WinDbg A Reference Poster and Learning Cards
2008

WinDbg A Reference Poster and Learning Cards

OpenTask in association with Dmitry Vostokov from DumpAnalysis.org

Published by OpenTask, Republic of Ireland

Copyright © 2008 by Dmitry Vostokov

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior written permission of the publisher. You must not circulate this book in any other binding or cover and you must impose the same condition on any acquirer.

Microsoft, MSDN, Visual C++, Visual Studio, Win32, Windows, Windows Server and Windows Vista are registered trademarks of Microsoft Corporation. Citrix is a registered trademark of Citrix Systems. Other product and company names mentioned in this book may be trademarks of their owners. WinDbg is a part of Debugging Tools for Windows from Microsoft Corporation.

OpenTask books are available through booksellers and distributors worldwide. For further information or comments send requests to [email protected].

A CIP catalogue record for this book is available from the British Library.
ISBN-13: 978-1-906717-29-2 (Paperback)

First printing, 2008

Card command mnemonic colors:
!black - extension
.black - user, kernel and complete space
.blue - user space
.red - kernel space
.green - scripting

Card command descriptions colors:
Black - live and crash dump sessions or extension or scripting
Blue - crash dump analysis only
Red - live debugging only

!acl <address> 1 .apply_dbp .block .breakin .abandon !acpiirqarb !amli !apicerr !acpiinf .asm .bpsync 1 .bugcheck .allow_exec_cmds !address !analyze !arbinst !acpicache .attach .break .cache !finddata .exptr !findfilelockowner .exr .srcnoisy .unloadall .srcpath .unload .allow_image_mapping !ahcache !apc !arbiter !frozen !wudfext.* !wsle !wmitrace.* !timer !thread !teb !sysptes !rtlavl !rsdt !rpcexts.* !rellist

Switches to Groups commands Applies bps Shows friendly kernel-mode and evaluates to specified contents of ACL debugging aliases CONTEXT ACPI Machine Shows ACPI Shows APIC Language Ends debugging IRQ Arbiter error log Interpreter session only structure debugger Shows ACPI Stops all Sets format Shows bugcheck configuration threads upon of disassembly code and args and table a breakpoint output location Information Shows memory Enables/ Shows arbiter about exception region usage disables information or bugcheck and attributes g, t and p Sets the size Works similar Shows ACPI Attaches to and memory to break in C tables cached a process cache options and C++ by HAL Shows exception Shows cached Finds an owner EXCEPTION_POINTERS record data at of a file lock structure information a file offset Unloads Sets verbosity Sets the source Unloads all a debugging for source file search path extensions extension file loads Shows Shows resource Shows application Sets module arbiters and information compatibility mapping their ranges about APC cache User-mode Event tracing Shows working set Shows the state driver framework extension list entries of processors extension Shows formatted Shows formatted Shows ETHREAD and Shows system system page thread environment a stack trace timers table entries block Shows ACPI Shows Shows a PnP RPC debugging Root System RTL_AVL_TABLE relation list extension Description Table structure