Common WinDbg Commands (Thematically Grouped)

Load symbols for Module
Load symbols for all modules

Get state of symbol loading
Set noisy symbol loading (debugger displays info about its search for symbols)
Set quiet symbol loading (=default)

Examine symbols: displays symbols that match the specified pattern
with data type
verbose (symbol type and size)
sort by address
sort by name
sort by size ("size" of a function symbol is the size of the function in memory)

List nearest symbols = display the symbols at or near the given Addr. Useful to:

• determine what a pointer is pointing to
• when looking at a corrupted stack to determine which procedure made a call

Display or set symbol search path
Append directories to previous symbol path

displays current symbol options
add option
remove option

Set symbol store path to automatically point to http://msdl.microsoft.com/download/symbols
+ = append it to the existing path
DownstreamStore = directory to be used as a downstream store. Default is WinDbgInstallationDir\Sym.

Reload symbol information for all modules**
f = force immediate symbol load (overrides lazy loading); v = verbose mode
Module = for Module only

**Note: The .reload command does not actually cause symbol information to be read. It just lets the debugger know that the symbol files may have changed, or that a new module should be added to the module list. To force actual symbol loading to occur use the /f option, or the ld (Load Symbols) command.

Go
Go exception handled
Go not handled

What happened? Shows most recent event or exception

Display information about the current exception or bug check; verbose
User mode: Analyzes the thread stack to determine whether any threads are blocking other threads.
See an exception analysis even when the debugger does not detect an exception.

Show all event filters with break status and handling
break first-chance
break second-chance
notify; don't break
ignore event
reset filter settings to default values

display most recent exception record
display exception record at Addr

displays exception context record (registers) associated with the current exception

Display content and type of C++ exception

List modules; verbose | with loaded symbols | k-kernel or u-user only symbol info | image path; pattern that the module name must match
DML mode of lm; lmv command links included in output

all loaded modules with load count
by initialization order
by load order (default)
by memory order
with version info
only module at ModuleAddr
brief help

information about relocated images

detailed info about a module (including exact symbol info)

Dump headers for ImgBaseAddr
f = file headers only
s = section headers only
h = brief help

The !lmi extension extracts the most important information from the image header and displays it in a concise summary format. It is often more useful than !dh.

(DML) displays current processes and allows drilling into processes for more information

Print status of all processes being debugged

lists all processes running on the system

display formatted view of the process's environment block (PEB)

list threads
all threads
current thread
thread that caused the current event or exception
thread whose ordinal is Number
thread whose thread ID is TID (the brackets are required)
switch to thread N (new current thread)

[Command]: works for a few regular commands such as k, r

Execute thread-specific commands (CommandString = one or more commands to be executed) for:
all threads
current thread
thread which caused the current event
thread with ordinal

Freeze thread (see ~ for Thread syntax)

Unfreeze thread (see ~ for Thread syntax)

Suspend thread = increment thread's suspend count

Resume thread = decrement thread's suspend count

display formatted view of the thread's environment block (TEB)

-1 = dump all slots for current thread
SlotIdx = dump only specified slot
TebAddr = specify thread; if omitted, the current thread is used

display thread times (user + kernel mode)

display information about time consumed by each thread (0-user time, 1-kernel time, 2-time elapsed since thread creation). quick way to find out which threads are spinning out of control or consuming too much CPU time

Dump last error for current thread
Dump last error for all threads

Point of interest:
SetLastError( dwErrCode ) checks the value of kernel32!g_dwLastErrorToBreakOn and possibly executes a DbgBreakPoint.

if ((g_dwLastErrorToBreakOn != 0 ) && (dwErrCode == g_dwLastErrorToBreakOn))
    DbgBreakPoint();

The downside is that SetLastError is only called from within KERNEL32.DLL.
Other calls to SetLastError are redirected to a function located in NTDLL.DLL, RtlSetLastWin32Error.

Decode and display information about an error value
Treat ErrValue value as an NTSTATUS code

List breakpoints

Clear all breakpoints
Clear breakpoint #

Enable all bps
Enable bp #

Disable all bps
Disable bp #

Set breakpoint at address
CmdString = Cmd1; Cmd2; .. Executed every time the BP is hit.

~Thrd == thread that the bp applies too.
# = Breakpoint ID
Passes = Activate breakpoint after #Passes (it is ignored before)

Set unresolved breakpoint. bp is set when the module gets loaded

Set symbol breakpoint. SymPattern can contain wildcards
CmdString = Cmd1; Cmd2; .. Executed every time the BP is hit.

~Thrd == thread that the bp applies too.
Passes = Activate breakpoint after #Passes (it is ignored before)

The syntax bm SymPattern is equivalent to using x SymPattern and then using bu on each of the results.

Break on Access: [r=read/write, w=write, e=execute], Size=[1|2|4 bytes]

[~Thrd] == thread that the bp applies too.
# = Breakpoint ID
Passes = Activate breakpoint after #Passes (it is ignored before)

renumbers one or more breakpoints

Go (F5)
Go up = execute until the current function is complete
    gu ~= g @$ra
    gu ~= bp /1 /c @$csp @$ra;g
        -> $csp = same as esp on x86
        -> $ra = The return address currently on the stack

Single step - executes a single instruction or source line. Subroutines are treated as a single step.

Toggle display of registers and flags
Count = count of instructions or source lines to step through before stopping
Command = debugger command to be executed after the step is performed
StartAddress = Causes execution to begin at the specified address. Default is the current EIP.

~Thread = The specified thread is thawed and all others frozen

Single trace - executes a single instruction or source line. For subroutines each step is traced as well.

Step to next return - similar to the GU (go up), but staying in context of the current function
If EIP is already on a return instruction, the entire return is executed. After this return is returned, execution will continue until another return is reached.

Trace to next return - similar to the GU (go up), but staying in context of the current function
If EIP is already on a return instruction, the debugger traces into the return and continues executing until another return is reached.

Step to next call - executes the program until a call instruction is reached
If EIP is already on a call instruction, the entire call will be executed. After this call is returned execution will continue until another call is reached.

Trace to next call - executes the program until a call instruction is reached
If EIP is already on a call instruction, the debugger will trace into the call and continue executing until another call is reached.

Step to address; StopAddr = address at which execution will stop
Called functions are treated as a single unit

Toggle display of registers and flags
Command = debugger command to be executed after the step is performed
StartAddress = Causes execution to begin at the specified address. Default is the current EIP.

Trace to address; StopAddr = address at which execution will stop
Called functions are traced as well

Trace and watch data. Go to the beginning of a function and do a wt. It will run through the entire function and display statistics.

StartAddr = execution begin; EndAddr = address at which to end tracing (default = after RET of current function)
l = maximum depth of traced calls
m = restrict tracing to Module
i = ignore code from Module
oa = dump actual address of call sites
or = dump return register values (EAX value) of sub-functions
oR = dump return register values (EAX value) in the appropriate type
nc = no info for individual calls
ns = no summary info
ns = no warnings

Dump current filter list = functions that are skipped when tracing (t, ta, tc)
FilterList = Filter 1; Filter 2; ... symbols associated with functions to be stepped over (skipped)
clear the filter list

.step_filter is not very useful in assembly mode, as each function call is on a different line.

dump stack; n = with frame #; f = distance between adjacent frames; L = omit source lines; number of stack frames to display
first 3 params
all params: param type + name + value
all params formatted (new line)
FPO info, calling convention

display raw stack data + possible symbol info == dds esp

DML variant with links to .frame #;dv

Set stack length. The default is 20 (0x14).

show current frame
specify frame #
show register values

The .frame command specifies which local context (scope) will be used to interpret local variables, or displays the current local context.
When executing a near call, the processor pushes the value of the EIP register (which contains the offset of the instruction following the CALL instruction) onto the stack (for use later as a return-instruction pointer). This is the first step in building a frame. Each time a function call is made, another frame is created so that the called function can access arguments, create local variables, and provide a mechanism to return to calling function. The composition of the frame is dependant on the function calling convention.

show stacks for all threads
[b = first 3 params, v = FPO + calling convention, p = all params: param type + name + value], [n = with frame #]
brief help

locate all stacks that contain Symbol or module
[0 = show only TID, 1 = TID + frames, 2 = entire thread stack]
brief help

Dump all registers
Dump only specified registers (i.e.: r eax, edx)
Value to assign to the register (i.e.: r eax=5, edx=6)

Type = data format in which to display the register (i.e.: r eax:uw)
  ib = Signed byte
  ub = Unsigned byte
  iw = Signed word (2b)
  uw = Unsigned word (2b)
  id = Signed dword (4b)
  ud = Unsigned dword (4b)
  iq = Signed qword (8b)
  uq = Unsigned qword (8b)
  f = 32-bit floating-point
  d = 64-bit floating-point

Num = number of elements to display (i.e.: r eax:1uw)
Default is full register length, thus r eax:uw would display two values as EAX is a 32-bit register.

Thread = thread from which the registers are to be read (i.e.: ~1 r eax)

Dump register types specified by Mask
Dump only specified registers from current mask
Value to assign to the register

Flags for Mask
  0x1 = basic integer registers
  0x4 = floating-point registers == rF
  0x8 = segment registers
  0x10 = MMX registers
  0x20 = Debug registers
  0x40 = SSE XMM registers == rX

Dump all floating-point registers == rM 0x4
Dump only specified floating-point registers
Value to assign to the register

Dump all SSE XMM registers == rM 0x40
Dump only specified SSE XMM registers
Value to assign to the register

Dump default register mask. This mask controls how registers are displayed by the "r".
Dump a list of possible Mask bits
Specify the mask to use when displaying the registers.

Brief help
Dump variable info
Dump only 'field-name(s)' (struct or unions)
Addr of struct to be dumped
list symbols (wildcard)

-n Name = param is a name (use if name can be mistaken as an address)
-y Name = partially match instead of default exact match

-a = Shows array elements in new line with its index
-b = Dump only contiguous block of struct
-c = Compact output (all fields in one line)
-i = Does not indent the subtypes
-l ListField = Field which is pointer to the next element in list
-o = Omit the offset value (fields of struct)
-p = Dump from physical address
-r[l] = Recursively dump subtypes/fields (up to l levels)
-s [size] = For enumeration only, enumerate types only of given size.
-v = Verbose output.

display local variables and parameters
vars matching Pattern
i = type (local, global, parameter), t = data type, V = memory address or register location
a = sort by Addr, n = sort by name, z = sort by size

Display memory [#columns to display]
a = ascii chars
u = Unicode chars

b = byte + ascii
w = word (2b)
W = word (2b) + ascii
d = dword (4b)
c = dword (4b) + ascii
q = qword (8b)

f = floating point (single precision - 4b)
D = floating point (double precision - 8b)

b = binary + byte
d = binary + dword

Edit memory
b = byte
w = word (2b)
d = dword (4b)
q = qword (8b)

f = floating point (single precision - 4b)
D = floating point (double precision - 8b)

a = ascii string
za = ascii string (NULL-terminated)
u = Unicode string
zu = Unicode string (NULL-terminated)

Dump string struct (struct! not null-delimited char sequence)
s = STRING or ANSI_STRING
S = UNICODE_STRING
 

Display words and symbols (memory at Addr is assumed to be a series of addresses in the symbol table)
dds = dwords (4b)
dqs = qwords (8b)

Display referenced memory = display pointer at specified Addr, dereference it, and then display the memory at the resulting location in a variety of formats.

the 2nd char determines the pointer size used:
 dd* -> 32-bit pointer used
 dq* -> 64-bit pointer used
 dp* -> standard size: 32-bit or 64-bit, depending on the CPU architecture

the 3rd char determines how the dereferenced memory is displayed:
 d*a -> dereferenced mem as asci chars
 d*u -> dereferenced mem as Unicode chars
 d*p -> dereferenced mem as dword or qword, depending on the CPU architecture. If this value matches any known symbol, this symbol is displayed as well.

Display linked list (LIST_ENTRY or SINGLE_LIST_ENTRY)
b = dump in reverse order (follow BLinks instead of FLinks)
Addr = start address of the list
MaxCount = max # elements to dump
Size = Size of each element

Use !list to execute some command for each element in the list.

Display info about the memory used by the target process
Brief help
Dump info for region with Addr
Dump summary info for process
Dump specified regions (RegionUsageStack, RegionUsagePageHeap, ..)

Brief Help
Dump virtual memory protection info

Brief Help
Dump name of the file containing given Addr

Compare memory

Move memory

Fill memory. Pattern = a series of bytes (numeric or ASCII chars)

Search memory

b = byte (default value)
Pattern = a series of bytes (numeric or ASCII chars)

w = word (2b)
d = dword (4b)
q = qword (8b)
Pattern = enclosed in single quotation marks (for example, 'Tag7')

a = ascii string (must not be null-terminated)
u = Unicode string (must not be null-terminated)
Pattern = enclosed in double quotation marks (for example, "This string")

Search for any memory containing printable ascii strings
Search for any memory containing printable Unicode strings
Length = minimum length of such strings; the default is 3 chars

Search for objects of the same type.
Object = Addr of a pointer to the Object or of the Object itself

Flags
-------
  w = search only writable memory
  1 = output only addresses of search matches (useful if you are using the .foreach)
Flags must be surrounded by a single set of brackets without spaces.
Example: s -[swl 10]Type Range Pattern

Hold and compare memory. The comparison is made byte-for-byte
Memory range to safe
Display all saved memory ranges
Compares Range to all saved memory ranges
Delete all saved memory ranges
Delete specified memory ranges (any saved range containing Addr or overlapping with Range)

Brief help

List heaps with index and HeapAddr
List heaps with index and range (= startAddr(=HeapAddr), endAddr)
Detailed heap info [Idx = heap Idx, 0 = all heaps]
Validate heap [Idx = heap Idx, 0 = all heaps]
Summary info, i.e. reserved and committed memory [Idx = heap Idx, 0 = all heaps]
Detailed info for a block at given address
Search heap block containing the address (v = search the whole process virtual space)
Search for potentially leaked heap blocks

Set conditional breakpoint in the heap manager [Heap = HeapAddr | Idx | 0]
Remove a conditional breakpoint

Dump info for allocations matching the specified size
Filter by range

Dump heap handle list
Dump usage statistic for every AllocSize [HeapHandle = given heap | 0 = all heaps].
The statistic includes AllocSize, #blocks, TotalMem for each AllocSize.

Extended page heap help
Summary for NtGlobalFlag, HeapHandle + NormalHeap list **
Detailed info about a page heap with Handle
Details of heap allocation containing UserAddr. Prints backtraces when available.
Details of all allocations in all heaps in the process.
The output includes UserAddr and AllocSize for every HeapAlloc call.

It seems that the following applies for windows XP SP2:

a) Normal heap

1. CreateHeap -> creates a _HEAP
2. AllocHeap -> creates a _HEAP_ENTRY

1. CreateHeap -> creates a _DPH_HEAP_ROOT (+ _HEAP + 2x _HEAP_ENTRY)**
2. AllocHeap -> creates a _DPH_HEAP_BLOCK

displays all Logexts.dll extension commands

Enable logging + possibly initialize it if not yet done. Output directory optional.

Initialize (=inject Logger into the target application) but don't enable logging.

Disable logging

List output settings
Enable/disable [d - Debugger, t - Text file, v - Verbose log] output. Use logviewer.exe to examine Verbose logs.

List all categories
List APIs in category #
Enable/disable all categories
Enable/disable category #

Print buffer contents to debugger
Flush buffer to log files

Display module inclusion/exclusion list
Specify module inclusion/exclusion list