8  Cid 1ab4.1f34  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
IRP List:
    fa0cc490: (0006,01d8) Flags: 00000404  Mdl: 00000000
Not impersonating
Owning Process            fa15f3e0       Image:         cmd.exe
Wait Start TickCount      16627733       Ticks: 0
Context Switch Count      1102                 LargeStack
UserTime                  00:00:00.312
KernelTime                00:00:00.109
Win32 Start Address 0x00407ccc
Start Address 0x77e617f8
Stack Init f1e9d000 Current f1e9c4b8 Base f1e9d000 Limit f1e99000 Call 0
Priority 6 BasePriority 6 PriorityDecrement 0
ChildEBP RetAddr  Args to Child             
f1e9c174 e105bba7 0000008e c0000005 e11294a0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f1e9c538 e10346b4 f1e9c554 00000000 f1e9c5a8 nt!KiDispatchException+0x3a2 (FPO: [Non-Fpo])
f1e9c5a0 e1034668 f1e9c628 e11294a0 badb0d00 nt!CommonDispatchException+0x4a (FPO: [0,20,0])
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!Kei386EoiHelper+0x186
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c648 e112d742 f9de0310 f9de03c8 00000180 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c680 e112c65d 00000000 00000000 b57f0000 nt!ObOpenObjectByName+0x8f (FPO: [Non-Fpo])
f1e9c6fc e1131d22 f1e9c7fc 00000180 f1e9c7b8 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f1e9c758 f4df068a f1e9c7fc 00000180 f1e9c7b8 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f1e9c7a4 f4defe67 80005510 00540052 e9fa0920 savrt+0x4668a
00000000 00000000 00000000 00000000 00000000 savrt+0x45e67

!irp
Displays an I/O request packet, here the one from the thread's IRP list above. Each row is a stack location with the device and driver it was dispatched to, so the listing shows which drivers sit in this request's I/O path (Ntfs and SymEvent here). The symbol error for SYMEVENT.SYS only means there is no PDB for that driver; export symbols were used instead.

1: kd> !irp fa0cc490
Irp is active with 10 stacks 12 is current (= 0xfa0cc68c)
No Mdl: No System Buffer: Thread fa6046c8:  Irp is completed. 
     cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

            Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

            Args: 00000000 00000000 00000000 00000000
[ 12, 0]   0  0 fd1a8020 00000000 00000000-00000000   
           \FileSystem\Ntfs
            Args: 00000000 00000000 00000000 00000000
[ 12, 0]   0  0 fd101cd8 00000000 00000000-00000000   
          *** ERROR: Symbol file could not be found.  Defaulted to export symbols for SYMEVENT.SYS –
\Driver\SymEvent
            Args: 00000000 00000000 00000000 00000000

!poolused
Shows which pool tags are consuming the paged and non-paged pools, which is the first stop when chasing a leak. The argument is a bit mask: 2 sorts by non-paged usage, 4 by paged usage, and adding 1 expands each tag into details:

!poolused 2 – sorted by non-paged pool, summary
!poolused 3 – sorted by non-paged pool, details
!poolused 4 – sorted by paged pool, summary
!poolused 5 – sorted by paged pool, details

!running -ti
Dumps the stack of the thread currently running on each processor: -t adds the stack trace per processor and -i includes idle processors.

1: kd> !running -ti

System Processors 3 (affinity mask)
  Idle Processors 1

     Prcb      Current   Next   
  0  ffdff120  8089d8c0            …………….

ChildEBP RetAddr 
f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc
WARNING: Process directory table base EFFC7BE0 doesn’t match CR3 EFFC7020
WARNING: Process directory table base EFFC7BE0 doesn’t match CR3 EFFC7020

  1  f7727120  8c034bd0            …………….

  *** Stack trace for last set context – .thread/.cxr resets it
ChildEBP RetAddr 
f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc

!stacks
Lists every thread in every process with its state and the frames it is blocked in, so you can quickly see what threads are waiting on; !stacks 2 prints the full stacks, as below. The cache statistics at the top are the debugger's own memory-cache report, not part of the thread data. The other options are in the debugger's chm.

1: kd> !stacks 2
Proc.Thread  .Thread  Ticks   ThreadState Blocker
Max cache size is       : 1048576 bytes (0x400 KB)
Total memory in cache   : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
    counts: 0 cached/0 uncached, 0.00% cached
    bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
                            [fffffa8000c77950 System]
   4.000008  fffffa8000c774c0 ffffe94b GATEWAIT   nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForGate+0x22a
                                        nt!MmZeroPageThread+0x162
                                        nt!Phase1Initialization+0xe
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16
   4.000010  fffffa8000ca0720 ffffff8c Blocked    nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForSingleObject+0x2da
                                        nt!PopIrpWorkerControl+0x22
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16
   4.000014  fffffa8000c78bb0 fffffcb0 Blocked    nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForSingleObject+0x2da
                                        nt!PopIrpWorker+0x164
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16

!locks
Displays every kernel-mode ERESOURCE lock currently held, with the mode it was taken in (shared or exclusive) and its owning threads. All threads listed under Threads: own the lock; the number after each thread address is that owner's count, and the extension marks the current thread with <*>. If any waiters are queued up for the lock, it lists those too. An owner printed with its low bits set (feee9db3 below) is an owner pointer installed with ExSetResourceOwnerPointer, and the extension prints the real thread after "*** Actual Thread". Here the thread from !thread above, fa6046c8, holds three of the seven held locks, one of them a resource inside savrt.

1: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks….

Resource @ nt!CmpRegistryLock (0xe10ad4c0)    Shared 2 owning threads
    Contention Count = 87
     Threads: fc783020-01 feee9db0-01
KD: Scanning for held locks…

Resource @ 0xfeeed078    Shared 4 owning threads
     Threads: fad42330-01 fad33020-01 fad33db0-01 fad42b40-01
KD: Scanning for held locks…………………………………

Resource @ 0xfc6df828    Shared 1 owning threads
     Threads: fa6046c8-01
KD: Scanning for held locks..

Resource @ 0xfc7e91c8    Shared 1 owning threads
     Threads: fa6046c8-01
KD: Scanning for held locks.

Resource @ savrt (0xf4daf040)    Shared 1 owning threads
    Contention Count = 1
     Threads: fa6046c8-01
KD: Scanning for held locks…………………….

Resource @ 0xfa6c1380    Shared 1 owning threads
    Contention Count = 71388
     Threads: f9ed1918-01
KD: Scanning for held locks…………………………

Resource @ 0xfaab7840    Shared 1 owning threads
     Threads: feee9db3-01 *** Actual Thread feee9db0
KD: Scanning for held locks………………..
11756 total locks, 7 locks currently held
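Picking the interesting thread out of a long !locks listing by eye gets tedious, so here is a small parser for pasted !locks output (an added example, not code from the original post). It inverts the listing into a per-thread view, masks the owner-pointer flag bits the same way the "*** Actual Thread" annotation does, and ranks resources by contention count. The sample text is constructed from the listing above plus one exclusively owned resource with a waiter; the dict field names and the exact "Exclusively owned" line format are assumptions.

```python
"""Parse a pasted kernel `!locks` listing into per-thread and per-resource views.

Added example, not part of the original post: it only post-processes
debugger text, so it runs offline. SAMPLE_LOCKS is constructed from the
listing above plus one exclusively owned resource with a waiter."""
import re
from collections import defaultdict

SAMPLE_LOCKS = """\
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks....
Resource @ nt!CmpRegistryLock (0xe10ad4c0)    Shared 2 owning threads
    Contention Count = 87
     Threads: fc783020-01 feee9db0-01
Resource @ 0xfc6df828    Shared 1 owning threads
     Threads: fa6046c8-01
Resource @ 0xfc7e91c8    Shared 1 owning threads
     Threads: fa6046c8-01
Resource @ savrt (0xf4daf040)    Shared 1 owning threads
    Contention Count = 1
     Threads: fa6046c8-01
Resource @ 0xfa6c1380    Exclusively owned
    Contention Count = 71388
    NumberOfExclusiveWaiters = 1
     Threads: f9ed1918-02<*>
Resource @ 0xfaab7840    Shared 1 owning threads
     Threads: feee9db3-01 *** Actual Thread feee9db0
KD: Scanning for held locks.........
11756 total locks, 6 locks currently held
"""

# "Resource @ nt!CmpRegistryLock (0xe10ad4c0)    Shared 2 owning threads"
# "Resource @ 0xfc6df828    Shared 1 owning threads"
# "Resource @ 0xfa6c1380    Exclusively owned"   (exclusive format assumed)
RESOURCE_RE = re.compile(
    r"^Resource @ (?:(?P<sym>\S+) \()?0x(?P<addr>[0-9a-fA-F]+)\)?\s+"
    r"(?:Shared (?P<nshared>\d+) owning threads|(?P<excl>Exclusively owned))")
CONTENTION_RE = re.compile(r"^\s*Contention Count = (\d+)")
WAITERS_RE = re.compile(r"^\s*NumberOf(?:Shared|Exclusive)Waiters = (\d+)")
THREADS_RE = re.compile(r"^\s*Threads:\s*(.*)$")
# "fa6046c8-01" / "f9ed1918-02<*>": owner value, owner count, current-thread mark
OWNER_RE = re.compile(r"([0-9a-fA-F]{8,16})-([0-9a-fA-F]{2})(<\*>)?")
ACTUAL_RE = re.compile(r"\*\*\* Actual Thread ([0-9a-fA-F]{8,16})")


def parse_locks(text):
    """Return one dict per held resource, in listing order."""
    resources, cur = [], None
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            cur = {"resource": m.group("sym") or "0x" + m.group("addr"),
                   "addr": int(m.group("addr"), 16),
                   "mode": "exclusive" if m.group("excl") else "shared",
                   "contention": 0, "waiters": 0, "owners": []}
            resources.append(cur)
        elif cur is None:
            continue
        elif (m := CONTENTION_RE.match(line)):
            cur["contention"] = int(m.group(1))
        elif (m := WAITERS_RE.match(line)):
            cur["waiters"] += int(m.group(1))
        elif (m := THREADS_RE.match(line)):
            actual = ACTUAL_RE.search(m.group(1))
            for om in OWNER_RE.finditer(m.group(1).split("***")[0]):
                # The low two bits of an owner value are flags (an owner set
                # through ExSetResourceOwnerPointer has both set), so mask
                # them off to recover the thread address; that is what the
                # "*** Actual Thread" annotation reports, so prefer it if present.
                thread = int(om.group(1), 16) & ~0x3
                if actual:
                    thread = int(actual.group(1), 16)
                cur["owners"].append({"thread": thread,
                                      "count": int(om.group(2), 16),
                                      "current": om.group(3) is not None})
    return resources


def locks_by_thread(resources):
    """Invert the listing: thread address -> [(resource, mode, owner count)]."""
    held = defaultdict(list)
    for r in resources:
        for o in r["owners"]:
            held[o["thread"]].append((r["resource"], r["mode"], o["count"]))
    return dict(held)


def most_contended(resources, n=3):
    """Resources with the highest contention counts first."""
    return sorted(resources, key=lambda r: r["contention"], reverse=True)[:n]


if __name__ == "__main__":
    res = parse_locks(SAMPLE_LOCKS)
    for thread, held in sorted(locks_by_thread(res).items(), key=lambda kv: -len(kv[1])):
        print(f"thread {thread:08x} holds {len(held)}: "
              + ", ".join(f"{name} ({mode})" for name, mode, _ in held))
    for r in most_contended(res):
        print(f"contended: {r['resource']} count={r['contention']} waiters={r['waiters']}")
```

On the sample this reports fa6046c8 holding three resources and feee9db0 holding two (the second one only after the owner-pointer bits are masked), which is the view you want before deciding which thread to switch to with .thread.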

!qlocks
Displays the state of the kernel's queued spinlocks. Processors run across the top, and the cell under each processor shows whether that processor owns the lock (O), is waiting for it (a number giving its place in the queue), or the lock is corrupt (C); blank means neither owned nor waited for. Everything blank here means no queued spinlock was held when the dump was taken.

1: kd> !qlocks
Key: O = Owner, 1-n = Wait order, blank = not owned/waiting, C = Corrupt

                       Processor Number
    Lock Name         0  1  2  3

KE   – Dispatcher              
MM   – Expansion               
MM   – PFN                     
MM   – System Space            
CC   – Vacb                    
CC   – Master                  
EX   – NonPagedPool            
IO   – Cancel                  
EX   – WorkQueue               
IO   – Vpb                     
IO   – Database                
IO   – Completion              
NTFS – Struct                  
AFD  – WorkQueue               
CC   – Bcb                     
MM   – NonPagedPool            

!pcr
Shows useful fields from the processor control region (KPCR) of the current processor (!pcr N for another one): the current, next and idle threads, the IRQL, the IDT/GDT/TSS and the DPC queue. Use !dpcs to list the queued DPCs themselves.

1: kd> !pcr
KPCR for Processor 1 at f7727000:
    Major 1 Minor 1
    NtTib.ExceptionList: f4ac3d44
        NtTib.StackBase: 00000000
       NtTib.StackLimit: 00000000
     NtTib.SubSystemTib: f7727fe0
          NtTib.Version: 00336d13
      NtTib.UserPointer: 00000002
          NtTib.SelfTib: 7ffde000

                SelfPcr: f7727000
                   Prcb: f7727120
                   Irql: 0000001f
                    IRR: 00000000
                    IDR: ffffffff
          InterruptMode: 00000000
                    IDT: f772d800
                    GDT: f772d400
                    TSS: f7727fe0

          CurrentThread: 8c034bd0
             NextThread: 00000000
             IdleThread: f772a090

              DpcQueue:

lm t n
Lists the loaded modules with their link timestamps (t) and image names (n). The timestamps make an out-of-date driver stand out among the others, which is how the obsolete culprit was spotted here.

1: kd> lm t n
start     end       module   name
dd800000  dd9d0000  win32k   win32k.sys   Wed Mar 19 17:01:40 2008 (47E0F99C)
dd9d0000  dd9e7000  dxg      dxg.sys      Sat Feb 17 11:44:39 2007 (45D69D4F)
dd9e7000  dda3e100  ati2drad ati2drad.dll Mon Mar 22 21:53:41 2004 (405F130D)
dda3f000  dda5d000  RDPDD    RDPDD.dll    Sat Feb 17 19:31:19 2007 (45D70AAF)
e1000000  e127a000  nt       ntkrnlmp.exe Mon Mar 05 18:32:02 2007 (45EC14CA)
e127a000  e12a6000  hal      halmacpi.dll Sat Feb 17 11:18:26 2007 (45D6972A)
f1ca4000  f1cb81e0  naveng   naveng.sys   Fri Aug 15 09:30:26 2008 (48A4FF5A)
f1cb9000  f1d8ca20  navex15  navex15.sys  Fri Aug 15 08:40:42 2008 (48A4F3B2)
f31a0000  f31cb000  RDPWD    RDPWD.SYS    Sat Feb 17 11:14:38 2007 (45D69646)
f38b4000  f38bf000  TDTCP    TDTCP.SYS    Sat Feb 17 11:14:32 2007 (45D69640)
f3904000  f3912000  HIDCLASS HIDCLASS.SYS Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d14000  f3d1d000  hidusb   hidusb.sys   Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d74000  f3d9e000  Fastfat  Fastfat.SYS  Sat Feb 17 11:57:55 2007 (45D6A06B)
f4046000  f40a3000  srv      srv.sys      Sat Feb 17 11:57:20 2007 (45D6A048)
f466b000  f4683000  clusnet  clusnet.sys  Sat Feb 17 11:32:57 2007 (45D69A91)
f48b3000  f48c8000  Cdfs     Cdfs.SYS     Sat Feb 17 11:57:08 2007 (45D6A03C)
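To turn an lm t n listing into something you can act on, here is a parser for pasted output (an added example, not code from the original post). It decodes the hex link timestamp, sizes each module from its start and end addresses, maps an address back to the module that contains it, and lists modules built well before the kernel they are loaded into. The sample rows are copied from the listing above; the one-year threshold and the function names are assumptions.

```python
"""Triage a pasted `lm t n` listing: decode link timestamps, size modules,
map addresses to modules, and flag modules built long before the kernel.

Added example, not part of the original post; it parses debugger text only,
so it runs offline. SAMPLE_LM is copied from the listing above. The
one-year threshold in stale_modules() is an assumption."""
import re
from datetime import datetime, timezone

SAMPLE_LM = """\
start             end                module name
dd800000    dd9d0000     win32k   win32k.sys   Wed Mar 19 17:01:40 2008 (47E0F99C)
dd9d0000    dd9e7000     dxg      dxg.sys      Sat Feb 17 11:44:39 2007 (45D69D4F)
dd9e7000    dda3e100     ati2drad ati2drad.dll Mon Mar 22 21:53:41 2004 (405F130D)
dda3f000    dda5d000     RDPDD    RDPDD.dll    Sat Feb 17 19:31:19 2007 (45D70AAF)
e1000000    e127a000     nt       ntkrnlmp.exe Mon Mar 05 18:32:02 2007 (45EC14CA)
e127a000    e12a6000     hal      halmacpi.dll Sat Feb 17 11:18:26 2007 (45D6972A)
f1ca4000    f1cb81e0     naveng   naveng.sys   Fri Aug 15 09:30:26 2008 (48A4FF5A)
f1cb9000    f1d8ca20     navex15  navex15.sys  Fri Aug 15 08:40:42 2008 (48A4F3B2)
f31a0000    f31cb000     RDPWD    RDPWD.SYS    Sat Feb 17 11:14:38 2007 (45D69646)
f38b4000    f38bf000     TDTCP    TDTCP.SYS    Sat Feb 17 11:14:32 2007 (45D69640)
f3904000    f3912000     HIDCLASS HIDCLASS.SYS Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d14000    f3d1d000     hidusb   hidusb.sys   Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d74000    f3d9e000     Fastfat  Fastfat.SYS  Sat Feb 17 11:57:55 2007 (45D6A06B)
f4046000    f40a3000     srv      srv.sys      Sat Feb 17 11:57:20 2007 (45D6A048)
f466b000    f4683000     clusnet  clusnet.sys  Sat Feb 17 11:32:57 2007 (45D69A91)
f48b3000    f48c8000     Cdfs     Cdfs.SYS     Sat Feb 17 11:57:08 2007 (45D6A03C)
"""

# start  end  module  image  <date in the debugger's local time>  (<hex TimeDateStamp>)
# x64 listings print addresses as fffff800`0160c000; the backtick is dropped.
LM_RE = re.compile(
    r"^(?P<start>[0-9a-fA-F`]+)\s+(?P<end>[0-9a-fA-F`]+)\s+"
    r"(?P<module>\S+)\s+(?P<image>\S+)\s+.*?\((?P<ts>[0-9A-Fa-f]{8})\)\s*$")


def parse_lm(text):
    """Return one dict per module with integer base/end/size and UTC link time.

    The value in parentheses is the PE header TimeDateStamp (seconds since
    the Unix epoch). The date column is that value in the debugger's local
    time, so the hex is the number to compare between machines."""
    modules = []
    for line in text.splitlines():
        m = LM_RE.match(line)
        if not m:
            continue  # header line, or a module printed without a timestamp
        base = int(m.group("start").replace("`", ""), 16)
        end = int(m.group("end").replace("`", ""), 16)
        ts = int(m.group("ts"), 16)
        modules.append({"module": m.group("module"), "image": m.group("image"),
                        "base": base, "end": end, "size": end - base,
                        "timestamp": ts,
                        "linked": datetime.fromtimestamp(ts, tz=timezone.utc)})
    return modules


def module_for(modules, addr):
    """Return the module whose range contains addr, or None (what `lm a <addr>` reports)."""
    for mod in modules:
        if mod["base"] <= addr < mod["end"]:
            return mod
    return None


def stale_modules(modules, max_days_behind_kernel=365):
    """Modules linked more than max_days_behind_kernel before the kernel (nt) was.

    Age alone proves nothing: inbox drivers that never changed (HIDCLASS and
    hidusb in the sample) trip this too, so treat the result as a list to
    check for vendor, version and known issues, not as a verdict."""
    kernel = next((mod for mod in modules if mod["module"] == "nt"), None)
    reference = kernel["timestamp"] if kernel else max(mod["timestamp"] for mod in modules)
    cutoff = max_days_behind_kernel * 86400
    return [mod for mod in modules if reference - mod["timestamp"] > cutoff]


if __name__ == "__main__":
    for mod in stale_modules(parse_lm(SAMPLE_LM)):
        print(f"{mod['module']:9} {mod['image']:13} linked {mod['linked']:%Y-%m-%d %H:%M}Z "
              f"size {mod['size']:#x}")
```

On this listing the filter flags ati2drad.dll (2004) and the two 2003 HID drivers; the HID pair are the unchanged inbox binaries, which is exactly why the threshold is a triage filter and not a verdict. Note that the date column is the debugger's local time (17:01:40 for 47E0F99C, which is 11:31:40 UTC), so compare the hex timestamps rather than the printed dates, and that win32k's size from start and end (0x1d0000) matches the Size reported by !lmi below.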

!lmi
When I want information about a particular driver in the dump, I use lm t n to list them all and then !lmi to drill into one: base address, size, link time, and whether a PDB was found and what kind of symbols it provides.

1: kd> !lmi win32k.sys
Loaded Module Info: [win32k.sys]
         Module: win32k
   Base Address: bf800000
     Image Name: win32k.sys
   Machine Type: 332 (I386)
     Time Stamp: 47e0f99c Wed Mar 19 17:01:40 2008
           Size: 1d0000
       CheckSum: 1cd134
Characteristics: 10e  perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    23, 1935ac,  1929ac RSDS – GUID: {09B6D936-14C4-4CA1-90CF-A00888CD89A8}
               Age: 2, Pdb: win32k.pdb
                CLSID     4, 1935a8,  1929a8 [Data not mapped]
     Image Type: MEMORY   – Image read successfully from loaded memory.
    Symbol Type: PDB      – Symbols loaded successfully from symbol server.
                 c:\symcache\win32k.pdb\09B6D93614C44CA190CFA00888CD89A82\win32k.pdb
    Load Report: public symbols , not source indexed
                 c:\symcache\win32k.pdb\09B6D93614C44CA190CFA00888CD89A82\win32k.pdb

Don’t forget to leave your comments 🙂

Thanks,
Aresh

One Response to “Few useful Debugging Commands – WinDbg”

  1. Farzana November 19, 2008 at 7:55 pm #

    good blog … keep it up!!! … pretty useful commands
